The U.S. Copyright Office is calling for wide-ranging reforms of an anti-piracy law that critics say restricts the “right to tinker” and puts white-hat cybersecurity researchers in legal jeopardy.
In a little-noticed report published last week, the office questions the “overall operation and effectiveness” of Section 1201 of the Digital Millennium Copyright Act, or DMCA. The section makes it a federal crime to circumvent or get around special “technological protection measures” designed to prevent piracy of digital products. The law was designed to protect movies, recorded music or books from endless duplication and distribution online.
Critics of the section say that — because so many things now include software, and most of it has some form of anti-piracy protection — it’s effectively illegal to repair, tinker with or even look for security flaws in almost any kind of “smart” or connected product, despite an exemption under the law for security testing.
“The current exemption includes a requirement that security researchers obtain prior permission” for any testing they want to do, explained Harley Geiger, director of public policy at cybersecurity company Rapid7, saying it was “incredibly burdensome on good faith researchers.”
“One of the more important changes the Copyright Office recommends is ending that requirement,” he told CyberScoop. “Overall, the changes they want are very beneficial for cybersecurity researchers and will strengthen cybersecurity.”
The DMCA provides for a triennial rule-making process by which the Librarian of Congress, who oversees copyright, can make temporary three-year exemptions to the law. The last such process, in 2015, resulted in exemptions for cybersecurity research on cars, smart TVs and medical devices. Last week’s report was issued as the office is gearing up for the next triennial rulemaking next year. In addition, Congress amended the law in 2014 to allow unlocking of used cellphones.
In total, the report — requested last year by the ranking Democrat on the House Judiciary Committee, John Conyers of Michigan — recommends several sets of changes relevant to cybersecurity researchers:
- Congress should broaden the permanent exemption for security testing, by lifting the requirement for prior authorization and expanding the definition of security research.
- The Librarian of Congress should be given the authority to exempt tools that owners or others covered by any exemptions use to enable lawful circumvention; currently, such tools are outlawed under the anti-trafficking provisions of the DMCA.
- The triennial rulemaking process should be streamlined and clarified and there should be a presumptive renewal of temporary exemptions where there is little opposition.
“The time and cost and effort involved [in the rulemaking exemption process] for interested parties on both sides of the issue and for the Copyright Office itself is very considerable,” said attorney Fred Jennings of the New York firm Tor Ekeland. He represented an open source software nonprofit called the Software Freedom Conservancy in the last round of the process.
Changes that simplified or streamlined the process would lessen that burden and be in line with the original intent of the law, he said. “It was intended to be easy for the public to participate,” he said, adding that right now it was not.
“Not every researcher has the resources or expertise to get involved” in the rulemaking right now, agreed Geiger.
Congressional action will be needed on the recommendations about statutory exemptions, he noted, but added that the report says the office can move forward with some changes to the rulemaking process on its own authority.