Re: Response from Director to formal objection "Turn off EME by default and activate only with express permission from user"

From: Harry Halpin <hhalpin@ibiblio.org>
Date: Mon, 10 Apr 2017 06:22:33 -1100
Message-ID: <CAE1ny+4y-DYz4uta9hUL=w02J3y3FTUFSek_qryVyZ-QNkxt1w@mail.gmail.com>
To: Mark Watson <watsonm@netflix.com>
Cc: "public-html-media@w3.org" <public-html-media@w3.org>

On Mon, Apr 10, 2017 at 6:18 AM, Mark Watson <watsonm@netflix.com> wrote:

> Hi Harry,
> I agree you should have a response to your objection.
> You should take a look at the Chrome bug you cited. I believe what
> happened is that the ability to disable Widevine went away when the ability
> to disable plugins went away (along, I presume, with the ability to install
> arbitrary plugins). Chrome have now introduced an explicit setting for
> disabling protected content.
> You don't mention the main argument on this issue which is that User Agent
> implementors are best placed to decide what permissions should be
> mandatory, considering the security of their whole platform and the
> relative risks from different components based on their own detailed
> knowledge of those components. You argue that CDMs are necessarily a
> greater risk than the rest of the implementation but even if this is true
> we cannot say that the difference in risk is always sufficient that it
> justifies mandatory *a priori* consent. Only the UA implementor has the
> knowledge and broader perspective on their implementation to make that
> judgement.

That is clearly not true, as there is a conflict of interest by UA
implementers who are also trying to make money from DRM-enabled content
(such as Google, which creates both Chrome and YouTube Red).

Furthermore, UA implementers may not be aware of the security bugs in their
own browsers, and thus the need for independent security research and
audits by neutral third-parties, including end-users. Therefore, due to the
bizarre legal framework around DRM and the DMCA, the *conservative* and
safe bet is to believe that the risk MUST justify mandatory a priori
consent. If we did it for WebRTC, I see no reason why it cannot be done for


> ...Mark
> On Mon, Apr 10, 2017 at 9:54 AM, Harry Halpin <hhalpin@ibiblio.org> wrote:
>> Everyone,
>> Perhaps Tim Berners-Lee (the Director) overrode my objection, but I
>> haven't been updated and see no evidence. Also, as is often the case, if Tim
>> Berners-Lee did not actually attend the transition call for Encrypted Media
>> Extensions but either PLH or Ralph Swick acted as Director, I would like to
>> know and demand an explicit response to my formal objection, which was
>> viewed as in-scope by both the editors and the chair of the HME WG.
>> Barring a decision I agree with from, I'm going to re-file my formal
>> objection. Note that recently there have been moves to make EME (and thus,
>> DRM) not only on-by-default, but mandatory - and hard, if not impossible,
>> at least to disable by users [1]. This is a blatant violation of the rights
>> of the user to control what software is on their device, and I'm surprised
>> this feature was not agreed on by HME WG.
>> Furthermore, it is blatantly hypocritical of the W3C to not address this
>> concern in the Proposed Recommendation, as user control has been enforced
>> in other specifications such as WebRTC where there are similar concerns for
>> user fatigue. Indeed, I am stating that a user MUST be informed at least
>> once and explicitly agree *before* an EME and, if not already pre-installed
>> in the OS, the black box of CDM is sent to their device.
>> The arguments from W3C PR and the HME WG that a 'sandbox' is somehow a
>> magical solution to user concerns over security and privacy with DRM is
>> equally incorrect. Browsers, including in particular sandboxes, routinely
>> have vulnerabilities [2]. There is plenty of evidence that no sandbox is
>> secure, including those put around CDMs. For evidence, see the recent
>> pwn2own results, and we should expect more hacks soon particularly on the
>> kinds of DRM enabled by EME.
>>      cheers,
>>         harry
>> [1] http://boingboing.net/2017/01/30/google-quietly-makes-optiona.html
>> [2] https://venturebeat.com/2016/03/18/pwn2own-2016-chrome-edge-and-safari-hacked-460k-awarded-in-total/
Received on Monday, 10 April 2017 17:23:08 UTC