The Center for Democracy & Technology, along with six leading experts and academics, submitted comments regarding a proposed exemption under 17 U.S.C. Section 1201 for Software Security Research. The group believes the Copyright Office should grant the petitions for an exemption covering good-faith security research. An overview of the comments is below, with full comments available for download.
An exemption for software security research is essential to promote the active research and testing efforts necessary to keep pace with evolving cybersecurity risks.
Software and related access controls are increasingly embedded in a wide range of systems, from consumer goods to medical devices to infrastructure to industrial equipment. This trend carries tremendous opportunities, but it inevitably will bring a raft of new security flaws and vulnerabilities as well. Due to the widespread integration of software in tangible products and physical world processes, these flaws pose risks that are qualitatively different from the risks associated with traditional security defects confined to the digital environment. The emergence of the Internet of Things is one example of the spreading risk.1
In this rapidly evolving environment, active security research and testing are crucial. Without an exemption, however, the DMCA’s anti-circumvention provisions will substantially chill such research, for the same reasons the Copyright Office cited in granting previous exemptions for CD and video game security testing: the scope of the security exception in 1201(j) is simply not clear2 and that lack of clarity chills the kind of security research that needs to happen today.
Given the rapid proliferation in the kinds of products and systems subject to software-based security flaws and vulnerabilities, an exemption needs to cover more than just a single product or class of product. Product-by-product exemptions – say, for security research regarding the software contained in Internet-connected thermostats – would make little sense in a world where harmful flaws may exist in any of a wide variety of products or systems. Security researchers need appropriate legal latitude to engage in good faith security research. If researchers are forced to wait for the next triennial review process each time they discover that software on an additional type of specific product carries significant security vulnerabilities, the damage will already be done. In a world moving at Internet speed, security researchers cannot help protect the public if each new research effort has to be put on hold until the next triennial permission cycle.
For these reasons, the Copyright Office should grant the petitions for an exemption covering good-faith security research. Without such an exemption, security risks will lie unaddressed and the public will be substantially less safe.