Hacker News new | past | comments | ask | show | jobs | submit login
An Open Letter to Members of the W3C Advisory Committee (eff.org)
260 points by DiabloD3 on May 12, 2016 | hide | past | web | favorite | 43 comments



> We've proposed a simple solution, patterned after the existing W3C patent policy. The patent policy doesn't take a position on whether patents are good or bad, but it does hold that standards are more open if you don't have to license a patent to implement them, so W3C members are required to promise not to sue others for practicing their patents when implementing W3C recommendations.

> Our proposal does the same thing, except for anti-circumvention rights (rather than patents). Members who participate in the Media Extensions Working Group will have to make a legally binding promise not to use anti-circumvention laws to aggress against security researchers or implementers. All other rights and causes of action -- trade secrecy, copyright, tortious interference, breach of contract -- are intact.

This sounds like a reasonable compromise. Having a W3C standard that can't actually be implemented by anyone except those that are explicitly granted a license is not a standard: it's really just proprietary software, and feels like going back to the days of Flash, Java and Active-X applets, only worse, because it's a legal problem instead of a technical one.

I'm definitely against the idea of DRM in any W3C standards without this type of provision, but I'm not sure if this is enough or not.


The language sounds too slippery to me. Implementors won't be sued, they say, but who decides who is an implementor? What is an implementation and what is an undesirable hack? Who is a security researcher and who is persona non grata?

If I make a time shifting system, to use the article's example, but the standard says the protocol must be played live, am I an implementor of the standard, or a nefarious hacker?

What if I create software which lets people abroad watch content from PBS Nova (currently blocked by geo-IP)?

I might even screw up and implement something usable for "bad things" by accident. Am I then an infringer, if I neither properly implemented the standard nor conducted research on it?


The covenant they're proposing doesn't appear to distinguish between implementors, security researchers, and others. It just forbids, altogether, civil suits for circumventing or stripping copy protection (17 USC 1202-1203).

However, this only protects you from suits over circumvention. You are presumably still eminently liable for your PBS Nova scenario, for instance.


I don't think anyone can (and hope that no one is ever allowed to) legally standardize presentation. Some of the examples cited in the open letter include changes to presentation (and time shifting) to suit end user requests and accessibility needs.

One could also argue that 'fast forwarding' is a form of selective time-shifting for personal use. The analog equivalent to this would be getting up to use the restroom or make a snack during an over the air television broadcast; or even switching to another channel during that set of ads.


"Members who participate in the Media Extensions Working Group will have to make a legally binding promise not to use anti-circumvention laws to aggress against security researchers or implementers."

Note that this promise only refers to 17 USC 1203, which deals with civil offenses, i.e. a lawsuit.

Circumventing access controls is also a criminal offense under 17 USC 1204 (if done "willfully and for purposes of commercial advantage or private financial gain") and it's not possible for a company to waive the government's ability to prosecute that crime.


Does anyone else think that the purported victim of a crime should always have the right to waive it? If the victim is society, then no, but if something's a crime because it harms an identifiable party and that party doesn't want them to be prosecuted, is there any good reason for the law to prosecute them anyway?


I don't. Whether it's relevant to computers or patent law I don't know, but there are certain areas where it's seen as important that the victim is denied the right to absolve the perpetrator. For example, this comes up a lot in domestic abuse cases.

(not to say that these kind of domestic abuse policies don't have their own controversy... but nonetheless the situation isn't a cut-and-dry obviously-this-is-better type of thing)


In general, one concern is that criminal suspects might threaten victims with violence to get them to withdraw their support for a prosecution. The legal system also uses this concern to justify legally-compelled testimony.


Agreed. However, isn't it possible that there are some crimes where this isn't really an issue, such as circumventing DRM?


It's hard for me to put myself in the shoes of someone who thinks this law is a good idea in the first place -- I've been protesting against the idea of legal restrictions on DRM circumvention since 1999 and I think ยง1201 was and is a huge mistake.

I guess you could imagine having a set of criminal offenses where coercion of victims appears especially unlikely, but I'm not sure of how to identify or define those.



This opens the victim up to intimidation by the perpetrator. Which might also be illegal (for example threatening to hire someone to assault your family members if you don't let the person go), but then that can be waived as well. It allows large criminal organizations to rule through fear.

