Source. The World Wide Web Consortium has gone ahead with a DRM standard that conflicts with accessibility, security research, archiving, and competition: it's called EME, and it allows DRM-protected content published online to be decoded by web browsers without the need for plugins thanks to loading content decryption modules. The Electronic Frontier Foundation has tendered their resignation from the W3C, as their objections fell on deaf ears.
Quote:
This is a bad day for the W3C: it's the day it publishes a standard designed to control, rather than empower, web users. That standard that was explicitly published without any protections -- even the most minimal compromise was rejected without discussion, an intransigence that the W3C leadership tacitly approved. It's the day that the W3C changed its process to reward stonewalling over compromise, provided those doing the stonewalling are the biggest corporations in the consortium.
Dear Jeff, Tim, and colleagues,
In 2013, EFF was disappointed to learn that the W3C had taken on the project of standardizing "Encrypted Media Extensions," an API whose sole function was to provide a first-class role for DRM within the Web browser ecosystem. By doing so, the organization offered the use of its patent pool, its staff support, and its moral authority to the idea that browsers can and should be designed to cede control over key aspects from users to remote parties.
When it became clear, following our formal objection, that the W3C's largest corporate members and leadership were wedded to this project despite strong discontent from within the W3C membership and staff, their most important partners, and other supporters of the open Web, we proposed a compromise. We agreed to stand down regarding the EME standard, provided that the W3C extend its existing IPR policies to deter members from using DRM laws in connection with the EME (such as Section 1201 of the US Digital Millennium Copyright Act or European national implementations of Article 6 of the EUCD) except in combination with another cause of action.
This covenant would allow the W3C's large corporate members to enforce their copyrights. Indeed, it kept intact every legal right to which entertainment companies, DRM vendors, and their business partners can otherwise lay claim. The compromise merely restricted their ability to use the W3C's DRM to shut down legitimate activities, like research and modifications, that required circumvention of DRM. It would signal to the world that the W3C wanted to make a difference in how DRM was enforced: that it would use its authority to draw a line between the acceptability of DRM as an optional technology, as opposed to an excuse to undermine legitimate research and innovation.
More directly, such a covenant would have helped protect the key stakeholders, present and future, who both depend on the openness of the Web, and who actively work to protect its safety and universality. It would offer some legal clarity for those who bypass DRM to engage in security research to find defects that would endanger billions of web users; or who automate the creation of enhanced, accessible video for people with disabilities; or who archive the Web for posterity. It would help protect new market entrants intent on creating competitive, innovative products, unimagined by the vendors locking down web video.
Despite the support of W3C members from many sectors, the leadership of the W3C rejected this compromise. The W3C leadership countered with proposals - like the chartering of a nonbinding discussion group on the policy questions that was not scheduled to report in until long after the EME ship had sailed - that would have still left researchers, governments, archives, security experts unprotected.
The W3C is a body that ostensibly operates on consensus. Nevertheless, as the coalition in support of a DRM compromise grew and grew - and the large corporate members continued to reject any meaningful compromise - the W3C leadership persisted in treating EME as a topic that could be decided by one side of the debate. In essence, a core of EME proponents was able to impose its will on the Consortium, over the wishes of a sizeable group of objectors - and every person who uses the web. The Director decided to personally override every single objection raised by the members, articulating several benefits that EME offered over the DRM that HTML5 had made impossible.
But those very benefits (such as improvements to accessibility and privacy) depend on the public being able to exercise rights they lose under DRM law - which meant that without the compromise the Director was overriding, none of those benefits could be realized, either. That rejection prompted the first appeal against the Director in W3C history.
In our campaigning on this issue, we have spoken to many, many members' representatives who privately confided their belief that the EME was a terrible idea (generally they used stronger language) and their sincere desire that their employer wasn't on the wrong side of this issue. This is unsurprising. You have to search long and hard to find an independent technologist who believes that DRM is possible, let alone a good idea. Yet, somewhere along the way, the business values of those outside the web got important enough, and the values of technologists who built it got disposable enough, that even the wise elders who make our standards voted for something they know to be a fool's errand.
