By Frode Hernes


October 30, 2017

After a lot of controversy, drama, and in-fighting at World Wide Web Consortium (W3C), we finally have an international standard for access to protected content from HTML and JavaScript.

Encrypted Media Extensions or EME is the name of an API that can be used by a web app running in a standard browser, to use content protection (or DRM). With this standard, Video-on-Demand services and Streaming Music services such as Netflix and Spotify can implement their services as standard Web Apps, without relying on non-standard plug-ins (such as Flash or Silverlake), or on native code applications.



There has been a lot of objections against DRM, and against enabling it in HTML and, after the final approval of the standard, the Electronic Frontier Foundation (EFF) decided to resign from W3C.

Yet today, DRM is an important part of how we enjoy content. Whether it’s Netflix, Spotify, HBO, Tidal or one of the thousands of other premium services, we interact with DRM constantly. Most don’t seem to mind, and few probably think about it.

So from our standpoint, this is quite simple. Video and music streaming (OTT) are exploding and users demand premium content. Think Hollywood blockbusters, music that’s topping the charts, etc. The owners of that content have decided that they need to protect it.

Their decision to protect their content left us with a choice. Either we create a standard way to protect content in any web browser, or we sit idly by while a handful of powerful companies control access to content.



To understand the merits of this argument, it’s important to understand that EME is not DRM. EME provides a standard API for JavaScript applications to access content protection in web browsers but does not touch the actual DRM. The DRM itself is normally provided by the platform, delivered by specialist companies like Google, Microsoft, and Adobe, tightly integrated with the hardware by the chipset manufacturer, and available to non-HTML Apps without using EME.

Moreover, without a standard method of incorporating DRM in the browser, video streaming would be reserved for proprietary apps linking to platform-DRM, such as Java apps on Android and Swift or Objective C apps on iOS, etc. The content owner would need to write one app per platform, and the shipment volumes of the platform would be used to decide priorities.



This would exclude many Smart TVs, Linux desktop users, and the users of browsers from vendors that do not have their own tie-ins to content protection, e.g. browsers from companies like Mozilla, Opera, and Vivaldi. (Up to now, PC browsers have relied on MS Silverlight and Adobe Flash plugins for protected content, but these are in general not available on TVs or mobile devices. Even on PCs they have now reached the end of their life, and have been discontinued by their makers and the browser vendors).

Providing access to protected content with EME is the only way that standard HTML platforms can compete with proprietary apps and platforms. And, having protected content available on standardized platforms is the only way that we can have competition in the device OS and web browser markets. Without it, there would be less room for innovation and creativity, and more control handed to the big corporations that control the leading platforms on PCs, handhelds, and TVs.

We can all agree that content protection has been proven to be easy to circumvent, opens up to new vulnerabilities and has been prone to give users limited choices and a worse experience, and we can even discuss if DRM is a bad idea altogether, but this is not a problem with EME, and my belief is that EME does not in itself cause more DRM in the world. Instead, EME levels the playing field for everyone.



EFF points out that protected content makes it harder to provide specialized user interfaces, for instance to people with disabilities, and that there are difficulties for security researchers to detect and responsibly disclose vulnerabilities before they are exploited by malicious parties. In both cases,  this is a problem with content protection and encryption, not with EME, and not having EME only moves the problem to even more closed apps, and solves nothing.

The real problem is with governments that make the dissection of DRM-related technology illegal, even to people working to create solutions for accessibility or to detect and responsibly disclose security vulnerabilities. That fight is important but must be taken with the regulatory bodies, not with the people building the standard.



In an age of streaming, DRM is an unobtrusive reality. We use it all the time without objection. Undermining a standards-based approach to make content protection available equally serves only the interests of the largest players in the ecosystem. The winners who took all get to keep taking, and that stifles the innovation, progress, and openness so central to the web.

Editor’s Note: This post originated as a response to an article on NRKBeta. They published our response here (in Norwegian). This English-language text is similar but edited for different audiences.