- From: Mark Watson <watsonm@netflix.com>
- Date: Wed, 28 Jun 2017 16:43:10 -0700
- To: Cory Doctorow <cory@eff.org>
- Cc: Joseph Lorenzo Hall <joe@cdt.org>, Tim Berners-Lee <timbl@w3.org>, w3c-ac-forum <w3c-ac-forum@w3.org>, "public-html-media@w3.org" <public-html-media@w3.org>
- Message-ID: <CAEnTvdBPCYfxfcgQY=m3QAyYA0rAZM8OsGOgqVO5APqNZUofbw@mail.gmail.com>
On Wed, Jun 28, 2017 at 4:25 PM, Cory Doctorow <cory@eff.org> wrote:

> Hey, Joe! Thank you for this. I think it's notable for being only the
> second time that an actual meaningful compromise has been offered in
> respect of EME, DRM and anti-circumvention liability (the other one was
> EFF's initial proposal for a wider-scoped covenant).
>

It's similar to the proposal made by Yandex when this was first discussed more than a year ago. There was little interest then.

>
> That is to say, this is the first proposal since the initial covenant
> that actually would affect how EME interacted with the world -- as opposed
> to voluntary, nonbinding policy working groups whose (again, nonbinding)
> work product wouldn't even be ready when and if EME was published.
>
> EFF is very supportive of the idea of immunizing security researchers
> from liability for revealing defects in browsers, even if they do so
> without permission from vendors. Indeed, no immunity is required if
> permission is granted, to say nothing of the fact that it's absurd to
> say that companies should EVER get to decide who/when/how defects in
> their products can be revealed.
>
> With all that said, we can't support this. If a W3C standard creates new
> legal rights for its members -- the right to stop people from uttering
> true facts about defects in products, to stop people who adapt technology
> for people with disabilities, to kill competing interoperable products,
> then the W3C should take every feasible step to undo this unintended
> consequence of its standardisation.
>
> New legal rights from technical standards are bugs, not features. CDT's
> proposal starts from the premise that the W3C has it in its power to
> limit the exercise of anti-circumvention laws, but stops short of the
> obvious use of that power: preventing the use of anti-circumvention
> except when there is some bona fide cause of action, such as copyright
> infringement, theft of trade secrets, or tortious interference.
>
> Standards should be a means of maximizing interoperability, not a
> coercive tool for firms to punish competitors who engage in lawful conduct.
>
> But we are very interested in what other members say about this. The
> very narrow covenant you've described falls short of addressing the
> concerns of the wider security community (vulnerabilities that don't
> impact the privacy dimension are still vulnerabilities that can be used
> to attack literally billions of web users!), and is totally silent on
> the question of accessibility.
>
> But the DRM advocates in the W3C -- and the Director -- have
> consistently said that W3C-standardized DRM is better than
> industry-based, ad-hoc DRM because the former creates meaningful privacy
> protections that the industry wouldn't bother with, left to its own
> devices.
>
> If industry promises privacy, but won't swear not to punish people who
> reveal that their privacy promise has been broken, then they're not
> promising much of anything.
>
> Which is why we're very interested in hearing what entertainment
> industry members like Netflix, Cable Labs, Comcast, RIAA and the MPAA,
> as well as DRM vendors and implementers like Adobe, Google, Apple,
> Microsoft and Mozilla have to say about this.
>

I don't have anything new to say. So - for once - I am going to refrain from repeating what I have said before.

...Mark

>
> Thanks,
>
> Cory
>
>
> On 06/28/2017 02:50 PM, Joseph Lorenzo Hall wrote:
> > I would like to propose a compromise on the issue of EME going forward
> > that I think might make both sides, so to speak, a bit sad and a bit
> > happy at the same time:
> >
> > The idea would be to adopt a covenant, but make it very narrow.
> >
> > That is, we would essentially limit the scope of a litigation
> > non-aggression covenant to specifically cover privacy and security
> > researchers examining implementations of w3c specifications for
> > privacy and security flaws. For example, the batteryStatus research
> > from Lukasz and Arvind (and subsequent pulling of that feature from
> > browsers) is a good example of the kind of work we want to make sure
> > researchers know they will face little risk working on:
> > http://randomwalker.info/publications/battery-status-case-study.pdf
> >
> > Since there were so many objections (23 I believe), the Director has a
> > firm basis for saying that there is definitely substantial support
> > for a covenant here, but by limiting the scope of the covenant to a
> > very narrow set of activities related to discovering privacy and
> > security flaws in implementations of w3c specifications, the covenant
> > will be less open-ended to those opposed to the covenant and gets to
> > the heart of a core concern of the supporters (security research
> > protections).
> >
> > This may be a crazy idea, but I think it could actually move things
> > forward (it is a typical CDT answer: everyone will be a little upset,
> > rather than some people being very very upset and some not at all).
> >
> > I'd of course welcome thoughts as this strikes me as a very unusual
> > place for w3c members and w3m to be in.
> >
> > Cheers, Joe
> >
>
> --
>
> FOR PUBLIC SAFETY REASONS, THIS EMAIL HAS BEEN INTERCEPTED BY YOUR
> GOVERNMENT AND WILL BE RETAINED FOR FUTURE ANALYSIS
>
> --
>
> Cory Doctorow
> Apollo 1201 Project
>
> cory@eff.org
>
> For avoidance of doubt: This email does not constitute permission to add
> me to your mailing list.
>
> READ CAREFULLY. By reading this email, you agree, on behalf of your
> employer, to release me from all obligations and waivers arising from
> any and all NON-NEGOTIATED agreements, licenses, terms-of-service,
> shrinkwrap, clickwrap, browsewrap, confidentiality, non-disclosure,
> non-compete and acceptable use policies ("BOGUS AGREEMENTS") that I have
> entered into with your employer, its partners, licensors, agents and
> assigns, in perpetuity, without prejudice to my ongoing rights and
> privileges. You further represent that you have the authority to release
> me from any BOGUS AGREEMENTS on behalf of your employer.
>
> As is the case with every email you've ever received, this email has not
> been scanned for all known viruses.
>
> Duh.
> --
>
> Cory Doctorow
> doctorow@craphound.com
> Wickr: doctorow
>
> blog: boingboing.net
> upcoming appearances: craphound.com/?page_id=4667
> books (novels, collections graphic novels, essay collections):
> craphound.com
> latest novel: Walkaway
> latest nonfiction: Information Doesn't Want to Be Free
> latest graphic novel: In Real Life
> podcast: feeds.feedburner.com/doctorow_podcast
> latest YA novel: Homeland craphound.com/homeland
> latest short story collection: Expanded Overclocked
>
> Join my mailing list and find out about upcoming books, stories,
> articles and appearances:
>
> http://www.ctyme.com/mailman/listinfo/doctorow
>

Received on Wednesday, 28 June 2017 23:43:45 UTC