W3C

On EME in HTML5

The question which has been debated around the net is whether W3C should endorse the Encrypted Media Extensions (EME) standard, which allows a web page to include encrypted content by connecting to an existing Digital Rights Management (DRM) system in the underlying platform. Some people have protested “no”, but in fact I decided the actual logical answer is “yes”. As many people have been so fervent in their demonstrations, I feel I owe it to them to explain the logic. My hope is, as there are many things which need to be protested and investigated and followed up in this world, that the energy which has been expended on protesting EME can be re-channeled into other things which really need it. Of the things they have argued along the way, there have also been many things I have agreed with. And to understand the disagreement we need to focus on the actual question: whether W3C should recommend EME.

The reason for recommending EME is that by doing so, we lead the industry who developed it in the first place to form a simple, easy-to-use way of putting encrypted content online, so that there will be interoperability between browsers. This makes it easier for web developers and also for users. People like to watch Netflix (to pick one example). People spend a lot of time on the web; they like to be able to embed Netflix content in their own web pages, and they like to be able to link to it. They like to be able to have discussions where they express what they think about the content, where their comments and the content can all be linked to.

Could they put the content on the web without DRM? Well, yes, for a huge amount of video content is on the web without DRM. It is only for the big expensive movies that putting content on the web unencrypted makes it too easy for people to copy it, and in reality the utopian world of people voluntarily paying full price for content does not work. (Others argue that the whole copyright system should be dismantled, and they can do that in the legislatures and campaign to change the treaties, which will be a long struggle, and meanwhile we do have copyright.)

Given DRM is a thing,…

When a company decides to distribute content they want to protect, they have many choices. This is important to remember.

If W3C did not recommend EME then the browser vendors would just make it outside W3C. If EME did not exist, vendors could just create new JavaScript-based versions. And without using the web at all, it is so easy to invite one’s viewers to switch to viewing the content on a proprietary app. And if the closed platforms prohibited DRM in apps, then the large content providers would simply distribute their own set-top boxes and game consoles as the only way to watch their stuff.

If the Director Of The Consortium made a Decree that there would be No More DRM, in fact nothing would change, because W3C does not have any power to forbid anything. W3C is not the US Congress, or WIPO, or a court. It would perhaps have shortened the debate. But we would have been distracted from important things which need thought and action on other issues.

Well, could W3C make a stand and, just because DRM is a bad thing for users, refuse to work on DRM and push back on it wherever it could? Well, that would again not have any effect, because the W3C is not a court or an enforcement agency. W3C is a place for people to talk, and forge consensus over great new technology for the web. Yes, there is an argument made that in any case, W3C should just stand up against DRM, but we, like Canute, understand our power is limited.

But importantly, there are reasons why pushing people away from the web is a bad idea: it is better for users for the DRM to be done through EME than other ways.

  1. When the content is in a web page, it is part of the web.
  2. The EME system can ‘sandbox’ the DRM code to limit the damage it can do to the user’s system.
  3. The EME system can ‘sandbox’ the DRM code to limit the damage it can do to the user’s privacy.

As mentioned above, when a provider distributes a movie, they have a lot of options. They have different advantages and disadvantages. An important issue here is how much the publisher gets to learn about the user.

  • If they sell a DVD or Blu-ray disk, they never get to know whether the user watches it. From the user’s point of view they can watch each bit of it as many times as they like without the feeling they are being watched.
  • If they put it on the web using EME, they will get to record that the user unlocked the movie. The browser though, in the EME system, can limit the amount of access the DRM code has, and can prevent it “phoning home” with more details. (The web page may also monitor and report on the user, but that can be detected and monitored as that code is not part of the “DRM blob”.)
  • If they put it on an app in a closed system like an iPhone, then they get to make whatever DRM they like. They also get to watch exactly how and where the user watches which bits of the movie. If they can persuade the user to allow them other access, such as to the user’s calendar, they can completely profile the user, and correlate this with their movie-watching habits.
  • If they distribute it using an app on an open system like Android or Mac OS X, then they can get the same feedback as on an iPhone app. However, as the OS is not a locked-down system, the app may be able to further abuse the user, by possibly exfiltrating further information, and also, as in the Sony Rootkit case, installing spyware on the system.
  • If they distribute it with their own closed system, like a game console or a set-top box, then the user is protected from spying on their computer. The publisher has complete control of information which is sent back about the user’s play and pause, and so on. The user has no way though to have this as part of their connected web life. There are no links in or out.

