DMCA Exemptions will Boost IoT Security Research


In-brief: After a year in limbo, the Librarian of Congress moved last week to allow a number of exceptions to the U.S. Digital Millennium Copyright Act (DMCA) that will clear the way for researchers to explore smart vehicles and other products. 

After a year in limbo, the Librarian of Congress moved last week to allow a number of exceptions to the U.S. Digital Millennium Copyright Act (DMCA) that will clear the way for researchers to delve into the security of connected products, including smart vehicles and other products.

In an announcement on Friday, the Federal Trade Commission (FTC) announced the approval of the exceptions – a year late – in a notice on the Commission website on Friday. The exemptions allow security researchers “who are acting in good faith” to conduct “controlled research” on consumer devices, provided the research doesn’t violate federal laws like the Computer Fraud and Abuse Act (CFAA).

The Digital Millennium Copyright Act, passed in 1998, made it illegal to circumvent copyright protections in digital products. While intended to protect software as well as digital media from piracy, the anti circumvention protection has been broadly applied to limit the ability of product owners to modify or even repair products that run software. And, since the law was written, the number of products that run software has vastly expanded and led to tension – for example: with farmers who wish to be able to diagnose and repair problems with their own farm machinery, or car enthusiasts interested in tweaking, modifying or just understanding the software that runs their vehicle.

However, the DMCA does allow for exemptions to the circumvention restrictions: three-year grace periods in which the Librarian of Congress can allow for certain types of activities that otherwise might qualify as DMCA violations. At the conclusion of the three years, exceptions must be renewed. And just last week, the 2015 list of exemptions was finally approved…a year late.

“The new temporary exemption is a big win for security researchers and for consumers who will benefit from increased security testing of the products they use,” the FTC said in its statement.

Included under the exemption are what the FTC describes as “a broad array of consumer devices such as electric toothbrushes, home thermostats, connected appliances, cars, and smart TVs.” Individuals can conduct research on medical devices “so long as the devices are not connected to humans during research.” The exemption, however, does not apply to “highly sensitive systems such as nuclear power plants and air traffic control systems,” FTC said.

“This is a good step. It’s good that the Copyright Office and the Librarian of Congress agree that security research is a good thing and that Section 1201 is getting in the way,” said Kitt Walsh, a staff attorney at The Electronic Frontier Foundation (EFF), referring to the part of the DMCA that prohibits the circumventing of copyright protections like Digital Rights Management (DRM) technology.

Walsh calls the DMCA law and Section 1201 “fundamentally flawed,” and the EFF and other technology and civil liberties advocates have long decried it as overly broad legislation that has stifled innovation in the name of copyright protection.

The recent exceptions are a case in point. Walsh notes that the exceptions for conducting security research enacted last week were identical to those proposed a year ago, but postponed. The reason, she said, was resistance from the automotive and agribusiness (companies like GM and John Deere), which argued that customers might use access to the underlying vehicle software to circumvent pollution controls. (The Environmental Protection Agency signed on to that idea, as well.)

The compromise decision -a year’s delay in granting the exception for security research on vehicles, shortening the window for allowable research from three years to just two. Walsh notes that the government essentially used a law designed to protect copyright for purposes that had nothing to do with copyright (environmental protection, for example).

The EFF and other civil liberties groups have proposed that Congress create a permanent exception for security of “motorized land vehicles,” essentially carving out a permanent exception for researchers like Chris Valasek and Charlie Miller, who discovered a remotely exploitable hole in Fiat Chrysler vehicles.

EFF is also going a step further: trying to establish that Section 1201 of the DMCA is unconstitutional, violating the First Amendment protection of free expression. “We’re arguing that Section 1201 keeps you from participating in lawful speech,” Walsh said. The lawsuit, Green vs. US Department of Justice is filed on behalf of Matthew Green, a professor, cryptographer and security researcher at Johns Hopkins University. Green is seeking to publish a book that details security research on a variety of devices. Publishing such information, under current law, could violate Section 1201 of the DMCA, Walsh said.

That suit, which was filed in July, is still in its early stages and the EFF is seeking an injunction against further exemptions under Section 1201 until the case is resolved.  In the meantime, Walsh recommends that researchers take advantage of the exception they’ve been granted. Wrangling over its renewal will likely start in just a year’s time!

Comments are closed.