Extensions to DMCA exemptions allow security researchers to continue doing their job

Why it matters: Security researchers will be allowed to continue telling us about vulnerabilities in consumer software thanks to the Copyright Office extending existing exemptions to Section 1201 of the DMCA. The Office also strengthened the allowances for those in the security field to study industrial and enterprise applications as well as fixed systems that lie outside of the lab.

If you were ever to say that the Digital Millennium Copyright Act (DMCA) is a poorly-worded, intentionally vague law ripe with the potential for abuse, it is not likely that you would find many who would argue with you aside from maybe large record companies and the like. In fact, anyone who tried to make a rebuttal could be shot down merely by pointing to the Section 1201 triennial review process. If the law were correctly written, it would not need reviews every three years to add or extend exemptions to it.

The Section 1201 review just concluded on Friday and security researchers are breathing a collective sigh of relief --- again. Exemptions to the DMCA pertaining to the analysis of software in search of security vulnerabilities have been extended for another three years and expanded slightly.

Specifically, the exemptions protect whitehat hackers from being prosecuted for uncovering flaws in copyrighted materials. Such research is so important that it is unbelievable that the security industry even has to go beg the Copyright Office for these exemptions every three years.

"It's important for many security researchers to have some certainty before they begin a project --- or release results --- that someone isn't going to be able to use Section 1201 to stop them from releasing the results of their work," Blake Reid, Associate Clinical Professor at Colorado Law, told Motherboard. "Section 1201 also has criminal provisions, and no researcher wants to end up in jail for discovering a vulnerability."

The Copyright Office agrees that researchers perform an essential job and should not be at risk of jail time for informing the public of security risks found in software and device firmware.

"[Researchers] provided an example of a recent computer security conference in which thousands of participants relied on the existing exemption to examine and test electronic voting devices---the results of which were reported to election officials to improve the security of their voting systems," said the Copyright Office.

One change to the exemption this time around is the removal of a device limitation. Previously researchers were only allowed to analyze software on consumer products. Therefore things like the cryptographic hardware used in banking applications, networking equipment, and industrial controls systems were off-limits.

Another modification was the removal of the "controlled environment limitation." This caveat previously restricted researchers to studying software only within a formal laboratory. This made it virtually impossible to look at the firmware of fixed systems such as internet-enabled HVAC systems.

Activists and researchers are glad the exemptions have been extended and expanded, but still feel that greater DMCA reform is needed.

"The exemptions process allows the US Government to take a small but important step to rebalance the scales towards the timely disclosure of security defects. It's not enough," said DMCA activist Cory Doctorow. "The DMCA should be clarified so that there is never any question that telling people the truth about defective products is not a copyright violation. Anything less is short of the mark. But this is the little step the Copyright Office can take, and I'm grateful they took it."