The World Wide Web Consortium wants to give companies a veto over warnings about browser defects


Originally published at:


So suppose Behemoth Software aggressively sues and even presses criminal charges against anybody who criticizes their products. And suppose Garage Software thanks those same researchers for their partnership. Eventually, won’t Behemoth’s browser be wide-open to every hacker? And won’t the public find out, and shun their products?

That said, I do business with 2-3 companies whose websites won’t work with any browser except Internet Explorer. Maybe when they get hacked… no, they’ll just demand tougher penalties as it happens again and again. I will never understand.


So who do we yell at at the W3C? Are there any internal divisions that can be exploited, or people who are more sympathetic to anti-DRM mandates?


don’t worry, this is “fake news” using “alternative facts”.

The w3C never standardized DRM, only the discovery hooks, which don’t contain any of the drm itself, zero zip, zilch, nada. It is a FACT that this new standard contains zero DRM and exposes zero additional risk to security researchers. the drm decryption blobs are just as proprietary and third party as they always have been. the reason they did this was to protect browser users and make implementing and interfacing with these types of technologies easier for small parties.

A certain group, who is hardline anti-drm, doesn’t want to see these improvements to the usability aspect of drm because the usability flaws in drm are one of their main talking points on drm being anti-consumer, so they are actively lying about this change including drm (it doesn’t), exposing security researchers to additional risk (it doesn’t), and neglecting to mention that this standard has already been baked into browsers for some time before it was standardized, aka, nothing even changed, pure FUD. This same dishonest group has been trying to pressure the w3C to add a pact to their charter, which is unprecedented, inappropriate, and would fragment the standard. They want members of the standard to make a blanket pact against suing people exposing flaws in their software, whether white hat responsibly exposing them, or maliciously selling them. The w3C and all its members have pointed out how inappropriate adding this to a standardization charter is, it isn’t the place to do any such political maneuver.

The w3C has been listening though, so they are creating a voluntary guide for their members about security research, and the best practices for interacting with security researchers, like not suing white hat researchers who practice responsible discourse, etc. This is a positive direct response to the previously mentioned group. How does that group respond? They go even more batshit crazy and claim that this is a guide about how to sue security researchers (it is not), rather than a guide about best industry practices when interacting with security researchers. Again they are dishonestly spinning a positive thing as negative for political purposes.

I used to support the organization in mention, but i’ve stopped after their dishonest attacks on the w3c. lying to your supporters, being dishonest, working against positive change…i can’t get behind those things even to support a political agenda (getting rid of drm) that i usually support. they are hurting the cause.


Thank you.


So all the security issues have resulted in the public eschewing flash and windows?


I regret that I can only like your comment once. With his smear campaign against the W3C, Doctorow has successfully ensured that I will never donate to the EFF and that I will always be wary about supporting causes that the EFF supports.


Exactl… wait, what?


I dunno, bro…the EFF does lots of great work, and will probably continue to do so.


Yes. And at this point, all that good work is tainted in my mind with this stupid anti-drm on the web crusade. It forces me to ask, “is this one of the good things they do, or is this more of their holy war against all things DRM?”

I can no longer trust them to always be on a side I can support. So anything they support, I have to ask myself, is this really a good thing? And anything they oppose, I have to ask myself, are they on the right side here?

It’s like if Goodwill took a break from helping the poor to campaign against meat eating. Or if the NAACP sometimes took a detour into being against vaccinations.


EME is, in the view of EFF attorneys (who have done more 1201 litigation and amicus work than any other group of attorneys in the country), likely to give rise to 1201 threats.

This view is endorsed by Wendy Seltzer, a well-known cyberlawyer, who is also head of strategy for the W3C:

Furthermore, there are 1201-like regimes in virtually every industrial nation (the sole exception being Israel). Each one has its own contours and coverage, and there is literally no legal authority who can say, comprehensively, that EME will not give rise to liability under one of these 1201-alike anticircumvention regimes.

More evidence that EME gives rise to 1201 liability can be found in the W3C process itself: first, the W3C has announced a new work product to determine when its members should invoke 1201 over EME research (if the W3C does not believe that EME gives rise to 1201 liability, there would be no basis for this work); and second, the extreme aversion by W3C members to adopting a 1201 nonaggression covenant over EME suggests that they, too, believe that EME confers a right of action under 1201 (otherwise, there would be no cost to adopting such a covenant).

