W3C home > Mailing lists > Public > public-html-media@w3.org > April 2017

Re: Response from Director to formal objection "Turn off EME by default and activate only with express permission from user"

From: Mark Watson <watsonm@netflix.com>
Date: Mon, 10 Apr 2017 11:09:16 -0700
Message-ID: <CAEnTvdCPzOvU2oVO6PH5vaPUYE1X-XbjX0yzkgoAn9vUuHUE9w@mail.gmail.com>
To: Harry Halpin <hhalpin@ibiblio.org>
Cc: "public-html-media@w3.org" <public-html-media@w3.org>
On Mon, Apr 10, 2017 at 10:22 AM, Harry Halpin <hhalpin@ibiblio.org> wrote:

>
>
> On Mon, Apr 10, 2017 at 6:18 AM, Mark Watson <watsonm@netflix.com> wrote:
>
>> Hi Harry,
>>
>> I agree you should have a response to your objection.
>>
>> You should take a look at the Chrome bug you cited. I believe what
>> happened is that the ability to disable Widevine went away when the ability
>> to disable plugins went away (along, I presume, with the ability to install
>> arbitrary plugins). Chrome have now introduced an explicit setting for
>> disabling protected content.
>>
>> You don't mention the main argument on this issue which is that User
>> Agent implementors are best placed to decide what permissions should be
>> mandatory, considering the security of their whole platform and the
>> relative risks from different components based on their own detailed
>> knowledge of those components. You argue that CDMs are necessarily a
>> greater risk than the rest of the implementation but even if this is true
>> we cannot say that the difference in risk is always sufficient that it
>> justifies mandatory *a priori* consent. Only the UA implementor has the
>> knowledge and broader perspective on their implementation to make that
>> judgement.
>>
>>
> That is clearly not true, as there is a conflict of interest by UA
> implementers who are also trying to make money from DRM-enabled content
> (such as Google creates both Chrome and  Youtube Red).
>

​Different from their conflict-of-interest when it comes to making money
from ads ?

If you don't trust the UA vendor with user security and privacy, I think
all bets are off.​


>
> Furthermore, UA implementers may not be aware of the security bugs in
> their own browsers, and thus the need for independent security research and
> audits by neutral third-parties, including end-users.
>

​This is why they do things like pwn2own.


> Therefore, due to the bizarre legal framework around DRM and the DMCA, the
> *conservative* and safe bet is to believe that the risk MUST justify
> mandatory a priori consent. If we did it for WebRTC, I see no reason why it
> cannot be done for EME.
>

​We're not arguing about whether it could be done, only whether it should
be done.
​

>
>
>   cheers,
>     harry
>
>
>
>
>> ...Mark
>>
>> On Mon, Apr 10, 2017 at 9:54 AM, Harry Halpin <hhalpin@ibiblio.org>
>> wrote:
>>
>>> Everyone,
>>>
>>> Perhaps Tim Berners-Lee (the Director) overrode my objection, but I
>>> haven't been updated and see no evidence. Also, as is often, if Tim
>>> Berners-Lee did not actually attend the transition call for Encrypted Media
>>> Extensions but either PLH or Ralph Swick acted as Director, I would like to
>>> know and demand an explicit response to my formal objection, which was
>>> viewed as in-scope by both the editors and the chair of the HME WG.
>>>
>>> Barring a decision I agree with from, I'm going to re-file my formal
>>> objection. Note that recently there has been moves to make EME (and thus,
>>> DRM) not only on-by-default, but mandatory - and hard, if not impossible,
>>> at least to disable by users [1]. This is a blatant violation of the rights
>>> of the user to control what software is on their device, and I'm surprised
>>> this feature was not agreed on by HME WG.
>>>
>>> Furthermore, it is blatantly hypocritical of the W3C to not address this
>>> concern in the Proposed Recommendation, as user control has been enforced
>>> in other specifications such as WebRTC where there are similar concerns for
>>> user fatigue. Indeed, I am stating that a user MUST be informed at least
>>> once and explicitly agree *before* an EME and, if not already pre-installed
>>> in the OS, the black box of CDM is sent to their device.
>>>
>>> The arguments from W3C PR and the HME WG that a 'sandbox' is somehow a
>>> magical solution to user concerns over security and privacy with DRM is
>>> equally incorrect. Browsers, including in particular sandboxes, routinely
>>> have vulnerabilities [2]. There is plenty of evidence that no sandbox is
>>> secure, including those put around CDMs. For an evidence, see the recent
>>> pwn2own results, and we should expect more hacks soon particularly on the
>>> kinds of DRM enabled by EME.
>>>
>>>      cheers,
>>>         harry
>>>
>>> [1] http://boingboing.net/2017/01/30/google-quietly-makes-optiona.html
>>> [2] https://venturebeat.com/2016/03/18/pwn2own-2016-chrome-edge-
>>> and-safari-hacked-460k-awarded-in-total/
>>>
>>
>>
>
Received on Monday, 10 April 2017 18:09:51 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 15:49:19 UTC