The W3C, DRM, and future of the open web

JM Porup's long, thoughtful article on the W3C's entry into the DRM standardization game gives a sense of the different forces that are pushing one of the open web's staunchest allies into a disastrous compromise: the competition that siloed apps present to open-web browsers, the debts of the W3C, the relentless pressure from the entertainment industry to redesign browsers to do a corporation's bidding, rather than the user's.

This is a fight I've been intimately and exhaustingly involved with, having built a coalition of dozens of W3C members from different industries (cryptocurrency, browser vendors, information security), accessibility organizations, security researchers, other standards development organizations, and other multistakeholder bodies, to urge the W3C to create some basic protections for people who legitimately bypass DRM, for example, to make a browser more accessible to people with visual disabilities.

The W3C's initial position was that this wasn't its problem, and besides, it may not even be a problem at all because the laws that protect DRM didn't protect its standard (but have thus far declined to make this assertion legally binding).

Then they took the position that this may be a problem, but they couldn't dictate which legal rights its members should exercise -- even when those legal rights were created by the standardization of DRM -- despite the organization's longstanding, central position to the contrary.

The latest tactic is to treat the creation of a new right to sue people whose activities would be legal (save for the W3C's standards) as a feature, not a bug: the W3C has proposed the development of voluntary, nonbinding principles that members could choose to adhere to in deciding when to sue people for otherwise legal behavior.

This is nearly the opposite of EFF's proposal: rather than telling its members what they should do, the W3C is creating guidelines intended to control what security researchers do, though the security researchers involved are not members of the W3C, don't have a seat at the table, and overwhelmingly reject this approach.

The base position of the W3C should be that true facts about defects in products are always presumptively legal to disclose. It is obvious that any defender of the "open" web should take all steps to preserve the right of people to tell the truth about risks to web users from defective software.

Likewise, the W3C should take the position that the rights of accessibility organizations to modify technology to make it better for people with disabilities should not be subject to approval from corporations -- even if a quirk of a badly drafted system of copyright laws inadvertently confers the ability to forbid such activities upon corporations. There are plenty of things that accessibility activists could do to improve EME, and except for the DRM involved, they would be free to do so without having to negotiate with the lawyers for giant entertainment, tech and DRM companies. The W3C can restore their right to do so by making its members agree not to use the rights its standards create this way.

Finally, innovators should be allowed to do otherwise legal things that make products better, even if the products' original makers don't like it. This principle was key to the creation of browsers themselves, not to mention the legitimate marketplace for copyrighted works, cable television, and some of the 21st century's great copyright success stories.

EFF's proposal lets W3C members sue companies that directly or indirectly commit copyright infringement, that steal their trade secrets, that interfere with their contracts and so on -- all the rights every legislature in the world has granted to them. What it ends is the ability of W3C members to abuse the law to invent new offenses that no legislature has ever created, things that these companies would prefer, but don't have the rights to, and turn them into legal obligations.

This is a substantial compromise. In EFF's view, the W3C shouldn't be making DRM, period. Rather than insisting on this, we've come more than halfway, saying, "Make DRM, but for heaven's sake, don't do so in a way that gives corporations the right to create private laws and wield them against security whistleblowers, blind people and new competitors."

The fact that the largest corporations on the W3C's roster reject this compromise should be setting off alarm-bells for all of us.

Led by Cory Doctorow at the EFF, they proposed a compromise in the form of a DRM Circumvention Nonaggression Covenant. If adopted, all members of the W3C would agree not to sue security researchers working on browsers.

There is precedent for such a proposal. One of the main benefits of corporate membership in the W3C is that it serves as a patent pool. Members donate their patents to the W3C patent pool, and receive free licences to other members' patents in return. Members agree not to sue each other for patent violation, and the Web as a whole benefits from the collective innovation of W3C members.

"The non-aggression pact for patents inspired us,” says Doctorow. “So we crafted a covenant as a participant in DRM standardisation: 'I promise not to use the DMCA to attack people whose only unlawfulness relates to circumvention.'"

The covenant, to the disappointment of many anti-DRM advocates, was not well received. Doctorow speculates that companies fear that vulnerabilities discovered by security researchers would be used by others who might want to bypass DRM to violate copyright.

"We're asking the W3C to tell browser makers not to sue people," Doctorow explains, "and the members so far have refused to go along with this, and they can't explain why. I think that if you ask people not to sue security researchers, and they say 'we won't make that promise,' it's because they'd like to retain that right. There's something desperately wrong there."

A battle rages for the future of the Web [JM Porup/Ars Technica]

A battle rages for the future of the Web [JM Porup/Ars Technica]