Information about W3C and Encrypted Media Extensions (EME) March 2016


This document provides background information about the World Wide Web Consortium (W3C), clarifies definitions and current activities regarding its work in HTML and Encrypted Media Extensions (EME), and corrects misconceptions about "EME putting DRM in HTML".

It became public Sunday 20 March and may be updated to add clarifications or more information.

About W3C

What is W3C

The World Wide Web Consortium (W3C) is an international standards organization that develops the technical standards and guidelines for the Web. W3C was founded in 1994 by Sir Tim Berners-Lee, inventor of the Web, and Director of the W3C. Dr. Jeff Jaffe is the CEO of the W3C. Together they guide the W3C in its mission “to lead the Web to its full potential.”

For more than 20 years, W3C has developed new standards so that the Web works on different devices, in different languages, for people of all abilities, and will meet the needs of diverse industries.

How W3C works

As a technical standards consortium, W3C is a membership organization with representatives from business and industry, academia, governments and non-profit organizations. Its 412 Members, together with W3C staff, lead the technical work and determine the direction for new work on the Web. W3C staff are affiliated with one of four host organizations as part of a joint consortium among MIT, ERCIM, Keio University and Beihang University.

Tim Berners-Lee, inventor of the WWW, Founder of the W3C and its Director, is the lead technical architect at W3C. His responsibilities include assessing consensus within W3C for architectural choices, publication of technical reports, chartering new Groups, appointing group Chairs, acting as "tie-breaker" for appeals of Working Group decisions, and deciding on the outcome of formal objections.

Encrypted Media Extensions (EME) and Rich Media on the Web

Rich media experiences in HTML5

One area of W3C standards work that has been very well received globally is HTML5 —the cornerstone of the Open Web Platform— which enables rich media on the Web, including audio, video and graphics. Because of HTML5, people can now view videos on the Web without downloading plug-ins or using specific devices. W3C members from many industries, including entertainment and media companies, made significant contributions to the HTML5 specification that is in wide global use today.

W3C Members' diverse interests

As a member organization, W3C welcomes participation from diverse stakeholders from all industries and interest groups: users, public interest organizations, researchers, as well as industries with a variety of models of doing business. Different industries pursue different business models and choose organizational structures such as non-profit, for-profit, private, public, etc. Each stakeholder typically brings their own requirements to W3C.

W3C Member request to develop API for Encrypted Media Extensions (EME)

In February 2012 several W3C members proposed Encrypted Media Extensions (EME), an extension to HTMLMediaElement that would replace the need for users to download and install "plug-ins" with a standard API (Application Programming Interface) that would automatically discover, select and interact with a third party's protected content. The work was declared "in scope" (within the scope of work set out for the HTML Working Group) by Director Tim Berners-Lee in September 2013.

About Digital Rights Management (DRM)

How did DRM become a discussion point for the web platform?

Digital Rights Management (DRM) is commonly used to limit distribution of journals, movies and books that people purchase through the Web. W3C members identified a need to create standards to make the use of DRM more transparent and seamless on the Web.

Digital Rights Management systems

DRM systems are access control technologies that are used to constrain access to or use of proprietary hardware and copyrighted works. DRM is commonly used to ensure that products (videos and other media) are not stolen or copied. Some estimates put movie industries' revenue losses from illegal distribution at around 3-4 billion a year. Laws preventing the circumvention of DRM exist in a number of countries worldwide, including the DMCA in the United States.

The Free Software community and others object to the concept of DRM. They do not accept DRM on the Web in any form, and some advocates believe that content on the Web should be free as a first principle (by which they mean "liberty" not "free of charge"). They also believe that once content appears on their machine that they should fully control it. The FSF has stated that they object to Netflix, Spotify and many other common paid streaming services or any proprietary software or operating systems. Both Jeff Jaffe's and Tim Berners-Lee's blog posts discussed these issues in more detail in 2013.

About Encrypted Media Extensions (EME)

What are Encrypted Media Extensions (EME)

Encrypted Media Extensions (EME) is currently a draft specification developed by W3C members in the HTML Media Extensions Working Group. It defines an Application Programming Interface (API) that enables Web applications to interact with content protection systems to allow playback of encrypted audio and video on the Web. The EME specification enables communication between Web browsers and digital rights management (DRM) agent software to allow HTML5 video playback of DRM-wrapped content, such as streaming video services, without third-party media plugins. This specification neither creates nor imposes a content protection or Digital Rights Management system. Rather, it defines a common API that may be used to discover, select and interact with such systems as well as with simpler content encryption systems.

Implementation of Digital Rights Management is not required for compliance with this specification. The EME API supports use cases ranging from simple Clear Key decryption to high value video. Only the Clear Key system, which does not require a DRM component, is required to be implemented as a common baseline.

EME is not required for compliance with the HTML specification. Web browser support for EME is optional; if a browser does not support encrypted media, it will not be able to play encrypted media. As of 2015 most major browsers (Google Chrome, Internet Explorer, Safari, Opera and Firefox) already implement the EME API even though it is not yet a W3C standard. Some browsers implement EME natively and some (like Firefox) have a sandboxed solution.

EME work at W3C

The use of the Web for streaming video services has increased tremendously in past years. Many people in the world are eager to have access to videos on the Web and content creators are eager to safely share their products with the public. At W3C, we are working to enable video on the Web to be standardized on the Open Web.

We want a Web which is rich in content. We want a Web which is universal in that it can contain anything. If, in order to be able to access media like video on the Web, we are required to have some form of content protection we feel it is better for it to be discussed in the open at W3C. We feel it would be better for the technology to be in a browser and better for everyone to use an interoperable open standard.

By placing the technology in a browser, which can be open source, users can use their own Web browser, available on a general purpose computer, instead of a special proprietary, locked silo, device or plug-in. By creating an API that all DRM systems can use, playback in a Web browser will be possible (via Content Decryption Modules), thus helping to support an open Web. Developers who use HTML5 for video can play back video directly, without an external dependency on third-party apps (like Adobe Flash or Microsoft Silverlight) and without inheriting security vulnerabilities from those third-party apps.

The EME specification provides a framework for media that can work across multiple browsers or operating systems on a broad range of devices, including phones, laptops etc. - not locking the user into one device or one choice. With EME, the browser, not the content provider, has control of the communication. The EME API supports a simple set of content encryption capabilities and requires content protection system-specific messaging to be mediated by the Web page rather than separate and outwardly controlled communication between the encryption system and a license or other server.

The EME API itself is intended to be DRM neutral; it can support multiple DRM providers. This means that no one company will have control as the single DRM provider. The EME API does not define DRM functionality. The only mandate is that all browsers must implement key encryption via Clear Key. Clear Key allows media to be encrypted with a key and then played back simply by providing that key, and it can be built into the browser.
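The Clear Key exchange described above, sketched as an added example that is not part of the W3C document: the page's script receives the CDM's license request (a JSON list of key IDs), and answers with a JWK Set that it would hand back through session.update(). The key store, key IDs, keys and function names are constructed for illustration; note that with Clear Key the content key passes through page script in the clear.

```javascript
// Added example: Clear Key license exchange as the page's script mediates it.
// Key IDs and keys below are constructed sample values, not real content keys.

const toB64Url = (buf) =>
  buf.toString('base64').replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
const fromB64Url = (s) =>
  Buffer.from(s.replace(/-/g, '+').replace(/_/g, '/'), 'base64');

// Hypothetical key store: hex key ID -> hex 128-bit content key.
const KEY_STORE = new Map([
  ['00112233445566778899aabbccddeeff', '0f0e0d0c0b0a09080706050403020100'],
]);

// Parse the bytes a Clear Key CDM emits in the session "message" event.
function parseLicenseRequest(messageBytes) {
  const req = JSON.parse(Buffer.from(messageBytes).toString('utf8'));
  if (!Array.isArray(req.kids) || req.kids.length === 0) {
    throw new Error('license request carries no key IDs');
  }
  return req.kids.map((kid) => {
    const raw = fromB64Url(kid);
    if (raw.length !== 16) throw new Error('key ID must be 16 bytes');
    return raw.toString('hex');
  });
}

// Build the JWK Set the page passes back to the CDM via session.update().
// An unknown key ID is refused rather than answered with a partial license.
function buildLicense(messageBytes, keyStore = KEY_STORE) {
  const keys = parseLicenseRequest(messageBytes).map((kidHex) => {
    const keyHex = keyStore.get(kidHex);
    if (!keyHex) throw new Error(`no key for key ID ${kidHex}`);
    return {
      kty: 'oct',
      kid: toB64Url(Buffer.from(kidHex, 'hex')),
      k: toB64Url(Buffer.from(keyHex, 'hex')),
    };
  });
  return Buffer.from(JSON.stringify({ keys, type: 'temporary' }), 'utf8');
}

// Constructed request, shaped like the one a Clear Key CDM generates.
function sampleRequest(kidHex) {
  const kid = toB64Url(Buffer.from(kidHex, 'hex'));
  return Buffer.from(JSON.stringify({ kids: [kid], type: 'temporary' }), 'utf8');
}
```

In a browser the request bytes arrive in the MediaKeySession "message" event; everything else here runs in Node without a CDM.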

W3C Perspectives on EME

W3C CEO Jeff Jaffe noted in May 2013 that the W3C standards process:

"…is a consensus process whereby we bring together vast and diverse interested parties to collaborate and achieve consensus to address the never-ending ways in which the Web drives increased value to society. The key objective is to maximize interoperability and openness – values that have served us well."

W3C's Director, Tim Berners-Lee, acknowledged and directly addressed in October 2013 some of the controversy around the EME issue, stating:

"If content protection of some kind has to be used for videos, it is better for it to be discussed in the open at W3C, better for everyone to use an interoperable open standard as much as possible, and better for it to be framed in a browser which can be open source, and available on a general purpose computer rather than a special purpose box…

W3C is a place where people discuss possible technology. The HTML Working Group charter is about the scope of the discussion. W3C does not and cannot dictate what browsers or content distributors can do. By excluding this issue from discussion, we do not exclude it from anyone’s systems...

It is worth thinking, though, about what it is we do not like about existing DRM-based systems, and how we could possibly build a system which will be a more open, fairer one than the actual systems which we see today. If we, the programmers who design and build Web systems, are going to consider something which could be very onerous in many ways, what can we ask in return?"

Objections to W3C work on EME

W3C's work on EME has been criticized and characterized by some as "putting DRM into HTML." The W3C is not creating DRM policies and it is not requiring that HTML use DRM. Organizations choose whether or not to have DRM on their content. The EME API can facilitate communication between browsers and DRM providers but the only mandate is not DRM but a form of key encryption (Clear Key). EME allows a method of playback of encrypted content on the Web but W3C does not make the DRM technology nor require it. EME is an extension. It is not required for HTML nor HTML5 video.

In late 2015, the Electronic Frontier Foundation (EFF) put on the W3C table a DRM Circumvention Nonaggression Covenant for W3C consideration. The W3C Technical Architecture Group (TAG) convened a special session to discuss it at the October 2015 W3C all-group Meeting (TPAC), in particular regarding certain pieces of legislation which have had a chilling effect on security research on software. As a result, the TAG has stated its support for a Strong and Secure Web Platform noting the importance of security research on software as well as broad testing and audit. (See FAQ entry)

FAQ: Clarifications about EME and DRM

Does EME create a new way to allow DRM into the Web?

No. The Digital Millennium Copyright Act (DMCA) was passed by Congress in the US in 1998 (*) and the EU Copyright Directive was passed in 2001 (**) and they include provisions to prevent circumvention of DRM, with selected exemptions. DRM on the Web has been supported in plug-ins for a long time (e.g.: in the Adobe Flash plug-in).

Why did W3C get involved in something as controversial as encrypted content?

If encrypted media is going to be on the Web (as users and content providers continue to want) the W3C wants it to be done in a Web-friendly, open, and global way. We want to make sure that content providers can pursue their business models on the Web (and streaming video is one of the fastest growing areas of Web use) and that Web users can access safely and legally the videos they want without invasive "black box" devices.

By standardizing EME, will companies force users to accept DRM for web videos in the browsers?

No, EME does not make a Web browser a DMCA-protected "black box." DRMs under EME can be sandboxed, as Google and Mozilla have done. The Content Decryption Modules (CDM) are handled separately and continue to be controlled by the DRM provider.

Does EME open a security hole that could allow malicious code to run on my computer, with privileged access to the system?

In the Firefox and Chrome case, the CDM code is certainly different in nature from the majority of the UA implementation and this does raise security issues which have led both of those browsers to sandbox the CDM (***).

Is EME putting DRM in HTML?

No, EME is not DRM for HTML (****). It does not in any way prevent you from using "view source" on HTML. It is not necessary to encrypt video to use it on the Web either. Whether the browser is set to accept encrypted content can be the user's choice.

If W3C didn't standardize EME then wouldn't DRM on the Web have died out? Isn't the W3C keeping DRM on the Web by standardizing EME?

Flash was already on its way out before EME precisely because browsers already supported encrypted video, just not in a standard way.

What if W3C stops the EME work now?

EME is already widely deployed on the Web. Netflix supports HTML5 video using EME with supported browsers Google Chrome, Firefox, Microsoft Edge, Internet Explorer, Safari and Opera. Browsers that do not support EME can use plugins such as Adobe Flash or Microsoft Silverlight to deliver encrypted video (though support for these plugins is being phased out). YouTube supports the HTML5 MSE. Version 4.3 and subsequent versions of Android support EME.

Why doesn't W3C outlaw DRM?

The W3C is a technical standards organization. Those that believe that laws (like DMCA) which support DRM are unethical should use the legal processes in their countries to get those laws overturned.

Does DRM on the Web make things worse for users and their rights?

Whether people have a right to make a copy of downloaded/streamed video data is an important question and should be treated as a separate issue from on-demand downloading and direct access to the video hardware / frame buffer. EME does not affect the question of user rights - it only affects whether video content providers, such as movie distribution companies, need to use a standard API or different mechanisms for each browser on each platform. Also, many users would rather have an easy, legal way to access content on their Web browser than face penalties for accidental misuse or circumvention.

How have EME users been helped since W3C took it up?

As Mark Watson noted in response to a March 2016 blog post by Joi Ito: both the EME spec and the implementations have evolved significantly. DRMs under EME can be sandboxed, as Google and Mozilla have done, such that the DRM has no network access and is permitted to persist data or otherwise access the machine only as allowed by the (open source) sandbox. Also there are strict rules for privacy-sensitive identifiers and user consent and users can completely disable the DRM, clear its storage, and reset any identifiers. Sites using EME will also be required to deploy HTTPS. Watson noted:

"These changes in how DRM is integrated with the web (because it was, as has been mentioned, very much there before all of this) likely would not have happened without the W3C’s involvement."

EME has been controversial because some people have associated its use with the legal risk of reporting security flaws and copyright circumvention. Can the W3C do more to help users concerned about these issues?

The W3C Technical Architecture Group (TAG) has stated its support for a Strong and Secure Web Platform noting the importance of security research on software as well as broad testing and audit. They stated:

"The Web has been built through iteration and collaboration, and enjoys strong security because so many people are able to continually test and review its designs and implementations. As the Web gains interfaces to new device capabilities, we rely even more on broad participation, testing, and audit to keep users safe and the web’s security model intact. Therefore, W3C policy should assure that such broad testing and audit continues to be possible, as it is necessary to keep both design and implementation quality high."

The importance of security and testing has also been emphasized by the W3C Advisory Board. W3C is working on several initiatives to make the Web more secure.

HTML Media Extensions to continue work, by Philippe Le Hégaret, April 5, 2016

DRM Non-Aggression on the Table at W3C, by Danny O'Brien, March 16, 2016

Why anti-money laundering laws and poorly designed copyright laws are similar and should be revised, by Joi Ito, March 12, 2016

An invitation to the free-software community for real dialog by Mike Smith, March 11, 2016

Show them the world is watching. Stop the Hollyweb by Zak Rogoff, March 7, 2016

W3C EME is not DRM (nor other fear-mongering TLAs) by Adrian Roselli, January 14, 2014

(Austening ourselves to the full Brontë) Please Bring Me More Of That Yummy DRM Discussion, by Robin Berjon, January 10, 2014

We are Huxleying ourselves into the full Orwell, by Cory Doctorow, January 9, 2014

On Encrypted Video and the Open Web, by Tim Berners-Lee, October 9, 2013

Dear EFF: please don’t pick the wrong fight, by Chris Adams, October 4, 2013

Lowering Your Standards: DRM and the Future of the W3C by Danny O'Brien, October 2, 2013

DRM and HTML5: it's now or never for the Open Web, by Harry Halpin, June 6, 2013

DRM in HTML5 is a victory for the open Web, not a defeat, at Ars Technica, May 10, 2013

Perspectives on Encrypted Media Extension Reaching First Public Working Draft, by Jeff Jaffe, May 9, 2013

DRM at the W3C? Not such a Bad Idea., by John Foliot, April 25, 2013

What I wish Tim Berners-Lee understood about DRM, by Cory Doctorow, March 12, 2013

Media Contact

Send media enquiries to w3t-pr@w3.org.