So in summary, it is important to support EME as providing a relatively safe online environment in which to watch a movie, as well as the most convenient, and one which makes it a part of the interconnected discourse of humanity.

I should mention that the extent to which the sandboxing of the DRM code protects the user is not defined by the EME spec at all, although current implementations in at least Firefox and Chrome do sandbox the DRM.

Spread to other media

Do we worry that having put movies on the web, then content providers will want to switch also to use it for other media such as music and books? For music, I don’t think so, because we have seen industry move consciously from a DRM-based model to an unencrypted model, where often the buyer’s email address may be put in a watermark, but there is no DRM.

For books, yes this could be a problem, because there have been a large number of closed non-web devices which people are used to, and for which the publishers are used to using DRM. For many the physical devices have been replaced by apps, including DRM, on general purpose devices like closed phones or open computers. We can hope that the industry, in moving to a web model, will also give up DRM, but it isn’t clear.

We have talked about the advantages of different ways of using DRM in distributing movies. Now let us discuss some of the problems with DRM systems in general.

Problems with DRM

Much of this blog post is W3C’s technical perspective on EME which I provide wearing my Director’s hat – but in the following about DRM and the DMCA (since this is a policy issue), I am expressing my personal opinions.

Problems for users

There are many issues with DRM, from the user’s point of view. These have been much documented elsewhere. Here let me list these:

  • Fair use of the material is not possible, such as excerpting for commentary, educational purposes, and so on
  • This prevents remixing into derivative works
  • The user cannot take a backup copy
  • Having a DRM blob in one’s computer is a security threat, in that it could attack the machine

DRM systems are generally frustrating for users. Some of this can be compounded by things like attempts to region-code a licence so the user can only access when they are in a particular country, confusion between “buying” and “renting” something for a fixed term, and issues when content suppliers cease to exist, and all “bought” things become inaccessible.

Despite these issues, users continue to buy DRM-protected content.

Problems for developers

DRM prevents independent developers from building different playback systems that interact with the video stream, for example, to add accessibility features, such as speeding up or slowing down playback.

Problems for Posterity

There is a possibility that we end up in decades’ time with no usable record of these movies, because either they are still encrypted, or because people didn’t bother taking copies of them at the time because the copies would have been useless to them. One of my favorite suggestions is that anyone copyrighting a movie and distributing it encrypted in any way MUST deposit an unencrypted copy with a set of copyright libraries which would include the British Library, the Library of Congress, and the Internet Archive.

Problems with Laws

Much of the push back against EME has been based on push back against DRM which has been based on specific important problems with certain laws.

The law most discussed is the US Digital Millennium Copyright Act (DMCA). Other laws exist in other countries which to a greater or lesser extent resemble the DMCA. Some of these have been brought up in the discussions, but we do not have an exhaustive list or analysis of them. It is worth noting that the US has spent a lot of energy using the various bilateral and multilateral agreements to persuade other countries into adopting laws like the DMCA. I do not go into the laws in other countries here. I do point out though that this cannot be dismissed as a USA-only problem. That said, let us go into the DMCA in more detail.

Whatever else you would like to change about the Copyright system as a whole, there are particular parts of the DMCA, specifically section 1201, which put innocent security researchers at risk of dire punishment if they are deemed to have thrown light on any DRM system.

There was an attempt at one point in the W3C process to refuse to bring the EME spec forward until all the working group participants would agree to indemnify security researchers under this section. To cut a very long story short, the attempt failed, and historians may point to the lack of leverage the EME spec had to be used in this way, and the difference between the set of companies in the working group and the set of companies which would be likely to sue over the DMCA, among other reasons.

Security researchers

There is currently (2017-02) a related effort at W3C to encourage companies to set up “bug bounty” programs to the extent that at least they guarantee immunity from prosecution to security researchers who find and report bugs in their systems. While W3C can encourage this, it can only provide guidelines, and cannot change the law. I encourage those who think this is important to help find a common set of best practice guidelines which companies will agree to. A first draft of some guidelines was announced. Please help make them effective and acceptable and get your company to adopt them.

