- From: Coralie Mercier <coralie@w3.org>
- Date: Sun, 20 Mar 2016 16:37:57 +0200
- To: "w3c-news@w3.org" <w3c-news@w3.org>
Dear Media, Analysts and Friends of W3C,
Today W3C is making available information about W3C and Encrypted Media
Extensions (EME). There has been greater public focus around the EME work
at W3C due to an FSF conference which is taking place this weekend.
In order to address some of the issues on EME work at W3C, we have
prepared a factsheet:
Information about W3C and Encrypted Media Extensions (EME)
March 2016
https://www.w3.org/2016/03/EME-factsheet.html
This document provides background information about the World Wide Web
Consortium (W3C), clarifies definitions and current activities regarding
its work in HTML and Encrypted Media Extensions (EME), and corrects
misconceptions about "EME putting DRM in HTML".
For media and analysts, please contact: w3t-pr@w3.org to schedule an
interview with W3C staff.
Kind regards,
Coralie Mercier, Head of W3C Marketing & Communications
Text version:
-------------
[1]W3C
[1] http://www.w3.org/
Information about W3C and Encrypted Media Extensions (EME)
March 2016
This document provides background information about the World
Wide Web Consortium (W3C), clarifies definitions and current
activities regarding its work in HTML and Encrypted Media
Extensions (EME), and corrects misconceptions about "EME
putting DRM in HTML".
It became public Sunday 20 March and may be updated to add
clarifications or more information.
[2]Contents
* [3]About W3C
+ [4]What is W3C
+ [5]How W3C works
* [6]Enabling rich media experiences on the Web with
Encrypted Media Extensions (EME)
+ [7]Rich media experiences in HTML5
+ [8]W3C Members' diverse interests
+ [9]W3C Member request to develop API for Encrypted
Media Extensions (EME)
* [10]About Digital Rights Management (DRM)
+ [11]How did DRM become a discussion point for the web
platform?
+ [12]Digital Rights Management systems
* [13]About Encrypted Media Extensions (EME)
+ [14]What are Encrypted Media Extensions (EME)
+ [15]EME work at W3C
+ [16]W3C Perspectives on EME
+ [17]Objections to W3C work on EME
* [18]FAQ: Clarifications about EME and DRM
+ [19]Does EME create a new way to allow DRM into the
Web?
+ [20]Why did W3C get involved in something as
controversial as encrypted content?
+ [21]By standardizing EME, will companies force users
to accept DRM for web videos in the browsers?
+ [22]Does EME open a security hole that could allow
malicious code to run on my computer, with privileged
access to the system?
+ [23]Is EME putting DRM in HTML?
+ [24]If W3C didn't standardize EME then wouldn't DRM on
the Web have died out? Isn't the W3C keeping DRM on
the Web by standardizing EME?
+ [25]What if W3C stops the EME work now?
+ [26]Why doesn't W3C outlaw DRM?
+ [27]Does DRM on the Web make things worse for users
and their rights?
+ [28]How have EME users been helped since W3C took it
up?
+ [29]EME has been controversial because some people
have associated its use with the legal risk of
reporting security flaws and copyright circumvention.
Can the W3C do more to help users concerned about
these issues?
* [30]Related links
* [31]Media Contact
About W3C
What is W3C
The World Wide Web Consortium (W3C) is an international
standards organization that develops the technical standards
and guidelines for the Web. W3C was founded in 1994 by Sir Tim
Berners-Lee, inventor of the Web, and Director of the W3C. Dr.
Jeff Jaffe is the CEO of the W3C. Together they guide the W3C
in its mission “to lead the Web to its full potential.”
For more than 20 years, W3C has developed new standards so that
the Web works on different devices, in different languages, for
people of all abilities, and will meet the needs of diverse
industries.
