How Netflix is driving permanent, terrible, standards-defined insecurity for billions of browser users

The New Scientist has published a good piece on Encrypted Media Extensions, the World Wide Web Consortium's proposed standard for adding DRM to video streams. The W3C is creating its first-ever standard that is encompassed by laws protecting DRM (such as the DMCA), and in so doing, it's creating new liability for security researchers, who'll face unprecedented criminal and civil liability just for reporting defects in browsers.

This is dangerous stuff. The Electronic Frontier Foundation offered a significant compromise to the W3C: make DRM standards if you must, but amend your membership agreement so that W3C members can't use this standard as a legal weapon, one that gives them the power to censor true reports of defects in their products.

After strong pushback from a minority of members who represent giant media and DRM firms, the W3C decided not to do this. Instead, they're creating feel-good/do-nothing "voluntary guidelines" that legitimize the idea of members being able to use W3C work to get the power to muzzle their critics, then ask those members to choose not to abuse those powers.

The New Scientist story lays the responsibility for this on Netflix and its "Hollywood partners," claiming that the industry effectively threatened to boycott browsers and give apps an unbeatable edge by making them the sole way of viewing "premium" videos.

While you could opt out of using a plugin, the push for DRM in browsers means companies – and users – soon won't have a choice, says Halpin. The development of the technology has largely been driven by film studios and distribution companies, which require companies like Netflix to restrict who can view their films, he says. "Hollywood won't even give Netflix access to content without DRM."

If a browser doesn't have DRM, it can't support Netflix. And that's not an option for a browser that wants to remain competitive. "The loser is likely to be innovation," says Ross Anderson at the University of Cambridge.

W3C members, which include the industry's major players as well as smaller charities and activist groups, have until 13 April to share their thoughts about the proposed standard. W3C director and World Wide Web creator Tim Berners-Lee will respond to objections and make a final decision about whether to approve EME as a web standard.

No DRM, no Netflix
[Matt Reynolds/New Scientist]