Last updated at Tue, 25 Apr 2023 20:47:26 GMT

Today the Library of Congress officially publishes its rule-making for the latest round of exemption requests for the Digital Millennium Copyright Act (DMCA).  The advance notice of its findings revealed some good news for security researchers as the rule-making includes a new exemption to the DMCA for security research:

“(i) Computer programs, where the circumvention is undertaken on a lawfully acquired device or machine on which the computer program operates solely for the purpose of good-faith security research and does not violate any applicable law, including without limitation the Computer Fraud and Abuse Act of 1986, as amended and codified in title 18, United States Code; and provided, however, that, except as to voting machines, such circumvention is initiated no earlier than 12 months after the effective date of this regulation, and the device or machine is one of the following:

(A) A device or machine primarily designed for use by individual consumers (including voting machines);

(B) A motorized land vehicle; or

(C) A medical device designed for whole or partial implantation in patients or a corresponding personal monitoring system, that is not and will not be used by patients or for patient care.

(ii) For purposes of this exemption, “good-faith security research” means accessing a computer program solely for purposes of good-faith testing, investigation and/or correction of a security flaw or vulnerability, where such activity is carried out in a controlled environment designed to avoid any harm to individuals or the public, and where the information derived from the activity is used primarily to promote the security or safety of the class of devices or machines on which the computer program operates, or those who use such devices or machines, and is not used or maintained in a manner that facilitates copyright infringement.”

Basically this means that good-faith security research on consumer-centric devices, motor vehicles and implantable medical devices is no longer considered a violation of the DMCA (with caveats detailed below). It's a significant step forward for security research, reflecting a positive shift in the importance placed on research as a means of protecting consumers from harm.

A brief history of the DMCA

The DMCA was passed in 1998 and criminalizes efforts to circumvent technical controls that are designed to stop copyright infringement. It also criminalizes the production and dissemination of technologies created for the purpose of circumventing these technical controls. That's an incredibly simplified explanation of what the law does, and this is a good time for me to remind you that I'm not a lawyer.

The statute includes a number of exceptions that relate to security research – one for reverse engineering (section 1201(f)), encryption research (section 1201(g)), and security testing (section 1201(j)); however, these are very limited in what they allow. Acknowledging that technology moves fast, the statute also includes provisions for a new rule-making every three years, during which requests for new and additional exemptions can be made. These are reviewed through a lengthy process that includes opportunities for support and opposition to the exemptions to be lodged with the Library of Congress. After reviewing these arguments, the Copyright Office makes a recommendation to the Library of Congress, which then issues a rule-making that either approves or rejects the submitted exemptions. Exemptions that are approved automatically expire at the end of the three-year window (as opposed to the exceptions, which are permanent unless changed via legislative reform through Congress).

Today's rule-making is the product of the latest round of exemption requests. A number of submissions relating to research were filed – a couple for a broad security research exemption, one for medical devices, one for cars, and even something for tractors. The Library of Congress effectively rolled these into one exemption, which is why it covers consumer-centric devices, automobiles, and implantable medical devices.

What does the new exemption mean for security research?

Well firstly, it's an important acknowledgement of two things: 1) that research is critical for consumer protection, and 2) that laws like the DMCA can negatively impact research.

This is significant not only in what it allows within the context of the DMCA, but also that it sets a precedent and presents an opportunity for a broader discussion on these two points in the Government arena.

In terms of what is specifically allowed now, users are able to circumvent technical protections to conduct research on consumer-centric devices, automobiles, and implantable medical devices (that are not or will not be used for patient care).

This is not carte blanche though, and it's important to understand that. There are a number of limits and questions raised by the language of the exemption:

  • You are allowed to circumvent technical controls to conduct research, but you are NOT allowed to make, sell, or otherwise disseminate tools for circumventing these controls. So you can only conduct research to the extent that it doesn't require such tools.
  • The exemption won't come into effect for a year. This is so other relevant agencies can update their policies. In his article on Boing Boing, Cory Doctorow points out that “the power to impose waiting times on exemptions at these hearings is not anywhere in the statute, is without precedent, and has no basis in law.” (Interestingly, the Library of Congress is excluding research on voting machines from the year delay.)

It remains to be seen what the agencies referenced (Department of Transportation, Environmental Protection Agency, and the Food and Drug Administration) will do and how that will impact the way this exemption can be applied. It's probably fair to say the exemption's dissenters will be actively lobbying them to find a way to limit the impact of the exemption. It falls to those of us in the security research community to try to engage these agencies to ensure they understand why research is important, and to try to address any concerns they may have.

  • The research must apply to consumer-centric devices (or cars, or implantable medical devices). What does that mean and where do you draw the line? For example, we regularly hear of research findings in SOHO routers or printers. These are devices designed for use in both home and work environments. Do they count as “primarily designed for use by individual consumers?” I really hope these kinds of devices are included in this classification as they do represent a great deal of consumer risk. It's also somewhat strange to me that we're not granting business users the same protections we're giving individual consumer users.
  • The exemption does NOT allow for research on devices relating to critical infrastructure or nuclear power. It's understandable that these areas raise considerable concern, but at the same time, do we really want flaws in these systems to be left unmitigated? Doesn't that create more opportunities for bad actors to attack high value targets, potentially with very serious repercussions?
  • For medical devices, the research cannot be conducted on devices that are being, or will be, used for patient care. That seems pretty reasonable to me.

Also, it's important to remember that, as noted above, the rule-making resets every three years, so this exemption will be in effect for a maximum of two years before we have to reapply and go through the entire process again (because of the year delay the Library of Congress has imposed on the exemption).

But it IS a positive step?

Yes, despite these qualifiers and limitations, I believe it is a positive step. This is not just because in and of itself it enables more research to be conducted without concern of legal action, but also because it may indicate a bigger shift.

Just last week, I wrote a blog about a proposed legislative amendment that was significantly rewritten in response to feedback from the security research community. The TL;DR of that post is that it seems like a hugely positive step that the amendment's authors were prepared to engage and listen to the research community, and were concerned about avoiding negative consequences that would chill security research.

Couple that with this exemption being approved, and I continue to have hope that we're starting to see a shift in the way the Government sector understands and values security research. I'm also seeing a shift in the way the research community engages the Government, and how we're participating in discussions that will shape our industry.

It's not a silver bullet; given the complexity of the challenges we're addressing, we're not going to solve concerns around the right to research overnight. It's going to be a long path, but every step counts. And today I think we may have taken “one giant leap” for research-kind.

~ @infosecjen