How W3C works
As a technical standards consortium, W3C is a membership
organization with representatives from business and industry,
academia, governments and non-profit organizations. Its 412
Members, together with W3C staff, lead the technical work and
determine the direction for new work on the Web. W3C staff are
affiliated with one of four host organizations as part of a
joint consortium among MIT, ERCIM, Keio University and Beihang
University.
Tim Berners-Lee, inventor of the WWW, Founder of the W3C and
its Director, is the lead technical architect at W3C. His
responsibilities include assessing consensus within W3C for
architectural choices, publication of technical reports,
chartering new Groups, appointing group Chairs, "tie-breaker"
for appeal of a Working Group decision and deciding on the
outcome of formal objections.
Enabling rich media experiences on the Web with Encrypted Media
Extensions (EME)
Rich media experiences in HTML5
One area of W3C standards work that has been very well received
globally is HTML5 —the cornerstone of the Open Web Platform—
which enables rich media on the Web, including audio, video and
graphics. Because of HTML5, people can now view videos on the
Web without downloading plug-ins or using specific devices. W3C
members from many industries, including entertainment and media
companies, made significant contributions to the HTML5
specification that is in wide global use today.
W3C Members' diverse interests
As a member organization, W3C welcomes participation from
diverse stakeholders from all industries and interest groups:
users, public interest organizations, researchers, as well as
industries with a variety of models of doing business.
Different industries pursue different business models and
choose organizational structures such as non-profit,
for-profit, private, public, etc. Each stakeholder typically
brings their own requirements to W3C.
W3C Member request to develop API for Encrypted Media Extensions
(EME)
In February 2012 several W3C members proposed Encrypted Media
Extensions (EME), an extension to HTMLMediaElement that would
replace the need for users to download and install "plug-ins"
with a standard API (Application Programming Interface) that
would automatically discover, select and interact with a
third-party's protected content. The work was declared "in
scope" (within the scope of work set out for the HTML Working
Group) by Director Tim Berners-Lee in September 2013.
About Digital Rights Management (DRM)
How did DRM become a discussion point for the web platform?
In many parts of the world, media, entertainment and publishing
industries produce and sell products such as journals, movies
and books that people can purchase through various channels,
including the Web. In the physical world purchase transactions
are made in a secure physical location. On the Web, one control
mechanism typically used by content owners is called "digital
rights management" or DRM which tells users that the product
being offered —such as streaming a new movie release— costs
money or has limitations on how consumers may use it. W3C
members identified a need to create a standard way to enforce
the various DRM policies used by different organizations.
Digital Rights Management systems
DRM systems are access control technologies that are used to
constrain access to or use of proprietary hardware and
copyrighted works. Some content producers/owners feel DRM
systems are necessary to their business so that their products
(videos and other media) are not stolen or copied. Some
estimates put movie industries' revenue losses from illegal
distribution at around [32]3-4 billion a year.
[32]
https://www.quora.com/How-much-income-does-the-film-industry-lose-to-piracy?share=1
However, many consumers feel that DRM systems can be too
restrictive or take over control of their devices. Others note
that there has been a severe negative impact on cryptography
and security research since some forms of cryptanalytic
research can be considered to be in violation of laws like the
DMCA and result in [33]penalties or jail time for security
researchers.
[33]
https://en.wikipedia.org/wiki/Digital_Millennium_Copyright_Act#Effect_on_research
The Free Software community and others object to the concept of
DRM. They do not accept DRM on the Web in any form, and some
advocates believe that content on the Web should be free as a
first principle (by which they mean "liberty" not "free of
charge"). They also believe that once content appears on their
machine they should fully control it. The FSF has stated
that they object to Netflix, Spotify and many other common paid
streaming services or any proprietary software or operating
systems. Both [34]Jeff Jaffe's and [35]Tim Berners-Lee's blog
posts discussed these issues in more detail in 2013.
