- From: Harry Halpin <hhalpin@w3.org>
- Date: Tue, 16 Aug 2016 13:28:16 +0200
- To: Paul Cotton <Paul.Cotton@microsoft.com>
- Cc: "public-html-media@w3.org" <public-html-media@w3.org>
- Message-ID: <43bfd6d2-c008-0495-738f-849e11ae830e@w3.org>
On 08/13/2016 05:05 PM, Paul Cotton wrote: > > Note that I am responding to an email and proposal from Harry from > earlier in this thread. > > https://lists.w3.org/Archives/Public/public-html-media/2016Aug/0005.html > > > > >The text I would add to the EME spec would be similar: > > > > >"A conforming implementation of this specification MUST ensure that this > > >API cannot be used without the user's express permission due to the > > >inherent risks in the activation of a CDM in a user agent. The API MUST > > >be disabled by default, and should only be activated when the user gives > > >express consent and is fully informed on a per-origin basis." > > > > This request would appear to be (at least partially) covered by the > existing text in the EME CR: > > http://www.w3.org/TR/encrypted-media/#navigator-extension-requestmediakeysystemaccess > > > > *3.1.1 Methods* > > *requestMediaKeySystemAccess* > > Note > > Calling this method may have /user-visible effects/, including > requests for user consent. This method should only be called when the > author intends to create and use a *MediaKeys* > <http://www.w3.org/TR/encrypted-media/#idl-def-MediaKeys> object with > the provided configuration. > > Requests access to the specified Key System > <http://www.w3.org/TR/encrypted-media/#key-system>. When > supportedConfigurationsis specified, the configuration specified by at > least one of its elements must be supported. The resulting > *MediaKeySystemAccess* > <http://www.w3.org/TR/encrypted-media/#idl-def-MediaKeySystemAccess> > will correspond to the first such element. > > Any permission checks or user interaction, such as a prompt, MUSTbe > performed before resolving the promise. > > Were you aware of this text in the EME specification? Can you live > with the current text since changing this text to be normative and > changing it to a MUST (I believe) would be a “breaking change” and > would require that we re-publish another EME CR? > > > > /paulc > > HME WG Chair > Paul, Thanks for noting 'use-visible effects' but it does not either explicitly 1) require a user-visible effect for fully informing the user" and "gaining their consent" as well "turning off EME by default". Simply put, the text you are noting says MAY have user-visible effects and as so is too weak to include in a test-suite or support EME being off by default. So, it does not cover my objection, which normatively requires much stronger text, including "off by default". So, no I can't live with that text and require the change (or a semantically equivalent one) that I suggest in the github repo and e-mail list: https://github.com/w3c/encrypted-media/issues/304 Thus, my formal objection still stands. cheers, harry > > > > > *From:*Harry Halpin [mailto:hhalpin@w3.org] > *Sent:* Tuesday, August 2, 2016 5:00 AM > *To:* public-html-media@w3.org > *Subject:* Re: Formal objection to Encrypted Media Extensions > progressing to Proposed Recommendation without greater user protection > > > > > > > > On 08/02/2016 03:00 AM, Paul Cotton wrote: > > > An individual who registers a Formal Objection /should/ cite > technical arguments and propose changes that would remove the > Formal Objection; > > http://www.w3.org/2015/Process-20150901/#WGArchiveMinorityViews > > > > Before I record your formal objection at [1] I would like to > ensure that your “proposed change” for your objection is understood. > > > There is prior art in HTML for similarly powerful and > privacy-invasive features such as the Geolocation API [4]. Thus, > there should be no procedural problem in requiring user consent > and disabling EME by default in all browsers. > > > > The reference you provide as a “prior art” precedent in [4] is in > a non-normative section of Geolocation API and it does NOT disable > the Geolocation API by default. Can you explain why you think > this reference is useful here? Are you suggesting similar text be > added to EME? If so could you suggest exact text that would > remove your formal objection? > > > The exact phrasing is " A conforming implementation of this > specification must provide a mechanism that protects the user's > privacy and this mechanism should ensure that no location information > is made available through this API without the user's express permission" > > To clarify, I agree that the spec should have used capitalization: " A > conforming implementation of this specification MUST provide a > mechanism that protects the user's privacy and this mechanism should > ensure that no location information is made available through this API > without the user's express permission." > > However, I do believe that all browsers *do* indeed ask for user > consent before using the Geolocation API and that it is disabled by > default, which is clear prior art for EME. This is indeed the case on > the browsers I use, but if others activate Geolocation API without > user consent, please do inform me, as I don't use Microsoft products. > > The text I would add to the EME spec would be similar: > > "A conforming implementation of this specification MUST ensure that > this API cannot be used without the user's express permission due to > the inherent risks in the activation of a CDM in a user agent. The API > MUST be disabled by default, and should only be activated when the > user gives express consent and is fully informed on a per-origin basis." > > Given there is already a place where user consent MUST be asked in the > EME spec (" User agents must ensure that users are fully informed > and/or give explicit consent before Distinctive Identifier(s) are > exposed, such as in messages from the Key System implementation"), > there is no reason why