The World Wide Web Consortium (W3C), the international standards organization for the web, has approved a new DRM system for streaming video, which has many supporters of the open web and security researchers expressing their concern. Encrypted Media Extensions, or EME as the new standard is called, enables browsers to natively support copy protection systems, making insecure third-party plugins a thing of the past.
However, many people are concerned that the new standard gives too much power to streaming services and browser makers, while at the same time restrains researchers and users of those services. One point of contention is that EME offers no protection for security researchers that hunt for bugs or vulnerabilities. In many countries, the act of bypassing DRM is considered a crime even if it is done for legal purposes like security research. The new EME standard does not protect such researchers from possible prosecution. Another issue is that under EME, there is no standardized way to decrypt a protected video stream, which may lead to browser makers having to license a vendor's specific decryption module, causing implementation issues for open-source browsers and possibly hurting new ones that wish to enter the market.
Tim Berners-Lee, the inventor of the web, along with W3C project manager Philippe Le Hégaret, disagree with those concerns. In a note about EME’s approval, they state that having a single DRM system supported in the EME standard enables browser developers to easily implement it in their software. Furthermore, users will be safer because they will not be required to download and install third-party plugins, which are often riddled with vulnerabilities. Berners-Lee also claims that the standard better protects users’ privacy because browsers have more control over what is shared with the content provider. In addition, they write that they did not want to postpone the approval of the standard just because all participants could not agree on a solution for safeguarding security researchers from legal issues.
The Electronic Frontier Foundation has a lengthy post on its blog expressing concern about EME and it also intends to appeal the W3C’s decision. Users of streaming video services are probably not going to notice any changes because of EME’s approval, as it has already been supported by all major browsers and streaming video providers like Netflix since late 2015.