Perspectives on security research, consensus and W3C Process
Author(s) and publish date
- By:
-
-
Coralie Mercier
-
- Published:
Linux Weekly News published a recent story called "Encrypted Media Extensions and exit conditions", Cory Doctorow followed by publishing "W3C DRM working group chairman vetoes work on protecting security researchers and competition”. While the former is a more accurate account of the status, we feel obligated to offer corrections and clarifications to the latter, and to share a different perspective on security research protection, consensus at W3C, W3C's mission and the W3C Process, as well as the proposed Technology and Policy Interest Group.
There have been a number articles and blog posts about the W3C EME work but we've not been able to offer counterpoints to every public post, as we're focusing on shepherding and promoting the work of 40 Working Groups and 14 Interest Groups –all working on technologies important to the Web such as: HTML5, Web Security, Web Accessibility, Web Payments, Web of Things, Automotive, etc.
TAG statement on the Web’s security model
In his recent article, Cory wrote:
For a year or so, I've been working with the EFF to get the World Wide Web Consortium to take steps to protect security researchers and new market-entrants who run up against the DRM standard they're incorporating into HTML5, the next version of the key web standard.
First, the W3C is concerned about risks for security researchers. In November 2015 the W3C Technical Architecture Group (TAG), a special group within the W3C, chartered under the W3C Process with stewardship of the Web architecture, made a statement (after discussions with Cory on this topic) about the importance of security research. The TAG statement was:
The Web has been built through iteration and collaboration, and enjoys strong security because so many people are able to continually test and review its designs and implementations. As the Web gains interfaces to new device capabilities, we rely even more on broad participation, testing, and audit to keep users safe and the web’s security model intact. Therefore, W3C policy should assure that such broad testing and audit continues to be possible, as it is necessary to keep both design and implementation quality high.
W3C TAG statements have policy weight. The TAG is co-Chaired by the inventor of the Web and Director of W3C, Tim Berners-Lee. It has elected representatives from W3C members such as Google, Mozilla, Microsoft and others.
This TAG statement was reiterated in an EME Factsheet, published before the W3C Advisory Committee meeting in March 2016 as well as in the W3C blog post in April 2016 published when the EME work was allowed to continue.
Second, EME is not a DRM standard. W3C does not make DRM. The specification does not define a content protection or Digital Rights Management system. Rather, EME defines a common API that may be used to discover, select and interact with such systems as well as with simpler content encryption systems. We appreciate that to those who are opposed to DRM, any system which "touches" upon DRM is to be avoided, but the distinction is important. DRM is on the Web and has been for many years. We ask pragmatically what we can do for the good of the Web to both make sure a system which uses protected content insulates users as much as possible, and ensure that the work is done in an open, transparent and accessible way.
A several-month TF to assess EFF's proposed covenant
Cory further wrote, about the covenant:
As a compromise that lets the W3C continue the work without risking future web users and companies, we've proposed that the W3C members involved should agree on a mutually acceptable binding promise not to use the DMCA and laws like it to shut down these legitimate activities -- they could still use it in cases of copyright infringement, just not to shut down activity that's otherwise legal.
The W3C took the EFF covenant proposal extremely seriously. Made as part of EFF's formal objection to the Working Group's charter extension, the W3C leadership took extraordinary effort to resolve the objection and evaluate the EFF proposed covenant by convening a several month task force. Hundreds of emails were exchanged between W3C Members and presentations were made to the W3C Advisory Committee at the March 2016 Advisory Committee meeting.
While there was some support for the idea of the proposal, the large majority of W3C Members did not wish to accept the covenant as written (the version they voted on was different from the version the EFF made public), nor a slightly different version proposed by another member.
Member confidentiality vs. transparent W3C Process
Cory continued:
The LWN writeup is an excellent summary of the events so far, but parts of the story can't be told because they took place in "member-confidential" discussions at the W3C. I've tried to make EFF's contributions to this discussion as public as possible in order to bring some transparency to the process, but alas the rest of the discussion is not visible to the public.
W3C works in a uniquely transparent way. Specifications are largely developed in public and most groups have public minutes and mailings lists. However, Member confidentiality is a very valuable part of the W3C process. That business and technical discussions can happen in confidence between members is invaluable to foster broader discussion, trust and the opportunity to be frank. The proceedings of the HTML Media Extensions work are public however, discussions amongst Advisory Committee members are confidential.
In his post, Nathan Willis quoted a June 6 blog post by EFF's Cory Doctorow, and continued:
Enough W3C members endorsed the proposed change that the charter could not be renewed. After 90 days' worth of discussion, the working group had made significant progress, but had not reached consensus. The W3C executive ended this process and renewed the working group's charter until September.
Similar wording is found in an April EFF blog post, attributing the renewal to "the executive of the W3C." In both instances, the phrasing may suggest that there was considerable internal debate in the lead-up to the meeting and that the final call was made by W3C leadership. But, it seems, the ultimate decision-making mechanism (such as who at W3C made the final decision and on what date) is confidential; when reached for comment, Doctorow said he could not disclose the process.
Though the Member discussions are confidential, the process itself is not.
In the W3C process, charters for Working Groups go to the Advisory Committee for review at different stages of completion. That happened in this case. The EFF made an objection. By process, when there are formal objections the W3C then tries to resolve the issue.
