As posted on Web gets built-in copy protection hooks with a few key flaws
Like it or not, the web is getting some built-in padlocks. The World Wide Web Consortium has decided to publish Encrypted Media Extensions, a standard for hooking copy protection into web-based streaming video, without making significant changes to a version agreed to in March. While it’s not perfect, the W3C argues (you still need to deal with a vendor’s content decryption module), it’s purportedly better than the make-it-yourself approach media providers have to deal with right now. There do appear to be some improvements to the status quo for digital rights management. However, there are more than a few detractors — there are concerns that the W3C simply ignored concerns in the name of expediency.
The format sets consistent expectations for privacy and security (a company can’t send unnecessary network traffic and must give you the option to clear long-lasting data). It’s theoretically better for competition, too, since streaming newcomers won’t need to make you install a plugin to start watching. EME may also help accessibility for the hearing- or vision-impaired by working at a level where it doesn’t interfere with playback or accessibility info, and it isn’t supposed to prevent use in open source software.
However, it’s evident that the Consortium is punting on some topics. For one thing, there’s no common interface between approaches to decrypting video — the organization would like to have one, but it didn’t want to hold back the initial spec. Likewise, the group didn’t think it was worthwhile to pursue a "covenant" promising that companies wouldn’t abuse the law to crack down on people bypassing EME for legitimate reasons, such as improving accessibility. And what if you want to archive material for posterity? The W3C sees this as a problem with both copyright law and the DRM itself, not the hooks used to integrate that DRM.
And it’s decisions like those that are leaving openness advocates fuming. Cory Doctorow, a digital rights activist who has long opposed virtual copy protection, has pointed out some key problems. Without that covenant, it could be difficult to verify whether or not a company is living up to those privacy and security practices. A company could take legal action against security researchers simply because they showed that you could bypass a given DRM scheme. On top of this, the need for a licensed decryption module may favor incumbents like Netflix or Amazon. Even if money isn’t an issue, the mess of patent licenses could be. They’ll also have to promise to prevent activities that are technically legal, such as watching a movie from one EU country while you’re living in another.
And while the technology doesn’t strictly hinder accessibility efforts, it doesn’t streamline them either. You can’t automatically flag sections of a show that might trigger epileptic seizures, for instance, since the DRM would prevent it.
There are hints that the W3C will improve the extensions in an eventual revision, and organizations like the Electronic Frontier Foundation hope to appeal the decision. Both of those processes could take a long time, however, so you could see streaming services implementing this first take on EME for a long while before there are any tweaks. While the format is unlikely to do much damage to the openness of the internet (it’s not as if most providers were streaming unprotected video before), it’s far from ideal.