From today, it's OK in the US to thwart DRM to repair your stuff – if you keep the tools a secret
Selling toolsets is a no-no, distributing them for free a gray area
Analysis: This week the US Copyright Office ruled it's OK for Americans to break anti-piracy protections in a bunch of home and personal devices, and vehicles, in the course of fixing or tinkering with said equipment.
Mechanisms put in place to thwart unauthorized repairs or changes – such as firmware code that disables third-party replacements – can be legally circumvented to fix or adapt – deep breath – smartphones, tablets, smartwatches, routers and other wireless hotspots, digital personal assistants, and cars, trucks and tractors.
Up until now manufacturers have tried to lock out unofficial repairs for various reasons: partly to stop people fitting dodgy or backdoored replacements, and mostly to ensure customers fork out for official expensive parts and services.
Circumventing these restrictions can result in deliberately bricked devices, accusations of copyright violations, and lawsuits, because DRM has the DMCA – the Digital Millennium Copyright Act – as its protector.
The new rules protecting people carrying out repairs, jail-breaking their Amazon Alexas, or poking around for security flaws, come into effect in America today, Sunday, October 28.
At first glance, the rules look like a positive step. However, there are caveats you should be aware of.
There's always a catch
The main thing is that while you yourself can develop the software or hardware tools needed to circumvent the DRM, you can't sell or seemingly distribute these toolkits. Thus, someone can pay you to circumvent the protections to carry out a repair on their behalf, but you can't share how you did it.
"The ruling only granted use exemptions, but not tools exemptions," Cory Doctorow, a special adviser to the Electronic Frontier Foundation (EFF) and novelist, explained to The Register on Friday.
"Effectively the statute envisions you will make your own tools. It's completely bonkers and unrealistic."
It could also lead to people downloading what they think are newly legal repair tools that are actually spyware or some other malicious applications, Doctorow added.
"This means people will end up downloading tools that are illegal. If there's going to be no legal aboveground tools market, you don't know what you are getting. People could unknowingly be adding malware to their systems."
And, yes, even if you give away the knowledge to crack DRM as free or open-source materials, you're not in the clear, it appears. You can't "traffic" your toolkits: this means distributing them as open-source or free downloads is a gray area.
"The tool ban potentially includes open source tools – the laws are written quite broadly," Mitch Stoltz, senior staff attorney at the EFF, told El Reg. "The law says it's illegal to traffic these tools, which covers manufacturing and selling them, and potentially also teaching people about how to make and use them."
The situation is also not great for security researchers. While the legal update from the Copyright Office gave a green light to those probing products, they seemingly aren't allowed to share how they broke something's digital defenses. That's going to limit what vulnerability research can be peer-reviewed and published.
Stoltz did give the Copyright Office credit for listening to arguments for and against the anti-piracy mechanisms, and for streamlining the process to at least reach this point. He also pointed out that, once exemptions have been granted, the office tends not to rescind them, though that isn't guaranteed.
"The Copyright Office is a political football," Doctorow explained. "Some politicians want to bring it out of the administrative branch of government and make it the responsibility of Congress instead. That would give lobbyists a lot more power over proceedings. If the copyright office were to be ripped out of the Library of Congress then you could expect a more draconian regime as a result."
The simplest solution is to strip DRM of its legal protections altogether, Doctorow posited. That would mean outsmarting anti-piracy mechanisms within products is no longer a violation of the law. It's a goal he has said he'd like to achieve by 2025, though the timeline is aspirational. However, it may come around even more quickly than that, thanks to an ongoing court case in Washington DC.
The lawsuit, Green v US Department of Justice [PDF], was brought by Dr Matthew Green, assistant professor at the Johns Hopkins Information Security Institute, and computer scientist and hardware hacker Dr Bunnie Huang. In it, they are challenging section 1201 – the set of limitations and exemptions on circumventing DRM – on constitutional grounds, arguing it breaks the First Amendment.
The case is stalled in the courts, though there are signs of hope that it could be moving forward, Doctorow said. If successful, it would be a massive boost for the right to repair, but you can bet the case will be fought all the way to the US Supreme Court. ®