The World Wide Web Consortium has been co-opted into standardizing a DRM scheme for letting entertainment companies control your browser; what’s more, they’ve rejected even basic safeguards for competition, changing the browser landscape in a way that threatens the kind of disruptive innovation that gave us the Mozilla project and the Firefox browser.
This system, “Encrypted Media Extensions” (EME) uses standards-defined code to funnel video into a proprietary container called a “Content Decryption Module.” For a new browser to support this new video streaming standard – which major studios and cable operators are pushing for – it would have to convince those entertainment companies or one of their partners to let them have a CDM, or this part of the “open” Web would not display in their new browser.
This is the opposite of every W3C standard to date: once, all you needed to do to render content sent by a server was follow the standard, not get permission. If browsers had needed permission to render a page at the launch of Mozilla, the publishers would have frozen out this new, pop-up-blocking upstart. Kiss Firefox goodbye, in other words.
The W3C didn’t have to do this. No copyright law says that making a video gives you the right to tell people who legally watch it how they must configure their equipment. But because of the design of EME, copyright holders will be able to use the law to shut down any new browser that tries to render the video without their permission.
That’s because EME is designed to trigger liability under section 1201 of the Digital Millennium Copyright Act (DMCA), which says that removing a digital lock that controls access to a copyrighted work without permission is an offense, even if the person removing the lock has the right to the content it restricts. In other words, once a video is sent with EME, a new company that unlocks it for its users can be sued, even if the users do nothing illegal with that video.
We proposed that the W3C could protect new browsers by making their members promise not to use the DMCA to attack new entrants in the market, an idea supported by a diverse group of W3C members, but the W3C executive overruled us saying the work would go forward with no safeguards for future competition.
It’s even worse than at first glance. The DMCA isn’t limited to the USA: the US Trade Representative has spread DMCA-like rules to virtually every country that does business with America. Worse still: the DMCA is also routinely used by companies to threaten and silence security researchers who reveal embarrassing defects in their products. The W3C also declined to require its members to protect security researchers who discover flaws in EME, leaving every Web user vulnerable to vulnerabilities whose disclosure can only safely take place if the affected company decides to permit it.
Bad news for the web in general if American companies control world DRM policies. Especially the security flaws. Good news for black hats and criminals though…