Posts with tag "drm"

DRM will unravel the Web

By Christopher Allan Webber on Mon 18 September 2017

I'm a web standards author and I participate in the W3C. I am co-editor of the ActivityPub protocol, participate in a few other community groups and working groups, and I consider it an honor to have been able to participate in the W3C process. What I am going to write here though represents me and my feelings alone. In a sense though, that makes this even more painful. This is a blogpost I don't have time to write, but here I am writing it; I am emotionally forced to push forward on this topic. The W3C has allowed DRM to move forward on the web through the EME specification (which is, to paraphrase Danny O'Brien from the EFF, a "DRM shaped hole where nothing else but DRM fits"). This threatens to unravel the web as we know it. How could this happen? How did we get here?

Like many of my generation, I grew up on the web, both as a citizen of this world and as a developer. "Web development", in one way or another, has principally been my work for my adult life, and how I have learned to be a programmer. The web is an enormous, astounding effort of many, many participants. Of course, Tim Berners-Lee is credited for much of it, and deserves much of this credit. I've had the pleasure of meeting Tim on a couple of occasions; when you meet Tim it's clear how deeply he cares about the web. Tim speaks quickly, as though he can't wait to get out the ideas that are so important to him, to try to help you understand how wonderful and exciting this system is that we can build together. Then, as soon as he's done talking, he returns to his computer and gets to hacking on whatever software he's building to advance the web. You don't see this dedication to "keep your hands dirty" in the gears of the system very often, and it's a trait I admire. So it's very hard to reconcile that vision of Tim with someone who would intentionally unravel their own work... yet by allowing the W3C to approve DRM/EME, I believe that's what has happened.

I had an opportunity to tell Tim what I think about DRM and EME on the web, and unfortunately I blew it. At TPAC (W3C's big conference/gathering of the standards minds) last year, there was a protest against DRM outside. I was too busy to take part, but I did talk to a friend who is close to Tim and was frustrated about the protests happening outside. After I expressed that I sympathized with the protestors (and that I had even indeed protested myself in Boston), I explained my position to my friend. Apparently I was convincing enough that they encouraged me to talk to Tim and offer my perspective; they offered to flag them down for a chat. In fact Tim and I did speak over lunch, but -- although we had met in person before -- it was my first time talking to Tim one-on-one, and I was embarrassed that that first interaction would be me talking about DRM and what I was afraid was a sore subject for him. Instead we had a very pleasant conversation about the work I was doing on ActivityPub and some related friends' work on other standards (such as Linked Data Notifications, etc). It was a good conversation, but when it was over I had an enormous feeling of regret that has been on the back of my mind since.

Here then, is what I wish I had said.

Tim, I have read your article on why the W3C is supporting EME, and I know you have thought about it a great deal. I think you believe what you are doing is right for the web, but I believe you are making an enormous miscalculation. You have fought long and hard to build the web into the system it is... unfortunately, I think DRM threatens to undo all that work so thoroughly that allowing the W3C to effectively green-light DRM for the web will be, looking back on your life, your greatest regret.

You and I both know the dangers of DRM: it creates content that is illegal to operate on using any of the tooling you or I will ever be able to write. The power of DRM is not in its technology but in the surrounding laws; in the United States through the DMCA it is a criminal offense to inspect how DRM systems work or to talk about these vulnerabilities. DRM is also something that clearly cannot itself be implemented as a standard; it relies on proprietary secrecy in order to be able to function. Instead, EME defines a DRM-shaped hole, but we all know what goes into that hole... unfortunately, there's no way for you or I to build an open and interoperable system that can fit in that EME hole, because DRM is antithetical to an interoperable, open web.

I think, from reading your article, that you believe that DRM will be safely contained to just "premium movies", and so on. Perhaps if this were true, DRM would still be serious but not as enormous of a threat as I believe it is. In fact, we already know that DRM is being used by companies like John Deere to say that you don't even own your own tractor, car, etc. If DRM can apply to tractors, surely it will apply to more than just movies.

Indeed, there's good reason to believe that some companies will want to apply DRM to every layer of the web. Since the web has become a full-on "application delivery system", of course the same companies that apply DRM to software will want to apply DRM to their web software. The web has traditionally been a book which encourages being opened; I learned much of how to program on the web through that venerable "view source" right-click menu item of web browsers. However I fully expect with EME that we will see application authors begin to lock down HTML, CSS, JavaScript, and every other bit of their web applications with DRM. (I suppose in a sense this is already happening with JavaScript obfuscation, etc., but the web itself was at least a system of open standards where anyone could build an implementation and anyone could copy around files... with EME, this is no longer the case.) Look at the prevalence of DRM in proprietary applications elsewhere... once the option of a W3C-endorsed DRM-route exists, do you think these same application developers will not reach for it? But I think if you develop the web with the vision of it being humanity's greatest and most empowering knowledge system, you must be against this, because if enough of the web moves over to this model the assumptions and properties of the web as we've known it, as an open graph to free the world, cannot be upheld. I also know the true direction you'd like the web to go, one of linked data systems (of which ActivityPub is somewhat quietly one). Do you think such a world will be possible to build with DRM? I for one do not see how it is possible, but I'm afraid that's the path down which we are headed.

I'm sure you've thought of these things too, so what could be your reason for deciding to go ahead with supporting DRM anyway? My suspicion is it's two things contributing to this:

  1. Fear that the big players will pick up their ball and leave. I suspect there's fear of another WHATWG, that the big players will simply pick up their ball and leave.
  2. Most especially, and related to the above, I suspect the funding and membership structure of the W3C is having a large impact on this. Funding structures tend to have a large impact on decision making, as a kind of Conway's Law effect. W3C is reliant on its "thin gruel" of funding from member organizations (which means that large players tend to have a larger say in how the web is built today).

I suspect this is most of all what's driving the support for DRM within the W3C. However, I know a few W3C staff members who are clearly not excited about DRM, and two who have quit the organization over it, so it's not that EME is internally a technology that brings excitement to the organization.

I suppose at this point, this is where I diverge with the things I could have said in the past and did not say as an appeal to not allow the W3C to endorse EME. Unfortunately, today EME made it to Recommendation. At the very least, I think the W3C could have gone forward with the Contributor Covenant proposed by the EFF, but did not. This is an enormous disappointment.

What do we do now? I think the best we can do at this point, as individual developers and users, is speak out against DRM and refuse to participate in it.

And Tim, if you're listening, perhaps there's no chance now to stop EME from becoming a Recommendation. But your voice can still carry weight. I encourage you to join in speaking out against the threat DRM brings to unravel the web.

Perhaps if we speak loud enough, and push hard enough, we can still save the web we love. But today is a sad day, and from here I'm afraid it is going to be an uphill battle.

EDIT: If you haven't yet read Cory Doctorow / the EFF's open letter to the W3C, you should.

Memories of a march against DRM

By Christopher Allan Webber on Wed 23 March 2016

Protesting EME before the Microsoft building

Above image CC BY 3.0, originally here, and here's a whole gallery of images.

I participated in a rally against the W3C endorsing DRM last Sunday. I know it was recorded, but I haven't seen any audio or video recordings up yet, and some friends have asked what really happened there. I thought I'd write up what I remembered.

First, some context: the rally (and subsequent roundtable discussion) wasn't officially part of LibrePlanet, but it did happen right after it. This was one of the busiest free software focused weeks of my life, and just earlier in the week I had been participating in the Social Web Working Group at the W3C, trying to hammer out our work on federation and other related standards. I'm so excited about this work, that it stands out in an interesting contrast to my feelings on a different "standards in the W3C" issue: the real danger that the W3C will endorse DRM by recommending the Encrypted Media Extensions specification.

Before I get to the rally itself, I want to dispel what I think has been some intentional muddying of the issue by advocates of the specification. Let's turn to the words of the specification itself:

This specification does not define a content protection or Digital Rights Management system. Rather, it defines a common API that may be used to discover, select and interact with such systems as well as with simpler content encryption systems. Implementation of Digital Rights Management is not required for compliance with this specification: only the Clear Key system is required to be implemented as a common baseline.

Whew! That doesn't sound so bad does it? Except, oh wait, reading this you might think that this isn't about DRM at all, and that's an intentional piece of trickery by the authors of this specification. As Danny O'Brien later said at the panel (I'm paraphrasing here): "While it's true that the specification doesn't lay out a method for implementing DRM, it instead lays out all the things that surround this hole. The thing is, it's a DRM shaped hole, and indeed DRM is the only thing that fits in that hole."

So once you look at it that way, yes, it's a DRM-enabling specification. We have other programs and standards for handling "encryption". Encryption is good, because it empowers users. The goal of this specification is to make space for something to fit onto your computer to strip you of your computing power and freedom.

With that said, onto the memories of the evening.

The march started outside MIT’s Ray and Maria Stata Center, where the W3C offices are. There were a good number of people there, though I didn't count them. I'm guessing it was 50 or so people, which is not bad turnout at all for a post-busy-conference everyone-is-probably-exhausted march. Despite anticipating being totally exhausted, I was surprised to find that I wasn't, and neither was anyone around me. Everyone seemed super fired up.

