TLPC Advocates for Expansion of Security Research Exemption to Section 1201 of the DMCA

(by Wilson D. Scarbeary, Colorado Law 3L)

Section 1201 of the Digital Millennium Copyright Act (DMCA) prohibits the circumvention of technological protection measures (TPMs) that control access to copyrighted works. Every three years, the Copyright Office holds a rulemaking to consider temporary exemptions to this prohibition on circumvention of TPMs for noninfringing activities such as accessibility, repair, and security research.

Security research has become a critical aspect of our modern cybersecurity architecture, and renewing and expanding this exemption is critical to enable security research into devices ranging from voting machines to personal devices. The TLPC took part in the development of an early temporary exemption for security research in 2008, and has participated in each triennial review since then. This cycle, the TLPC worked on behalf of our client, Professor J. Alex Halderman of the University of Michigan, along with the Center for Democracy and Technology and the United States Technology Policy Committee of the Association of Computing Machinery.

On December 15, 2020, TLPC Student Attorneys Cara Groseth, Lucas Knudsen, and Wilson D. Scarbeary filed comments asking the Office to expand the existing exemption by removing two classes of limitations: the Other Laws Limitations and the Use Limitations. The Other Laws Limitations complicate the exemption by conditioning applicability on a number of non-copyright legal regimes in ways that introduce significant uncertainty for researchers. The Use Limitations cabin permissible security research in ways that create uncertainty concerning ancillary activities such as scholarship, criticism, and technical diligence. In the first round of comments, the TLPC also received support from other proponents including HackerOne, Rapid7, and the Software Freedom Conservancy.

On March 10, 2021, the TLPC filed reply comments to address opposition comments and supplement the record in favor of the expanded security research limitation. While opposition comments advanced largely speculative claims that expanding the security research exemption would facilitate infringement, the TLPC provided evidence that expansion was not only warranted, but necessary to ensure that security research can continue to play a central role in cybersecurity architecture.

During the reply round, TLPC received supportive comments from the Department of Justice (DOJ) concerning the Other Laws Limitations, which largely addressed the conditional issues with the exemption identified by the proponents. This proposed language also received support from Rapid7 in their initial comments. GitHub—a platform frequently used by security researchers and other developers—also praised TLPC’s petition for seeking to make the exemption clearer.

On April 8, the TLPC participated in hearings before the Copyright Office on the record concerning the expanded security research exemption. Panelists included TLPC director Blake Reid, student Wilson D. Scarbeary, CDT’s Stan Adams, and Professor Halderman. Panelists urged the Office to address the limitations consistent with the petition and comments. Professor Halderman explained how the existing exemptions chill security research, providing examples from his extensive personal experience. The final decision from the Office will be forthcoming.