The World Wide Web Consortium wants to give companies a veto over warnings about browser defects

I’m pretty much done here because we’re retreading ground, and you’re continuing with namecalling, which suggests that you’ve made up your mind and are interested in winning, not discussing.

Some quick points:

  • “Something would have” replaced DRM, “guaranteed.” Except, as I explain upstream, this is nearly impossible without a standards body to paper over antitrust. Nothing replaced music DRM.

  • Flash in a sandbox is better than Flash without a sandbox: neither is good if it’s illegal to report vulns.

  • EME isn’t covered under 1201: anyone who asserts this as fact is either underinformed or choosing to recklessly oversimplify. As I explained in detail above, 1201 has analogs all over the world with differing contours that have never been cataloged; in the US, leading 1201 experts disagree with you; the firms involved have acted as though EME has 1201 coverage; the W3C has also done so (creating guidelines that would be pointless if 1201 didn’t confer a right to censor security disclosures) and the W3C’s chief strategist, a widely respected cyberlawyer, disagrees with you. You can keep asserting that 1201 doesn’t cover EME, but if you don’t engage with these arguments, I have nothing further to say on the subject.

  • The fact that 1201 is being increasingly invoked is, in fact, germane to a discussion of whether standardizing 1201-covered technologies presents a risk of it being invoked over them. Saying “nope” isn’t meaningful engagement with that argument.

  • There are already international rules governing the trade in weaponized 0-days and other vulns, which EFF has been very engaged with (google “wassenar”).

  • Limitations on the disclosure of vulns – like the ones the W3C is creating – are beneficial to the cyber-arms trade, because that trade relies upon longevity in its vulns, and that longevity is best combatted with rapid disclosure.

  • The W3C’s guidelines implicitly AND explicitly acknowledge that EME creates risk for security researchers – and then set out the normative terms under which the organization believes it would be legitimate to exploit the legal oddity in order to silence researchers.

But that’s it, I’m done. At this point, I’ve engaged with you thoroughly, and without namecalling, in more than one thread, and in return I’ve got personal attacks, defensive subject-changing, and a lack of substantive engagement.

I’m relatively certain that you’ll be back for more as this fight goes on.

But I’ve got 50-some W3C members who are ready to vote to block EME, and I’m going to continue to campaign against the best-funded, largest, most litigation-happy companies in the tech and entertainment world while you stick up for their right to sue security researchers, tell people not to support EFF’s work, and blithely dismiss the concerns of hundreds of security researchers, legal experts, the Royal National Institute for Blind People, Vision Australia, Lawrence Livermore Labs, Oxford, Eindhoven, and the German National Library.


Wait, what… namecalling? Winning? Not sure what you are referring to; all I’m doing is pointing out claims that are false, like the one you keep making about EME containing DRM.

No, not something would replace DRM, a new form of DRM would replace Flash DRM, which of course has already happened. No need to argue, this is past tense and that is exactly what happened. Also, music DRM isn’t gone, it still exists, and ironically was standardized prior to being dropped by several large media outlets. They did not drop it because of lack of standardization.

The standardization of EME does not affect reportability or discoverability of vulnerabilities, but it does dramatically reduce the surface attack vectors from such vulnerabilities should they occur.

BINGO. Despite your direct previous claims to the contrary that EME increases 1201 vulnerability for security researchers. The DMCA is the only thing that affects that; the very term comes from the DMCA. EME isn’t covered precisely because it doesn’t contain any DRM, otherwise it would be covered. You are right about people making that claim, though.

Saying EME has had any impact on 1201 cases as the EFF claimed it would is very key to the conversation. And “nope” is the correct answer.

The W3C hasn’t put any limitations on discussing vulnerabilities or on researching vulnerabilities. Guides and Standards are not capable of that, laws like the DMCA are the only thing capable of that.

I’ve never personally attacked you. Only the merits of certain points and the correctness of certain facts.

Well, anytime you claim that EME contains DRM, it is nice to point out for new readers that isn’t true, so they aren’t misinformed.

Well, if that results in the downfall of DRM we’ll all thank you someday. If it doesn’t that is a huge cost to the end user for no gain.

