The World Wide Web Consortium (W3C) is an amazing, long-running open standards body that has been largely responsible for the web’s growth and vibrancy, creating open standards that lets anyone make web technology and become part of the internet ecosystem.
Since 2013, the W3C has been working on a very different kind of standard: Encrypted Media Extensions (EME), designed to enable DRM for streaming video, is more than a technology standard. Thanks to US-propagated laws that give DRM makers the right to sue people who break DRM, even for legal purposes, EME will — for the first time in W3C history — give its members the power to sue security researchers, accessibility toolmakers, and competitors who improve EME implementations, regardless of whether these improvements enable copyright infringement or other illegal outcomes.
It doesn’t have to be: a widely supported compromise proposed by the Electronic Frontier Foundation would let the W3C make a technological standard without making a legal weapon at the same time. EFF’s proposal is that the W3C should extend its existing rules, which require members not to sue standards implementers over patent violations, to include violations of DRM law. Members could still sue over copyright infringement, tortious interference, theft of trade secrets, etc — they just couldn’t sue over breaking DRM where none of these other things had taken place.
A recent W3C poll of its members attracted the broadest-ever support for this compromise, including visual disability groups on three continents, a major national library, a host of cryptocurrency startups, a security firm, a browser vendor, web technology groups and consortia, and some of the world’s leading universities and government research labs, including Oxford, Eindhoven, Lawrence Berkeley Labs, and many, many others.
These supporters join the chorous of cryptographers and security researchers who’ve endorsed this proposal, along with other standards bodies, the W3C’s own head of strategy, and the Open Source Initiative, which has declared that EME will not meet its “open standard definition” in the absence of some protection for legitimate activities.
EME’s advocates have asked the W3C to hold another vote to finalize it and publish it as a W3C standard. This is the final showdown at the W3C, the moment at which it decides whether to act as a cyber arms-dealer, creating legal tools that lets some of the biggest corporations in the world suppress accessibility and security research and competition, or whether it is still in the technology business, continuing its decades-long tradition of making its members set down their legal arms as a condition of participating in the creation of the web’s standards.
In October, the W3C polled its members about EME. Dozens of those members spoke loudly and on the public record, demanding that the W3C halt work on EME unless some step is taken to prevent abuse of laws like the DMCA. Those members include:
* The Royal National Institute for Blind People (UK); Media Access Australia and Vision Australia; and Benetech and SSB Bart (USA): three continents’ worth of blind-rights advocacy organizations.
EME means that groups like these won’t be make tools to adapt video for their specific disabilities (for example, a tool to shift the colors of videos to help color-blind people; or a machine-learning tool that automatically adds descriptive tracks to videos);* Brave: a new entrant into the browser market.
Companies that are starting out want to offer all legal features to their users, not just the ones that the entertainment companies and old browser companies have decided we should get;* Oxford University, The Eindhoven University of Technology, Kings College London, The Open University, Lawrence Berkeley Labs, and others, representing some of the world’s leading research institutions;
Their researchers can’t afford to risk legal retaliation for investigating and reporting on defects in browsers;* Ripple, Ethereum, Blockstream: three of the world’s leading blockchain companies; they were joined by White Ops, a security company run by some of the industry’s best-respected experts.
People who understand information security and cryptography are rightly alarmed at the thought of browsers that are off-limits to security researchers who can surface problems before they are exploited and used to attack users and companies alike;* Hypothes.is and Dublin Core: two leading representatives of the open data/metadata sector.
The web depends on an open platform that anyone can improve, annotate and extend;* Deutsche Nationalbibliothek: the national library of Germany, charged with archiving all German copyrighted works;
* Vivliostyle: a critical member of the standards community who has contributed significantly to W3C community.
Open standards can’t be subject to a veto from a handful of self-interested companies;* Electronic Frontier Foundation and the Center for Democracy & Technology: user-rights organizations with a long track record of fighting against corporate abuse of the standards-setting process.
Security researchers are alarmed, too. Hundreds of researchers have called on the W3C to protect their work. A group of principal investigators from CSAIL, MIT’s computer science department — which hosts the W3C — sent a letter to the W3C executive, expressing concern that EME presents a danger to the work of MIT researchers and independent researchers alike, and calling out EME for what it is: a way to put proprietary content on the Web. This group was organized by Hal Abelson, one of the most esteemed computer scientists in the field today.
The W3C itself is deeply divided on this issue. The organization’s head of strategy, Wendy Seltzer, publicly called on the organization to protect the web from DMCA abuse; she’s joined by leading engineers from the W3C, who signed the security researchers’ open letter.
The World Wide Web Consortium at a Crossroads: Arms-Dealers or Standards-Setters? [Cory Doctorow/Electronic Frontier Foundation]