Open Source Initiative says standards aren't open unless they protect security researchers and interoperability

The Open Source Initiative, a nonprofit that certifies open source licenses, has made an important policy statement about open standards.

The OSI's new document, Principles of DRM Nonaggression for Open Standards, addresses standards bodies that take up DRM, as the World Wide Web Consortium has been doing, rather controversially. The problem is that DRM is protected by laws like the DMCA, which prohibit breaking DRM even for legitimate reasons, such as making interoperable products or doing basic security research. This is the opposite of how open standards are supposed to work: an open standard should be implementable by anyone, and there should be no barriers to improving it by pointing out security problems with it.

At the W3C, I've worked with the Electronic Frontier Foundation to propose a solution to this: a nonaggression covenant that requires members to promise not to invoke the DMCA to stop interoperability or security work. Members would still be able to shut down "bad guys" using the whole spectrum of legal rights made for that purpose: copyright, torts, trade secrets, etc. They would give up only the right to take action against people who circumvent DRM without engaging in any other conduct that conflicts with the law.

The Open Source Initiative agreed with this approach, and they've adopted it as a principle, saying that DRM standards only qualify as open under their definition if they adopt a covenant like the one we've proposed at the W3C:

An "open standard" must not prohibit conforming implementations in open source software. (See Open Standards Requirement for Software).

When an open standard involves content restriction technology commonly known as Digital Rights Management (DRM)—either directly specifying an implementation of DRM or indirectly consuming or serving as a component within DRM technology—the laws in some jurisdictions against circumvention of DRM may hinder efforts to develop open source implementations of the standard. In order to make open source implementations possible, an open standard that involves DRM needs an agreement from the standards body and the authors of the standard not to pursue legal action for circumvention of DRM. Such an agreement should grant permission to:

circumvent DRM in implementations of the open standard

distribute implementations of the open standard, even if the implementation modifies some details of the open standard

perform security research on the open standard or implementations of the open standard, and publish or disclose vulnerabilities discovered

Principles of DRM Nonaggression for Open Standards
[Open Source Initiative]

Standards Are Only Open If They Protect Security and Interoperability
[Cory Doctorow/EFF]