SpicyIP Fellowship 2017-18: Should DRM be an Integral Part of the Open Web?

We are pleased to bring to you another guest post by our Fellowship applicant Divij Joshi. Divij graduated from NLS, Bangalore in 2016 and is currently working at a leading law firm in Mumbai. This is his second submission for the Fellowship.


Should DRM be an integral part of the Open Web?

Divij Joshi

The future of the World Wide Web is the subject of a heated debate as the World Wide Web Consortium (“W3C”), the main standard setting body for the World Wide Web, is set to adopt the Encrypted Media Extensions (“EME”) standard. This post seeks to explain what the adoption of EME by the W3C means and what its implications are for the open web. (Long post ahead)


Before delving deeper into the issue, a quick primer to explain the role of the W3C and the EME standard would be helpful.

The story begins with the adoption of the HTML5 standard by the W3C as the standard language for presenting content on the web. The W3C is the primary standard setting body for the adoption of protocols on the World Wide Web. Its membership consists of hundreds of industry, civil society as well as government representatives, who collectively take decisions on which protocols to adopt for the web. The protocols and specifications published by the W3C (which includes the HTML language and its subsequent variations) allow for anyone to create web pages and browsers which are universally accessible, indexable and globally interoperable. The adoption of such standards is essential to the adoption of the web as the crucial tool for media, culture and commerce on the internet, since it creates a framework for technologies from various producers to work in sync with each other, and provides assurance that any future technologies are also similarly interoperable.

During the development of the HTML5 standard, several industry players began lobbying for a standard which allows easier playback of content which is protected using Digital Rights Management (“DRM”) technologies. DRM technologies encompass a range of technical solutions adopted by content distributors to prevent the ‘unauthorized use’ of their works by end users, by retaining control over digital content and limiting their ability to freely copy and/or use content. DRM allows rights holders to place digital locks which encrypt content and control when and how it can be decrypted (a familiar example is geographical locks on DVD players). While DRM is used ostensibly to enforce copyright and prevent piracy, it essentially redraws the balance drawn by publicly deliberated copyright laws in favour of rights holders, by preventing use of media except with the permission of the rights owner, even if it constitutes fair use. DRM has been widely adopted by content providers, including Amazon for Ebooks, major record labels, as well as Microsoft, Google and Netflix to protect online content. DRM is controversial for several reasons, which have been covered on this blog previously, and are explained later on.

Now let’s break down how media playback (specifically video) used to work on the web, and how HTML5 is changing that. Playing videos on the web used to require plug-in software, such as Adobe Flash, downloaded specially by users for that purpose. The plug-in handled the entire operation of video playback, and when videos started getting DRM-encrypted, these plug-ins also had the capability to decrypt the videos as per the requirements of the content provider. With the implementation of HTML5, these plug-ins are rendered irrelevant to actually playing videos on web pages, which is great, because plug-ins are a security nightmare and truly cumbersome to user experience. However, DRM-encumbered video still needs implementation software which will allow the decryption of the content. This new implementation is known as a Content Decryption Module (“CDM”), which comprises a class of non-standardized and proprietary DRM systems that serve the limited purpose of decrypting encrypted content.

The EME standard on HTML5 has been developed to allow the implementation of CDMs for decrypting videos (and potentially other media). Without delving too much into the technicalities (which you can read about here and here), the EME essentially allows browsers to support CDMs for relaying content on web pages, by specifying a method (called an Application Programming Interface) by which any browser can communicate with any CDM. The CDM itself may be included as part of a browser, software, hardware, or an operating system, and controls decryption of content and authentication of the use of the media, to allow the playback of media. The explicit purpose of the EME standard is to work as a necessary standard component in conjunction with a CDM.

DRM versus the Open Web

Critics of the EME standard, such as the Free Software Foundation and the Electronic Frontier Foundation, principally object to the web being developed to facilitate the rights of DRM users instead of dissuading the use of such technologies. They argue that its adoption is antithetical to the purposes of the W3C, and abdicates its responsibility for ensuring compatibility and accessibility. A large part of the criticism stems not only from what DRM makes possible (namely, restrictions on the access and use of media), but from how it is implemented, i.e., the necessary introduction of closed and proprietary software as a part of the web.

For CDMs to be effective, they must necessarily be closed systems, which must hide certain data from the users to prevent its manipulation. Thus, the source code for DRM systems cannot be scrutinized or altered for improvement, nor can it be used freely. These DRM systems are now being implemented as a part of browsers and other software components instead of as additional plug-ins. A CDM so implemented potentially has unrestricted access to a user’s computer and information, which can be exploited. Closed-source DRM software makes users’ systems vulnerable to security flaws which cannot be easily audited, and in many jurisdictions, these flaws cannot be exposed without potentially attracting legal liability under anti-circumvention laws.

This is effectively the situation under the US Digital Millennium Copyright Act, which can be used to prohibit circumvention of DRM, even for security research. Recently, a proposal was floated within the W3C for members to agree to a ‘non-aggression’ covenant, i.e. to agree to not prosecute security researchers for circumventing DRM. However, this proposal was rejected, exacerbating fears of the misuse of anti-circumvention laws under the EME systems. While India, on the other hand, more sensibly restricts its anti-circumvention measures (under Section 65A of the Copyright Act) to the intentional violation of statutory rights under the Copyright Act, a recent Delhi High Court decision implies that protection to security researchers under Indian law is precarious.

Implementing closed source CDMs in a system would also imply that the browser cannot be entirely open source, as this would reveal the working of the CDM. This can potentially have the cascading effect of browsers being required to be closed source, unless the closed-source component is specifically isolated. While some browsers like Mozilla Firefox have attempted to find a workaround by isolating the CDM component to limit its interference with a user’s system, even this mechanism does not entirely allow for the software to be freely implemented and/or altered.

DRM also poses access and interoperability concerns, particularly since DRM systems (the CDMs) are mostly proprietary and cannot be freely implemented by browsers. There are several different kinds of DRM systems for encrypting content, and several methods of decryption using CDMs. For example, Google could choose to only enable Chrome (its proprietary browser) with its proprietary Widevine CDM required to decrypt YouTube videos, to the detriment of other browsers. Further, websites and web-developers would have to ensure cross-compatibility of browsers and the system used to decrypt the media, which creates difficulties with the proliferation of different kinds of CDMs.
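The cross-compatibility burden described above, as an added example that is not part of the original post: through the EME API (`navigator.requestMediaKeySystemAccess`), a page has to ask each browser which CDMs it can reach and fall back accordingly. The key-system list, the sample configuration, the helper names and the mock navigator are assumptions constructed for illustration.

```javascript
// Added example: ask the browser, via EME, which CDMs (key systems) it exposes.
const KEY_SYSTEMS = [
  'com.widevine.alpha',      // Google Widevine
  'com.microsoft.playready', // Microsoft PlayReady
  'org.w3.clearkey',         // Clear Key, the non-proprietary baseline in the EME spec
];

// Sample configuration (assumption): CENC-packaged H.264 video in MP4.
const SAMPLE_CONFIG = [{
  initDataTypes: ['cenc'],
  videoCapabilities: [{ contentType: 'video/mp4; codecs="avc1.42E01E"' }],
}];

// Returns { keySystem: 'supported' | 'rejected:<ErrorName>' | 'eme-unavailable' }.
async function probeKeySystems(nav, keySystems = KEY_SYSTEMS) {
  const report = {};
  for (const ks of keySystems) {
    if (!nav || typeof nav.requestMediaKeySystemAccess !== 'function') {
      report[ks] = 'eme-unavailable'; // no EME at all (old browser, insecure context)
      continue;
    }
    try {
      // Resolves with a MediaKeySystemAccess only if a matching CDM is reachable.
      const access = await nav.requestMediaKeySystemAccess(ks, SAMPLE_CONFIG);
      report[ks] = access.keySystem === ks ? 'supported' : 'rejected:Mismatch';
    } catch (err) {
      report[ks] = `rejected:${err.name}`; // typically NotSupportedError
    }
  }
  return report;
}

// First key system, in the site's preference order, that the browser can use.
function firstUsable(report, order = KEY_SYSTEMS) {
  return order.find((ks) => report[ks] === 'supported') || null;
}

// Constructed stand-in for a browser that ships only Clear Key (not a real browser).
const mockNavigator = {
  requestMediaKeySystemAccess(ks) {
    if (ks === 'org.w3.clearkey') return Promise.resolve({ keySystem: ks });
    const err = new Error(`no CDM for ${ks}`);
    err.name = 'NotSupportedError';
    return Promise.reject(err);
  },
};

// In a page: probeKeySystems(navigator).then((r) => console.log(r, firstUsable(r)));
```

A browser that lacks the CDM a site insists on shows up here as `rejected:NotSupportedError` for that key system, which is the point at which the site either falls back to another CDM or cannot play the content at all.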

The inevitability of DRM on the web (?)

The organizations and individuals implementing the EME standard understand and accept the concerns that DRM systems pose to user rights and to the design of the web. Sir Tim Berners-Lee publicly declared that the adoption of EME by the W3C was necessary to ensure that DRM-protected media could be played on the web.

This argument is premised on the assumption that content providers are not going to move away from protecting their content through DRM. Several major content providers employ DRM-protected content, and most major browsers already implement EME in some form, and some (like Chrome) have even made it a non-optional feature. Given that a majority of users now watch DRM-protected content, it is important to ensure that these users do not experience difficulties in their use of the web. The proliferation of different mechanisms to play such content would affect interoperability between browsers and make DRM implementation difficult, leading to problems in user experience. However, the development of a standardized mechanism for ensuring that DRM content can be played on browsers at least ensures that the implementation of DRM software can be controlled and overseen by publicly deliberated standards, set under the auspices of the W3C. This would prevent the proliferation of the security and privacy threats which the plug-in architecture posed, as discussed above.

If DRM video is not well supported on the web, endorsers of the EME standard worry that it would push content providers and users away from the web entirely for accessing such content. They argue that native applications (such as those created by Netflix or YouTube), which can support DRM video, would replace the web as the standard tool for accessing this content, which leads users away from using the web as an open and general purpose communication tool and into silos created for specific kinds of content.

The debate ultimately boils down to the role of the W3C and its responsibility towards the future of the web. On the one hand, the EME standard for implementing DRM promotes interoperability and openness in the application of DRM to web content. At the same time, it undermines interoperability and openness for the web as a whole, and therefore, in taking one step forward, it takes two steps back.

W3C standards are important to ensure that the web can be implemented and used universally, without major difference in user experience across browsers or websites, and without the requirement to use multiple platforms for accessing multiple kinds of content. The fact that a web standard now explicitly recognizes and implicitly incorporates a proprietary system which is known to be flawed by design (since it is not auditable), causes deliberate interoperability issues and impedes the openness of software, is far removed from the role and vision of the W3C.

The W3C is also an important commercial platform, since the economies of scale which make internet commerce possible rely upon the broad consumer base that these web standards help create. The W3C could have used its position of substantial influence in the framing of the web to send out a clear message against the use of DRM and its incompatibility with web standards to these industries. In fact, such a compromise was arrived at only a few years ago on a similar issue relating to the protection of proprietary fonts on the internet, when proprietary font designers acceded to not using digital restrictions on their media in order to ensure W3C standardization and the larger market base that it would lead to.

Secondly, acceding to the content industry’s demands for DRM compatibility by implementing a specific DRM-enabling software into web standards sets a dangerous precedent by allowing other DRM-enabling standards to creep in for other media as well, such as books, music, games and other cultural media. While it is true that DRM systems are currently widely employed, rapidly evolving technologies are often at inflection points, which determine whether they stagnate or whether they innovate and evolve. Critics argue that the adoption of EME would entrench a deliberately flawed system into web standards and implicitly endorse its use. By creating an environment where DRM can be made a viable, universal standard implemented on the web, without the encumbering difficulties created by non-standardization, the creative industry is being incentivized towards using DRM systems as a business model as compared to less restrictive and harmful models, such as watermarking. Instead of adopting a stance whereby it resists the encroachment of DRM upon the web, and uses its substantial influence to turn the tide against DRM, the W3C is instead reinforcing its legitimacy by reducing the transaction costs involved in encumbering online media using DRM. As a precedent, this weakens any future stance that the W3C may take against creating standards for implementing DRM content on the web, since, on a principled level, the W3C has already acceded to such a request on the grounds of ease of user experience. This decision could, in fact, result in the W3C losing relevance, particularly if stakeholders unhappy with the decision decide to move away from the W3C standards. This is a situation which has arisen in the past as well, during the W3C’s decision to abandon HTML for XML, when browser developers instead began adopting HTML standards endorsed by a different group known as WHATWG.

Whatever the outcome of the EME proposal, it marks an uncomfortable shift for the future of the open web when the body responsible for an open, user-friendly and user-controlled web, accedes to industry demands for easing the implementation of DRM over objections from other stakeholders.

Further reading on DRM, EME and web standards:

  1. Wendy Seltzer, The Imperfect Is The Enemy Of The Good: Anticircumvention Versus Open User Innovation, (2010).
  2. Pamela Samuelson, DRM {And, Or, Vs.} The Law, 46 Communications Of The ACM, (April, 2003).
  3. Tim Berners-Lee, On EME in HTML5, W3C Blog, (February 28, 2017).
  4. Harsh Gupta, Technical Alternative to Encrypted Media Extensions, Centre for Internet and Society, (October 20, 2016).
  5. EME Factsheet, W3C, (March, 2016).
