[HardOCP] W3C Abandons Consensus, Standardizes DRM with 58.4% Support

#1 ·
Quote:
The World Wide Web Consortium has gone ahead with a DRM standard that conflicts with accessibility, security research, archiving, and competition: it's called EME, and it allows DRM-protected content published online to be decoded by web browsers without the need for plugins thanks to loading content decryption modules. The Electronic Frontier Foundation has tendered their resignation from the W3C, as their objections fell on deaf ears.
Quote:
This is a bad day for the W3C: it's the day it publishes a standard designed to control, rather than empower, web users. That standard that was explicitly published without any protections -- even the most minimal compromise was rejected without discussion, an intransigence that the W3C leadership tacitly approved. It's the day that the W3C changed its process to reward stonewalling over compromise, provided those doing the stonewalling are the biggest corporations in the consortium.
Source.
 
#2 ·
Mmmmm it'll be great when somebody sees the Pirate Bay profit model (JavaScript crypto miners) and tries it on their own, this time not in plain sight. But if the DRM is standardized, doesn't that make it easier to crack? Even Denuvo is getting cracked within weeks of releases these days.

I give it a week before DRM-protected whitelists are implemented (e.g. only Netflix may push this type of content to me) and a month before it gets cracked wide open.
 
#3 ·
Full letter:

Quote:
Dear Jeff, Tim, and colleagues,

In 2013, EFF was disappointed to learn that the W3C had taken on the project of standardizing "Encrypted Media Extensions," an API whose sole function was to provide a first-class role for DRM within the Web browser ecosystem. By doing so, the organization offered the use of its patent pool, its staff support, and its moral authority to the idea that browsers can and should be designed to cede control over key aspects from users to remote parties.

When it became clear, following our formal objection, that the W3C's largest corporate members and leadership were wedded to this project despite strong discontent from within the W3C membership and staff, their most important partners, and other supporters of the open Web, we proposed a compromise. We agreed to stand down regarding the EME standard, provided that the W3C extend its existing IPR policies to deter members from using DRM laws in connection with the EME (such as Section 1201 of the US Digital Millennium Copyright Act or European national implementations of Article 6 of the EUCD) except in combination with another cause of action.

This covenant would allow the W3C's large corporate members to enforce their copyrights. Indeed, it kept intact every legal right to which entertainment companies, DRM vendors, and their business partners can otherwise lay claim. The compromise merely restricted their ability to use the W3C's DRM to shut down legitimate activities, like research and modifications, that required circumvention of DRM. It would signal to the world that the W3C wanted to make a difference in how DRM was enforced: that it would use its authority to draw a line between the acceptability of DRM as an optional technology, as opposed to an excuse to undermine legitimate research and innovation.

More directly, such a covenant would have helped protect the key stakeholders, present and future, who both depend on the openness of the Web, and who actively work to protect its safety and universality. It would offer some legal clarity for those who bypass DRM to engage in security research to find defects that would endanger billions of web users; or who automate the creation of enhanced, accessible video for people with disabilities; or who archive the Web for posterity. It would help protect new market entrants intent on creating competitive, innovative products, unimagined by the vendors locking down web video.

Despite the support of W3C members from many sectors, the leadership of the W3C rejected this compromise. The W3C leadership countered with proposals - like the chartering of a nonbinding discussion group on the policy questions that was not scheduled to report in until long after the EME ship had sailed - that would have still left researchers, governments, archives, security experts unprotected.

The W3C is a body that ostensibly operates on consensus. Nevertheless, as the coalition in support of a DRM compromise grew and grew - and the large corporate members continued to reject any meaningful compromise - the W3C leadership persisted in treating EME as a topic that could be decided by one side of the debate. In essence, a core of EME proponents was able to impose its will on the Consortium, over the wishes of a sizeable group of objectors - and every person who uses the web. The Director decided to personally override every single objection raised by the members, articulating several benefits that EME offered over the DRM that HTML5 had made impossible.

