We need to fight for strong encryption. And stop DRM in Web standards

Encryption is the backbone of privacy and anonymity technologies, and these technologies are an important driving force for democracy in the 21st century. Their adoption is partially equalizing the balance of power between people and governments, enabling transparency, accountability, and freedom. Intimidated, the law-enforcement arms of many governments are attempting to slow this process by banning strong encryption.

The FBI took a big swing at the right to encrypt this spring, when it attempted to force Apple to break its own encryption on an iPhone. They did not quite succeed, but it is important that we stay vigilant – they will try again to strong-arm tech companies into weakening widely-used encryption systems. We must stop them, both to protect the new political power of encryption, but also because weakening it would cause huge collateral damage to millions of innocent people using the Internet and the global financial system.

The mainstream media has covered the FBI versus Apple fight, but so far the free software movement has not been able to effectively leverage it as an opportunity to teach the public the deeper truth about our computing rights: encryption is important, but no real popular control of computers is possible without free software at the center. Programs like GnuPG, Tor, and OpenSSL are the gold standard in encryption because their free licenses grant users the transparency necessary to verify that they are secure, and the freedom to fix insecurities. If we celebrate Apple's stand for strong encryption uncritically, we miss an opportunity to point out that Apple's proprietary encryption (while it is a step up from proprietary software without encryption) still represents an evolutionary dead-end for our society.

Just as the FBI hopes to set a precedent by making Apple crack its own encryption, the DRM lobby is currently pushing for a major political victory to legitimize its restrictive technology and make it easier and cheaper to implement. DRM is software that runs on your devices and polices your behavior. It is what stops you from copying streaming videos and songs onto your hard drive, prevents you from using some programs without an Internet connection, and stops you from moving books between e-readers.

Its owners claim DRM is necessary to “protect creators” by stopping unauthorized copying. While this sounds very virtuous, it is rarely, if ever, true. The precise motivations vary, but the goal of DRM is usually either removing functionality and selling it back piecemeal, or preventing competitors from making interoperable products.

Recently, Netflix, Apple, Google, and Microsoft have crafted a new universal DRM system for the Web, called Encrypted Media Extensions (EME). They are trying to get it ratified by the W3C, which sets official Web standards. For many of the same reasons that we need to protect strong encryption, we also need to stop this power grab by those that profit from DRM.

Weakened encryption loosens our control on our computers. DRM does this as well, by encumbering our devices with proprietary code that treats us as adversaries. DRM is impossible to implement effectively with free software, so any system that requires it also locks out users that are committed to protecting their own freedom. Perhaps worst of all, the continued legal and political acceptance of DRM marginalizes our general claim to control over our computers, and legitimizes the idea that media distributors' business models should trump user freedom.

Encryption is an essential pillar in computer security, which is one of the reasons that such diverse groups are united against government attempts to weaken it. Like weakened encryption, DRM is a nightmare for security.

Because it is a black box that users are compelled to install and that is designed to be hard to remove, DRM becomes a tempting home for every kind of abuse and attack that a software author can perpetrate on a user. Even if a DRM's owner does not actually command it to attack or spy on users, others often slip through the hole it has punched in users' security.

Fearful of public scrutiny, the DRM lobby has passed laws (the Digital Millennium Copyright Act in the US, followed by similar laws and treaties in many countries) to effectively gag security researchers seeking to expose and fix vulnerabilities in systems that include DRM. This means that the best system we have for protecting users from insecure programs – independent expert review – is outlawed.

To protect user control and digital security, we need to make DRM politically expensive. Currently, we are fighting this struggle in the arena of Web standards. The free software community plays a leadership role in the fight against this backwards step for the Web, through our Defective by Design campaign. We call on anyone concerned with strong encryption to join us by signing our petition and by adding a protest selfie to our growing gallery.

There is a blooming global consciousness of the need for secure and user-controlled technology, and DRM is not a part of that picture. Resist DRM with us, and demand a Web that puts users first.