W3C home > Mailing lists > Public > public-html-media@w3.org > June 2017

Re: A potential compromise on EME?

From: Jeff Jaffe <jeff@w3.org>
Date: Wed, 28 Jun 2017 21:28:49 -0400
To: Mark Watson <watsonm@netflix.com>, Cory Doctorow <cory@eff.org>
Cc: Joseph Lorenzo Hall <joe@cdt.org>, Tim Berners-Lee <timbl@w3.org>, w3c-ac-forum <w3c-ac-forum@w3.org>, "public-html-media@w3.org" <public-html-media@w3.org>
Message-ID: <8cd1e7ac-c525-c65e-c099-2706fd0ff6a6@w3.org>
Joe,

I appreciate your continued efforts to find a place in the middle on 
this issue.

As Mark points out, variations on this theme have been proposed before.

As you can see from the thread, neither Netflix nor EFF support this.  
Unfortunately, there have been several compromise proposals that have 
been floated, but none were able to get traction.

Jeff


On 6/28/2017 7:43 PM, Mark Watson wrote:
>
>
> On Wed, Jun 28, 2017 at 4:25 PM, Cory Doctorow <cory@eff.org 
> <mailto:cory@eff.org>> wrote:
>
>     Hey, Joe! Thank you for this. I think it's notable for being only the
>     second time that an actual meaningful compromise has been offered in
>     respect of EME, DRM and anti-circumvention liability (the other
>     one was
>     EFF's initial proposal for a wider-scoped covenant).
>
>
> ​It's similar to the proposal made by Yandex when this was first 
> discussed more than a year ago. There was little interest then.​
>
>
>     That is to say, this is the first proposal since the initial covenant
>     that actual would affect how EME interacted with the world -- as
>     opposed
>     to voluntary, nonbinding policy working groups whose (again,
>     nonbinding)
>     work product wouldn't even be ready when and if EME was published.
>
>     EFF is very supportive of the idea of immunizing security researchers
>     from liability for revealing defects in browsers, even if they do so
>     without permission from vendors. Indeed, no immunity is required if
>     permission is granted, to say nothing of the fact that it's absurd to
>     say that companies should EVER get to decide who/when/how defects in
>     their products can be revealed.
>
>     With all that said, we can't support this. If a W3C standard
>     creates new
>     legal rights for its members -- the right to stop people from uttering
>     true facts about defects in products,to stop people who adapt
>     technology
>     for people with disabilities, to kill competing interoperable
>     products,
>     then the W3C should take every feasible step to undo this unintended
>     consequence of its standardisation.
>
>     New legal rights from technical standards are bugs, not features.
>     CDT's
>     proposal starts from the premise that the W3C has it in its power to
>     limit the exercise of anti-circumvention laws, but stops short of the
>     obvious use of that power: preventing the use of anti-circumvention
>     except when there is some bona fide cause of action, such as copyright
>     infringement, theft of trade secrets, or tortious interference.
>
>     Standards should be a means of maximizing interoperability, not a
>     coercive tool for firms to punish competitors who engage in lawful
>     conduct.
>
>     But we are very interested in what other members say about this. The
>     very narrow covenant you've described falls short of addressing the
>     concerns of the wider security community (vulnerabilities that don't
>     impact the privacy dimension are still vulnerabilities that can be
>     used
>     to attack literally billions of web users!), and is totally silent on
>     the question of accessibility.
>
>     But the DRM advocates in the W3C -- and the Director -- have
>     consistently said that W3C-standardized DRM is better than
>     industry-based, ad-hoc DRM because the former creates meaningful
>     privacy
>     protections that the industry wouldn't bother with, left to its
>     own devices.
>
>     If industry promises privacy, but won't swear not to punish people who
>     reveal that their privacy promise has been broken, then they're not
>     promising much of anything.
>
>     Which is why we're very interested in hearing what entertainment
>     industry members like Netflix, Cable Labs, Comcast, RIAA and the MPAA,
>     as well as DRM vendors and implementers like Adobe, Google, Apple,
>     Microsoft and Mozilla have to say about this.
>
>
> ​I don't have anything new to say. So - for once - I am going to 
> refrain from ​repeating what I have said before.
>
> ...Mark
>
>
>     Thanks,
>
>     Cory
>
>
>     On 06/28/2017 02:50 PM, Joseph Lorenzo Hall wrote:
>     > I would like to propose a compromise on the issue of EME going
>     forward
>     > that I think might make both sides, so to speak, a bit sad and a bit
>     > happy at the same time:
>     >
>     > The idea would be to adopt a covenant, but make it very narrow.
>     >
>     > That is, we would essentially limit the scope of a litigation
>     > non-aggression covenant to specifically cover privacy and security
>     > researchers examining implementations of w3c specifications for
>     > privacy and security flaws. For example, the batteryStatus research
>     > from Lukasz and Arvidn (and subsequent pulling of that feature from
>     > browsers) is a good example of the kind of work we want to make sure
>     > researchers know they will face little risk working on:
>     >
>     http://randomwalker.info/publications/battery-status-case-study.pdf
>     <http://randomwalker.info/publications/battery-status-case-study.pdf>
