Digital Rights Advocates Call for Investigation Around W3C’s DRM Extension

Digital rights advocates are again pleading with the World Wide Web Consortium (W3C) to reconsider standardizing DRM in Encrypted Media Extensions, a draft specification that would ultimately feed into HTML 5.

Advocacy groups like the Electronic Frontier Foundation (EFF) and security researchers alike have gone on record decrying the move, stressing it could have implications for competition, or anyone who discloses browser vulnerabilities.

“Browsers are among the most common technologies in the world, with literally billions of daily users. Any impediment to reporting vulnerabilities in these technologies has grave implications,” Cory Doctorow, an activist and special advisor with the EFF, wrote in a post to the group’s Deeplinks blog Wednesday.

“Now more than ever, we can’t afford any structural impediments to identification and disclosure of browser defects.”

Doctorow, who also co-edits the blog Boing Boing, previously served as the EFF’s European Affairs Coordinator in the mid-2000s. He rejoined the EFF in 2015 with a focus on eradicating digital rights management.

A “Candidate Recommendation” for EME, published on the W3C mailing lists last month by the HTML Media Extensions Working Group chairman, Microsoft’s Paul Cotton, prompted the blog post. As far as specification timelines go, a candidate recommendation is the second level of a four-level maturity system. It basically means that the group responsible for the standard, in this case EME, is satisfied and believes the standard meets its technical requirements.

The EFF has been vocal in its opposition to the standard. Doctorow has penned several blogs over the last year describing how EME would essentially bake DRM into the HTML5 standard and registered a Formal Objection to W3C’s recommendation just a few days after it was published. Wednesday’s blog entry marks the group’s latest public plea to the security community.

DRM is subject to legal protection through laws already on the books worldwide like the United States’ DMCA, Canada’s Bill C-11, and additional EU laws. Those laws, the EFF believes, could allow a company to threaten researchers who identify vulnerabilities in browsers that have HTML5 implemented.

A slew of security luminaries, including Bruce Schneier, Ron Rivest, J. Alex Halderman and Ron Deibert, to name a few, signed off on a proposal in March that insists the W3C ensure researchers are protected before the consortium moves forward with its DRM work. The “covenant,” as Doctorow refers to it, would require members to sign and agree not to use the DMCA or similar laws to attack security researchers.

Cotton rejected the proposal outright in June, claiming that discussion around “such a proposed covenant is NOT in the scope of the current HTML Media Extensions WG charter.” While the W3C has previously rationalized the importance of security research in blog entries, it claims it has failed to find common ground among its membership over the covenant.

Doctorow points out that the security of browsers has become even more paramount of late as they increasingly become integrated into pacemakers, cars, home security systems, and other IoT devices.

Browsers continue to be a target for both researchers and attackers alike.

Last month Israeli and German researchers found a vulnerability that allows pirates to copy video from sites like Netflix and Amazon Video. The vulnerability, for which the researchers produced a proof of concept, allows criminals to sidestep Widevine, the DRM technology used by Chrome. The researchers were unsure whether or not Firefox and Opera, which use the same technology, are affected, but are reportedly looking into it.

Doctorow and the EFF claim they’re going to continue fighting what’s turning into an uphill battle against the W3C. But in the meantime, both are urging researchers to “subject all EME implementations to the closest possible scrutiny.”

“The black hats who are already doing this are not bound by fear of the DMCA, and they are delighted to have an attack surface that white hats are not allowed to investigate in detail,” he wrote.

Car hackers and phone jailbreakers were granted exemptions to the DMCA’s anti-circumvention rules last fall by the Library of Congress. Those exemptions were a big win for security researchers and came a few months after researchers Charlie Miller and Chris Valasek demonstrated a vulnerability in Uconnect, a computer featured in some Jeep vehicles.
