Re: On HME extension and vulnerability disclosure programs

From: Cory Doctorow <cory@eff.org>
Date: Sun, 29 Jan 2017 05:57:35 -0600
To: chaals@yandex-team.ru, Philippe Le Hégaret <plh@w3.org>, "public-html-media@w3.org" <public-html-media@w3.org>
Message-ID: <2710e25d-5fbe-bf21-3088-5f4354ad8260@eff.org>

Thank you, Chaals.

The document with accessibility use-cases is quite specific, while all
the dismissals of it have been very vague, and made appeals to authority
("technical experts who are passionate advocates for accessibility who
have carefully assessed the technology over years have declared that
there isn't a problem") rather than addressing those issues.

How, for example, would the 1 in 4000 people with photosensitive
epilepsy be able to do lookaheads in videos to ensure that upcoming
sequences passed the Harding Test without being able to decrypt the
stream and post-process it through their own safety software? How would
someone who was colorblind use Dankam to make realtime adjustments to
the gamut of videos to accommodate them to the idiosyncrasies of their
vision and neurology?

I would welcome substantive discussion on these issues -- rather than
perfunctory dismissals. The fact that W3C members who specialize in
providing adaptive technology to people with visual impairments on three
continents have asked the Director to ensure that EME doesn't interfere
with their work warrants a substantive reply.

