The EFF post on EME is an awesome bit of misdirection.
Everything it says about DRM is true. Almost everything it says about the W3C is either false or misdirection, applying one set of arguments to another target. (Some background on EME if this doesn’t make any sense.)
I get that DRM is not a good thing, I agree, but the EFF attacks the W3C by relying on three false assumptions:
- Browsers would not have implemented DRM without the W3C’s blessing (and the alternative is better).
- It is possible for some people to bypass DRM but not others.
- The legal situation has changed (with the obvious IANOL caveat).
The misdirection is playing on people’s assumptions that the W3C controls the technology, and implying that EME is DRM rather than an API to DRM.
Browsers would have implemented DRM
In 2013, EFF was disappointed to learn that the W3C had taken on the project of standardizing “Encrypted Media Extensions,” an API whose sole function was to provide a first-class role for DRM within the Web browser ecosystem.
The key word there is API, the W3C was aiming standardise the API. The W3C does not create/standardise or do anything with the DRM directly, that is out of scope.
I’ve seen comments saying that the rights-holders wouldn’t turn away 1 billion web users by withholding content from browsers. But they wouldn’t have to. Their video would be available through devices and set-top-boxes (with DRM) to probably 90% of that billion users. I think the browser makers saw that and would rather there were an option for ‘premium’ video on the web.
For example, if you want to watch Game of Thrones in the UK on your computer, the only legal place to do that without a cable subscription is at NowTV.com (owned by Sky). Once subscribed you browse to the programme page, and you have to install a dedicated app, which then pops-up when you click on the programme.
So now I have an app installed on my computer instead of watching it in the browser, how is that better?
No offence to Sky, but I’d rather have Google/Microsoft/Apple/Mozilla supply the software on my computer as part of the browser, rather than every video provider create their own application.
I’ve spoken to people at broadcasters and an online video service and they were clear that DRM was going to happen somehow, otherwise premium TV and Movies would move off to apps (which was already happening).
So the question is whether there should be standardised interface to DRM for browsers, because DRM was going to happen. Having the EME spec puts accessibility and privacy in a better place, especially compared to having random apps installed on your computer.
Selective DRM bypassing
We agreed to stand down regarding the EME standard, provided that the W3C extend its existing IPR policies to deter members from using DRM laws in connection with the EME (such as Section 1201 of the US Digital Millennium Copyright Act or European national implementations of Article 6 of the EUCD) except in combination with another cause of action.
Aah, the convenant. The most basic issue is: anything poking holes in DRM could be ‘called’ security research, how do you define that?
Also, the W3C’s spec on EME does not cover the DRM module, so what difference would it make?
There is also a technology and logic problem:
- The DRM used with EME is an encrypted stream, i.e. secure. This security is essentially a fig-leaf, but the point is that the content rights-holders require it, and require that it is seen to be secure.
- If you allow some people to bypass the DRM, that is a back-door. Whether it is for archiving or accessibility purposes, a back door is a security hole.
- So what do companies have to do about security holes? They have to be fixed, otherwise it is pointless, and seen to be pointless.
I get that DRM doesn’t really stop piracy, but until the rights-holders are persuaded it doesn’t matter.
The bottom line is that: On an open platform, you can’t ban something that the content-owners require and (most of) the public want to use. The browsers will support it.
Lack of legal change
Since HTML 4.0 in 1997, there was an
object tag which could be used to include DRM content.
In a similar way the DRM that would be used by EME is separate from the standard, just like the Flash / Java content added with the object tag is separate.
I really struggle to see what the difference is in terms of protecting security researchers. Given that DRM would be used by browsers, the existence of an API spec doesn’t change the legal situation.
Despite the support of W3C members from many sectors, the leadership of the W3C rejected this compromise.
That isn’t how the W3C works, the people working on the spec (i.e. the working group) would have to accept the covenant (which wasn’t part of the scope when the group formed), they didn’t.
So again, the question is whether it is better to have a spec for the API, or not?
a core of EME proponents was able to impose its will on the Consortium, over the wishes of a sizeable group of objectors
The browsers are able to implement whatever the hell they like without agreement from anyone. That isn’t the question. The question is whether there should be a standard API to the DRM, or not.
There are many aspects in the EFF post that are about the DRM rather than EME, such as:
But those very benefits… depend on the public being able to exercise rights they lose under DRM law“
the W3C bequeaths an legally unauditable attack-surface to browsers used by billions of people.“
give media companies the power to sue or intimidate away those who might re-purpose video for people with disabilities.“
The existence of the EME spec doesn’t actually affect any of those, the DRM does.
Effective today, EFF is resigning from the W3C.
That seems like a logical thing to do. The EFF joined to disrupt the EME spec so there isn’t much point in sticking around now.
We’ll keep suing the US government to overturn the laws that make DRM so toxic, and we’ll keep bringing that fight to the world’s legislatures that are being misled by the US Trade Representative to instigate local equivalents to America’s legal mistakes.
Good. The law is the source of the problem, without those laws there wouldn’t be a technology problem. If you don’t like DRM, support that legal effort.
The only way I can understand thinking that the EME spec is a bad thing is if you don’t accept that DRM would have been implemented by browsers anyway. That doesn’t make any sense to me given the current trends.
But then, perhaps that was the point of the EFF’s campaign: to confuse the issues as part of a general anti-DRM effort. The W3C is just collateral damage in that campaign, which is very frustrating.
Postscript: The headline “World Wide Web Consortium abandons consensus, standardizes DRM with 58.4% support” is spin as well. If you can’t get consensus, a decision has to be made, and this was indeed the first time it has gone down this route. The 58% is misleading because there were plenty of abstentions, only 31% membership organisations voted against the decision with a near-record turn out.