Against strong opposition, the World Wide Web Consortium has announced its approval of Encrypted Media Extensions (EME), a standard intended to allow easier incorporation of Digital Rights Management (DRM) protected content into Web pages.
EME provides a standard way for incorporating a copy-protection software module into any Web browser. The idea is to make ad hoc solutions like Flash and Silverlight obsolete, and allow streaming services or third parties to build secure media software that can live ‘inside' a Web browser and display protected media content as part of a standard Web page.
"After consideration of the issues, the Director reached a decision that the EME specification should move to W3C Recommendation," stated W3C Director Tim Berners-Lee and Project Management Lead Philippe Le Hégaret. "The Encrypted Media Extensions specification remains a better alternative for users than other platforms, including for reasons of security, privacy, and accessibility, by taking advantage of the Web platform."
Nonetheless, numerous groups and legions of Web users have opposed EME right from the start. Their concerns have been summarily dismissed by the W3C, and especially by Berners-Lee, the man credited with creating the World Wide Web in the first place.
On the positive side, EME seems technically sound. It creates a standard software interface inside the browser, which media players can connect to. It's much like the current plug-in model used by Flash and Silverlight, but explicitly designed to accommodate DRM protection software, offering standard mechanisms for things like fetching license keys, validating users and interacting with the browser's other functions.
The W3C claims that EME will make DRM better-behaved, less prone to technical problems, more convenient for users and more secure in general.
On the negative side, there's an immediate conceptual objection to EME, in that it aims to create a space for proprietary, obfuscated and blatantly anti-user software ‘inside' the otherwise open Web standard. DRM is by definition hostile to the user: it's intent is to prevent the owner of a device from performing certain actions that the device would otherwise be expected to execute without hesitation. In essence, say the critics, the W3C has given a green light to this concept, legitimizing it as part of the World Wide Web.
Critics also ask, not unreasonably, why EME was required at all. Netflix and other services have been successfully delivering protected content on every imaginable type of device, using both browser plugins and standalone apps. So EME isn't a fundamental requirement of content delivery.
What's more, it's obvious that users would tend to interact with realtime content such as music or video in very different ways than they would with typical Web pages consisting of words and images. This separation won't magically disappear on account of EME.
Worst of all, there's the fear that EME may even put us on the edge of a very slippery slope, encouraging increasing amounts of formerly free and accessible content to be locked up behind DRM restrictions. There's nothing about EME that limits its use to Netflix videos. Once DRM capability is the default in every Web browser, we could enter a very different world, in which users face an array of toll gates rather than the current universe of readily accessible content.
Finally, there's a massive concern about security and privacy. EME allows proprietary, secretive, user-hostile Content Delivery Modules (CDMs) to be downloaded at the whim of the content provider, and run within the browser environment - with minimal oversight.
The W3C draft standard does include various safeguards. For example, it states that CDM providers "must" ensure that their software does not access information or system resources that are not "reasonably required" for playback of protected media. But the term "reasonably" is open to interpretation. Protecting digital content isn't easy, and CDM providers can be expected to assert a need to access all sorts of user data.
The W3C standard makes no provision for independent verification of conformance with its privacy or security requirements. Or, in fact, for any internal activity of a CDM. In fact, under current copyright law in both the US and Canada, it is flatly illegal to peer inside anything that can possibly be termed a ‘digital lock.' Thus, while CDMs will undoubtedly be cracked by enterprising pirates, laws-abiding security researchers will be legally prohibited from scrutinizing the safety or robustness of CDM software.
The Electronic Frontier Foundation spearheaded the objections to EME. It made a strong plea for inclusion of a "covenant" that would require W3C members to use copyright laws only to prosecute actual piracy of content, and prohibit them from going after those who might bypass DRM for benign reasons, such as creating new features for users with disabilities, or vetting the code for security vulnerabilities.
The EFF's requests were gradually watered down, and ultimately flatly rejected by the W3C.
Regarding creation of features for disabled users, for example, the W3C blithely states that all needs will be addressed by the content provider. This assumes that captions, for example, or digital flags warning of epilepsy-inducing ‘strobe effects,' will always be included in protected content streams, and that there will thus never be any need for a third-party to add them. History provides no support for this optimistic view.
Obviously, content providers will continue to claim that they desperately need ‘digital locks' to protect their business models. Despite the plain fact that DRM has never prevented a single piece of content from being widely copied, and that ‘rampant' piracy has not prevented content industries from remaining among the most profitable in today's dismal economic climate.
This is not to say that piracy is okay, or that it has no effect on content industries. But it should certainly give us pause to ask whether building DRM facilities into every Web browser is either necessary or desirable.
The inexorable movement to adopt EME makes it appear that the W3C has simply capitulated to requests from media companies, without considering the fundamental pros and cons of a standard like EME, and without ever contemplating the possibility of taking a stand on principle. (It may or may not be significant that the draft EME standard credits four "editors:" two from Microsoft and one each from Google and Netflix.)
For its part, the EFF has vowed to continue its opposition to EME. "There is an appeals process for Tim Berners-Lee's decisions at the W3C," writes Cory Doctorow, on the EFF site. "The entire project of designing technology to control web users, rather than empowering them, has taken the W3C into uncharted waters, and this is the most unfamiliar of them all. We're looking into this, counting noses, and assessing our options. We'll keep you informed."