The World Wide Web Consortium's Encrypted Media Extensions (EME) is a DRM system for web video, being pushed by Netflix, movie studios, and a few broadcasters. It's been hugely controversial within the W3C and outside of it, but one argument that DRM defenders have made throughout the debate is that the DRM is optional, and if you don't like it, you don't have to use it. That's not true any more.
Some time in the past few days, Google quietly updated Chrome (and derivative browsers like Chromium) so that Widevine (Google's version of EME) can no longer be disabled; it comes switched on and installed in every Chrome instance.
Because of laws like section 1201 of the US Digital Millennium Copyright Act (and Canada's Bill C11, and EU implementations of Article 6 of the EUCD), browsers that have DRM in them are risky for security researchers to audit. These laws provide both criminal and civil penalties for those who tamper with DRM, even for legal, legitimate purposes, and courts and companies have interpreted this to mean that companies can punish security researchers who reveal defects in their products.
Dozens of W3C members — and hundreds of security professionals — have asked the W3C to amend its policies so that its members can't use EME to silence security researchers and whistleblowers who want to warn web users that they are in danger from security vulnerabilities in browsers.
So far, the W3C has stonewalled on this. This weekend, the W3C executive announced that it would not make such an agreement part of the EME work, and endorsed the idea that the W3C should participate in creating new legal rights for companies to decide which true facts about browser defects can be disclosed and under what circumstances.
Barriers to disclosure ensure that defects linger. Google's now-mandatory Widevine had a critical flaw for six years, which was only reported because a researcher from Israel, the only industrialized nation that doesn't have a law protecting DRM, published his findings.
Other browsers make W3C DRM optional for now. Brave explicitly allows you to turn it off and warns you about using it.
Chrome Widevine DRM can no longer be disabled [Hacker News]
Please allow disabling Widevine/EME again [Bugs/Chromium.org]
