The Assistant Director-General for Communication and Information Sir Tim Berners-Lee Director, W3C Mr Jeff Jaffe CEO, W3C Ref.: DIR/FEM/2017/45 31 March 2017 Encrypted Media Extensions UNESCO’s Constitution commits the Organisation to the free flow of information and ideas, and in this spirit, there are concerns about how a recent issue at the W3C may impact on this. In particular, the concerns are with the possible standardization for Encrypted Media Extensions (EME) in HTML 5 and its impact on how web browsers deal with encrypted video content. Our approach to this issue is specifically informed by our Member States which have agreed on the concept of Internet Universality, which in turn promotes four principles for the Internet. Summarised under the acronym of ROAM, these are human Rights, Openness, Accessibility and Multi-Stakeholder Participation. In this framework, should Internet browsers become configured to work with EME to act as a framed gateway rather than serving as intrinsically open portals, there could be risks to Rights, to Openness and Accessibility. Primarily, there is the issue of the Right to seek and receive information. To date, most filtering and blocking of content has been done at the level of the network, whereas the risk now is that this capacity could also become technically effective at the level of the browser. With standardized EME incorporated in the browser, a level of control would cascade to the user interface level. This could possibly undercut the use of circumvention tools to access content that is illegitimately restricted. While a case can be made for exceptional limitations on accessing certain content, as per international human rights standards such as the International Covenant on Civil and Political Rights, the same human rights standards are clear that this is should never be a default setting. Unfortunately, many instances of limitation of access are not legitimate in international standards as they do not meet the criteria of legality, necessity and proportionality, and legitimate purpose, and it would be regrettable if standardized EME could end up reinforcing this unfortunate situation. …/. 7, place de Fontenoy 75352 Paris 07 SP, France Tél. : +33 (0)1 45 68 42 03 +33 (0)1 45 68 42 68 www.unesco.org -2- The same complexities confront the Right to privacy, and whether a particular standardized EME could end up intruding on this right by enabling DRM video, based on non-public proprietory standards, to serve unwarranted surveillance purpose on users via the browser. This concern is reinforced by the current lack of protections for security researchers to audit EME implementations without being accused of violating copyright laws. A related concern is that while a standardized EME might reduce some insecurities related to the use of voluntary and optional plug-in use to view copyright-encrypted video, it could also equally reduce the possibilities and legalities for security researchers to identify and publicise security vulnerabilities in the combination of EME and DRM mechanisms. With a standardized EME, users would not have the choice in deciding whether they wish to “opt in” or not to a software plug-in (and any associated risks) should they wish to access DRM content via their browser. The right to a secure Internet could be compromised. There are also risks to the right to Education, and to Accessibility as well as Openness. If a particular scope were given to standardised EME, in combination with DRM mechanisms, this could impact on browsers so as to make it impossible for users to exercise their legal right of fair use of copyrighted video, including further adapting content for disabled persons. This would be to the detriment of Accessibility. The current balance of rights would be tilted towards an in-built technical bias towards intellectual property and away from other competing rights. The same technical feature could also lead, even inadvertently, to some free or openly licensed content such as open education resources being caught in the nets of EME-DRM. In some iterations, it could be that interoperability and even Net Neutrality could be adversely impacted by exploitation of standardized EME technology, thereby impacting Openness. It is the case that the application of standardized EME in a browser would be subject to local and international laws. Nevertheless, whereas law could previously apply at other levels of content production, distribution and use, the new EME would give an additional technical layer to control of expression and fair-use – subjects which are probably best treated as realms of ethical choice in an environment of technical neutrality, rather than being intrinsically constrained by a technical standard. In conclusion, in your debates at the W3C, I would like to urge that further attention be given to the issues of necessity, proportionality and the possible implications for human rights, openness and accessibility, as well as attention to compromise solutions that could ameliorate some of the risks outlined above. If the W3C is interested, UNESCO would be happy to host further discussions on this important subject. Yours sincerely, Frank La Rue