What is EFF worried about?

The W3C effort to standardize Encrypted Media Extensions (EME, part of the Media Extensions Working Group) marks a new era in W3C standardization. For the first time, implementations of a W3C standard will be covered by "anti-circumvention" laws such as Section 1201 of the US DMCA; European laws that implement Article 6 of the EUCD; and Canada's Bill C-11.

These laws have been used by companies and rightsholders to threaten security and privacy researchers who came forward to report defects in their products. These laws may also create legal risks for entities who independently implement EME-compatible systems.

What is EFF proposing?

Last year, EFF opposed renewal of the EME Working Group unless its charter was modified to require WG members to agree not to use the DMCA or laws like it to attack security researchers or independent implementers of the specification. Enough W3C members endorsed the proposed change that the charter could not be renewed. After 90 days' worth of discussion, the working group had made significant progress, but had not reached consensus. The W3C executive ended this process and renewed the working group's charter until September.

EFF is now proposing that the group's charter not be renewed in September unless an exit condition is added to the group's work.

This exit condition is for the group to continue its work on arriving at a consensus agreement on protecting security disclosure and independent reimplementation, reflecting a compromise that all parties can live with.

Is EME DRM?

EME is intended as one component of a two-component system, the other being a Content Decryption Module (CDM). Some working group members argue that EME -- that is, the part the W3C is specifying -- is not DRM, and wouldn't be covered under the DMCA and other statutes.

We're skeptical of this claim. First, there are minor variations in implementations of the relevant statutes, and many of them have very thin litigation history, meaning that their exact contours are as yet to be determined. There's a lot on the line here: liability for competitive new entrants and for those who make the web more secure for users. It's worth taking measures to mitigate those risks.

There's also the matter of EME's intended purpose: the members who advocate for EME clearly intend it to be used in DRM. There is no useful role for EME without a DRM system, and no one would be working on EME if it wasn't for its usefulness in DRM applications.

No one will be able to say for sure whether courts will view EME as DRM, but based on decades of history litigating DMCA cases, we think there's a significant chance they will.

Why defend piracy?

Even the most expansive version of a DMCA nonaggression covenant -- one where members simply agreed to never invoke DMCA 1201-like laws -- would have no impact on the ability of rightsholders to pursue claims against people who commit copyright infringement. They would still be able to take criminal and civil action for creating and facilitating the creation of unauthorized copies, for violations of terms of service, for tortious interference, and under all the other statutes in which legislatures have explicitly given rights to creators and their investors to control their copyrighted works.

Laws like DMCA 1201 allow companies to convert their commercial preferences into legal obligations. For example, no statute prohibits shifting the color gamut of a video stream to adapt it for use by color-blind people, but if you have to bypass EME to do this, the company gets a right of action against you. If the W3C standardizes a DRM without protections for interoperability and security, they're handing companies the ability to make up laws that governments will enforce for them, even though no legislature ever debated or enacted those laws.

Here's a list of some of the things that will be off-limits once EME is finalized, if no action is taken to defuse laws like the DMCA:

https://www.eff.org/deeplinks/2016/03/interoperability-and-w3c-defending-future-present

Doesn't the Copyright Office ruling solve this problem?

In 2015, EFF and many other entities -- companies, scholars, academics, technologists, advocates -- petitioned the US Copyright Office for exemptions to section 1201 of the DMCA, many of which were granted, including one that offers limited protection to security researchers. This is important recognition from an expert agency in the US government that the DMCA poses real problems for security research and user safety.

But the exemption does not relieve the risk that EME poses to the web.

First, it only takes effect in October 2016, and only lasts for two years.

Second, it only covers the act of bypassing a DRM like EME, but not the creation or sharing of tools or knowledge that allow researchers to replicate and independently verify this feat (the Copyright Office believes it lacks the authority to grant this kind of exemption).

Finally, it applies solely to the USA, while anti-circumvention laws have proliferated all over the world, largely thanks to the efforts of the US Trade Representative.

What about bug bounties?

Could we just solve the problem for security researchers by having companies offer bug bounties and other programs that provide a path to disclosure?

Bug bounties and other managed disclosure systems are fantastic ideas and EFF applauds W3C members who choose to implement them. If all the working group members wanted to commit to such a system, we'd be delighted. But we believe that it's not our place to tell members how they must spend their money or manage their users.

We favor the much more modest solution of allowing security researchers and implementers to freely negotiate the terms of disclosure. For such a negotiation to take place, we first need to ensure that companies can't unilaterally censor embarrassing reports of defects in their products by invoking laws like the DMCA.

Why don't you get rid of these bad laws?

The problem here is the DMCA and laws like it, and we favor reforming those laws, something that has widespread support, including support from Tim Berners-Lee.

We have worked for many years to make this happen, and this year has been a good one for the project: both the US Congress and the US Copyright Office have held proceedings to hear arguments for reforming anti-circumvention law.

But this is a process of years, and the web moves faster than the speed of law. Until such time as statutory reform can be accomplished around the world, the W3C can insulate web users from these laws' most dangerous and anti-competitive effects.

What's more, the adoption of a W3C rule taking DMCA abuse off the table is itself powerful evidence that the law is in need of reform. That is, by taking this step, the W3C brings us closer to legal reform.

Even if legal reform never arrives -- or if it's a long time coming -- the protection the W3C extends to the web by adopting a rule limiting DMCA abuse stands on its own as an important step with usefulness from day one.