Obviously a more logical thing would be to change the law, but the technical community seems to have become resigned to not being able to have a positive effect on the US legislative system due to well documented problems with that system.

This is something where public pressure could perhaps be beneficial, on the companies to agree on and adopt protection, not to mention changing the root cause in the DMCA. W3C would like to hear, by the way, of any examples of security researchers having this sort of problem, so that we can all follow this.

The future web

The web has to be universal, to function at all. It has to be capable of holding crazy ideas of the moment, but also the well polished ideas of the century. It must be able to handle any language and culture. It must be able to include information of all types, and media of many genres. Included in that universality is that it must be able to support free stuff and for-pay stuff, as they are all part of this world. This means that it is good for the web to be able to include movies, and so for that, it is better for HTML5 to have EME than to not have it.

TimBL

43 thoughts on “On EME in HTML5”

  1. The fact that the CDM (DRM code in the article) is not part of the standard means the promise of interoperability is false.

    And the fact that CDM sandboxing is not defined means you allow for a race to the bottom in terms of end-user security.

    Nobody wins here.

    1. > Nobody wins here.

      Users, web developers, security researchers and most browser vendors do not win here. Agreed.

      But in the short term, archaic content industries that lack the agility to develop modern business models do win here. At the expense of everyone else.

      Also, browser vendors like Google who succeed in getting their CDM implementation blessed also win.

  2. Without EME the web will be subject to proprietary apps. With EME the web will be subject to proprietary apps. In what universe is that a valid argument for EME?

  3. Why is it the W3C’s job to decide how content distributors should make money? The DRM pushers can invent their own damn protocol. We’re going to see a lot of standards-breaking proprietary stuff either way, like Roman says. It’s better for the W3C to be able to remain true to the goal of openness rather than heading down the path of encouraging EME. Remember the bad old days of ActiveX?

  4. My browser starts downloading random x86 Linux and Windows binaries and trying to run them, this is progress.
    Sandboxing (which is outright disabled on ‘lower tier operating systems’ like the one I use) is perfect and will never fail us.
    Next it will demand that my monitor and GPU driver support DRM-content-playing (yes that’s a thing – HDCP), so much for having an open source driver, or open source hardware.
    The difference between a DRM program in an OS and one in a browser isn’t the lack of sandboxing. It’s the fact I can completely opt out of it.
    Many programs I run on my OS are better sandboxed than anything a browser does by default. It can’t use chroots. It can’t do read-only null mounts. etc.

  5. “The web has to be universal, to function at all.”

    Which, with EME, it won’t be. There will be a return to “Best viewed with browser X” for those sites which present DRM encumbered content which will only work in “approved” browsers / operating systems. If this kind of walled garden is created outside the w3c spec (as it historically has been), it is an inconvenience, but when it is explicitly endorsed as part of the spec, it is explicitly the end of the open web.

    It feels like Tim Berners-Lee has been presented with a decision where his choice will either see him being viewed as unprincipled or irrelevant, and the fear of irrelevance has won out.

  6. Here is the major problem with the whole EME that is never discussed: proprietary blobs (no I’m not talking about the decryption modules) included in _browser code_ that require browser developers to “maintain a relationship” with CDM vendors. This effectively silos web browsers, and therefore the web.

    ————————
    > For a browser to support a CDM, is a developer required to write CDM-specific browser code?

    Yes. Not just that, but for actual CDMs on the market the developer is also required to work with the CDM vendor to accept that particular browser as a trusted enough party.

    This is because CDMs are supposed to prevent the decoded data being captured, so they must either handle their own on-screen display or do so via an intermediary they trust. See also the “What does this mean for downstream users of the Firefox code base?” section of https://hacks.mozilla.org/2014/05/reconciling-mozillas-missi… and note that in the setup described there the CDM basically bakes in some sort of signature of the actual browser _binary_ that it’s willing to work with. So just compiling the same, or worse yet slightly modified, source is not enough to get something that works with the same CDM
    ————————

    See this thread and particularly note the replies by bzbarsky, a Firefox dev.
    https://news.ycombinator.com/item?id=11679552

    The idea that w3c would be interested in encouraging this kind of situation is unfathomable. How myopic is this group?