Cory

On 01/29/2017 05:48 AM, chaals@yandex-team.ru wrote:
> 
> 
> 28.01.2017, 12:43, "Cory Doctorow" <cory@eff.org>:
>> Thank you, Philippe.
>>
>> A couple of questions:
>>
>> 1. Would publication of EME as a W3C rec be affected by this best
>> practices work, or does the Director envision that EME would go out with
>> no protections for security disclosures while this work trailed behind it?
> 
> I would also like to know the answer. It *seems* to envision a path along those lines, but I trust that at minimum there would not be a W3C Recommendation before such work has been published.
> 
>> 2. Members have expressed other concerns regarding anti-circumvention
>> and EME -- for example, Vision Australia, SSB Bart, the Royal National
>> Institute for Blind People, Media Access Australia, Braillenet and
>> Benetech have all expressed concerns about the need to immunize those
>> who circumvent to add accessibility features (note that all of these
>> members have granted me permission to disclose their concerns and votes
>> in polls on charter renewal and publication).
>>
>> These members represent, I believe, all of the W3C members that
>> represent visually disabled people and people with other
>> sensory/physical disabilities.
> 
> No, they do not. Nomensa, Deque and TPG spring to mind. I think it is also fair to say that companies like IBM, HP, Microsoft, Apple and Google have done a lot of important work to ensure the rights of people with disabilities can be exercised in practice - even while it is fair to acknowledge that they have a patchy record.
> 
>> A list of accessibility use-cases that require this protection, and a
>> further discussion, can be found in this document:
>>
>> https://www.eff.org/deeplinks/2016/03/interoperability-and-w3c-defending-future-present
> 
> Against which technical experts who are passionate advocates for accessibility who have carefully assessed the technology over years have declared that there isn't a problem.
> 
> I suspect the truth is somewhere in the middle, but I certainly don't recognise your claims as unarguably factual.
> 
>> Is the Director going to take any action on the concerns of the entire
>> visual impairment caucus of the W3C?
> 
> That seems to misrepresent the situation.
> 
> cheers
> 
> Chaals
> 
>> Cory
>>
>> On 01/27/2017 03:41 PM, Philippe Le Hégaret wrote:
>>>  All,
>>>
>>>  This is an update on the status of the HTML Media Extensions charter
>>>  extension and the Proposed Recommendation transition request for the
>>>  Encrypted Media Extensions specification.
>>>
>>>  Further to the recent review regarding the HTML Media Extensions Working
>>>  Group, the Director has been reviewing the expressions of support to
>>>  continue the work as well as the objections to continuing the work in
>>>  its present form.
>>>
>>>  While the Director recognized the technical progress and stability of
>>>  the work, the lack of consensus to protect security researchers remained
>>>  an issue. The Director had asked the Team to find a resolution that was
>>>  agreed to by both supporters of the charter extension and objectors. The
>>>  team was unable to find such a resolution. The Director has concluded
>>>  that the best practical method to improve protections at this stage is
>>>  to overrule the objections of the charter extension, but establish
>>>  momentum for protection by establishing best practices for responsible
>>>  vulnerability disclosure.
>>>
>>>  In the interest of promoting vulnerability disclosure programs, W3C will
>>>  establish a set of guidelines intended to protect security and privacy
>>>  researchers when proper and reasonable disclosure procedures are followed.
>>>
>>>  Specifically, the W3C Team will publish on 2 March 2017 a set of
>>>  guidelines for vulnerability disclosure programs that protect security
>>>  and privacy researchers as a W3C Team submission. This will represent
>>>  our initial sense of best practice and will serve as input for further
>>>  work in this space. Prior to the publication of the team submission,
>>>  input will be welcome on public-security-disclosure@w3.org. The
>>>  Responsible Vulnerability Disclosure program [1] established by Netflix
>>>  will be used as a starting point.
>>>
>>>  Following the 2 March date, the W3C Director will send a Call for Review
>>>  for the Encrypted Media Extensions Proposed Recommendation, soliciting
>>>  feedback and expression of interest for the specification and the
>>>  initial draft of W3C guidelines for security and privacy researchers
>>>  disclosure programs.
>>>
>>>  The Working Group Charter [2] is hereby extended until 30 April 2017.
>>>
>>>  More information could be found at
>>>    https://www.w3.org/2017/01/GVDP-factsheet.html
>>>
>>>  Philippe
>>>
>>>  [1] https://help.netflix.com/en/node/6657#gsc.tab=0
>>>  [2] http://www.w3.org/2013/09/html-charter.html
>> --
>>
>> FOR PUBLIC SAFETY REASONS, THIS EMAIL HAS BEEN INTERCEPTED BY YOUR
>> GOVERNMENT AND WILL BE RETAINED FOR FUTURE ANALYSIS
>>
>> --
>>
>> Cory Doctorow
>> doctorow@craphound.com
>> Wickr: doctorow
>>
>> For avoidance of doubt: This email does not constitute permission to add
>> me to your mailing list.
>>
>> blog: boingboing.net
>> upcoming appearances: craphound.com/?page_id=4667
>> books (novels, collections, graphic novels, essay collections): craphound.com
>> latest nonfiction: Information Doesn't Want to Be Free
>> latest graphic novel: In Real Life
>> podcast: feeds.feedburner.com/doctorow_podcast
>> latest novel: Homeland craphound.com/homeland
>> latest short story collection: With a Little Help craphound.com/walh
>>
>> Join my mailing list and find out about upcoming books, stories,
>> articles and appearances:
>>
>> http://www.ctyme.com/mailman/listinfo/doctorow
>>
>> READ CAREFULLY. By reading this email, you agree, on behalf of your
>> employer, to release me from all obligations and waivers arising from
>> any and all NON-NEGOTIATED agreements, licenses, terms-of-service,
>> shrinkwrap, clickwrap, browsewrap, confidentiality, non-disclosure,
>> non-compete and acceptable use policies ("BOGUS AGREEMENTS") that I have
>> entered into with your employer, its partners, licensors, agents and
>> assigns, in perpetuity, without prejudice to my ongoing rights and
>> privileges. You further represent that you have the authority to release
>> me from any BOGUS AGREEMENTS on behalf of your employer.
>>
>> As is the case with every email you've ever received, this email has not
>> been scanned for all known viruses.
>>
>> Duh.
> 
> -- 
> Charles McCathie Nevile - standards - Yandex
> chaals@yandex-team.ru - - - Find more at http://yandex.com
> 
> 

Received on Sunday, 29 January 2017 11:58:13 UTC
