W3C

The World Wide Web Consortium (W3C) has elevated the Encrypted Media Extensions (EME) to the status of "Proposed Recommendation," the last step before becoming an official W3C standard, pending a vote from its members.

W3C, the organization responsible for most of today's standards, such as HTML, CSS, SVG, and others, has blatantly ignored all criticism of the EME proposed specification, which would facilitate the implementation of a Digital Rights Management (DRM) platform into today's browsers.

As the EFF noted in a long-winded blog post last March, the EME would not force browser makers to support a DRM but would make it unfeasible not to.

Any new browser coming on the scene after the standardization of EME will enter a fundamentally different world than all the ones that have come before: for that browser to receive and display content that is defined by the W3C, it will have to enter into a commercial partnership with one of a handful of companies that have been blessed as being entitled to produce a CDM.

A browser that can't strike such a partnership -- either because all possible partners are in exclusive relationships with existing browsers, or because it lacks the commercial or structural ability to enter into a commercial partnership (say, because it is a community-based free software project) will be frozen out of rendering part of the standards-defined Web.

It would be a return to the bad old days of websites that advised that they were "Best viewed with Netscape" or "Best viewed with Internet Explorer," because the new browsers would be locked out of some of their content.

Engineers from Google, Microsoft, and Netflix have proposed the EME specification, which is no surprise, as all would stand to win from the approval of such a standard, solidfying their market position, or making sure their rights as content providers couldn't be skirted or broken.

The EME specification, often referred to only as DRM, in its current form, would give content providers the upper hand.

Security researchers at risk

For example, security researchers who uncover flaws in the DRM platform that delivers content from providers to users' browsers can be silenced with copyright infringement lawsuits.

This leaves hundreds of millions of users exposed to security flaws if the content provider is unwilling to fix the issue, and decides to bury a security researcher in lawsuits, ruining his life.

According to Cory Doctorow, EFF member and Boing Boing editor, the W3C is blatantly lying to everyone's faces by saying the new standard protects security researchers, and that the reality is actually very different.

The W3C suspended all work on a covenant to protect security researchers more than a year ago, after a mere 90 days' discussion. They refused to convene any kind of process to protect other people who might be harmed by this standard, including accessibility workers and innovators.

Rather than continue this work, the W3C has taken steps to legitimize suing security researchers, by convening a new group that will allow manufacturers to set voluntary guidelines for when this new right to sue people who tell the truth about defects in their products should be used.

They have characterized this as "protecting security researchers" despite the fact that it offers no protection to security researchers -- even those who follow the guidelines will have no guarantee that W3C members won't sue them, as the rules are voluntary, rather than (say) a condition of membership, or the W3C's patent license.

Users and software developers fake the same risk

Similarly to security researchers, developers who create apps that provide accessibility (a11y) support for visually impaired users face the same danger, Doctorow argued on GitHub.

The EME specification was put forward as a way for content providers to protect their work. For example, with EME, a video will be encrypted on the content provider's servers, delivered to users, and then decrypted with the local DRM (CDM) module.

Any user tampering with this module, or attempting to record or capture content from this module is committing copyright infringement and would face legal penalties. Of course, the DRM module would provide any detail on the user's identity.

The EFF has argued that users aren't protected against the powers of the all-mighty DRM. For example, a user managing bandwidth or viewing content offline using special software might be interpreted as tampering with the content provider's content, even if the user has paid for viewing the content.

Tim Berners-Lee in favor of EME standard

The W3C has been pushing the EME specification for years, ignoring all criticism. Prior to February 2017, everyone but content providers have been against the W3C's work on EME.

The organization got a media boost from Sir Tim Berners-Lee, the WWW's inventor, who put his stamp of approval on the EME and argued that browser makers would eventually implement their own DRM platforms anyway, and it was better if the W3C stepped in while it had a chance.

"Users, web developers, security researchers and most browser vendors do not win here," said JavaScript developer Ron Waldon, Responding to Berners-Lee's blog post. "But in the short term, archaic content industries that lack the agility to develop modern business models do win here. At the expense of everyone else. Also, browser vendors like Google who succeed in getting their CDM implementation blessed also win." Other critics have been more acid in their response to Berners-Lee.

For EME to become an official standard, it must now pass a vote from all W3C members, meaning everyone else's chance to oppose the standard has passed.

Only W3C members can comment on the standard now (until April 19), but to become a W3C member, organizations must pay a hefty fee, meaning the train has already left the station. The EME proposed recommendation is expected to succeed.