
An Open Letter to Members of the W3C Advisory Committee - DiabloD3
https://www.eff.org/deeplinks/2016/05/open-letter-members-w3c-advisory-committee
======
gregmac
> We've proposed a simple solution, patterned after the existing W3C patent
> policy. The patent policy doesn't take a position on whether patents are
> good or bad, but it does hold that standards are more open if you don't have
> to license a patent to implement them, so W3C members are required to
> promise not to sue others for practicing their patents when implementing W3C
> recommendations.

> Our proposal does the same thing, except for anti-circumvention rights
> (rather than patents). Members who participate in the Media Extensions
> Working Group will have to make a legally binding promise not to use
> anti-circumvention laws to aggress against security researchers or
> implementers. All other rights and causes of action -- trade secrecy,
> copyright, tortious interference, breach of contract -- are intact.

This sounds like a reasonable compromise. Having a W3C standard that can't
actually be implemented by anyone except those that are explicitly granted a
license is not a standard: it's really just proprietary software, and feels
like going back to the days of Flash, Java and Active-X applets, only worse,
because it's a legal problem instead of a technical one.

I'm definitely against the idea of DRM in any W3C standards without this type
of provision, but I'm not sure if this is enough or not.

~~~
tzs
What in the W3C EME standard cannot be freely implemented? As far as I know,
EME is just a communications standard between the browser and components that
are not part of the browser to allow those components to provide media data
for the browser to display.

EME can be used to communicate with proprietary DRM components, but those DRM
components are not part of the standard, and there is nothing that I've seen
in EME that makes DRM the only thing it can be used for.

For instance, couldn't EME be used to make a system to protect the privacy of
people sharing personal videos? Encrypt the video and upload to a web server
that all the parties sharing have access to. Distribute the decryption keys to
the people intended to share the video. Use EME to interface the browser to a
component that uses that key to decrypt the video on the fly.

From the browser's point of view there is not really any significant
difference between a video that is encrypted for DRM and one that is encrypted
for privacy. In the former case those who encrypted it want to keep the key
secret from the viewer, whereas in the latter case they want to keep the key
secret from third parties. To the browser, these look the same: there is
encrypted video, and the browser needs something to decrypt that and hand it
the decrypted data for it to display.

~~~
the8472
You don't need an EME blackbox to protect privacy.

You simply need client-side decryption for that case, which can be done in a
transparent sandbox with audited open source code.

~~~
alphapapa
But they're never going to agree to that, because then it would be trivial to
dump the decrypted stream to a file. Right?

~~~
DiabloD3
But it is trivial anyhow. DRM doesn't actually work, never has, never will;
and attempting to criminalize it (such as mentioned elsewhere around here)
will only serve to increase piracy, not decrease it.

~~~
alphapapa
Yes yes, I'm on your side here. The point is that if the decryption module
were open-source, it would be _trivial_ to do it, and there would be lots of
implementations of it, while if it were a binary blob, it would significantly
raise the bar. They know this, so they'll never agree to having it be
open-source.

------
morley
I have to say: I like this approach of offering an alternative far better
than a blanket "please don't do this thing because it's bad." Admittedly, I
don't follow the EFF's actions as much as others, so maybe this is more common
than I think, but it seems fresh to me. Their alternative seems like it could
be palatable to a reasonable Media Extensions Working Group member (though I
guess they could claim that the definition of a "security researcher or
implementer" is unreasonably broad).

------
hackuser
The EFF's public communication is much improved recently, IMHO. Even with
strong interest in these issues and with technical expertise, formerly I could
hardly bear to make sense of their postings.

This one still could use a tl;dr summary at the top, but the vast improvement
is heartening - without good public messaging, their mission seemed very
difficult. Now I feel like there's a chance.

------
zer00eyz
Because of this article and the comments here, I went to look at what W3C
membership and donations look like.

[https://www.w3.org/Consortium/fees?countryCode=US&quarter=04...](https://www.w3.org/Consortium/fees?countryCode=US&quarter=04-01&year=2016#results)

Ultimately the w3c is doing something that is in the best interest of its
participants and NOT in the interest of users, or consumers.

In this document (
[http://www.w3.org/Consortium/Process/Process-19991111/backgr...](http://www.w3.org/Consortium/Process/Process-19991111/background.html)
) the w3c claims:

_"W3C is a non-profit organization funded partly by commercial members. Its
activities remain vendor neutral, however."_

Yet I can find no US IRS 990, or foreign equivalent.

Fundamentally this structure doesn't look like a non-profit. It also doesn't
look like it has the best interests of the community (us) as a whole in mind.
IANAL, but I have to wonder if it is possible to challenge the W3C on its
continued use of "non-profit". I also wonder if there is a way to put pressure
on them to allow non-profit organizations free access to these committees
without collecting a fee from them, as it strikes me as an unneeded
burden.

------
Aelinsaar
Fair enough, but shouldn't this letter be to Google and Apple and the other
companies that are really making this happen?

~~~
dannyobrien
The W3C advisory committee is composed of representatives of all the members,
including Google and Apple.

~~~
jack9
There is a chance that DRM is a foregone eventuality. Why is there no competing
standards committee?

~~~
Aelinsaar
Well, if they're competing with Google, and Apple, etc... would they really be
_competing_ or just existing?

------
natch
> Working Group will have to make a legally binding promise not to use
> anti-circumvention laws to aggress against _security researchers_ or
> _implementers_.

(emphasis added above)

OK EFF I love you, but when did you start leaving end users off of your list
of people you want to protect against litigious aggression?

Regular end users want to do fair-use things like pause and download too,
without being sued, right?

------
bearcobra
After reading the discussion yesterday on the Save Firefox post
[[https://news.ycombinator.com/item?id=11678516](https://news.ycombinator.com/item?id=11678516)],
I'm still unclear if EME is a compromise that provides a standard for
proprietary DRM solutions to talk to any browser, or a backdoor that will
allow media companies to remove user control and decide which browsers win. If
it's the former, that feels like a good thing compared to the proprietary
plug-in days of yore.

~~~
TD-Linux
The latter. The standard does not specify the interface through which the DRM
blobs talk to the browser, or even that it's an interface at all as opposed to
a built-in feature of a proprietary browser.

------
hungnv
At first I guessed it'd be great: finally the EFF had found a solution so that
any company can implement its own security layer that's compliant with the new
standard and EME. But it's not. Even if the W3C accepted this open letter and
changed, nothing would change at all.