W3C misses the point with inadequate security guidance

Yesterday, the project manager of W3C (World Wide Web Consortium) announced unofficial guidance for organizations facing reports of user-threatening vulnerabilities in their programs or Web sites.

The W3C, which sets the Web's technical specifications, hopes to appease Defective by Design and other critics concerned about threats to the Web's security posed by EME (Encrypted Media Extensions), a proposal to enshrine DRM (Digital Restrictions Management) in Web standards.

The guidance, released by W3C Project Manager Philippe Le Hégaret, takes the form of a rough template that companies can adapt to create their own public-facing policies for handling the disclosure of vulnerabilities by external security researchers. It is based on the policy used by Netflix, a prominent supporter of EME.

Le Hégaret's ostensible solution misses the point. Creating a favorable environment for catching vulnerabilities is an admirable goal. But these types of vulnerabilities are only the tip of the iceberg that is the harm of DRM in Web standards.

As Web users have attested through our anti-EME selfie campaign and in-person protests in Boston, USA and Lisbon, Portugal, DRM erodes the foundational social contract of the free Web. It spies on users, sending their media-use habits back to companies. It chills remixing and commentary by preventing otherwise legally protected reuse of media. It creates lock-in and walled gardens, throwing cold water on interoperability and competition. It makes it more difficult to make media accessible to people with disabilities. By definition, it denies users control over their computers because it is black-box software that is impossible to modify. Even if every company fixed every DRM vulnerability disclosed by every security researcher, these effects would persist.

Even as a half-measure to mitigate only the security risks of DRM in Web standards, we expect the guidance to be ineffective. It encourages non-binding policies which reserve companies' rights to sic their lawyers on security researchers. In fact, these policies may even empower such legal attacks by helping companies cast researchers as irresponsible when researchers are forced to break the policies to adequately protect the public. Security research expert Rich Kulawiec thoroughly laid out the security case against the W3C guidance in a recent post to the W3C's public-security-disclosure list.

We urge the universities, nonprofits and companies that make up the W3C membership to pledge to block the advancement of EME, and Web users to make sure the W3C knows they disapprove of its willingness to normalize DRM.

We have been fighting EME since 2013, and we will not back off because the W3C presents weak guidance as a fig leaf for DRM-using companies to hide their disrespect for users' rights. Companies can impose DRM without the W3C; but we should make them do it on their own, so it is seen for what it is—a subversion of the Web's principles—rather than normalize it or give it endorsement.