EFF blasts plans to build DRM into HTML5

The Electronic Frontier Foundation has weighed in on the growing controversy over the proposal to build DRM into HTML5, the next version of the standard language for building Web pages and applications. Staff technologists Seth Schoen and Peter Eckersley have written a great essay explaining how this kind of work is totally incompatible with the mission of the W3C and how its proponents' insistence that this isn't really DRM are just hollow jokes:

The EME proposal suffers from many of these problems because it explicitly abdicates responsibilty on compatibility issues and let web sites require specific proprietary third-party software or even special hardware and particular operating systems (all referred to under the generic name "content decryption modules", or CDMs, and none of them specified by EME). EME's authors keep saying that what CDMs are, and do, and where they come from is totally outside of the scope of EME, and that EME itself can't be thought of as DRM because not all CDMs are DRM systems. Yet if the client can't prove it's running the particular proprietary thing the site demands, and hence doesn't have an approved CDM, it can't render the site's content. Perversely, this is exactly the reverse of the reason that the World Wide Web Consortium exists in the first place. W3C is there to create comprehensible, publicly-implementable standards that will guarantee interoperability, not to facilitate an explosion of new mutually-incompatible software and of sites and services that can only be accessed by particular devices or applications. But EME is a proposal to bring exactly that dysfunctional dynamic into HTML5, even risking a return to the "bad old days, before the Web" of deliberately limited interoperability.

Because it's clear that the open standards community is extremely suspicious of DRM and its interoperability consequences, the proposal from Google, Microsoft and Netflix claims that "[n]o 'DRM' is added to the HTML5 specification" by EME. This is like saying, "we're not vampires, but we are going to invite them into your house".

Proponents also seem to claim that EME is not itself a DRM scheme. But specification author Mark Watson admitted that "Certainly, our interest is in [use] cases that most people would call DRM" and that implementations would inherently require secrets outside the specification's scope. It's hard to maintain a pretense that EME is about anything but DRM.

Defend the Open Web: Keep DRM Out of W3C Standards (via /.)

See also:

* HTML5's overseer says DRM's true purpose is to prevent legal forms of innovation

* Why Tim Berners-Lee is wrong about DRM in HTML5



  1. God, I skipped the “blasts” in the title: “EFF plans to build DRM into HTML5″ – WTF?

  2. Architecturally, if the hooks that allow the browser to communicate with the ‘CDM’ are in-scope, the W3C should basically just throw up their hands and declare absolutely anything that can paint pixels within a browser window to be a ‘web standard’ and call it a day.

    1. Time-to-crack for DRM systems varies a bit, the same would presumably be true here, for various different CDMs.

      Perhaps more insidiously, though, the EME design(see the diagram) allows for CDMs that, in practice, more or less entirely replace the browser for the purposes of a given video, which would make a plugin-based attach much more challenging as well as bringing back the wonderful world of arbitrary-stuff-embedded-in-webpages, just like the good old days of flash, shockwave, java, and activex at every turn.

      (The phrases of special concern are, bottom left and bottom right, respectively, “CDM may use or defer to platform capabilities” and “CDM implementations may return decrypted frames or render them directly”. So, the EME ‘standard’ really boils down to a few bits of javascript boilerplate to wrap around a CDM that could be, and quite possibly will be, a platform specific, or even hardware-based, black-box  DRM module that handles everything except downloading the encrypted video. It’s honestly rather breathtaking in its hostility to all things web.)

  3. This is the same W3C that states its goal as constantly breaking a significant percentage of websites in pursuit of the higher goal of absolute standardization and compatability.

  4. Here is the warning that I might need to disable my popup blocker.  I am using the latest Safari on the latest OS X.  And, indeed, I can’t login without going to preferences and unchecking pop up blocking.

      1. I always have to turn off Ghostery (a tracker blocker) to post anything here, although Disqus itself is white listed.

Comments are closed.