Cybersecurity & Standards, Free Expression, Government Surveillance, Open Internet

DOJ Writes to Copyright Office: Security Research is Cool.

On June 28, the Computer Crime and Intellectual Property Section (CCIPS) of the Department of Justice sent a letter to the Copyright Office. In this letter, CCIPS voiced its support for CDT’s request that the Office expand an exemption under Section 1201 of the Digital Millennium Copyright Act (DMCA) that allows computer security researchers to find and repair flaws and vulnerabilities in programs without running afoul of copyright law. (For those wondering how computer scientists might violate copyright law, the short answer is, “Because Section 1201 is too broad.” For a longer explanation, check out our past posts about the previous exemptions, the exemption process, and how the Office improved that process this year.)

Thanks to the Office’s streamlined process in this round, we were able to suggest improvements to the exemption granted in the last proceeding. Essentially, CDT asked the Office to remove each of the many conditions and limitations built into the previous exemption to create an unambiguous exemption for good-faith computer security research, so that researchers can search for vulnerabilities without fear of copyright liability. Although some interest groups opposed our petition, their concerns were largely unrelated to the rights granted to copyright holders. Some even tried to depict copyright law as the last barrier between civilized society and a world overrun by hackers.

Fortunately the DOJ, which is responsible for enforcing the criminal provisions of the DMCA, has a far more reasonable view on the relationship between the anti-circumvention provisions of the DMCA, computer crime, and security research. To wit:

“As critically important as the integrity of voting machines or the safety of motorized land vehicles are to the American public, the DMCA was not created to protect either interest, and is ill-suited to do so. To the extent such devices now contain copyrighted works protected by technological protection measures, the DMCA serves to protect those embedded works. However, the DMCA is not the sole nor even the primary legal protection preventing malicious tampering with such devices, or otherwise defining the contours of appropriate research. The fact that malicious tampering with certain devices or works could cause serious harm is reason to maintain legal prohibitions against such tampering, but not necessarily to try to mirror all such legal prohibitions within the DMCA’s exemptions.”

Well said. CDT has made this point in all of our filings on this subject with the Office, and it is validating to hear it from the top computer crime enforcement agency. The letter goes on to support most of CDT’s requests to remove ambiguous conditions and arbitrary limitations from the existing exemption, while highlighting the importance of independent security research in everything from consumer devices to industrial grade servers and network switching equipment.

To express our appreciation for both the letter and the Copyright Office’s willingness to accept it into the record for this exemption proceeding, we and our colleagues at the Samuelson-Glushko Technology Law & Policy Clinic submitted a response to the letter. We hope the Office will give the CCIPS letter due consideration as it prepares its recommendations for the next round of exemptions.

Security researchers have enough legal parameters to negotiate; copyright law needn’t be one of them.