Proposed Update to Copyright Rules Eases Barriers to Security Research

A bill to amend the Digital Millennium Copyright Act would make it easier for researchers to expose security vulnerabilities without running afoul of the law.

The librarian of Congress is in charge of granting exemptions to the Digital Millenium Copyright Act.
National Journal
Kaveh Waddell
Add to Briefcase
Kaveh Waddell
April 20, 2015, 4:01 p.m.

Re­search­ers who hack in­to everything from ther­mo­stats to Face­book so they can identi­fy and help patch se­cur­ity holes may get a little as­sist­ance from Con­gress.

Le­gis­la­tion pro­posed last week would change copy­right law to make it easi­er for these se­cur­ity re­search­ers—not ma­li­cious hack­ers—to find and ex­pose soft­ware vul­ner­ab­il­it­ies without get­ting in trouble for it.

The 1998 Di­git­al Mil­len­ni­um Copy­right Act made it il­leg­al to get around tech­no­logy pro­tec­tions—that in­cludes rip­ping DVDs, copy­ing video games, and in some cases, even jail­break­ing your own smart­phone. One pro­vi­sion of the act of­fers ex­emp­tions for cer­tain activ­it­ies. Os­tens­ibly, se­cur­ity re­search is one of those activ­it­ies, but the way the law is set up makes it dif­fi­cult to get ex­emp­tions for re­search, crit­ics say.

“Un­der cur­rent law, the only real way that you can safely con­duct re­search is to make sure that you have the ab­so­lute per­mis­sion of who­ever’s device or net­work or com­puter you’re per­form­ing that re­search on,” said Erik Stall­man, Dir­ect­or of the Open In­ter­net Pro­ject at the Cen­ter for Demo­cracy and Tech­no­logy.

Some­times the own­er of a com­puter or net­work is clear: For ex­ample, you will likely get in trouble for hack­ing Google’s serv­ers without the com­pany’s per­mis­sion. In oth­er cases, own­er­ship is less ob­vi­ous. In most cases, even though you may own a smart­phone or a car, the soft­ware they use is the prop­erty of the man­u­fac­turer. Un­less the Lib­rar­i­an of Con­gress is­sues a spe­cif­ic ex­emp­tion, modi­fy­ing the soft­ware of your own devices can be a vi­ol­a­tion of copy­right law.

A bill in­tro­duced by Demo­crats Sen. Ron Wyden and Rep. Jared Pol­is on Thursday would lift some of the leg­al bar­ri­ers that make com­puter re­search fraught with li­ab­il­ity is­sues and could make se­cur­ity re­search easi­er in two ma­jor ways:

First, it would un­ravel some of the lim­it­a­tions that cre­ate “a lot of un­cer­tainty and po­ten­tially cata­stroph­ic li­ab­il­ity for com­puter se­cur­ity re­search­ers,” Stall­man said. The pro­posed bill re­moves a ref­er­ence to the Com­puter Fraud and Ab­use Act, which acts as an ad­ded lay­er of li­ab­il­ity that threatens com­puter re­search­ers.

And second, the bill lists com­puter re­search as one of the con­sid­er­a­tions the Lib­rar­i­an of Con­gress should take in­to ac­count when de­cid­ing wheth­er or not to make an ex­emp­tion. The up­date would lower the bur­den of proof re­search­ers face when ap­ply­ing for ex­emp­tions, and make it much easi­er to re­new them after their three-year term is up, a change which Sher­win Siy, vice pres­id­ent of leg­al af­fairs at Pub­lic Know­ledge, called a “vast im­prove­ment.”

The bill likely faces an up­hill battle. A more com­pre­hens­ive at­tempt to make changes to the DMCA, spear­headed by Rep. Zoe Lof­gren in 2013, died in the 113th Con­gress. Siy says this bill could do bet­ter be­cause of its nar­row­er scope, but sidestepped mak­ing a more de­tailed pro­gnos­is.

Wyden said he’s bank­ing on the sup­port of on­line act­iv­ists. “When the In­ter­net com­munity has united to fight bad law, there have been re­mark­able suc­cesses,” he said. “I’m count­ing on that same level of sup­port and act­iv­ism here.”

But the bill’s sup­port­ers might face tough res­ist­ance. “Any user-fo­cused copy­right re­form le­gis­la­tion will en­counter well-or­gan­ized op­pos­i­tion,” said Stall­man. “But it’s still worth the ef­fort.”

What We're Following See More »
Trump Directs All-Caps Tweet at Iranian President
15 minutes ago
BBC Documentary Explores Trump's Sexual Past
25 minutes ago

A new short film by the BBC, which premiered in the U.S. this weekend, explores the question of whether President Trump sexually harassed women in the 1980s and 1990s. Witnesses say they saw the president at cocaine-fueled parties harassing women as young as 17.

Trump Backtracks on Putin's "Incredible Offer"
3 days ago
Russians Refer to "Verbal Agreements" with Trump
4 days ago

"Two days after President Trump’s summit with Russian President Vladi­mir Putin, Russian officials offered a string of assertions about what the two leaders had achieved. 'Important verbal agreements' were reached at the Helsinki meeting, Russia’s ambassador to the United States, Anatoly Antonov, told reporters in Moscow Wednesday, including preservation of the New Start and INF agreements," and cooperation in Syria.

Trump Was Shown Proof of Russian Interference Before Inauguration
4 days ago

"Two weeks before his inauguration, Donald J. Trump was shown highly classified intelligence indicating that President Vladimir V. Putin of Russia had personally ordered complex cyberattacks to sway the 2016 American election. The evidence included texts and emails from Russian military officers and information gleaned from a top-secret source close to Mr. Putin, who had described to the C.I.A. how the Kremlin decided to execute its campaign of hacking and disinformation. Mr. Trump sounded grudgingly convinced, according to several people who attended the intelligence briefing. But ever since, Mr. Trump has tried to cloud the very clear findings that he received on Jan. 6, 2017, which his own intelligence leaders have unanimously endorsed."


Welcome to National Journal!

You are currently accessing National Journal from IP access. Please login to access this feature. If you have any questions, please contact your Dedicated Advisor.