EFF’s long, hard-fought campaign at the World Wide Web Consortium over its plan to standardize a universal DRM for the web was always a longshot, but we got farther than anyone dared hope before we lost the web to corporate interests and cynical indifference in September.
We lost at the W3C, but we got farther than we had any right to, and that’s because we created a powerful new tactic for fighting DRM, one that everyone needs to know about and use as we fight to save the rest of the internet — including its extrusions into the physical world, AKA the “internet of things” — from DRM.
People who want DRM say that they’re just trying to protect their copyrights, but it’s obvious to anyone who knows even a little about computer science that DRM is effectively useless for this purpose. But DRM laws allow companies to shut down (and even jail) anyone who breaks DRM for any reason, and that means that once a company has DRM, they can decide whether and when security researchers can disclose the defects in their products; it also means they get to decide who can compete with them and how. It also means that accessibility workers and archivists can’t exercise their rights without permission from corporations.
Now, when you argue about DRM, the pro-DRM side always says that all this stuff is an unfortunate side-effect of the law, and that they’re really only trying to stop pirates, promise and cross my heart.
So here’s what we did at the W3C: we proposed a membership rule that would allow members to use DRM law to sue anyone who infringed their copyrights — but took away their rights to sue people who were breaking DRM for some other reason, like adapting works for people with disabilities, or investigating critical security flaws, or creating legal, innovative new businesses.
That meant that the pro-DRM side also had to explain why they needed all these rights as well as the right to stop copyright infringement. It also meant that they had to explain how their DRM was technologically useful at stopping lawbreakers if the only thing keeping those lawbreakers from breaking it was the law — not the technological efficacy of the DRM itself.
This was devastating. By taking copyright enforcement off the table and separating it from the so-called side-effects of DRM, we were able to shift the debate to the principled question of whether standards bodies should be in the business of giving powerful new legal rights to massive corporations like Apple and Google, Comcast and Disney, Netflix and Adobe. We made those companies address our concerns, and swept away the piracy smokescreen.
There are refinements to be made to this tactic, to be sure, but it was so effective in its first outing that it’s a sure bet that we’ll make those refinements and bring it out again.
I’ve written a long postmortem on the W3C fight and the tactical lessons from it. If you’re in an organization, corporation or project that’s wrestling with this question, I hope you’ll find this useful.
The success of DRM at the W3C is a parable about market concentration and the precarity of the open web. Hundreds of security researchers lobbied the W3C to protect their work, UNESCO publicly condemned the extension of DRM to the web, and the many crypto-currency members of the W3C warned that using browsers for secure, high-stakes applications like moving around people’s life-savings could only happen if browsers were subjected to the same security investigations as every other technology in our life (except DRM technologies).
There is no shortage of businesses that want to be able to control what their customers and competitors do with their products. When the US Copyright Office held hearings on DRM in 2015, they heard about DRM in medical implants and cars, farm equipment and voting machines. Companies have discovered that adding DRM to their products is the most robust way to control the marketplace, a cheap and reliable way to convert commercial preferences about who can repair, improve, and supply their products into legally enforceable rights.
The marketplace harms from this anti-competitive behavior are easy to see. For example, the aggressive use of DRM to prevent independent repair shops ends up diverting tons of e-waste to landfill or recycling, at the cost of local economies and the ability of people to get full use out of their property. A phone that you recycle instead of repairing is a phone you have to pay to replace — and repair creates many more jobs than recycling (recycling a ton of e-waste creates 15 jobs; repairing it creates 150 jobs). Repair jobs are local, entrepreneurial jobs, because you don’t need a lot of capital to start a repair shop, and your customers want to bring their gadgets to someone local for service (no one wants to send a phone to China for repairs — let alone a car!).
But those economic harms are only the tip of the iceberg. Laws like DMCA 1201 incentivize DRM by promising the power to control competition, but DRM’s worst harms are in the realm of security. When the W3C published EME, it bequeathed to the web an unauditable attack-surface in browsers used by billions of people for their most sensitive and risky applications. These browsers are also the control panels for the Internet of Things: the sensor-studded, actuating gadgets that can see us, hear us, and act on the physical world, with the power to boil, freeze, shock, concuss, or betray us in a thousand ways.
The gadgets themselves have DRM, intended to lock our repairs and third-party consumables, meaning that everything from your toaster to your car is becoming off-limits to scrutiny by independent researchers who can give you unvarnished, unbiased assessments of the security and reliability of these devices.
In a competitive market, you’d expect non-DRM options to proliferate in answer to this bad behavior. After all, no customer wants DRM: no car-dealer ever sold a new GM by boasting that it was a felony for your favorite mechanic to fix it.
But we don’t live in a competitive market. Laws like DMCA 1201 undermine the competition that might counter their worst effects.
DRM’s dead canary: how we just lost the web, what we learned from it, and what we need to do next [Cory Doctorow/Electronic Frontier Foundation]