Except neither the standard nor the guidelines allow security researchers to be sued. That is all done under the DMCA, which I am against. I know you’ve missed this every comment, but again, I’m not for DRM or IP. I’m against the DMCA. If you and your hundreds of people that agree with you want to keep making false claims like EME contains DRM, or having EME standardized increases risks for security researchers, I’ll keep pointing out why those are not true and why claiming that they are is actually hurting the anti-DRM cause. My position is and always has been distinctly different than the one you try and paint.

Anyway, if you choose to reply, your call. I don’t hold any hope of us ever reaching any sort of mutual understanding on this subject. I do think people deserve straight shooting when it comes to these types of complex issues, and that crying wolf and misleading propaganda hurts the cause.


Not to mention once this is proven false that can be used as a crowbar to bludgeon with. They hand their enemies a powerful weapon to demonize and denounce.


Is it Tuesday?

Not to mention I actually run the bounty program for a W3C member and a browser maker. We don’t sue researchers. Period. Full stop. We thank them for telling us about issues, we fix them, and we pay bounties.

This crusade by Cory and the EFF has been told in a misleading manner from the start. This might be why they seem to get zero traction with the W3C (I really don’t know, as I’m not a participant or representative to that body, but several of my immediate coworkers are, including being specification authors). Anyone working on a browser and familiar with what’s going on with the EME knows how much BS the EFF is pushing here. I really can’t, for the life of me, figure out why, unless going “Full Stallman” is a thing. It is inaccurate on their part and I know they’ve been told, both politely and rudely, in great detail how it is so. All that, and Cory continues to bang this drum, year after year.


Point to a company that ships an EME and which has threatened a security researcher for reporting a vuln. I’ll wait.

We thank them for telling us about issues, we fix them, and we pay bounties.

You’re laboring under a misapprehension that the only entity with standing to sue over vulns in DRM is browser vendors: it’s also DRM vendors and rightsholders, e.g. W3C members MPAA, Disney, Comcast, etc. Indeed, a W3C member and EME implementer, Adobe, is the only entity to ever successfully press to have a security researcher criminally charged and sent to jail in the USA for 1201 violations.

The EFF proposal to the W3C is that members should, as a quid pro quo for being able to do more with EME at a standards body (which offers substantial shielding from antitrust liability) than they could ever do in a pure industry forum, make a binding promise not to use the new right they get by implementing this new kind of W3C standard to attack three groups of people:

  1. Security researchers

  2. People implementing assistive technology for disabled people

  3. Competitors engaged in legitimate activity – defined as activity that would be legal if not for the anticircumvention rules (that is, activity that doesn’t involve direct or contributory infringement, theft of trade secrets, tortious interference, etc)

Your unnamed employer may not sue security researchers, but unless it’s Mozilla, it’s a publicly traded company that will undergo significant management changes in the future – given that your employer is unwilling to pledge not to abuse the DMCA, and given that we have no way to know who will be running the company in 5 or 10 years, and given that standards can be baked in for decades, why should we assume that there is no risk here?

The other side of the coin is the perception of risk. As the Copyright Office docket demonstrates, security researchers from industry and the academy, including leading commercial research outfits (e.g. Rapid7) and major academic institutions (e.g. Johns Hopkins and Princeton), are routinely told by their general counsel that they are not allowed to even try to report vulns in 1201-covered technologies.

The obvious answer, if your employer is interested in ensuring that these researchers can come forward, is to make a binding assertion that the EME implementation isn’t a 1201-covered system (as W3C head of strategy Wendy Seltzer has suggested), or make a binding promise not to use 1201 in cases where the conduct is lawful save for the circumvention (as EFF has suggested).

Your co-workers who tell you EFF has no traction on this are not being forthcoming with you. There are now between 40 and 50 committed W3C members, including virtually every cryptocurrency company (they don’t like restrictions on security disclosures); virtually all of the charities and private organizations devoted to accessibility; major government labs; a major national library; a browser vendor; multiple nonprofits; multiple for-profits.

The W3C is a consensus-based organization, which typically requires overwhelming support from participating members to advance a standard. At this rate, they are unlikely to even muster a majority – let alone an overwhelming one – to support further advancement of the spec.

It’s true that the Director can declare, by fiat, that a contentious issue will go one way or another, but that, in turn, can be vetoed by a no-confidence vote of 21 or 22 members – which, given that there are 40-50 supporting limits on 1201 at W3C, is a real possibility.

Point to a company that ships an EME and which has threatened a security researcher for reporting a vuln. I’ll wait.