EFF has fought the DMCA since 1997, when it was a twinkle in Barney Frank and Jack Valenti’s eye: if you think that fighting DRM and anti-circumvention law is a detour in EFF policy, you haven’t been paying attention.


I’m perfectly familiar with the eff’s stance, and history of fighting drm, they are leading the charge in the war against drm.

I read that last time you posted it, problem is the reasons they give for it being likely to increase lawsuits against security researchers are all false. eme contains zero drm. eme maintains the exact same binary third party separation drm has had since its inception on the web.

all the w3c was doing was standardizing eme, how does standardizing something that already exists change risk? it doesn’t.

eme was first implemented in 2013 and already in every major browser for well over a year yet we saw zero uptick in threats against security researchers. it has been a full year, did no one get the memo? apparently not.

i’m not for drm or ip and against both on principle, i’m fine with the eff fighting drm. i’m not cool with the eff fighting eme in an underhanded way with easily falsifiable reasons and alternative facts. eme is a huge positive step forward.


Or we could just go back to flash, silverlight, and whatever other nightmare plug-in the vendor decides to code up cause that just worked wonderful before. /s


We don’t know what kinds of threats researchers received in private; we do know, however, that there was a showstopper bug in Google’s EME implementation that sat unreported for six years, and was only made public after an Israeli researcher reported it (Israel, again, is the only country without a 1201-like regime):

That illustrates that threats are not the only risk: chilling effects matter too. In this docket at the US Copyright Office, security researchers from the academy and industry document the extensive chilling effects of 1201 on research and reporting:

There has been extensive use of EME in the major browsers prior to standardization, but that doesn’t mean that standardization confers no benefit upon EME; quite the contrary, there has been enormous investment in standardizing EME because the fragmented implementations made DRM not viable for the web. There is W3C member confidentiality binding me here, but I think it would stretch to saying that there was evidence of enormous capital commitments by the primary beneficiaries of DRM for the web.

I have participated in multiple multi-stakeholder video DRM standardization efforts (XRML/OASIS; CPCM/DVB; Broadcast Flag/BPDG; ARDG/CPTWG) and standards bodies are absolutely critical to making multi-vendor DRM work. For one thing, standards bodies substantially mitigate the antitrust liability otherwise looming in such negotiations – there are large parts of the standardization process that would be literally illegal if the W3C was not convening EME standardization through the Media Extensions WG.

The idea that the W3C is a kind of nice-to-have bow being tied around EME’s fait accompli is wrong as a matter of demonstrable fact and theory. The extensive commits and public bug-wrangling/use-case development on the ME-WG list are evidence of the former; the legal issues that W3C governance sweeps away demonstrate the latter.

Furthermore, the W3C itself is acknowledging that they are creating a new right to silence security researchers out of thin air, and, rather than eliminating this as a bug in the interaction between standardization and law, they are treating it as a feature and convening a new discussion to determine the best practices for wielding this weapon.

So, to sum up: the entities that believe that the W3C is creating a new legal risk for security researchers (not to mention accessibility workers and innovative new market-entrants) include:

  • The W3C itself
  • The W3C’s head of strategy
  • The lawyers who’ve been involved with more DMCA 1201 cases than any other lawyers in the country
  • Hundreds of security researchers
  • A collection of principal investigators from the computer science department at MIT, the W3C’s host institution
  • The Open Source Initiative, which amended its definition of “open standard” to exclude EME on the basis that it doesn’t include a 1201 nonaggression covenant


Or abandon DRM, as was the case with music.


That would be my choice but to beat up W3C for making a common API that all providers need to use for whatever encryption/drm they want to use on their end does not strike me as evil.
People want their HBO GO/NETFLIX/HULU and those are the companies you need to beat up on.


so this huge increase in legal risks has all been carried out via private threats outside of the courts, what’s more amazing is that none of this has trickled out to the courts or press. or maybe there was no change. hmmm.

so, how many flaws were disclosed and undisclosed in flash in that time period? yeah eme is bad, let’s go back. undisclosed bugs are pretty normal. some researchers responsibly disclose, some sell black market, some sell grey market government. this is normal. some threats are disclosed, some aren’t. this is normal. and a GOOD reason to NOT have a blanket security researcher immunity pact.

