June 22, 2017

Ted Shapiro and Sunniva Hansson explain that the World Wide Web Consortium (W3C) has been working on a web standard called Encrypted Media Extensions (EME), that will enable browsers to communicate seamlessly with external content protection systems. This article was first published on Lexis®PSL TMT.

What has the W3C been working on?
W3C is the organisation developing standards and guidelines for the web. Its members include representatives from industry, academia, governments and civil society. Its modest mission is ‘to lead the Web to its full potential.’ W3C’s standard-setting work enables web pages to be delivered to web users in a consistent manner, making the world wide web easier to use.

One area of W3C’s standards work is HTML5, which is the latest version of hypertext markup language, the behind-the-scenes code that delivers web pages. One of the reasons for updating HTML was that its previous iteration did not naturally accommodate so-called rich media, that is, audiovisual content. Instead, proprietary video players and plug-ins were developed and used, such as QuickTime, Flash and Silverlight. While these work adequately, they are not necessarily the most user-friendly of inventions. For example, they need to be downloaded before the user can watch or listen to content, they require frequent updates and, crucially, they come with security risks, for example, viruses.

With the added capabilities of HTML5, however, external software is no longer necessary to deliver audiovisual content on the web. We can now watch audio visual content in our browsers without having to download a plug-in or use an app.

Given that high-value content delivered on the web requires technological protection to prevent unauthorised copying and dissemination, W3C has been working on a framework, called Encrypted Media Extensions (EME), that will enable browsers to communicate seamlessly with external content protection systems. In brief, EME is a generic interface that allows web browsers to interact with content protection systems to allow playback of encrypted audiovisual content. This is done via content decryption modules. However, EME is not in itself a content protection system, it simply enables browsers to discover and interact with such systems.

What’s the background to EME?
Copyright works can be copied and distributed widely and instantaneously in the digital environment. This is great because licensed distributors of content can provide consumers with access to a wealth of content, which they can read, view or listen to when they want and how they want. Unfortunately, it also means that the copying and distribution of works can be done on an enormous scale without licence or authorisation by the rightholders, thereby undermining licensed distribution platforms and, by extension, investment in and creation of content.

Copyright content therefore needs to be delivered safely over the internet—this is where content protection systems, also known as technological protection measures (TPMs) or digital rights management (DRM), come in.

TPMs are technologies that are used to prevent unauthorised copying of and access to copyright protected content. TPMs are protected under international copyright treaties, for example, the 1996 WIPO Copyright Treaty, which requires contracting parties to provide: ‘Adequate legal protection and effective legal remedies against the circumvention of effective technological measures that are used by authors in connection with the exercise of their rights under this Treaty or the Berne Convention and restrict acts, in respect of their works, which are not authorised by the authors concerned or permitted by law.’

At the EU-level, the legal protection of TPMs is found in the InfoSoc Directive 2001/29/EC, as well as in the older Conditional Access Directive 98/84/EC. These legal protections have been transposed into the national laws of all the Member States of the EEA.

With the advent of HTML5, the streaming of video offered by over-the-top (OTT) services, such as Netflix, has become tremendously popular. It was therefore necessary to find a way in which TPMs could be applied to the delivery of such content to web browsers and web-enabled devices supporting HTML5.

In fact, EME is already widely used on the web. Many platforms, such as Netflix and YouTube, support HTML5 video and all major browsers have now implemented and deployed EME to enable the safe delivery of content.

What are the pros and cons of the proposed standard?
The pros are many. For most of us, EME is simply more user-friendly than other solutions. You now no longer need to download and update plug-ins to watch content, it can be done directly through your browser. There are other pros, too. For example, the move away from plug-ins reduces user exposure to security risks and thus increases privacy protection, making it harder for hackers to access user data.

The EME interface is also ‘TPM neutral’, meaning it supports all TPM providers. No one company has control, meaning that OTT services are no longer ‘locked into’ the use of a single DRM, thus increasing competition and innovation in the space.

Are there cons? Not with EMEs per se. However, it should be noted that the interplay between TPMs and exceptions to copyright is sometimes a source of tension. Namely, with regards to what happens when the beneficiary of an exception to an exclusive right is restricted from using the copyright protected work because the content is protected by TPMs. At the EU-level, such a situation is fairly sensibly dealt with by requiring Member States to put in place a legal mechanism whereby rights holders can be required to make available to the beneficiary of an exception the means of benefiting from that exception, subject to certain conditions. Rights holders must only do so where the user has had legal access to the content in the first place and only to the extent necessary to benefit from the exception.

For the sake of completeness, we note that a fringe politician in the European Parliament has addressed an open letter to the European Commission on this matter raising two primary concerns:

• use of exceptions, and
• security risks

The first concern is a legitimate one, but, as noted above, is already adequately addressed in EU law. The second concern is somewhat curious, as just about everyone, including the W3C, agrees that EME coupled with content decryption modules are a safer option than plug-ins.

Finally, we note that certain fringe groups in the US, ideologically opposed to TPMs, have also raised objections to EMEs on a number of accounts, such as implementation issues for open-source browsers and lack of interoperability. By and large, these objections are simply an alternative way of attacking the very notion of technological protection measures. If one accepts that distribution of high-value content over the web requires TPMs, then EME is a way of enabling safe content distribution over the web. The alternative is not to have no TPM on the web, the alternative is that content distributions is moved away from the web to closed systems, such as proprietary apps and set-top boxes.

What is the latest development and what will happen next?
EME is currently a draft specification developed by W3C members in the HTML Media Extensions Working Group. We are now waiting for W3C to publish a ‘recommendation’ approving EME, thus making it a web standard.

As noted above, a number of major OTT services already deliver content protected audio visual content over the web and most major browsers already support EME. Thus, the recommendation from W3C will recognise what is, in effect, the status quo. In addition, it may encourage more OTT service providers to move toward delivery of content directly over the web, instead of through proprietary players.

Interviewed by Giverny Tattersfield. This article was first published on Lexis®PSL TMT on 12 June 2017. Click for a free trial of Lexis®PSL.