Adobe (you can stop waiting).


As a nontechnical person, I can get lost in the details sometimes. Let me see if I’ve got this right.

EFF vs W3C, the TL,DR version

Scene: a bright, sunny day in FOSSville on the World Wide Web. Tim Berners-Lee is sitting outside the W3C “web standards workshop.”

Netflix and Disney drive up on their browser scooters. Each scooter is pulling a large wagon. Netflix’s wagon has a Windows logo on it. Sitting on each wagon is an identical Mafia enforcer, each wears a T-shirt that says DRM.

Disney: Hi Tim.

Tim: Hey Disney. Hi Netflix. Um, who are those guys, and why are they riding in those… things?

Netflix: That’s our friend DRM. He protects our content. And those things are why we came to talk to you.

Disney: DRM won’t fit in a browser. And the only thing we could find that would let us bring him onto the web are these wagons from Adobe. Which our browsers can barely pull. I’ve had to replace my engine three times this year alone.

Netflix (proudly): I got mine from Microsoft. It’s only blown my engine twice this year.

Tim: I see (looks into Disney’s wagon, backs away quickly) It’s… it’s filled to the brim with zero day exploits and bugs. And my god, the smell. (looks again) Good grief, the whole thing is held together with string and chewing gum. (Kicks the trailer hitch, which bears an old and faded Netscape logo). Wow, this is really old. Amazing it still works at all.

DRM: That’s some nice content you have there. Pity if something were to happen to it.

Disney: (to DRM) Be polite, he’s not a customer.

DRM: Whatever. Same diff.

Disney (to Tim): You see our problem.

Tim: (under his breath) Looks to me like you have two problems.

Disney: Sorry? No, no, DRM is our protector. We couldn’t possibly go anywhere without him.

Tim (brightly): Well, I don’t see how we can help you. We just do standards for Web scooters here.

Netflix: Oh, we understand. But our coders have come up with this (shows Tim a sketch of a sidecar). It’s called a CDM.

Disney: We were wondering if you could modify our scooters so they could carry these sidecars? Then we’ll be able to bring DRM along without the nasty old wagons.

Tim: You guys have been bringing those wagons to every person on the internet?

Disney: Unfortunately. Like we said, it’s the only way we can bring DRM along.

Tim: Well, that has to stop. (decisively) I’ll help you guys. I’ll need to have schematics for the sidecars, though.

DRM: No schematics. No blueprints. Those are secret.

Tim: Well, I have to have something to work with. A spec of some kind.

Netflix (hands Tim a thin binder): You’re cleared to see this part of the spec. It should be all you need.

Tim: I’ll see what I can do.

Disney: Thanks, Tim.

Netflix: Yeah, thanks so much. We’ll be in touch.

Netflix and Disney drive away. Cory Doctorow approaches, angrily.

Cory: Did I just see you talking to DRM?

Tim: No, I was talking to Disney and Netflix. They tell me they never go anywhere without DRM.

Cory: DRM is evil. And here you were chatting with him!

Tim (sighs): Disney and Netflix wanted me to make them some browser APIs so they could carry a sidecar. That’s all. I wasn’t talking to DRM.

Cory: Traitor! Once I tell the EFF who you were cozying up to, there’ll be no going back. We will be at war!

Tim: You’ve been drinking Kool-aid with Richard Stallman again, haven’t you?

Cory: @#$%$%!

Tim Berners-Lee goes inside. Cory Doctorow begins pelting the W3C building with tomatoes as the curtain falls.


That’s pretty funny, except that the ending is missing some details.

Tim: This is just about doing the technical work! Cory, your problem is with DRM laws, which I agree are terrible, but this isn’t a project to give companies legal rights, just technical solutions.

Cory: Great! I have a solution that uses the existing W3C signature policies to ensure that this is a purely technical matter, not a legal matter.

DRM advocates (whom I can’t name, because of W3C confidentiality rules): No way, those legal rights are the whole point!

Tim: Huh, I guess we are making a legal weapon after all.

Cory: Told you so. This is nuts: you said the W3C isn’t in the business of making legal weapons, and you said that this particular legal weapon was antithetical to the open web. What are you going to do about it?

Tim: Shrug. Maybe we can make guidelines telling security researchers when they can maybe expect to get away with telling the truth about defects in our members’ implementations? Of course, there would still be no guarantee that our members would let them get away with those embarrassing revelations. But I can’t see what else we could possibly do. Who could have foreseen this amazing and unfortunate outcome?

