- From: Cory Doctorow <cory@eff.org>
- Date: Thu, 29 Jun 2017 05:48:17 -0700
- To: Jeff Jaffe <jeff@w3.org>, Mark Watson <watsonm@netflix.com>
- Cc: Joseph Lorenzo Hall <joe@cdt.org>, Tim Berners-Lee <timbl@w3.org>, w3c-ac-forum <w3c-ac-forum@w3.org>, "public-html-media@w3.org" <public-html-media@w3.org>
- Message-ID: <67807f0c-43e8-650b-2e92-bdad194968d9@eff.org>
Jeff, I think there's a significant difference, which is that Joe's
proposal is the first one to date -- since the initial covenant -- that
would materially improve EME.
Cory
On 06/28/2017 06:28 PM, Jeff Jaffe wrote:
> Joe,
>
> I appreciate your continued efforts to find a place in the middle on
> this issue.
>
> As Mark points out, variations on this theme have been proposed before.
>
> As you can see from the thread, neither Netflix nor EFF support this.
> Unfortunately, there have been several compromise proposals that have
> been floated, but none were able to get traction.
>
> Jeff
>
>
> On 6/28/2017 7:43 PM, Mark Watson wrote:
>>
>>
>> On Wed, Jun 28, 2017 at 4:25 PM, Cory Doctorow <cory@eff.org> wrote:
>>
>> Hey, Joe! Thank you for this. I think it's notable for being only the
>> second time that an actual meaningful compromise has been offered in
>> respect of EME, DRM and anti-circumvention liability (the other one was
>> EFF's initial proposal for a wider-scoped covenant).
>>
>>
>> It's similar to the proposal made by Yandex when this was first
>> discussed more than a year ago. There was little interest then.
>>
>>
>>
>> That is to say, this is the first proposal since the initial covenant
>> that actually would affect how EME interacted with the world -- as opposed
>> to voluntary, nonbinding policy working groups whose (again, nonbinding)
>> work product wouldn't even be ready when and if EME was published.
>>
>> EFF is very supportive of the idea of immunizing security researchers
>> from liability for revealing defects in browsers, even if they do so
>> without permission from vendors. Indeed, no immunity is required if
>> permission is granted, to say nothing of the fact that it's absurd to
>> say that companies should EVER get to decide who/when/how defects in
>> their products can be revealed.
>>
>> With all that said, we can't support this. If a W3C standard creates new
>> legal rights for its members -- the right to stop people from uttering
>> true facts about defects in products, to stop people who adapt technology
>> for people with disabilities, to kill competing interoperable products,
>> then the W3C should take every feasible step to undo this unintended
>> consequence of its standardisation.
>>
>> New legal rights from technical standards are bugs, not features. CDT's
>> proposal starts from the premise that the W3C has it in its power to
>> limit the exercise of anti-circumvention laws, but stops short of the
>> obvious use of that power: preventing the use of anti-circumvention
>> except when there is some bona fide cause of action, such as copyright
>> infringement, theft of trade secrets, or tortious interference.
>>
>> Standards should be a means of maximizing interoperability, not a
>> coercive tool for firms to punish competitors who engage in lawful
>> conduct.
>>
>> But we are very interested in what other members say about this. The
>> very narrow covenant you've described falls short of addressing the
>> concerns of the wider security community (vulnerabilities that don't
>> impact the privacy dimension are still vulnerabilities that can be used
>> to attack literally billions of web users!), and is totally silent on
>> the question of accessibility.
>>
>> But the DRM advocates in the W3C -- and the Director -- have
>> consistently said that W3C-standardized DRM is better than
>> industry-based, ad-hoc DRM because the former creates meaningful privacy
>> protections that the industry wouldn't bother with, left to its
>> own devices.
>>
>> If industry promises privacy, but won't swear not to punish people who
>> reveal that their privacy promise has been broken, then they're not
>> promising much of anything.
>>
>> Which is why we're very interested in hearing what entertainment
>> industry members like Netflix, Cable Labs, Comcast, RIAA and the MPAA,
>> as well as DRM vendors and implementers like Adobe, Google, Apple,
>> Microsoft and Mozilla have to say about this.
>>
>>
>> I don't have anything new to say. So - for once - I am going to
>> refrain from repeating what I have said before.
