“Consumer Advocates” Oppose Web Standard That Would Improve Privacy and Convenience

April 21, 2017


For those who follow the exciting world of web standards, this week was an important milestone. The W3C, an international web standards-setting body, has taken the penultimate step towards standardizing the way in which content protected by digital rights management (or DRM, a technology used to prevent content from being illegally pirated) is delivered to users. The standard—called encrypted media extensions (EME)—allows web browsers to play DRM-protected multimedia using HTML5, which means users will no longer need to download a third-party media plugin, such as Adobe Flash or Microsoft Silverlight, when watching videos on sites like Hulu or Netflix. Unfortunately, this standard has sparked outrage among certain anti-DRM advocacy groups who claim to be fighting for users’ interests, even though their proposed course of action would kill off an important advancement in web standards that would improve consumer privacy and convenience.

To appreciate the significance of this development, it is important to understand how video streaming on the Internet has changed in recent years. Until a few years ago, Adobe Flash was the de facto standard for displaying web videos on sites like YouTube. The problem with this setup was that browsers could not natively display video—they had to download a separate plugin to do so, these plugins were notoriously slow and buggy, and, since they did not control this code, web browser developers had their hands tied. Anyone who has ever had their browser crash or received an error about not having the latest version of a plugin when trying to watch a video can relate to this frustration. Moreover, not all devices, especially mobile devices, supported plugins like Adobe Flash. With the introduction of HTML5, multimedia playback was integrated directly into the web browser and could be viewed on all devices.

HTML5 has quickly grown to be the most popular way to display videos on the web. But until recently, it had one serious limitation: It did not natively support DRM. This meant that any business selling or renting video content that is at high risk of piracy, such as TV shows and movies, had to use something other than HTML5 to distribute its content. So if you wanted to watch cat videos you were in luck, but if you wanted to stream Game of Thrones on HBO GO you would either need to download a plugin or install an app to watch. EME solves that problem.

Perhaps even more importantly, EME improves both functionality and security for Internet users. It improves functionality because the media player is no longer tied to the DRM-protected content. Previously, users were limited to using the media player integrated with the software plugin needed to decrypt DRM-protected content. This meant that certain features, such as pausing or fast-forwarding, might be missing, and the user experience varied across different sites. EME circumvents these issues because it is only responsible for handling any DRM-protected content. In fact, EME is really just an API (i.e., a software interface) to interact with another piece of software called the content decryption module (CDM), which does the decryption. The CDM is a small piece of code that is trusted by copyright holders to securely decrypt DRM-protected content and pass it on to the browser’s media player.
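
To make the API-versus-CDM split concrete, here is an added example (not part of the original article) using Clear Key, the key system defined in the EME specification itself. The function names, the `keyStore` map, and the sample codec string are assumptions for illustration; the page script only relays messages between the CDM and a license source and never performs decryption.

```javascript
// Added illustration, not code from the article. Key IDs and keys are
// base64url strings; any values used with these functions are sample data.

// License side of Clear Key. The CDM's request is JSON of the form
// {"kids":["<base64url key id>", ...],"type":"temporary"} and the reply
// is a JWK set carrying one symmetric ("oct") key per requested key ID.
function buildClearKeyLicense(requestBytes, keyStore) {
  const request = JSON.parse(new TextDecoder().decode(requestBytes));
  if (!Array.isArray(request.kids)) {
    throw new Error("malformed license request");
  }
  const keys = request.kids.map((kid) => {
    const k = keyStore.get(kid);
    if (k === undefined) throw new Error("no key for kid " + kid);
    return { kty: "oct", kid, k };
  });
  return new TextEncoder().encode(JSON.stringify({ keys, type: "temporary" }));
}

// Browser side (runs only in a browser with EME support). The script asks
// for a key system, attaches it to the <video> element, and then shuttles
// the CDM's license request and the license reply back and forth.
async function attachClearKey(video, keyStore) {
  const access = await navigator.requestMediaKeySystemAccess("org.w3.clearkey", [{
    initDataTypes: ["cenc", "keyids"],
    videoCapabilities: [{ contentType: 'video/mp4; codecs="avc1.42E01E"' }],
  }]);
  await video.setMediaKeys(await access.createMediaKeys());

  // Fired when the player meets encrypted media and needs a key.
  video.addEventListener("encrypted", async (ev) => {
    const session = video.mediaKeys.createSession();
    session.addEventListener("message", async (msg) => {
      // msg.message is the license request generated inside the CDM.
      const license = buildClearKeyLicense(new Uint8Array(msg.message), keyStore);
      await session.update(license); // hand the license back to the CDM
    });
    await session.generateRequest(ev.initDataType, ev.initData);
  });
}
```

With a commercial CDM the same calls are used, but the request and license are opaque blobs exchanged with a remote license server rather than readable JSON.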

EME improves security because the CDM can be siloed from the rest of the browser and computer. For example, Mozilla implemented EME in its Firefox browser using an open-source “sandbox” that only allows the CDM to pass along the content to the browser, but nothing else. This means that even if there are security flaws with the CDM, the impact of those flaws will be limited. This is a big improvement compared to using video plugins. For example, there have been over 1,000 reported vulnerabilities in Adobe Flash Player, and these vulnerabilities put users’ computers and data at risk of being compromised by malware.

From copyright holders’ perspective, the goal of EME is to prevent malicious users from making unauthorized copies of their content. But EME also holds promise for increasing security for other applications outside of accessing DRM-protected multimedia. For example, patients may want to ensure that when they are viewing their medical records online using their home PCs no malware is surreptitiously scraping their health information. EME is a model for how future “secure containers” might be developed for temporarily accessing sensitive information.

Given all these benefits, it is no surprise that EME has been welcomed in most quarters. For example, the major web browsers—Google Chrome, Internet Explorer, Safari, Opera, and Firefox—have rapidly adopted EME ahead of the W3C formally adopting the standard, and Tim Berners-Lee, inventor of the Web, has expressed support.

But not everyone is on board. The EME standard has faced fierce resistance from certain advocacy groups who bristle, not so much at the standard, but at the very idea of protecting copyright online through DRM. For example, the Electronic Frontier Foundation (EFF), a notoriously anti-DRM advocacy group, did not mince words when it likened the W3C to an “arms-dealer supplying multinational companies with the materiel they need to rule the web.” The Free Software Foundation (FSF), an advocate of open-source software, staged protests against the W3C for considering the EME standard, and FSF’s founder, Richard Stallman, publicly declared “We must destroy DRM. There can be no peace with DRM.”

While these militant attitudes are to be expected from some of the more fringe and narrowly focused advocacy groups, they have begun to color the opinions of more mainstream organizations like the United Nations Educational, Scientific and Cultural Organization (UNESCO). Frank La Rue, the Assistant Director-General of Communication and Information at UNESCO, recently sent a letter to W3C expressing disapproval of the standard. He wrote “[standardized EME incorporated in the browser] could possibly undercut the use of circumvention tools to access content that is illegitimately restricted” (emphasis added). So his main objection seemed to be that EME would be effective in reducing unauthorized use of content (which is known to everyone else as piracy).

There are legitimate conversations to be had about how to make sure that DRM-protected content is still available for fair use or that this content is accessible for people with disabilities, but the lion’s share of the opposition to EME is based more on an ideological and visceral opposition to DRM and legitimate protections for copyright holders. Fortunately, it appears that the W3C is prepared to maintain its technocratic approach to setting standards and dismiss the populist outrage ginned up by EFF, FSF and their ilk. Going forward, UNESCO and others should pursue a similar course.