Every three years, the Librarian of Congress puts a whole bunch of researchers through a twisted bureaucratic process.
Image: Anonymous via Giphy
Jay Radcliffe is a security researcher with diabetes. In 2011, he gave a talk at Black Hat, showing how his personal insulin pump could be hacked—with potentially deadly consequences.
As a result of his 2011 presentation, he worked with the Department of Homeland Security and the Food and Drug Administration to address security vulnerabilities in insulin pumps.
"The specific technical details of that research have never been published in order to protect patients using those devices," he wrote in his testimony to the Librarian of Congress and the US Copyright Office.
Every three years, the Librarian of Congress puts a whole bunch of people through a twisted bureaucratic process called DMCA (Digital Millennium Copyright Act) rulemaking. Technically speaking, DMCA rulemaking doesn't make things illegal or legal per se, but many people—like Jay Radcliffe—look to the rulemaking for a green light to do their work.
Radcliffe has studied the law—he has an undergraduate degree in Criminal Justice—and is cautious about being on the right side of it. "Most in the security industry do the research first and hope that they were on the right side of the law and don't get in trouble," he wrote in his testimony. "I wanted to make sure that I was on solid legal ground before starting my research."
Academics in computer science departments across the country do their work while glancing nervously behind them, waiting for lawsuits to drop on them
He even went out of his way to seek legal counsel. "I specifically asked the EFF to help me define what I could, and more importantly could NOT research." But that didn't do much. "This distinction is not clearly defined. There is little-to-no case law to provide guidance on these issues."
There was one thing that could provide clear guidance to Radcliffe: a DMCA 1201 exemption.
The triennial rulemaking process grants exemptions to DMCA section 1201, a provision of the DMCA that says you can't circumvent technological protection measures, such as DRM that prevents the copying of music, if doing so will result in copyright infringement.
Not getting an exemption doesn't necessarily mean that security research is illegal, it just means that academics in computer science departments across the country will be doing their work while glancing nervously behind them, waiting for lawsuits to drop on them.
DMCA section 1201 also casts a shadow over the legality of unlocking cell phones from carriers; of loading 3D printers with materials not approved by the printer manufacturer; and of ripping DRM-protected DVDs in order to archive them at libraries.
The long and the short of it is, this law is a complete shitshow.
In the very first 1201 rulemaking cycle, fifteen years ago, only two exemptions were granted.
For this three-year cycle, the Librarian of Congress granted ten exemptions, including exemptions for security research on medical devices, voting machines, cars, and tractors.
There are also exemptions for ripping video from DRM-protected DVDs for archival purposes and jailbreaking consoles for video game museums. But among the exemptions explicitly not granted: jailbreaking ebook readers and video game consoles for consumers.
These are not huge leaps forward. The security research exemptions in particular come with a one-year embargo so that federal agencies like the Food and Drug Administration, the Department of Transportation, and the Environmental Protection Agency can weigh in. The fiction here, of course, is that these other agencies actually want to be consulted, said Andy Sellars, a lawyer at Harvard Law School's Cyberlaw Clinic. There's no indication that any of these agencies even knew what DMCA rulemaking was until the Copyright Office asked them to chime in.
After all, what does copyright have to do with the FDA's drug approvals, or the EPA's emissions standards? These agencies' rules aren't in any way actually affected by the DMCA exemptions that do or don't get granted.
Whether there's an exemption in place for security research or not, messing around with an insulin pump to kill someone is still illegal. It's just that if there's an exemption, it's not a copyright violation.
In fact, it's not even clear that security research would be illegal without this exemption. People apply for exemptions because they're not sure. A big cloud of legal uncertainty dwells around section 1201. No lawsuit over security research and section 1201 has ever gone to court.
The last thing we need these days is a chilling effect on security research
But the fears of security researchers aren't hypothetical. In 2001, Princeton computer science professor Ed Felten and his colleagues were forced to withdraw a peer-reviewed paper about DRM (in this case, access controls to prevent copying or backing up information on a CD) because the Recording Industry Association of America threatened them with a lawsuit.
Section 1201 has a serious chilling effect on academic research: this field of research not only requires you to lawyer up, but to do ludicrous amounts of work every three years, just to get a measly assurance that what you're doing is definitely not a copyright violation.
When academics are scared off from doing security research, consumers suffer. Section 1201 scared off the exact kind of activity that would have uncovered Volkswagen's emissions fraud faster. The last thing we need these days is a chilling effect on security research.
But what on earth do medical devices, tractors, and voting machines have to do with copyright, anyways? (Spoiler alert: nothing).
This mission creep has not gone unnoticed.
"[The Copyright] Office should not, in its deliberations, heavily weigh unrelated matters such as greenhouse gas emissions or the quality of materials used to build aircraft, and should instead focus primarily on questions relevant to copyright law," said the National Telecommunications and Information Administration (NTIA) in its 92-page letter to the Copyright Office, during the rulemaking process.
"We have long lost the infringement part of the inquiry at that point," Andy Sellars told me.
Security research exemptions were granted during this rulemaking cycle. However, the one-year embargo on the exemptions makes the whole thing almost laughable. A year without the exemption means one year of respite, and then a year of writing requests for the next cycle of exemptions and testifying in hearings before the Copyright Office.
Many of the exemptions that succeeded were championed by public interest organizations like the Electronic Frontier Foundation and Public Knowledge, with supporting work done pro bono by law school clinics across the country. Exemptions that lost were requested by parties that didn't have full-time employees on the issues—for example, the proposed exemptions for jailbreaking video game consoles or ebook readers.
"The triennial rulemaking has evolved into a complex undertaking that is difficult, if not impossible, for individuals or entities to navigate successfully without retaining counsel," wrote Jonathan Band, an attorney and advocate who specializes in intellectual property and the internet, in March 2015.
This cycle, all manner of for-profit corporations and interest groups pitched in to oppose various exemptions. Beyond the regular suspects (like the MPAA), companies like John Deere opposed security research on its tractors, speculating that car hacking would lead to pirated music being played on stereos.
DMCA section 1201 has become a bizarre zero-sum cottage industry. Lawyers are being paid—either by nonprofits or by for-profit corporations—to throw their time and energy into a black hole. The result is, that after a long and arduous fight, video game museums get to preserve video games (over the protestations of the Entertainment Software Association). This is not exactly a huge victory, and at the same time, we must ask ourselves, why was this a victory that needed to be won at all? Why wasn't this just clearly legal in the first place?
Even the government is getting lost in this quagmire. During this cycle, NTIA sent a 92-page letter to the Copyright Office, the Register of Copyrights sent a 403-page recommendation to the Librarian of Congress, and the Librarian of Congress's ruling was 20 pages. The exemptions consisted of 2,367 words for ten exemptions, averaging 236 words per exemption.
In the 2000 rulemaking cycle, there was an average of 17.5 words per exemption.
Where are we going with this? The process is completely unsustainable. DMCA section 1201 is a useless garbage train that's gone completely off the tracks. Copyright law is rarely sensible, but at this point, 1201 has spiraled entirely out of the realm of copyright and into a Kafka-esque hellscape.
Maybe, just maybe, it's time to rethink things.