Why the W3C Should Reject EME

If you haven't heard of it, EME, or Encrypted Media Extensions, could be a part of the W3C specification that would allow a website to control a visitors web browser. The goal would be to restrict access to content, this ranges from restricting the user's ability to record the file to their computer's memory to disabling functions such as "pause" from the browser's media player. The main goal being to satisfy media corporation's requirements to technically restrict usage of their content.

In short, it's a mechanism to allow DRM (Digital Restriction Management) to operate within standard HTML, I believe this should have no place within the works of the W3C standard. Indeed it seems to be incompatible with their own principles.

The Goals of EME

The goals of EME are to provide a standardised mechanism for a website to control the way a user views/hears/reads content.

This brings nothing constructive or beneficial to the users of the web nor to most websites. I speculate that EME only supports the interests of companies who wish to restrict their users as the technology may not be usable without a budget.

A clarification is needed, EME is in the spec, CDM (Content Decryption Module) is not. EME shouldn't require non-free software, however EME is useless without a CDM. The CDM contains the decryption key and software designed to control the user's browser, there will never be an implementation of EME without a CDM.

Although a CDM may technically be open source, such a CDM will never be used in production, it would be broken from the start. Its only purpose would be for testing.

EME is the loophole that makes CDM a standard without it being one.

In short, EME is only useful with a CDM, the CDM is only useful if it contains non-free compiled code that can control the user. So if EME becomes a standard, so does the use of CDMs.

The notion of "Premium" content

The use of the term "premium" as justification for Digital Restrictions is highly cringeworthy.

The real value of any content is relative and subjective, especially for entertainment. We should refuse any W3C standard that suggests different classes of content and that first class content makes DRM reasonable enough to include it in the spec for the open web. If DRM should be supported by the W3C it should be supported for all content, not only those of the media giants. A first step would be to no longer use the term "premium" to distinguish a superior class of content.

The Absence of DRM is Bad for the Internet

People actually say this. Without DRM the Internet would suffer the loss of services such as Netflix and that would be a fatal blow to the web and people will stop using computers and turn to Paganism.

Netflix, Microsoft, Google and other EME proponents need EME/DRM in the W3C spec because they cannot rely on non-standardised solutions such as Flash and Silverlight to deliver restricted content to all web browsers. EME would help insure that every browser can be their customer.

If they can't have it, they will figure out another solution. Either way, they have no plans of leaving the web and if they did it would be their loss. In reality they are asking the W3C to reduce their costs and make sure their businesses can reach all their customers.

Imagine If EME/CDM (DRM) existed back in the olden days of the web (when people tried to disable right clicking), what would the Internet be like today ?

Trust goes Both Ways

These restrictions mainly interest companies that distribute content to authenticated and paying users over an encrypted connection (HTTPS). This means that the only reason they would require DRM is that they do not trust their legitimate customers.

Why should users trust companies with control over their browser as a condition for a service ? There are many reasons not to, here's just a few:

Media companies, and any other company, should never be granted control over their client's computer. EME in HTML means the W3 thinks otherwise.

All Your Base are Belong to Comodo

A browser that implements the W3C specifications may include a set of CDMs, a bit like with Root Authority certificates. The big difference in this comparison is that the CDMs contain non-free code that may control the user's browser.

The user does not know of these 3rd parties. If things go along as with certificates this will render every user of the "standard set of CDMs" vulnerable to compromised and/or malicious (or submissive) CDMs. Even though CDMs are not part of the W3 spec they would appear to the average user as having the blessing of the W3 as the spec would have reserved a spot for them.

Having EME in the spec encourages users to trust CDM vendors to install their explicitly "non-free and designed to control" software, this can and should be considered a real security flaw. Anyone who compares this with Flash or Silverlight is completely missing the point, they don't have the W3C approval and they aren't part of the open web standards.

I suspect this will also encourage certain Free Software / Open Source browsers to distribute their software bundled with non-free code (CDMs) which brings me to the next point.

Accessibility

While EME could be implemented on an open source browser, making any use of it would require non-free software via CDMs (plugins/addons). EME in reality would not offer any functionality on Free Software / Open Source platforms, this part of the spec is not accessible to certain users. Perhaps some Free browsers might even omit support for EME rendering their browsers "not fully compliant".

I also wonder about issues with mainstream Free Software, like Firefox for example. The Firefox download page tries to make things insanely simple for its users, you can't even find a link to the source code, let alone the 64bit version. What do you think their download link would be if EME becomes a standard ? They would have to make a tough choice, either let their users download CDM packs separately or bundle Firefox with the CDMs, in both cases they would lose a few users.

In that sense, EME in the W3C spec promotes the end of the fully open source web browser. Either that or it promotes Schism 2.0.

Another question I have is Who will be able to use a CDM ?. This remains a bit blurry for now, however I think for it to be a W3C standard is must be something that is technically possible to implement without requiring a 3rd party. If a 3rd is mandatory then it would exclude some from using EME, either because they haven't the monetary budget or because they are denied service by available vendors. Also, publishing content using EME should be possible without the use of non-free software.

From W3C » Standards » Browsers and Authoring Tools: We should be able to publish regardless of the software we use

DRM is Broken

As a person who has been around long enough to see attempts to implement DRM constantly break, I don't believe that this time it will work. If private entities wish to pursue their endless quest for user restriction they should probably do so outside the scope of "open standards".

The counter argument is that EME/CDM is not going to be 100% effective but will be difficult and/or inconvenient to bypass for most users. So we all agree it's already broken, we will have to wait to see how much of an inconvenience it really is.

That said, why should the W3C work on something defective by design ?

Trojan Horse 2.0

The EME spec was initiated by Google, Microsoft and Netflix and they are very present to defend DRM on the W3's various mailing lists, including the one created to discuss the legitimacy of the EME/CDM, Restricted Media. Many of the arguments for DRM have little to do with good reasons to include it in the W3C specs, it's mostly about Hollywood requirements for their "premium" content, and replacing Flash with something harder to get rid of.

I don't oppose companies developing and promoting an open standard that serves their private purposes, I just don't think it's in the interests of the open, accessible and shareable web and hence has no place within the W3C. By progressing the status of EME the W3C appears to be supporting corporate requests even though they contradict the W3's goals, they are, excluding Free Software from the W3's web and putting the content producer in control of the user. Well, at least the content producers that can afford to use a CDM.

Not to mention the potential trojan horse that could/would be the CDMs. EME could really re-define what "The Open Web" means.

Something to Sign

If for any reason you agree that DRM technologies should not be actively supported by the W3C then please do sign this petition.

Further Reading

Here are a few links from others with other views (pro or con):