WTF is up with the W3C, DRM and security bods threatened – we explain
Five years on, attempts at compromise on web standards still fueling fights
Corps menacing researchers for finding security holes
The new guidelines due March 2 hope to break that impasse by creating a "Responsible Vulnerability Disclosure" program that would give security researchers a free pass if they disclose any holes they find (confidentially to companies at first and then after a set period of time, publicly). That leaves the door open to corporations to sue anyone who finds a security hole and produces software that bypasses protections.
The program was, unsurprisingly, developed by Netflix. And Netflix, Microsoft and Google are the key drivers behind EME in the first place.
It is this slow, gradual wearing away of the arguments and excuses by large corporations that is especially galling to those who see themselves as the defenders of the free and open internet.
The sad truth is that the W3C relies on the membership fees it receives to function – there is no broad-base financial support that exists without them. As such, some see the persistent push of DRM as a creeping commercialization of an organization that was set up specifically to ensure that the internet did not become the plaything of huge corporations.
Some feel very passionately about the issue. For example, one W3C staffer, Harry Halpin, publicly exclaimed back in April 2016 that he would resign if a DRM standard ever becomes a W3C recommendation.
Other high-profile individuals in the internet standards world – including director of the MIT Media Lab, Joi Ito, and founder of the Free Software Foundation, Richard Stallman – have come out as critics of standardizing a system of content control. The controversy over the issue even prompted the W3C to write a lengthy "factsheet" on the topic last year.
All about Tim
But with the argument coming to a head, many are looking to W3C director and inventor of the World Wide Web, Tim Berners-Lee, for guidance.
Three years later, he again avoided taking a stance on the issue, punting a decision on whether to extend the EME's development timeline to the W3C's Advisory Committee. That was excitedly taken by some to indicate that Berners-Lee was opposed to the introduction of DRM as a standard – but in all reality, it is more likely he was trying to stay neutral on the topic.
When he has spoken on the issue, Berners-Lee has struck a careful line, but one that nonetheless points to the introduction of DRM.
"If content protection of some kind has to be used for videos, it is better for it to be discussed in the open at W3C, better for everyone to use an interoperable open standard as much as possible, and better for it to be framed in a browser which can be open source, and available on a general purpose computer rather than a special-purpose box," he argued.
Already the signs of an acceptance argument have started emerging: without the EME standard, some W3C representatives have pointed out, there would not have been several important improvements in DRM software surrounding privacy and other controls.
If the W3C can find a middle ground between the corporations that want full control and full knowledge on the one hand, and tech idealists who view any form of DRM as a dangerous step toward a closed internet on the other, it can argue with some justification that it has done its job.
And you can bet Tim Berners-Lee is ready and waiting to give that speech. ®