W3C

On Encrypted Video and the Open Web

There has been a lot of response to the announcement that W3C considers content protection for video as in-scope for discussion in the HTML Working Group. In this post I can touch on some of the arguments.

We hear the outburst of criticism (and some support) for W3C’s recent rechartering of the HTML Working Group that put content protection for video in-scope for discussion. We hear that criticism as a signal that many people value W3C’s voice, and feel betrayed by this decision. I want to make it clear that I and all the staff at W3C are as passionate as ever about the open Web. Also, none of us as users like certain forms of content protection such as DRM at all. Or the constraints it places on users and developers. Or the over-severe legislation it triggers in countries like the USA.

We’re together in wanting a robust, rich, open Web. We want a Web open to inventors and tinkerers, to media-makers and cultural explorers. We want a Web which is rich in content but also a two-way, read-write Web. We want a Web which is universal in that it can contain anything. As Michael Dertouzos, one-time head of the Lab for Computer Science here at MIT, used to say, an Information Marketplace, where people can buy, sell or freely exchange information. To be universal, the Web has got to be open to many different sorts of businesses and business models.

The HTML Design Principles give helpful guidance on the priority of constituencies: “In case of conflict, consider users over authors over implementers over specifiers over theoretical purity. In other words, costs or difficulties to the user should be given more weight than costs to authors; which in turn should be given more weight than costs to implementers; which should be given more weight than costs to authors of the spec itself, which should be given more weight than those proposing changes for theoretical reasons alone. Of course, it is preferred to make things better for multiple constituencies at once.”

So we put the user first, but different users have different preferences. Putting the user first doesn’t help us to satisfy users’ possibly incompatible wants: some Web users like to watch big-budget movies at home, some Web users like to experiment with code. The best solution will be one that satisfies all of them, and we’re still looking for that. If we can’t find that, we’re looking for the solutions that do least harm to these and other expressed wants from users, authors, implementers, and others in the ecosystem.

The arguments about whether content protection for video, and EME in particular, should be in scope for W3C discussion and standardization are many and varied. When we discussed the issue in the W3C Technical Architecture Group earlier this year I noted on the whiteboard a list of related arguments, then already quite long, and that list has not grown any shorter with time. Many of the arguments involve what different parties, the users, the browser makers, the media content distributors, and so on, would do under different new scenarios — things which we can opine on but in the end only guess. Many of these arguments involve comparing very different types of things — the smoothness of a user interface and the danger that programmers will be jailed. So there will not be an end to much of this argument for a long time. I would like to thank everyone who has weighed into the discussion thoughtfully and with consideration, and I hope you will continue to do so.

Let me just pick up a few elements, by no means a comprehensive set.

W3C is a place where people discuss possible technology. The HTML Working Group charter is about the scope of the discussion. W3C does not and cannot dictate what browsers or content distributors can do. By excluding this issue from discussion, we do not exclude it from anyone’s systems.

Some arguments for inclusion take this form: if content protection of some kind has to be used for videos, it is better for it to be discussed in the open at W3C, better for everyone to use an interoperable open standard as much as possible, and better for it to be framed in a browser which can be open source, and available on a general purpose computer rather than a special purpose box. Those are key arguments for the decision that this topic is in scope.

No one likes DRM as a user, wherever it crops up. It is worth thinking, though, about what it is we do not like about existing DRM-based systems, and how we could possibly build a system which will be a more open, fairer one than the actual systems which we see today. If we, the programmers who design and build Web systems, are going to consider something which could be very onerous in many ways, what can we ask in return?

The conversation has just started. The Restricted Media Community Group is one forum for discussing this. The www-tag@w3.org list is good for general Web architecture, and there is the HTML Working Group and a Web Copyright Community Group. And there are comments to Jeff’s posting or this post though I may not be able to answer them all.

Let us all continue to pursue creation of a powerful Web platform that is built on open standards. The use case of protected video content is a challenging one. We think this discussion will help get us there, but there is much more to do to achieve the level of openness I have personally sought for 25 years, and that W3C has pursued since its inception.

timbl

33 thoughts on “On Encrypted Video and the Open Web

  1. I just want to thank Tim Berners-Lee and everyone else at the W3C for all the effort they’ve put into trying to lead the World Wide Web to its full potential over the past 19 years.

    But we’ll take it from here.

    Regards,
    The World Wide Web

  2. An open standard cannot guaranty Compliance and Robustness in any way. Since that is required for content owners, they’re doing just a half open standard making part of the standard secret (the CDM). Given that, I think it doesn’t matter if “we” do it at the W3C or not. I also think that allowing this to exist under the W3C name is going to be a stain in the future. So it’s better for the W3C to keep aside of this or any kind of content protection which isn’t completely Open.

