Cybersecurity firms battle DMCA rules over good-faith research
A cohort of cybersecurity companies has signed an open letter asking for reforms to existing DMCA rules in order to protect researchers.
The Digital Millennium Copyright Act (DMCA), signed into US law decades ago, aims to protect intellectual property rights.
However, IP laws can be abused by vendors to suppress research going public that could be damaging or embarrassing for a brand — and one area, in particular, Section 1201, has long caused cybersecurity professionals issues when it comes to research and disclosure.
Section 1201 contains a number of anti-circumvention mandates, including the “circumvention of technological measures” to “descramble a scrambled work, to decrypt an encrypted work, or otherwise, to avoid, bypass, remove, deactivate, or impair a technological measure, without the authority of the copyright owner.”
As explained by Bishop Fox researcher Dan Petro, encryption could be placed on an app, device, or within other software that is being tested, and this then means that a “technological measure” has been broken to access a vendor’s code.
“So DMCA 1201 can quickly be abused as a magic wand you can wave to make any app or device illegal to inspect, reverse engineer, or find vulnerabilities in if you’re a vendor,” Petro added.
An example cited by Bishop Fox is that of George “Geohot” Hotz, who was hit with a copyright infringement claim in 2011 after publishing a method for homebrew hacking PlayStation 3 consoles. The case was settled and Hotz received an injunction.
“Unfortunately, some companies hide behind Section 1201 to make their code, software, and other services illegal to assess from a security perspective,” the security firm noted. “By unintentionally (or intentionally) blocking security researchers and making these activities illegal, these companies hinder testing efforts that could benefit the public by protecting their rights and the privacy of their data.”
As an ongoing issue in the cybersecurity realm, the Electronic Frontier Foundation (EFF) has published an open letter signed by 23 organizations — at the time of writing — requesting an overhaul to existing rules.
The statement says that existing DMCA provisions undermine and suppress “good-faith cybersecurity research,” with independent researchers often finding themselves in a legal firing line for responsibly disclosing weaknesses or vulnerabilities in software — and, simply put, we need this research to continue.
“Some of the most critical cybersecurity flaws of the last decade, like Heartbleed, Shellshock, and DROWN, have been discovered by independent security researchers,” the letter reads.
Another issue with Section 1201 is noted in the EFF statement — that which prohibits “providing technologies, tools, or services to the public that circumvent technological protection measures” in order to access copyrighted property.
Third-party tools are often used in security research, and this vague provision can also cause legal problems. While there is an exemption in DMCA law for software analysis, the companies argue that it is “too narrow and too vague” and does not go far enough to protect good-faith research as tools used must be for the “sole purpose” of testing.
Signatories include Bishop Fox, Rapid7, McAfee, iFixIt, HackerOne, and Cybereason.
“We urge policymakers and legislators to reform Section 1201 to allow security research tools to be provided and used for good-faith security research,” the letter reads. “In addition, we urge companies and prosecutors to refrain from using Section 1201 to unnecessarily target tools used for security research.”
Previous and related coverage
- Australian law enforcement found to have issues with data destruction
- IT leaders say cybersecurity funding being wasted on remote work support: survey
- A deep dive into the operations of the LockBit ransomware group
Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0