But those very benefits (such as improvements to accessibility and privacy) depend on the public being able to exercise rights they lose under DRM law - which meant that without the compromise the Director was overriding, none of those benefits could be realized, either. That rejection prompted the first appeal against the Director in W3C history.

In our campaigning on this issue, we have spoken to many, many members' representatives who privately confided their belief that the EME was a terrible idea (generally they used stronger language) and their sincere desire that their employer wasn't on the wrong side of this issue. This is unsurprising. You have to search long and hard to find an independent technologist who believes that DRM is possible, let alone a good idea. Yet, somewhere along the way, the business values of those outside the web got important enough, and the values of technologists who built it got disposable enough, that even the wise elders who make our standards voted for something they know to be a fool's errand.

We believe they will regret that choice. Today, the W3C bequeaths a legally unauditable attack-surface to browsers used by billions of people. They give media companies the power to sue or intimidate away those who might re-purpose video for people with disabilities. They side against the archivists who are scrambling to preserve the public record of our era. The W3C process has been abused by companies that made their fortunes by upsetting the established order, and now, thanks to EME, they'll be able to ensure no one ever subjects them to the same innovative pressures.

So we'll keep fighting to keep the web free and open. We'll keep suing the US government to overturn the laws that make DRM so toxic, and we'll keep bringing that fight to the world's legislatures that are being misled by the US Trade Representative to instigate local equivalents to America's legal mistakes.

We will renew our work to battle the media companies that fail to adapt videos for accessibility purposes, even though the W3C squandered the perfect moment to exact a promise to protect those who are doing that work for them.

We will defend those who are put in harm's way for blowing the whistle on defects in EME implementations.

It is a tragedy that we will be doing that without our friends at the W3C, and with the world believing that the pioneers and creators of the web no longer care about these matters.

Effective today, EFF is resigning from the W3C.

Thank you,

Cory Doctorow
Advisory Committee Representative to the W3C for the Electronic Frontier Foundation
 
#4 ·
Quote:
Originally Posted by CynicalUnicorn View Post

Mmmmm it'll be great when somebody sees the Pirate Bay profit model (JavaScript crypto miners) and tries it on their own, this time not in plain sight. But if the DRM is standardized, doesn't that make it easier to crack? Even Denuvo is getting cracked within weeks of releases these days.

I give it a week before DRM-protected whitelists are implemented (e.g. only Netflix may push this type of content to me) and a month before it gets cracked wide open.
Denuvo cracked in weeks? They're down to a week now, they're getting better. Also the TPB JS model is too easy to block.

The DRM only applies to video media streams. So no other things can be tied down to the API.
 
#5 ·
Quote:
Originally Posted by Omega X View Post

Denuvo cracked in weeks? They're down to a week now, they're getting better. Also the TPB JS model is too easy to block.

The DRM only applies to video media streams. So no other things can be tied down to the API.
Well, video streams are HTML5, are they not? I can't imagine it's possible to lock this down so only video streams are DRM protected.
 
#7 ·
Can someone ELI5 this for me please?
 
#8 ·
Quote:
Originally Posted by CynicalUnicorn View Post

Well, video streams are HTML5, are they not? I can't imagine it's possible to lock this down so only video streams are DRM protected.
And yet it is. The EME specification is only defined for video streams. The Content Decryption Modules only accept video streams called by JavaScript. Mozilla's HTML members tried to make sure very early that the spec could only be defined for video in a static manner.

Two browser makers HAVE to implement first before it becomes considered for Recommendation. The spec itself is useless without browser maker participation (they are not against making their own consortium like they did with HTML5 before the W3C adopted it). Netflix asked for video protection. Google implemented to keep from getting locked out of Netflix. Microsoft followed. Mozilla resisted up until it was either implement or suffer more user loss, BUT they did it with a restrictive sandbox to protect the browser and users from potential malice.

