Last Week in Tech Policy #47: W3C and EME—Is DRM Being Inserted in Your Web Browser?

(By Lucas Ewing, Colorado Law 2L)

The World Wide Web Consortium (W3C) is an international organization whose goal is to set standards for the World Wide Web. Due to W3C’s highly technical subject matter, internal discussions rarely broach the public discourse, but recently, open internet advocates and some W3C members have expressed concern over plans to endorse Encrypted Media Extensions (EMEs).

What are EMEs?

Encrypted Media Extensions provide a standard interface (API) through which webpages and applications can access any encrypted video or audio that is protected by a Digital Rights Management (DRM) scheme. The EME standard makes it simple for any application to interact with any encrypted content regardless of the underlying DRM. It removes the need for third party plug-ins like Adobe Flash or Microsoft Silverlight.

For this reason, DRM advocates and content providers (like Netflix, Google, Microsoft, and Apple) proposed the adoption of the standard into all HTML5 platforms. Proponents argue that adoption would make it more difficult for pirates to scrape content from legitimate streaming services and provide it for free on illegal servers.

W3C is expected to make a decision on whether to adopt the standard by April 14. The major browsers, Chrome, Safari, Edge/Internet Explorer, and, Firefox, have all already incorporated EME into their platforms. EME has also been endorsed by the W3C’s director, Tim Berners-Lee, who is widely credited as the inventor of the World Wide Web. So, with this adoption and widespread endorsement, why is the EME standard considered controversial?


Cory Doctorow, a W3C member and well-known science-fiction author, has led the charge against the EME standard. His cohorts include blockchain companies, accessibility organizations, the Electronic Frontier Foundation, the German National Library, and Oxford University.

Because the EME requires an encryption key in order to access the DRM-protected content, opponents worry that large media companies in Hollywood can use their ownership of that key in order to gain leverage over app-developers and undermine the open internet.

Open internet advocates also worry that implementing EME will insert a program into the platform whose code is proprietary, and cannot be checked or improved upon by other programmers. W3C and other open internet advocates prefer open-source code because it can crowd-source the job of finding bugs and vulnerabilities in the code. EME critics argue that if the code isn’t being checked by security researchers, it presents a higher risk of being exploited by malicious actors, adversely affecting the user. They also consider it inherently democratic to allow the public to view the underlying code.

Finally, this controversy is part of a larger fight over DRM. DRM is code used by media companies to restrict what users can do with digital copies of copyrighted works. It usually restricts users’ ability to make copies of the content, but can also restrict the time, location, or number of uses, among other things.

Another concern for DRM critics is the potential for legal ramifications. Section 1201 of the Digital Millennium Copyright Act (DMCA) makes it illegal to circumvent DRM under many circumstances, potentially including, searching the code for bugs and vulnerabilities, transforming the underlying copyrighted work into more accessible formats for people with disabilities, and a number of actions traditionally considered fair use.

In the face of U.S. pressure in trade and treaty negotiations, many other countries have adopted similar laws. DRM opponents fear that placing proprietary code in the platform protected by the force of law will be the end of the open internet.

Tim Berners-Lee and others at W3C contend that if they don’t endorse EME, the media companies will still seek to impose their DRM through the use of 3rd party apps. They argue that EME is preferable over apps because an app requires installation on the user’s machine and thus gives the developer access to troves of user information, and thus that EME is the safer choice for privacy advocates.

They also contend that EME is not the proper venue for battling DRM, and that energy would be better spent at the policy level lobbying to remove the teeth from Section 1201 of the DMCA. Finally, the W3C also encourages companies to implement bug-bounty programs to encourage security researchers by guaranteeing immunity from prosecution, though they make no claims as to the success of these programs.

Cory Doctorow offered a compromise in June 2016: make all W3C members promise not to use DMCA or its analogous laws in other countries against fair users in exchange for endorsing EME. But the W3C could not reach consensus on the issue. Either EME will be implemented with all its potential legal baggage, or not at all.

What Do You Think?

Is EME as dangerous as its critics claim? Should DRM be protected by the force of law? Are media companies trying to undermine the open internet?