Thawing Chilled Security Research: An Opportunity for the Copyright Office

As the world becomes increasingly dependent on “smart” devices, powered by software and connected to networks, the security of the software and firmware they run on increases in importance.  Whether in video games, medical devices, automobiles, or the infrastructure of the Internet, security vulnerabilities offer opportunities for malicious actors to cause widespread and potentially drastic damage.

According to the White House, recent and increasingly common exploits of these vulnerabilities “clearly demonstrate the need to accelerate collective efforts to increase” cybersecurity.  But computer scientists and security researchers who hunt down (and fix) vulnerabilities face uncertain criminal and civil liability under the Computer Fraud and Abuse Act, the Electronic Communications Privacy Act, and the Digital Millennium Copyright Act (DMCA).

This year, the Copyright Office has the opportunity to solve part of that problem and reduce the uncertainty the DMCA creates for security research.  The Copyright Office’s sixth triennial rulemaking under the DMCA may offer some relief from one particular disincentive to security research.  Through triennial rulemakings, the Copyright Office and the Librarian of Congress can grant temporary exemptions to the DMCA’s section 1201 prohibition on the circumvention of access controls protecting copyrighted works.  Without an exemption, circumventing access controls can lead to significant legal consequences, even if no copyright infringement occurs.

As more and more products and services involve access-controlled software, computer security researchers must often bypass these controls, and risk facing lawsuits, to perform their research.  For example, testing the security and functionality of a car’s firmware requires researchers to first unlock the digital lock protecting that firmware.  Even if they own the car, without an exemption, researchers could face liability under the DMCA. This is particularly disturbing when research involves no copyright infringement and ultimately benefits consumers. Bugs must be found before they can be fixed.

Earlier this year, CDT filed an initial comment supporting a proposed exemption for computer security research.  Not surprisingly, some industrial copyright owners (including almost all automakers) opposed this exemption.  Almost none of the opponents’ arguments against the exemption stem from copyright-related concerns.  Instead, opponents cite concerns about public safety, supply chain integrity, and, ironically, other regulatory regimes that are better suited than copyright to address their concerns.

CDT, joined by copyright experts and security researchers, made precisely this point in reply comments recently filed with the Copyright Office in its current Section 1201 proceeding.  This comment includes a statement signed by more than 30 security researchers highlighting both the importance of independent computer security research and the disincentives Section 1201 and other laws create for researchers.

An exemption would be an important step forward in an ongoing, multifaceted effort to enhance cybersecurity and improve conditions for more robust, productive, and beneficial security research.  Congress is also contributing to this ongoing effort: The “Breaking Down Barriers to Innovation Act,” introduced by Senator Wyden and Representative Polis, would make it easier to obtain (and preserve) exemptions under 1201 while also expanding the statute’s existing exemptions.  Representative Lofgren’s “Unlocking Technology Act” would likewise broaden the scope of permissible reasons for circumvention under Section 1201 to include any non-infringing use of a work protected by copyright and an access control.  Hopefully these efforts and others move us towards a world that encourages independent security research aimed at enhancing cybersecurity.