An open letter to security researchers and practitioners

An open letter to security researchers and practitioners:

We need you to take a stand to protect security researchers who report
defects in browsers, before it's too late.

Earlier this month, the World Wide Web Consortium's Encrypted Media
Extensions (EME) spec progressed to Draft Recommendation phase. This is
a controversial standard for transmitting DRM-encumbered videos, and it
marks the very first time that the W3C has attempted to standardize a
DRM system.

This means that for the first time, W3C standards for browsers will fall
under laws like the DMCA (and its international equivalents, which the
US Trade Representative has spread all over the world). These laws allow
companies to threaten security researchers who disclose vulnerabilities
in DRM systems, on the grounds that these disclosures make it easier to
figure out how to bypass the DRM.

Last summer, the Copyright Office heard from security researchers about
the effect that DRM has on their work; those filings detail showstopper
bugs in consumer devices, cars, agricultural equipment, medical
implants, and voting machines that researchers felt they couldn't
readily publish about, lest they face punitive lawsuits from the
companies they embarrassed.

EFF has asked the W3C to take a minimal step to insulate their
stakeholders from the legal fallout from the inclusion of DRM in their
standards. Our proposal asks the W3C to bind its members to legal
promises not to use the DMCA or laws like it against security
researchers or implementers.

So far, the W3C executive has failed to act on this proposal, despite
diverse support from a number of W3C members.

We are hosting an open letter from security, privacy and technology
experts to the W3C's director, Tim Berners-Lee; and its CEO, Jeff Jaffe,
asking them to make any further work on EME contingent on adopting rules
to protect the open web from these bad laws.

Will you sign this letter? Some of security's leading lights have
already put their names to it. We can't afford to make widely used tools
like browsers off-limits to security research and disclosure, especially
not as HTML5 is being positioned as a UI environment to replace apps as
the primary way of interacting with sensors, actuators, embedded systems
and the whole Internet of Things.

If you're willing to sign on, please send an email to with
your country of residence and your institutional affiliation (if any).

Thank you,

Cory Doctorow
Apollo 1201 Project
Electronic Frontier Foundation