The World Wide Web Consortium (W3C) announced on Monday that it has approved Encrypted Media Extensions (EME) as a Recommendation, meaning that it’s now an official standard. This announcement marks the end of a very contentious debate about the role, if any, that DRM should have in web browser environments and open web standards.
EME is a mechanism for embedding DRM functionality directly into web browsers in a secure way. It’s intended primarily but not exclusively for video content.
The debate over EME pitted two points of view against each other. One of them was based on an assumption that Hollywood studios and other copyright holders were going to continue using DRM for digital content distribution for the foreseeable future. The idea was that it would be better to use DRM over web interfaces based on open, interoperable standards than to do it over closed, proprietary apps such as for iOS, Android, or Smart TVs. The argument is that if premium content apps remain in closed environments, the open web environment will diminish in overall importance to end-users. The entities behind this argument included the web browser giants (mainly Microsoft and Google) as well as Netflix and the major Hollywood studios.
The other point of view is that DRM is antithetical to open standards and should not be part of the web environment at all; and furthermore that eradicating DRM from the open web should hasten its overall demise. This was the position of organizations such as the Electronic Frontier Foundation (EFF) (through the involvement of Cory Doctorow, the Captain Ahab of DRM), the Free Software Foundation, and some library groups. That viewpoint lost out, prompting the EFF to resign from W3C membership. Even open-source standard-bearer Mozilla, keeper of the Firefox browser, ended up supporting EME after a lot of internal Sturm und Drang.
EME has actually been in use for a couple of years, even though it hasn’t been a full-fledged W3C standard. The nominal technical problem it solves is that it’s not possible to implement DRM encryption securely within a browser environment. It involves a software component called a Content Decryption Module (CDM), which is a secure execution environment embedded within a browser; it’s best thought of as an air-tight seal for a DRM client technology that works within a browser.
EME code within web pages includes routine calls that find out whether the browser and client device platform both support the DRM in which a piece of content is encrypted. If they do support it, then EME acts as a conduit between the DRM client inside the CDM and the DRM license server to request licenses, obtain keys, and decrypt the content for playback within the browser.
Leaving aside the wisdom of including DRM in web browsers, the big problem with EME is that it’s not really a standard DRM scheme. It’s more like a set of standard plumbing adapters that enable DRM vendors to have their servers talk to their clients. It has turned out to be a way to compromise the interoperability of web browsers by using CDMs to tie browsers to specific DRM clients; in other words, to use DRM as a way of bringing walled gardens into browser environments that are supposed to be interoperable via HTML. In that sense, EME is more like a narrower version of previous proprietary browser plug-in environments, like Adobe’s Flash, Microsoft’s Silverlight, and Google’s NPAPI — one that’s focused solely on premium video delivery.
The primary walled garden builders are — no surprise — Google, Microsoft, and Apple. It’s possible for a browser to support a CDM for any DRM scheme, but that requires changes to the browser’s code and therefore requires the browser maker’s cooperation (as well as that of the DRM vendor). In other words, there’s no standard way to install the plumbing adapters into a browser; each browser maker has its own way of doing it. So it’s possible, for example, that Microsoft could build support for a CDM for Google Widevine DRM into its Internet Explorer or Edge browsers, as well as a CDM for its own PlayReady DRM. And in fact Microsoft made noises a couple of years ago about enabling CDMs for non-Microsoft DRMs. But of course that hasn’t happened.
So, Microsoft’s browsers only support CDMs for PlayReady. Google’s Chrome only supports Widevine. Apple’s Safari browser only supports Apple’s FairPlay DRM, and only on OS X devices (Macs, Macbooks), not on iOS (iPhones, iPads) — presumably because Apple prefers its closed app environment to the open web. Mozilla’s Firefox supports both Widevine and Adobe’s Primetime DRM.
Netflix has also been heavily involved in the design of EME. It’s not a walled garden builder (in this sense, at least), but it is a walled garden enabler. Netflix’s infrastructure is complex enough to be able to manage the large and growing variety of device, OS, and browser combinations, many of which require different DRM setups — all seamlessly, so that no matter what device you’re on or browser you’re using, Netflix just works. The same is not true of smaller Internet video services that don’t have the copious technical resources that Netflix has — startups in particular. Thus, Netflix benefits from EME by helping stave off competition.
DRM vendors have argued — with some justification — that making DRM client environments interoperable across browsers compromises their security. And in fairness, the DRM community has achieved some measure of interoperability on the server side, by specifying a common encryption standard (CENC) that works with a wide variety of DRM technologies, so that content need only be encrypted once (for each codec and resolution) instead of once for each DRM.
But the encryption scheme is only part of a DRM mechanism: the licenses that DRMs deliver to clients to enable playback and other user operations, for example, aren’t interoperable. This gives rise to complex multi-DRM framework software from vendors like Intertrust, Irdeto, and Verimatrix, which helps abstract away the complexity of managing video delivery across multiple DRMs.
This isn’t the first time that Hollywood has pushed for DRM standards, which would make it easier for video service providers to offer different content access models and user experiences across multiple platforms without undue complexity. And it isn’t the first time that consumer platform vendors have pushed back and insisted on some type of walled gardens. (UltraViolet was a previous example of this process.) Because the latter entities are the ones that ultimately have to pay for and implement the DRM that Hollywood demands, they spin it to their own ends.
Proliferation of multiple DRMs across geometric combinations of devices and platform software is a problem, especially for video — an expensive and complex barrier to innovation and competition among video service providers. And in the end, EME doesn’t do much to solve the problem. It makes cross-browser implementation less kludgy than with previous browser plug-in schemes. But otherwise it’s a lost opportunity to make things meaningfully easier for service providers so that they can launch and maintain more easily, and provide more choice of legal content offers for consumers.