Re: A potential compromise on EME?

Hey, Joe! Thank you for this. I think it's notable for being only the
second time that an actual meaningful compromise has been offered in
respect of EME, DRM and anti-circumvention liability (the other one was
EFF's initial proposal for a wider-scoped covenant).

That is to say, this is the first proposal since the initial covenant
that actually would affect how EME interacted with the world -- as opposed
to voluntary, nonbinding policy working groups whose (again, nonbinding)
work product wouldn't even be ready when and if EME was published.

EFF is very supportive of the idea of immunizing security researchers
from liability for revealing defects in browsers, even if they do so
without permission from vendors. Indeed, no immunity is required if
permission is granted, to say nothing of the fact that it's absurd to
say that companies should EVER get to decide who/when/how defects in
their products can be revealed.

With all that said, we can't support this. If a W3C standard creates new
legal rights for its members -- the right to stop people from uttering
true facts about defects in products, to stop people who adapt technology
for people with disabilities, to kill competing interoperable products --
then the W3C should take every feasible step to undo this unintended
consequence of its standardisation.

New legal rights from technical standards are bugs, not features. CDT's
proposal starts from the premise that the W3C has it in its power to
limit the exercise of anti-circumvention laws, but stops short of the
obvious use of that power: preventing the use of anti-circumvention
except when there is some bona fide cause of action, such as copyright
infringement, theft of trade secrets, or tortious interference.

Standards should be a means of maximizing interoperability, not a
coercive tool for firms to punish competitors who engage in lawful conduct.

But we are very interested in what other members say about this. The
very narrow covenant you've described falls short of addressing the
concerns of the wider security community (vulnerabilities that don't
impact the privacy dimension are still vulnerabilities that can be used
to attack literally billions of web users!), and is totally silent on
the question of accessibility.

But the DRM advocates in the W3C -- and the Director -- have
consistently said that W3C-standardized DRM is better than
industry-based, ad-hoc DRM because the former creates meaningful privacy
protections that the industry wouldn't bother with, left to its own devices.

If industry promises privacy, but won't swear not to punish people who
reveal that their privacy promise has been broken, then they're not
promising much of anything.

Which is why we're very interested in hearing what entertainment
industry members like Netflix, Cable Labs, Comcast, RIAA and the MPAA,
as well as DRM vendors and implementers like Adobe, Google, Apple,
Microsoft and Mozilla have to say about this.

Thanks,

Cory


On 06/28/2017 02:50 PM, Joseph Lorenzo Hall wrote:
> I would like to propose a compromise on the issue of EME going forward
> that I think might make both sides, so to speak, a bit sad and a bit
> happy at the same time:
> 
> The idea would be to adopt a covenant, but make it very narrow.
> 
> That is, we would essentially limit the scope of a litigation
> non-aggression covenant to specifically cover privacy and security
> researchers examining implementations of w3c specifications for
> privacy and security flaws. For example, the batteryStatus research
> from Lukasz and Arvind (and subsequent pulling of that feature from
> browsers) is a good example of the kind of work we want to make sure
> researchers know they will face little risk working on:
> http://randomwalker.info/publications/battery-status-case-study.pdf
> 
> Since there were so many objections (23 I believe), the Director has a
> firm basis for saying that there is definitely substantial support
> for a covenant here, but by limiting the scope of the covenant to a
> very narrow set of activities related to discovering privacy and
> security flaws in implementations of w3c specifications, the covenant
> will be less open-ended to those opposed to the covenant and gets to
> the heart of a core concern of the supporters (security research
> protections).
> 
> This may be a crazy idea, but I think it could actually move things
> forward (it is a typical CDT answer: everyone will be a little upset,
> rather than some people being very very upset and some not at all).
> 
> I'd of course welcome thoughts as this strikes me as a very unusual
> place for w3c members and w3m to be in.
> 
> Cheers, Joe
> 
-- 

FOR PUBLIC SAFETY REASONS, THIS EMAIL HAS BEEN INTERCEPTED BY YOUR
GOVERNMENT AND WILL BE RETAINED FOR FUTURE ANALYSIS

--

Cory Doctorow
Apollo 1201 Project

cory@eff.org

For avoidance of doubt: This email does not constitute permission to add
me to your mailing list.

READ CAREFULLY. By reading this email, you agree, on behalf of your
employer, to release me from all obligations and waivers arising from
any and all NON-NEGOTIATED  agreements, licenses, terms-of-service,
shrinkwrap, clickwrap, browsewrap, confidentiality, non-disclosure,
non-compete and acceptable use policies ("BOGUS AGREEMENTS") that I have
entered into with your employer, its partners, licensors, agents and
assigns, in perpetuity, without prejudice to my ongoing rights and
privileges. You further represent that you have the authority to release
me from any BOGUS AGREEMENTS on behalf of your employer.

As is the case with every email you've ever received, this email has not
been scanned for all known viruses.

Duh.

Received on Wednesday, 28 June 2017 23:25:45 UTC