  7. Seems the future of web is DARK… :(

    …trying to make digital files uncopyable is like trying to make water not wet.
    – Bruce Schneier

  8. Craven, gutless, self-serving garbage. You blessed EME because you were frightened your little club would not receive corporate funding if you did not. As did Mozilla before you. I’m disgusted with you. Now you’re on your knees, do you really think they will stop with DRM?

    To quote “A Man For All Seasons”:

    “For Wales? Why Richard, it profit a man nothing to give his soul for the whole world.. but for Wales!”

  9. I believe Zak Rogoff at defectivebydesign.org has put it rather well:

    > This argument relies on a false dichotomy between wiping DRM from the face of the Earth, and giving it his stamp of approval. Of course, a refusal to ratify could not immediately stop the use of DRM, but it could meaningfully weaken the position of DRM in the court of public opinion, and put EME proponents Netflix, Microsoft, Apple, and Google on notice that a very prominent figure was willing to stand up to them on behalf of users.

    And in particular:

    > Changes in society’s technological infrastructure require political movements, not just technological arguments, and political movements benefit greatly from the support of prominent figures.

    Dear Mr. Berners-Lee, first of all, you appear to be fronting a false dilemma here. W3 has a sway with the heavyweight industry players, that’s the third choice you did not describe at all. By merely opining the right thing to do, and standing behind it, you are affecting things. Turning up the contrast to just illustrate how W3 has no direct authoritative or directly decisive power over anything, is misleading and insulting. We don’t expect W3 to dictate the development of the Web alone, but for it to just throw what is effectively a “blank” vote like that, is at best very disappointing.

    We owe you for the Web, and somehow also for much that has come since with it, but let’s all be realistic and allow critique where it’s due.

  10. When HTML pages themselves become subject to DRM restrictions under EME… what then? TBL does not seem to entertain that dark possibility.

  11. 1) EME does not enable DRM for HTML, only for the video stream, so this is not an argument against EME.
    2) Well, the way to do that would be for example to go back to Flash – but why would people want to do that? They moved away from flash to open html, for several reasons.

    1. As the author of Video.js, I would very much not like to go back to Flash or proprietary apps. Both are terrible for accessibility (even despite regulations). The web allows us to discuss, develop, and share accessibility solutions openly, bringing content to users that may never be able to experience it if it were left up to regulations to be created and enforced.

      While it was hinted otherwise in the article, better accessibility is still very much possible even when using EME.

    2. To quote your own article

      “Do we worry that having put movies on the web, then content providers will want to switch also to use it for other media such as music and books? … For books, yes this could be a problem…”

      To suggest that a block of text could very well be subject to w3c endorsed DRM, if it is described as a book, but there is no reason to think that a block of text would be subject to the w3c endorsed DRM, if it is described as an HTML page, is, quite frankly, ridiculous.

    3. Are you really so naive as to believe that this demand for DRM will end with just video and nothing else? News sites will want their stories protected with DRM. Any site that publishes any kind of story online will want it protected with DRM. Adult publishers like Perfect 10 and ALS Scan will want all their photos protected with DRM. They’ve already sued Google for indexing their images, you don’t think they’ll be chomping at the bit to get DRM added for images?

      Once added to the official standard, DRM will spread like a plague. In case you haven’t noticed, the copyright industry is NEVER satisfied. They want literally EVERYONE to help protect their business model. They’ve even gone so far as to get copyright propaganda taught in kindergarten classes. Do you really think this will end with just video being subject to DRM?

      What will the web look like when everything is locked down and nothing can be saved or copied?

      Any way you try to spin it, this is just bending over and taking it up the a** for the corporations.

  12. In the “Problems for developers” section, you mentioned that DRM prevents independent developers to “add accessibility features, such as speeding up or slowing down playback.”

    The “video” element “playbackRate” property can be changed to achieve the above and it works on DRM enabled browsers like Chrome, Safari, Edge.
    Could you please provide some more details regarding this point?

