Re: A potential compromise on EME?

From: Cory Doctorow <cory@eff.org>
Date: Thu, 29 Jun 2017 05:48:17 -0700
To: Jeff Jaffe <jeff@w3.org>, Mark Watson <watsonm@netflix.com>
Cc: Joseph Lorenzo Hall <joe@cdt.org>, Tim Berners-Lee <timbl@w3.org>, w3c-ac-forum <w3c-ac-forum@w3.org>, "public-html-media@w3.org" <public-html-media@w3.org>
Message-ID: <67807f0c-43e8-650b-2e92-bdad194968d9@eff.org>
Jeff, I think there's a significant difference, which is that Joe's
proposal is the first one to date -- since the initial covenant -- that
would materially improve EME.

Cory

On 06/28/2017 06:28 PM, Jeff Jaffe wrote:
> Joe,
> 
> I appreciate your continued efforts to find a place in the middle on
> this issue.
> 
> As Mark points out, variations on this theme have been proposed before.
> 
> As you can see from the thread, neither Netflix nor EFF support this. 
> Unfortunately, there have been several compromise proposals that have
> been floated, but none were able to get traction.
> 
> Jeff
> 
> 
> On 6/28/2017 7:43 PM, Mark Watson wrote:
>>
>>
>> On Wed, Jun 28, 2017 at 4:25 PM, Cory Doctorow <cory@eff.org> wrote:
>>
>>     Hey, Joe! Thank you for this. I think it's notable for being only the
>>     second time that an actual meaningful compromise has been offered in
>>     respect of EME, DRM and anti-circumvention liability (the other one was
>>     EFF's initial proposal for a wider-scoped covenant).
>>
>>
>> It's similar to the proposal made by Yandex when this was first
>> discussed more than a year ago. There was little interest then.
>>  
>>
>>
>>     That is to say, this is the first proposal since the initial covenant
>>     that actually would affect how EME interacted with the world -- as opposed
>>     to voluntary, nonbinding policy working groups whose (again, nonbinding)
>>     work product wouldn't even be ready when and if EME was published.
>>
>>     EFF is very supportive of the idea of immunizing security researchers
>>     from liability for revealing defects in browsers, even if they do so
>>     without permission from vendors. Indeed, no immunity is required if
>>     permission is granted, to say nothing of the fact that it's absurd to
>>     say that companies should EVER get to decide who/when/how defects in
>>     their products can be revealed.
>>
>>     With all that said, we can't support this. If a W3C standard creates new
>>     legal rights for its members -- the right to stop people from uttering
>>     true facts about defects in products, to stop people who adapt technology
>>     for people with disabilities, to kill competing interoperable products,
>>     then the W3C should take every feasible step to undo this unintended
>>     consequence of its standardisation.
>>
>>     New legal rights from technical standards are bugs, not features. CDT's
>>     proposal starts from the premise that the W3C has it in its power to
>>     limit the exercise of anti-circumvention laws, but stops short of the
>>     obvious use of that power: preventing the use of anti-circumvention
>>     except when there is some bona fide cause of action, such as copyright
>>     infringement, theft of trade secrets, or tortious interference.
>>
>>     Standards should be a means of maximizing interoperability, not a
>>     coercive tool for firms to punish competitors who engage in lawful
>>     conduct.
>>
>>     But we are very interested in what other members say about this. The
>>     very narrow covenant you've described falls short of addressing the
>>     concerns of the wider security community (vulnerabilities that don't
>>     impact the privacy dimension are still vulnerabilities that can be used
>>     to attack literally billions of web users!), and is totally silent on
>>     the question of accessibility.
>>
>>     But the DRM advocates in the W3C -- and the Director -- have
>>     consistently said that W3C-standardized DRM is better than
>>     industry-based, ad-hoc DRM because the former creates meaningful privacy
>>     protections that the industry wouldn't bother with, left to its own
>>     devices.
>>
>>     If industry promises privacy, but won't swear not to punish people who
>>     reveal that their privacy promise has been broken, then they're not
>>     promising much of anything.
>>
>>     Which is why we're very interested in hearing what entertainment
>>     industry members like Netflix, Cable Labs, Comcast, RIAA and the MPAA,
>>     as well as DRM vendors and implementers like Adobe, Google, Apple,
>>     Microsoft and Mozilla have to say about this.
>>
>>
>> I don't have anything new to say. So - for once - I am going to
>> refrain from repeating what I have said before.
>>
>> ...Mark
>>
>>  
>>
>>
>>     Thanks,
>>
>>     Cory
>>
>>
>>     On 06/28/2017 02:50 PM, Joseph Lorenzo Hall wrote:
>>     > I would like to propose a compromise on the issue of EME going forward
>>     > that I think might make both sides, so to speak, a bit sad and a bit
>>     > happy at the same time:
>>     >
>>     > The idea would be to adopt a covenant, but make it very narrow.
>>     >
>>     > That is, we would essentially limit the scope of a litigation
>>     > non-aggression covenant to specifically cover privacy and security
>>     > researchers examining implementations of w3c specifications for
>>     > privacy and security flaws. For example, the batteryStatus research
>>     > from Lukasz and Arvind (and subsequent pulling of that feature from
>>     > browsers) is a good example of the kind of work we want to make sure
>>     > researchers know they will face little risk working on:
>>     >
>>     > http://randomwalker.info/publications/battery-status-case-study.pdf
>>     >
>>     > Since there were so many objections (23 I believe), the Director has a
>>     > firm basis for saying that there is definitely substantial support
>>     > for a covenant here, but by limiting the scope of the covenant to a
>>     > very narrow set of activities related to discovering privacy and
>>     > security flaws in implementations of w3c specifications, the covenant
>>     > will be less open-ended to those opposed to the covenant and gets to
>>     > the heart of a core concern of the supporters (security research
>>     > protections).
>>     >
>>     > This may be a crazy idea, but I think it could actually move things
>>     > forward (it is a typical CDT answer: everyone will be a little upset,
>>     > rather than some people being very very upset and some not at all).
>>     >
>>     > I'd of course welcome thoughts as this strikes me as a very unusual
>>     > place for w3c members and w3m to be in.
>>     >
>>     > Cheers, Joe
>>     >
>>     --
>>
>>     FOR PUBLIC SAFETY REASONS, THIS EMAIL HAS BEEN INTERCEPTED BY YOUR
>>     GOVERNMENT AND WILL BE RETAINED FOR FUTURE ANALYSIS
>>
>>     --
>>
>>     Cory Doctorow
>>     Apollo 1201 Project
>>
>>     cory@eff.org <mailto:cory@eff.org>
>>
>>     For avoidance of doubt: This email does not constitute permission
>>     to add
>>     me to your mailing list.
>>
>>     READ CAREFULLY. By reading this email, you agree, on behalf of your
>>     employer, to release me from all obligations and waivers arising from
>>     any and all NON-NEGOTIATED  agreements, licenses, terms-of-service,
>>     shrinkwrap, clickwrap, browsewrap, confidentiality, non-disclosure,
>>     non-compete and acceptable use policies ("BOGUS AGREEMENTS") that
>>     I have
>>     entered into with your employer, its partners, licensors, agents and
>>     assigns, in perpetuity, without prejudice to my ongoing rights and
>>     privileges. You further represent that you have the authority to
>>     release
>>     me from any BOGUS AGREEMENTS on behalf of your employer.
>>
>>     As is the case with every email you've ever received, this email
>>     has not
>>     been scanned for all known viruses.
>>
>>     Duh.

Received on Thursday, 29 June 2017 12:49:03 UTC
