Proposed Update to Copyright Rules Eases Barriers to Security Research

A bill to amend the Digital Millennium Copyright Act would make it easier for researchers to expose security vulnerabilities without running afoul of the law.

The librarian of Congress is in charge of granting exemptions to the Digital Millenium Copyright Act.
National Journal
Kaveh Waddell
Add to Briefcase
Kaveh Waddell
April 20, 2015, 4:01 p.m.

Re­search­ers who hack in­to everything from ther­mo­stats to Face­book so they can identi­fy and help patch se­cur­ity holes may get a little as­sist­ance from Con­gress.

Le­gis­la­tion pro­posed last week would change copy­right law to make it easi­er for these se­cur­ity re­search­ers—not ma­li­cious hack­ers—to find and ex­pose soft­ware vul­ner­ab­il­it­ies without get­ting in trouble for it.

The 1998 Di­git­al Mil­len­ni­um Copy­right Act made it il­leg­al to get around tech­no­logy pro­tec­tions—that in­cludes rip­ping DVDs, copy­ing video games, and in some cases, even jail­break­ing your own smart­phone. One pro­vi­sion of the act of­fers ex­emp­tions for cer­tain activ­it­ies. Os­tens­ibly, se­cur­ity re­search is one of those activ­it­ies, but the way the law is set up makes it dif­fi­cult to get ex­emp­tions for re­search, crit­ics say.

“Un­der cur­rent law, the only real way that you can safely con­duct re­search is to make sure that you have the ab­so­lute per­mis­sion of who­ever’s device or net­work or com­puter you’re per­form­ing that re­search on,” said Erik Stall­man, Dir­ect­or of the Open In­ter­net Pro­ject at the Cen­ter for Demo­cracy and Tech­no­logy.

Some­times the own­er of a com­puter or net­work is clear: For ex­ample, you will likely get in trouble for hack­ing Google’s serv­ers without the com­pany’s per­mis­sion. In oth­er cases, own­er­ship is less ob­vi­ous. In most cases, even though you may own a smart­phone or a car, the soft­ware they use is the prop­erty of the man­u­fac­turer. Un­less the Lib­rar­i­an of Con­gress is­sues a spe­cif­ic ex­emp­tion, modi­fy­ing the soft­ware of your own devices can be a vi­ol­a­tion of copy­right law.

A bill in­tro­duced by Demo­crats Sen. Ron Wyden and Rep. Jared Pol­is on Thursday would lift some of the leg­al bar­ri­ers that make com­puter re­search fraught with li­ab­il­ity is­sues and could make se­cur­ity re­search easi­er in two ma­jor ways:

First, it would un­ravel some of the lim­it­a­tions that cre­ate “a lot of un­cer­tainty and po­ten­tially cata­stroph­ic li­ab­il­ity for com­puter se­cur­ity re­search­ers,” Stall­man said. The pro­posed bill re­moves a ref­er­ence to the Com­puter Fraud and Ab­use Act, which acts as an ad­ded lay­er of li­ab­il­ity that threatens com­puter re­search­ers.

And second, the bill lists com­puter re­search as one of the con­sid­er­a­tions the Lib­rar­i­an of Con­gress should take in­to ac­count when de­cid­ing wheth­er or not to make an ex­emp­tion. The up­date would lower the bur­den of proof re­search­ers face when ap­ply­ing for ex­emp­tions, and make it much easi­er to re­new them after their three-year term is up, a change which Sher­win Siy, vice pres­id­ent of leg­al af­fairs at Pub­lic Know­ledge, called a “vast im­prove­ment.”

The bill likely faces an up­hill battle. A more com­pre­hens­ive at­tempt to make changes to the DMCA, spear­headed by Rep. Zoe Lof­gren in 2013, died in the 113th Con­gress. Siy says this bill could do bet­ter be­cause of its nar­row­er scope, but sidestepped mak­ing a more de­tailed pro­gnos­is.

Wyden said he’s bank­ing on the sup­port of on­line act­iv­ists. “When the In­ter­net com­munity has united to fight bad law, there have been re­mark­able suc­cesses,” he said. “I’m count­ing on that same level of sup­port and act­iv­ism here.”

But the bill’s sup­port­ers might face tough res­ist­ance. “Any user-fo­cused copy­right re­form le­gis­la­tion will en­counter well-or­gan­ized op­pos­i­tion,” said Stall­man. “But it’s still worth the ef­fort.”

What We're Following See More »
Manchin Will Vote To Confirm Pompeo
3 hours ago
Bolton Chaired Anti-Muslim Think Tank
5 hours ago

Until last month, National Security Advisor John Bolton chaired the New York-based nonprofit Gatestone Institute, which promoted "misleading and false anti-Muslim news." The group published articles warning of a looming “jihadist takeover” of Europe leading to a “Great White Death," alleged that “no-go zones” existing in Europe due to violence from Muslim migrants, and published one story called: “Rape Capital of the West," which focused on Somali migrants in Sweden. The research, which was occasionally amplified by Russian media outlets and Twitter bots, also criticized mainstream European leaders for failing to confront the so-called crisis.

Armenian Prime Minister Resigns
5 hours ago

"Armenian Prime Minister Serzh Sargsyan has resigned following days of large-scale street protests against him." Sargsyan had previously served 10 years as President, and protestors accused him of clinging to power. "In 2015, Armenians voted in a referendum to shift the country from a presidential to a parliamentary system, stripping powers from the president and giving them to the prime minister." Sargsyan's government has also been criticized for failing to ease tensions with Azerbaijan and Turkey, and "for its close ties to Russia, whose leader Vladimir Putin also moved between the positions of president and prime minister to maintain his grip on power."

French President Macron Visits White House
6 hours ago

President Trump "welcomes French President Emmanuel Macron the White House" today to begin a three-day state visit "expected to be dominated by U.S.-European differences on the Iran nuclear deal and souring trade relations." Trump has vowed to scrap the Iran nuclear deal "unless European allies strengthen it by mid-May." After meetings on Monday and Tuesday, Macron will address Congress on Wednesday, "the anniversary of the day that French General Charles de Gaulle addressed a Joint Session of Congress in 1960."

Tennessee Waffle House Shooter Had Firearm Card Revoked
6 hours ago

"A sheriff in Illinois says Travis Reinking," the suspect in a mass shooting that killed four people in a Tennessee Waffle House on Sunday, had his state firearms card revoked last year by state police, but that "his guns were given to his father with the promise that they wouldn’t be shared with his son ... Huston says Reinking’s father has a valid firearm ownership card, and his officers didn’t believe they had any authority to seize the weapons." Police are still searching for the 29-year-old suspect.


Welcome to National Journal!

You are currently accessing National Journal from IP access. Please login to access this feature. If you have any questions, please contact your Dedicated Advisor.