Improving the Legal Landscape for Security Research
Written by Stan Adams
Every three years, the Copyright Office conducts a notice-and-comment rulemaking through which interested parties pursue exemptions to the Digital Millennium Copyright Act’s (DMCA) anti-circumvention provisions. Section 1201 of the DMCA, added in 1998, aims to prevent (already illegal) copyright infringement in the digital context by making it illegal to bypass the technological locks rightsholders install to control access to copies of their works. Initially, these locks were supposed to discourage unauthorized copying and distribution of digital music and movies. Today, these locks control access to copyrighted computer software and firmware embedded in everything from insulin pumps to automobiles.
Unfortunately, the threat of the DMCA’s civil and criminal penalties discourages more than would-be copyright infringers. Computer scientists and researchers who wish to test the security of software-driven devices may also face liability under the statute. As part of an ongoing effort to maintain the careful balance of rights and limitations crucial to a copyright system that promotes science and art, CDT participated in this iteration of the Copyright Office’s exemption proceedings to support an exemption for security research.
Earlier this year, CDT filed initial comments supporting the proposed exemption for security research, followed a few months later by a second comment responding to those opposing the proposed exemption. Most recently, CDT’s Erik Stallman testified alongside computer scientists and researchers in a public hearing held by the Copyright Office concerning this exemption. This hearing provided an opportunity for proponents of the exemption to clarify facts and augment their positions with real-world evidence of the need for an exemption. Witnesses explained the shortcomings of current law, as well as the challenges they face in conducting their work and in notifying both rightsholders and the public when they discover an exploitable vulnerability.
Immediately following the hearing, CDT hosted a congressional briefing on the legal barriers that chill important security research. Our expert panelists, Jonathan Band, Jen Ellis, Matthew Green, Nadia Heninger, and Dan Nabel, brought their respective experiences and knowledge to bear on the relationship between security research and copyright law. The panel proposed several ways to improve the legal landscape for security research, including easing the burden of proof required in the Copyright Office’s triennial exemption proceedings; Congressional amendments to the DMCA that would tie liability for circumventing access controls to a nexus with actual copyright infringement; and clarification that security research is a legitimate purpose for circumventing access controls. All agreed that removing liability for security researchers serves important public and personal interests. We each want all the software we use to be secure. That’s the software in our cars, our medical devices, and even our children’s toys. The security of that software depends on the ability of independent researchers to test products and services to find and help fix vulnerabilities before they are exploited.
The consensus on the importance of security research extends well beyond the researchers who participated in yesterday’s hearing and briefing. CDT and nearly 50 computer scientists and researchers have signed a statement illustrating the critical role that research plays in the development of secure technology and the barriers that laws like the DMCA, the Computer Fraud and Abuse Act, and the Electronic Communications Privacy Act create for security researchers.
Although this round of DMCA exemption proceedings may result in an exemption that provides some certainty and protection for security researchers, the importance of their work warrants a more comprehensive solution to the legal obstacles they face. Our devices, and even our lives, depend on secure software and networks. CDT will continue to advocate for a clearer, more conducive legal environment for security research.