But in some situations it does seem to be what one would want (for example the under age people arrested for sexting pictures of themselves). However, if we could rely on common sense in these situations, the people would never be arrested in the first place.


You can make second order crimes unwaivable.

Re common sense: if it was in the law, prosecutors wouldn't matter.


I think it depends on the crime.

My main issue is that it leaves open an opportunity to intimidate the victim into waiving the prosecution. Sometimes it is helpful to look at extremes to highlight the point: if a young child was abused by a patent, then was influenced by the parent who didn't abuse them this would be unjust.

In a more everyday case, if a woman is beaten by her partner and it is witnessed, I feel that person should be prosecuted regardless of the feelings of the victim - domestic violence, in my view, is often perpetuated because a spouse or partner will not speak up - normally because they are psychologically dependent on their abuser.

These are obviously crimes of violence. If a crime is committed against a corporation, on the other hand then I think that they should be allowed to waive the prosecution.


You can require the victim to be of age. I don't have a good idea on how to deal with the second example, but perhaps you could issue restraining orders if a judge thinks it's warranted, regardless of waivers, and if that's violated the person goes to jail for the original crime, regardless of waivers? Then judges could still protect people.


How do you get the person before the judge?


They get arrested when police catch them, same as now.


Yup, that's a decent solution. If only we ran things, eh?


What in the W3C EME standard cannot be freely implemented? As far as I know, EME is just a communications standard between the browser and components that are not part of the browser to allow those components to provide media data for the browser to display.

EME can be used to communicate with proprietary DRM components, but those DRM components are not part of the standard, and there is nothing that I've seen in EME that makes DRM the only thing it can be used for.

For instance, couldn't EME be used to make a system to protect the privacy of people sharing personal videos? Encrypt the video and upload to a web server that all the parties sharing have access to. Distribute the decryption keys to the people intended to share the video. Use EME to interface the browser to a component that uses that key to decrypt the video on the fly.

From the browser's point of view there is not really any significant difference between a video that is encrypted for DRM and one that is encrypted for privacy. In the former case those who encrypted it want to keep the key secret from the viewer, whereas in the latter case they want to keep the key secret from third parties. To the browser, these look the same: there is encrypted video, and the browser needs something to decrypt that and hand it the decrypted data for it to display.


> What in the W3C EME standard cannot be freely implemented? As far as I know, EME is just a communications standard between the browser and components that are not part of the browser to allow those components to provide media data for the browser to display.

That, sadly, isn't the case. (It would be much better if it were!) All the existing EME modules are embedded as part of the browser, and there definitely isn't any standardised API to communicate with a module external to the browser.

All EME defines is an API on HTMLMediaElement to communicate with this abstract module, which yes, would allow the case of hiding the key from third parties to be addressed.


> All the existing EME modules are embedded as part of the browser

The CDMs used by Firefox, Chrome and Opera on Windows and Mac are distinct downloadables although the browsers handle the download automatically.

The CDMs used by Chrome for Android, Edge and Safari are bundled with the underlying platform and aren't embedded in the browser (though these browsers are bundled with their platform).


> From the browser's point of view there is not really any significant difference between a video that is encrypted for DRM and one that is encrypted for privacy. In the former case those who encrypted it want to keep the key secret from the viewer, whereas in the latter case they want to keep the key secret from third parties. To the browser, these look the same: there is encrypted video, and the browser needs something to decrypt that and hand it the decrypted data for it to display.

If you hiding the key from person who is intended recipient you are implementing a DRM, not solution that provides privacy.

The problem that you are mentioning is already solved, and you don't need to hide key from the viewer. It happens as follows:

- content is encrypted using randomly generated symmetric key

- the key is then encrypted using asymmetric public keys of recipients

The recipient has all information necessary to decrypt the information. If your goal is to hide from the recipient the one time key that is only used for the content that the recipient supposed to be able to view, then you're implementing DRM.


> For instance, couldn't EME be used to make a system to protect the privacy of people sharing personal videos

Not really. If you want to use the Clear Key key system for privacy, you need to deliver the key over https. (Plain http plus Web Crypto doesn't work against an active adversary.)

To get the key over https, the hosting page needs to be https. Then, due to cross-scheme CORS being prohibited, you also have to fetch the media (MSE segments) over https.

Since https already provides privacy, Clear Key EME doesn't add privacy value beyond protecting against untrusted CDN staff. But if you deliver some JPEGs over the same CDN, you have to trust the CDN staff anyway.