  13. >If EME did not exist, vendors could just create new Javascript based versions
    I’m sorry, but how is that worse? It doesn’t force you to use proprietary blobs (and they ARE proprietary blobs) that will never work if you compile an existing browser by yourself (at least the solution by Adobe picked by Mozilla: https://hacks.mozilla.org/2014/05/reconciling-mozillas-mission-and-w3c-eme/ ) (you need to provide Mozilla’s or “bit-identical to Mozilla’s CDM host executable”)
    Not to mention about other browsers or players.
    The obvious solution would be to create an open-source Content Decryption Module (CDM) (but we all know Hollywood will not pick this route because it would be extremely easy to modify it for piracy purposes) or leave it to JS/WebAssembly (at least you can use same code for all platforms and browsers).

  14. I posted a longer comment to Hacker News about this article, which you can read here: https://news.ycombinator.com/item?id=13770281

    I’d like to highlight one particular bit from it here, namely this one. In the article, you write “If EME did not exist, vendors could just create new Javascript based versions.”

    What you fail to mention is that this would be vastly more preferable to EME. EME doesn’t specify the actual DRM part itself, leaving that to proprietary black boxes that need to be separately approved by content distributors, which vastly increases lock-in and hands over unnecessary amounts of control to Big Media when it comes to deciding who gets to view what.

    If in comparison all content protection was implemented purely in JS, any modern browser would work with it because JS is actually a fully specified open standard! This is what would guarantee actual, true interoperability, which EME in comparison really doesn’t.

  15. When we allow the interests of others to direct our goals and vision, we become subordinate to our own ideals.

    #EME in #HTML5 is antithetical to a free and open Web. I remain convinced that there are two issues in play which are not being honestly and openly addressed:

    1. EME is something all of the most influential W3C members want. This means their opinion – and MEMBERSHIP DUES – are in part influencing decision making;

    2. The W3C is not set up to be a political organization and many statements have been made to that end over the decades since its creation. This is an understandable defense but it’s still a defense – anything that touches human society IS inherently political. To withdraw from that is a choice that removes the organization from a fully honest relationship with the community that drives it.

    These actions do not in any way make the W3C wrong in its decisions IF YOU DO NOT CONTINUE TO REPRESENT YOURSELF as the organization who cares about an Open Web. What you care about consistently is writing specs. Keep writing specs and stay out of the politics if you like, but please stop lying. First to yourselves, and then to the rest of us who have worked as hard if not harder to MOVE THE WEB FORWARD.

    I respectfully ask The W3C rescind ALL use of the word “Open” In relation to any and all references of the TCP/IP x HTTP(s) World Wide Web.

    Sometimes, we create Frankensteins and Monsters and don’t mean to do harm. The Web is now a Frankenstein Monster – it has a heart but it has its own mind. If you want an Open Free Web, it’s time we turned our developer attention and energy away from W3C (except in specs) and toward other organizations like FSF and EFF that actually do work on the political and social layers of electronic freedoms and the true realization of that which we refer to as “open.”

    With regards,

    Molly E. Holzschlag
    molly.com

  16. “Yes, there is an argument made that in any case, W3C should just stand up against DRM, but we, like Canute, understand our power is limited.”

    W3C was a champion of the open web.
    That champion has now chosen to bow its head and kneel, instead of standing tall before those that want to create silos and tollgates on the open web.
    By doing so that champion loses the respect it used to arouse.

    Since it is now clear W3C has capitulated and been co-opted by enemy forces, we can no longer trust the W3C to champion an open web, and hence any W3C standard becomes suspect.

    Your decision ruins W3C as a standards organization.

    Hugely disappointed, I thought the W3C to have principles AND the backbone to stick to them… RIP… not. any. more.
    Please continue going gently into the night.

    Just like Microsoft used OOXML to check off the ‘open standard’-checkbox. The tollgated and siloed places on the web, will now claim to be part of the open web.

  17. Dear TimBL.

    Others had already addressed very solid and clearly the many obscure, simply lacking or erred points on your article on the technical, ethical and political aspects, so I won’t repeat them here. In simple words, your position is unsustainable from almost any logical point of view, except of course in the big media companies interests.

    I would like -however- to try to really understand *you*.

