The World Wide Web Consortium has embarked upon an ill-advised project to standardize Digital Rights Management (DRM) for video at the behest of companies like Netflix; in so doing, they are, for the first time, making a standard whose implementations will be covered under anti-circumvention laws like Section 1201 of the DMCA, which makes it a potential felony to reveal defects in products without the manufacturer's permission.

This is especially worrisome because the W3C's aspiration for the new version of HTML is that it will replace apps as the user-interface for the Internet of Things, making all sorts of potentially compromising (and even lethal) bugs difficult to report without serious legal liability.

The EFF has proposed that W3C members should be required to promise not to use the DMCA and laws like it this way; this has had support from other multistakeholder groups, like the Open Source Initiative, which has said that the W3C work will not qualify as an "open standard" if it doesn't do something to prevent DMCA abuse.

Now, another important body, WHATWG, has joined the chorus calling on the W3C to prevent their technical work from becoming a legal weapon. WHATWG is a breakaway web standards body, backed by all the major browser vendors, and much of the W3C's standardization process consists of snapshotting WHATWG's documents and putting W3C's stamp of approval on them.

In an op-ed on the WHATWG blog, Ian "Hixie" Hickson (who formerly oversaw HTML5 for the W3C, and now edits the HTML spec for WHATWG, while working for Google) calls on the W3C to adopt the rules protecting security research, saying "We can ill afford a chilling effect on Web browser security research. Browsers are continually attacked. Everyone who uses the Web uses a browser, and everyone would therefore be vulnerable if security research on browsers were to stop."

Hixie's letter is co-signed by fellow WHATWGers Simon Pieters from Opera, and Anne van Kesteren from Mozilla.

The charter for the W3C's DRM working group runs out in eight days and will have to be renewed. Some 20 W3C members have pledged to block any further renewal unless the W3C executive requires the group to solve this problem before finishing its work. The last time this happened, the executive dismissed these objections, but the numbers have swelled and now include prominent disabled rights groups like the UK Royal National Institute for Blind People and Media Access Australia, as well as a browser vendor, Brave.

A who's who of security researchers, including the W3C's own invited experts, have signed an open letter asking the W3C to ensure that control over disclosure of vulnerabilities in web browsers isn't given to the companies whom these disclosures might potentially embarrass.

From Hixie's post: