W3C Approves a DRM Standard for the Web, Raising Major Concerns for Digital Rights Groups

Last week, the World Wide Web Consortium (W3C) officially recommended the use of a web standard for integrating Digital Rights Management (DRM) into HTML5. DRM technology enables copyright holders to encrypt their media in order to restrict how consumers can access it. Restrictions can include preventing unauthorized access to the content, limiting the number and types of devices that the content can be viewed on, blocking access based on geographic location, and most importantly to the creators, preventing the work from being duplicated or transferred. The standard developed for DRM implementation into modern browsers is called Encrypted Media Extensions (EME), which was first introduced by the W3C in 2013. EME serves as a framework to allow DRM-protected content to be delivered through a web browser, without the need for additional plugins like Silverlight or Flash.

The W3C’s proposal to implement the EME standard is aimed at eliminating the need for DRM plugins entirely, so that individuals and organizations are easily able protect their content, and deliver it in such a way that is equally accessible across all browsers. In the absence of a standards-based approach for the web, there are only two options for delivering DRM-protected content to consumers: (1) browser plugins, which are practically on their death beds, and (2) creating dedicated applications for every provider’s content (e.g. Netflix, HBO, Amazon Kindle). If copyright holders want to deliver DRM-protected content through a browser, the only solution moving forward is the use of EME. It comes as no surprise then, that a representative from Netflix is listed as one of the four editors on the W3C’s proposal for EME, alongside two others from Microsoft, and one from Google.

Proponents of a more “free and open internet” argue that DRM has no place on the web. Organizations like the Free Software Foundation (FSF) believe that users should have full control over their media. They argue that DRM only provides “antifeatures,” which are features that exist “only to worsen the service for users.” Content providers often lock customers into their platforms, without any legal method of transferring their media to a competing platform if they wanted to do so. Although DRM is commonly embedded in a variety of native applications ranging from content consumption (Netflix) to content creation (Adobe Photoshop), the W3C’s recommendation to standardize it in HTML5 would give content distributors a major push towards locking down content in web-browsers as well.

Once standardized across web browsers, EME will give DRM the potential to restrict users’ rights more than ever before. This is primarily due to a clause of Section 1201 of the DMCA which states that “No person shall circumvent a technological measure that effectively controls access to a work protected under this title.” Therefore under the DMCA, bypassing DRM to identify potentially dangerous security vulnerabilities is not permitted. The penalties for losing a DMCA claim of this nature could result in a $500,000 fine as well as a five year prison sentence. Such grave penalties discourages security researchers from informing content providers about defective or dangerous code in their encrypted content or software. Even something as innocent as adding in adaptive features for disabled individuals would often also require bypassing DRM, which once again, is a clear violation under the DMCA.

These are just some of the legal complications which prompted the Electronic Frontier Foundation (EFF) to suggest improvements to the development of EME. The organization submitted a proposal to include a binding covenant that would prohibit W3C members from taking legal action against those that circumvented DRM for research or security purposes. “Under our proposal, W3C members would agree that they could only use DMCA 1201 to stop people from doing something that was already illegal, like movie piracy,” writes Cory Doctorow in a recent blog post for the EFF. Although there is widespread support for the covenant, “the companies that want DRM won’t hear of it,” he says. This seemingly reasonable suggestion was rejected by various members of the W3C, and has not been included in the final proposal.

Another major concern is that the widespread