Digital Rights Management back in the spotlight after controversial W3C vote — but what does it mean for you and me?

Petrus Malherbe
Custos Media Technologies
10 min read · Sep 21, 2017

In a not wholly unexpected move, the Electronic Frontier Foundation (EFF) recently announced in an open letter penned by Advisory Committee Representative to the W3C for the EFF, Cory Doctorow, that the organisation has resigned from the World Wide Web Consortium (W3C).

This follows a well-publicized disagreement between the digital rights group and the W3C regarding the latter’s decision to publish Encrypted Media Extensions (EME) as a standard. EME allows for DRM-protected content published online to be decoded by web browsers without the need for plugins. According to the W3C, EME allows for a better user experience, is more secure and improves stability.

“If you’re going to watch encrypted content, it is safer in the browser where the security and privacy are provided rather than downloaded as an app,” director of the W3C, Tim Berners-Lee, said in a recent statement. “Some parts of the web are free, and some are for pay. It’s understandable that certain producers incurring huge costs to produce their content are not prepared to release them without protection.”

However, as a group fighting for civil liberties, the EFF wasn’t pleased with this decision at all, arguing for a compromise to be reached to address its concerns. The leadership of the W3C decided against this, despite widespread support from many of their members.

“In our campaigning on this issue, we have spoken to many, many members’ representatives who privately confided their belief that the EME was a terrible idea (generally they used stronger language) and their sincere desire that their employer wasn’t on the wrong side of this issue,” Cory Doctorow wrote in his scathing letter published online. “You have to search long and hard to find an independent technologist who believes that DRM is possible, let alone a good idea.”

To better understand the reasons behind the EFF’s decision, what exactly the inclusion of the EME standard entails and how it will affect the average internet user, we’ve spoken with G-J van Rooyen, CEO of Custos Media Technologies.

Listen to the full interview with G-J here, or read the slightly shortened transcript below.

What exactly is the W3C consortium?

It stands for World Wide Web Consortium and is really a body that standardises the language that browsers use online to show you the pages that you view and allows you to interact with Twitter and Facebook and all of the other applications you use.

Consumers have a choice in which browser they want to use and you want to make sure they all speak the same language. So the W3C is headed by the inventor of the world wide web, Sir Tim Berners-Lee, and they’re a huge consortium of various industry stakeholders that regularly get together and plan the evolution of the protocol of web browsers. They have a very broad membership that includes universities and big companies like Twitter, Google and Facebook, research organisations, infrastructure providers — so it’s really a very complex and large organisation.

So what type of decisions do they make that affect everyday internet users like you and me?

A practical example of what the W3C would decide about is what elements are allowed within a web page. This allows for a web designer to know how they’ll put together a form that lets you fill something into the browser. And more recently with the evolution of the web away from the original idea of just hypertext to becoming a very rich interactive media, how to embed things like graphics and audio and 3D video and things like that into the browsing experience. However, in reality, all browsers tend to implement their own subset of the W3C’s standards, which makes consistent web design quite a challenge.

So whatever the W3C says is not necessarily enforceable?

It’s not law. It’s a standardisation body that tries to align the different stakeholders and these stakeholders are involved with this alignment process. But in the end, it’s the browser makers that decide what they want to do. And not all browsers subscribe to the W3C standards. A good few years ago Apple and the Mozilla Foundation (the makers of Firefox) split away from the W3C and formed their own standards body. So if you have a web browser that uses WebKit, it’s built around a different set of standards. So it’s not a single process that makes the laws of what’s happening on the web.

So who is the Electronic Freedom Foundation (EFF) that just resigned from the W3C?

They’re a very long-established internet civil liberties organisation. They came from the realisation during the early days of the web that our existing legislation and law enforcement are woefully unequipped to deal with the electronic era. And they became a body that stands up for civil rights in this internet era and helps people and lawmakers and law enforcement agencies to navigate the complexity of this new era.

They fight against outdated laws and practices; act as a friend of the court in cases involving internet freedoms. They were instrumental in improving encryption standards back in the day. They pointed to vulnerabilities in the old encryption status, including DDS. And it was their way to point out these vulnerabilities that can affect regular consumers that led to the adoption of a new encryption standard. They have a very strong freedom agenda: that you and I should have some guarantee of privacy online; that we can decide what we want to view online and have access to content.

In that vein, they are often quite vehemently opposed to things like Digital Rights Management (DRM) that contain or restrict access to certain types of web content or try to stop people from accessing certain parts of the so-called “open web”.

And it’s exactly DRM that’s causing this major issue between the EFF and the W3C?

Yes. DRM tends to be a big issue whenever it comes up. And as you know we here at Custos also have a pretty strong stance when it comes to DRM. It’s something that quite often has a very negative impact on the end consumer.

So DRM is where a content owner restricts access to that content so that only licensed users can view a video or listen to audio or access software. The usual criticism against DRM is first, as the EFF would be quick to point out as well as us from Custos’ side often tell our clients and prospective clients, DRM is ineffective against exactly the thing it’s supposed to bring, which is protection against piracy. No matter how hard you try to lock something up within a DRM protected container, somebody will be able to get out the content and redistribute it. Even if it’s as primitive as just rerecording a video with another recording device while it’s playing on the screen. There’s always a way of getting the content out of the DRM.