Quote:
Originally Posted by Shiftstealth View Post

Can someone ELI5 this for me please?
The W3C forcibly approved a HTML5 DRM API for Video streams called Encrypted Media Extensions. The EFF got angry and quit because they didn't reach a consensus like they normally do.
 
#9 ·
Quote:
Originally Posted by Omega X View Post

And yet it is. The EME specification is only defined for video streams. The Content Decryption Modules only accept video streams called by JavaScript. Mozilla's HTML members tried to make sure very early that the spec could only be defined for video in a static manner.

Two browser makers HAVE to implement first before it becomes considered for Recommendation. The spec itself is useless without browser maker participation (they are not against making their own consortium like they did with HTML5 before the W3C adopted it). Netflix asked for video protection. Google implemented to keep from getting locked out of Netflix. Microsoft followed. Mozilla resisted up until it was either implement or suffer more user loss, BUT they did it with a restrictive sandbox to protect the browser and users from potential malice.
Ahhh, gotcha. I figured it could be adapted for general-purpose HTML5.
 
#10 ·
The scoop here is the W3C is only an INDUSTRY body with insanely high membership fees for small or independent contributors, so this is 58% of the massive corporate interests which drive W3C.

They barely convinced half of those with self interest in the proposal that this was sufficiently well designed, 42% of the participants couldn't stomach the risk of damage to the internet.
 
#11 ·
Wait, 58.4% isn't a consensus?

Last time I checked, that's over half.
 
#13 ·
Quote:
Originally Posted by Avonosac View Post

Quote:
Originally Posted by Syan48306 View Post

Wait, 58.4% isn't a consensus?

Last time I checked, that's over half.
Did you forget /s?
A little tongue-in-cheek. Though, 58.4% is indeed still a majority.
 
#14 ·
So explain to me how this could damage the internet.
 
#15 ·
Quote:
Originally Posted by Syan48306 View Post

A little tongue-in-cheek. Though, 58.4% is indeed still a majority.
Yes, but not consensus...

Quote:
Originally Posted by Rayleyne View Post

So explain to me how this could damage the internet.
Short answer: no security research exemptions, it's the same problem which exists in the DMCA, and no clause for responsible disclosure et al. White hats are literally gambling their freedom to 'do the right thing' and hoping the company on the other side is stand-up and not going to charge them with a major federal felony because they CAN and are actively fighting to maintain that right.

The longer answer also includes the point that DRM is in fact impossible but the dream makes content holders sleep better at night. It's easier to put a padlock on the door, than design a perfect gateway which captures payment for access to a string of bits. The callousness and carelessness of the content holders also extends to the point that they don't care about causing damage and inconvenience to the user, in order to put systems in place which live (and annoy / damage) forever but work for a limited time e.g. HDMI's encryption.

But if we have to have it.. and the people with money and content the public wants won't let their content go without it.. it's better to have a few highly vetted, centralized, and continuously maintained implementations than the Flash fiasco. But Tim and others decided to yield to corporate pressure to not reach consensus now on the extremely necessary exceptions to the rules which are being actively abused to silence the little guy, or put 'hackers' like that guy in prison all around the world. That story would be comedy genius if it wasn't actually true, but since it is actually happening, it is a very sad state of affairs when smart people concede to factually wrong rich people / corporations / government desires.

You're giving stupid people with power a huge weapon to silence a large portion of the knowledgeable people fighting to keep systems and people safe.

tl;dr small minded people can't understand the problem, so it must not be a problem.
 
#16 ·
Quote:
Originally Posted by Rayleyne View Post

So explain to me how this could damage the internet.
The gist of their argument is that the DMCA makes it illegal for independent security researchers to find and report security vulnerabilities in DRM, which will result in unchecked exploits in browsers and websites that conform to the new standard.
 
