
DRM in HTML5 takes its next step toward standardization

Web group also pushes measures to protect security researchers who find DRM flaws.

Encrypted Media Extensions (EME), a mechanism by which HTML5 video providers can discover and enable DRM providers offered by a browser, has taken the next step on its contentious road to standardization. The World Wide Web Consortium (W3C), the standards body that oversees most Web-related specifications, has moved the EME specification to the Proposed Recommendation stage.

The next and final stage is for the W3C's Advisory Committee to review the proposal. If it passes review, the proposal will be blessed as a full W3C Recommendation.

Ever since W3C decided to start working on a DRM proposal, there have been complaints from those who oppose DRM on principle. The work has continued regardless, with W3C director and HTML inventor Tim Berners-Lee arguing that—given that DRM is already extant and, at least for video, unlikely to disappear any time soon—it's better for DRM-protected content to be a part of the Web ecosystem than to be separate from it.

Berners-Lee argued that, for almost all video providers, the alternative to DRM in the browser is DRM in a standalone application. He also argued that these standalone applications represent a greater risk to privacy and security than the constrained, sandboxed environment of the Web. He acknowledges that DRM has problems, chiefly the difficulties it imposes for fair use, derivative works, and backups. He notes, however, that a large body of consumers don't appear overly concerned with these issues, as they continue to buy or subscribe to DRM-protected content.

Thus far, these concerns have been substantially ignored, as they're problems that are inherent to DRM rather than problems with any one particular specification. Setting aside these concerns is implicit in the decision to develop the EME specification in the first place.

EME does not itself define any DRM scheme. The only mandatory requirement is to provide a clear key system that uses plain-text (unprotected) keys for decrypting protected content.
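The Clear Key exchange mentioned above, as an added example that is not part of the original article: a Node.js sketch of turning a Clear Key license request into its license, using the JSON message formats from the EME specification's Clear Key section. The function names, the key store, and the sample key ID and key are assumptions constructed for illustration.

```javascript
// Constructed sample key store: key ID (hex) -> 128-bit content key (hex).
// Both values are made up for this example.
const SAMPLE_KEYS = new Map([
  ["000102030405060708090a0b0c0d0e0f", "a0a1a2a3a4a5a6a7a8a9aaabacadaeaf"],
]);

// base64url without padding, as the Clear Key message formats require.
function toBase64Url(bytes) {
  return Buffer.from(bytes).toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

function fromBase64Url(text) {
  if (!/^[A-Za-z0-9_-]+$/.test(text)) throw new Error("kid is not base64url");
  return Buffer.from(text.replace(/-/g, "+").replace(/_/g, "/"), "base64");
}

// Turn a Clear Key license request (the bytes a MediaKeySession delivers in
// its "message" event) into the JWK Set passed back to session.update().
function buildClearKeyLicense(requestBytes, keys = SAMPLE_KEYS) {
  const request = JSON.parse(new TextDecoder().decode(requestBytes));
  if (!Array.isArray(request.kids) || request.kids.length === 0) {
    throw new Error("license request carries no key IDs");
  }
  const jwks = request.kids.map((kid) => {
    const keyHex = keys.get(fromBase64Url(kid).toString("hex"));
    if (keyHex === undefined) throw new Error("unknown key ID: " + kid);
    // "k" is the raw content key, only base64url-encoded: nothing in the
    // format encrypts or binds it, so any script or proxy that sees this
    // message holds the key.
    return { kty: "oct", kid, k: toBase64Url(Buffer.from(keyHex, "hex")) };
  });
  return JSON.stringify({ keys: jwks, type: request.type || "temporary" });
}

// Constructed request for the sample key ID above.
const sampleRequest = new TextEncoder().encode(JSON.stringify({
  kids: [toBase64Url(Buffer.from("000102030405060708090a0b0c0d0e0f", "hex"))],
  type: "temporary",
}));
console.log(buildClearKeyLicense(sampleRequest));
```

Because the key travels in the clear, this key system is a baseline for interoperability and testing rather than a content-protection measure.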

W3C did respond to certain other concerns. In particular, security researchers feared that reports of bugs in DRM systems could land the consortium in legal hot water if those bugs created the possibility of circumventing the DRM protection. The chief culprit here is the US's Digital Millennium Copyright Act (DMCA). The DMCA prohibits circumventing any "Technical Protection Measure," though other jurisdictions—including Canada, the EU, and Australia—have comparable legislation.

To that end, W3C is developing a set of security best practices for disclosure of such flaws. These rules are consistent with common "coordinated disclosure" policies, wherein organizations are given a reasonable time to respond to and repair flaws prior to their public disclosure. Significant for the DRM issue, they also require the organization to not bring suit against anyone disclosing flaws or cooperating with any law enforcement investigation related to such disclosure.

The Advisory Committee review period runs until April 13. The decision can go one of several ways: If it isn't accepted as a full Recommendation, it can be knocked back to a Candidate Recommendation or Working Draft for further work and improvement, or it can be published as a Working Group Note. This option exists for specifications in which W3C fails to form any kind of consensus and chooses to abandon work on a particular proposal.

Even if the EME spec is abandoned at the last minute and fails to make the grade as a Recommendation, all the major browsers—Chrome, Internet Explorer, Edge, Firefox, and Safari—already implement draft versions, and there are compatible DRM modules from Google, Microsoft, and Adobe. Sites including Netflix and YouTube can both use EME to stream encrypted video within the browser without the need for plugins such as Silverlight or Flash.