Cory: ::significant look::


So why are people refusing to sign up?

And, yes, I do work for Mozilla. You actually know me, Cory. We’ve corresponded by email, on twitter, and in person. I helped get you into Mozilla to give a speech when, frankly, a bunch of senior folks never wanted you around again from what I could tell. I just don’t use my legal name here due to the turn of the Internet of people emailing your employer if you say something they don’t like these days (or doxing you). If you reflect a moment, I suspect you can figure out who I am. Others here also know me from that context (and before I changed my profile name to not have my name in it).

Every time you name drop Mozilla in one of your keynotes and articles with half-truths and distortions to push your point, you lose friends at Mozilla (and the EFF does as well, which is probably why folks were resistant to you speaking there). I’m not going to do a point by point counter on what you said. It was already done earlier by @redesigned better than I could have done it and he’s right.

What I will say is that if your proposal so transparently made sense and was an on-its-face good, you wouldn’t have spent the last year and a half making the same arguments trying to get folks to sign up. They would have just signed up. So, clearly, there are other factors at play here.

The fact is that you make an argument at a particular slant, ignore the responses you’ve gotten from various folks involved, and have basically not altered one line of your thinking and public rhetoric in response to discussions since this started. I know you’ve had frank discussions with policy people at companies and they’ve still not come around. @redesigned has it right. The problem here is the DMCA. Going after (and belittling) browser vendors as people “betraying” their mission and users (which you’ve said many times) doesn’t convince people. Get the law changed or overturned. Quit making us into your scapegoats. As far as I can see (personal opinion) we’ve clearly stated why we support the EME as an improvement on the existing and real world nature of binary plugins (like Flash and Silverlight) to move things into a standardized space that is safer for users. I know you don’t care that users want to watch Netflix or the Superbowl but the users sure do.

You got me on Adobe suing a researcher. I should have said “over the EME.” That said, I work with bounty program folks at other companies and in the security space and I talk to a lot of researchers. You’re the only person who has ever said to me that the fear here is that they’ll get sued over research on DRM or the EME. The real issue here is some big corporate entities will sue over security research, not that the W3C’s work will enable a new threat of that. Perhaps your next cause should be the EFF going after big companies that sue security researchers instead? I’d be behind that. Making my employer the scapegoat in every keynote for everything you hate and “betraying” our users? Not so much.


Can’t or won’t?

If the former, then how do you know who they are or the substance of what they’ve said?

If the latter, you and the EFF aren’t W3C members, so what’s stopping you?


EFF is a W3C member, and I am bound by W3C member-confidentiality rules, as I am EFF’s Advisory Committee rep.


I helped get you into Mozilla to give a speech when, frankly, a bunch of senior folks never wanted you around again from what I could tell.

Thanks.

What I will say is that if your proposal so transparently made sense and was an on its face good, you wouldn’t have spent the last year and half making the same arguments trying to get folks to sign up. They would have just signed up. So, clearly, there are other factors at play here.

I don’t believe this is an accurate version of how people’s minds change. There are 400-some W3C members. I contacted every one of their AC reps by email. The majority didn’t answer (indeed, many bounced). However, once I was able to get their attention and have discussions with the right policy person (or people – this cuts across internal divisions), they signed up, in ever-accelerating numbers.

The fact is that you make an argument at a particular slant, ignore the responses you’ve gotten from various folks involved

I think I’ve engaged in detail with these arguments. For example, here’s a FAQ that addresses most of them:

Going after (and belittling) browser vendors as people “betraying” their mission and users (which you’ve said many times) doesn’t convince people.

The discussion with both Moz and W3C began as a private one. When those discussions didn’t go anywhere – and when the bad choices the two orgs made led to real-world risks – we moved from private to public discourse.

Moz is a force for good when it does good. It can’t claim to be a force for good when it takes choices to preserve its market share at the expense of its mission.

Get the law changed or overturned.

That’s why we’re suing the USG:

Our clients include Matthew Green, a security researcher who believes that 1201 prevents him from publishing the research the NSF is paying him to do.

Quit making us into your scapegoats.

I’m sorry that Moz feels “scapegoated” - I believe I’ve consistently explained Moz’s rationale for making the choice. But being Moz’s friend shouldn’t require giving it a pass when it gets it wrong, especially when it gets it really wrong.

