W3C DRM working group chairman vetoes work on protecting security researchers and competition

For a year or so, I've been working with the EFF to get the World Wide Web Consortium to take steps to protect security researchers and new market-entrants who run up against the DRM standard they're incorporating into HTML5, the next version of the key web standard.

At issue is the DMCA and its global equivalents, which impose daunting penalties on those who break DRM, even for legal reasons — whether that's investigating privacy and security risks or making a competitive new product that does completely legal things. Once DRM is part of a full implementation of HTML5, there's a real risk to security researchers who discover defects in browsers and want to warn users about them, and for new companies hoping to compete by offering features and products that the incumbents don't choose to implement.

As a compromise that lets the W3C continue the work without risking future web users and companies, we've proposed that the W3C members involved should agree on a mutually acceptable binding promise not to use the DMCA and laws like it to shut down these legitimate activities — they could still use it in cases of copyright infringement, just not to shut down activity that's otherwise legal.

Linux Weekly News reports on the latest turn of events: I proposed that the group take up the discussion before moving to recommendation, and the chairman of the working group, Microsoft's Paul Cotton, refused to consider it, writing, "Discussing such a proposed covenant is NOT in the scope of the current HTML Media Extensions WG charter."

The group's charter is up for renewal in September, and many W3C members have agreed to file formal objections to its renewal unless some protection is in place. I'll be making an announcement shortly about those members and suggesting some paths for resolving the deadlock.

The LWN writeup is an excellent summary of the events so far, but parts of the story can't be told because they took place in "member-confidential" discussions at the W3C. I've tried to make EFF's contributions to this discussion as public as possible in order to bring some transparency to the process, but alas the rest of the discussion is not visible to the public.

If you're a security/privacy pro who wants to do something about this, please consider signing on to this open letter to the W3C.

To be fair, the group's purpose is to write the specification, and there appears to be pressure from other working groups at the W3C to wrap the process up. Such pressure exists, even if for no other reason, because finishing the EME specification would finally complete the work of the original HTML Working Group, of which the current Media Extensions group is the last remaining vestige. Still, one could be forgiven for finding the general unresponsiveness of list subscribers to be a source of serious frustration. If, as it seems, the group members themselves cannot be persuaded to entertain calls to adopt a nonaggression covenant, the EFF has another tactic available: appealing to the W3C Advisory Committee instead.

The Advisory Committee is part of the W3C's permanent governance structure; it consists of one representative from each W3C member organization. Doctorow is the EFF representative, and he posted an open letter to other representatives, asking them to commit to supporting the EFF's move to make the DMCA nonaggression covenant an exit condition for the Media Elements working group. It is unlikely, the letter states, that the group will have completed the EME specification by September, so another charter renewal decision will have to be made.

It is difficult to handicap the EFF's odds of success. The previous attempt to force adoption of a nonaggression pact gained a fair amount of support, but may have simply been overruled by W3C leadership. Keeping the pressure on will in all likelihood allow the EFF to pick up additional allies, but whether or not it can force the W3C's executive leadership team to reconsider may be a different question entirely.


Encrypted Media Extensions and exit conditions
[Nathan Willis/LWN]