Security researchers: help EFF keep the Web safe for browser research!

With the Electronic Frontier Foundation, I've been lobbying the World Wide Web Consortium (W3C), which sets the open standards that the Web runs on, to take measures to protect security researchers (and the users they help) from their own bad decision to standarize Digital Rights Management as part of HTML5.


The W3C decided to incorporate DRM into HTML5 despite the calls from public interest groups, free software developers, security researchers and others. Now, we're trying to get them to take the minimum steps necessary to prevent the worst harms from DRM.

The problem with DRM isn't (just) the way it interferes with lawful activities — it's that laws like America's DMCA (and the foreign versions that the US trade rep has rammed down the world's throats) make security researchers vulnerable to legal retaliation from companies when they come forward with vulnerabilities, because the DMCA lets them sue people who weaken DRM, and revealing vulns does just that.

We've proposed a simple step to protect researchers: we've asked W3C members who're making the DRM to sign a legally binding agreement not to use the DMCA or its international equivalents against security researchers.

The proposal is under consideration right now, and we're looking for security researchers who'll endorse it. If you're a researcher and you're willing to go on the record, get in touch with me.

EFF has proposed a way for the W3C to have its DRM cake without eating its security researchers, too. We've written a short, simple "covenant," a binding promise that W3C members would have to sign as a condition of continuing the DRM work at the W3C, and once they do, they not be able to use the DMCA or laws like it to threaten security researchers.

Tomorrow's browsers are supposed to be the universal interface for all of our automated systems, from medical implants to vehicles. The world's security researchers need to know that companies won't have the ability to gag them with legal threats when they embarrass companies by revealing their mistakes.

Free software advocates picketed a recent W3C meeting to call on the organization to reform its DRM work, and the Open Source Initiative says it won't consider a DRM standard to be "open" unless it adopts an agreement modelled on ours.

Its time for the W3C to hear from you, the security researchers whose future it holds in its hands.

Security Researchers: Tell the W3C To Protect Researchers Who Investigate Browsers
[EFF]