Principles of DRM Nonaggression for Open Standards

An “open standard” must not prohibit conforming implementations in open source software. (See Open Standards Requirement for Software.)

When an open standard involves content restriction technology commonly known as Digital Rights Management (DRM)—either directly specifying an implementation of DRM or indirectly consuming or serving as a component within DRM technology—the laws in some jurisdictions against circumvention of DRM may hinder efforts to develop open source implementations of the standard. In order to make open source implementations possible, an open standard that involves DRM needs an agreement from the standards body and the authors of the standard not to pursue legal action for circumvention of DRM. Such an agreement should grant permission to:

  • circumvent DRM in implementations of the open standard
  • distribute implementations of the open standard, even if the implementation modifies some details of the open standard
  • perform security research on the open standard or implementations of the open standard, and publish or disclose vulnerabilities discovered

Reference Example

The W3C is currently reviewing the following DRM nonaggression covenant for their open standards working groups. This draft document embodies the principles of DRM nonaggression for open standards, and may serve as a valuable resource for other groups drafting similar policies.

1. Scope of Obligations

The following covenant applies to all participants (W3C Members, W3C
Team members, invited experts, and members of the public) in a Working
Group for the development of a specification that provides a content
protection or Digital Rights Management system or a substantial
component of such a system, or that requires or recommends such a system.

2. The DRM Circumvention Nonaggression Covenant proposed by EFF for W3C Consideration

Each participant irrevocably covenants that it will not bring or join
suit against any person under 17 U.S.C. § 1203, or under any other law,
of any jurisdiction, that regulates the circumvention of technological
measures that effectively control access to a work protected by
copyright, where the act complained of is one of the following, or
relates to one of the following under a theory of secondary liability:

(a) the circumvention of any implementation of the specification;

(b) the publication of any non-compliant implementation of the
specification; or

(c) the publication or disclosure of any vulnerability in the
specification or in any implementation of the specification.