Good computer security research is essential to keeping our data and ourselves safe. Yet security researchers today lack the freedom they need to probe systems for flaws and fix them. A somewhat obscure regulatory process, the Digital Millennium Copyright Act’s triennial circumvention review, turns out to be a significant barrier to better security research.
The DMCA contains a prohibition, found in Section 1201 of the Act, against circumventing a “technological measure that effectively controls access” to a copyrighted work. This prohibition has led to some famously bad results. Most recently, the Librarian of Congress’s decision not to renew an exemption for cell phone unlocking temporarily turned every consumer who unlocked her own cell phone into a potential lawbreaker. Congress ultimately intervened, and no one was fined or incarcerated.
Although prohibiting cell phone unlocking may be this provision’s most widely reviled impact to date, its application to computer security research is probably its most insidious. Because computer security research often requires testing and “breaking” technological protection measures, it can violate the terms of the DMCA’s anti-circumvention provision. As detailed in EFF’s “Unintended Consequences: Fifteen Years Under the DMCA,” rightsholders have misused Section 1201 for years to prevent the disclosure of software and hardware security vulnerabilities, and, in some cases, Section 1201 has limited or prevented security research into those vulnerabilities altogether.
The most notorious instance of this chilling effect is the research into security vulnerabilities created by Sony’s “rootkit” copy protection for music CDs. The rootkit, which compromised the operating systems of roughly half a million computers worldwide, was discovered in 2005. But no exemption permitting research on that class of vulnerability was in place until the Librarian of Congress granted one in the 2006 rulemaking, after the damage had already been done.
Although the Copyright Office has worked to improve the process for requesting 1201 exemptions, the existing process simply is not suited to the legitimate needs of computer security researchers. Exemptions are granted only during the Copyright Office’s triennial review and remain in place for only three years. Thus, a researcher who wants to investigate a particular vulnerability for which no current exemption applies must wait until the next cycle, as happened with the rootkit vulnerability. To secure an exemption, proponents must demonstrate with evidence that denying it has caused adverse effects, or that such effects “are likely to occur during the next three years.” But if the damage has already been done, the exemption comes too late. And if a researcher has not yet been able to investigate a potential vulnerability, any statement of future harm is necessarily speculative.
An exemption lasts for only three years, at which point it must be reviewed de novo. A researcher embarking on an investigation of security vulnerabilities that could take longer than three years has no guarantee that the current exemption will not be narrowed or eliminated altogether before the work is finished.
Perhaps most critically, the exemption applies only to the anti-circumvention provision in Section 1201(a)(1). Section 1201(a)(2) separately prohibits trafficking in “any technology, product, service, device, component, or part thereof” designed primarily to circumvent a technological protection measure. Courts have held that mere publication of a circumvention method can constitute “trafficking” and violate this provision. This creates uncertainty and litigation risk for computer security researchers who want to publish their results, which is the very step that turns a private finding into a fix.
Sections 1201(f), (g), and (j) provide express statutory exemptions for reverse engineering, encryption research, and security testing, respectively. However, as noted in a pending security research petition filed by Dr. Matthew Green of the Johns Hopkins University Department of Computer Science, “these provisions include complex multifactor tests that cannot be evaluated ex ante, potential restrictions on the dissemination of research results, and requirements to seek authorizations in advance of performing research.”
The security testing exemption in Section 1201(j) presents an additional difficulty by incorporating the Computer Fraud and Abuse Act. As CDT has explained elsewhere, a researcher arguably violates the CFAA simply by exceeding the authorized access she was given. Accordingly, a researcher who exceeds that authorization may be exposed to liability under both the CFAA and the DMCA, and the 1201(j) exemption offers no shelter. Unsurprisingly, there is no reported case upholding a claim of good-faith security testing under this exemption.
Recent vulnerabilities such as Heartbleed and Shellshock demonstrate just how exposed any network or device connected to the Internet can be. And the recent Sony hack demonstrates the extent of the damage that exploitation of such flaws can inflict. Our best weapon against those flaws is research that finds them before attackers do. To be sure, establishing the appropriate guidelines for that research will require serious discussions about disclosure, intent, and other ethical considerations. However, the Copyright Office’s triennial review of 1201 exemptions is a poor venue for those discussions.
In the near term, the Copyright Office should grant the petitions for security research exemptions filed by Dr. Green, EFF, and Professors Bellovin, Blaze, Felten, Halderman, and Heninger. In the long term, the Office should evaluate whether the triennial review process can be adjusted to adequately balance the interests of rightsholders against those of the security research community and everyone who depends on its work. If it cannot, we need a better alternative.