US copyright law places broad restrictions on what people are allowed to do with copyrighted content.
The US Copyright Office regularly reviews the exemptions to Section 1201 of the DMCA, which generally prevents the public from ‘tinkering’ with DRM-protected software and devices.
These provisions are renewed every three years after the Office hears input from stakeholders and the general public. This process also allows interested parties to suggest new exemptions.
Exemptions For Good Faith Security Research
In recent years we have covered exemptions for game archivists but there are many more on the table. This includes the ability for experts to bypass copyright restrictions to conduct good-faith security research.
This exemption already exists but many people believe that it’s rather limited in its current form, which reads as follows:
Computer programs, where the circumvention is undertaken on a lawfully acquired device or machine on which the computer program operates, or is undertaken on a computer, computer system, or computer network on which the computer program operates with the authorization of the owner or operator of such computer, computer system, or computer network, solely for the purpose of good-faith security research and does not violate any applicable law, including without limitation the Computer Fraud and Abuse Act of 1986.
This text used to be more restrictive and was adjusted three years ago, following a proposal from Computer Science & Engineering Professor Alex Halderman. This year, Halderman submitted a new proposal, trying to expand this exemption further and reduce the risk for security researchers.
Among other things, the professor would like the word “solely” removed from the text, as well as the requirement that a device has to be “lawfully acquired” and that circumvention does “not violate any applicable law.”
GitHub Backs Halderman Proposal
This proposal is currently being considered and this week various parties offered their support in letters submitted to the US Copyright Office. This includes developer platform GitHub which, following the RIAA/youtube-dl debacle, said it would get more involved in this process.
According to GitHub, developers are often facing fear, uncertainty, and doubt (FUD) with regard to legal issues. This may lead them not to start a project that could have benefited society as a whole.
Source of FUD
“Section 1201 is a source of FUD as applied to good faith security research. It can be asserted even when a court has decided that there is no copyright infringement of the underlying work,” GitHub writes.
“It’s a reason why a developer can’t be confident that there won’t be repercussions for engaging in legitimate, non-infringing security research and related development activities. It’s a reason why they might decide to do a different project, with less impact, that doesn’t help make us all safer to the same extent.”
GitHub urges the US Copyright Office to focus the exemptions on eliminating FUD. Removing the requirement that all actions are “solely” for the purpose of good-faith security research is crucial. GitHub argues that as long as an activity is consistent with conducting good-faith security research, it should not matter if all steps are “solely” focused on security.
“The Halderman et al. proposal draws clearer lines out of fuzzy lines in the current exemption, giving more certainty to researchers, academics, and enterprises conducting security research. It should be taken seriously,” GitHub adds.
Department of Justice Support
The Halderman proposal is widely supported by developers and researchers, but there’s also backing from less expected parties, such as the US Department of Justice.
In a comment to the Copyright Office, the Department of Justice’s Computer Crime and Intellectual Property Section agrees that it’s a good idea to drop the requirement that circumvention does “not violate any applicable law”.
The DoJ argued against this three years ago, but it now agrees that this language is troublesome.
“[W]e are now persuaded that replacing the existing requirement that research not violate ‘any applicable law’ with alternative explanatory language would provide equally sufficient notice of the need to comply with applicable law.
“This change would also reduce the chance that potentially valuable research projects may be discouraged by fears that inadvertent or minor violations of an unrelated law could result in substantial liability under the DMCA,” the DoJ writes.
Not a Free Pass to Violate Laws
The DoJ still believes that researchers who intentionally violate the law should be held accountable. However, the current language is too broad and subjects researchers to all sorts of liabilities.
“It thus may discourage valuable research projects that would otherwise be undertaken if researchers could be more certain the exemption would apply,” the DoJ writes.
These are strong words from the Department of Justice, and they will likely carry considerable weight. However, the DoJ doesn’t support the Halderman proposal in full.
For example, the DoJ doesn’t agree that the word “solely” should be removed from the exemption, nor does it see the need to strip the condition that a device has to be “lawfully acquired.”