An open letter to security researchers and practitioners:
We need you to take a stand to protect security researchers who report defects in browsers, before it's too late.
Earlier this month, the World Wide Web Consortium's Encrypted Media Extensions (EME) spec progressed to Draft Recommendation phase. This is a controversial standard for transmitting DRM-encumbered videos, and it marks the very first time that the W3C has attempted to standardize a DRM system.
This means that for the first time, W3C standards for browsers will fall under laws like the DMCA (and its international equivalents, which the US Trade Representative has spread all over the world). These laws allow companies to threaten security researchers who disclose vulnerabilities in DRM systems, on the grounds that these disclosures make it easier to figure out how to bypass the DRM.
Last summer, the Copyright Office heard from security researchers about the effect that DRM has on their work; those filings detail showstopper bugs in consumer devices, cars, agricultural equipment, medical implants, and voting machines that researchers felt they couldn't readily publish about, lest they face punitive lawsuits from the companies they embarrassed.
EFF has asked the W3C to take a minimal step to insulate their stakeholders from the legal fallout from the inclusion of DRM in their standards. Our proposal asks the W3C to bind its members to legal promises not to use the DMCA or laws like it against security researchers or implementers.
So far, the W3C executive has failed to act on this proposal, despite diverse support from a number of W3C members.
We are hosting an open letter from security, privacy and technology experts to the W3C's director, Tim Berners-Lee; and its CEO, Jeff Jaffe, asking them to make any further work on EME contingent on adopting rules to protect the open web from these bad laws.
Will you sign this letter? Some of security's leading lights have already put their names to it. We can't afford to make widely used tools like browsers off-limits to security research and disclosure, especially not as HTML5 is being positioned as a UI environment to replace apps as the primary way of interacting with sensors, actuators, embedded systems and the whole Internet of Things.
If you're willing to sign on, please send an email to with your country of residence and your institutional affiliation (if any).
Thank you,
Cory Doctorow, Apollo 1201 Project, Electronic Frontier Foundation