    What I just said it’s a truth by itself. Now I’ll give you my own opinion:

    Content owners don’t just want to protect their content but also to control the user in the process. That’s spyware and can have serious vulnerabilities. Users can’t be abused forever. Please care for all the people who is innocent and ignorant about this and stop them as soon as possible.

    1. Yes, I think the temptation will be huge for content owners to not just authorize but also track and abuse users if users have to install special software to get content. Can we make a module which is sandboxed, and shared by different content providers, and won’t let them e.g. spy on users?

  3. The problem is that the standard itself isn’t enough to actually support any of the content it claims to support.

    It’s the equivalent of standardizing the object or embed tags: it’s a standard way of getting at non-standard functionality, and sites then depend on specific implementations of that non-standard functionality, the same way they depend on the Flash plugin today in ways that knowing how to implement the object tag doesn’t help with.

    Standardizing a single fully-specified mechanism for DRM might actually be useful (debatably), but that would break the current model in which DRM is completely unsound and relies on security-through-obscurity. “Standardizing” a means of getting at the myriad non-standard DRM implementations and their non-standard APIs is worse than worthless: it’s actively harmful, and it prolongs the death of those technologies.

    Right now, content providers have to choose whether to support the open web or DRM. They should continue to have to make that choice, with supporters of the open web reaching a larger audience, until eventually all the holdouts either switch or lose. This is a major step backward for that goal, and the W3C has no business claiming EME has anything to do with the open web.

    1. Indeed!

      One has to wonder if Mr Berners-Lee even read the specification’s text or if he has been falsly informed by people he believed he could trust.

  4. The CR Exit Criteria and their application regarding EME need to be clarified.

    The “Model CR Exit Criteria (Public Permissive version 3)” states that an “Implementation” must be “suitable for a person to use as his/her primary means of accessing the Web.” (http://dev.w3.org/html5/decision-policy/public-permissive-exit-criteria.html)

    Considering the NSA revelations closed source implementations only running on closed source operating systems and produced by organisations who have collaborated with the NSA for security reasons are not suitable “primary means of accessing the Web”.

  5. “consider users over …”

    1. All users not some. That means any technology MUST be open in the sense of anybody being able to reimplement 100% of the whole technology stack. By closing this possibility, since DRM requires blackboxing, this isn’t possible. As result some users will be excluded. May it be because they are on a niche-system, on a system where its not possible to DRM the output cause its open source or cause they use an exotic browser/agent/output method.

    2. No one likes DRM as a user. And yet the sentence continues to invalidate this with “theoretical purity” arguing they get something in return there wouldn’t otherwise whats a pure theory.

    Constructive:

    1. Any DRM MUST be open and complete usable without limitations.
    2. This means it cannot be 100% “secure” as in the implementation be done by 3th parties giving up the control.
    3. Note that DRM as of today isn’t 100% secure anyways.

    Conclusion:
    1. Any DRM needs to be 100% defined and controlled by w3c.
    2. An reference-implementation needs to be made available in source code without any limitations.

    Only with point 2 the w3c fullfits the requirement to put users first, all users, over interests or theoretical benefits of others.

  6. Well, that allows arbitrary black boxes. Whatever you do as company within the DRM-box is – with your full support – standards compliant. Whitewashing wholesale just to be competitive to flash and silverlight?

  7. /u/cmilquetoast from reddit said it best:

    “There is an incredible amount of naivety and shortsightedness in this response. The stakeholders asking for this now will use it as a beach head to try and eliminate everything about the web that makes is successful and sustainable: openness, independence, and hackability.

    Additionally any standard implemented will be immediately hacked. The entire effort is a foolish attempt at superficial crowd pleasing. It also assumes something that is completely false; that hollywood won’t eventually cave to strong open standards, they will or they will go extinct and those that replace them will participate. I honestly can’t believe TBL has been duped or pressured into it but that undeniably seems to be the case.”

  8. “If we, the programmers who design and build Web systems, are going to consider something which could be very onerous in many ways, what can we ask in return?”

    Content owners in the USA generally don’t care what the answer to this question is: their delivery preference is “take it or leave it”, and the user’s rights are waived any time a EULA is displayed. If a piece of content leaves a user’s computer out of sorts or unusable, it’s the user’s own fault for clicking Yes even if they paid to do it.

    Prepare for a lot of empty answers, buzzwords and doublespeak in that request.