#17 ·
Quote:
Originally Posted by FallenFaux View Post

The gist of their argument is that the DMCA makes it illegal for independent security researchers to find and report security vulnerabilities in DRM, which will result in unchecked exploits in browsers and websites that conform to the new standard.
A fair 40k feet gist, heck even mine is glancing over most of the real details of the problem.

OT: I hate having to explain nuanced reality to people who think in one sentence summaries. You always play this guessing game of how they will interpret your summary and distort the truth from it...
 
#18 ·
Quote:
Originally Posted by Avonosac View Post

A fair 40k feet gist, heck even mine is glancing over most of the real details of the problem.

OT: I hate having to explain nuanced reality to people who think in one sentence summaries. You always play this guessing game of how they will interpret your summary and distort the truth from it...
I think his summary was pretty good.
 
#19 ·
Quote:
Originally Posted by CrazyHeaven View Post

I think his summary was pretty good.
@Avonosac's point is that people asking for summaries to a problem that's as complex and nuanced as HTML5 DRM are at best too simple-minded to research deeply into the controversy, and at worst looking to maliciously deceive other simple-minded people by distorting even the accurate summaries.

It's like GamerGate IMO. There's really no good summary for it, just because there's so many facets of it. Any attempt at a summary usually invokes the ire of one side of the controversy, and it inevitably gets distorted upon retellings due to the bias of whoever reads said summary. The only good way to fully understand such a controversial topic is to do your research, learn all sides of the argument and the inevitable gotchas of each, and make your own informed opinion.

I also believe the same nuance lies with HTML5 DRM. It has a lot of sides: the W3C rushing to make a standard, the political & commercial interests, the EFF's interests, the security expert side, the small-time content producer side, etc. Summarizing it is pretty damn hard, and will inevitably lean in favor of the author's bias.
 
#20 ·
It seems the W3C hasn't learned much since the formation of the WHATWG. It's still running in the wrong direction.
 
#21 ·
Quote:
Originally Posted by randomizer View Post

It seems the W3C hasn't learned much since the formation of the WHATWG. It's still running in the wrong direction.
They like their top-down authority structures, that's for sure. But even that is a nuanced thing to talk about because this stuff is too complicated for 90% of developers, 8% more don't care and the rest are in the club, so in a lot of ways it's true. The problem is they don't spend enough time getting feedback from real people to make sure their assumptions are true.

A lot of the stuff below also applies as a response to your post.
Quote:
Originally Posted by firagabird View Post

@Avonosac's point is that people asking for summaries to a problem that's as complex and nuanced as HTML5 DRM are at best too simple-minded to research deeply into the controversy, and at worst looking to maliciously deceive other simple-minded people by distorting even the accurate summaries.

It's like GamerGate IMO. There's really no good summary for it, just because there's so many facets of it. Any attempt at a summary usually invokes the ire of one side of the controversy, and it inevitably gets distorted upon retellings due to the bias of whoever reads said summary. The only good way to fully understand such a controversial topic is to do your research, learn all sides of the argument and the inevitable gotchas of each, and make your own informed opinion.

I also believe the same nuance lies with HTML5 DRM. It has a lot of sides: the W3C rushing to make a standard, the political & commercial interests, the EFF's interests, the security expert side, the small-time content producer side, etc. Summarizing it is pretty damn hard, and will inevitably lean in favor of the author's bias.
You hit the nail on the head in regards to my point, I thought that was evident but thanks for the backup.

The W3C is concerned because the media holders wouldn't get on board with giving up rights to sue in certain cases for fears of inadvertent loopholes, and undermining their lobbying efforts to get laws passed and changed. They know their position is unreasonable, and they don't want to concede any of it because they have the clout to do so. They exercised this clout on the leadership at W3C and made them operate outside their defined process with absolutely no imperative or cause.

