Google quietly makes "optional" web DRM mandatory in Chrome

The World Wide Web Consortium's Encrypted Media Extensions (EME) is a browser API that lets web video pages hand playback over to DRM modules (Content Decryption Modules, or CDMs), and it is being pushed by Netflix, movie studios, and a few broadcasters. It's been hugely controversial within the W3C and outside of it, but one argument that DRM defenders have made throughout the debate is that the DRM is optional, and if you don't like it, you don't have to use it. That's no longer true.

Some time in the past few days, Google quietly updated Chrome (and browsers derived from its Chromium codebase) so that Widevine (Google's DRM module, which Chrome exposes to web pages through EME) can no longer be disabled; it ships switched on and installed in every Chrome instance.

Because of laws like section 1201 of the US Digital Millennium Copyright Act (and Canada's Bill C11, and EU implementations of Article 6 of the EUCD), browsers that have DRM in them are risky for security researchers to audit. These laws provide both criminal and civil penalties for those who tamper with DRM, even for legal, legitimate purposes, and courts and companies have interpreted this to mean that companies can punish security researchers who reveal defects in their products.

Dozens of W3C members -- and hundreds of security professionals -- have asked the W3C to amend its policies so that its members can't use EME to silence security researchers and whistleblowers who want to warn web users that they are in danger from security vulnerabilities in browsers.

So far, the W3C has stonewalled on this. This weekend, the W3C executive announced that it would not make such an agreement part of the EME work, and endorsed the idea that the W3C should participate in creating new legal rights for companies to decide which true facts about browser defects can be disclosed and under what circumstances.

Barriers to disclosure ensure that defects linger. Google's now-mandatory Widevine carried a critical flaw for six years, which was only reported because a researcher from Israel, the only industrialized nation without a law protecting DRM, published his findings.

Other browsers make W3C DRM optional for now. Brave explicitly allows you to turn it off and warns you about using it.
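Whether a browser actually exposes Widevine to web content is something you can check yourself rather than take on trust. The probe below is an added example, not code from this article, from Google or from the Chromium project: `navigator.requestMediaKeySystemAccess` is the standard EME entry point, the key-system names (`com.widevine.alpha` for Widevine, `org.w3.clearkey` for the spec-mandated Clear Key system), the codec in the test configuration and the stub navigator are assumptions constructed for illustration so the probe also runs offline.

```javascript
// Added example: probe which EME key systems a browser exposes to web content.
// Paste into a devtools console, or pass a navigator-like object for offline use.
// Key-system names and the test configuration are illustrative assumptions.
const KEY_SYSTEMS = ['com.widevine.alpha', 'org.w3.clearkey'];

// Minimal configuration: a common H.264 profile with CENC init data.
// A rejection only means "not available under THIS configuration"; a more
// demanding codec or robustness level could be rejected even where DRM is on.
const PROBE_CONFIG = [{
  initDataTypes: ['cenc'],
  videoCapabilities: [{ contentType: 'video/mp4; codecs="avc1.42E01E"' }],
}];

// Returns { keySystem: true|false } for each key system in `keySystems`.
async function probeKeySystems(nav, keySystems = KEY_SYSTEMS) {
  const result = {};
  if (!nav || typeof nav.requestMediaKeySystemAccess !== 'function') {
    // EME is not exposed at all (very old browser, or compiled out).
    for (const ks of keySystems) result[ks] = false;
    return result;
  }
  for (const ks of keySystems) {
    try {
      const access = await nav.requestMediaKeySystemAccess(ks, PROBE_CONFIG);
      result[ks] = access.keySystem === ks;
    } catch (err) {
      // NotSupportedError: key system unavailable, or DRM switched off.
      result[ks] = false;
    }
  }
  return result;
}

// Human-readable summary, one line per key system.
function formatReport(result) {
  return Object.keys(result)
    .map((ks) => `${ks}: ${result[ks] ? 'available' : 'not available'}`)
    .join('\n');
}

// Constructed stub of a browser that supports only the listed key systems,
// mimicking the resolve/reject behaviour of the real EME call.
function makeStubNavigator(supported) {
  return {
    requestMediaKeySystemAccess(keySystem, configs) {
      if (supported.includes(keySystem)) {
        return Promise.resolve({ keySystem, getConfiguration: () => configs[0] });
      }
      const err = new Error('Unsupported keySystem or supportedConfigurations.');
      err.name = 'NotSupportedError';
      return Promise.reject(err);
    },
  };
}

// In a real page, run against the live navigator and print the report.
if (typeof navigator !== 'undefined' &&
    typeof navigator.requestMediaKeySystemAccess === 'function') {
  probeKeySystems(navigator).then((r) => console.log(formatReport(r)));
}
```

In Chrome after this change you should see Widevine reported as available with no setting that flips it; in a browser that lets you switch DRM off, re-running the probe after toggling the setting is the quickest way to confirm the toggle actually does what it claims. Note the caveat in the comments: a rejection proves only that the key system is unavailable for that configuration, so treat a negative as "not available as configured", not as proof that no CDM is installed.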

Chrome Widevine DRM can no longer be disabled [Hacker News]

Please allow disabling Widevine/EME again [Bugs/]

Notable Replies

  1. IIRC, it's the other way round: Chrome is built on Chromium.

    Also IIRC, Chromium is open-source, so I'm guessing/hoping a fork with optional (or no) EME will appear shortly. (This does not, of course, excuse Google's actions.)

  2. Can Chromium be built without EME support?

  3. lrf says:

    Aren't we almost at the point where nobody "needs" a browser for Netflix anymore? Let the content vendors build their own apps with whatever DRM they want and leave the browsers alone?

  4. Update: Don't be REALLY evil.

  5. They already do that. The app is called Adobe Flash, which happens to run inside your web browser. The problems are that Adobe Flash is a festering pile of security vulnerabilities held together with spit and string, that it is not usable on mobile, and that it is being deprecated, along with all other plugins, on every desktop web browser, both because of security concerns and because it's horribly power inefficient. Flash was stillborn on mobile and it is dying on PCs. Aside from browser games, it gets used mainly for delivering ads and DRMed media content through a web browser. Ad companies are happy to switch to HTML5. Media companies, not so much.

    Cory and the EFF have the noble but quixotic goal of destroying DRM. Hollywood has the goal of not getting napsterized by file sharing, and they have latched onto DRM as an essential tool in their quest to avoid the fate of the music industry. Lost in the battle between these two is the W3C.

    The W3C's goals are to finish killing Adobe Flash and to keep Hollywood media content from departing the open web and being delivered solely through siloed apps. Adobe Flash is a complete programming language (which is why it is such a malware playground). Maybe 0.1% of it gets used by Netflix to provide the Hollywood-mandated DRM. So the W3C is creating an API (basically a stripped down plugin protocol) for interfacing with a media decrypter package (that does nothing but decryption, so it's 0.1% the size of Flash and inherently far more secure), said package to be provided by the media companies.

    Cory and the EFF have declared war on the W3C for the mortal sin of being pragmatic and saying, well, DRM isn't going away anytime soon, but meanwhile we need to get rid of Flash and we need to enable the companies who insist on DRM to deliver their stuff over the open web so they don't go app-only.