[34] https://www.w3.org/blog/2013/05/perspectives-on-encrypted-medi/
[35]
https://www.w3.org/blog/2013/10/on-encrypted-video-and-the-open-web/
About Encrypted Media Extensions (EME)
What are Encrypted Media Extensions (EME)
[36]Encrypted Media Extensions (EME) is currently a draft
specification developed by W3C members in the HTML Media
Extensions Working Group to develop an Application Programming
Interface (API) that enables Web applications to interact with
content protection systems to allow playback of encrypted audio
and video on the Web. The EME specification enables
communication between Web browsers and digital rights
management (DRM) agent software to allow HTML5 video playback
of DRM-wrapped content such as streaming video services without
third-party media plugins. This specification does not create
nor impose a content protection or Digital Rights Management
system. Rather, it defines a common API that may be used to
discover, select and interact with such systems as well as with
simpler content encryption systems.
[36] http://www.w3.org/TR/encrypted-media/
Implementation of Digital Rights Management is not required for
compliance with this specification. The EME API supports use
cases ranging from simple Clear Key decryption to high value
video. Only the Clear Key system, which does not require a DRM
component, is required to be implemented as a common baseline.
EME is not required for compliance with the HTML specification.
Web browser support for EME is optional; if a browser does not
support encrypted media, it will not be able to play encrypted
media. As of 2015 most major browsers - Google Chrome, Internet
Explorer, Safari, Opera and Firefox - already implement the EME
API even though it is not yet a W3C standard. Some browsers
implement EME natively and some (like Firefox) have a sandboxed
solution.
EME work at W3C
The use of the Web for streaming video services has increased
tremendously in past years. Many people in the world are eager
to have access to videos on the Web and content creators are
eager to safely share their products with the public. At W3C,
we are working to enable video on the Web to be standardized on
the Open Web.
We want a Web which is rich in content. We want a Web which is
universal in that it can contain anything. If, in order to be
able to access media like video on the Web, we are required to
have some form of content protection we feel it is better for
it to be discussed in the open at W3C. We feel it would be
better for the technology to be in a browser and better for
everyone to use an interoperable open standard.
By making the technology in a browser which can be open source,
users can then use their own Web browser, available on a
general purpose computer, instead of a special proprietary,
locked silo, device or plug-in. By creating an API that all DRM
systems can use, playback in a Web browser will be possible
(via Content Decryption Modules), thus helping to support an
open Web. Developers who use HTML5 for video can create video
playback directly without external dependency on third party
apps (like Adobe Flash or Microsoft Silverlight) and without
inheriting security vulnerabilities from those third party
apps.
The EME specification provides a framework for media that can
work across multiple browsers or operating systems on a broad
range of devices, including phones, laptops etc. - not locking
the user into one device or one choice. With EME, the browser,
not the content provider, has control of the communication. The
EME API supports a simple set of content encryption
capabilities and requires content protection system-specific
messaging to be mediated by the Web page rather than separate
and outwardly controlled communication between the encryption
system and a license or other server.
The EME API itself is intended to be DRM neutral; it can
support multiple DRM providers. This means that no one company
will have control as the single DRM provider. The EME API does
not define DRM functionality. The only mandate is that all
browsers must implement key encryption via Clear Key. Clear Key
allows media to be encrypted with a key and then played back
simply by providing that key, and it can be built into the
browser.
W3C Perspectives on EME
W3C CEO [37]Jeff Jaffe noted in May 2013 that the W3C standards
process:
[37] https://www.w3.org/blog/2013/05/perspectives-on-encrypted-medi/
"…is a consensus process whereby we bring together vast and
diverse interested parties to collaborate and achieve
consensus to address the never-ending ways in which the Web
drives increased value to society. The key objective is to
maximize interoperability and openness – values that have
served us well."