  9. “…If content protection of some kind has to be used for videos, it is better for it to be discussed in the open at W3C, better for everyone to use an interoperable open standard as much as possible, and better for it to be framed in a browser which can be open source, and available on a general purpose computer rather than a special purpose box.”

    If that’s your argument, I can end the debate right now. NO. No, it’s NOT better.

    What you’re saying is: the media industry wants to be closed and proprietary, and we want to be open and standard. So – obviously! – we should compromise our position and help them out. But don’t worry… next time, we’ll really dig our heels in, when Hollywood asks for something really unreasonable.

  10. If you’re truly thinking about the users first, then you must consider that the user owns his computer. He decides how it is to be used and has full control over it. Putting encrypted media into HTML is endorsing a system whereby the control over the computer is taken away from the user and put into someone else’s hands.

    Unlike every other part of HTML, it is not open, not transparent and not something that the users actually desire to make using the web better. Adding encrypted media to HTML does not appreciably expand the market reach or the maintainability of technologies that already deliver encrypted streams in browsers.

    This is essentially a non-problem and a waste of time on the part of the W3C.

    Furthermore, by endorsing anti-consumer, anti-user technologies, the W3C demonstrates its stand against democratization of access to content, culture, authorship and community.

  11. The main question everyone seems to be asking is: once video DRM is technically acceptable, what technical reasons can be argued to not allow audio DRM… and image DRM… and text DRM?
    You can have an open Web or a closed one but you can’t have both at the same time: history is littered with so many similar slippery slopes that one would think you had learned something from it.

  12. It is disturbing to see W3C is using this peculiar language in which playback restrictions become “content protection”. “Content protection”, if anything, means making as many copies as possible, minimizing the chance of said content getting irreversibly lost and unavailable. DRM, by its nature, is contrary to this goal as its purpose is to restrict ways in which users are able to consume and make copies of the content they gained access to.

    This is not merely a semantic point. Language is important – it shapes our understanding of issues we try to address. In a world where making it harder to create copies becomes “content protection”, users are seen as vandals, a threat to content in some way. At the same time, the true meaning of what DRM is remains obscured, preventing any meaningful discussion. After all, who could be against “protecting” content?

    We should get this in order. Unless we mean preservation and greater availability, no “content protection” doublespeak anymore. There are more truthful alternatives, like “playback restrictions”, “copying restrictions”, “copyright protection system” or “copyright management system”.

    As for the “DRM” itself – “Digital Restrictions Management” seems accurate.

  13. Would you and Jeff consider to discuss this with the participants at this year’s TPAC? A face-to-face talk is always better than posts that are prone to misunderstanding.

  14. Tim,

    I’ve been working in this eco-system as a coder, architect and end-user for the entire time you’ve been working with W3C.

    Though I can understand the need for some kind of right management, I echo the sentiments here regarding that rights management being an Open standard.

    If you’re going to have everything else open, and close this one piece, you’re negating it all – this one piece is crucial because the vendors / content-owners have shown themselves to be untrustworthy in the past with close-source solutions to rights management.

    There’s got to be a way to provide protection without giving the vendors a way to infect the end-user’s systems.

  15. It is so much better to discuss this inside than outside W3C for any kind of content. Including books. Great initiative. This is valiant. Creators and Authors rights must be protected inside the open web platform.

  16. I indeed used to value w3c’s voice, until the voice said yes to drm. Serving the interests of a powerful few at the detriment of all of us.

    I can’t wait to have to insert a dongle to be able to display part or all of a web page… not!

    Now I’m on lookout for another body who’s not going to sell Internet and the web to holy-wood, to become the new voice to value.

    Sorry Sir Tim, I’m not buying any of it.

  17. “Content Protection” to me, means restricting access to content unless users have subscribed/paid for that content. Why shouldn’t someone who has created some content (be it digital or traditional) charge money for it, and if it is digital, utilise mechanisms of technology to achieve that? (even if it is through the World Wide Web).

    Newspapers sell content online, offline, in print etc… they just use a different form of technology; a paid subscription service, users still have to pay for it. Just because it’s on a platform which happens to be accessible to a lot of people all over the world does not necessarily mean it should all be free or open.

    Isn’t this the kind of world we live in? I’m sure most people wouldn’t think twice about selling a cake they had baked down the local market stall, why should it be any different with digital content?

    I think Michael Dertouzos was right to say the web can be whatever anyone wants to make of it.

    If users want content that just happens to be encoded, so the owners can essentially make money and protect their assets, fair enough, they pay for it. If users don’t like it, they can consume some open, freely accessible content instead, no one seems to complain when they have to pay their Digital TV Subscription every month.

