
Once More, With Feeling: Security Research Should Not Be Chilled by Uncertainty in Copyright Law

This week CDT, along with the US Technology Policy Committee of the Association for Computing Machinery and Professor Alex Halderman (represented by Prof. Blake Reid and the incredible students at the Samuelson-Glushko Technology Law and Policy Clinic at Colorado Law), filed comments in support of our joint petition for an expanded exemption under Section 1201 of the Digital Millennium Copyright Act (DMCA).

Every three years, the U.S. Copyright Office considers whether the anti-circumvention provision of the DMCA makes (or is likely to make) it difficult for people to use copyrighted works in ways that do not infringe copyright. This provision, Section 1201, makes it illegal to bypass the digital locks, sometimes called technological protection measures (TPMs) or access controls, that prevent you from accessing the computer code embedded in everything from DVDs to pacemakers. The trouble is that Section 1201 does not distinguish between circumventing TPMs to break the law and infringe copyright, and circumventing TPMs for lawful and legitimate reasons, such as unlocking a smartphone, repairing a car, or researching security vulnerabilities in voting machines and other software. So the Copyright Office conducts rulemakings to create three-year-long exemptions to Section 1201 so that people can legally access this software.

In this and the two previous rounds of exemptions, CDT joined computer scientists and researchers in asking the Office for a broad exemption for security research. The Office approved the exemption in 2015, paving the way for more beneficial research into the security and safety of many products containing copyrighted computer code. This exemption helped researchers by giving them more legal certainty, which had the added benefit of encouraging manufacturers to work with researchers rather than threatening them with lawsuits.

This week, CDT and others once again asked the Copyright Office to remove many of the limitations and conditions from the previous exemption so that security researchers would enjoy even greater legal clarity in the future. We asked for the removal of these conditions and limitations because they add uncertainty to the legal calculus researchers must do before starting a project, but also because the conditions and limitations do not address copyright concerns.

For example, we asked the Office to eliminate from the current exemption language that makes it unclear whether researchers could, without risking liability under Section 1201, publish their research or warn the public about unpatched security vulnerabilities in software or devices. We also asked the Office to remove a condition that could impose liability under Section 1201 if researchers commit even minor, unintentional violations of “any applicable law” in the US. The Office of course cannot make researchers exempt from other laws, but it should not expand liability under Section 1201 to encompass violations of non-copyright law, especially laws as broad and inconsistently interpreted as the Computer Fraud and Abuse Act (CFAA).

The 8th triennial rulemaking process will run through the spring of 2021. We hope the Office will grant our petition and add some much-needed certainty for researchers working in good faith to improve the security of software and devices we use every day.

Read the full comments here.