A Qualified Win for Cybersecurity Researchers in DMCA Triennial Rulemaking

Today, the Library of Congress released its final rule granting a number of three-year exemptions from the Digital Millennium Copyright Act’s (DMCA) prohibition against circumvention of technological measures controlling access to copyrighted works. The subject matter of exempted classes ranges from massive open online open courses to vehicles and medical devices. Of particular note, the final rule grants an exemption for security research. CDT has focused on winning this exemption, arguing that the DMCA’s prohibition chills essential cybersecurity research and has little to do with copyright infringement. The granted exemption is an acknowledgment of the importance of security research and the unnecessary legal risks security researchers currently face under the DMCA.

The work of the Librarian, the Copyright Office, and the National Telecommunications and Information Administration (NTIA) in granting the security research exemption is certainly commendable. Once in effect, the exemption will mean that researchers are no longer required to get permission from the rightsholder before performing critical security research or disclosing results. At the same time, after our initial reading of the rule, we are concerned that some limitations on the security research exemption are unwarranted and will unduly limit its effectiveness. For example, the exemption’s limitation to devices and machines “primarily designed for use by individual consumers” leaves significant questions open regarding security research on networks or software not embedded on consumer devices.

Of principal concern is the Librarian’s decision to delay the effectiveness of the exemption for twelve months. Given that the exemption lasts for only three years, a one-year delay means that after spending the next year in legal limbo, researchers will have only two years to perform any research that relies on the exemption. That limitation will force researchers and academic institutions to lower their horizons and may also create obstacles in funding their work. The Librarian’s justification for the delay — to give other government agencies more time to “respond” to the exemption — also suggests that agencies may seek further limitations for particular subject matter.

Looking to the proceeding as a whole, the Librarian granted a number of exemptions that respond to consumers’ growing expectations to use, repair, and modify the content, vehicles, and other devices they own in the manner they choose. At the same time, many of the granted exemptions contain complicated qualifications and limitations that could undermine their usefulness. The sheer complexity of some of the granted exemptions — and the need to re-request them every three years — suggests that DMCA rulemaking proceedings are simply not the best vehicle for industrial policymaking where copyright infringement is, at most, a tangential concern.

While there is a lot to like in the rule released today, it also points to the need for a broader conversation on the purpose and scope of the DMCA triennial review. As CDT continues its analysis of the final rule, the Register of Copyrights’ recommendation, and the NTIA’s review, we also look forward to engaging in that broader conversation.