DMCA updated – toaster penetration testing gets green light in America
Exemption allows security research, for two years at least
A year late, the US Librarian of Congress on Friday published an updated list of exemptions to the Digital Millennium Copyright Act's prohibition on circumventing digital access controls.
These exemptions to Section 1201 of the DMCA describe the circumstances under which – until the rules get revisited in two years time – individuals can access, copy, and manipulate copyrighted digital content without fear of infringement claims.
Since 2003, the DMCA rulemaking process has happened every three years. But "the Copyright Office and the Librarian of Congress unlawfully and pointlessly delayed [the 2015 exemptions]," Electronic Frontier Foundation (EFF) staff attorney Kit Walsh said in a blog post on Thursday.
According to Walsh, opponents of the exemptions for security research and for vehicle owners voiced concern about consequences that could arise from allowing reverse engineering, leading the Copyright Office to delay those exemptions for a year.
The exemptions cover:
- The use of recorded and streaming video in educational and documentary contexts.
- The use of electronic literary works in conjunction with assistive technologies.
- Jailbreaking phones and tablets to enable interoperability or remove unwanted software.
- Efforts to access automobile software.
- Efforts to make non-functioning video games accessible.
- Efforts to bypass 3D printer materials controls.
- Efforts by patients to access data in personal medical devices.
- Attempts to reverse-engineer software for security research.
"The new temporary exemption is a big win for security researchers and for consumers who will benefit from increased security testing of the products they use," said Aaron Alva, Tech Policy Fellow at the Federal Trade Commission, in a blog post.
Security researchers still have to abide by the Computer Fraud and Abuse Act. In addition, the terms of the exemption specify that reverse-engineering or deobfuscating code must be "carried out in a controlled environment designed to avoid any harm to individuals or the public."
Furthermore, any information gained from such activity must be used to promote the security of the type of device on which the code runs or the security of the people using the device. And the fruits of such research must be maintained in a way that avoids facilitating copyright infringement.
"So, if you meet all of the requirements, this temporary exemption allows you to test a connected toaster to assess the risk that an attacker might cause your bagel to combust or remotely monitor your toaster pastry habit," Alva said. "But, of course, it does not authorize anyone to steal a toaster, hack into a neighbor's toaster, or set toasters on fire in close proximity to flammable materials."
For its part, the EFF would prefer to see the entire DMCA rulemaking process burn to the ground. "DMCA 1201, and the rulemaking process, create unconstitutional restraints on speech, and need to be struck down by a court or fixed by Congress," said Walsh.
The EFF filed a lawsuit to do just that in July. ®