As part of the process, when there is no consensus, the W3C generally allows existing groups to continue their work as described in the charter. When there is a "tie-break" needed, it is the role of the Director, Tim Berners-Lee, to assess consensus and decide on the outcome of formal objections. It was only after the overwhelming majority of participants rejected the EFF proposal for a covenant attached to the EME work that Tim Berners-Lee and the W3C management felt that the EFF proposal could not proceed and the work would be allowed to continue.
Next steps within the HTML Media Extensions Working Group
Cory also wrote:
The group's charter is up for renewal in September, and many W3C members have agreed to file formal objections to its renewal unless some protection is in place. I'll be making an announcement shortly about those members and suggesting some paths for resolving the deadlock.
The group is not up for charter renewal in September but rather, its specifications are progressing on the time-line to "Recommendation". A Candidate Recommendation transition will soon have to be approved, and then the spec will require interoperability testing, and Advisory Committee approval before it reaches REC. One criteria for Recommendation is that the ideas in the technical report are appropriate for widespread deployment and EME is already deployed in almost all browsers.
To a lesser extent, we wish to clarify that veto is not part of the role of Working Group chairs; indeed Cory wrote:
Linux Weekly News reports on the latest turn of events: I proposed that the group take up the discussion before moving to recommendation, and the chairman of the working group, Microsoft's Paul Cotton, refused to consider it, writing, "Discussing such a proposed covenant is NOT in the scope of the current HTML Media Extensions WG charter."
As Chair of the HTML Media Extensions Working Group, Paul Cotton's primary role is to facilitate consensus-building among Group members for issues related to the specification. A W3C Chair leads the work of the group but does not decide for the group; work proceeds with consensus. The covenant proposal had been under wide review with many lengthy discussions for several months on the W3C Advisory Committee mailing lists. Paul did not dismiss W3C-wide discussion of the topic, but correctly noted it was not a topic in line with the chartered work of the group.
Conclusion
In the April 2016 announcement that the EME work would continue, the W3C reiterated the importance of security research and acknowledged the need for high level technical policy discussions at W3C - not just for the covenant. A few weeks prior, during the March 2016 Advisory Committee meeting the W3C announced a proposal to form a Technology and Policy Interest Group.
The W3C has, for more than 20 years, focused on technology standards for the Web. However, recognizing that as the Web gets more complex and its technology is increasingly woven into our lives, we must consider technical aspects of policy as well. The proposed Technology and Policy Interest Group, if started, will explore, discuss and clarify aspects of policy that may affect the mission of W3C to lead the Web to its full potential. This group has been in preparation before the EME covenant was presented, and will be address broader issues than anti-circumvention. It is designed as a forum for W3C Members to try to reach consensus on the descriptions of varying views on policy issues, such deep linking or pervasive monitoring.
While we tried to find common ground among our membership on the covenant issue, we have not succeeded yet. We hope that EFF and others will continue to try. We recognize and support the importance of security research, and the impact of policy on innovation, competition and the future of the Web. Again, for more ample information on EME and frequently asked questions, please see the EME Factsheet, published in March 2016.
Thank you for the much needed clarification.
The confidentiality of those expressing certain viewpoints can be frustrating at times, to an outsider. But we've already seen this devolve into misplaced naming and shaming, so this confidentiality is understandable. Accurate naming and shaming is, however, a vital part of good democracy.
The timing of EME seems unfortunate, in that we finally seem to have reached a good consumer-friendly compromise with streaming music, working in the web browser and on a wide variety of devices without unnecessary encryption.
I'm worried that with EME, DRM and CDMs, brought on by stakeholders in the movie industry, we'll see a major regression within the music industry. We've already seen the control and monitoring of podcasts appear on the wishlists of certain industry magnates.
At the very least, the EFF covenant would protect consumers from poorly-written or maliciously-designed CDMs, by allowing security and privacy researchers to examine the behaviour of CDMs without fear of legal reprisal.
Is the EFF covenant 100% dead for good? Or are their further avenues to propose at a later stage in the process? You've also made mention of 3 different wordings of the covenant, only 1 of which was published. Can you please publish the exact wording of all failed covenant proposals?
Hello Ron,
We did not succeed in finding a consensus for the covenants proposed. It is hard to predict whether a consensus might emerge in the future, but the Advisory Committee has stopped looking for one after the large majority of W3C Members did not wish to accept the variations that were proposed. We would like to take a step back and discuss policy issues in general in a proposed Technology and Policy Interest Group.
I stand with WHATWG and EFF on this one.
It's clear that your goal is to add strong proprietary DRM to the platform. I don't believe you when you say EME is an interoperable standard when, for all practical purposes, it's inseparable from proprietary CDM plug-ins, which are meant to remain a black box protected by DMCA.
I'm disappointed that you're using your name and reputation to legitimize DRM on the Web, and such carefully-worded PR pieces make me feel you're being disingenous about it.
Couch EME in whatever words you will, but no matter the words or rationalizations, it effectively legitimizes DRM, one of the most anti-user technologies around.
Imagine if in the web's infancy, EME had existed and provided a common W3C-blessed API to apply DRM to images--jpg, gif, etc. Would the web be the success it is today if media companies used EME to control the images people could see, download, and share in the web's early days? If Time Warner was able to dictate how we could view and share the dancing baby gif?
The web is for users, not for media megacorporations. *We* have the leverage here, and it's up to *us* to imagine and implement the brightest and most open future we can for users--not the most profitable future we can for corporate interests. Corporations may be dragged along kicking and screaming, but be dragged they will--if we realize that *we're* actually the ones with the leverage here.