“DRM is ineffective against exactly the thing it’s supposed to bring, which is protection against piracy.” — G-J van Rooyen

So DRM provides little guarantee of actually preventing piracy, while at the same time having far-reaching effects on how people can consume content and can access content in a fair way. In the days of analogue media, there was a well-established law regarding fair use rights of media. So if I wanted to record a television show on a VHS tape to watch it later, that wasn’t copyright infringement. Because fair use said I can displace my content in time and place to watch at another time; it’s not infringing on anyone’s rights. DRM is often so restrictive you can’t really do that kind of thing.

But content owners and distributors consider it a necessary evil because in this digital era it’s often seen as the only way to provide some sort of protection at least. However, the EFF’s objection to something like DRM is that it’s largely ineffective and it’s very overreaching. And they didn’t want to see DRM become a full-fledged part of the web standard.

But how is the W3C planning to make DRM part of the web standard?

Something that gets lost in the media coverage and discussion around the issue is that most of the major browsers already have this standard — the Encrypted Media Extensions (EME) — that was voted on now. Chrome, Internet Explorer, Firefox, Safari, Edge — all of these have EME inside them.

So if you go to Netflix or to Showmax and you click on play, the video starts streaming. That is a DRM-protected video being played through the EME extension. This extension receives the encrypted stream and decrypts it at the point that it’s being played. And it prevents you from downloading the video to your hard drive.

To me, that sounds like a good thing? Are there any advantages or disadvantages to it?

The good argument for EME is in the old days of Netflix you had to install a special plugin to be able to watch something. So third-party DRM tools were created to help protect the content up to the point where the end-user starts viewing. Or you might have been required to install a separate application on your computer, tablet or phone in order to watch the protected media.

The argument for EME and the majority of the W3C’s members is that it’s better to have a standard that specifies how these encrypted media extensions work and have it inside a well-controlled browser environment than have any third-party plugin or free-standing application potentially take full control of your computer.

So what the modern browsers do that support EME, is they run it in a very constrained environment so that when Netflix, for example, has an extension that enforces their digital rights, it can’t access parts of your hard drive. Whereas a stand-alone plugin would be able to do that. So the majority of the W3C’s standpoint was that if we are going to have DRM, do it in a standardised way; put it inside a browser in a way that everyone can do just what they’re supposed to be doing. From a very pragmatic “I just want to watch a video on Hulu” point of view, it’s non-intrusive technology.

“So the majority of the W3C’s standpoint was that if we are going to have DRM, do it in a standardised way.”

From a security standpoint, it does have issues, and these are the things the EFF was quite angry about. Because of the legislative environment especially in the United States with the Digital Millennium Copyright Act (DMCA), for example, it’s illegal to bypass any type of DRM. So if I’m a security researcher and I want to check whether a content provider’s EME module is secure or doesn’t leak personal information or anything like that, I’m not allowed to bypass the DRM even for testing or for security reasons.

There have been cases where vulnerabilities in DRM-related applications were only discovered by researchers in countries where they do have the freedom to do that kind of thing without prosecution. For DRM security in particular, that type of industry-standard security analysis is impossible because the DMCA makes that illegal. And that was the EFF’s great protest against including this as a standard. They would’ve liked to see the industry players reach an agreement that they at least won’t prosecute according to the DMCA in an unfair way. But that compromise wasn’t reached.

So the EFF walked out as a sign of protest.

So how will this decision to standardise EME affect users?

I have to point out that users still have a choice regarding what software they install on their computers. You do get browsers that are very privacy-centric and take a very strong stance regarding security and advertising and third-party involvement in your browsing activity. The Brave browser is an example of one that will probably never support EME. So for a user that feels very strongly about this issue, alternative browsers are still an option.

However, I feel that the most important thing to take away from this discussion is it just again highlights how problematic DRM is. It’s such a critique that large fall-outs happen because of a technology that does extremely little to prevent piracy, has potential security risks and affects the legitimate users of a media in a negative way. Because that is what DRM does. It prevents the honest users from exercising their fair rights in moving media in time and space across devices, while it does very little to prevent the bad users, the bad actors, the pirates from getting the content out of the walled garden and redistributing it.

That is exactly the reason why at Custos we focus really strongly on DRM alternatives like session-based forensic watermarking where you have a much less intrusive way of tracking where content flows and when it does get redistributed outside the terms of the licence you are able to discover where these leaks happen.

We also feel that content creators have certain rights around the digital content that gets sent to viewers or listeners. If you create an artistic work or a movie or an album track, you as creator or creative team have the right to decide who’s going to watch it and what type of compensation you expect to receive for that.

And if you subscribe to this idea of intellectual property rights, you have some right in being able to decide who you licence your content to. For that, you need ways to make sure that licensees act in a fair way. In our view, something like session-based forensic watermarking gives you a gentler way of monitoring that and enforcing that than a heavy-handed approach like DRM would’ve.

In conclusion, do you think the EFF’s decision to leave the W3C will have any lasting implications?

I think the good implication is that it brings the issues surrounding DRM to the forefront again. I doubt that it will have a very big effect on the way the standardisation process happens; the W3C is a very large organisation. 58% of the consortium did, in the end, agree to add EME to the standard; 10% abstained from voting and a relatively small minority dissented against the decision. So I think standardisation is going to go ahead as it does. Which is a haphazard process anyways. It’s trying to find a common ground for the way we get our browsers and servers to talk with each other.

I think it’s a good thing that if you’re going to have DRM anyways it should be within a standardised way and controlled environment, but I think in the longer term we should do away with these kinds of solutions, because having something that’s both overreaching and ineffective doesn’t really serve anyone’s interests.

Custos provides content protection for video, audio, and documents. Content owners or distributors can visit custostech.com for more information.

This article also appeared on the Custos Media Technologies blog, updated regularly.
