Human rights coalition from the global south to W3C: don't put DRM in web standards!

Originally published at:

1 Like

I still feel confused every time this comes up. Here is my understanding of the issue:

The W3C sets standards for the web, but if you are using the web through a commercial product (like a browser you didn’t write yourself) it’s up to the creator of that product to implement those standards. display-inline is a standard option for the display attribute in css but if I use an older browser I might need to implement with float and clear, or maybe none of that is supported at all. So creating a standard is creating an accepted set of ways that browsers will communicate with web pages about how EMEs work, not creating the DRM itself. This is more like standard set of commands to talk to DRM systems so that all the web browsers know how to implement things if they want their browsers to be compatible with websites with protected content.

Right now if I watch a video online it is likely through Flash or Silverlight, plugins that I run in my browser. These plugins are doing the same work that the EMEs are going to do, but in a way that is totally controlled by a third party. If I don’t want DRM I can disable these plugins, but the result of that is I can’t watch Netflix or Youtube (and many other things). If EMEs take the place of these, then not implementing them would mean the same - no Netflix, Youtube, etc. If EMEs are not put in as a standard then we’ll continue to work with the plugin solution which means having and extra party to be beholden to.

The DMCA is a shit law but it’s also an American law. It’s absurd that the act of circumventing DRM is itself illegal, but it’s only illegal in countries that have made it illegal. Putting EMEs in the W3C doesn’t make the DMCA apply in India. But similarly, if the W3C takes a stand against DRM that won’t have any impact on the DMCA’s application in America or in the delivery of content protected by DRM through plugins.

I get that people are fighting this and I feel like there is a subtlety to the whole thing I’m missing. I’ve read the statement about it from the W3C. I’ve communicated with Mozilla about their decision to include this functionality in Firefox if it becomes a standard. I feel like this is a step in the right direction - including a standard for something that the majority if web users want but that is currently only accessibly through plugins.

Most users are at the mercy of browsers and at the mercy of the companies that supply content through browsers. Most users of how risky something like Flash is. Is this change going to make those things better, worse, or no change? My impression at this point is that it won’t change the extent to which users are at the mercy of content providers but that it will reduce user risk from plugins.

1 Like

This is the way I see it as well.

To put it more succinctly, DRM is a fact of life for premium web content. Would you rather have it standardized or stick with the status quo of what we have today (completely proprietary, non-interoperable, and unportable)?

If the W3C does nothing here, it’s not like existing web-based DRM goes away.

The DMCA’s provisions are mirrored in the legal systems of every industrialized nation except Israel. In the EU, they’re part of the EUCD (Article 6); in Canada, Bill C-11; in Australia it’s part of the country’s bilateral Free Trade Agreement with the US; it is part of the Central American Free Trade Agreement and the bilaterals with the Andean nations; in New Zealand, bill 92A.

To be clear, the W3C is not being asked to choose between “standardizing DRM” and “not standardizing DRM.” The current vote is really a choice between “standardizing DRM without shielding the open web from laws like the DMCA” and “making DRM, but simultaneously extending the existing W3C policy framework to include the new laws in play that come with DRM standardization.”

The W3C already makes its members surrender their patent rights as a condition of participation. Danny Weitzner, who created that policy at the W3C, has endorsed EFF’s proposal to extend it to cover the rights members will get under the DMCA (and global lookalikes) once the W3C starts standardizing DRM.

To put it more succinctly, DRM is a fact of life for premium web content.

I think a lot of people would have said this about music, but over the past decade, DRM for music has disappeared, even in streaming services. It’s also gone away for library audiobooks – a pure “rental” model!

Without the old APIs that HTML5 gets rid of, implementing DRM was transcendentally hard: every browser and every streaming service needed to set up explicit deals to make them work. That level of complexity might well have sent video DRM to the same trashheap of history that music DRM ended up on.

Would you rather have it standardized or stick with the status quo of what we have today (completely proprietary, non-interoperable, and unportable)?

Let’s stipulate that DRM is inevitable: it still doesn’t follow that the W3C can or should make it better.

As a counterexample, consider “lawful interception” tools, the cyberweapons that police forces use to break into the browsers of their suspects to spy on them. These are a thing in the world that isn’t going away soon, and they’re a mess: dangerous, sloppy, and prone to abuse. A W3C standardization of back-doors in browsers might indeed make them “better.”

But the W3C won’t standardise lawful interception tools (I hope!) because these are antithetical to the goal of making an open web that empowers its users, rather than controlling them.

The W3C doesn’t solve everyone’s web-related problems, nor should it. It isn’t standardizing ads that can defeat ad-blockers, or cookies that can’t be rejected, or many other difficult-to-perfect tools that address real business needs of many web stakeholders, because the W3C explicitly rejects solving problems that make the web more closed.

The argument that users benefit when bad things work well can be applied to literally any technology, no matter how user-hostile. The W3C needs to explain why standardised DRM is good for the open web, beyond being notionally better than proprietary DRM.


[citation needed]

Purchased media, sure. But, streaming media? Apple Music, Spotify, and Groove wrap all their streamed media in DRM.

(ETA and thank you for taking the time to reply!)

1 Like

You’re right, but many (notably Youtube, arguably the most successful streaming music service on the web) do not – and as mentioned, neither do library audiobook loans, which are $20-80 products that the user is explicitly not allowed to save. So I think the conclusion we can draw is that DRM occurs sometimes, and not others, and is not inevitable.

But back to the main point, the W3C isn’t being asked to walk away from making DRM; it’s being asked to bring its membership policies into line with the new risks that arise from doing so.


Okay, this part of it makes sense to me. I still think this would have limited effect - the law would still be the law, and if circumventing DRM is against the law then that doesn’t require the rights holder of the content protected by DRM to be involved. You could say, “I’ll never use the DMCA” but people could still be punished under the DMCA for illegal use of your product.

This has me sold.

1 Like

I think there’s a chance the covenant could miss some bad actors at the margin, which could be fixed by locating it in the W3C’s patent pool, not in its membership agreement (so everyone who implemented a web-browser or any other W3C standard would have to agree to DRM non-aggression as a license condition).

But the W3C’s patent policy presents an instructive parallel, in that the vast majority of patent aggression comes from trolls, who are not W3C members and not subject to the W3C’s membership agreement.

Nevertheless, the W3C’s patent policy is an unalloyed good – though it doesn’t protect everyone from patent liability, it certainly changes represents a large risk-mitigation.

The W3C’s membership presently includes the major studios, all the major DRM vendors, all the major browser vendors, etc – this really does capture most of the potential DRM aggressors.

This has me sold.

Thank you!

1 Like

This topic was automatically closed after 5 days. New replies are no longer allowed.