Browsers’ bid for relevance is turning them into time-bombs

The growth of mobile devices and the apps that fuel them has been followed by a decline in browsers, locking more and more of the Internet into silos controlled by giant corporations that love “disruption” when they're the ones doing it, but not so much when they’re the ones being disrupted. The browser ecosystem is weaker than it’s ever been, and that’s made it ripe for predation — and you’ll find no better example of it than something happening under MIT’s own roof.

To understand what’s happening, you need to understand both web standards and a notorious U.S. law called the Digital Millennium Copyright Act (DMCA).

MIT has hosted the World Wide Web Consortium, the web’s premier open standards body, since its founding in 1994. Unlike other standards bodies, which require members to contribute their relevant patents to a “pool” that is rented out to standards implementers, the W3C pioneered a new, radical approach to patents in standards: members must give their standards-overlapping patents away for free as a condition of participation.

This principled stand, taken when the web was strong and the W3C was flush, meant that for the whole modern life of the web, the core standards for browsers could be implemented by anyone, without fear of a patent suit from the W3C’s members.

That is, until the W3C got tangled up in the DMCA.

Passed in 1998, the DMCA contains a provision, section 1201, which makes it a crime to circumvent an “effective means of access control” that sits between users and copyrighted works. In the early days, this was used to punish technologists who made it possible to do things like watch DVDs purchased in one country on a player bought in a different country, but since “copyrighted works” include software, and software is in nearly everything these days, from buildings to voting machines to tractors to insulin pumps, the DMCA has metastasized into every conceivable domain, turning tinkering, interoperability and accessibility into legal minefields.

For more than a decade, browsers have supported DRM piecemeal, with a variety of technologies like Adobe Flash. With the advent of HTML5 and the removal of the NSAPI interface through which these DRMs had run, it seemed possible that online video would follow online music in going DRM-free. Instead, the W3C took the hugely controversial step of agreeing to standardize DRM as part of HTML5, in a standard called Encrypted Media Extensions (EME).

This decision — which Ian Hickson, who formerly maintained HTML5 for the W3C, publicly denounced — means that for the first time, implementing a browser that can play back all the content that is served under W3C standards will require permission from a movie studio.

It gets worse: one of the DMCA’s major targets is security researchers, who face legal threats when they disclose defects in DRM (because knowing a defect makes it easier to break the DRM), and security researchers report that they are routinely prevented from disclosing grave defects in everything from medical implants to critical software because of this threat.

The W3C’s strategy for “saving the web” from the corporate-controlled silos of apps is to replicate the systems of control that make apps off-limits to innovation and disruption. It’s a poor trade-off, one that sets a time-bomb ticking in the web's foundations, making the lives of monopolists easier, and the lives of security researchers and entrepreneurs much, much more perilous.

The Electronic Frontier Foundation, a W3C member, has proposed a compromise that will protect the rights of academics, entrepreneurs, and security researchers to make new browser technologies and report the defects in the old ones: we asked the W3C to extend its patent policy to the DMCA, so that members who participated in making DRM would have to promise not to use the DMCA to attack implementers or security researchers.

But although this was supported by a diverse group of W3C members, the W3C executive did not adopt the proposal. Now, EME has gone to Candidate Recommendation stage, dangerously close to completion. The purpose of HTML5 is to provide the rich interactivity that made apps popular, and to replace apps as the nexus of control for embedded systems, including the actuating, sensing world of “internet of things” devices.

We can’t afford to have these devices controlled by a system that is a no-go zone for academic work, security research, and innovative disruption. Although some of the biggest tech corporations in the world today support EME, very few of them could have come into being if EME-style rules had been in place at their inception. A growing coalition of leading international privacy and security researchers have asked the W3C to reconsider and protect the open web from DRM, a proposal supported by many W3C staffers, including Danny Weitzner (CSAIL/W3C), who wrote the W3C’s patent policy.

MIT students, researchers and alumni should join them in calling on the W3C to take a stand for an open web that is hospitable to scholarship and innovation.

Cory Doctorow is a Special Advisor of the Electronic Frontier Foundation.