Section 1201 Security Research Exemption

On October 26, 2018, based upon the recommendation of the Acting Register of Copyrights, the Librarian of Congress adopted exemptions to Section 1201 of the Digital Millennium Copyright Act (DMCA), which prohibits circumvention of technological measures that control access to copyrighted works. On behalf of its clients Ed Felten and Alex Halderman, and working together with the Center for Democracy and Technology, the TLPC helped secure a set of important changes to a pre-existing exemption for good-faith security research, expanding the ability for security researchers to legally test device and system software for cybersecurity vulnerabilities without violating the DMCA and risking criminal liability.

Important caveat: this post is intended only as general information and does not constitute legal advice. If readers wish to utilize the new exemptions granted by the Librarian, they should consult independent legal counsel before doing so.

Last Week in Tech Policy #65: Fake News, Real Concerns

(by John Schoppert, Colorado Law 3L)

On Friday, February 16th, Special Counsel Robert Mueller announced the indictment of 13 Russian nationals on charges of conspiracy to defraud the United States. The announcement serves as the latest development in Mueller’s investigation into potential collusion between the Kremlin and the Trump campaign during the 2016 presidential election. More concretely, it provides further evidence that Russian operatives played a critical role in disrupting the 2016 election atop near-unanimous consensus among American intelligence agencies.

The indictments track the work of a so-called “troll factory” located in St. Petersburg, which designed and deployed divisive content over social media platforms to encourage collaboration within extreme groups online. More specifically, Russian operatives stole the identities of American citizens, posed as political activists, created posts affiliated with extreme ideologies and paid individuals to locally organize protests and rallies. While many debate whether the Russians pushed for any one candidate over the other—as opposed to creating chaos more generally—based on internal documents, it appears that disruptive efforts were aimed at supporting the campaigns of Donald Trump and Bernie Sanders, and undermining that of Hillary Clinton.

Last Week in Tech Policy #63: War Games: Nuclear Deterrence Against Cyberattacks

(by Alex Kimata, Colorado Law 3L)

Could a massive cyber attack start a nuclear war? Early in February, after weeks of rumors, the Department of Defense released the 2018 Nuclear Posture Review and alluded to the idea that for the first time cyberattacks could be met with nuclear deterrence.

TLPC Files Three DMCA Comments for Disability Services, Multimedia E-Books, and Security Research

Today, TLPC student attorneys filed three long form comments with the Copyright Office as part of the seventh triennial Section 1201 proceeding. Under Section 1201 of the DMCA, parties may petition the Copyright Office every three years to create or update exemptions when the DMCA adversely affects noninfringing activities.

Sophia Galleher filed a comment to enable better access to films and other copyrighted works for people with disabilities. Susan Miller and Angel Antkers, along with colleagues at the UC Irvine Intellectual Property, Art, and Technology (IPAT) Clinic, filed a comment to enable artistic expressions like fan fiction by expanding the allowed uses of multimedia e-books. Elizabeth Field and Justin Manusov filed a comment to better protect good faith security researchers.

Last Week in Tech Policy #57: Medjacking

(by Justin Manusov, Colorado Law 3L)

Hacking. Tapping. Cracking. Medjacking.

In the episode “Broken Hearts” of the TV show Homeland, a CIA informant is forced to retrieve a serial number that corresponds to the American Vice President’s pacemaker. A terrorist gains access to the VP’s pacemaker, accelerates his heartbeat and induces a heart attack.

Former Vice President Dick Cheney revealed that when he had a device implanted to regulate his heartbeat in 2007, he had his doctors disable its wireless capabilities to prevent a possible assassination attempt.

The health IT community is beginning to take medjacking seriously.

Last Week in Tech Policy #56: LEDs Talk About Lights!

(By Sophia Galleher, Colorado Law 2L)

Some people enter Newark Airport and look up. The lights, like many LEDs, seem almost too crisp—too bright. But most travelers, perhaps worried about missing a connection or losing a wayward child in the terminal, rush through the airport without raising a brow; the LED lights, twinkling down from their chic, architectural fixtures, don’t really beg much thought. They seem innocuous enough.

But just know, the next time you walk through Newark Airport, that those lights are watching you.

Last Week in Tech Policy #54: Challenges of Apprehending and Combating Cybercriminals

(by Jordan Demo, Colorado Law 2L)

The recent Equifax breach affecting approximately 143 million people has left many to call for justice—but justice for whom? After-the-fact investigations have tended to focus on whether the targeted entities took sufficient or reasonable measures to protect their systems. But what is the process for bringing attackers to justice? How are attackers who take the personal information of companies and individuals held accountable? What can be done to help deter this kind of behavior?

Last Week in Tech Policy #53: Equifax and Data Breach in the Modern Era

(by Susan Miller, Colorado Law 2L)

A cyberattack on Equifax, a consumer credit reporting agency, was announced last week. The breach was especially problematic for a variety of reasons:

  1. Equifax’s job is to gather and maintain sensitive personal information. Yet it learned of the breach in July but failed to inform the public of the breach until September, taking more than two months to give consumers notice of the breach.
  2. The breach put the personal information of 143 million Americans, nearly one-third of the entire population, at risk. This personal information includes names, social security numbers, birth dates, addresses, driver’s license numbers, and in some cases, credit card numbers.
  3. Three Equifax executives sold their stock only days after the company learned of the attack and before the public was notified.

Equifax is offering free credit monitoring and, thanks to angry consumers, waived fees for setting up credit freezes through Equifax.

Last Week in Tech Policy #48: Playpen and Government Hacking

(by Sergey Frolov, University of Colorado Computer Science Ph.D. candidate)

In the U.S., it is illegal to produce, distribute, and possess child pornography. Playpen is a now-defunct child pornography website. The FBI managed to trace the site’s operators, then obtained a warrant and seized the web server on which the site ran.

However, instead of shutting the server down immediately, the FBI continued to operate Playpen for an additional 13 days. During that time, according to the Electronic Frontier Foundation, the FBI sent malware to visitors to the site in order to identify and prosecute them for possession of child pornography.

Last Week in Tech Policy #47: W3C and EME—Is DRM Being Inserted in Your Web Browser?

(By Lucas Ewing, Colorado Law 2L)

The World Wide Web Consortium (W3C) is an international organization whose goal is to set standards for the World Wide Web. Due to W3C’s highly technical subject matter, internal discussions rarely broach the public discourse, but recently, open internet advocates and some W3C members have expressed concern over plans to endorse Encrypted Media Extensions (EMEs).