>>
>> ...Mark
>>
>>
>>
>>
>> Thanks,
>>
>> Cory
>>
>>
>> On 06/28/2017 02:50 PM, Joseph Lorenzo Hall wrote:
>> > I would like to propose a compromise on the issue of EME going forward
>> > that I think might make both sides, so to speak, a bit sad and a bit
>> > happy at the same time:
>> >
>> > The idea would be to adopt a covenant, but make it very narrow.
>> >
>> > That is, we would essentially limit the scope of a litigation
>> > non-aggression covenant to specifically cover privacy and security
>> > researchers examining implementations of w3c specifications for
>> > privacy and security flaws. For example, the batteryStatus research
>> > from Lukasz and Arvind (and subsequent pulling of that feature from
>> > browsers) is a good example of the kind of work we want to make sure
>> > researchers know they will face little risk working on:
>> >
>> > http://randomwalker.info/publications/battery-status-case-study.pdf
>> >
>> > Since there were so many objections (23 I believe), the Director has a
>> > firm basis for saying that there is definitely substantial support
>> > for a covenant here, but by limiting the scope of the covenant to a
>> > very narrow set of activities related to discovering privacy and
>> > security flaws in implementations of w3c specifications, the covenant
>> > will be less open-ended to those opposed to the covenant and gets to
>> > the heart of a core concern of the supporters (security research
>> > protections).
>> >
>> > This may be a crazy idea, but I think it could actually move things
>> > forward (it is a typical CDT answer: everyone will be a little upset,
>> > rather than some people being very very upset and some not at all).
>> >
>> > I'd of course welcome thoughts as this strikes me as a very unusual
>> > place for w3c members and w3m to be in.
>> >
>> > Cheers, Joe
>> >
>> --
>>
>> FOR PUBLIC SAFETY REASONS, THIS EMAIL HAS BEEN INTERCEPTED BY YOUR
>> GOVERNMENT AND WILL BE RETAINED FOR FUTURE ANALYSIS
>>
>> --
>>
>> Cory Doctorow
>> Apollo 1201 Project
>>
>> cory@eff.org <mailto:cory@eff.org>
>>
>> For avoidance of doubt: This email does not constitute permission to add
>> me to your mailing list.
>>
>> READ CAREFULLY. By reading this email, you agree, on behalf of your
>> employer, to release me from all obligations and waivers arising from
>> any and all NON-NEGOTIATED agreements, licenses, terms-of-service,
>> shrinkwrap, clickwrap, browsewrap, confidentiality, non-disclosure,
>> non-compete and acceptable use policies ("BOGUS AGREEMENTS") that I have
>> entered into with your employer, its partners, licensors, agents and
>> assigns, in perpetuity, without prejudice to my ongoing rights and
>> privileges. You further represent that you have the authority to release
>> me from any BOGUS AGREEMENTS on behalf of your employer.
>>
>> As is the case with every email you've ever received, this email has not
>> been scanned for all known viruses.
>>
>> Duh.
>> --
>>
>> FOR PUBLIC SAFETY REASONS, THIS EMAIL HAS BEEN INTERCEPTED BY YOUR
>> GOVERNMENT AND WILL BE RETAINED FOR FUTURE ANALYSIS
>>
>> --
>>
>> Cory Doctorow
>> doctorow@craphound.com <mailto:doctorow@craphound.com>
>> Wickr: doctorow
>>
>> For avoidance of doubt: This email does not constitute permission to add
>> me to your mailing list.
>>
>> blog: boingboing.net <http://boingboing.net>
>> upcoming appearances: craphound.com/?page_id=4667
>> <http://craphound.com/?page_id=4667>
>> books (novels, collections graphic novels, essay collections):
>> craphound.com <http://craphound.com>
>> latest novel: Walkaway
>> latest nonfiction: Information Doesn't Want to Be Free
>> latest graphic novel: In Real Life
>> podcast: feeds.feedburner.com/doctorow_podcast
>> <http://feeds.feedburner.com/doctorow_podcast>
>> latest YA novel: Homeland craphound.com/homeland
>> <http://craphound.com/homeland>
>> latest short story collection: Expanded Overclocked
>>
>> Join my mailing list and find out about upcoming books, stories,
>> articles and appearances:
>>
>> http://www.ctyme.com/mailman/listinfo/doctorow
>> <http://www.ctyme.com/mailman/listinfo/doctorow>
>>
Received on Thursday, 29 June 2017 12:49:03 UTC