W3C Responds To WHATWG’s Demand For Legal Protection For EME Security Researchers

The W3C (World Wide Web Consortium) has responded to WHATWG’s (Web Hypertext Application Technology Working Group) claim that it refuses to protect security researchers studying Encrypted Media Extensions (EME) implementations. The W3C split its response into two parts, one addressing WHATWG’s demand, and the other addressing the issue of EME enabling DRM.

The W3C has said before that it is committed to supporting security researchers and audits for EME software. Coralie Mercier, the Head of W3C Marketing & Communications, reiterated the point.

“The W3C Technical Architecture Group (TAG) discussed in particular certain pieces of legislation which have had a chilling effect on security research on software. As a result, the TAG has stated its support for a Strong and Secure Web Platform noting the importance of security research on software as well as broad testing and audit. This statement still stands,” said Coralie Mercier, Head of W3C Marketing & Communications, in an email to Tom's Hardware.

It’s not that clear what the W3C means here, but Mercier noted that the W3C couldn’t guarantee legal protection against jurisdictions that choose to prosecute security researchers.

“W3C, a technical standards organization, has no power over jurisdictions that choose to prosecute security researchers. I’d like to draw your attention to the fact that the EFF itself is suing the US government to invalidate Section 1201 of the DMCA, a law that has been used to threaten research into the security risks of DRM and inhibit the development of products and tools that break digital locks, even if the purpose is otherwise legal,” noted Mercier.

However, the WHATWG seems to have only asked for companies that work on the EME specification to agree in writing that they would not sue security researchers studying EME. This may or may not work the same way as non-aggression patent agreements work, but the W3C would probably be at least able to banish companies from having a say in the design of the EME specification if they violate the agreement.

W3C’s Rebuttal Of EME Being “DRM-Enabling”

The second part of W3C’s response involved the association of EME with DRM, which the W3C thinks is inaccurate.

“EME does not affect the question of user rights - it only affects whether video content providers, such as movie distribution companies, need to use a standard API or different mechanisms for each browser on each platform. Also, many users would rather have an easy, legal way to access content on their Web browser than face penalties for accidental misuse or circumvention,” said Coralie Mercier.

Another related statement, taken from W3C’s fact sheet page for EME, says the following:

“By making the technology in a browser which can be open source, users can then use their own Web browser, available on a general purpose computer, instead of a special proprietary, locked silo, device or plug-in,” stated the W3C. “By creating an API that all DRM systems can use, playback in a Web browser will be possible (via Content Decryption Modules), thus helping to support an open Web. Developers who use HTML5 for video can create playback video directly without external dependency on third party apps (like Adobe Flash or Microsoft Silverlight) and without inheriting security vulnerabilities from those third party apps,” explained the W3C.

The W3C seems to be saying that EME is used for the purpose of enabling multiple DRM systems, as opposed to only using one or two (Flash and Silverlight; Microsoft has already deprecated the latter). From the point of view of allowing the existence and usage of multiple DRM systems that can support more operating systems and browsers, this could indeed lead to a “more open web,” because more users would have access to certain pieces of protected content.

However, the W3C achieves this by making it easier to use DRM through EME, not harder, so essentially, EME seems to be enabling a more widespread use of DRM.

For now, the issue of whether EME should be adopted or not has been put to rest as all the major browser vendors have already adopted it, including Mozilla, which reluctantly embraced it two years ago. The main issue that WHATWG, EFF and other groups want to see resolved right now is guaranteed legal protection for security researchers studying EME implementations.

However, for now, the W3C seems willing only to offer some “best effort” protection without guaranteeing anything in writing. The approach could still change later this week when the W3C has to renew its charter, given that over 20 members of the W3C support legal protection for security researchers, according to the EFF.

Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.