WTF is up with the W3C, DRM and security bods threatened – we explain
Five years on, attempts at compromise on web standards still fueling fights
Analysis A lengthy battle over the inclusion of digital rights management as a Web standard is coming to a head, with a set of new guidelines planned for early March.
Those guidelines will include the latest attempt at compromise between pragmatists and idealists over how to allow control of content online without undermining the central concept of a free and open internet.
On March 2, the World Wide Web Consortium (W3C) will publish details of its new vulnerability disclosure program, closely followed by a "call for review" from its director, Tim Berners-Lee, that intends to protect security researchers from being sued if they dig into the black box of code that makes digital rights management (DRM) possible.
It is a messy compromise, and one that some are still not happy with, but it is progress on an issue that has set the W3C against itself for five years.
It is also a proxy for a much broader fight: between corporations that want to be able to protect their content, and internet engineers opposed to commercialization of the internet who want to protect the open internet in an era of closed systems.
Stuck in the middle is the W3C itself – torn between the desire to produce common standards for the contemporary internet and the risk that it may be undermining its very reason for existing. Both sides' positions are entirely understandable.
The case for DRM
As many, including the W3C executive team, have repeatedly pointed out, DRM already exists online and is used every day by millions of people – the best-known examples of such systems being Silverlight and Widevine. Typically, this content protection is achieved by browser plugins, although browser companies are increasingly including DRM systems as a standard.
What the W3C wants to achieve through its Encrypted Media Extensions (EME) to HTML5's HTMLMediaElement is to avoid the need for plugins. Instead there will be a standard API that automatically discovers and handles third-party protected content.
Result: everyone is on the same page, huge collective broader benefits, fewer compatibility issues – you know, the rationale for every standard ever created. The EME idea was officially born in February 2012, and Tim Berners-Lee gave it his blessing in September 2013 (it was "within scope," he decided).
EME exists and is in fact already included in many browsers, but its status remains only as a proposed recommendation rather than a full one. Mozilla somewhat grumpily agreed to add EME in May 2015. And just a few months later, Microsoft disowned its own DRM system in preference to an HTML5 standard.
The truth is that even the fiercest critics of DRM watch Netflix on their computers. And most of them would prefer a safer, more secure internet. Anything that moves people away from streaming video using a security disaster like Adobe's Flash to a standard that can be properly audited and updated has to be a good thing.
But then, back in June, a big hole was discovered in Widevine and those opposed to DRM leapt on it as an example of where the rationale for having a Web standard falls down. Without some kind of legal protection for security researchers, they argued, it would be impossible to dig into DRM systems to look for bugs and so, they claimed, security benefits would disappear.
The idea was born – with somewhat of a wink – that if the W3C required all members to agree not to sue security researchers if they dug into DRM systems, then the standard could proceed.
Of course, what the companies that wish to use DRM saw was them being asked to make it legal for people to hack their systems and circumvent the protections. And so a kind of impasse developed.
Sponsored: Becoming a Pragmatic Security Leader