<?xml version="1.0" encoding="UTF-8" ?>

<html>
<version>1</version>

<head>
<title>Open Letter to European Commission about DRM in HTML5</title>
</head>
<body>
<h1>Open Letter to European Commission about DRM in HTML5</h1>

<p>To: Commissioner Cecilia Malmstroem (Home Affairs)</p>

<p>CC: Antonio Tajani (Enterprise)<br />
Viviane Reding (Justice)<br />
Joaquin Almunia (Competition)<br />
Michel Barnier (Internal Market)<br />
Neelie Kroes (Digital Agenda)</p>

<p>Dear Commissioner Malmstroem,</p>

<p>we are writing to you on the occasion of the international Day Against
Digital Restrictions Management, which today is being celebrated around the
world. We are very concerned about the security of European citizens, and
we ask you to take action to protect them.</p>

<p>The Free Software Foundation Europe (FSFE) is an independent charitable
non-profit dedicated to promoting Free Software and freedom in the
information society. Today we would like to direct your attention to a very
specific threat to the freedom and security of computer users
everywhere.</p>

<p>Both at work and in our personal lives, we conduct a large part of our
activity through Web browsers. Ever more of our work and life migrates into
the digital domain, and many people use a growing number of web services to
work, create, socialise, and express themselves. Businesses and public
sector organisations similarly rely on web browsers as crucial tools to
perform their everyday tasks.</p>

<p>Recently, the importance of the Web browser was highlighted when <a
href="http://www.us-cert.gov/ncas/current-activity/2014/04/28/Microsoft-Internet-Explorer-Use-After-Free-Vulnerability-Being">numerous
state agencies and IT security companies warned about a long-standing
critical security problem in the widely used Microsoft Internet Explorer
browser</a>, soon followed by warnings of a <a
href="http://helpx.adobe.com/security/products/flash-player/apsb14-13.html">vulnerability
in the also widely used Adobe Flash Player</a>.</p>

<p>These incidents were only the most recent ones to highlight the
importance of ensuring that such a crucial piece of software as the Web
browser is fully under the control of its user. The <a
href="https://www.allianz-fuer-cybersicherheit.de/ACS/DE/_downloads/anwender/software/BSI-CS_071.html">German
Federal Office of Information Security (BSI) issued a list of
recommendations for secure Web browsers and their components</a> for
use in companies and public bodies on April 14. The BSI notes that due to
the way they are used, "Web browsers are exposed to especially high risk
from malware". In the list of recommendations for a secure Web browser,
the BSI includes the demand that <strong>Web browsers and their components should
be completely auditable</strong> (Point 1.6).</p>

<p>Web browsers like Mozilla Firefox or the Chromium browser have succeeded
in this regard, providing the public with web browsers that are not only
fully auditable, but which can also be freely shared and improved. This is
in line with the <a href="/freesoftware/standards/def.html">Open Standards</a>
approach which has made it possible for the Internet and the World Wide Web
to thrive and grow into its current role as a vital platform for economic
activity, social interaction without borders, and unchained creativity.</p>

<p>The protocols on which the Internet is built, such as the TCP/IP stack
and the HTML standard, are fully open and implemented in myriad <a
href="/freesoftware/freesoftware.html">Free Software</a> products. Free
Software powers the vast majority of Web servers, smartphones, embedded
devices, and many other applications of technology. The rise of today's
leading Web companies, such as Google, Facebook, and Amazon, would not have
been possible without Free Software, and they could not operate without it
today. Whatever European companies step up to challenge them are inevitably
going to rely on Free Software and Open Standards as well. Free Software and
Open Standards are both the foundation of our digital world, and the condicio
sine qua non for its future.</p>

<p>HTML5 is the latest revision of the HTML standard. It is hard to think
of a standard that is more crucial for the World Wide Web. HTML5 will
deliver a number of important improvements, and is set to be the basis of
the World Wide Web for the coming years, and to allow for the kind of rich,
responsive interactivity that will allow browsers to replace "apps" as
controllers for everything from thermostats to automobiles.</p>

<p>This is why we are very concerned about efforts currently in progress at
the World Wide Web Consortium, which oversees many of the key standards on
which the Internet and the World Wide Web are based, to <strong>encourage use of
the Content Decryption Module (CDM)</strong> which cannot be audited. The CDM,
though not specified in the HTML5 standard itself, is required by the
so-called "Encrypted Media Extension" (EME), developed by a W3C working
group. This extension's primary purpose is to satisfy the desire of a
limited number of content providers with traditional business models to
generate revenue through restrictive distribution practices. With EME, the
W3C would be <strong>building a bridge to let content providers take control of
users' computers</strong>, letting them impose restrictions far in excess of what
consumers' rights and copyright allow.</p>

<p>The discussion about EME at W3C is largely driven by a few large
US-based companies, and, except for the BBC, <a
href="https://blogs.fsfe.org/gerloff/2014/04/29/w3c-whos-working-on-drm-in-html5/">takes
place without significant European involvement</a>. Given these
circumstances, the discussion will likely result in a solution that fails to
take the needs of European citizens, businesses and governments fully into
account.</p>

<p>Auditing the Content Decryption Module will be difficult, because the source
code of this functionality will be a closely held secret of the company
which provides it. Performing such an audit and reporting security flaws
would also be <strong>illegal in the many countries which have adopted so-called
"anti-circumvention" laws</strong>. Reporting a security problem in CDM would expose
the reporter to the risk of prosecution for making a circumvention
device.</p>

<p>In consequence, individuals, companies and organisations (including the
European Commission) would likely end up increasing the amount of software
with unknowable security problems which they use in a high-risk setting.</p>

<p><strong>Integrating DRM facilities into HTML5 is the antithesis of everything
that has made the Internet and the World Wide Web successful</strong>. It is
directly contrary to the interests of the vast majority of Internet users
everywhere, and especially in Europe.</p>

<h2>Recommendations</h2>

<p>The discussions within W3C are now at a crucial juncture in this regard.
It is still just about possible to prevent the W3C from making it too easy
to effectively require the inclusion of such secret, inauditable software
in Web browsers.</p>

<ul>

<li>We urge the Commission to engage with the W3C and ensure that the
organisation takes these concerns on board as it decides on the adoption
of the Encrypted Media Extension (EME).</li>

<li>We further ask the Commission to underline its commitment to the
security and freedom of Europe's citizens by pledging not to make use of
the Encrypted Media Extension in its own infrastructure, even if EME
would be standardised by W3C.</li>

<li>At a minimum, the W3C should require covenants from EME participants
through which they promise not to take action against entities who report
and demonstrate vulnerabilities in EME and the CDM; and covenants to
safeguard entities who reverse-engineer and publish details of EME and
CDM implementations for the purpose of interoperability, including
interoperability with Free Software.</li>

</ul>

<p>At FSFE, we look forward to supporting the Commission in taking the
appropriate actions to safeguard the interests of Europe's citizens and
companies, and remain at the Commission's service.</p>

<p>
Sincerely,<br />
Karsten Gerloff, President Free Software Foundation Europe
</p>

</body>
</html>