On October 26, 2018, based upon the recommendation of the Acting Register of Copyrights, the Librarian of Congress adopted exemptions to Section 1201 of the Digital Millennium Copyright Act (DMCA), which prohibits circumvention of technological measures that control access to copyrighted works. On behalf of its clients Ed Felten and Alex Halderman, and working together with the Center for Democracy and Technology, the TLPC helped secure a set of important changes to a pre-existing exemption for good-faith security research, expanding the ability for security researchers to legally test device and system software for cybersecurity vulnerabilities without violating the DMCA and risking criminal liability.
Important caveat: this post is intended only as general information and does not constitute legal advice. If readers wish to utilize the new exemptions granted by the Librarian, they should consult independent legal counsel before doing so.
To test device and system software for cybersecurity vulnerabilities, security researchers often must circumvent (or attempt to circumvent) technological protection measures (TPMs) that prevent unauthorized access to copyrighted software. Without an exemption, circumvention of TPMs is prohibited under Section 1201 in many jurisdictions.
In 2015, the Librarian of Congress exempted from Section 1201 the circumvention of TPMs for good-faith security research. However, a number of caveats tightly limited the scope of this exemption. With substantial limitations on the exemption, security researchers could still risk liability under Section 1201 when they circumvented TPMs for non-approved devices or when using certain methods. In particular, the 2015 exemption applied only to research:
- Performed on devices “primarily designed for individual use by consumers, to motorized land vehicles, and to certain categories of medical implant devices”;
- Performed in “controlled environments designed to avoid any harm to individuals or to the public”;
- That did not otherwise violate “any applicable law, including without limitation the Computer Fraud and Abuse Act of 1986.”
On behalf of our clients, we argued that these limitations to the 2015 security research exemption hindered researchers from engaging in good-faith, fair-use investigations into the security of device and system software. For instance, we argued that the exemption’s “Device Limitation,” by strictly constraining the exemption to consumer devices, prevented researchers from investigating an enormous variety of larger systems like building automation systems, avionics, traffic control infrastructure, or voting machines (just to name a few).
We further argued against limiting the exemption only to security research performed in “controlled environments,” which suggested that the exemption only applied to security research performed in laboratories. We stressed that restricting the circumvention exemption to laboratory-based security research risked preventing essential field research where the environment is purposefully uncontrolled, allowing researchers to measure variations caused by undetected sources, distinguish causation from correlation, improve reliability, and perform verification.
Finally, we argued that making the circumvention exemption for software security research contingent on not violating “any applicable law” would adversely affect security research because researchers may be unaware of the vast patchwork of possible laws. We noted that security research can implicate numerous federal and state regulations, with legal uncertainty and uneven application in different jurisdictions.
The Acting Register of Copyrights agreed with many of these arguments and proceeded to recommend that the “Device Limitation” be eliminated and the “Controlled Environment Limitation” be narrowed as a part of the renewal of the 2015 security research exemption. After being adopted by the Librarian of Congress, the exemption now applies to research conducted on all “computer programs,” so long as the programs are located on devices that have been lawfully acquired or are on systems whose owners/operators have given authorization for the research. Furthermore, the current exemption no longer requires that security research take place in a “controlled environment,” and now only requires that research be conducted generally in an “environment designed to avoid any harm to individuals or the public.”
The Acting Register was not persuaded, however, that requiring security researchers to follow all “applicable laws” to be eligible for the exemption would adversely affect good-faith research and disagreed that the 2015 exemption’s “law-abiding” requirement hindered security research. This limitation will remain in the language for the security research exemption.
Now that the Librarian of Congress has expanded the security research exemption, researchers can probe the security and vulnerabilities of a much-expanded range of device and system software with less risk of liability. The resulting research will no doubt be invaluable in helping make a wide array of modern technologies safer and more secure.
The final exemption language is below:
(b) Classes of copyrighted works. Pursuant to the authority set forth in 17 U.S.C. 1201(a)(1)(C) and (D), and upon the recommendation of the Register of Copyrights, the Librarian has determined that the prohibition against circumvention of technological measures that effectively control access to copyrighted works set forth in 17 U.S.C. 1201(a)(1)(A) shall not apply to persons who engage in noninfringing uses of the following classes of copyrighted works:
. . .
(i) Computer programs, where the circumvention is undertaken on a lawfully acquired device or machine on which the computer program operates, or is undertaken on a computer, computer system, or computer network on which the computer program operates with the authorization of the owner or operator of such computer, computer system, or computer network, solely for the purpose of good-faith security research and does not violate any applicable law, including without limitation the Computer Fraud and Abuse Act of 1986.
(ii) For purposes of this paragraph (b)(11), “good-faith security research” means accessing a computer program solely for purposes of good-faith testing, investigation, and/or correction of a security flaw or vulnerability, where such activity is carried out in an environment designed to avoid any harm to individuals or the public, and where the information derived from the activity is used primarily to promote the security or safety of the class of devices or machines on which the computer program operates, or those who use such devices or machines, and is not used or maintained in a manner that facilitates copyright infringement.