Security research under the DMCA: A quest for flexibility and certainty
By Stan Adams and Andy Sayler.
CDT recently filed its response to the Copyright Office’s last round of questions regarding a proposed security research exemption to the Digital Millennium Copyright Act’s Section 1201 anti-circumvention provision. This exemption would provide a clearer legal environment for important research into the security of the software and devices on which we all rely by removing the legal ambiguities around Section 1201. The Copyright Office’s questions, which it formally asked after conducting public hearings on the proposed exemption, focused on two issues which the Office had not previously addressed in this proceeding:
- Whether the proposed exemption should regulate researchers’ disclosure of their research.
- Whether the proposed exemption should incorporate compliance with other (non-copyright) laws as a condition for eligibility.
In our comments, we requested that the Copyright Office both refrain from conditioning the exemption on specific disclosure requirements and refrain from entangling the exemption with a patchwork of unrelated laws. These actions are necessary to ensure that the proposed exemption accomplishes its goal of clarifying the legal landscape surrounding Section 1201 and good-faith security research.
During the recent public hearing, the disclosure debate arose from the question of whether and how security researchers must disclose vulnerabilities they discover to whoever may be responsible for repairing the vulnerability before alerting the public to it. While this kind of coordinated disclosure is a common best practice of the security research community, cementing such requirements under copyright law impairs researchers’ ability to help consumers and end users, impairs researchers’ ability to further the state of the art, and falls outside the Office’s purview of preventing copyright infringement.
Controlling disclosure through an exemption would also undermine efforts to create an unambiguous exemption for security research by raising fundamental questions about the researcher’s obligations under the exemption. For example, under such a requirement, what should a security researcher do when the party responsible for the software cannot be contacted or even identified? What about when the software was created by hundreds of individual contributors, as is the case in most open source projects? Or when fixing a common flaw requires massive multi-party coordination (as in Heartbleed)? How could a single, fixed disclosure method adequately address the broad diversity of situations in which vulnerabilities should be disclosed?
Good-faith security researchers are well versed in the nuanced complexities surrounding vulnerability disclosure, and already follow a range of evolving best-practice guidelines to ensure the disclosure of discovered vulnerabilities in the manner that best serves the public interest. It is thus neither necessary nor desirable for the Copyright Office to expressly regulate such practices via the proposed exemption. Those practices are best addressed through discussions and collaborations among researchers, vendors, and other interested parties that provide for flexibility and evolving understanding of cybersecurity threats and the best way to address them. On its own, the triennial review is an inadequate process and forum for those discussions.
Nor should copyright law make eligibility for the proposed exemption dependent on compliance with other laws. Security researchers should not need to wade through the additional uncertainty and murkiness of laws completely unrelated to copyright to be able to avoid liability for (non-copyright-infringing) circumvention under the DMCA. Dealing with the ambiguities in Section 1201’s application to security research is already hard enough.
Congress, while crafting the DMCA, recognized that a per se rule against circumvention could have the unintended consequence of limiting the public’s right to make non-infringing use of works guarded by technological protection measures. This important recognition is the reason behind the statute’s exemptions and its safety-valve — the Copyright Office’s authorization to grant exemptions to the rule through the triennial proceeding process. To function effectively as safety-valves for non-infringing uses, exemptions granted by the Office should be clear and unencumbered so that non-infringing use may continue and so that those wishing to exercise the exemption are not shadowed by legal uncertainty.
That security researchers have spent a decade petitioning the Office for a clearer exemption demonstrates the importance of security research, the insufficiency of Section 1201’s existing statutory exemption for security testing, and the need for an unambiguous exemption. Without the certainty that security research will not incur liability and without the flexibility necessary to appropriately disclose that research, Section 1201 will continue to hinder the safety and security of the digital world.