If protecting encryption is important, then so is fighting DRM and keeping it out of Web standards


With law enforcement calling for a ban on strong encryption, activists are working to communicate to the public why crypto is more than just a technical issue — defending it is a matter of personal privacy and political freedom. But weakened encryption isn’t the only threat that computer users are facing from irresponsible institutions. The DRM (Digital Restrictions Management) lobby is gunning for a change to the Web’s technical standards, which would do damage to our privacy and freedom as well.

DRM is software that runs on your devices and polices your behavior. It’s what stops you from copying streaming Netflix videos and Spotify songs onto your hard drive, prevents you from using some programs without an Internet connection, and blocks you from moving books between ereaders.

Its owners claim DRM is necessary to “protect creators” by stopping unauthorized copying. While this sounds very virtuous, it’s not usually true. The precise motivations vary, but the goal of DRM is usually either removing functionality and selling it back piecemeal, or preventing competitors from making interoperable products.

DRM has a natural expansionist tendency — some users always try to escape it by moving to other platforms, and if it does not keep up by colonizing those platforms, it loses its influence. Since the dawn of DRM, a cohort of media and technology companies have mounted a relentless legal and technical campaign to expand its control by integrating it more deeply into all corners of the digital world.

Recently, Netflix, Apple, Google, and Microsoft have crafted a new universal DRM system for the Web, and are trying to get it ratified by the the World Wide Web Consortium, which sets official Web standards. For many of the same reasons that we need to protect strong encryption, we also need to stop this power grab by those that profit from Digital Restrictions Management.




The DRM lobby is currently pushing for a major political victory to legitimize its controversial technology. Netflix, Apple, Google, and Microsoft have crafted a new universal DRM system for the Web, and are trying to get it ratified by the the World Wide Web Consortium, which sets official Web standards. The proposal is called Encrypted Media Extensions, or EME. You might be wondering — if encryption is good and DRM is bad, then why is the DRM proposal called Encrypted Media Extensions? DRM and encryption have an ironic and counterintuitive relationship: DRM systems often use their own internal encryption to harden themselves against users who try to break the digital shackles. Sometimes DRM proponents refer to it simply as encryption to give it legitimacy.

As eminent technologists and activists have noted (e.g. Joi Ito, Richard Stallman, Cory Doctorow, Bruce Schneier, and scores of other security researchers), digital restrictions in Web standards would make the DRM problem worse for the public. It would make it easier and cheaper to implement DRM on the Web and set another precedent of giving the DRM lobby free reign over our technical infrastructure. Though they are woven from some of the same digital cloth, DRM and encryption are diametrically opposed in their social impact. For at least two of the same reasons that we need to protect strong encryption, we also need to eliminate DRM:

Popular control versus centralized control

As unchecked government surveillance, politically-motivated Internet shutdowns, and Web censorship teach us, laws and infrastructure that require the public to cede control of our computers to powerful institutions can easily become risks to democracy. As such, they should bear a high burden of proof to society.

Weakened encryption weakens our control of our computers, by allowing an entry point for others to meddle with our digital lives. DRM also weakens our control, by encumbering our devices with code that treats us as adversaries. DRM is impossible to implement effectively with free software, so any system that requires it also effectively locks out users that are committed to protecting their own digital sovereignty. Perhaps worst of all, the continued legal and political acceptance of DRM legitimates the idea that media owner’s business models trump the will of the general public. DRM does not — and weakened encryption does not — have real, fairly distributed social benefits to bear that burden of proof.

Security and privacy

Encryption is an essential pillar in computer security, which is one of the reasons that such diverse groups are united against government attempts to weaken it. Like weakened encryption, DRM is bad for security.

Sometimes a DRM’s owner actually commands it spy on users or install malware on their computers. Sometimes third parties slip through the hole DRM has punched in users’ security for their own ends. The last case of either that was widely covered in the media was the 2005 Sony rootkit scandal — when users were mistreated in both aforemention ways — but computer security experts assert that DRM continues to be a real threat.

Fearful of public scrutiny, the DRM lobby has passed laws (the Digital Millenium Copyright Act in the US, followed by similar laws and treaties in many countries) to muzzle security researchers seeking to expose and fix vulnerabilities in DRM. This means that the best system we have for protecting users from insecure programs — independent expert review — is outlawed for a broad class of widely-used software.

Fight back

If you feel that strong encryption is important, I hope I’ve convinced you that resisting DRM is too. DRM-using companies are pushing to expand and elevate its role in the Web. In my role as campaigns manager at the Free Software Foundation, I’m working to put as much pressure as possible on the W3C to reject the universal DRM system for the Web. You can take action by signing our petition and adding a protest selfie (a Web-native medium of expression) to the growing gallery.

Today’s wonky technical issues are the next generation’s foundational political and security concerns. Right now, just under half the world’s population uses the Web. That number will only continue to grow, and the way we build Web infrastructure now will ripple into the political realities of the future. Each computer user stands to benefit from the power of encryption and be disempowered by DRM.

There is a blooming global consciousness of the need for secure and user-controlled technology, and DRM is not a part of that picture. Resist DRM with us, and demand a Web that puts users first.

More about the campaign against DRM in Web standards

This is a rewrite of the earlier post “If iPhones should have strong encryption, then the Web should not include DRM.”