How standardizing DRM will make us all less secure

After decades of fighting for open Web standards that let anyone implement software to receive and render online data, the World Wide Web Consortium changed course and created EME, a DRM system that locks up video in formats that can only be played back with the sender's blessing, and which also gives media giants the power to threaten and sue security researchers who discover bugs in their code.

The Electronic Frontier Foundation proposed a W3C policy that would have prevented its members from using DRM law to silence security researchers, but the body rejected it. As a result, the future of HTML will include elements that give companies the legal power to censor vital information about security flaws.

What will this mean for the Web? One example is the critical bugs in a CCTV system that were disclosed earlier this year by a researcher who'd spent two years trying to get the vendor to respond to his bug-reports. If that system had used EME, the researcher's alarm-call would have exposed him to brutal criminal and civil liability — meaning we might never have learned that the code in more than 70 vendors' CCTV systems could be hijacked by criminals to spy on the systems' owners.

Which brings us back to Rotem Kerner and TVT. Digital locks, like the ones that W3C's EME proposal call for, are just the sort of thing an organization might look for in its security systems. After all, many regulators impose strict limits on how long security videos may be retained, and insurers write policies for their customers that require that they purge their surveillance data after a set period, to limit their liability in the event of a breach. A system like EME could be a godsend for head offices that want to set policy on the security systems in all their nationwide branches, causing stored video to become inaccessible after the retention period, backstopping the existing regime of compliance audits.

CCTV and video recorders that include EME or other digital locks could effectively become off-limits to the sort of important disclosures that Kerner made last month. A researcher coming forward about vulnerabilities in a system that includes EME could risk criminal and civil punishments.

It doesn't have to be this way. EFF asked the W3C to adopt a legally binding policy that would prohibit its members from invoking anti-circumvention law against security researchers. Enough W3C members agreed with us that the group working on EME wasn't able to renew its charter. But after three months of discussion, with no agreement in hand, the executive of the W3C decided to let the EME work continue without any safeguards for security research.

The lack of consensus on this issue suggests that some technology companies want to preserve their ability to use the DMCA to shut down embarrassing disclosures. After decades of removing impediments to implementing core Web technology, the W3C is now on its way to creating a new impediment to the open Web, one that will expose users to untold security risks.

Standardized DRM Will Make Us Less Safe