Researchers who hack into everything from thermostats to Facebook so they can identify and help patch security holes may get a little assistance from Congress.
Legislation proposed last week would change copyright law to make it easier for these security researchers—not malicious hackers—to find and expose software vulnerabilities without getting in trouble for it.
The 1998 Digital Millennium Copyright Act made it illegal to get around technology protections—that includes ripping DVDs, copying video games, and in some cases, even jailbreaking your own smartphone. One provision of the act offers exemptions for certain activities. Ostensibly, security research is one of those activities, but the way the law is set up makes it difficult to get exemptions for research, critics say.
“Under current law, the only real way that you can safely conduct research is to make sure that you have the absolute permission of whoever’s device or network or computer you’re performing that research on,” said Erik Stallman, Director of the Open Internet Project at the Center for Democracy and Technology.
Sometimes the owner of a computer or network is clear: For example, you will likely get in trouble for hacking Google’s servers without the company’s permission. In other cases, ownership is less obvious. In most cases, even though you may own a smartphone or a car, the software they use is the property of the manufacturer. Unless the Librarian of Congress issues a specific exemption, modifying the software of your own devices can be a violation of copyright law.
A bill introduced by Democrats Sen. Ron Wyden and Rep. Jared Polis on Thursday would lift some of the legal barriers that make computer research fraught with liability issues and could make security research easier in two major ways:
First, it would unravel some of the limitations that create “a lot of uncertainty and potentially catastrophic liability for computer security researchers,” Stallman said. The proposed bill removes a reference to the Computer Fraud and Abuse Act, which acts as an added layer of liability that threatens computer researchers.
And second, the bill lists computer research as one of the considerations the Librarian of Congress should take into account when deciding whether or not to make an exemption. The update would lower the burden of proof researchers face when applying for exemptions, and make it much easier to renew them after their three-year term is up, a change which Sherwin Siy, vice president of legal affairs at Public Knowledge, called a “vast improvement.”
The bill likely faces an uphill battle. A more comprehensive attempt to make changes to the DMCA, spearheaded by Rep. Zoe Lofgren in 2013, died in the 113th Congress. Siy says this bill could do better because of its narrower scope, but sidestepped making a more detailed prognosis.
Wyden said he’s banking on the support of online activists. “When the Internet community has united to fight bad law, there have been remarkable successes,” he said. “I’m counting on that same level of support and activism here.”
But the bill’s supporters might face tough resistance. “Any user-focused copyright reform legislation will encounter well-organized opposition,” said Stallman. “But it’s still worth the effort.”