Note loosening impl requirements is out of scope in SOTD

[tidoust]

Concerns were raised during the review of the new Media Working Group charter about the possible impact of the features being added to EME on user privacy, interoperability, royalty-free implementation of the standard and access to media.

This adjusts the Status of this Document section to clarify that loosening of implementation requirements that were published in the W3C Recommendation is per charter out of scope for the Media Working Group.

---

Preview | Diff

[npdoty]

I think it's good to have clarity on scope. I do think the group should plan to make updates to the privacy considerations section, though, to note the potential impacts of the new method and its likely use for fingerprinting users and detecting whether hardware is attached or not.

[marcoscaceres]

A bit more expanded:

This specification defines an extension to the Encrypted Media Extensions (EME) framework. It does not modify the baseline implementation requirements for Content Decryption Modules (CDMs) or user agents, as defined in the EME specification.

However, the Media Working Group recognizes that new features related to content protection, device capabilities, and hardware enforcement can have broader impacts on user rights and platform interoperability. In particular, this extension may introduce new considerations around:

• Privacy, such as fingerprinting surfaces related to hardware or CDM configuration;
• Accessibility, where content protection mechanisms may interfere with assistive technologies or prevent post-processing for accessible media presentation;
• Equitable access, where technical or commercial constraints may disproportionately limit access for users on alternative platforms, older devices, or in under-resourced settings;
• Interoperability, as inconsistencies in CDM behavior, hardware enforcement, or media capability queries can result in divergent implementations across browsers and devices.

These impacts are discussed further in the Privacy and Security Considerations, Accessibility Considerations, and related sections. Where applicable, the Working Group documents known risks and trade-offs, and encourages implementers to mitigate negative effects.

The Working Group aims to support an interoperable web ecosystem and encourages future extensions to explicitly balance content protection goals with user privacy, accessibility, equitable media access, and multi-vendor interoperability.

This might be in it's own section, or the introduction or something...

[chrisn]

We have a work in progress PR that considers the security and privacy impacts of each feature addition the group has been working on so far: #550. Our charter requires us to document accessibility considerations in each spec. EME doesn't currently have an Accessibility Considerations section, but this could be a place to document them.

[npdoty]

Just saying more broadly that all of these features will have impacts, but that the impacts will be documented and hopefully balanced in some way doesn't appear to set any clear limits on the scope at all. I agree that the group should document those things if it chooses to standardize this new and potentially harmful technology.

Balancing "content protection goals" against these other properties would seem to be re-negotiating the priority of constituencies in a way that significantly demotes users. I think better would be to explicitly note that the group will prioritize privacy, accessibility, media access and interoperability. If a proposal harms those features, then the group shouldn't pursue it, even if it advances some other stakeholder's goals.