W3C's Director, Tim Berners-Lee, acknowledged and [38]directly
addressed in October 2013 some of the controversy around the
EME issue, stating:
[38]
https://www.w3.org/blog/2013/10/on-encrypted-video-and-the-open-web/
"If content protection of some kind has to be used for
videos, it is better for it to be discussed in the open at
W3C, better for everyone to use an interoperable open
standard as much as possible, and better for it to be framed
in a browser which can be open source, and available on a
general purpose computer rather than a special purpose box…
W3C is a place where people discuss possible technology. The
HTML Working Group charter is about the scope of the
discussion. W3C does not and cannot dictate what browsers or
content distributors can do. By excluding this issue from
discussion, we do not exclude it from anyone’s systems...
It is worth thinking, though, about what it is we do not
like about existing DRM-based systems, and how we could
possibly build a system which will be a more open, fairer
one than the actual systems which we see today. If we, the
programmers who design and build Web systems, are going to
consider something which could be very onerous in many ways,
what can we ask in return?"
Objections to W3C work on EME
W3C's work on EME has been criticized and characterized by some
as "putting DRM into HTML." The W3C is not creating DRM
policies and it is not requiring that HTML use DRM.
Organizations choose whether or not to have DRM on their
content. The EME API can facilitate communication between
browsers and DRM providers but the only mandate is not DRM but
a form of key encryption (Clear Key). EME allows a method of
playback of encrypted content on the Web but W3C does not make
the DRM technology nor require it. EME is an extension. It is
not required for HTML nor HTML5 video.
In late 2015, the Electronic Frontier Foundation put on the
W3C table a [39]DRM Circumvention Nonaggression Covenant
proposed by EFF for W3C Consideration. The W3C Technical
Architecture Group (TAG) convened a special session to discuss
it at the October 2015 W3C all-group Meeting (TPAC), in
particular regarding certain pieces of legislation which have
had a chilling effect on security research on software. As a
result, the TAG has [40]stated its support for a Strong and
Secure Web Platform noting the importance of security research
on software as well as broad testing and audit. (See FAQ entry)
[39] https://www.eff.org/pages/objection-rechartering-w3c-eme-group
[40]
https://www.w3.org/blog/TAG/2015/11/16/strong-web-platform-statement/
FAQ: Clarifications about EME and DRM
Does EME create a new way to allow DRM into the Web?
No. The Digital Millennium Copyright Act (DMCA) was passed by
Congress in the US in 1998 ([41]*) and the EU Copyright
Directive was passed in 2001 ([42]**) and they include
provisions to prevent circumvention of DRM. DRM on the Web has
been supported in plug-ins for a long time (e.g., in the Adobe
Flash plug-in).
[41]
https://en.wikipedia.org/wiki/Digital_rights_management#Digital_Millennium_Copyright_Act
[42]
https://en.wikipedia.org/wiki/Digital_rights_management#European_Union
Why did W3C get involved in something as controversial as encrypted
content?
If encrypted media is going to be on the Web (as users and
content providers continue to want) the W3C wants it to be done
in a Web-friendly, open, and global way. We want to make sure
that content providers can pursue their business models on the
Web (and streaming video is one of the fastest growing areas of
Web use) and that Web users can access safely and legally the
videos they want without invasive "black box" devices.
By standardizing EME, will companies force users to accept DRM for
web videos in the browsers?
No, EME does not make a Web browser a DMCA-protected "black
box." DRMs under EME can be sandboxed, as [43]Google and
[44]Mozilla have done. The Content Decryption Modules (CDM) are
handled separately and continue to be controlled by the DRM
provider.
[43]
https://groups.google.com/a/chromium.org/forum/#!msg/chromium-dev/exotX6Nf_z0/CBRBHNDQbmMJ
[44]
https://hacks.mozilla.org/2014/05/reconciling-mozillas-mission-and-w3c-eme/
Does EME open a security hole that could allow malicious code to run
on my computer, with privileged access to the system?
In the Firefox and Chrome case, the CDM code is certainly
different in nature from the majority of the UA implementation
and this does raise security issues which have led both of
those browsers to sandbox the CDM ([45]***).
