A DRM standard has been approved for the web, and security researchers are worried

Combination Lock (Flickr) Photo: Sh4rp_i / Flickr

The standards body for the web has approved a system for handling DRM-protected video after a long and controversial debate — one that security researchers and open web advocates vow to continue.

The new standard is called EME, or Encrypted Media Extensions, and it allows DRM systems to hook directly into your browser. That way, Netflix and other streaming video services can protect their shows and movies without making users install annoying, often insecure plugins like Flash or Silverlight. On that note, it’s a win. But in other ways, EME’s approval has a lot of people concerned.

Researchers and open web advocates worry that by approving this standard, W3C, the World Wide Web Consortium, is giving major browser developers and content providers too much power over what users and researchers can do. “This will break people, companies, and projects,” Cory Doctorow writes on the Electronic Frontier Foundation (EFF)’s blog.

Doctorow calls out a few specific points that have come up in the five-year-long debate over whether this standard should be approved. One is that there’s no protection for security researchers — in the US, breaking DRM, even for otherwise legal purposes, can be a crime, and the fact that EME doesn’t do anything about that keeps security researchers exposed to prosecution.

There are also accessibility and competitive concerns. There are no exemptions here that would allow computers to scan videos and automate work like generating subtitles and translations or identifying strobing lights to produce warnings for people with epilepsy. EME doesn’t standardize decryption either, and Doctorow writes that companies developing browsers may have to license decryption components, making it harder for new browsers to enter the market.

For its part, W3C disagrees with a lot of these concerns. In a note about the standard’s approval, web creator Tim Berners-Lee and W3C project manager Philippe Le Hégaret write that they believe EME is better for accessibility, because it complies with other web accessibility standards, and that having DRM support built into the web, instead of requiring plugins, makes life easier for browser developers. Berners-Lee also argues that EME provides more privacy protections for viewers, because it gives browsers control over how much information is sent back to the streaming provider.

As for adding protections for security researchers, Berners-Lee and Le Hégaret write that they didn’t want to hold up the standard just because all parties couldn’t come to agreement on this issue. Their solution here is not particularly comforting. “We also recommend that [organizations using DRM and EME] not use the anti-circumvention provisions of the Digital Millennium Copyright Act (DMCA) and similar laws around the world to prevent security and privacy research on the specification or on implementations,” they write.

To understand the schism here between two parties that ostensibly both want web openness, the key is to recognize what they’re viewing as the alternative. The EFF dislikes DRM entirely and, if it has to be implemented, would like to see a much more open solution. W3C seems to have decided that since DRM is going to get used anyway, the web may as well standardize and avoid security horrors like Flash.

“Could [video services] put the content on the web without DRM? Well, yes, for a huge amount of video content is on the web without DRM,” Berners-Lee wrote in February. “It is only the big expensive movies where to put content on the web unencrypted makes it too easy for people to copy it, and in reality the utopian world of people voluntarily paying full price for content does not work.”

Even though EME was approved this week, the battle isn’t quite over. Doctorow says the EFF intends to appeal the W3C’s decision — though he notes the appeals process has never been used successfully.

It’s also not entirely clear how much of a change we’re in for now that EME is approved. Even though it’s only been finalized as a standard this week, major browsers have supported a working version of EME for years now — by the end of 2015, it was in Chrome, Firefox, Safari, Internet Explorer, and Edge. And websites like Netflix have been using it to securely deliver HTML5 video.

That suggests that the web probably isn’t going to see huge changes because of this approval, or at least nothing immediate. But as the EFF points out, there are plenty of places where the W3C could have done more to push content providers to open up. The W3C even notes that “additional work in some areas [of the standard] may be beneficial for the future of the” web. Though for now, it isn’t saying much about what it’d like to see.