APC statement on World Wide Web Consortium move towards standardising digital rights management
, April 2017
Frank La Rue, Assistant Director-General for Communication and Information at UNESCO, has publicly expressed concern to the main international standards-setting body for the web, the World Wide Web Consortium (W3C), on the implementation of a technical change known as encrypted media extensions (EME). EME standardises a practice called digital rights management (DRM) and would lead to excessive information controls, as well as introducing security vulnerabilities at the application, or web browser, layer.
W3C is an international body that is narrowly focused on standards and protocol setting for the world wide web, whose official recommendations affect the content delivery layer of the internet through web browsers. W3C’s most prominently stated value is openness, followed by interoperability and content neutrality. While W3C has a staff and an advisory board, its standardisation work is done through open and transparent democratic processes by technical experts from governments, the private sector, civil society and academia.
Since 2012, the HyperText Markup Language (HTML) Media Extensions Working Group of the W3C has been considering a new technical standard called the EME, which extends the existing functionality of HTML’s media element to play encrypted content. There has been continuous resistance to the EME recommendation since its inception, in the form of petitions and protests, resignation of W3C staff and, in March 2016, an open letter against standardising insecure DRM signed by hundreds of security researchers.
As La Rue points out, there are two main issues introduced by EME that deeply affect and put at risk users’ rights. The most important issue is that DRM diminishes the right to seek and receive information and directly challenges the W3C’s commitment to an open web. Introducing a default, restrictive technical control of information at the application layer means that users are powerless to gain access to illegitimately restricted content with circumvention tools. This puts at risk fair use, as well as adaptation of content for localisation and accessibility. An additional consideration is that the proposed standard gives corporations control over how security researchers identify and publish security vulnerabilities. At worst, this provision makes independent vulnerability research a criminal offence. There is no perceived value added by this provision to the standard other than to further protect corporate intellectual property.
Despite the resistance from within W3C, Tim Berners-Lee, W3C director and founder of the World Wide Web, published a post in February 2017 saying that he supports the implementation of EME in HTML5. W3C also published a response to La Rue’s letter, which essentially characterises the EME standard as an improvement on DRM and puts the responsibility of respecting freedom of expression and access to information on UNESCO and civil society, failing to acknowledge the implications of W3C’s own work on these fundamental rights. There remains widespread confusion about if and when there will be a vote on this issue among working group members.
Influential corporations have stated that DRM protects their intellectual property and also keeps consumers safe from malicious, unauthorised content. And when that intellectual property is in the form of content, like a film or a song, they use various technical mechanisms termed digital rights management. Corporations have proposed that DRM become standardised in web browsers with a technical specification known as encrypted media extensions, despite the fact that it has already been shown that DRM stifles innovation and makes legitimate access to information difficult.
As with any open, multistakeholder decision-making body, W3C is not without occasional controversy. In the past, W3C has weighed the interest of users over corporations on issues such as patents and intellectual property. However, the argument has been made that the source of the current controversy, the adoption of EME, would fully accommodate corporate DRM and creates an unprecedented tension between supporting corporate rights and protecting user rights, with much for the latter to lose.
Concrete suggested actions for W3C working group members
APC believes protocols and standards play an integral role in protecting human rights. The internet is a decentralised network that empowers voices from the margins rather than the centre. Its technical standards and protocols reflect its values, as they allow it to operate in this decentralised and open manner. Furthermore, the process by which standards and protocols are set reflects democratic principles.
As UN Special Rapporteur on the right to freedom of opinion and expression David Kaye noted in his 2016 report to the UN Human Rights Council, technical standards have profound implications for freedom of expression. Specifically citing the role of the W3C in his report, he urged private actors to develop and implement policies that take into account their potential impact on human rights and to ensure the greatest possible transparency in their policies, standards and actions that implicate the freedom of expression and other fundamental rights.
We applaud W3C’s history of approaching copyright and patents in ways that respect and empower users while balancing corporate influence and interests. We believe the best approach in the case of DRM is to draw from these past experiences and push back against corporate pressure and influence, to ensure that the fundamental right to freedom of expression, which includes the right to seek and receive information, is respected.
Indeed, the DRM system exists, but the role of a technical standards body such as W3C is to facilitate an open, interoperable and content-neutral web, guided by international human rights standards, in particular the principles of necessity and proportionality, when it comes to consideration of any standards that would limit access to content. Even as a private actor, W3C should assess the implications of its standards and policies to examine their possible implications for human rights, openness and accessibility.
It is critical to support the security research community with bug bounty programmes and other innovations that facilitate collective identification and mitigation of security vulnerabilities. Lastly, it is especially important when in the midst of intense controversy to remain committed to democratic decision making that is transparent and inclusive.
For more information
- Listen to an audio episode about DRM from the Reply All podcast here.
- Read the APC issue paper Human rights and Internet protocols: Comparing processes and principles “here”:https://www.apc.org/en/node/16122.