What Is Web DRM?
The new standard, referred to colloquially as Web DRM, is officially known as EME, or Encrypted Media Extensions. The World Wide Web Consortium (W3C) approved the framework at the behest of digital media giants like Netflix who want to make distributing DRM-encumbered video a little easier for their end users. It’s a laudable goal, and one we could all benefit from.
Right now Netflix needs to use Microsoft’s Silverlight plugin in order to stream DRM-protected video to their customers’ browsers. This isn’t ideal: not only does it require the user to install software before they can use the service, but it’s also fairly insecure. Plugins like Silverlight and Flash are some of the least secure features on the Web, providing huge attack surfaces for hackers and requiring constant updating to stay ahead of their many security holes. And since Netflix doesn’t have much control over Silverlight’s development, they can’t do a lot to fix these problems directly.
The Web DRM standard purports to fix this snarl of bad software by building a standard DRM system into every browser. Then, Netflix could use that now-standardized channel to distribute DRM-protected videos to users. And that’s a good thing: we’re all for improved ease of use and fewer plugins. But security commentators and researchers have expressed skepticism about the new standard’s security and usability.
What’s Wrong with Web DRM?
DRM has done a lot of work to accrue the bad reputation it has. Many digital rights management solutions make life difficult for legitimate users, requiring buggy and insecure software or imposing obnoxious limitations on legally-purchased content. Even functional DRM can seem unfair since the restrictions placed on content are often unclear until after the content is purchased. Free web advocates complain that DRM treats the end user like an adversary, assuming ill intent and forcing users to jump through onerous hoops while doing little to nothing to deter actual bad actors.
So when folks started talking about a Web standard for DRM, it’s no surprise that a lot of tech evangelists were suspicious. After so many mediocre-at-best attempts to enable DRM on the Web, would embedding DRM into every web browser really be a good idea? No points for guessing what advocates thought.
Writing for the EFF, open web advocate Cory Doctorow says the standard provides “no safeguards whatsoever for accessibility, security research or competition,” consolidating undue power in the hands of existing industry leaders. As written, the standard includes no provision for security researchers to attempt to discover security holes in the DRM, limiting such crucial security work to either the developers of the standard or black-hat hackers. As we’ve learned in multiple security leaks over the last year, including Meltdown and Spectre, developers are not super great at finding vulnerabilities in their own software, whatever it may be. Instead of the next security hole in your machine coming from an open-source library or system-critical component, attackers could come in through your Web DRM system. It could also make content harder to access for those with disabilities and make entry into media-based markets difficult for new competitors. And with the imminent end of Net Neutrality, we don’t need to make moving into markets more difficult for new competitors.
In an FCC-style move, the W3C approved the standard despite widespread disagreement. It ignored a compromise covenant championed by EFF, Archive.org, a UN official, security researchers and other open web advocates. Instead, they approved a rigid version of the DRM standard with “no protections and no compromises at all,” writes Doctorow.
For the advocates, Web pioneer and W3C board member Tim Berners-Lee posted a detailed response saying that the EME spec “remains a better alternative for users than other platforms” and stating that concerns raised by the EFF and others have already been addressed.
What Does Web DRM Mean for You?
While Web DRM in the form of EME might be coming soon, it’s not here yet. The standard seeks to standardize the design of DRM browser extensions, which could make it easier for companies to implement DRM into their video content. It doesn’t force web browsers to implement DRM, and it still allows for the use of video without DRM. If it works perfectly, Web DRM might be transparent to the user, but this seems unlikely. Instead, EME could have far-reaching effects, making consuming content a more difficult, user-hostile experience. And with DRM’s poor track record of success, it’s hard to be anything but skeptical.