W3C Refuses to Protect Security Researchers Studying DRM Web Extension

Exterminator

Ian Hickson, spokesperson for WHATWG (Web Hypertext Application Technology Working Group), the standards group in charge of HTML, which provides the actual specification for approval to the W3C, is lambasting the latter for its lack of attitude in the DRM dispute.

DRM ("Digital Rights Management" or "Digital Restrictions Management") is one of the extensions that are part of the EME (Encrypted Media Extensions) specification. EME is currently a draft at the W3C (World Wide Web Consortium), the organization that will decide whether to approve it as an official specification for browser vendors to implement.

The DRM is essentially a module that will allow copyright owners to enforce their rights inside the user's browsers the way they want and see fit, blocking access to multimedia content, or requiring payment to access files, regardless of whether they're downloaded from an official or pirated source.

DRM is a step backwards for the Web
Browser makers and the W3C have been incredibly supportive of this module, even if there have been many that have criticized it. Among them is the EFF (Electronic Frontier Foundation), which has dedicated an entire series of blog posts to describing the EME DRM module as the devil's spawn.

Hickson, a Google engineer and the WHATWG main spokesperson, is not a fan of the DRM either, dedicating a Google+ post to it in which he writes: "DRM's purpose is to give content providers control over software and hardware providers."
He and many others have pointed out that the DRM module is technically flawed and contains many technical implementation issues that are very hard to resolve.

Of course, the copyright protection groups behind the DRM module don't seem to care, since the module is nothing short of legal leverage, which they'll have in case the DRM module gets approved inside EME.

While the way copyright groups will use the DRM module as leverage against browser makers and hardware vendors is another topic for another day, there is also another category of people impacted by the DRM, and those are security researchers.

Security researchers exposed to legal harassment
The poor fellows trying to secure browsers against attacks via the technically flawed DRM module are legally exposed to being sued by large Hollywood studios and music labels.

This is because the DRM falls under the protection of the DMCA law, which states, under clauses 17 U.S.C. § 1201 and 1203: "No person shall circumvent a technological measure that effectively controls access to a work protected under this title", and "Any person injured by a violation of section 1201 or 1202 may bring a civil action in an appropriate United States district court for such violation".

These clauses give copyright owners the right to sue a security engineer testing the DRM for implementation flaws in browsers. If one of them finds a security hole that might expose the copyrighted content to easy pirating AND users to web-based attacks, he can't disclose the issue publicly without permission from all the affected copyright groups. Otherwise, he risks getting sued.

It's safe to say that copyright owners will never allow a security researcher to disclose an urgent security issue if they risk exposing their "precious" content.

WHATWG aligns with EFF against W3C and copyright groups
Hickson says that the W3C has the legal leverage to force copyright owners to sign an agreement not to sue security researchers. But, they are not using this power. The EFF submitted such a proposal in the past.

"The W3C is refusing to require this," Hickson writes. "We call on the W3C to change their mind on this. The security of the Web technology stack is critical to the health of the Web as a whole."

The W3C has never explained its weird stance on DRM before. Hickson also has a theory. "It is clear that the W3C allowing DRM technologies to be developed at the W3C is just a naked ploy for the W3C to get more (paying) member companies to join."

This stance from W3C has driven the Free Culture Foundation to write a very critical blog post against the web standards body in 2013, calling "W3C’s plan for DRM in HTML5 [...] a betrayal to all Web users."
 
