Getting Better All the Time: Security Research and the DMCA
Written by Stan Adams
Every three years, the U.S. Copyright Office considers whether the anti-circumvention provision of the Digital Millennium Copyright Act (DMCA) is (or is likely to) make it difficult for people to use copyrighted works in ways that do not infringe copyright. This provision, Section 1201, makes it illegal to bypass the digital locks, sometimes called technological protection measures (TPMs) or access controls, that prevent you from accessing the computer code embedded in everything from DVDs to pacemakers. The trouble is that Section 1201 does not distinguish between circumventing TPMs to infringe copyright and circumventing for legitimate reasons, such as modification (think unlocking a smartphone) or repair (fixing a car). So the Copyright Office conducts rulemaking to create temporary exemptions to Section 1201 so that people can legally access this software.
In this and the previous round of exemptions, CDT joined computer scientists and researchers in asking the Office for a broad exemption for security research. The Office approved the exemption in 2015, paving the way for more beneficial research into the security and safety of many products containing copyrighted computer code. This exemption helped researchers by giving them more legal certainty, which had the added benefit of encouraging manufacturers to work with researchers rather than threatening them with lawsuits.
This time around, CDT and others asked the Office to remove many of the limitations and conditions from the previous exemption so that researchers might work on even more kinds of products and systems and enjoy even greater legal certainty in the future. Although the Copyright Office did not recommend all of our proposals, Acting Register Karyn Temple’s recommendations represent a significant improvement over the 2015 exemption. These recommendations have already been approved by the Librarian of Congress and a final rule will issue in the Federal Register on October 26.
The biggest improvement to the temporary exemption for security research is the removal of the so-called “device limitation,” which limited the applicability of the exemption to research performed on devices “primarily designed for use by individual consumers,” “motorized land vehicles,” some implantable medical devices, and voting machines. The new exemption expands the scope to include computer programs operating on devices, machines, computers, systems, or networks. This expansion will allow researchers to test the security of many more types of devices and systems, such as industrial-scale HVAC systems.
Another limitation in the previous exemption required research to be carried out in a “controlled environment,” which created uncertainty for researchers who feared that research performed outside of a laboratory might not qualify for the exemption. In an effort to clarify this limitation, the Register recommended the removal of the word “controlled,” but preserving the rest of the limitation, which requires research to be carried out in an environment “designed to avoid any harm to individuals or the public.” Although there may still be some uncertainty about the implications of the word “designed,” the Register makes clear her position that testing outside of a lab will be covered by the exemption so long as common sense precautions are taken. This added certainty will allow researchers to test the security of devices and systems in environments that more accurately reflect real-world conditions, while still ensuring that such research will not create safety risks for participants or bystanders.
Although the Register declined to recommend the removal of other limitations, she did include in her recommendations some helpful guidance as to the Office’s interpretation of a few of those limitations. First, the Register clarified that, while any devices on which researchers wish to work must still be “lawfully acquired,” eligibility for the exemption should not be limited by “restrictive contractual terms purporting to limit the use of hardware on which the copyrighted software is running.” This guidance is helpful in terms of clarifying the Office’s intended bounds for the exemption as it applies to things a researcher might “acquire,” such as a mobile device, a car, or a voting machine. To address research on things that are too big or too expensive for a researcher to acquire, like industrial control systems, the Register included a clause allowing such research with the authorization of the owner or operator of the system.
Second, although the Register declined to recommend the removal of the “access limitation,” which requires that research be “solely” for the purpose of “testing, investigation, or correction,” she clarified that activities such as teaching and peer review are not prohibited. This is an important clarification for many researchers in the academic community for whom research without the ability to publish and discuss their results is of little value.
Third, the Register clarified, but did not remove, the “use limitation” which requires that information gained through research “is not used or maintained in a manner that facilitates copyright infringement.” According to the Register, this limitation only applies to the researcher’s use and maintenance of the information and does not depend on the actions of third parties who might use the information to infringe copyright.
Finally, the Register declined to remove the requirement that research must be in accordance with all other laws, specifically including the Computer Fraud and Abuse Act (CFAA). She explained that, to the extent that other laws deter security research, it is those laws and not Section 1201 of the DMCA that inhibit researchers, therefore removing the limitation would not change researchers’ ability to (legally) conduct research. It is true that the 1201 exemptions cannot remove the obligation to comply with other laws; indeed, researchers (and everyone else) will always be on the hook for compliance with the law. It is unclear why a researcher who inadvertently violates an obscure state law in the course of her research should then also be liable under copyright law.
Overall, this round of the 1201 triennial rulemaking has been a great success. CDT applauds the Copyright Office and Acting Register’s efforts to improve both the process and the exemptions. It worked. The streamlined process saved the time and resources of all interested parties and resulted in broader, more useful exemptions. But there is still room for improvement. CDT looks forward to working with the Office and others to reduce Section 1201’s barriers to non-infringing uses of copyrighted works and to providing more legal certainty for the researchers helping to improve the security of computer software, devices, and systems.