We believe they will regret that choice. Today, the W3C bequeaths a legally unauditable attack-surface to browsers used by billions of people. They give media companies the power to sue or intimidate away those who might re-purpose video for people with disabilities. They side against the archivists who are scrambling to preserve the public record of our era. The W3C process has been abused by companies that made their fortunes by upsetting the established order, and now, thanks to EME, they'll be able to ensure no one ever subjects them to the same innovative pressures.
So we'll keep fighting to keep the web free and open. We'll keep suing the US government to overturn the laws that make DRM so toxic, and we'll keep bringing that fight to the world's legislatures that are being misled by the US Trade Representative to instigate local equivalents to America's legal mistakes.
We will renew our work to battle the media companies that fail to adapt videos for accessibility purposes, even though the W3C squandered the perfect moment to exact a promise to protect those who are doing that work for them.
We will defend those who are put in harm's way for blowing the whistle on defects in EME implementations.
It is a tragedy that we will be doing that without our friends at the W3C, and with the world believing that the pioneers and creators of the web no longer care about these matters.
Effective today, EFF is resigning from the W3C.
Thank you,
Cory Doctorow
Advisory Committee Representative to the W3C for the Electronic Frontier Foundation
Denuvo cracked in weeks? They're down to a week now, they're getting better. Also the TPB JS model is too easy to block.
Originally Posted by CynicalUnicorn
Mmmmm it'll be great when somebody sees the Pirate Bay profit model (JavaScript crypto miners) and tries it on their own, this time not in plain sight. But if the DRM is standardized, doesn't that make it easier to crack? Even Denuvo is getting cracked within weeks of releases these days.
I give it a week before DRM-protected whitelists are implemented (e.g. only Netflix may push this type of content to me) and a month before it gets cracked wide open.
Well, video streams are HTML5, are they not? I can't imagine it's possible to lock this down so only video streams are DRM protected.
It's been planned for some time now. I remember advocates spinning this back in March.
And yet it is. The EME specification is only defined for video streams. The Content Decryption Modules only accept video streams called by JavaScript. Mozilla's HTML members tried to make sure very early that the spec could only be defined for video in a static manner.
The W3C forcibly approved a HTML5 DRM API for Video streams called Encrypted Media Extensions. The EFF got angry and quit because they didn't reach a consensus like they normally do.
Ahhh, gotcha. I figured it could be adapted for general-purpose HTML5.
Originally Posted by Omega X
And yet it is. The EME specification is only defined for video streams. The Content Decryption Modules only accept video streams called by JavaScript. Mozilla's HTML members tried to make sure very early that the spec could only be defined for video in a static manner.
Two browser makers HAVE to implement first before it becomes considered for Recommendation. The spec itself is useless without browser maker participation (they are not against making their own consortium like they did with HTML5 before the W3C adopted it). Netflix asked for video protection. Google implemented to keep from getting locked out of Netflix. Microsoft followed. Mozilla resisted up until it was either implement or suffer more user loss, BUT they did it with a restrictive sandbox to protect the browser and users from potential malice.
Yes, but not consensus...
Short answer: no security research exemptions, it's the same problem which exists in the DMCA and no clause for responsible disclosure et al. White hats are literally gambling their freedom to 'do the right thing' and hoping the company on the other side is stand-up and not going to charge them with a major federal felony because they CAN and are actively fighting to maintain that right.
The gist of their argument is that the DMCA makes it illegal for independent security researchers to find and report security vulnerabilities in DRM, which will result in unchecked exploits in browsers and websites that conform to the new standard.
A fair 40k feet gist, heck even mine is glancing over most of the real details of the problem.
I think his summary was pretty good.
