In this episode of The Security Ledger podcast (#95): has the Digital Millennium Copyright Act taken us over a bridge too far? We talk with two experts about the case of Eric Lundgren, a celebrated e-waste recycler who has been sentenced to 15 months in prison and fined $50,000 for DMCA violations. Also: we speak with one of the Ivy League students who designed IoT Inspector, software that can analyze your home network for vulnerable devices.
Is Eric Lundgren’s Case the Bridge Too Far for the DMCA?
When celebrated electronics recycler Eric Lundgren was sentenced to 15 months in prison and fined $50,000 last month for distributing Microsoft Windows “restore disks” to extend the lives of recycled computers, the most common reaction in the mainstream media was “how could this happen?”
“All too easily,” has been the answer of digital rights and legal activists. Indeed, the ruling by the U.S. Court of Appeals for the 11th Circuit was just the latest skirmish in a decades-long battle over the extent and intent of the 1998 Digital Millennium Copyright Act. Those nearly two decades have seen a steady erosion of consumer rights and a tendency towards harsher and more punitive enforcement of copyright laws.
A landmark piece of legislation, the DMCA was written to protect movies, video games and other intellectual property from piracy by criminalizing the production and dissemination of technology, devices, or services intended to circumvent measures that control access to copyrighted works. It also criminalized the act of circumventing any access control used to secure copyrighted material – the (in)famous Section 1201 – requiring petitioners to ask the government for waivers to conduct security or academic research or explore fair use of electronic devices.
But, as Lundgren’s case shows nearly 20 years after the DMCA was signed into law, it is not only being used to secure copyrighted material from piracy but also to proscribe use of products in ways that benefit the manufacturers’ bottom lines. Increasingly, copyright protection tools – so-called “digital rights management” – are being used to lock out third-party service providers, repair technicians and even the devices’ rightful owners from simple acts like replacing broken parts or installing software or hardware of their choosing.
In that light, Lundgren’s case marks just the latest battle on the DMCA’s ever-expanding front. But could it also mark a turning point? In the first segment of our podcast, we invited two experts into the studio to discuss the U.S. Government’s case against Mr. Lundgren and where things go from here:
Jennifer Granick (@Granick) is a surveillance and cybersecurity counsel with the ACLU’s Speech, Privacy and Technology Project and the author of the book American Spies: Modern Surveillance, Why You Should Care, and What To Do About It. And Kyle Wiens (@kwiens) is the founder of iFixit.com, the free repair manual, and an outspoken advocate of the right to repair.
In our interview, we talk about Lundgren and his passion for electronic waste reuse and recycling, the long and complicated partnership between Microsoft and the US Department of Justice in pursuing DMCA violations, and how it is that distributing software images that Microsoft gives away for free amounted to $700,000 in damages for the Redmond, Washington company.
“You have a case with zero economic damages for Dell and zero economic damages for Microsoft and yet you have someone going to jail for 15 months,” said Granick.
Weird Science: the (Young) Minds behind the IoT Inspector
In our second segment: if you’re listening to this podcast then you’re probably well aware that The Internet of Things is a morass of poorly coded, poorly architected and loosely deployed devices that pose all manner of security risks to individuals, families and companies.
But how do you know whether the devices attached to your home network are secure, or among the population of insecure and vulnerable devices? That was a question that researchers at Princeton, NYU, UC Berkeley and other universities tackled recently. Their solution: IoT Inspector, a software-based tool that can analyze the traffic on a network, identify connected “things” and analyze them for security weaknesses.
In our second segment, we invited Noah Apthorpe, a Ph.D. student at the Computer Science Dept. at Princeton University and one of the creators of IoT Inspector, to come in and talk about his group’s work and research on more than 50 different devices. Security problems were rampant, Apthorpe said, but varied by the type of device. Among the biggest problems: loose connections to third-party providers that could leak sensitive data or become avenues for attack and compromise.
“The simplest devices like say a lightbulb seem to have relationships with third parties that are functional,” said Apthorpe. “They have a third party crash reporting service or use a remote command and control,” he said. But the more complicated the device, the more complex the web of third-party connections. Look at devices like smart appliances and TVs, he said, and “there might be advertisers or entities where we’re not sure how they’re using the data or what data they’re collecting.”
Check out our full conversation in this week’s podcast, above!