<?xml version="1.0" encoding="UTF-8" ?>
<html>
<version>1</version>
<head>
<title>Open Letter to European Commission about DRM in HTML5</title>
</head>
<body>
<h1>Open Letter to European Commission about DRM in HTML5</h1>
<p>To: Commissioner Cecilia Malmstroem (Home Affairs)</p>
<p>CC: Antonio Tajani (Enterprise)<br />
Viviane Reding (Justice)<br />
Joaquin Almunia (Competition)<br />
Michel Barnier (Internal Market)<br />
Neelie Kroes (Digital Agenda)</p>
<p>Dear Commissioner Malmstroem,</p>
<p>We are writing to you on the occasion of the international Day Against
Digital Restrictions Management, which today is being celebrated around the
world. We are very concerned about the security of European citizens, and
we ask you to take action to protect them.</p>
<p>The Free Software Foundation Europe (FSFE) is an independent charitable
non-profit dedicated to promoting Free Software and freedom in the
information society. Today we would like to direct your attention to a very
specific threat to the freedom and security of computer users
everywhere.</p>
<p>Both at work and in our personal lives, we conduct a large part of our
activity through Web browsers. Ever more of our work and life migrates into
the digital domain, and many people use a growing number of web services to
work, create, socialise, and express themselves. Businesses and public
sector organisations similarly rely on web browsers as crucial tools to
perform their everyday tasks.</p>
<p>Recently, the importance of the Web browser was highlighted when <a
href="http://www.us-cert.gov/ncas/current-activity/2014/04/28/Microsoft-Internet-Explorer-Use-After-Free-Vulnerability-Being">numerous
state agencies and IT security companies warned about a long-standing
critical security problem in the widely used Microsoft Internet Explorer
browser</a>, soon followed by warnings of a <a
href="http://helpx.adobe.com/security/products/flash-player/apsb14-13.html">vulnerability
in the also widely used Adobe Flash Player</a>.</p>
<p>These incidents were only the most recent ones to highlight the
importance of ensuring that such a crucial piece of software as the Web
browser is fully under the control of its user. The <a
href="https://www.allianz-fuer-cybersicherheit.de/ACS/DE/_downloads/anwender/software/BSI-CS_071.html">German
Federal Office of Information Security (BSI) issued a list of
recommendations for secure Web browsers and their components</a> for
use in companies and public bodies on April 14. The BSI notes that due to
the way they are used, "Web browsers are exposed to especially high risk
from malware". In the list of recommendations for a secure Web browser,
the BSI includes the demand that <strong>Web browsers and their components should
be completely auditable</strong> (Point 1.6). </p>
<p>Web browsers like Mozilla Firefox or the Chromium browser have succeeded
in this regard, providing the public with web browsers that are not only
fully auditable, but which can also be freely shared and improved. This is
in line with the <a href="/freesoftware/standards/def.html">Open Standards</a>
approach which has made it possible for the Internet and the World Wide Web
to thrive and grow into its current role as a vital platform for economic
activity, social interaction without borders, and unchained creativity.</p>
<p>The protocols on which the Internet is built, such as the TCP/IP stack
and the HTML standard, are fully open and implemented in myriad <a
href="/freesoftware/freesoftware.html">Free Software</a> products. Free
Software powers the vast majority of Web servers, smartphones, embedded
devices, and many other applications of technology. The rise of today's
leading Web companies, such as Google, Facebook, and Amazon, would not have
been possible without Free Software, and they could not operate without it
today. Whatever European companies step up to challenge them are inevitably
going to rely on Free Software and Open Standards as well. Free Software and
Open Standards are both the foundation of our digital world, and the condicio
sine qua non for its future.</p>
<p>HTML5 is the latest revision of the HTML standard. It is hard to think
of a standard that is more crucial for the World Wide Web. HTML5 will
deliver a number of important improvements, and is set to be the basis of
the World Wide Web for the coming years, and to allow for the kind of rich,
responsive interactivity that will allow browsers to replace "apps" as
controllers for everything from thermostats to automobiles.</p>
<p>This is why we are very concerned about efforts currently in progress at
the World Wide Web Consortium, which oversees many of the key standards on
which the Internet and the World Wide Web are based, to <strong>encourage use of
the Content Decryption Module (CDM)</strong> which cannot be audited. The CDM,
though not specified in the HTML5 standard itself, is required by the
so-called "Encrypted Media Extension" (EME), developed by a W3C working
group. This extension's primary purpose is to satisfy the desire of a
limited number of content providers with traditional business models to
generate revenue through restrictive distribution practices. With EME, the
W3C would be <strong>building a bridge to let content providers take control of
users' computers</strong>, letting them impose restrictions far in excess of what
consumers' rights and copyright allow.</p>
<p>The discussion about EME at W3C is largely driven by a few large
US-based companies and, except for the BBC, <a
href="https://blogs.fsfe.org/gerloff/2014/04/29/w3c-whos-working-on-drm-in-html5/">takes
place without significant European involvement</a>. Given these
circumstances, the discussion will likely result in a solution that fails to
take the needs of European citizens, businesses and governments fully into
account.</p>
<p>Auditing the Content Decryption Module will be difficult, because the source
code of this functionality will be a closely held secret of the company
which provides it. Performing such an audit and reporting security flaws
would also be <strong>illegal in the many countries which have adopted so-called
"anti-circumvention" laws</strong>. Reporting a security problem in CDM would expose
the reporter to the risk of prosecution for making a circumvention
device.</p>
<p>In consequence, individuals, companies and organisations (including the
European Commission) would likely end up increasing the amount of software
with unknowable security problems which they use in a high-risk setting.</p>
<p><strong>Integrating DRM facilities into HTML5 is the antithesis of everything
that has made the Internet and the World Wide Web successful</strong>. It is
directly contrary to the interests of the vast majority of Internet users
everywhere, and especially in Europe.</p>
<h2>Recommendations</h2>
<p>The discussions within W3C are now at a crucial juncture in this regard.
It is still just about possible to prevent the W3C from making it too easy
to effectively require the inclusion of such secret, inauditable software
in Web browsers.</p>
<ul>
<li>We urge the Commission to engage with the W3C and ensure that the
organisation takes these concerns on board as it decides on the adoption
of the Encrypted Media Extension (EME).</li>
<li>We further ask the Commission to underline its commitment to the
security and freedom of Europe's citizens by pledging not to make use of
the Encrypted Media Extension in its own infrastructure, even if EME
were to be standardised by W3C.</li>
<li>At a minimum, the W3C should require covenants from EME participants
through which they promise not to take action against entities who report
and demonstrate vulnerabilities in EME and the CDM; and covenants to
safeguard entities who reverse-engineer and publish details of EME and
CDM implementations for the purpose of interoperability, including
interoperability with Free Software.</li>
</ul>
<p>At FSFE, we look forward to supporting the Commission in taking the
appropriate actions to safeguard the interests of Europe's citizens and
companies, and remain at the Commission's service.</p>
<p>
Sincerely,<br />
Karsten Gerloff, President Free Software Foundation Europe
</p>
</body>
</html>