Like stated, there are other facets and reasons to not be 100% happy with the solution. Gamergate was complex and no summary can hold up; however, in this case, of the ~42% of people still at no, about 40% of them is because of the security issue. The security issue is multiple orders of magnitude more severe with potential damage it causes; all the other problems can realistically be improved over time while maintaining backwards compatibility. If W3C had required the security provisions to stay in, and forced the content providers to agree, it would have been an overwhelming consensus and *nobody* but nerds like myself would have ever heard about it. But they wouldn't do that because the majority of the money for W3C comes from the providers who forced this through.

Like I said before, you have to really understand that this is a VERY EXPENSIVE paid membership from industry, so even of the content providers whose self interest was most on the table ~42% had the strength of character to say no to an abusive system.

I honestly could just keep going, but I'll stop here. Either way as a high level developer / architect I'll have work, but it's really depressing to be a part of a system intentionally overreaching to try to achieve the mathematically and logically impossible at great pain to the abused, and no material gain to those who inflict the harm.
 
#22 ·
Quote:
Originally Posted by FallenFaux View Post

The gist of their argument is that the DMCA makes it illegal for independent security researchers to find and report security vulnerabilities in DRM, which will result in unchecked exploits in browsers and websites that conform to the new standard.
Quote:
Originally Posted by Avonosac View Post

Yes, but not consensus...
Short answer: no security research exemptions, it's the same problem which exists in the DMCA, and no clause for responsible disclosure et al. White hats are literally gambling their freedom to 'do the right thing' and hoping the company on the other side is stand-up and not going to charge them with a major federal felony because they CAN and are actively fighting to maintain that right.

The longer answer also includes the point that DRM is in fact impossible but the dream makes content holders sleep better at night. It's easier to put a padlock on the door, than design a perfect gateway which captures payment for access to a string of bits. The callousness and carelessness of the content holders also extends to the point that they don't care about causing damage and inconvenience to the user, in order to put systems in place which live (and annoy / damage) forever but work for a limited time e.g. HDMI's encryption.

But if we have to have it.. and the people with money and content the public wants won't let their content go without it.. it's better to have a few highly vetted, centralized, and continuously maintained implementations than the Flash fiasco. But Tim and others decided to yield to corporate pressure to not reach consensus now on the extremely necessary exceptions to the rules which are being actively abused to silence the little guy, or put 'hackers' like that guy in prison all around the world. That story would be comedy genius if it wasn't actually true, but since it is actually happening, it is a very sad state of affairs when smart people concede to factually wrong rich people / corporations / government desires.

You're giving stupid people with power a huge weapon to silence a large portion of the knowledgeable people fighting to keep systems and people safe.

tl;dr small minded people can't understand the problem, so it must not be a problem.
Yeah this does not look good.
 
#24 ·
Quote:
Originally Posted by Avonosac View Post

Yea, it's not good at all.
For the legal customers anyway...

I think I'll just sit back with a big popcorn and watch them (the industry) struggle with keeping up with the crackers...
DRM never worked and it never will. Adapt or die, it's the basic rule of life. But for some reason governments are keeping the brain dead on life support, when will they say enough and pull the plug?
 
#25 ·
Quote:
Originally Posted by jagdtigger View Post

For the legal customers anyway...

I think I'll just sit back with a big popcorn and watch them (the industry) struggle with keeping up with the crackers...
DRM never worked and it never will. Adapt or die, it's the basic rule of life. But for some reason governments are keeping the brain dead on life support, when will they say enough and pull the plug?
Nope, even bad for them.. because it adds a privileged attack surface for attacks to get remote code execution on your machine. It isn't that DRM won't be successful, it's that you can't have white hats attacking it for security vulnerability concerns.
 
#26 ·
Quote:
Originally Posted by Avonosac View Post

Nope, even bad for them.. because it adds a privileged attack surface for attacks to get remote code execution on your machine. It isn't that DRM won't be successful, it's that you can't have white hats attacking it for security vulnerability concerns.
Good thing the first thing I did was switch it off. Hopefully there will be at least one browser that won't have it included.
 