Re: Formal objections to Encrypted Media Extensions from David Singer on 2016-09-07 (public-html-media@w3.org from September 2016)

From: David Singer <singer@apple.com>
Date: Wed, 07 Sep 2016 17:07:08 +0200
To: Mark Watson <watsonm@netflix.com>
Cc: Harry Halpin <hhalpin@w3.org>, Paul Cotton <Paul.Cotton@microsoft.com>, "public-html-media@w3.org" <public-html-media@w3.org>
Message-id: <4E3A5108-027C-4EB6-9888-30938B598DEE@apple.com>

> On Sep 7, 2016, at 16:57 , Mark Watson <watsonm@netflix.com> wrote:
> 
> Harry, all,
> 
> Regarding Harry's objection, I do agree with Harry that it is in scope of the group and he has made a concrete proposal. IIUC, the "user harm" Harry is referring to is the increased security and privacy risk that he believes users are necessarily subjected to through the unprompted use of EME. He argues that users are necessarily subjected to this risk with EME because of the effect of the DMCA on security research (Harry, correct me if I am paraphrasing incorrectly).

OK, thanks. But I think EME per se can be implemented in open-source and other software; it’s analyzable, and so on. Yes, there is an implied risk to users when they use DRMs as they are installing software that is not only binary-only (true of a lot they install) but for which the DMCA may have chilled security research as well. A warning of that type when DRM systems are installed might be appropriate, but as far as I know, EME does NOT facilitate the installation of DRMs. Once the user has decided to install one, I see absolutely no value in asking them “are you sure you want it actually to work?” which is what a UE prompt would be asking.

So, I am still feeling a disconnect here…sorry.

> It's true that we have not had extensive discussion on this, but several people have posted the reasons why they disagree. And I have not seen a lot of support.
> 
> Whilst it is obvious that users are necessarily subjected to privacy risks by unprompted disclosure of goe-location, it is not obvious that significantly increased security and privacy risks necessarily follow from the use of EME: Indeed, we have made substantial efforts to avoid this and it is one of the key advantages of EME over plugins. There are certainly cases where there are privacy concerns - in particular when distinctive identifiers are used - and we do require prompts in those cases. However, the overall risk depends very much on the User Agent implementation and the steps the User Agent implementor has taken to mitigate those risks. I would like to incentivize  user agent implementors to take such steps as are necessary to bring their implementation to a risk level where prompts are not necessary. I would also like to give sites an incentive to move from plugins to EME. Mandating a prompt removes one such incentive.
> 
> A further point was that user attention to security prompts is a scarce resource. Decisions on it's use - where there is doubt - should be take at a User Agent level, not at the level of individual features.
> 
> ...Mark

David Singer
Manager, Software Standards, Apple Inc.

Received on Wednesday, 7 September 2016 15:08:02 UTC