There were some speeches from Harry Halpin and Zak Rogoff and myself to kick things off. I don't remember Harry or Zak's speeches at this stage, though I remember thinking they were pretty good. (Harry made clear that he was a W3C staff member but was acting in his own capacity.)

As for what I said, here's my rough memory:

I started MediaGoblin from the goal and vision of preserving the decentralized nature of the World Wide Web in the growing area of media publishing, through audio, video, images, and so on. Thus I was proud to join the W3C in the standards work on our work formalizing federation through ActivityPub and by participating in the Social Web Working Group. But if the W3C enables EME, it enables DRM, and this threatens to undermine all that. If this were to apply to video only, this would be threat enough to oppose it. But once that floodgate opens, DRM will quickly apply to all types of documents distributed through the web, including HTML and JavaScript. The W3C's lasting legacy has been to build a decentralized document distribution network which enables user freedom. We must not allow the W3C to become an enemy of itself. Don't let the W3C lower its standards, oppose DRM infecting the web!

Anyway, something like that!

A lot of things happened, so let me move on to memory from what happened from there in bulleted list form:

  • We marched from MIT to Microsoft. There were quite a few chants, and "rm DRM" was the most fun to chant, but notably probably the least clear to any outsiders.
  • Danny O'Brien from the EFF gave a speech in front of the Microsoft building giving a history of DRM and why we must oppose it. He noted that one of the most dangerous parts of DRM in the United States is that the DMCA makes explaining how DRM works a crime, thus talking about the issue can become very difficult.
  • After the march we went to the roundtable discussion / panel, hosted at the MIT Media Lab. It was a full room, with even more people than the march (maybe 80-100 people attending, but I'm bad at counting these things). Everyone ate some pizza, which was great times. Then Richard Stallman, Danny O'Brien, Joi Ito, and Harry Halpin all took turns speaking.
  • Richard Stallman started with an introduction to free software generally. He then went through a detailed explanation about how DRM makes user freedom impossible. He then said something funny like "I was allowed 30 minutes, but I notice I only used 15; I will use the other 15 minutes to follow up to others if necessary." (He used a good portion of them to correct people on their terminology.)
  • Danny O'Brien gave a detailed explanation of the history of the fight against DRM. He also gave his "EME is a standard with a DRM shaped hole" comment. He then gave a history of the fight of something he considered similar, the fight against software patents, and how the W3C had decided to fight patents by including rules that W3C members could not sue using patents for concepts covered by these specifications.
  • This led into what was probably the biggest controversy among the panel members: a proposal by the EFF of a "covenant" surrounding DRM. The proposal was something like, "if the W3C must adopt EME, it should provide rules protecting the public by making members promise that they will never sue free software developers and security researchers for violating DRM." Richard Stallman had a strong response to this, saying that this is not really a compromise (Danny clarified that this proposal did not mean giving up fighting DRM) and while it could make things a little bit less dangerous, it would still be very dangerous. It could be easily circumvented as the party suing might not be a W3C member (and indeed, you could imagine many record companies or Hollywood studios who are not W3C members suing in such a scenario).
  • A W3C staff employee at one point said that if the general public was to comment on EME, it should be disagreeing on technical points, and be careful not to raise confused technical issues, as that will lead comments to being dismissed. Danny gave a nice response, saying that while he agreed that technical issues should be correctly engaged, technical decisions are made within a policy context, so we should be careful to not tell people to limit themselves to technical-issue-only comments.
  • Joi Ito gave various anecdotes about his understanding of what led DRM to its current rise in prominence today. He also used "intellectual property" several times, leading predictably to a terminology-correcting response from RMS.
  • One audience member suggested that if the W3C adopts EME, it shows that it can not be trusted with the responsibility of managing the web's standards. Interestingly, this seemed to be met with a good deal of approval from the crowd. It also was an interesting counter-point to the "well if the W3C doesn't do it, someone will just set up another standards body to support DRM." This "risk" to the W3C might be just as or more likely of other standards bodies emerging to replace it if it moves forward with adopting EME (but in this case, by individuals motivated by preserving the decentralized integrity of the web).
  • Harry Halpin ended the panel with a bang... first, he reiterated that in participating in this panel, he was acting independently and not as a W3C employee. (And again, to paraphrase:) "However, I will say that there are some lines that must be drawn. Permitting DRM to enter into the web is a line that must not be crossed. And if the W3C moves to recommend EME, I will resign."


And so, that was my Sunday evening. If you were going to tell me that I would end the last evening of the last day of the week even more energized than when I began it (especially after a week as busy as that!), I would not have believed you. But there it is! I'm glad I got to participate.

For more coverage, read up at Defective By Design, Motherboard, and BoingBoing. Oh yeah, and sign the anti-DRM petition while you're at it!