Re: Formal objections to Encrypted Media Extensions

On Wed, Sep 7, 2016 at 8:07 AM, David Singer <singer@apple.com> wrote:

>
> > On Sep 7, 2016, at 16:57 , Mark Watson <watsonm@netflix.com> wrote:
> >
> > Harry, all,
> >
> > Regarding Harry's objection, I do agree with Harry that it is in scope
> of the group and he has made a concrete proposal. IIUC, the "user harm"
> Harry is referring to is the increased security and privacy risk that he
> believes users are necessarily subjected to through the unprompted use of
> EME. He argues that users are necessarily subjected to this risk with EME
> because of the effect of the DMCA on security research (Harry, correct me
> if I am paraphrasing incorrectly).
>
> OK, thanks. But I think EME per se can be implemented in open-source and
> other software; it’s analyzable, and so on. Yes, there is an implied risk
> to users when they use DRMs as they are installing software that is not
> only binary-only (true of a lot they install) but for which the DMCA may
> have chilled security research as well. A warning of that type when DRM
> systems are installed might be appropriate, but as far as I know, EME does
> NOT facilitate the installation of DRMs. Once the user has decided to
> install one, I see absolutely no value in asking them “are you sure you
> want it actually to work?” which is what a UE prompt would be asking.
>
> So, I am still feeling a disconnect here…sorry.
>

I think the two points are:
- non-ClearKey Key Systems may be pre-installed in some User Agents, or
automatically installed by the User Agent
- one could argue that consent should be per-origin

Indeed, where there *is* a genuine privacy risk, consent should be obtained
and should be per origin. This is what we require for some distinctive
identifier cases, for example.

So, the argument is basically whether there *always* exist risks of this
kind or whether we believe User Agents can mitigate those sufficiently (or
at least should be given an opportunity to do so).

...Mark


>
> > It's true that we have not had extensive discussion on this, but several
> people have posted the reasons why they disagree. And I have not seen a lot
> of support.
> >
> > Whilst it is obvious that users are necessarily subjected to privacy
> risks by unprompted disclosure of geo-location, it is not obvious that
> significantly increased security and privacy risks necessarily follow from
> the use of EME: Indeed, we have made substantial efforts to avoid this and
> it is one of the key advantages of EME over plugins. There are certainly
> cases where there are privacy concerns - in particular when distinctive
> identifiers are used - and we do require prompts in those cases. However,
> the overall risk depends very much on the User Agent implementation and the
> steps the User Agent implementor has taken to mitigate those risks. I would
> like to incentivize user agent implementors to take such steps as are
> necessary to bring their implementation to a risk level where prompts are
> not necessary. I would also like to give sites an incentive to move from
> plugins to EME. Mandating a prompt removes one such incentive.
> >
> > A further point was that user attention to security prompts is a scarce
> resource. Decisions on its use - where there is doubt - should be taken at
> a User Agent level, not at the level of individual features.
> >
> > ...Mark
>
> David Singer
> Manager, Software Standards, Apple Inc.
>
>

Received on Wednesday, 7 September 2016 15:48:06 UTC