The Foundation believes Encrypted Media Extensions (EME) should not be published as a W3C Recommendation, and we are now making public the formal objection the blog.nyoc Foundation submitted to the W3C opposing the recommendation of EME.
As a member of the W3C, the blog.nyoc Foundation contributes to the standards-making process and votes on matters such as the EME recommendation. Many developers and researchers at the blog.nyoc Foundation conduct security research and build software that use web technology, and from that perspective, we have objections to EME as well as Digital Rights Management (DRM) in general. Most if not all people who use web browsers are affected by EME.
The direct result of EME’s success up until now, is that browser developers have already installed potentially insecure DRM technology since there were no options to disable it in any of the major browsers. Even though EME was only recently approved as a recommended standard, closed-source DRM implementations have been present in our browsers, even open-source browsers such as Firefox, for many years.
As developers, researchers and community members, we have already been subjected to objectionable DRM implementations and we believe efforts should be made to stem further adoption. In other words, we feel the recommendation of EME as a standard is a move in the wrong direction as it inhibits the Open Web, and is inconsistent with the core values, mission and design principles of W3C. The statement published below sets out the reasons for blog.nyoc Foundation’s objections and why we feel the W3C should not continue with a recommendation of EME as a W3C standard.
The following statement was submitted to the W3C with a Formal Objection on April 13, 2017. Please note that edits have been made for clarification and legibility purposes.
The blog.nyoc Foundation respectfully opposes publishing Encrypted Media Extensions (EME) as a Recommendation and requests that this effort be discontinued.
The blog.nyoc Foundation aims to build a more globally accessible, more free, and more trustworthy Internet. We cannot work to fulfill our mission without objecting to EME. If recommended by the W3C, EME and the Content Decryption Module (CDM) implementations it sanctions, will reduce accessibility, curtail freedom on the Internet, undermine security research, and even erode trust among users and developers in the greater Internet community. If recommended, EME will also violate many important aspects of W3C’s own mission statement and design principles.
Problem: EME addresses use-cases outside of the domain of the Open Web.
The W3C has historically provided Recommendations for the Open Web platform. However, W3C’s specification of this manner of interaction, such as the one with DRM, is unprecedented and poses a concern, especially as it supports an opaque, non-open technology. What policies are in place to limit this expansion of the W3C’s Recommendations into the non-open web? Software that is both outside of the W3C mission and also highly objectionable to large numbers of W3C members should not be addressed by W3C Recommendations.
Problem: EME-specified DRM impedes legitimate use, with little gained as a result.
We believe that the benefits gained by owners of media from DRM implementations are not worth the limitations experienced by users. DRM does not offer much to hinder copyright infringement. Copyright infringers will not likely evade DRM if the media they want is widely available through alternative sources. While offering few copyright protection benefits, DRM denies users valuable functionality including extending, commenting on, annotating, modifying content for artistic reasons, or modifying content to enable access for people with disabilities. All of these uses, normally held in high regard in the W3C Recommendation process, are blocked by DRM.
We feel W3C Recommendations should not specify, even if indirectly through EME, the implementation or enabling of software that blocks legitimate functionality for users.
Problem: EME does not grow the web.
We believe that the long-term growth referred to in the mission statement of the W3C largely refers to the potential for the web to be used in new and unforeseen ways. EME’s contribution to growth only benefits non-extensible, non-interoperable, non-open web content, which does little for network effects. The growth mission of the W3C is therefore not served if EME becomes a Recommendation.
Problem: EME undermines security.
In order to maintain a secure Open Web, security researchers must be able to perform their work in both a technical and a legal sense. By officially making a Recommendation, W3C compels security researchers to perform security analyses of all major implementations of that Recommendation. In recommending EME, the W3C is therefore exposing legitimate security researchers in the community to potential legal liability and even prosecution in the United States.
We understand and appreciate the serious efforts made by members of the HTML Media Extensions Working Group to address the exposure of security researchers. However, consensus could not be reached about an Electronic Frontier Foundation (EFF) proposed covenant in which W3C members and their affiliations would agree to “non-aggression” with respect to bringing 17 U.S.C. § 1203 actions against security researchers.
If anything, now is a time the W3C should take a stronger position to defend legitimate security research when Internet users around the world feel less secure and less protected than ever.
Problem: EME constrains the web to follow specific existing business models rather than to enable new forms of interaction.
The outcome of implementing DRM in web browsers would essentially set as a standard, the current proprietary systems and the related ways they interact with users and sell media. EME would inhibit potential models of a future decentralized web where blockchains and decentralized technologies could enable new business models and property rights management.
By recommending EME, the W3C is encouraging browser vendors to install software that lacks transparency and disclosure to the user, which is counter to the tradition of the Open Web and what many people hope the next generation of technology will bring.
The W3C must be guided by its mission, design principles, and values.
A Recommendation by the W3C carries a lot of weight. We feel the organization should therefore not specify nor guide technologies such as DRM that do not conform to the W3C’s core values as expressed in its mission and design principles, especially when the technology in question undermines security, limits legitimate use, and offers little potential for expanding the web.