Feds Expand Security Researchers' Ability to Hack Without Going to Jail
"No researcher wants to end up in jail for discovering a vulnerability."
Friday, the Librarian of Congress and US Copyright Office renewed several key exemptions (and added a few new ones) to the Digital Millennium Copyright Act. This go round, they’ve extended some essential exemptions ensuring that computer security researchers won’t be treated like nefarious criminals for their contributions to society.
We’ve long noted how security researchers are frequently treated like criminals by companies that don’t appreciate having security flaws and vulnerabilities in their products exposed or discussed. That’s often not helped by the vague language of the DMCA, which critics argue has been an overreaching mess with near-endless potential for collateral damage.
As part of an effort to keep the DMCA timely, Congress included a so-called “safety valve” dubbed the Section 1201 triennial review process that, every three years, mandates that activists and concerned citizens beg the Copyright Office and the Librarian of Congress to craft explicit exemptions from the law to ensure routine behavior won’t be criminalized.
As we’ve already noted, this year’s list of exemptions goes a long way toward ensuring that those who hack DRM to repair their own devices won’t be treated like criminals, while other exemptions will help in the archival and preservation of classic video games.
But in its latest ruling, the Copyright Office also granted extensions to arguably essential exemptions governing computer security research.
Researchers “provided an example of a recent computer security conference in which thousands of participants relied on the existing exemption to examine and test electronic voting devices—the results of which were reported to election officials to improve the security of their voting systems,” the Copyright Office stated.
Blake Reid, Associate Clinical Professor at Colorado Law, told Motherboard the extension was immensely important for the ability of researchers to do their work without fear of legal harassment by clarifying some key portions of the DMCA.
“It’s important for many security researchers to have some certainty before they begin a project—or release results—that someone isn’t going to be able to use Section 1201 to stop them from releasing the results of their work,” Reid said. “Section 1201 also has criminal provisions, and no researcher wants to end up in jail for discovering a vulnerability.”
The exemptions still have some caveats.
Specifically, the Copyright Office ruling only applies to “use exemptions,” not “tools exemptions”—meaning security researchers still can’t release things like pen-testing tools that bypass DRM, or even publish technical papers exploring how to bypass bootloaders or other Trusted Platform Modules to test the security of the systems behind them.
But other modest changes to the rules were incredibly helpful, notes Reid.
Specifically, the new exemption removes a “device limitation” from previous exemptions that potentially limited researchers to investigating software only on “consumer” devices, hindering their ability to investigate security vulnerabilities in things like the cryptographic hardware used in banking applications, networking equipment, and industrial control systems.
The new exemption also modified the “controlled environment limitation” from the previous exemption, which was often read to imply that researchers had to conduct their work in a formal laboratory, potentially hindering research into integrated building systems such as internet-connected HVAC systems.
Fortunately the Copyright Office has, in recent years, been more willing to at least acknowledge the way in which the DMCA routinely stifles research. It has also been willing to streamline the process for petitioners, who used to be forced to make entirely new arguments each and every time they requested exemptions.
Still, the entire Section 1201 triennial review process remains, at its heart, a largely bureaucratic, ridiculous and cumbersome affair that’s no replacement for better laws or meaningful DMCA reform.
"The exemptions process allows the US Government to take a small but important step to rebalance the scales towards the timely disclosure of security defects. It's not enough,” activist and author Cory Doctorow told Motherboard.
“The DMCA should be clarified so that there is never any question that telling people the truth about defective products is not a copyright violation,” he added. “Anything less is short of the mark. But this is the little step the Copyright Office can take, and I’m grateful they took it.”