Battle lost: EME is a W3C recommendation


A few months ago I wrote about this subject. It turns out I was very, very wrong. Not because EME is a good idea. It is not. It is in the same stupidity class as putting a hornet’s nest inside your car as you are about to start a 2h summer drive.

Bryan Lunduke brilliantly explains why.

No, I was wrong because I thought nobody would care enough to support Encrypted Media Extensions as a standard feature in browsers (since it’s already available in FF and Chrome as an option anyway), and because all the techs and privacy orgs were against it. I honestly thought this would have been enough to kill the proposal.

Yet, 6 months later, money and lobbying have proven to speak louder than reason and common sense. Against all odds, EME not only lives, but is here to stay.

I applaud the balls on the EFF to do the only right thing to do in this regard, which was to abandon the deaf clusterfuck of interests that plague the W3C. If you are not there to be heard, best not to be there at all.

The people who claim to defend the interests of the open web have demonstrated that such openness is no longer a priority.

Browsers are now recommended to include a closed piece of code that nobody can verify, experiment with or otherwise validate from a cybersecurity perspective. DRM laws make it illegal to do so. And history shows these things always work as intended. Just ask Intel. They know.

The world at large does not want to listen to the technical arguments, and corporate interests just want them eliminated altogether. All because “users”, all too eager to consume content, while trusted to pay for things with their plastic, cannot possibly be trusted to watch a movie without copying it. Or so we’re told.

In any case, you can’t say we didn’t warn you. We, the ones who give a shit about your machine being actually yours and acting as your attorney rather than your parole officer, we actually warned everybody. We warned that all boundaries would eventually be at risk.

Browsers were a nice common ground, because they provided this boundary: there were a ton of them and some of the relevant ones were open. For the longest time browsers provided a nice compromise for content delivery: open and trusted, yet found roughly everywhere. Millions of web applications were built, providing information, services and functionality to whoever wanted it, in a cross-platform, no-hassle way. We have now lost one side of this equation.

“But Firefox and Chrome already had this. What’s the big deal?”

The big deal is that FF and Chrome provided EME as an option. Other browsers had a reasonable expectation that 99.99% of sites out there did not need this, so EME was largely irrelevant except for a niche. Browsers will now be expected to implement EME, which means that browsers that want to remain 100% open will basically not be implementing web standards correctly.

A 100% open browser is essential for security on the open web, because once you give up trusting the user agent, the privacy boundary is dead. The clean separation between your computer and the untrusted code coming from the web is compromised.

But hey, why complain? Netflix is working well now.