Month: September 2017

W3C Killed Web Security


    It’s a sad day, folks. The W3C killed web security by accepting DRM without a caveat that protects against the unreasonable reach of the DMCA (Digital Millennium Copyright Act). Security researchers are out; hackers are in. While I am sure that most users believe that companies and creators have the right to protect their IP (Intellectual Property), I am also sure they believe in having strong security and a reasonable right to use their purchased product in whatever manner they see fit. The web was a last bastion that held to those principles. It was killed brutally and without much compunction by the W3C and its corporate backers in a vain attempt to stem the tide of piracy and illegal copying.

    Let’s be clear for a moment about the current problem. I don’t have an issue with DRM. I don’t agree with it all the time, but neither do I disagree with it all the time. No, the issue is with the DMCA and its unreasonable reach in trying, and failing, to protect DRM. There are two sections in the DMCA that are of great interest. The core section I am referring to is Section 1201: Circumvention of copyright protection systems.

    Section 1201 affects the web and all technologies the most, and it is why this is a sad day for the internet. The EFF letter to the W3C addresses some of the concerns regarding Section 1201 and its application to web technologies.
Here are some of the critical points they made when hoping the W3C would add a precondition for accepting DRM standards.

    “This covenant would allow the W3C’s large corporate members to enforce their copyrights. Indeed, it kept intact every legal right to which entertainment companies, DRM vendors, and their business partners can otherwise lay claim. The compromise merely restricted their ability to use the W3C’s DRM to shut down legitimate activities, like research and modifications, that required circumvention of DRM….
    More directly, such a covenant would have helped protect the key stakeholders, present and future, who both depend on the openness of the Web, and who actively work to protect its safety and universality. It would offer some legal clarity for those who bypass DRM to engage in security research to find defects that would endanger billions of web users; or who automate the creation of enhanced, accessible video for people with disabilities; or who archive the Web for posterity. It would help protect new market entrants intent on creating competitive, innovative products, unimagined by the vendors locking down web video.”

That is the crux of the issue, and it is why the W3C should have had clear stipulations for implementing DRM in web technologies. There really isn’t anything protecting users and their right to circumvent DRM when doing so does not infringe on the patent holder or IP source. Security experts are now in a quasi-grey area: their work is to find vulnerabilities, but in doing it they are violating the DMCA. This helps no one but the bad guys, and that is just sad in a day and age when billions of users need strong security the most.

    In addition, we don’t know who did and didn’t vote in favor of implementing a DRM standard. The votes are secret, and that should disturb us even more than the terrible overreach of the DMCA’s rules. It is worth noting that W3C member votes aren’t always public, and by default a member must opt in to public disclosure of its vote. For an organization that affects our lives, not having public disclosure of votes by default and as enforced practice is egregious. We all know why this is the case, though. Companies don’t want to look like the bad guys even when they are, so they hide in anonymity while the rest of us are left to hang by their terrible decisions. We can make some guesses as to who voted for the standardization, but we don’t know who their accomplices are. Essentially, a private group gets to affect our lives without us being able to hold them accountable. In addition, their votes won’t stop piracy or illegal copying. So all in all, they hurt themselves as well as us, with nothing to show for it but the further stripping of our rights.

    While it all looks bad, there are bright spots. The US government is looking to open source its code base as much as it reasonably can. Maybe they’ll step in and decide obtrusive DRM and its protective DMCA rules are too powerful. If interested in some of their projects, check out my article covering some of the best packages released to date.