Don't try to post hoc rationalize DRM-motivated constructs as privacy measures.


You don't need an EME blackbox to protect privacy.

You simply need client-side decryption for that case, which can be done in a transparent sandbox with audited open source code.


That's already part of the EME standard, implemented in the browser (so as open source as the browser is).

https://w3c.github.io/encrypted-media/#clear-key


But they're never going to agree to that, because then it would be trivial to dump the decrypted stream to a file. Right?


But it is trivial anyhow. DRM doesn't actually work, never has, never will; and attempting to criminalize it (such as mentioned elsewhere around here) will only serve to increase piracy, not decrease it.


Yes yes, I'm on your side here. The point is that if the decryption module were open-source, it would be trivial to do it, and there would be lots of implementations of it, while if it were a binary blob, it would significantly raise the bar. They know this, so they'll never agree to having it be open-source.


If we're talking about privacy (protecting the user from "the cloud") and not copy-protection (protecting our media overlords from the user) then I don't see the problem.


Eh, those media companies will simply leave the WG. The most notable one there is Netflix, and if their choice is being in the WG or having content, they'll choose the latter.


I have to say: I like this approach of offering an alternative far better thank a blanket "please don't do this thing because it's bad." Admittedly, I don't follow the EFF's actions as much as others, so maybe this is more common than I think, but it seems fresh to me. Their alternative seems like it could be palatable to a reasonable Media Extensions Working Group member (though I guess they could claim that the definition of a "security researcher or implementer" is unreasonably broad).


The EFF's public communication is much improved recently, IMHO. Even with strong interest in these issues and with technical expertise, formerly I could hardly bear to make sense of their postings.

This one still could use a tl;dr summary at the top, but the vast improvement is heartening - without good public messaging, their mission seemed very difficult. Now I feel like there's a chance.


Because of this article and comments here, I went to look at what w3c membership, and donations look like.

https://www.w3.org/Consortium/fees?countryCode=US&quarter=04...

Ultimately the w3c is doing something that is in the best interest of its participants and NOT in the interest of users, or consumers.

In this document ( http://www.w3.org/Consortium/Process/Process-19991111/backgr... ) the w3c claims:

"W3C is a non-profit organization funded partly by commercial members. Its activities remain vendor neutral, however."

Yet I can find no US IRS 990, or foreign equivalent.

Fundamentally this structure doesn't look like a non profit. It also doesn't look like it has the best interests of the community (us) as a whole in mind. IANAL but I have to wonder if it is possible to challenge the w3c on its continued use of "non-profit". I also wonder if there is a way to put pressure on them to allow non profit orgianzations free access to these committees outside of collecting a fee from them, as it strikes me as an un-needed burden.


Fair enough, but shouldn't this letter be to Google and Apple and the other companies that are really making this happen?


The W3C advisory committee is composed of representatives of all the members, including Google and Apple.


There is a chance that DRM is a forgone eventuality. Why is there no competing standards committee?


Well, if they're competing with Google, and Apple, etc... would they really be competing or just existing?


Seconded. These big companies along with the likes of Hollywood are the ones pushing w3c.


Yep. It's worth keeping the w3c in mind, but they're not the source of the pressure, just subject to it at overwhelming levels.


> Working Group will have to make a legally binding promise not to use anti-circumvention laws to aggress against security researchers or implementers.

(emphasis added above)

OK EFF I love you, but when did you start leaving end users off of your list of people you want to protect against litigious aggression?

Regular end users want to do fair-use things like pause and download too, without being sued, right?


After reading the discussion yesterday on the Save Firefox post [https://news.ycombinator.com/item?id=11678516], I'm still unclear if EME is a compromise that provides a standard for proprietary DRM solutions to talk to any browser, or a backdoor that will allow media companies to remove user control and decide which browsers win. If it's the former, that feels like a good thing compared to the proprietary plug-in days of yore.


The latter. The standard does not specify the interface that the DRM blobs talk to the browser, or even that it's an interface at all as opposed to a built in feature of a proprietary browser.


at first I guess it'd be great, finally eff found a solution that any companies can implement their own security layer that's compliant with new standard and EME, but it's not. Even if W3C accepted this open letter and changed, there would be nothing changed at all.




Applications are open for YC Summer 2019

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact

Search: