
Re: A potential compromise on EME?

From: Cory Doctorow <cory@eff.org>
Date: Wed, 28 Jun 2017 16:48:19 -0700
To: Mark Watson <watsonm@netflix.com>
Cc: Joseph Lorenzo Hall <joe@cdt.org>, Tim Berners-Lee <timbl@w3.org>, w3c-ac-forum <w3c-ac-forum@w3.org>, "public-html-media@w3.org" <public-html-media@w3.org>
Message-ID: <119ce817-70ff-91b9-76d0-2fda90f8bcca@eff.org>


On 06/28/2017 04:43 PM, Mark Watson wrote:
> 
> 
> On Wed, Jun 28, 2017 at 4:25 PM, Cory Doctorow <cory@eff.org> wrote:
> 
>     Hey, Joe! Thank you for this. I think it's notable for being only the
>     second time that an actual meaningful compromise has been offered in
>     respect of EME, DRM and anti-circumvention liability (the other one was
>     EFF's initial proposal for a wider-scoped covenant).
> 
> 
> It's similar to the proposal made by Yandex when this was first
> discussed more than a year ago. There was little interest then.
>  

Was that one binding?

> 
> 
>     That is to say, this is the first proposal since the initial covenant
>     that actually would affect how EME interacted with the world -- as opposed
>     to voluntary, nonbinding policy working groups whose (again, nonbinding)
>     work product wouldn't even be ready when and if EME was published.
> 
>     EFF is very supportive of the idea of immunizing security researchers
>     from liability for revealing defects in browsers, even if they do so
>     without permission from vendors. Indeed, no immunity is required if
>     permission is granted, to say nothing of the fact that it's absurd to
>     say that companies should EVER get to decide who/when/how defects in
>     their products can be revealed.
> 
>     With all that said, we can't support this. If a W3C standard creates new
>     legal rights for its members -- the right to stop people from uttering
>     true facts about defects in products, to stop people who adapt technology
>     for people with disabilities, to kill competing interoperable products,
>     then the W3C should take every feasible step to undo this unintended
>     consequence of its standardisation.
> 
>     New legal rights from technical standards are bugs, not features. CDT's
>     proposal starts from the premise that the W3C has it in its power to
>     limit the exercise of anti-circumvention laws, but stops short of the
>     obvious use of that power: preventing the use of anti-circumvention
>     except when there is some bona fide cause of action, such as copyright
>     infringement, theft of trade secrets, or tortious interference.
> 
>     Standards should be a means of maximizing interoperability, not a
>     coercive tool for firms to punish competitors who engage in lawful
>     conduct.
> 
>     But we are very interested in what other members say about this. The
>     very narrow covenant you've described falls short of addressing the
>     concerns of the wider security community (vulnerabilities that don't
>     impact the privacy dimension are still vulnerabilities that can be used
>     to attack literally billions of web users!), and is totally silent on
>     the question of accessibility.
> 
>     But the DRM advocates in the W3C -- and the Director -- have
>     consistently said that W3C-standardized DRM is better than
>     industry-based, ad-hoc DRM because the former creates meaningful privacy
>     protections that the industry wouldn't bother with, left to its own
>     devices.
> 
>     If industry promises privacy, but won't swear not to punish people who
>     reveal that their privacy promise has been broken, then they're not
>     promising much of anything.
> 
>     Which is why we're very interested in hearing what entertainment
>     industry members like Netflix, Cable Labs, Comcast, RIAA and the MPAA,
>     as well as DRM vendors and implementers like Adobe, Google, Apple,
>     Microsoft and Mozilla have to say about this.
> 
> 
> I don't have anything new to say. So - for once - I am going to refrain
> from repeating what I have said before.
> 
> ...Mark
> 
>  
> 
> 
>     Thanks,
> 
>     Cory
> 
> 
>     On 06/28/2017 02:50 PM, Joseph Lorenzo Hall wrote:
>     > I would like to propose a compromise on the issue of EME going forward
>     > that I think might make both sides, so to speak, a bit sad and a bit
>     > happy at the same time:
>     >
>     > The idea would be to adopt a covenant, but make it very narrow.
>     >
>     > That is, we would essentially limit the scope of a litigation
