WTF is up with the W3C, DRM and security bods threatened – we explain

Five years on, attempts at compromise on web standards still fueling fights


Analysis A lengthy battle over the inclusion of digital rights management as a Web standard is coming to a head, with a set of new guidelines planned for early March.

Those guidelines will include the latest attempt at compromise between pragmatists and idealists over how to allow control of content online without undermining the central concept of a free and open internet.

On March 2, the World Wide Web Consortium (W3C) will publish details of its new vulnerability disclosure program, closely followed by a "call for review" from its director, Tim Berners-Lee, on a proposal intended to protect security researchers from being sued if they dig into the black box of code that makes digital rights management (DRM) possible.

It is a messy compromise, and one that some are still not happy with, but it is progress on an issue that has set the W3C against itself for five years.

It is also a proxy for a much broader fight: between corporations that want to be able to protect their content, and internet engineers opposed to commercialization of the internet who want to protect the open internet in an era of closed systems.

Stuck in the middle is the W3C itself – torn between the desire to produce common standards for the contemporary internet and the risk that it may be undermining its very reason for existing. Both sides' positions are entirely understandable.

The case for DRM

As many, including the W3C executive team, have repeatedly pointed out, DRM already exists online and is used every day by millions of people, the best-known examples being Silverlight and Widevine. Typically this content protection has been delivered through browser plugins, although browser makers are increasingly shipping DRM components as a built-in part of the browser.

What the W3C wants to achieve through its Encrypted Media Extensions (EME), an addition to HTML5's HTMLMediaElement, is to remove the need for plugins. Instead there is a standard JavaScript API through which a web page discovers which key system protects a piece of content, asks the browser for it, and relays the licence exchange; the decryption itself is handled by a content decryption module (CDM) supplied with the browser or platform, and that module, not the API, is where the DRM's secrets live.
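The handshake described above, as an added example in browser JavaScript (this is not code from the article, the W3C specification or any browser vendor). The three key-system IDs are the publicly registered "cenc" system IDs for Widevine, PlayReady and Clear Key; the licence URL, the codec string and the sample initialization data are assumed, constructed values. The parser bounds-checks every length field because the initialization data arrives from the content, not from the browser.

```javascript
// Added example (not from the article, the W3C spec, or any browser vendor): the EME
// flow a page drives. The "encrypted" event carries initData, the page works out which
// key system the content needs, asks the browser for it, then relays licence messages.
// The DRM itself runs in the browser's content decryption module (CDM); the page never
// sees it. LICENSE_URL and the codec string are assumed values for illustration.

// Well-known "cenc" system IDs mapped to their EME key-system names.
const KEY_SYSTEMS = {
  'edef8ba9-79d6-4ace-a3c8-27dcd51d21ed': 'com.widevine.alpha',
  '9a04f079-9840-4286-ab92-e65be0885f95': 'com.microsoft.playready',
  '1077efec-c0b2-4d02-ace3-3c1e52e2fb4b': 'org.w3.clearkey',
};

const hexUuid = (b) => {
  const h = Array.from(b, (x) => x.toString(16).padStart(2, '0')).join('');
  return `${h.slice(0, 8)}-${h.slice(8, 12)}-${h.slice(12, 16)}-${h.slice(16, 20)}-${h.slice(20)}`;
};
const uuidBytes = (s) => Uint8Array.from(s.replace(/-/g, '').match(/../g), (x) => parseInt(x, 16));

// Parse "cenc" initData: concatenated ISO BMFF 'pssh' boxes.
// size(4) 'pssh'(4) version(1) flags(3) SystemID(16) [v1: KID_count(4) KIDs] DataSize(4) Data
// Every length is bounds-checked against the enclosing box before it is used.
function parsePssh(initData) {
  const u8 = new Uint8Array(initData);
  const dv = new DataView(u8.buffer, u8.byteOffset, u8.byteLength);
  const boxes = [];
  for (let off = 0; off + 8 <= u8.length; ) {
    const size = dv.getUint32(off), end = off + size;
    if (size < 8 || end > u8.length) throw new Error('malformed box');
    if (String.fromCharCode(...u8.subarray(off + 4, off + 8)) === 'pssh') {
      const need = (p, n) => { if (p + n > end) throw new Error('pssh field overruns box'); };
      const version = u8[off + 8];
      let p = off + 12;
      need(p, 16);
      const systemId = hexUuid(u8.subarray(p, p + 16));
      p += 16;
      const kids = [];
      if (version > 0) {
        need(p, 4);
        const n = dv.getUint32(p);
        p += 4;
        need(p, 16 * n);
        for (let i = 0; i < n; i++, p += 16) kids.push(hexUuid(u8.subarray(p, p + 16)));
      }
      need(p, 4);
      const dataSize = dv.getUint32(p);
      p += 4;
      need(p, dataSize);
      boxes.push({ systemId, keySystem: KEY_SYSTEMS[systemId] || null, kids, data: u8.slice(p, p + dataSize) });
    }
    off = end;
  }
  return boxes;
}

// Choose the first key system the content supports, in our preference order.
function chooseKeySystem(boxes, prefer = ['com.widevine.alpha', 'com.microsoft.playready', 'org.w3.clearkey']) {
  const present = new Set(boxes.map((b) => b.keySystem));
  return prefer.find((ks) => present.has(ks)) || null;
}

// Build a 'pssh' box; used only to construct sample initData so this runs offline.
function buildPssh(systemId, data, kids = []) {
  const version = kids.length ? 1 : 0;
  const out = new Uint8Array(32 + (version ? 4 + 16 * kids.length : 0) + data.length);
  const dv = new DataView(out.buffer);
  dv.setUint32(0, out.length);
  out.set([0x70, 0x73, 0x73, 0x68], 4); // 'pssh'; flags (bytes 9-11) stay zero
  out[8] = version;
  out.set(uuidBytes(systemId), 12);
  let p = 28;
  if (version) { dv.setUint32(p, kids.length); p += 4; for (const k of kids) { out.set(uuidBytes(k), p); p += 16; } }
  dv.setUint32(p, data.length);
  out.set(data, p + 4);
  return out;
}

// Constructed sample: a Widevine v0 box followed by a PlayReady v1 box carrying one KID.
function sampleInitData() {
  const wv = buildPssh('edef8ba9-79d6-4ace-a3c8-27dcd51d21ed', Uint8Array.from([1, 2, 3]));
  const pr = buildPssh('9a04f079-9840-4286-ab92-e65be0885f95', Uint8Array.from([9]), ['00000000-0000-0000-0000-000000000001']);
  const blob = new Uint8Array(wv.length + pr.length);
  blob.set(wv); blob.set(pr, wv.length);
  return blob;
}

// Browser-only half: bind a <video> element to the CDM. Nothing here runs at load time.
const LICENSE_URL = 'https://license.example/acquire'; // assumed licence server
async function attachEme(video) {
  let mediaKeys = null;
  video.addEventListener('encrypted', async (ev) => {
    const keySystem = chooseKeySystem(parsePssh(ev.initData));
    if (!keySystem) throw new Error('no supported key system in initData');
    if (!mediaKeys) {
      const access = await navigator.requestMediaKeySystemAccess(keySystem, [{
        initDataTypes: ['cenc'],
        videoCapabilities: [{ contentType: 'video/mp4; codecs="avc1.42E01E"' }], // assumed codec
      }]);
      mediaKeys = await access.createMediaKeys();
      await video.setMediaKeys(mediaKeys);
    }
    const session = mediaKeys.createSession();
    session.addEventListener('message', async (m) => {
      // Licence request and response are opaque CDM blobs; the page only relays them.
      const res = await fetch(LICENSE_URL, { method: 'POST', body: m.message });
      await session.update(new Uint8Array(await res.arrayBuffer()));
    });
    await session.generateRequest(ev.initDataType, ev.initData);
  });
}
```

Everything the page can inspect is visible here: box parsing, key-system selection and the licence round trip. What it cannot inspect is what happens after `session.update`, which is exactly the black box the rest of the article is about.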

Result: everyone is on the same page, huge collective broader benefits, fewer compatibility issues – you know, the rationale for every standard ever created. The EME idea was officially born in February 2012, and Tim Berners-Lee gave it his blessing in September 2013 (it was "within scope," he decided).

EME exists and is already shipped in many browsers, but it has not yet reached full W3C Recommendation status. Mozilla somewhat grumpily agreed to add EME in May 2015, and just a few months later Microsoft abandoned its own DRM system in favour of the HTML5 standard.

The truth is that even the fiercest critics of DRM watch Netflix on their computers. And most of them would prefer a safer, more secure internet. Anything that moves people away from streaming video through a security disaster like Adobe's Flash to a standard whose API can be openly audited and updated has to be a good thing, even if the decryption module behind that API remains closed.

But then, back in June, a serious flaw was reported in Widevine, and those opposed to DRM seized on it as an example of where the rationale for a Web standard falls down. Without some kind of legal protection for security researchers, they argued, nobody could dig into DRM systems to look for bugs, and so, they claimed, the promised security benefits would evaporate.

The idea was floated, somewhat tongue in cheek, that if the W3C required all members to agree not to sue security researchers who dug into DRM systems, then the standard could proceed.

Of course, what the companies that wish to use DRM saw was them being asked to make it legal for people to hack their systems and circumvent the protections. And so a kind of impasse developed.

Biting the hand that feeds IT © 1998–2022