In March, the World Wide Web Consortium (W3C) unveiled a proposed recommendation that would extend the Internet standards organization’s HTML5 standard to incorporate Encrypted Media Extensions (EME), a specification which provides a communication channel between web browsers and digital rights management (DRM) agent software. The proposed new standard has raised a bit of controversy among Internet industry groups despite a reasoned argument from W3C founder and Internet pioneer Tim Berners-Lee that the move allows W3C to remain as the leading consortium for setting Internet standards.
Media outlets have already balked at the W3C proposal. British tech publication The Register has published an article outlining criticism of the new standard, incorrectly characterizing the W3C’s actions as formally putting forward a “highly controversial digital rights management as a new web standard;” EME does enable communication between browsers and DRM agents, but it is not DRM itself. Part of the legitimate concern which is raised by The Register surrounds the legality of security research under the provisions of laws such as the Digital Millennium Copyright Act (DMCA). Section 1201 of the DMCA is the provision regarding violations for circumventions of technological measures and its purported effects on good faith security research have struck some controversy. These concerns are also on display in an article published by the science magazine New Scientist which more correctly describes the difference between EME and DRM.
The official proposed recommendation published by W3C would enable browser script in application programming interfaces (APIs) to select content protection mechanisms, control license/key exchanges and execute custom license management algorithms. The resulting API can be used to discover, select and interact with a wide variety of DRM systems, from simple systems relying on clear key decryption to more complex systems for high-value video.
As often happens when there’s any proposed change that could affect any consumer access of digital content, a flurry of opposition from industry groups tends to kick up a lot of dust on the issue. Some industry organizations, like the Free Software Foundation (FSF) or the Electronic Frontier Foundation (EFF), are religiously opposed to DRM and are zealous in their conviction that the W3C’s proposal “is simply a back door for media companies to require proprietary player software.” Although EFF doesn’t don the same tinfoil hat which adorns the head of FSF’s argument, EFF closely equates EME with DRM by noting that “there’s no useful role for EME without a DRM system.”
Whether or not Internet stakeholders are happy with the impacts of DRM, Berners-Lee argues that opposing such measures is not the province of the W3C, which is a standards-setting organization and not an enforcement agency. In a post written by Berners-Lee and published on the W3C blog February 28th, he notes that vendors would likely create third-party applications for DRM even if the W3C doesn’t adopt EME into the HTML5 standard:
If the Director Of The Consortium made a Decree that there would be No More DRM in fact nothing would change. Because W3C does not have any power to forbid anything. W3C is not the US Congress, or WIPO, or a court. It would perhaps have shortened the debate. But we would have been distracted from important things which need thought and action on other issues.”
A great deal of digital content uploaded to various World Wide Web applications is unencrypted, as Berners-Lee notes. It’s those developers of high-quality video content, like major movie production studios, which prefer stringent DRM techniques to keep digital content from proliferating throughout the Web. Baking EME directly into the HTML5 standard is optimal for Internet users because the EME system can sandbox DRM code to limit damage to the user’s system, in the case of malicious DRM code, as well as damage to the user’s privacy. Publication of digital content using a DRM scheme implemented through EME only lets a publisher see that a user watched a movie while publishing content through a third-party app like an iPhone app could allow publishers to persuade users for access to calendar data or other information stored on the device.
In a fact sheet on EME, W3C addresses the concerns over good faith security research being illegal in certain jurisdictions. In a statement issued November 2015, the W3C Technical Architecture Group (TAG) resolved that “W3C policy should assure that… broad testing and audit continues to be possible, as it is necessary to keep both design and implementation quality high.” Elsewhere, an article published early March by computer tech publication Ars Technica points out disingenuous viewpoints in the argument made by both EFF and FSF against EME implementation. Even as those organizations celebrate the reduced footprint of third-party DRM available through Flash or Silverlight, the Ars Technica writer notes that content providers are working with app platforms like iOS or Android, which have DRM measures native to their proprietary APIs. “In other words, the alternative to using DRM in browser plugins on the Web is not ‘abandoning DRM;’ it’s ‘abandoning the Web,’” Ars Technica writer Peter Bright argues.