Skip to main content

The W3C, led by Sir Tim Berners-Lee, looks set to standardise DRM-enabling Encrypted Media Extensions (EME) in browsers, a move that betrays the founding principles of the open Web.

When Berners-Lee invented the Web, he gave it away. His employer at the time, CERN, licensed the patents royalty-free for anyone to use. An open architecture that supported the free flow of information for all made it what it is today.

The NeXT machine used by TimBL at CERN.
Enlarge / The NeXT machine used by TimBL at CERN.
SSPL/Getty Images

But that openness is under assault, and Berners-Lee’s support for standardising EME, a browser API that enables DRM (digital rights/restrictions management) for media playback, has provoked a raging battle within the W3C (World Wide Web Consortium), the organisation that sets the standards for how browsers work.

The stakes could not be higher, to hear both sides tell it. On the one hand, Hollywood is terrified of online piracy, and studios insist that video streaming providers like Netflix use DRM to stop users from pirating movies. On the other hand, a long list of security experts argue that DRM breaks the Web’s open architecture, and damages browser security, with cascading negative effects across the Internet.

As the director of W3C, Berners-Lee shepherds the future of the Web, and is under intense pressure from both camps. While the W3C has no governing power to mandate a solution—in fact, many browsers, including Chrome, ship with EME already—what the W3C does have is TimBL.

And both sides want his blessing.

Security time-bomb

The Web has upended earlier ways of publishing, and charging for, copyrighted material. Creators of movies, songs, books, and newspapers still struggle to adapt to a new world in which anything can be copied at nearly zero cost, and shared around the world in nearly no time.

In desperation, many creators have turned to DRM in an attempt to limit consumers’ ability to copy and share what are, at the end of the day, just ones and zeroes traversing the Internet. But DRM is trivially circumvented, and so companies rely on the legal muscle of the DMCA (Digital Millennium Copyright Act) §1201 in the US, and its counterparts in other countries around the world, including the European Union Copyright Directive (EUCD), which make it a felony to break it. This turns violating copyright law, a minor offence, into a serious crime punishable by prison time.

But prohibiting copyright scofflaws from breaking DRM has the side effect of criminalising legitimate security research, which, by definition, involves taking things apart and breaking them in order to make them better. Some critics go so far as to call this side-effect a feature, not a bug. Filing a lawsuit remains the knee-jerk reaction for many companies embarrassed by good-faith security research into their software.

This DMCA/DRM one-two combo stifles security research and makes us all less safe, security experts warn. Browsers are a key piece of infrastructure, and increasingly serve not only Web pages and streaming video, but also as front ends for important services and the administration of devices. Security researchers are reluctant to engage in legitimate, public-interest research for fear of a lawsuit or prosecution under DMCA §1201. Indeed, the most recently discovered vulnerability in Widevine, Google’s DRM solution for video streaming in browsers, came from researchers in Israel, one of the few developed countries without a DMCA-like law.

“DRM is a dangerous feature to standardise and have enabled across everyone’s browser because it essentially enforces a black box of code to be installed on your browser which cannot be audited or looked at or even talked about by security researchers,” Harry Halpin, a W3C employee who publicly threatened to quit in protest over the proposed EME standard, and left the organisation at the end of 2016, tells Ars.

Joi Ito, director of MIT’s Media Lab, agrees. “By allowing DRM to be included in the standard we ‘break’ the architecture of the Internet by allowing companies to create places to store data and run code on your computer that do you not have access to,” he explains to Ars. “We will be left with a broken and fragile architecture, as well as browsers whose internals are off limits to security researchers, who face brutal punishment for trying to determine whether your gateway to the Internet is secure enough to rely on.”

Ars attempted to reach a number of pro-DRM advocates for this story, but few were willing to comment on the record.