Re: Response from Director to formal objection "Turn off EME by default and activate only with express permission from user"

On Wed, Apr 12, 2017 at 8:23 AM, David Singer <singer@apple.com> wrote:

>
> > On Apr 12, 2017, at 11:55 , Harry Halpin <hhalpin@ibiblio.org> wrote:
> > > I said, contra Mark's argument that browser vendors are neutral, that
> there is collusion
> >
> > OK, earlier you accused me of not reading.  The *definition* of the word
> you used — collusion — is that it is secret or illegal activity intended to
> cheat or deceive, and I gave you verbatim one such definition above. Did
> you read it?
> >
> > David - I don't have at hand the precise dictionaries you do.
>
> I assure you that the word you used is always pejorative. For example “is
> collusion pejorative?” typed into Google yields, as the first hit, The
> Columbia Guide to American Standard English, which says (again, verbatim):
>
> "collude, collusion: these words are always pejorative; they involve
> cooperation for dishonest, illegal, unethical, or immoral purposes. To
> collude is “to connive”."
>
> > Yes, because above. You are throwing around accusations based on a
> dictionary definition you find convenient to avoid the objection.
>
> Now you are being insulting again. Please stop.
>
> > Do you think browser implementers are always neutral?
>
> I have very little idea what you mean by neutral here. If we get back to
> the discussion, you could explain. I do not believe that there is any
> collusion going on in the industry.
>
> > I would prefer a reasonable argument to emotional demands for apologies
> and intentional misreading of words,
>
> I would also prefer a reasoned argument over wild accusations; I rather
> hoped you would apologize and we would move on.
>
> > and I do not apologize nor retract the rather self-evident statement
> that the various parts of components, which include browsers, work in ways
> that can indeed be collusion (see EC ruling on Google link earlier) and can
> but are of course not necessarily illegal.
>
> And so you dig in deeper.
>


Again, whether or not particular companies are engaged in collusion and to
what extent it is illegal is up to courts to decide, not me. Again, I think
it's collusion but not illegal, as it's likely legal due to the fact it's
happening in a reputable standards body.  I do not mean the term
'collusion' in a pejorative manner, but this is a self-evident part of
multi-sided markets with platforms the existing top three browser vendors.

On an aside, rather than denying there is interaction between various parts
of a company as you seem to be doing, perhaps simply admitting that revenue
is gained via combining DRM on the client with various server-side services
like video-streaming may be a good way to avoid anti-trust actions by
government regulators like the EC - because then it's no longer secret or
hidden. Regardless, I'm not a lawyer and so you may wish to talk to Wendy
Seltzer at W3C about the details of anti-trust, and I'm sure she can
give competent advice on how the W3C interacts with anti-trust
investigations around EME and DRM as started by European Parliament.

Furthermore, while open standards are normally enough to escape collusion,
if the open standard is dependent on a proprietary component such as CDM,
then it's very possible that it could be anti-trust due to the fact that
the existing browser vendors are creating a barrier to entry for new
innovation and new browsers in the market. I believe the browser Brave
would agree with this line, and it's unclear if 'clearKey' helps. See
Cory's issue here: https://github.com/w3c/encrypted-media/issues/379

The EC may also be the tip of the iceberg here. So if you are looking for
pejorative language that accuses browser vendors of being part of 'digital
colonialism', here's the official letter of the JustNet Coalition, the
various groups in the Global South who are quite angry about EME, to Tim
Berners-Lee:

http://justnetcoalition.org/2017/W3C_EME_objection.pdf
https://github.com/w3c/encrypted-media/issues/387

Now, back to the *actual* which is security. The argument is due to the
fact that DRM, as enabled by EME, is insecure by design due to lack of
auditability, it is sensible to simply admit browsers have imperfect
security and browser implementers are not neutral, and simply allow EME to
be 'off by default.' Given video existed on the Web pre-EME with plug-ins,
I doubt this would massively hurt user retention. I do not think
"sand-boxing" is a reasonable argument to say the entire EME/DRM standard
is secure and private, for reasons enumerated earlier.

It would be nice if Apple had someone involved in security commenting on
this discussion rather than engage in off-topic discussions. After all,
installing a CDM in a silent upgrade and turning it on without my
permission, despite the fact that CDM could - and likely in my opinion -
cause security and damage is quite an insult to users and security
researchers like myself.

   cheers,
    harry


> David Singer
> Manager, Software Standards, Apple Inc.
>
>

Received on Wednesday, 12 April 2017 20:41:46 UTC