[45] https://lists.w3.org/Archives/Public/www-tag/2014Sep/0039.html
Is EME putting DRM in HTML?
No, EME is not DRM for HTML ([46]****). It does not in any way
prevent you from using "view source" on HTML. It is not
necessary to encrypt video to use it on the Web either. Whether
the browser is set to accept encrypted content can be the
user's choice.
[46] https://my.fsf.org/civicrm/profile/create?gid=183&reset=1
If W3C didn't standardize EME then wouldn't DRM on the Web have died
out? Isn't the W3C keeping DRM on the Web by standardizing EME?
Flash was already on its way out before EME precisely because
browsers already supported encrypted video, just not in a
standard way.
What if W3C stops the EME work now?
EME is already widely [47]deployed on the Web. Netflix supports
HTML5 video using EME with supported browsers Google Chrome,
Firefox, Microsoft Edge, Internet Explorer, Safari and Opera.
Browsers that do not support EME can use plugins such as Adobe
Flash or Microsoft Silverlight to deliver encrypted video
(though support for these plugins is being phased out). YouTube
supports the HTML5 MSE. Version 4.3 and subsequent versions of
Android support EME.
[47] https://en.wikipedia.org/wiki/Encrypted_Media_Extensions
Why doesn't W3C outlaw DRM?
The W3C is a technical standards organization. Those that
believe that laws (like DMCA) which support DRM are unethical
should use the legal processes in their countries to get those
laws overturned.
Does DRM on the Web make things worse for users and their rights?
Whether people have a right to make a copy of
downloaded/streamed video data is an important question and
should be treated as a separate issue from on-demand
downloading and direct access to the video hardware / frame
buffer. EME does not affect the question of user rights - it
only affects whether video content providers, such as movie
distribution companies, need to use a standard API or different
mechanisms for each browser on each platform. Also, many users
would rather have an easy, legal way to access content on their
Web browser than face penalties for accidental misuse or
circumvention.
How have EME users been helped since W3C took it up?
As [48]Mark Watson noted in response to a March 2016 blog post
by Joi Ito: both the EME spec and the implementations have
evolved significantly. DRMs under EME can be sandboxed, as
Google and Mozilla have done, such that the DRM has no network
access and is permitted to persist data or otherwise access the
machine only as allowed by the (open source) sandbox. Also
there are strict rules for privacy-sensitive identifiers and
user consent and users can completely disable the DRM, clear
its storage, and reset any identifiers. Sites using EME will
also be required to deploy HTTPS. Watson noted:
[48]
http://pubpub.ito.com/pub/dmca-drm-aml-kyc-backdoors/discussions/56e606f3d0dfe93800897dae
"These changes in how DRM is integrated with the web
(because it was, as has been mentioned, very much there
before all of this) likely would not have happened without
the W3C’s involvement."
EME has been controversial because some people have associated its
use with the legal risk of reporting security flaws and copyright
circumvention. Can the W3C do more to help users concerned about
these issues?
The W3C Technical Architecture Group (TAG) has stated its
support for a Strong and Secure Web Platform noting the
importance of security research on software as well as broad
testing and audit. They stated:
"The Web has been built through iteration and collaboration,
and enjoys strong security because so many people are able
to continually test and review its designs and
implementations. As the Web gains interfaces to new device
capabilities, we rely even more on broad participation,
testing, and audit to keep users safe and the web’s security
model intact. Therefore, W3C policy should assure that such
broad testing and audit continues to be possible, as it is
necessary to keep both design and implementation quality
high."
The importance of security and testing has also been emphasized
by the W3C Advisory Board. W3C is working on several
initiatives to make the Web more secure.
