W3C Refuses To Protect Security Researchers Studying DRM-Enabling Web Extension, Claims WHATWG

Ian Hickson, who edits the HTML specification at the Web Hypertext Application Technology Working Group (WHATWG), called out the World Wide Web Consortium (W3C) for not offering security researchers legal protection when they report bugs in web DRM schemes. Hickson previously oversaw the standardization of the HTML5 specification at the W3C and also protested the W3C’s adoption of the DRM-enabling Encrypted Media Extensions (EME).

EME’s Failed Promise

Over the past few years, the W3C has been working on implementing an HTML extension that would bring DRM to the web. The EME standard was mainly promoted by Netflix. At the time, the company was trying to eliminate the need for the Silverlight plugin, which Microsoft was about to kill. The promise of EME was that users would be able to stream Netflix videos without having to install any other plugin or app on their computers.

However, things didn’t go quite as promised: according to Hickson, EME is itself a plug-in mechanism for proprietary DRM modules. You can see this in Firefox, for instance, which has to load both Adobe’s (Primetime) and Google’s (Widevine) DRM modules for protected video to play.

Therefore, EME didn’t get rid of plugins, but instead changed what plugins we need in order to play DRM-protected media. Instead of installing a Flash or Silverlight plugin, we’d now install the DRM plugins from other companies.
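The paragraph above is easy to verify from script: the EME API never decrypts anything itself, it only asks the browser for a named key system, and each name maps to a separate Content Decryption Module. This is an added example (not from the article, the W3C or any browser vendor); the key-system strings and the injectable `nav` parameter are assumptions made so the logic can also run outside a browser.

```javascript
// Added example: probe which EME key systems a browser can back with a CDM.
// EME defines only the API; each key system string names a separate Content
// Decryption Module that the browser must ship or download (Widevine, Primetime).

// Assumed key system identifiers: org.w3.clearkey is the one the spec mandates
// (and it offers no real protection); the others name proprietary CDMs.
const KEY_SYSTEMS = ['org.w3.clearkey', 'com.widevine.alpha', 'com.adobe.primetime'];

// A minimal MediaKeySystemConfiguration: one MP4/H.264 video capability.
const CONFIG = [{
  initDataTypes: ['cenc'],
  videoCapabilities: [{ contentType: 'video/mp4; codecs="avc1.42E01E"' }],
}];

// Ask a navigator-like object about each key system and report which ones it
// can satisfy. `nav` is injectable so a stub can stand in for a real browser.
async function probeKeySystems(nav, keySystems = KEY_SYSTEMS, config = CONFIG) {
  const report = {};
  for (const ks of keySystems) {
    try {
      const access = await nav.requestMediaKeySystemAccess(ks, config);
      report[ks] = { available: true, keySystem: access.keySystem };
    } catch (err) {
      // NotSupportedError means no CDM for this key system is installed/enabled.
      report[ks] = { available: false, reason: err.name || String(err) };
    }
  }
  return report;
}

// ClearKey alone satisfies no DRM licensor, so commercial playback works only
// if at least one proprietary CDM shows up here.
function availableProprietaryCdms(report) {
  return Object.entries(report)
    .filter(([ks, r]) => r.available && ks !== 'org.w3.clearkey')
    .map(([ks]) => ks);
}

// In a real browser, run the probe against the page's navigator object.
if (typeof navigator !== 'undefined' && navigator.requestMediaKeySystemAccess) {
  probeKeySystems(navigator).then((r) => console.log(r, availableProprietaryCdms(r)));
}
```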

Beyond EME’s failures, there is also a long-running debate about how DRM does not stop copyright infringement at all, but is instead used as a tool to control distributors and to prevent people from using content in otherwise legally permissible ways (the fair use doctrine in the U.S.).

However, Hickson’s biggest problem with EME and its enabling of DRM on the web is with how the DMCA makes it illegal for security researchers to disclose vulnerabilities in DRM software without a vendor’s permission. Vendors may not always respond well to others finding vulnerabilities in their software. Sometimes, that may lead to software being vulnerable for too long if the bugs are hidden from the public.

According to Hickson, browser security is bad enough as it is, and browsers are constantly getting exploited. Chilling the research on browser security would make things worse.

WHATWG’s Proposal

The WHATWG proposed that the W3C require each company working on the EME specification to sign an agreement in which they agree not to sue security researchers studying EME. According to the group, the W3C already requires a similar agreement for patents, and this new agreement would be an extension to that.

The W3C has so far refused to require this, so Hickson’s group is now calling the W3C out for endangering the health of the web as a whole. Hickson’s letter to the W3C was co-signed by other WHATWG members such as Simon Pieters from Opera and Anne van Kesteren from Mozilla.

The EFF (a member of the W3C) also called out the W3C earlier this year over the same issue. It has also been leading a parallel fight to kill Section 1201 of the DMCA once and for all, so that security researchers and anyone else would be free to tinker with DRM-enabled devices without fear of legal repercussions.

W3C’s Charter Renewal

The reason there are now new calls on the W3C to agree to this “DRM nonaggression covenant” is that the W3C’s charter will expire in less than a week and will have to be renewed. The last time the proposal to protect EME security researchers was made, the W3C board rejected it.

The movement to fix this issue has grown much larger since then. There are now 20 W3C members who are willing to block the new charter unless the W3C agrees to protect security researchers from DMCA lawsuits, according to the EFF.

So far, only a single browser vendor is supporting the EFF’s and WHATWG’s proposal: Brave, the new browser from Mozilla’s former CEO, Brendan Eich. Google and Microsoft were the co-creators of the Encrypted Media Extensions, along with Netflix, so chances are they will also be among the last to support the DMCA protection agreement.

We have contacted the W3C for an official response.

Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.
  • Web DRM is a joke anyway. Just play the video in fullscreen and turn on your desktop recording software (ShadowPlay or whatever), done.

    Where's your fancy DRM now?
  • nukemaster
    18649268 said:
    Web DRM is a joke anyway. Just play the video in fullscreen and turn on your desktop recording software (ShadowPlay or whatever), done.

    Where's your fancy DRM now?
    Compressing already compressed video will cause more quality loss.

    This is the same reason people do not copy Blu-ray movies via HDMI (rip the disc instead), but the standard still has to be laced with DRM.

    Some of this causes more issues for paying users than it ever does for pirates.

    I am not saying I am against all DRM (to protect one's work), but it does get in the way of legitimate uses too often.
  • Christopher1
    Web DRM needs to disappear. Period. Adobe Flash for everything but games needs to disappear as well and even for games, HTML5 games could take over for Flash games if properly written.
    Basically the only reason they want DRM support in browsers is so they can control what people do with their own legally bought content.
    They want to prevent people from legally recording that content so that they can pull that content at any time and charge the people in question AGAIN for the content in question.
  • dE_logics
    Don't want vulnerabilities to be known about? Sell the vulnerabilities in black. There's a risk both ways.