The Web is 25 today, and its inventor, Tim Berners-Lee, has called for a "Magna Carta" for the Web, through which the people of the world will articulate how they want to curtail their governments' adversarial attacks on Internet freedom. Berners-Lee is particularly concerned with the Edward Snowden revelations about mass surveillance and systematic government sabotage of Internet security.
I'm delighted to see Berners-Lee tackling this. Everything we do today involves the Web and everything we do tomorrow will require it; getting Web policy right is the first step to getting everything else right.
I hope that this also signals a re-think of Berners-Lee's endorsement of the idea of standardizing "digital rights management" technology for Web browsers through the W3C. The majority of the Web's users live in a country in which it is illegal to report on vulnerabilities in DRM, because doing so might help to defeat the DRM's locks. The standardization of DRM in the deep structures of the Web means that our browsers will become reservoirs of long-lived, critical bugs that can be used to attack Web users -- just as Web users are massively expanding the activities that are mediated through their browsers.
If we are to have a Web that is fit for a free and fair world, it must be a Web where researchers are free to warn users about defects in their tools. We wouldn't countenance a rule that banned engineers from telling you if your house was structurally unsound. By standardizing DRM in browsers, the W3C is setting in place rules that will make it virtually impossible to know if your digital infrastructure is stable and secure.
When you watch Netflix videos in the Chrome browser, the service disables Chrome's developer console, a debugging and programming tool that gives you transparency and control over what your browser is doing. The Hacker News thread explains that this is sometimes done in order to stop an attack called "Self-XSS" that primarily arises on social media sites, where it can cause a browser to leak nominally private information to third parties. But in this case, the "Self-XSS" attack Netflix is worried about is very different: they want to prevent browser owners from consciously choosing to run scripts in the Netflix window that subvert Netflix's restrictions on video.
This is the natural outflow of the pretense that "streaming" exists as a thing that is distinct from "downloading" -- the idea that you can send a stream of bytes to someone else's computer without the computer being able to store those bytes. "Streaming" is at the heart of "rental" business models like Netflix's, and there's nothing wrong with the idea of rental per se. But the only way to attain "rental" with computers is to design computers so that their owners can't give them orders that the landlords disagree with. You have to change the computer and its software so that you can't see what it's doing and can't change what it's doing.
Your browser is a portal to your whole social life, your financial life and your work life, entrusted with the most potentially compromising secrets of your life. Anything that allows third parties to make it harder for you to figure out what the browser is doing, or to prevent it from doing something you don't want, should be a non-starter. As soon as a powerful entity like Netflix comes to depend on -- and insist on -- computers that owners can't control, that company is doing something wrong. Not because rentals are bad, but because taking away owner control from computers is bad.
This is why it's such a big deal that Netflix has convinced Microsoft, Apple, and Google to build user-controlling technology into their browsers, and why it's such a big deal that Microsoft, Apple, and Google have convinced the W3C to standardize this for all devices with HTML5 interfaces. Any time we allow the discussion to be sidetracked into "How can Netflix maximize its revenue by enforcing rental terms?" we're missing the real point, which is, "How can people be sure that their browsers aren't betraying them?"
Netflix disables use of the Chrome developer console (pastebin.com)
The work at the World Wide Web Consortium (W3C) on adding DRM to HTML5 is one of the most disturbing developments in the recent history of technology. The W3C's mailing lists have been full of controversy about this ever since the decision was announced.
Most recently, a thread in the restricted media list asked about the requirements for DRM from the studios -- who have pushed for DRM, largely through their partner Netflix -- and discovered that these requirements are secret.
It's hard to overstate how weird this is.
An excellent editorial by Simon St. Laurent on O'Reilly Programming asks what the open Web has gained from the World Wide Web Consortium's terrible decision to add DRM to Web-standards. As St. Laurent points out, the decision means that programmers are now under threat of fines or imprisonment for making and improving Web-browsers in ways that displease Hollywood -- and in return, the W3C has extracted exactly zero promises of a better Web for users or programmers.
As the Internet comes to grips with the news that the World Wide Web Consortium has decided to press ahead with DRM in HTML5, here's a timely strip from the Flea Snobbery webcomic (excerpted above).
Kyre sez, "The Free Culture Foundation has posted a thorough response to the most common and misinformed defenses of the W3C's Extended Media Extensions (EME) proposal to inject DRM into HTML5. They join the EFF and FSF in a call to send a strong message to the W3C that DRM in HTML5 undermines the W3C's self-stated mission to make the benefits of the Web 'available to all people, whatever their hardware, software, network infrastructure, native language, culture, geographical location, or physical or mental ability.' The FCF counters the three most common myths by unpacking some quotes which explain that 1.) DRM is not about protecting copyright. That is a straw man. DRM is about limiting the functionality of devices and selling features back in the form of services. 2.) DRM in HTML5 doesn't obsolete proprietary, platform-specific browser plug-ins; it encourages them. 3.) the Web doesn't need big media; big media needs the Web.
There is also a new coalition of 27 internet freedom companies and groups standing up to the W3C."
Don’t let the myths fool you: the W3C’s plan for DRM in HTML5 is a betrayal to all Web users.
John from the Free Software Foundation sez,
Hollywood is making yet another attempt to lock down the Web. Undeterred by SOPA's failure, Hollywood is conspiring with tech giants like Microsoft, Google, and Netflix to try to influence the World Wide Web Consortium (W3C). A proposal currently under consideration at W3C would *build accommodation for Digital Restrictions Management (DRM) into HTML itself.* The W3C's job is to keep the Web working for everyone; building DRM into HTML would be a dramatic departure from the NGO's mission.
Today a coalition, organized by the Free Software Foundation and including EFF and Creative Commons, released a joint letter to the W3C condemning the proposal. The coalition is also asking Web users to send a message to W3C by signing a petition.
The coalition says, "Ratifying EME would be an abdication of responsibility; it would harm interoperability, enshrine nonfree software in W3C standards and perpetuate oppressive business models. It would fly in the face of the principles that the W3C cites as key to its mission and it would cause an array of serious problems for the billions of people who use the Web."
I wrote about this in detail in the Guardian in March.
Keep DRM out of Web standards -- Reject the Encrypted Media Extensions (EME) proposal
Ian Hickson, the googler who is overseeing the HTML5 standard at the W3C, has written a surprisingly frank piece on the role of DRM. As he spells out in detail, the point of DRM isn't to stop illegal copying, it's to stop legal forms of innovation from taking place. He shows that companies that deploy DRM do so in order to prevent individuals, groups and companies from innovating in ways that disrupt their profitability:
The purpose of DRM is to give content providers leverage against creators of playback devices.
Content providers have leverage against content distributors, because distributors can't legally distribute copyrighted content without the permission of the content's creators. But if that was the only leverage content producers had, what would happen is that users would obtain their content from those content distributors, and then use third-party content playback systems to read it, letting them do so in whatever manner they wanted.
Here are some examples:
A. Paramount make a movie. A DVD store buys the rights to distribute this movie from Paramount, and sells DVDs. You buy the DVD, and want to play it. Paramount want you to sit through some ads, so they tell the DVD store to put some ads on the DVD labeled as "unskippable".
Without DRM, you take the DVD and stick it into a DVD player that ignores "unskippable" labels, and jump straight to the movie.
This is the first third of my recent Guardian column, What I wish Tim Berners-Lee understood about DRM, but there are two other important points to make, apropos the W3C: