- From: Joseph Lorenzo Hall <joe@cdt.org>
- Date: Thu, 8 Sep 2016 07:53:28 -0400
- To: David Singer <singer@apple.com>
- Cc: Mark Watson <watsonm@netflix.com>, Harry Halpin <hhalpin@w3.org>, Paul Cotton <Paul.Cotton@microsoft.com>, "public-html-media@w3.org" <public-html-media@w3.org>
On Wed, Sep 7, 2016 at 11:57 AM, David Singer <singer@apple.com> wrote: > > > OK, there are risks from at least: > 1) installing new software (OS X, for example, has security settings to enable you to lock down to the signed installs from the App Store) > 2) using software that might have been subject to less security analysis (e.g. because of a fear of the DMCA) > 3) a combination of the above. > > The OS might warn people who install new software. EFF might warn people who buy devices with built-in DRMs. The EFF might suggest that that warning be stronger for installed DRMs. > > But I still haven’t got to the EME interface... Yes, as you said up-thread EME will in most cases be open and analyzable in UA implementations. EME is an interface to working with CDMs for video, which will necessarily increase risks to web users in your category (2) above. (It may also set precedent for future CDM/DRM interfaces for things that would dramatically reduce the openness and user-oriented control of the web platform... e.g., DRM interfaces for text, images, page source, etc.) I would like to be able to tell researchers they can analyze a CDM and attempt to verify that it is doing certain things and not doing other things. (The Sony rootkit compact disc DRM that Alex Halderman examined as part of his PhD thesis is an obvious poster child for important work here.) While CDM producers may not be W3C members, content distribution and UA developers tend to be members, and it would be great if all of those in the room at W3C could agree that it's best for the web platform if: 1) as Mark and David have detailed, the existing EME spec has taken care with user consent and experience; 2) that CDM producers and those that utilize or implement CDM interfaces agree that having third-party analysis of these modules is important for accountability and simply finding bugs; 3) the parties at least at W3C developing these standards can agree to a [litigation non-aggression covenant/something else?] that would give researchers some certainty in their work. -- Joseph Lorenzo Hall Chief Technologist, Center for Democracy & Technology [https://www.cdt.org] 1401 K ST NW STE 200, Washington DC 20005-3497 e: joe@cdt.org, p: 202.407.8825, pgp: https://josephhall.org/gpg-key Fingerprint: 3CA2 8D7B 9F6D DBD3 4B10 1607 5F86 6987 40A9 A871 Tech Prom, CDT's Annual Dinner, is April 20, 2017! https://cdt.org/annual-dinner
Received on Thursday, 8 September 2016 11:54:53 UTC