The W3C (the organization now responsible for developing the Epub standard) has taken the position that researchers should have to get a company’s permission before revealing security flaws or software defects in that company’s products.
The World Wide Web Consortium has just signaled its intention to deliberately create legal jeopardy for security researchers who reveal defects in its members’ products, unless the security researchers get the approval of its members prior to revealing the embarrassing mistakes those members have made in creating their products. It’s a move that will put literally billions of people at risk as researchers are chilled from investigating and publishing on browsers that follow W3C standards.
It is indefensible.
But last weekend, the W3C signalled that it would ignore all of these concerns, and instead embrace and extend the legal encumbrances created by its DRM work, creating a parallel working group that would develop “voluntary guidelines” for its members to employ when deciding whether to use the legal rights the W3C has created for them with EME to silence security researchers.
So why would this matter to the ebook world?
Back in 2014, I brought you the news that Adobe was spying on users and sending user data to its servers in clear text over the internet.
I was able to publish that story because there was nothing to stop me from revealing Adobe’s dirty little secret, but if the W3C gets its way that is going to change.
Once the W3C creates those legal guidelines for tech companies to sue researchers, what are the chances that researchers will leak a security issue to the press?
The chances will be virtually nil, and that is important to you and me because my original source on that story was a researcher who was so afraid of retribution that they made me promise to conceal their identity.
Next time around a source could be intimidated to the point that they won’t even leak a security issue in secret, and that helps no one other than the company trying to keep its dirty laundry from being aired in public.
The W3C is creating conditions where we will one day wake up to a security flaw which hackers found first, and used against us. And the hackers will have gotten the chance to use the flaw because legitimate researchers – those who are trying to stay inside the law – will be too afraid to expose the flaw.
I don’t know whether the W3C’s goal is to make us all less safe, or to be a stooge for tech companies, but either way this plan is going to accomplish those goals quite nicely.
image by aag_photos