>     > non-aggression covenant to specifically cover privacy and security
>     > researchers examining implementations of w3c specifications for
>     > privacy and security flaws. For example, the batteryStatus research
>     > from Lukasz and Arvind (and subsequent pulling of that feature from
>     > browsers) is a good example of the kind of work we want to make sure
>     > researchers know they will face little risk working on:
>     >
>     > http://randomwalker.info/publications/battery-status-case-study.pdf
>     >
>     > Since there were so many objections (23 I believe), the Director has a
>     > firm basis for saying that there is definitely substantial support
>     > for a covenant here, but by limiting the scope of the covenant to a
>     > very narrow set of activities related to discovering privacy and
>     > security flaws in implementations of w3c specifications, the covenant
>     > will be less open-ended to those opposed to the covenant and gets to
>     > the heart of a core concern of the supporters (security research
>     > protections).
>     >
>     > This may be a crazy idea, but I think it could actually move things
>     > forward (it is a typical CDT answer: everyone will be a little upset,
>     > rather than some people being very very upset and some not at all).
>     >
>     > I'd of course welcome thoughts as this strikes me as a very unusual
>     > place for w3c members and w3m to be in.
>     >
>     > Cheers, Joe
>     >
>     --
> 
>     FOR PUBLIC SAFETY REASONS, THIS EMAIL HAS BEEN INTERCEPTED BY YOUR
>     GOVERNMENT AND WILL BE RETAINED FOR FUTURE ANALYSIS
> 
>     --
> 
>     Cory Doctorow
>     Apollo 1201 Project
> 
>     cory@eff.org
> 
>     For avoidance of doubt: This email does not constitute permission to add
>     me to your mailing list.
> 
>     READ CAREFULLY. By reading this email, you agree, on behalf of your
>     employer, to release me from all obligations and waivers arising from
>     any and all NON-NEGOTIATED  agreements, licenses, terms-of-service,
>     shrinkwrap, clickwrap, browsewrap, confidentiality, non-disclosure,
>     non-compete and acceptable use policies ("BOGUS AGREEMENTS") that I have
>     entered into with your employer, its partners, licensors, agents and
>     assigns, in perpetuity, without prejudice to my ongoing rights and
>     privileges. You further represent that you have the authority to release
>     me from any BOGUS AGREEMENTS on behalf of your employer.
> 
>     As is the case with every email you've ever received, this email has not
>     been scanned for all known viruses.
> 
>     Duh.
>     --
> 
>     FOR PUBLIC SAFETY REASONS, THIS EMAIL HAS BEEN INTERCEPTED BY YOUR
>     GOVERNMENT AND WILL BE RETAINED FOR FUTURE ANALYSIS
> 
>     --
> 
>     Cory Doctorow
>     doctorow@craphound.com
>     Wickr: doctorow
> 
>     For avoidance of doubt: This email does not constitute permission to add
>     me to your mailing list.
> 
>     blog: boingboing.net
>     upcoming appearances: craphound.com/?page_id=4667
>     books (novels, collections graphic novels, essay collections):
>     craphound.com
>     latest novel: Walkaway
>     latest nonfiction: Information Doesn't Want to Be Free
>     latest graphic novel: In Real Life
>     podcast: feeds.feedburner.com/doctorow_podcast
>     latest YA novel: Homeland craphound.com/homeland
>     latest short story collection: Expanded Overclocked
> 
>     Join my mailing list and find out about upcoming books, stories,
>     articles and appearances:
> 
>     http://www.ctyme.com/mailman/listinfo/doctorow
> 
>     READ CAREFULLY. By reading this email, you agree, on behalf of your
>     employer, to release me from all obligations and waivers arising from
>     any and all NON-NEGOTIATED  agreements, licenses, terms-of-service,
>     shrinkwrap, clickwrap, browsewrap, confidentiality, non-disclosure,
>     non-compete and acceptable use policies ("BOGUS AGREEMENTS") that I have
>     entered into with your employer, its partners, licensors, agents and
>     assigns, in perpetuity, without prejudice to my ongoing rights and
>     privileges. You further represent that you have the authority to release
>     me from any BOGUS AGREEMENTS on behalf of your employer.
> 
>     As is the case with every email you've ever received, this email has not
>     been scanned for all known viruses.
> 
>     Duh.
> 
> 




Received on Wednesday, 28 June 2017 23:48:57 UTC
