Proposed Update to Copyright Rules Eases Barriers to Security Research

A bill to amend the Digital Millennium Copyright Act would make it easier for researchers to expose security vulnerabilities without running afoul of the law.

The Librarian of Congress is in charge of granting exemptions to the Digital Millennium Copyright Act. (National Journal)

Researchers who hack into everything from thermostats to Facebook so they can identify and help patch security holes may get a little assistance from Congress.

Legislation proposed last week would change copyright law to make it easier for these security researchers—not malicious hackers—to find and expose software vulnerabilities without getting in trouble for it.

The 1998 Digital Millennium Copyright Act made it illegal to get around technology protections—that includes ripping DVDs, copying video games, and in some cases, even jailbreaking your own smartphone. One provision of the act offers exemptions for certain activities. Ostensibly, security research is one of those activities, but the way the law is set up makes it difficult to get exemptions for research, critics say.

"Under current law, the only real way that you can safely conduct research is to make sure that you have the absolute permission of whoever's device or network or computer you're performing that research on," said Erik Stallman, Director of the Open Internet Project at the Center for Democracy and Technology.

Sometimes the owner of a computer or network is clear: For example, you will likely get in trouble for hacking Google's servers without the company's permission. In other cases, ownership is less obvious. In most cases, even though you may own a smartphone or a car, the software they use is the property of the manufacturer. Unless the Librarian of Congress issues a specific exemption, modifying the software of your own devices can be a violation of copyright law.

A bill introduced by Democrats Sen. Ron Wyden and Rep. Jared Polis on Thursday would lift some of the legal barriers that make computer research fraught with liability issues and could make security research easier in two major ways:

First, it would unravel some of the limitations that create "a lot of uncertainty and potentially catastrophic liability for computer security researchers," Stallman said. The proposed bill removes a reference to the Computer Fraud and Abuse Act, which acts as an added layer of liability that threatens computer researchers.

And second, the bill lists computer research as one of the considerations the Librarian of Congress should take into account when deciding whether or not to make an exemption. The update would lower the burden of proof researchers face when applying for exemptions, and make it much easier to renew them after their three-year term is up, a change which Sherwin Siy, vice president of legal affairs at Public Knowledge, called a "vast improvement."

The bill likely faces an uphill battle. A more comprehensive attempt to make changes to the DMCA, spearheaded by Rep. Zoe Lofgren in 2013, died in the 113th Congress. Siy says this bill could do better because of its narrower scope, but sidestepped making a more detailed prognosis.

Wyden said he's banking on the support of online activists. "When the Internet community has united to fight bad law, there have been remarkable successes," he said. "I'm counting on that same level of support and activism here."

But the bill's supporters might face tough resistance. "Any user-focused copyright reform legislation will encounter well-organized opposition," said Stallman. "But it's still worth the effort."