Related links
[49]DRM Non-Aggression on the Table at W3C, by Danny O'Brien,
March 16, 2016
[49]
https://www.eff.org/deeplinks/2016/03/drm-non-aggression-table-w3c
[50]Why anti-money laundering laws and poorly designed
copyright laws are similar and should be revised, by Joi Ito,
March 12, 2016
[50] http://pubpub.ito.com/pub/dmca-drm-aml-kyc-backdoors
[51]An invitation to the free-software community for real
dialog by Mike Smith, March 11, 2016
[51]
https://www.w3.org/blog/2016/03/an-invitation-to-the-free-software-community-for-real-dialog/
[52]Show them the world is watching. Stop the Hollyweb by Zak
Rogoff, March 7, 2016
[52]
https://www.defectivebydesign.org/show-them-the-world-is-watching-stop-drm-in-html
[53]W3C EME is not DRM (nor other fear-mongering TLAs) by
Adrian Roselli, January 14, 2014
[53]
http://adrianroselli.com/2014/01/w3c-eme-is-not-drm-nor-other-fear.html
[54](Austening ourselves to the full Brontë) Please Bring Me
More Of That Yummy DRM Discussion, by Robin Berjon, January 10,
2014
[54] http://berjon.com/yummy-drm/
[55]We are Huxleying ourselves into the full Orwell, by Cory
Doctorow, January 9, 2014
[55]
http://mostlysignssomeportents.tumblr.com/post/72759474218/we-are-huxleying-ourselves-into-the-full-orwell
[56]On Encrypted Video and the Open Web, by Tim Berners-Lee,
October 9, 2013
[56]
https://www.w3.org/blog/2013/10/on-encrypted-video-and-the-open-web/
[57]Dear EFF: please don’t pick the wrong fight, by Chris
Adams, October 4, 2013
[57] http://chris.improbable.org/2013/10/4/dear-eff/
[58]Lowering Your Standards: DRM and the Future of the W3C by
Danny O'Brien, October 2, 2013
[58] https://www.eff.org/deeplinks/2013/10/lowering-your-standards
[59]DRM and HTML5: it's now or never for the Open Web, by Harry
Halpin, June 6, 2013
[59]
http://www.theguardian.com/technology/2013/jun/06/html5-drm-w3c-open-web
[60]DRM in HTML5 is a victory for the open Web, not a defeat,
at Ars Technica, May 10, 2013
[60]
http://arstechnica.com/business/2013/05/drm-in-html5-is-a-victory-for-the-open-web-not-a-defeat/
[61]Perspectives on Encrypted Media Extension Reaching First
Public Working Draft, by Jeff Jaffe, May 9, 2013
[61] https://www.w3.org/blog/2013/05/perspectives-on-encrypted-medi/
[62]DRM at the W3C? Not such a Bad Idea., by John Foliot, April
25, 2013
[62] http://john.foliot.ca/drm-at-the-w3c/
[63]What I wish Tim Berners-Lee understood about DRM, by Cory
Doctorow, March 12, 2013
[63]
http://www.theguardian.com/technology/blog/2013/mar/12/tim-berners-lee-drm-cory-doctorow
Media Contact
Send media enquiries to [64]w3t-pr@w3.org.
__________________________________________________________
[64] mailto:w3t-pr@w3.org
[65]Coralie Mercier, W3C Marketing & Communications, Editor
$Id: EME-factsheet.html,v 1.15 2016/03/20 18:28:21 coralie
Exp $
Copyright © 2016 W3C® ([66]MIT, [67]ERCIM, [68]Keio,
[69]Beihang) [70]Usage policies apply.
[65] https://www.w3.org/People/#coralie
[66] http://www.csail.mit.edu/
[67] http://www.ercim.eu/
[68] http://www.keio.ac.jp/
[69] http://ev.buaa.edu.cn/
[70] https://www.w3.org/Consortium/Legal/ipr-notice
--
Coralie Mercier - W3C Marketing & Communications - http://www.w3.org
mailto:coralie@w3.org +336 4322 0001 http://www.w3.org/People/CMercier/
Received on Sunday, 20 March 2016 20:38:00 UTC