The World Wide Web Consortium (W3C), the industry body that oversees development of HTML and related Web standards, has today published the Encrypted Media Extensions (EME) specification as a Recommendation, marking its final blessing as an official Web standard. Final approval came after the W3C's members voted 58.4 percent to approve the spec, 30.8 percent to oppose, with 10.8 percent abstaining.

EME provides a standard interface for DRM protection of media delivered through the browser. EME is not itself a DRM scheme; rather, it defines how Web content can work with third-party Content Decryption Modules (CDMs) that handle the proprietary decryption and rights-management portion.

The development of EME has been contentious. There are broad ideological and legal concerns; some groups, such as the Free Software Foundation, oppose any and all DRM in any context or application. Some do not object to DRM, per se, but are concerned by regulations such as the US' Digital Millennium Copyright Act (DMCA). Under the DMCA, bypassing DRM is outlawed, even if the bypass is intended to enable activities that are otherwise legal. These concerns are particularly acute in the context of the Web; for many the Web should be open, without any kind of technological restrictions on what can be done with Web content. The protection that DRM offers is seen as anathema to this. Moreover, while browsers themselves can be fully open source, CDMs are built using proprietary, secret code with no source available.

The principal groups favoring the development of EME have been streaming media companies such as Netflix and Microsoft, Google, and Apple, companies that both develop browsers and operate streaming media services. While the use of DRM for perpetually licensed music has largely fallen out of favor, DRM protection for subscription services, both audio and video, remains alive and well, and the industry has argued that these services could not exist without some kind of content protection. This gives these groups three options for distributing content: proprietary plugins, such as Flash and Silverlight; proprietary standalone applications in various app stores; or HTML5 video with some kind of DRM system. EME provides this final option.

This shift from rich plugins and standalone apps to browser-based alternatives has produced some level of support for EME even for those opposed to DRM. If a publisher is going to insist on using DRM, the argument goes, it's better for them to use a CDM to provide that protection than it is an app or Flash. The CDM can be sandboxed, with limited access to personal data, pages within the browser, or the network. Flash, Silverlight, and standalone apps, by contrast, are much less constrained and have much greater scope to violate privacy. The complexity of Flash and Silverlight also makes them richer targets for security flaws and exploitation. CDMs should be substantially simpler in comparison.

As such, EME is seen as an incremental improvement in privacy and security, relative to the practical alternatives.

Across the spectrum of positions there was hope that W3C could provide safeguards from the DMCA and similar laws in other jurisdictions. The Electronic Frontier Foundation (EFF) proposed a binding covenant for W3C members that would limit their ability to take legal action against those developing DRM bypasses. Under the terms of this covenant, members would promise to only use the legal system against those pirating media; those bypassing DRM to assert their fair use rights, or to assess the security of CDMs, would be protected from action. This covenant was rejected as was a weaker one that would have protected only security researchers.