July 11, 2017
The World Wide Web Consortium (W3C), which oversees standards for the web, approved a new system for handling DRM-protected video. Encrypted Media Extensions (EME) work by letting DRM systems connect directly to the user’s browser. EME lets streaming video services protect their content without forcing users to install plugins that can be insecure. But not everyone is happy. Some researchers and advocates of the open Internet believe EME will give browser developers and content providers too much power.
According to The Verge, EME has been debated as a standard for five years. Voicing concerns, journalist Cory Doctorow wrote on the Electronic Frontier Foundation (EFF) blog that, “this will break people, companies, and projects.” Doctorow believes that the new standard doesn’t protect security researchers, since it doesn’t address the fact that, “in the U.S., breaking DRM, even for otherwise legal purposes, can be a crime.”
EME also doesn’t provide “exemptions … that would allow computers to scan videos and automate work like generating subtitles and translations or identifying strobing lights to produce warnings for people with epilepsy,” or “standardize decryption either.” The latter means that, “companies developing browsers may have to license decryption components, making it harder for new browsers to enter the market.”
“Web creator Tim Berners-Lee and W3C project manager Philippe Le Hégaret write that they believe EME is better for accessibility, because it complies with other web accessibility standards, and that having DRM support built into the web, instead of requiring plugins, makes life easier for browser developers,” notes The Verge. They also state that, with regard to protections for security researchers, they “didn’t want to hold up the standard just because all parties couldn’t come to agreement on this issue.”
“We also recommend that [organizations using DRM and EME] not use the anti-circumvention provisions of the Digital Millennium Copyright Act (DMCA) and similar laws around the world to prevent security and privacy research on the specification or on implementations,” they write.
The Verge notes that the disagreement boils down to a difference in philosophy. Whereas the EFF doesn’t like DRM and “would like to see a much more open solution … W3C seems to have decided that since DRM is going to get used anyway, the web may as well standardize and avoid security horrors like Flash.”