>     )
>     >
>     > Since there were so many objections (23 I believe), the Director
>     has a
>     > firm basis for saying that  there is definitely substantial support
>     > for a covenant here, but by limiting the scope of the covenant to a
>     > very narrow set of activities related to discovering privacy and
>     > security flaws in implementations of w3c specifications, the
>     covenant
>     > will be less open-ended to those opposed to the covenant and gets to
>     > the heart of a core concern of the supporters (security research
>     > protections).
>     >
>     > This may be a crazy idea, but I think it could actually move things
>     > forward (it is a typical CDT answer: everyone will be a little
>     upset,
>     > rather than some people being very very upset and some not at all).
>     >
>     > I'd of course welcome thoughts as this strikes me as a very unusual
>     > place for w3c members and w3m to be in.
>     >
>     > Cheers, Joe
>     >
>     --
>
>     FOR PUBLIC SAFETY REASONS, THIS EMAIL HAS BEEN INTERCEPTED BY YOUR
>     GOVERNMENT AND WILL BE RETAINED FOR FUTURE ANALYSIS
>
>     --
>
>     Cory Doctorow
>     Apollo 1201 Project
>
>     cory@eff.org <mailto:cory@eff.org>
>
>     For avoidance of doubt: This email does not constitute permission
>     to add
>     me to your mailing list.
>
>     READ CAREFULLY. By reading this email, you agree, on behalf of your
>     employer, to release me from all obligations and waivers arising from
>     any and all NON-NEGOTIATED  agreements, licenses, terms-of-service,
>     shrinkwrap, clickwrap, browsewrap, confidentiality, non-disclosure,
>     non-compete and acceptable use policies ("BOGUS AGREEMENTS") that
>     I have
>     entered into with your employer, its partners, licensors, agents and
>     assigns, in perpetuity, without prejudice to my ongoing rights and
>     privileges. You further represent that you have the authority to
>     release
>     me from any BOGUS AGREEMENTS on behalf of your employer.
>
>     As is the case with every email you've ever received, this email
>     has not
>     been scanned for all known viruses.
>
>     Duh.
>     --
>
>     FOR PUBLIC SAFETY REASONS, THIS EMAIL HAS BEEN INTERCEPTED BY YOUR
>     GOVERNMENT AND WILL BE RETAINED FOR FUTURE ANALYSIS
>
>     --
>
>     Cory Doctorow
>     doctorow@craphound.com <mailto:doctorow@craphound.com>
>     Wickr: doctorow
>
>     For avoidance of doubt: This email does not constitute permission
>     to add
>     me to your mailing list.
>
>     blog: boingboing.net <http://boingboing.net>
>     upcoming appearances: craphound.com/?page_id=4667
>     <http://craphound.com/?page_id=4667>
>     books (novels, collections graphic novels, essay collections):
>     craphound.com <http://craphound.com>
>     latest novel: Walkaway
>     latest nonfiction: Information Doesn't Want to Be Free
>     latest graphic novel: In Real Life
>     podcast: feeds.feedburner.com/doctorow_podcast
>     <http://feeds.feedburner.com/doctorow_podcast>
>     latest YA novel: Homeland craphound.com/homeland
>     <http://craphound.com/homeland>
>     latest short story collection: Expanded Overclocked
>
>     Join my mailing list and find out about upcoming books, stories,
>     articles and appearances:
>
>     http://www.ctyme.com/mailman/listinfo/doctorow
>     <http://www.ctyme.com/mailman/listinfo/doctorow>
>
>     READ CAREFULLY. By reading this email, you agree, on behalf of your
>     employer, to release me from all obligations and waivers arising from
>     any and all NON-NEGOTIATED  agreements, licenses, terms-of-service,
>     shrinkwrap, clickwrap, browsewrap, confidentiality, non-disclosure,
>     non-compete and acceptable use policies ("BOGUS AGREEMENTS") that
>     I have
>     entered into with your employer, its partners, licensors, agents and
>     assigns, in perpetuity, without prejudice to my ongoing rights and
>     privileges. You further represent that you have the authority to
>     release
>     me from any BOGUS AGREEMENTS on behalf of your employer.
>
>     As is the case with every email you've ever received, this email
>     has not
>     been scanned for all known viruses.
>
>     Duh.
>     --
>
>     FOR PUBLIC SAFETY REASONS, THIS EMAIL HAS BEEN INTERCEPTED BY YOUR
>     GOVERNMENT AND WILL BE RETAINED FOR FUTURE ANALYSIS
>
>     --
>
>     Cory Doctorow
>     Apollo 1201 Project
>
>     cory@eff.org <mailto:cory@eff.org>
>
>     For avoidance of doubt: This email does not constitute permission
>     to add
>     me to your mailing list.
>
>     READ CAREFULLY. By reading this email, you agree, on behalf of your
>     employer, to release me from all obligations and waivers arising from
>     any and all NON-NEGOTIATED  agreements, licenses, terms-of-service,
>     shrinkwrap, clickwrap, browsewrap, confidentiality, non-disclosure,
>     non-compete and acceptable use policies ("BOGUS AGREEMENTS") that
>     I have
>     entered into with your employer, its partners, licensors, agents and
>     assigns, in perpetuity, without prejudice to my ongoing rights and
>     privileges. You further represent that you have the authority to
>     release
>     me from any BOGUS AGREEMENTS on behalf of your employer.
>
>     As is the case with every email you've ever received, this email
>     has not
>     been scanned for all known viruses.
>
>     Duh.
>
>
Received on Thursday, 29 June 2017 01:29:03 UTC

This archive was generated by hypermail 2.3.1 : Thursday, 29 June 2017 01:29:03 UTC