A Call to the Security Community: The W3C's DRM Extension Must Be Investigated
The World Wide Web Consortium has published a "Candidate Recommendation" for Encrypted Media Extensions, a pathway to DRM for streaming video.
A large community of security researchers and public interest groups have been alarmed by the security implications of baking DRM into the HTML5 standard. That's because DRM -- unlike all the other technology that the W3C has ever standardized — enjoys unique legal protection under a tangle of international laws, like the US Digital Millennium Copyright Act, Canada's Bill C-11, and EU laws that implement Article 6 of the EUCD.
Under these laws, companies can threaten legal action against researchers who circumvent DRM, even if they does so for lawful purposes, like disclosing security vulnerabilities. Last summer, a who's-who America's most esteemed security researchers filed comments with the US Copyright Office warning the agency that they routinely discovered vulnerabilities in systems from medical implants to voting machines to cars, but were advised not to disclose those discoveries because of the risk of legal reprisals under Section 1201 of the DMCA.
