The expanded exemption sought is for software security research, which provides essential protections for active research and testing efforts into evolving cybersecurity risks. The Copyright Office has acknowledged the value of this research, as evidenced by the decision to renew the pre-existing exemption. However, the exemption contains restrictions on research methods and eligible devices, which, through the threat of litigation, limit and chill critical research into vulnerabilities.
As we have noted in previous exemptions, software and related access controls are increasingly embedded in a wide range of systems. The Register recognized this by granting an exemption for software security research during the last triennial period that included consumer devices, medical devices, and motor vehicles. But the exemption did not include other types of devices that increasingly include software and will also feature security flaws and vulnerabilities, like infrastructure and industrial equipment. Due to the widespread integration of software in tangible products and physical world processes, these flaws pose risks that are qualitatively different from the risks associated with traditional security defects confined to the digital environment.
In light of the rapid proliferation of products and systems subject to software-based security flaws and vulnerabilities, an exemption needs to cover more than just a single product or class of product. Product-by-product exemptions (e.g., software contained in smart thermostats) would make little sense in a world where harmful flaws may exist in any of a wide variety of products or systems. If researchers are forced to wait for the next triennial review process each time they discover that software on an additional type of specific product carries significant security vulnerabilities, the damage will already be done.
For these reasons, the Copyright Office should grant the petitions for a broader exemption covering security research under Proposed Class 10.
As documentary evidence, we have attached the report “The Importance of Security Research,” authored by Joseph Lorenzo Hall, Apratim Vidyarthi, and Benjamin C. Dean. The case studies in the report detail some of the more notable discoveries in security research in recent years and help illustrate the importance of an exemption to the DMCA.