Originally Posted by Avonosac
A fair 40k feet gist, heck even mine is glancing over most of the real details of the problem.
OT: I hate having to explain nuanced reality to people who think in one sentence summaries. You always play this guessing game of how they will interpret your summary and distort the truth from it...
@Avonosac's point is that people asking for summaries to a problem that's as complex and nuanced as HTML5 DRM are at best too simple-minded to research deeply into the controversy, and at worst looking to maliciously deceive other simple-minded people by distorting even the accurate summaries.
They like their top-down authority structures, that's for sure. But even that is a nuanced thing to talk about because this stuff is too complicated for 90% of developers, 8% more don't care and the rest are in the club, so in a lot of ways it's true. The problem is they don't spend enough time getting feedback from real people to make sure their assumptions are true.
You hit the nail on the head in regards to my point, I thought that was evident but thanks for the backup.
Originally Posted by firagabird
@Avonosac's point is that people asking for summaries to a problem that's as complex and nuanced as HTML5 DRM are at best too simple-minded to research deeply into the controversy, and at worst looking to maliciously deceive other simple-minded people by distorting even the accurate summaries.
It's like GamerGate IMO. There's really no good summary for it, just because there's so many facets of it. Any attempt at a summary usually invokes the ire of one side of the controversy, and it inevitably gets distorted upon retellings due to the bias of whoever reads said summary. The only good way to fully understand such a controversial topic is to do your research, learn all sides of the argument and the inevitable gotchas of each, and make your own informed opinion.
I also believe the same nuance lies with HTML5 DRM. It has a lot of sides: the W3C rushing to make a standard, the political & commercial interests, the EFF's interests, the security expert side, the small-time content producer side, etc. Summarizing it is pretty damn hard, and will inevitably lean in favor of the author's bias.
Quote:
Yeah this does not look good.
Originally Posted by Avonosac
Yes, but not consensus...
Short answer: no security research exemptions, it's the same problem which exists in the DMCA and no clause for responsible disclosure et al. White hats are literally gambling their freedom to 'do the right thing' and hoping the company on the other side is stand-up and not going to charge them with a major federal felony because they CAN and are actively fighting to maintain that right.
The longer answer also includes the point that DRM is in fact impossible but the dream makes content holders sleep better at night. It's easier to put a padlock on the door, than design a perfect gateway which captures payment for access to a string of bits. The callousness and carelessness of the content holders also extends to the point that they don't care about causing damage and inconvenience to the user, in order to put systems in place which live (and annoy / damage) forever but work for a limited time e.g. HDMI's encryption.
But if we have to have it.. and the people with money and content the public wants won't let their content go without it.. it's better to have a few highly vetted, centralized, and continuously maintained implementations than the Flash fiasco. But Tim and others decided to yield to corporate pressure to not reach consensus now on the extremely necessary exceptions to the rules which are being actively abused to silence the little guy, or put 'hackers' like that guy in prison all around the world. That story would be comedy genius if it wasn't actually true, but since it is actually happening it is a very sad state of affairs when smart people concede to factually wrong rich people / corporations / government desires.
You're giving stupid people with power a huge weapon to silence a large portion of the knowledgeable people fighting to keep systems and people safe.
tl;dr small minded people can't understand the problem, so it must not be a problem.
For the legal customers anyway...
Nope, even bad for them.. because it adds a privileged attack surface for attacks to get remote code execution on your machine. It isn't that DRM won't be successful, it's that you can't have white hats attacking it for security vulnerability concerns.
Originally Posted by jagdtigger
For the legal customers anyway...
I think I'll just sit back with a big popcorn and watch them (the industry) struggle with keeping up with the crackers... DRM never worked and it never will. Adapt or die, it's the basic rule of life. But for some reason governments are keeping the brain dead on life support, when will they say enough and pull the plug?
Good thing the first thing I did was switch it off. Hopefully there will be at least one browser that won't have it included.