The World Wide Web Consortium is the premier open standards organization for the web, with a long history of recommendations and policies that ensure that anyone can make and improve the web's core technologies. But since 2013, the W3C has been standardizing the Encrypted Media Extension, a DRM to allow server-side messages to override users' commands to their computers. That effort has grave legal implications for security researchers who discover flaws in the next generation of browsers.
The Electronic Frontier Foundation is a nonprofit that's been defending the rights of users and the programmers who serve them since before the web. We've got a proposal to help the W3C live up to its ideal of defending the open web, and privacy and security experts like you can help us make it happen.
At root is the Digital Millennium Copyright Act. When Congress passed the DMCA in 1998, security experts sounded the alarm about the act's Section 1201, the "anti-circumvention" rule that made it a felony to remove an "effective access control" for a copyrighted work (commonly known as "DRM"). The rule is so broadly worded that it allowed companies to sue security researchers who revealed defects in their products on the grounds that knowledge of a programmer's error could help someone bypass the DRM.
It didn't take long for the act to send a security researcher to jail: Dmitry Sklyarov was arrested in 2001 for giving a presentation at a technology conference about the flaws in Adobe's ebook DRM. Moreover, the law doesn’t only impact research on traditional DRM systems like DVD-CSS, but also research on all kinds of technological protection measures, even those that have nothing to do with inhibiting copyright infringement.
Last summer, the U.S. Copyright Office solicited comments on problems with DMCA 1201, and heard from some of the nation's most respected security researchers, from Bruce Schneier to Steve Bellovin (formerly chief technologist at the Federal Trade Commission, now the first technology scholar for the Privacy and Civil Liberties Oversight Board), and Ed Felten (now White House Deputy Chief Technology Officer).
The researchers spoke as one to say that the DMCA has chilled them from reporting on flaws in technologies from cars and tractors to medical implants to voting machines.
The W3C's decision to standardize DRM puts it on a collision course with this legal system. The U.S. Trade Representative has exported versions of the DMCA to most of the U.S.'s trading partners, meaning that web users all over the world face the risk that the flaws in their browsers will go unreported because researchers fear retaliation from vendors who want to avert commercial embarrassment (and even legal liability) when those flaws come to light.
EFF would prefer that the W3C not standardize DRM at all: anything that makes it easier for companies to attack security researchers is not good for the open web. But since the W3C rejected that proposal, we've offered a compromise: asking the W3C to extend its existing policy on IPRs to protect security researchers.
Since its earliest days, the W3C has required its members to promise not to use their patents to attack people implementing W3C standards. Under our proposal, this rule would grow to encompass DMCA 1201 anti-circumvention aggression. Thus, a condition of participating in DRM standardization at the W3C would be a legally binding promise not to use the DMCA to threaten security researchers.
Security researchers from the top of the field and from all over the world have signed an open letter to the W3C asking them to adopt our suggestion. Today, I'm asking you to consider doing the same.
You'll find the letter at:
Get in touch with me, Cory Doctorow, at cory@eff.org to sign on. Please include the country and institutional affiliation (if any) you'd like to see alongside your name.
photo credit: Circuit Board via photopin(license)