Source files of fsfe.org, pdfreaders.org, freeyourandroid.org, ilovefs.org, drm.info, and test.fsfe.org. Contribute: https://fsfe.org/contribute/web/
https://fsfe.org
<?xml version="1.0" encoding="UTF-8" ?>

<html>
<version>1</version>

<head>
<title>Open Letter on European Commission about DRM in HTML5</title>
</head>
<body>
<h1>Open Letter to European Commission about DRM in HTML5</h1>

<p>To: Commissioner Cecilia Malmstroem (Home Affairs)</p>

<p>CC: Antonio Tajani (Enterprise)<br />
Viviane Reding (Justice)<br />
Joaquin Almunia (Competition)<br />
Michel Barnier (Internal Market)<br />
Neelie Kroes (Digital Agenda)</p>

<p>Dear Commissioner Malmstroem,</p>

<p>we are writing to you on the occasion of the international Day Against
Digital Restrictions Management, which today is being celebrated around the
world. We are very concerned about the security of European citizens, and
we ask you to take action to protect them.</p>

<p>The Free Software Foundation Europe (FSFE) is an independent charitable
non-profit dedicated to promoting Free Software and freedom in the
information society. Today we would like to direct your attention to a very
specific threat to the freedom and security of computer users
everywhere.</p>

<p>Both at work and in our personal lives, we conduct a large part of our
activity through Web browsers. Ever more of our work and life migrates into
the digital domain, and many people use a growing number of web services to
work, create, socialise, and express themselves. Businesses and public
sector organisations similarly rely on web browsers as crucial tools to
perform their everyday tasks.</p>

<p>Recently, the importance of the Web browser was highlighted when <a
href="http://www.us-cert.gov/ncas/current-activity/2014/04/28/Microsoft-Internet-Explorer-Use-After-Free-Vulnerability-Being">numerous
state agencies and IT security companies warned about a long-standing
critical security problem in the widely used Microsoft Internet Explorer
browser</a>, soon followed by warnings of a <a
href="http://helpx.adobe.com/security/products/flash-player/apsb14-13.html">vulnerability
in the also widely used Adobe Flash Player</a>.</p>

<p>These incidents were only the most recent ones to highlight the
importance of ensuring that such a crucial piece of software as the Web
browser is fully under the control of its user. The <a
href="https://www.allianz-fuer-cybersicherheit.de/ACS/DE/_downloads/anwender/software/BSI-CS_071.html">German
Federal Office of Information Security (BSI) issued a list of
recommendations for secure Web browsers and their components</a> for
use in companies and public bodies on April 14. The BSI notes that due to
the way they are used, "Web browsers are exposed to especially high risk
from malware". In the list of recommendations for a secure Web browser,
the BSI includes the demand that <strong>Web browsers and their components should
be completely auditable</strong> (Point 1.6).</p>

<p>Web browsers like Mozilla Firefox or the Chromium browser have succeeded
in this regard, providing the public with web browsers that are not only
fully auditable, but which can also be freely shared and improved. This is
in line with the <a href="/freesoftware/standards/def.html">Open Standards</a>
approach which has made it possible for the Internet and the World Wide Web
to thrive and grow into its current role as a vital platform for economic
activity, social interaction without borders, and unchained creativity.</p>

<p>The protocols on which the Internet is built, such as the TCP/IP stack
and the HTML standard, are fully open and implemented in myriad <a
href="/freesoftware/freesoftware.html">Free Software</a> products. Free
Software powers the vast majority of Web servers, smartphones, embedded
devices, and many other applications of technology. The rise of today's
leading Web companies, such as Google, Facebook, and Amazon, would not have
been possible without Free Software, and they could not operate without it
today. Whatever European companies step up to challenge them are inevitably
going to rely on Free Software and Open Standards as well. Free Software and
Open Standards are both the foundation of our digital world, and the condicio
sine qua non for its future.</p>

<p>HTML5 is the latest revision of the HTML standard. It is hard to think
of a standard that is more crucial for the World Wide Web. HTML5 will
deliver a number of important improvements, and is set to be the basis of
the World Wide Web for the coming years, and to allow for the kind of rich,
responsive interactivity that will allow browsers to replace "apps" as
controllers for everything from thermostats to automobiles.</p>

<p>This is why we are very concerned about efforts currently in progress at
the World Wide Web Consortium, which oversees many of the key standards on
which the Internet and the World Wide Web are based, to <strong>encourage use of
the Content Decryption Module (CDM)</strong> which cannot be audited. The CDM,
though not specified in the HTML5 standard itself, is required by the
so-called "Encrypted Media Extension" (EME), developed by a W3C working
group. This extension's primary purpose is to satisfy the desire of a
limited number of content providers with traditional business models to
generate revenue through restrictive distribution practices. With EME, the
W3C would be <strong>building a bridge to let content providers take control of
users' computers</strong>, letting them impose restrictions far in excess of what
consumers' rights and copyright allow.</p>

<p>The discussion about EME at W3C is largely driven by a few large
US-based companies, and except the BBC <a
href="https://blogs.fsfe.org/gerloff/2014/04/29/w3c-whos-working-on-drm-in-html5/">takes
place without significant European involvement</a>. Given these
circumstances, the discussion will likely result in a solution that fails to
take the needs of European citizens, businesses and governments fully into
account.</p>

<p>Auditing the Content Decryption Module will be difficult, because the source
code of this functionality will be a closely held secret of the company
which provides it. Performing such an audit and reporting security flaws
would also be <strong>illegal in the many countries which have adopted so-called
"anti-circumvention" laws</strong>. Reporting a security problem in CDM would expose
the reporter to the risk of prosecution for making a circumvention
device.</p>

<p>In consequence, individuals, companies and organisations (including the
European Commission) would likely end up increasing the amount of software
with unknowable security problems which it uses in a high-risk setting.</p>

<p><strong>Integrating DRM facilities into HTML5 is the antithesis of everything
that has made the Internet and the World Wide Web successful</strong>. It is
directly contrary to the interests of the vast majority of Internet users
everywhere, and especially in Europe.</p>

<h2>Recommendations</h2>

<p>The discussions within W3C are now at a crucial juncture in this regard.
It is still just about possible to prevent the W3C from making it too easy
to effectively require the inclusion of such secret, inauditable software
in Web browsers.</p>

<ul>

<li>We urge the Commission to engage with the W3C and ensure that the
organisation takes these concerns on board as it decides on the adoption
of the Encrypted Media Extension (EME).</li>

<li>We further ask the Commission to underline its commitment to the
security and freedom of Europe's citizens by pledging not to make use of
the Encrypted Media Extension in its own infrastructure, even if EME
would be standardised by W3C.</li>

<li>At a minimum, the W3C should require covenants from EME participants
through which they promise not to take action against entities who report
and demonstrate vulnerabilities in EME and the CDM; and covenants to
safeguard entities who reverse-engineer and publish details of EME and
CDM implementations for the purpose of interoperability, including
interoperability with Free Software.</li>

</ul>

<p>At FSFE, we look forward to supporting the Commission in taking the
appropriate actions to safeguard the interests of Europe's citizens and
companies, and remain at the Commission's service.</p>

<p>
Sincerely,<br />
Karsten Gerloff, President Free Software Foundation Europe
</p>

</body>
</html>