    The man that created something so powerful as to become what the web is today, that directed a consortium for an Open Web, now officially gives support to what is obviously wrong for almost everyone except those big media companies. How such a change was done? What process could make you break your ideals in such brutal way?

    Imagine yourself trying to explain this to your grandchildren and please leave it here for them. Maybe in this way we can understand you.

    Otherwise, it just looks like you sold not only your ideals, but yourself and all of us in the same deal.

    Thanks…

  18. Dear Mr Berners-Lee,

    I urge you to reconsider.

    This whole post feels like an excuse. A concession. A “Oh well, if they want it so badly…”. Especially given your personal views laid out at the end of the post.

    > If the Director Of The Consortium made a Decree
    > that there would be No More DRM.

    I don’t think anyone expected you to make such a decree. What I expected you to do is to keep true to your vision of an “open web”, and firmly say “no” to proposals which would clearly undermine it. As others said, no matter how hard you try to justify it, DRM doesn’t fit into this vision, and you seem to agree!

    So what is stopping you from steering away from the EME spec? If the proponents want it so badly, they can devise their own standard. It doesn’t need to be woven into the “open” web standard. I would think (and many seem to agree) that privacy and security concerns ought to be a higher priority than the ease of distributing/watching Hollywood movies. Letting this EME spec land in would be a dangerous precedent.

    Please, Mr Berners-Lee, don’t compromise on something as fundamental as keeping the web an open/handcuffs-free platform.

    Thank you for reconsidering.

  19. This is a terrible idea. Companies, like those asking for EME, got the chance to exist because the foundation of the Web is OPEN STANDARDS!

  20. The start of the Intel-only web.
    That is what this “solution” is.
    If we are lucky, ARM will be allowed to play.
    But MIPS, SPARC, PowerPC etc. will no longer be welcome to the web.
    Nor will niche OS like Haiku.
    The internet: soon only available on approved systems. Is that really what the W3C stands for?
    If not, will there at least be a requirement for the content modules to be available on any architecture and OS that either Debian or Firefox support?
    If a bunch of volunteers can do it, is it too much to ask that people earning money via the internet do their part to keep it open to all, if they really HAVE to use DRM?

  21. You know, DRM is the very antithesis of universality. So your logic says that to exist the thing must carry its own ready-made poison pill. I would question that logic except for the simple finding that with this “living standard” malarky and the rest of the current browser wars 2.0, the ‘web has become unreliable and unsuitable for the long run. And as such the W3C has shown itself [x] unfit and [x] incompetent, making hair-splitting about your logic mostly academic. But at least you’re in good company: The companies that keep pushing DRM, which has been shown to be effectively dead time and again, are themselves dead men walking. Their business models are based on premises that are steadily evaporating. This is inherent in the nature of ubiquitous communication. DRM, just like their protectionist laws and conspicuously named “free trade treaties”, tries to turn back that clock. Sorry, the ship has sailed. And now we see that you, too, are doing your level best to make yourself irrelevant to the future. But hey, at least you are free to make that choice.

  22. After so much excellent work, and after founding the W3C to establish interoperable web standards, it’s sad to see such a thorough screw-up here.

  23. The how do I publish movie is missing something.

    Not all cases do you need DRM. Sometimes if the ability to encrypt with a preshared key would be enough.

    So with is the case for a business/channel that does not 100 percent care if the video leaks but only want the video to get to paid subscribers first. Encrypted with presharing of keys does this usage case.

    Next businesses for internal videos could give all staff members key-store holding the keys to the videos they are allowed to watch. Again this is not DRM. This is video access control. EME need to be put head to head with video access control that is based on open source. Will people leak videos as much if they know their account can be located and them blacklisted?

    With watermarking and access control it is possible to zone in on the thieves.

    Will EME sandbox module prevent someone creating a solution to run EME DRM module in a sandbox to play back the video to decode and recode it. I think not. So this would be back to water marking to locate your thief.

    My biggest problem with EME is that it promises a load of goods that it’s not going to really be able to deliver.

  24. Unbelievable that the W3C would promote a technology that would subject security researchers to jail time for finding security flaws in a piece of software that you want to force users to install. It is not enough that you “encourage” these companies to not prosecute, you should demand it before allowing it.