drm has been on the web for a while, thinking that if you block a positive standard that enables all our modern media consumption, it will stop drm is crazy. attacking the standard body for being the only group trying to make everything work together in a realistic way is also crazy and hurts all the users. but of course the eff has shown they don’t really care about the users, just making a stink about drm.

no they don’t. they don’t say that, and the only thing that would create that is a law, not a voluntary guide. the new guide is actually in direct response to the eff and all about, responsibly with the security industry and protecting legitimate security research. but of course the eff has shown they don’t really care about the security researchers, just making a stink about drm.

which explains why so much underhanded attack on the standards body.

standards bodies are also the things that make standards, you know, the thing that makes everything work together and all our lives better and keeps us safer.

um, no. you can’t just make up a list, especially when some of them have made public statements in contrary.


or maybe there was no change. hmmm.

There is a significant change, which can be tracked, by examining the docket on the Copyright Office’s 1201 triennial hearings.

so, how many flaws were disclosed and undisclosed in flash in that time period?

It’s far from certain that untenable Flash would have persisted in the face of intractable problems replacing it with a semi-standardized alternative. In any event, Mozilla’s EME implementation includes Adobe’s DRM – basically, replacing Flash video with…Flash video.

the only thing that would create that is a law, not a voluntary guide.

No, the thing that creates this is standardizing – for the first time in W3C history – a technology that is covered under section 1201 of the DMCA.

The W3C didn’t create software patent law, but they recognized that if they allowed patent assertion by their members over standardized subject-matter, they would be publishing web standards that created new liability for implementers, so they took immediate steps to limit that liability.

Incidentally, another one of the people who endorses a 1201 nonaggression covenant is former W3C staffer and MIT CSAIL Principal Investigator Danny Weitzner, who was the architect of the patent policy.

new guide is actually in direct response to the eff and all about, responsibly with the security industry and protecting legitimate security research

The new guide is an acknowledgement that the W3C has created a new right to sue security researchers for disclosing true facts about defects in its members’ products, where no such right existed before.

EFF is entirely in support of guidelines for how companies can offer enticements and assurances to security researchers: the W3C guidelines spell out when these companies can threaten to bankrupt those researchers for declining to take them up on the offer.

If you think that supporting researchers getting to choose when and how they disclose is evidence of “not really caring” about security researchers, while creating guidelines specifying when those researchers should be threatened with millions in legal damages is “protecting legitimate security research,” you are operating under some very strange assumptions.

which explains why so much underhanded attack on the standards body.

Literally everything we’ve done, we’ve done in public. I don’t know what you mean by “underhanded.”

“um, no. you can’t just make up a list, especially when some of them have made public statements in contrary.”

Which ones?


Except for not being even slightly like those things at all.


There has been an increase in cases against security researchers due to eme? oh wait, nope.

no, but something would have, that is guaranteed.

yes. but eme offers additional protections, making an adobe drm blob TONS safer than a browser plugin. Again one of the many benefits to users from eme.

the discovery mechanism and browser side isn’t covered under the dmca though. only the binary blobs, this is one of those easily falsifiable statements i was referring to. and the standardizing the discovery didn’t create any right out of thin air, the right to which you refer was indeed passed via LAW, in the form of the dmca. Which is what you should be fighting, the dmca.

no. it is a voluntary guide of best practices for interacting with security researchers.

i do think industry guidelines are important for security researchers. someone selling exploits to regimes and police states, or criminal organizations, is different than someone who is working to make things safer for users. some types of invasion or breaking cause actual damages, some do not. we need a way to outline what activities and behaviors are acceptable and protected and should be encouraged, and which are damaging. which ones need consent and which ones do not. etc. operating without that is even more strange. of course these are all determined by LAWS not guidelines or standards. The eff needs to focus on reforming the horrible dmca, that is the only thing that will be effective. Attacking the standards group that enables all the positive modern goodness in the pipe dream that DRM will go away without a standard even though that is where it arose in the first place, is ineffective. Worse it hurts the cause, similar to what the dishonest “war on drugs” efforts did, because the misinformation is blatantly wrong and misleading.

i meant dishonest, disingenuous, i did not mean in private.

first on the list for starters.