Reply All covers DRM and the W3C

In the latest episode of Reply All, a fantastic tech podcast, the hosts and producers discuss the situation with DRM, the future of the web, and the W3C — a piece I've been working on them with for a year now.


The issue is a complicated and eye-glazingly technical one, and they do a genuinely excellent job presenting the story. Inevitably, there's some nuance lost in the translation, and so here's a bit more, for people who are interested.

The story talks about DRM as an anti-piracy technology. I think that's just wrong, though DRM advocates walk a confusing line on this question. They freely admit that DRM can be broken by skilled attackers, and that dishonest people can just access versions of movies or songs or whatever that the DRM-breakers have stripped the DRM off of (the Reply All host starts off by describing how he hits all kinds of problems with DRM on movies he pays for, leading him to download easy-to-find cracked versions).

So if DRM isn't anti-piracy, what is it? DRM isn't really a technology at all, it's a law. Specifically, it's section 1201 of the US DMCA (and its international equivalents). Under this law, breaking DRM is a crime with serious consequences (5 years in prison and a $500,000 fine for a first offense), even if you're doing something that would otherwise be legal. This lets companies treat their commercial strategies as legal obligations: Netflix doesn't have the legal right to stop you from recording a show to watch later, but they can add DRM that makes it impossible to do so without falling afoul of DMCA.

This is the key: DRM makes it possible for companies to ban all unauthorized conduct, even when we're talking about using your own property in legal ways. This intrudes on your life in three ways:

1. It lets companies sue and threaten security researchers who find defects in products

2. It lets companies sue and threaten accessibility workers who adapt technology for use by disabled people

3. It lets companies sue and threaten competitors who want to let you do more with your property — get it repaired by independent technicians, buy third-party parts and consumables, or use it in ways that the manufacturer just doesn't like.

How do we know that companies only want DRM because they want to abuse this law, and not because they want to fight piracy? Because they told us so. At the W3C, we proposed a compromise: companies who participate at W3C would be allowed to use it to make DRM, but would have to promise not to invoke the DMCA in these ways that have nothing to do with piracy. So far, nearly 50 W3C members — everyone from Ethereum to Brave to the Royal National Institute for Bind People to Lawrence Berkeley National Labs — have endorsed this, and all the DRM-supporting members have rejected it.

In effect, these members are saying, "We understand that DRM isn't very useful for stopping piracy, but that law that lets us sue people who aren't breaking copyright law? Don't take that away!"

The Director of the W3C, web inventor Tim Berners-Lee, wrote recently about why he supports DRM standardization, an odd step that it hard to understand, really: the leaders of the DRM standardization committee at the W3C have asked Berners-Lee to consult with his members to ask whether they want to see this DRM standard published. Instead, he appears to be telling us what decision he plans on coming to, regardless of how that consultation goes.

#90 Matt Lieber Goes To Dinner [Reply All/Gimlet]