W3C home > Mailing lists > Public > public-html-media@w3.org > April 2017

Re: Response from Director to formal objection "Turn off EME by default and activate only with express permission from user"

From: Harry Halpin <hhalpin@ibiblio.org>
Date: Tue, 11 Apr 2017 10:45:54 -1100
Message-ID: <CAE1ny+5YXDeyYOSn9GuzeZdma6sOpJ+RT-AoTsrYVN+hzy=4bg@mail.gmail.com>
To: Mark Watson <watsonm@netflix.com>
Cc: "public-html-media@w3.org" <public-html-media@w3.org>
On Mon, Apr 10, 2017 at 7:09 AM, Mark Watson <watsonm@netflix.com> wrote:

> On Mon, Apr 10, 2017 at 10:22 AM, Harry Halpin <hhalpin@ibiblio.org>
> wrote:
>> On Mon, Apr 10, 2017 at 6:18 AM, Mark Watson <watsonm@netflix.com> wrote:
>>> Hi Harry,
>>> I agree you should have a response to your objection.
>>> You should take a look at the Chrome bug you cited. I believe what
>>> happened is that the ability to disable Widevine went away when the ability
>>> to disable plugins went away (along, I presume, with the ability to install
>>> arbitrary plugins). Chrome have now introduced an explicit setting for
>>> disabling protected content.
>>> You don't mention the main argument on this issue which is that User
>>> Agent implementors are best placed to decide what permissions should be
>>> mandatory, considering the security of their whole platform and the
>>> relative risks from different components based on their own detailed
>>> knowledge of those components. You argue that CDMs are necessarily a
>>> greater risk than the rest of the implementation but even if this is true
>>> we cannot say that the difference in risk is always sufficient that it
>>> justifies mandatory *a priori* consent. Only the UA implementor has the
>>> knowledge and broader perspective on their implementation to make that
>>> judgement.
>> That is clearly not true, as there is a conflict of interest by UA
>> implementers who are also trying to make money from DRM-enabled content
>> (such as Google creates both Chrome and  Youtube Red).
> ​Different from their conflict-of-interest when it comes to making money
> from ads ?

Browser vendors can have conflicts of interest. In theory, this could be
making money from ads. However, in this case, DRM is a clear conflict of
interest. Google owns both Widevine and the browser, for example, and
stands to make money from streaming content that requires DRM.

> If you don't trust the UA vendor with user security and privacy, I think
> all bets are off.​

As someone who is currently in a room with the two crypto-engineers with
Mozilla, of course users should not trust the UA vendors with security and
privacy 100%. Browser vendors are usually under-resourced in terms of
security and de-prioritize user-privacy. Therefore, for *powerful features*
we require TLS. For *dangerous features* we require user consent.

For example, with WebRTC, we keep audio/video *off by default* without user
permissions. Can you please explain how WebRTC audio/video is more
dangerous than opaque DRM code? After all, both are sandboxed, no?

>> Furthermore, UA implementers may not be aware of the security bugs in
>> their own browsers, and thus the need for independent security research and
>> audits by neutral third-parties, including end-users.
> ​This is why they do things like pwn2own.

See above. I am sympathetic to UA implementors, but they are
under-resourced. At least in every company I've talked to, including
Mozilla and Google, the security and privacy engineers (if they have a
backbone, which most do) have been against DRM openly due to the security
concerns brought up in the EFF petition and consider this entire
standardization effort to be driven by DMCA requirements re streaming
encrypted content The wider and neutral security community has spoken out
and said shipping DRM with browsers that can access it via EME in dangerous.

If there is a Google, Mozilla, or Microsoft security or privacy engineer
who would like stand up and say EME is a *good thing* for user security and
the wider academic community is wrong, I'm all ears to hear their

I'm actually *more* sympathetic to browser vendors who are being forced to
implement this without adequate user protection (i.e., without it being
"off by default") than by supposedly "neutral" W3C staff and PR people who
are actively pushing a pro-DRM line in social media.

>> Therefore, due to the bizarre legal framework around DRM and the DMCA,
>> the *conservative* and safe bet is to believe that the risk MUST justify
>> mandatory a priori consent. If we did it for WebRTC, I see no reason why it
>> cannot be done for EME.
> ​We're not arguing about whether it could be done, only whether it should
> be done.

Agreed, and I think it should.


> ​
>>   cheers,
>>     harry
>>> ...Mark
>>> On Mon, Apr 10, 2017 at 9:54 AM, Harry Halpin <hhalpin@ibiblio.org>
>>> wrote:
>>>> Everyone,
>>>> Perhaps Tim Berners-Lee (the Director) overrode my objection, but I
>>>> haven't been updated and see no evidence. Also, as is often, if Tim
>>>> Berners-Lee did not actually attend the transition call for Encrypted Media
>>>> Extensions but either PLH or Ralph Swick acted as Director, I would like to
>>>> know and demand an explicit response to my formal objection, which was
>>>> viewed as in-scope by both the editors and the chair of the HME WG.
>>>> Barring a decision I agree with from, I'm going to re-file my formal
>>>> objection. Note that recently there has been moves to make EME (and thus,
>>>> DRM) not only on-by-default, but mandatory - and hard, if not impossible,
>>>> at least to disable by users [1]. This is a blatant violation of the rights
>>>> of the user to control what software is on their device, and I'm surprised
>>>> this feature was not agreed on by HME WG.
>>>> Furthermore, it is blatantly hypocritical of the W3C to not address
>>>> this concern in the Proposed Recommendation, as user control has been
>>>> enforced in other specifications such as WebRTC where there are similar
>>>> concerns for user fatigue. Indeed, I am stating that a user MUST be
>>>> informed at least once and explicitly agree *before* an EME and, if not
>>>> already pre-installed in the OS, the black box of CDM is sent to their
>>>> device.
>>>> The arguments from W3C PR and the HME WG that a 'sandbox' is somehow a
>>>> magical solution to user concerns over security and privacy with DRM is
>>>> equally incorrect. Browsers, including in particular sandboxes, routinely
>>>> have vulnerabilities [2]. There is plenty of evidence that no sandbox is
>>>> secure, including those put around CDMs. For an evidence, see the recent
>>>> pwn2own results, and we should expect more hacks soon particularly on the
>>>> kinds of DRM enabled by EME.
>>>>      cheers,
>>>>         harry
>>>> [1] http://boingboing.net/2017/01/30/google-quietly-makes-optiona.html
>>>> [2] https://venturebeat.com/2016/03/18/pwn2own-2016-chrome-edge-
>>>> and-safari-hacked-460k-awarded-in-total/
Received on Tuesday, 11 April 2017 21:46:29 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 15:49:19 UTC