Security Research and the DMCA: The Copyright Office streamlines the exemption process

In late October, the Copyright Office announced that it plans to make it easier for people to fully use their lawfully purchased items, choose which mechanics work on their cars, and improve the security of software-enabled devices. Under current law, Section 1201 of the Digital Millennium Copyright Act (DMCA), it’s illegal to circumvent the technological protection measures (TPMs) that limit the use, modification, and repair of software. TPMs are ubiquitous; they’re in everything from smartphones to cars and coffee makers, acting as digital locks on the computer code within. And bypassing these locks can trigger criminal penalties, even with a good, non-infringing reason. However, the law also includes a process by which the Librarian of Congress and the Copyright Office can issue exemptions to this flat ban on circumvention. The triennial exemptions allow the bypassing of TPMs for certain non-infringing purposes, but these exemptions are only valid for three years.

In the most recent exemption proceedings, the Copyright Office plans to recommend the renewal of every exemption granted in the last round of the Section 1201 triennial rulemaking. Previously, the Office has required those asking for exemptions to start from scratch with each new rulemaking, which forced petitioners to (re)prove that the exemptions were both necessary and non-infringing. But this year, the Office streamlined the process by offering the option to simply renew the exemptions granted in the previous round. This is a significant improvement because it saves both the petitioners and the Office the trouble of reinventing the wheel. The Office’s recommendation to renew all the exemptions also provides those who depend on them with more certainty that they will continue to be covered in the next three years. For some, such as computer scientists conducting research on the security flaws and vulnerabilities in software and devices, this certainty is even more valuable because their research projects may extend beyond the three-year time window or the funding for future projects may hinge on exemption coverage.

In the last triennial rulemaking, CDT and our partners in the civil society community worked to secure an exemption for security research. This exemption has improved the legal landscape for researchers, but contains limitations and conditions that inhibit this socially beneficial work. These limitations and conditions, which include restrictions on what kinds of devices are eligible, are not based on concerns about copyright infringement, but stem instead from concerns about how DMCA exemptions might interact with other laws. For example, the exemption explicitly incorporates the Computer Fraud and Abuse Act (CFAA). That means that researchers must not only comply with Section 1201, but also commit to not “exceed authorized access” to the devices and systems they test. This creates another potential layer of liability for researchers and is especially problematic because the CFAA is notorious for its inconsistent interpretation in courts. Adding this uncertainty, plus the threat of double liability, diminishes the value of the exemption in terms of legal certainty for researchers. From our perspective, copyright law should focus on copyright. Although some research practices may incur liability under other laws, doing so should not also make you liable under the DMCA.

Fortunately, thanks to the newly streamlined rulemaking process, CDT, along with computer scientists and other groups, has already asked the Office for an expanded exemption in the upcoming proceeding. We hope to remove or refine the limitations and conditions in the existing exemption so that researchers may look into a broader range of systems and devices for flaws and vulnerabilities, and do so with more confidence that they won’t run afoul of the DMCA.

The first round of comments and evidence in support of these petitions for expanded exemptions closes December 18, followed by an opportunity for opposing comments in February, and a final round of reply comments in March. After the close of the public comment phase, the Office will consider the public comments and the views of the Assistant Secretary for Communications and Information of the Department of Commerce (the head of the National Telecommunications and Information Administration (NTIA)) and then issue its own recommendations to the Librarian of Congress. Historically, the Librarian has followed the recommendations of the Office nearly to the letter, but it is ultimately the Librarian’s responsibility to determine whether exemptions should be offered, to whom, and for what purposes.

We will follow up with more blogs and our official filings as the proceeding develops.