[encrypted-media] Formal Objection: EME should be 'off by default'

hhalpin has just created a new issue for https://github.com/w3c/encrypted-media:

== Formal Objection: EME should be 'off by default'  ==
As my previous formal objection and clear suggestion for a spec improvement was ignored (and closed) without my express agreement (https://github.com/w3c/encrypted-media/issues/304), I'd like to re-open the Formal Objection.

Again, *normative* text that require user consent would help address the security and privacy concerns over the EME. It should be added in the Security Section part of the current EME spec: https://www.w3.org/TR/encrypted-media/#security

"A conforming implementation of this specification MUST ensure that this API cannot be used without the user's express permission due to the inherent risks in the activation of a CDM in a user agent. The API MUST be disabled by default, and should only be activated when the user gives express consent and is fully informed on a per-origin basis.

In particular, this is stronger text than is currently included in the specificaton, as this text does mandate off by default (uses MUST) and notes that an EME-enabled Key System always presents security concerns that are greater other user agent features (due to DMCA).

Indeed, I am stating that a user MUST be informed at least once and explicitly agree *before* EME is activated for any use, and, if not already pre-installed in the OS, the black box of CDM is sent and activated on their device.

I do not agree with the argument that user fatigue means that the user should not be informed. This ended up not being the case with WebRTC, a very frequently used API. Compared to WebRTC, I am only asking a user MUST give explicit consent at least once.

Worse, it appears since my original objection that Chrome has made some moves to making EME/DRM on by default and mandatory since my initial objection (http://boingboing.net/2017/01/30/google-quietly-makes-optiona.html), and difficult if not impossible to turn off. This is frankly unacceptable from a security and privacy standpoint, as well as from the viewpoint of user control and fundamental rights. 

The arguments from W3C PR and the HME WG that a 'sandbox' is somehow a magical solution to user concerns over security and privacy with DRM is equally incorrect. Browsers, including in particular sandboxes, routinely have vulnerabilities (https://venturebeat.com/2016/03/18/pwn2own-2016-chrome-edge-and-safari-hacked-460k-awarded-in-total/). There is plenty of evidence that no sandbox is secure, including those put around CDMs. For an evidence, see the recent pwn2own results, and we should expect more hacks soon particularly on the kinds of DRM enabled by EME.

This is explicitly different in scope and effect from : #288 and #332, as the latter does not acknowledge that there are always security concerns with DRM/EME and therefore is far too vague by not requiring implementers to give users control. 

I look forward to an actual response from the HME Working Group. If a response is not given, I believe there is clear violation of W3C process in ignoring of a rather reasonable demand to protect users. The supposed loss of user engagement from a single 'enabling' click hurts only the profit margins of a few  copyright holders, while DRM/EME poses a security threat to all users. It should not be silently installed and then made difficult, if not impossible, to turn off.




Please view or discuss this issue at https://github.com/w3c/encrypted-media/issues/386 using your GitHub account

Received on Monday, 10 April 2017 17:06:52 UTC