How DMCA Rulemaking Has a Chilling Effect On Security Research (vice.com)
citadrianne writes: Jay Radcliffe is a security researcher with diabetes. In 2011, he gave a talk at Black Hat, showing how his personal insulin pump could be hacked—with potentially deadly consequences. As a result of his 2011 presentation, he worked with the Department of Homeland Security and the Food and Drug Administration to address security vulnerabilities in insulin pumps. "The specific technical details of that research have never been published in order to protect patients using those devices," he wrote in his testimony to the Librarian of Congress and the U.S. Copyright Office. Every three years, the Librarian of Congress puts a whole bunch of people through a twisted bureaucratic process called DMCA (Digital Millennium Copyright Act) rulemaking. Technically speaking, DMCA rulemaking doesn't make things illegal or legal per se, but many people—like Jay Radcliffe—look to the rulemaking for a green light to do their work.
I actually read the thing. This is a better summary:
* The DMCA forbids users from bypassing security measures. This is the infamous sec 1201 that caught up DVD Jon and others. If somebody bypasses technical security measures, they are at risk of getting fined or whatever under this provision.
* This risk obviously sinks security research, especially institutional or company-level. If you're some dude in your mom's basement, sure you can try to be a leet haxor, but if you're in academia you probably want to mostly keep your nose clean to protect your job. Sounds like a legit concern to me.
* DMCA has a provision that grants exceptions to certain activities or topics so that work under this topic won't get tripped up by sec 1201. This is an escape valve for the security research, because if a security researcher wants to do work on the security of medical devices, he can apply for an exemption on this topic and then not worry about legal headaches down the road. Most recently, there were exemptions for security research on medical devices, voting machines, cars, and tractors.
* These exemptions expire every three years and need to be renewed. This is the Triennial Review Process. According to the article, this process is very burdensome to complete.
* So, there's the rub. The researchers are not sure if their work may expose them to legal risks under section 1201. Congress provided a safety valve to provide assurance when appropriate. However, this safety valve was implemented with so much onerous red tape that it makes the approvals process difficult, time consuming, and there's no assurance of getting a good outcome.
SO! Because of the way DMCA was designed and implemented, it affects security research into topics that don't really have anything to do with copyrighted works. This is the chilling effect that the headline mentions.
And? The word in the sentence you quoted is "bypassing". It doesn't matter if once you bypass the security measure you copy the copyrighted work or not, the law says that you shall not bypass the protection, and the courts have indeed decided that the law means exactly what it says, which is what leads to us having to get special permission from the Library of Congress to unlock our cellphones.
If I have been able to see further than others, it is because I bought a pair of binoculars.
The DMCA does not forbid bypassing security measures, it forbids bypassing technological copyright protection methods. Furthermore, it specifically ALLOWS security testing, with the permission of the owner or operator of the thing being tested.