You’re the only person who has ever said to me that the fear here is that they’ll get sued over research.

Here are several hundred researchers who believe this is the case:

Including Mozillans, the W3C’s CTO, the co-editor of ISO 29147 Vulnerability disclosure, etc.

Also: here is a list of researchers who told the US Copyright Office that this is a serious problem, including the then-deputy CTO of the White House, Bruce Schneier, Matt Blaze, etc:

http://copyright.gov/1201/2015/comments-020615/

Allow me to gently suggest that you are experiencing selection bias: by definition, you will only come into contact with security researchers who do not fear retaliation for disclosure, because you run a disclosure program.


I thought this seemed weird, so I just googled it and can find no instance in which I said this. You can also see everything I’ve written about Moz on Boing Boing here:

https://boingboing.net/author/cory_doctorow_1/page/2?s="moz"

It’s possible that I have, but I’d be interested in a citation.

I had a version of this discussion on Twitter with Al XXXXX (I don’t know if this is Al again?) and after some discussion and an examination of the record, he concluded that he had a mistaken impression of the way I have discussed Moz’s role in EME.

Whether or not this is Al, I think you would be well-served to seek out the statements you found so offensive and review them to see whether they really are as hard on Moz as they struck you at the time. I am generally very careful about how I talk about Moz, though there are also times when I may have slipped up during a Q&A or similar. But I’d be interested to see where that happened, if you know.

Yes, I am Al. I remember our conversation but I’ve also listened to quite a few of your public speeches and podcast interviews since then and I hear Mozilla mentioned a lot when your DRM stump speech (or even general discussion) comes up. Since I regularly purge my twitter account contents of anything older than a month back in time, I no longer have access to those tweets in question.

So, maybe I’m just misremembering but I do know that when you discuss DRM on stage at a conference or in an audio interview, I hear my company’s name an awful lot. That is for sure true. Whether your take on our involvement with the EME is accurately characterized, could be discussed. I’m pretty much done here. Usually, I don’t bother to really get into it on DRM beyond a superficial level here on BoingBoing because there isn’t much point. You’re an evangelist and an advocate for a certain point of view and I very well understand why Mozilla has done what it has done.


I’ll repeat now what I said then: you are entitled to your own opinions, but not your own facts. I think you would be very hard pressed to find an instance in which I’ve discussed the W3C without mentioning all the major browser vendors. I don’t think there’s a single instance in which I singled out Moz. I would be interested if you had any evidence to the contrary (and I remind you that the last time we had this discussion, you concluded that I was right).*

I don’t pay attention to when you mention Chrome, so, frankly, I can’t comment on it. I didn’t say “…mentioned Mozilla and no one else…” You definitely make it sound like we’re betraying our principles. I don’t feel we are. You do. So, end of conversation there, really.

I understand the point you are making about facts or opinions. I can pay attention henceforth and look for examples but I’m not going to go back and re-listen to all of your keynotes and interviews that I’ve heard. I generally like your other work, so I follow it on the Internet, podcasting your interviews and such. I just don’t agree with the approach you are taking in your public articles and presentations and doubt that this approach is going to “win” this battle when done this way. Maybe I’m wrong though, so far, the W3C seems to be continuing on its merry way so I don’t feel like you’re having the effect that you and the EFF want. Maybe I’m wrong and the W3C will reverse its stance. I do agree with @redesigned’s criticisms of what is being said and how it is being characterized though.


With 40-50 members, and enough to call a no confidence vote if the Director overrules them, I think it would be amazing if it were business as usual.


I can’t think of any scenario in which this results in a victory against DRM.

If the EFF does manage to get the W3C to un-standardize EME, what impact would that have? Every browser implemented EME prior to it being standardized. DRM on the web existed long before EME. Net impact to DRM: zero, and that is the best case. Worst case, we backslide to more proprietary solutions that pose a greater risk to all users, and people’s confidence in the EFF is eroded.

EFF: Taking the teeth out of the DMCA is the only way that the EFF will have any real impact against DRM, imho. Fight the problem with a clear, honest, straightforward stance and I’m all on board. Try and undermine user security, web standards, and progress with dishonest claims, all while attacking the only group doing any actual real good in regards to these issues, and you’ve lost my support.