this MUST can't be broadened. I would also > remove the "or." The user must be fully informed AND give explicit > consent. > > Furthermore, given this normative, testing for express user consent on > a per-origin basis should be part of the test-suite. > > cheers, > harry > > > > > > > /paulc > > HME WG Chair > > > > [1] https://dev.w3.org/html5/status/formal-objection-status.html > > > > *From:*Harry Halpin [mailto:hhalpin@w3.org] > *Sent:* Monday, August 1, 2016 6:42 PM > *To:* public-html-media@w3.org <mailto:public-html-media@w3.org> > *Subject:* Formal objection to Encrypted Media Extensions > progressing to Proposed Recommendation without greater user protection > > > > [Note this is a formal objection as an individual in a private > capacity, not on behalf of my organization] > > I'd like to fill a formal objection against Encrypted Media > Extensions progressing to Proposed Recommendation status without > adequate protection for users. > > I believe that this work is so problematic given the well-known > and well-documented problems with DRM, it should not happen as a > standard at all at W3C. That being said, for reasons which I do > not agree with and hope he reconsiders, the Director has approved > both the scope of the charter and the move of the Working Draft to > Candidate Recommendation. > > If it does happen, then it seems given the well-documented > problems, some harm mitigation should be pursued. The security > research community has broad support for the EFF covenant being a > normative requirement [1]. However, it appears consensus is not > forthcoming on either EME itself or the EFF covenant, with the > Technology and Policy IG also failing to gain any consensus for > even further discussion (as it failed to even get chartered). > > To myself, the danger of EME is that over the last year suddenly > over millions of people had a content decryption module installed > without their explicit consent on their computer. For many users, > such as those of Firefox, the DCM was installed via a silent > update they had no control over. Such a content decryption module > can serve as both a technical security risk, as it puts a highly > privileged process in the user's computer outside their direct > control by design, and as a legal risk subjects any inspection of > the DRM-enabled system on their computer due to the > anti-circumvention provision of the DMCA or local equivalent. > Thus, regardless of whether or not one agrees with EME, it seems > the *least* the W3C should do is warn the user about the > installation and activation of a CDM on their machine - and that > the CDM should not be installed and EME should not be activated > without explicit user consent. Thus, in all configurations, EME > should be *de-activated by default.* > > There is prior art in HTML for similarly powerful and > privacy-invasive features such as the Geolocation API [4]. Thus, > there should be no procedural problem in requiring user consent > and disabling EME by default in all browsers. While it can be > argued many users will want to watch protected videos and will > turn them on, just as many users will want to use Google Maps with > Geolocation APIs, there does not seem to be a reasonable case for > having such > powerful and possibly dangerous features enabled by default. > > Current language in the spec is so weak as it may not be enforced > and so EME does not have to be disabled by default: " User Agents > have some flexibility to determine whether consent is required for > a specific configuration and whether such consent may also apply > to other configurations. For example, consent to one configuration > may also imply consent for less powerful, more restricted > configurations. Equally, a denial of consent for one configuration > may imply denial of consent for more powerful, less restricted > configurations." > > The only place where the spec [5] makes normative statements > around consent, but due to how DRM (i.e. Key Systems) are > designed, it is unclear how the user agent should interpret these > statements > > "If a user agent chooses to support a Key System implementation > that cannot be sufficiently sandboxed or otherwise secured, the > user agent//should ensure that users are fully informed and/or > give explicit consent before loading or invoking it." > > "User Agents should ensure that users are fully informed and/or > give explicit consent before a Key System that presents security > concerns that are greater than other user agent features (e.g. DOM > content) may be accessed by an origin..." > > " User agents must ensure that users are fully informed and/or > give explicit consent before Distinctive Identifier(s) are > exposed, such as in messages from the Key System implementation." > > Although these statements show some progress towards trying to > mitigate the dangers of DRM, given that DRM systems work in > conjunction with anti-circumvention legislation that prevents a > developer from knowing whether or not they can sufficiently > sandboxed (or 'otherwise secured') and whether a Distinctive > Identifier is used by the DRM system, so the use of EME will > *always* present security concerns that are greater than the rest > of the user agent features involving the Open Web Platform. > > Is the Working Group amendable to having EME and associated DRM > systems (i.e. "Key Systems") *normatively* disabled by default in > order to protect users? > > cheers, > harry > > [1] > https://www.eff.org/deeplinks/2016/03/security-researchers-tell-w3c-protect-researchers-who-investigate-browsers > [2] > https://en.wikipedia.org/wiki/Digital_rights_management#Opposition_to_DRM > [3] > https://en.wikipedia.org/wiki/Digital_rights_management#Shortcomings > [4] > https://www.w3.org/TR/geolocation-API/#implementation_considerations > [5] https://w3c.github.io/encrypted-media/ > > >
Received on Tuesday, 16 August 2016 11:28:21 UTC