In an 11 March 2017 article for the Guardian, Tim Berners-Lee — the inventor of the world wide web — posits three changes that must be made to save his progeny:
- Regain control of our personal data
- Slow the spread of misinformation
- Make political advertising transparent
All well and good. By all means I hope Berners-Lee has set his Web Foundation on those three tasks.
The inventor of the web supports DRM on the web
But interestingly, Berners-Lee makes no mention of another threat to the future of the web, one every bit as dangerous and menacing: The addition of digital rights management (DRM) to the HTML5 standard. It’s especially interesting because the DRM implementation for HTML5 — Encrypted Media Extensions (EME) — has been pushed by the usual suspects (and some unexpected and downright surprising ones as well) for the last four years.
One of the most unexpected and surprising supporters of EME is Berners-Lee himself.
On 28 February 2017, Berners-Lee, who is also the director of the World Wide Web Consortium (W3C), the international standards organization for the web, unflinchingly endorsed EME on the official W3C blog:
“The question which has been debated around the net is whether W3C should endorse the Encrypted Media Extensions (EME) standard which allows a web page to include encrypted content, by connecting an existing underlying Digital Rights Management (DRM) system in the underlying platform. Some people have protested ‘no,’ but in fact I decided the actual logical answer is ‘yes.’ As many people have been so fervent in their demonstrations, I feel I owe it to them to explain the logic. …”
Except his logic is circular at best, boiling down to the essential explanation that because DRM and copyright law exist, so too must EME exist. Because we have to save the web and “… because the W3C is not a court or an enforcement agency. W3C is a place for people to talk, and forge consensus over great new technology for the web.” Like EME.
DRM always brings the DMCA with it
The glaring problem that Berners-Lee is ignoring is that once DRM is involved at any level, the Digital Millennium Copyright Act (DMCA) is automatically triggered. The DMCA’s anti-circumvention provision can be used as a cudgel with which to threaten, suppress, and legally flatten security researchers to keep them from disclosing flaws in any DRM implementation. The Electronic Frontier Foundation (EFF) warned of this in a 29 March 2016 article by Cory Doctorow.
Only now is the W3C beginning to consider a formal disclosure policy that just might maybe offer some protection to security researchers.
One way out
Rather than embrace DRM in any form (including EME), the better, cleaner, more elegant, and yes, more honorable, approach available to the W3C was to simply refuse to incorporate any form of DRM in the HTML5 standard. But it decided to do the opposite in 2013 and now that four-year-old mistake is coming due in the form of the W3C’s moving the EME specification to a proposed recommendation. The W3C advisory committee’s review period runs until 13 April 2017. The committee has three available options:
- Accept the EME specification in its entirety, making it a full W3C recommendation
- Revert the EME specification to candidate recommendation status requiring further improvement
- Revert the EME specification to working group note status, basically abandoning it
The first of the three options is far and away the most likely. All of the major browsers already implement draft versions of the EME specification, and Adobe, Google, and Microsoft all have EME-compatible back-end software.
Bet the farm and all the animals on a new, unwelcome addition to the HTML5 standard.