Why Tim Berners-Lee is wrong about DRM in HTML5

My latest Guardian column is "What I wish Tim Berners-Lee understood about DRM," a response to the Web inventor's remarks about DRM during the Q&A at his SXSW talk last week.

Additionally, all DRM licence agreements come with a set of "robustness" rules that require manufacturers to design their equipment so that owners can't see what they're doing or modify them. That's to prevent device owners from reconfiguring their property to do forbidden things ("save to disk"), or ignore mandatory things ("check for regions").

Adding DRM to the HTML standard will have far-reaching effects that are incompatible with the W3C's most important policies, and with Berners-Lee's deeply held principles.

For example, the W3C has led the world's standards bodies in insisting that its standards are not encumbered by patents. Where W3C members hold patents that cover some part of a standard, they must promise to license them to all comers without burdensome conditions. But DRM requires patents or other licensable elements, for the sole purpose of adding burdensome conditions to browsers.

The first of these conditions – "robustness" against end-user modification – is a blanket ban on all free/open source software (free/open source software, by definition, can be modified by its users). That means that the two most popular browser technologies on the Web – WebKit (used in Chrome and Safari) and Gecko (used in Firefox and related browsers) – would be legally prohibited from implementing whatever "standard" emerges from the W3C.

What I wish Tim Berners-Lee understood about DRM


  1. If I had a column, I would write one titled “Why Cory Doctorow is right about DRM in HTML5 – and DRM in general.”

  2. And now the real question is: which way is the wind blowing at W3C? Is this really a threat, or is it the pony on the media industry Christmas list?

  3. “the urinary tract infection business model”?  awesomely nasty turn of phrase.

    This isn’t really my field of expertise, but I’d like to know more about why (or IF) the W3C’s encrypted media extension would be considered kosher as a DRM solution for publishers.

    It’s being used to allow Samsung Chromebooks to play Netflix movies (and really THAT is the use case gold standard for DRM, isn’t it?).

    1. “Implementation of Digital Rights Management is not required for compliance with this specification: only the simple clear key system is required to be implemented as a common baseline.”

      So, no, it wouldn’t be enough.  It just requires that clients be able to receive encrypted content, receive a key, and use the latter to decrypt the former.  It places no restrictions on what can be done with the decrypted content.

      That could have some nice benefits – for instance, a vendor could store large volumes of encrypted data with an inexpensive cloud storage provider, and keep and control the keys on a more secure, and hence more expensive, platform.  The keys could even be controlled entirely by clients, so the clients can save money on storage and backup infrastructure, and still be sure that the encryption & decryption keys never left their control, or left their legal jurisdiction, etc.

      DRM would require that the clients accept a set of restrictions along with the key, indicating what actions the client must refuse to take on behalf of the user.  And, the client must not be modifiable by the user so as to cause it to ignore the restrictions  (i.e. it must not be open source).

    1. And this person purports to know something about the media? One can peek at an unlimited variety of tits for free these days.

  4. I think Berners-Lee’s position is not that he loves DRM, but if it’s going to exist, better it be an open royalty-free standard. Cory seems confident that any non-W3C proprietary standard would fail anyway, so there’s no need to dance with the devils; but maybe Tim knows something we don’t? (Also, yes, Flash is failing, but many suffered in the ten year death rattle.) Hence, this is a question of pragmatics: how does one calculate the likelihood of various alternatives and their merits/demerits?

    1. I don’t understand your comment. How do you make an “open royalty-free standard” for DRM? Did you read the article?

  5. A coworker of mine recently finished refurbishing an old X-ray diffraction machine. Shortly after he got it working, the dongle for the interlock control software crapped out, and, as the company that made it is long defunct, there was no way to get a new one. My first thought was “no problem, I can whip up an interlock in an afternoon,” until he pointed out that if my interlock failed, it could kill someone. Fortunately, we were able to find someone who managed to crack the software to work without a dongle. This made me think, though, that for academic institutions, there should be a universal clause in the spec in a call for bids stipulating that the control software for lab equipment must not have any copy protection whatsoever.

    1. I find it utterly unacceptable that DRM technologies and products can be legally sold without having a “system obsolete, deactivate DRM” key.  Then the key would be published when the original manufacturer drops or ceases to support the product.

      While you might argue that DRM should never exist, this seems like a minimal modern “fair use” requirement.

      1. I really think that’s quite a brilliant idea.  I have no idea how to get it publicized or picked up, but it’d be wonderful to see your idea implemented.

  6. So the proposed DRM effectively lets a website lock down your browser using the DRM tools, right?

    What happens when a malicious website uses this DRM to obscure malicious code, or simply forces a pop-over video ad you can’t close or block?

    I’m sure there are untold numbers of ways malicious sites could exploit even the best designed HTML DRM. Flash’s only advantage is that it’s containerized, while HTML5 and JavaScript are much less controllable.