    I think protected content and free/open content can safely co-exist on the web, it already has for the past 20 years (or more)

  18. I’m sorry, Tim, I have to disagree with you. You say “some Web users like to watch big-budget movies at home” and I’m sure this is true. However, that’s different than saying that users want DRM.

    Users would like to watch videos at home and content providers would like to attach DRM to those videos. The question is, will users be able to watch videos at home if DRM is not part of HTML video. Hollywood had continually insisted on DRM even when it’s been shown, again and again, that it doesn’t actually stop piracy. What it does do is make systems less usable for the consumers.

    Hollywood, as a whole, made about $30B in 2012. That’s less than Apple’s revenues in the first quarter alone of 2012, let alone the IT industry as a whole. Why do we keep letting ourselves be wagged by the Hollywood tail?

  19. What’s so special about video? If DRM has any legitimate place in an “open” web standard, then why would it not be appropriate for it to apply to all content types, including HTML itself? It seems an embarrassing technical oversight to arbitrarily restrict the DRM interface to one content type, and miss the opportunity for a more general solution here.

    Is it just because it’s more obvious how laughable that proposal would be? Imagine the absurdity of having to download and install some untrusted proprietary black box and letting it loose to do whatever it wants on your machine… just to read a particular web page. (For anyone who doesn’t follow these things closely, this is, always has been, and always will be the minimum requirement of any passably effective software-defined DRM scheme.) Even to the layman who knows neither what the “open” part nor the “standard” part of “open standard” means, that would seem just plain nuts.

    There are plenty of publishers, including most of the big magazines and newspapers, who would love to be able to lock down their text content in web browsers, just the same as they’d love to be able to lock down their video content. But it’s so brick-in-the-face obvious that it’s impossible to have an open web standard compatible with that goal that we haven’t made any concessions to these publishers for the hope that they’ll put a little more of their content on the web.

    So I ask again: what’s so special about video?

  20. “Putting the user first doesn’t help us to satisfy users’ possibly incompatible wants: some Web users like to watch big-budget movies at home, some Web users like to experiment with code.”

    What a load of nonsense that these two things would be mutually incompatible! Big Content is going to be compelled to use the web regardless of how openly it is structured.

  21. Hi Tim,

    I may have better solution.

    Many users oppose, like me, DRM but end up buying DRM devices, like me, to get (paid) access to content choice. Core problems of DRM from a user standpoint are: (1) can’t get content for free; (2) proprietary DRM code infringes on my civil rights, privacy and security; (3) intrroperability issues and inability to transfer content among platforms.
    (1) is a morally invalid reason: even though rights holders abuse their power position, you can’t fix wealth distribution by making theft legal.
    W3C could solve (2) and (3) by mandarting any DRM solution allowed on the Open Web Platform to comply to requirements for: interoperability, security and privacy. All code of allowed DRM solutions should be public and there should be user-verifiable ways to ensure that running DRM-code has undergone FOR MONTHS open public and top-experts hacking before it gets onto devices.

  22. Content owners have somehow managed to move the goalposts here.

    On one side of the spectrum, there’s the open web. On the other side of the spectrum, there are big companies controlling our computers. And the compromise is … somewhere in the middle?

    Seriously?

    Why must the W3C explore this spectrum: the W3C mission on one end, disaster on the other? The spectrum was invented by abusers of the open web.

    Maybe I’m jumping the gun here. If the W3C can explore this spectrum while still letting all human beings partake in all the benefits of the Web with any hardware and any software (that’s design principle #1 on http://www.w3.org/Consortium/mission), I’ll keep an open mind.

    But if it can’t, please remember: compromise isn’t necessarily the best option.

  23. If we, the programmers who design and build Web systems, are going to consider something which could be very onerous in many ways, what can we ask in return?

    That HTML not be turned into a tool for stifling fair use? Most (99%?) of the feedback W3C is getting on this issue, is that this is indeed so onerous that it should not even be considered.

    What’s surprising to me, TBL, is that you would risk the credibility of W3C by pushing forward with this in spite of such overwhelming, principled opposition — particularly when said principles were yours to begin with!

  24. The debate is funny from my point of view.

    On the one side is a large group of hot-headed idealists and pirate bay seeders.
    On the other hand are people who work hard to create some entertainment content.

    I don’t mind to pay a few bucks to watch a movie and don’t care if I am not allowed to rip the movie and “save a copy”.

    And I understand that Netflix movie library will expand once there is a commonly accepted way for content protection.

    Some one will abuse the system and spy on me?
    Oh god oh god, I am so scared.
    I guess my immunity to privacy violation comes with me being a Russian.

Comments are closed.