Security researchers: the W3C's DRM needs to be thoroughly audited

Encrypted Media Extensions (EME), part of a DRM system that's being standardized at the World Wide Web Consortium (W3C), marks the first instance in which a W3C standard will fall under laws like the DMCA, which let companies threaten security researchers with criminal and civil liability just for disclosing the defects in these products.
The Electronic Frontier Foundation has asked the W3C to extend its existing policies (which ban members from using patent rights to attack those who implement W3C standards) to cover these DMCA rights, but so far, the organization has not adopted these rules.

Security researchers, privacy experts, and technology professionals from all over the world have signed an open letter to the W3C asking it to reconsider. In the meantime, EME has progressed through the W3C to "candidate recommendation" stage, just days after an Israeli security researcher divulged that Google's version of EME has had serious flaws, possibly latent since 2010, that no one had reported (Israel is one of the world's few developed nations without a law like the DMCA).

EFF is calling on security researchers to audit all the existing implementations of EME, to ensure that they perform as advertised, that their sandboxes don't have lurking escapes, and that they can't be used to launch attacks on users:

In the meantime, we urge the security research community to subject all EME implementations to the closest possible scrutiny. The black hats who are already doing this are not bound by fear of the DMCA, and they are delighted to have an attack surface that white hats are not allowed to investigate in detail.

Even with this handicap, white hats discover serious vulnerabilities. Every discovery proves the need to let researchers examine the full scope of possible security flaws. If you are investigating a system or wish to disclose a flaw and need legal advice, please contact our intake address.
A Call to the Security Community: The W3C's DRM Extension Must Be Investigated
[Cory Doctorow/EFF]