US DMCA rules updated to give security experts legal backing to research


The US government has updated and published a new list of exemptions to the Digital Millennium Copyright Act (DMCA), a move that is perhaps long overdue and that will protect cybersecurity professionals from prosecution when they reverse-engineer products for research purposes.

On Friday, the US Copyright Office and the Librarian of Congress published the updated rules on the federal register.

The DMCA regulations now include exceptions relating to security research and vehicle repair relevant to today’s cybersecurity field. For the next two years, researchers can circumvent digital access controls, reverse engineer, access, copy and manipulate digital content which is protected by copyright without fear of prosecution — within reason.

The exceptions to Section 1201 of the DMCA were born from two years of prompting by the Electronic Frontier Foundation (EFF) and other public interest groups.

While the DMCA makes it illegal to circumvent controls that prevent access to copyrighted material, researchers are now able to find vulnerabilities and bugs by reverse engineering or circumventing controls in the spirit of what the US Federal Trade Commission (FTC) calls “good faith” research.

The FTC defines research conducted in “good faith” as:

“Accessing a computer program solely for purposes of good-faith testing, investigation and/or correction of a security flaw or vulnerability, where such activity is carried out in a controlled environment designed to avoid any harm to individuals or the public, and where the information derived from the activity is used primarily to promote the security or safety of the class of devices or machines on which the computer program operates, or those who use such devices or machines, and is not used or maintained in a manner that facilitates copyright infringement.”

The list of exemptions includes:

  • Computer programs operating on legal devices and software reverse engineered for cybersecurity research
  • Consumer devices, such as smartphones, tablets and voting machines for research purposes
  • Vehicle testing
  • Medical device exploration by patients to access data
  • Video games, libraries and video streaming for educational purposes

According to Tech Policy Fellow Aaron Alva at the FTC, the changes do not, however, give security researchers a free pass to run riot. They must still abide by the US Computer Fraud and Abuse Act (CFAA) and, to qualify as good-faith research, tinkering must “be conducted in a controlled setting designed to avoid harm to individuals or the public.”

In other words, you can test a connected toaster or your own security system, but the DMCA will not protect you if you break into your neighbor’s Wi-Fi or networks (not to mention the other rules and regulations that would be broken by doing so).

According to EFF attorney Kit Walsh, the changes are “long overdue” and while the office “unlawfully and pointlessly delayed their implementation,” the revisions will promote security, innovation and competition, as well as give the next generation of engineers the chance to refine their skills “by taking their devices apart to see how they work.”

“Tinkerers and researchers need to access the copyrighted software in their devices, and there was no credible argument that they would infringe any copyright,” Walsh said. “The one-year delay, then, was not only a violation of law, not only pointless, but actively counterproductive, just as we (and thousands of you) told the Copyright Office and the Librarian.”

The EFF finds the delay, which has likely hampered researchers in exploring software and products across both the enterprise and consumer realms in the quest for vulnerabilities and security flaws to fix, insufferable — and would simply like to see DMCA 1201 removed entirely.

The non-profit says the rulemaking process “create[s] unconstitutional restraints on speech” but while it exists, the EFF hopes the government body does not use the DMCA “as an all-purpose, discretionary tool to restrict non-infringing conduct and speech.”
