Slashdot Mirror

← Back to Stories (view on slashdot.org)

How DMCA Rulemaking Has a Chilling Effect On Security Research (vice.com)

Posted by Soulskill on from the don't-make-things-better-or-people-get-mad dept.

citadrianne writes: Jay Radcliffe is a security researcher with diabetes. In 2011, he gave a talk at Black Hat, showing how his personal insulin pump could be hacked—with potentially deadly consequences. As a result of his 2011 presentation, he worked with the Department of Homeland Security and the Food and Drug Administration to address security vulnerabilities in insulin pumps. "The specific technical details of that research have never been published in order to protect patients using those devices," he wrote in his testimony to the Librarian of Congress and the U.S. Copyright Office. Every three years, the Librarian of Congress puts a whole bunch of people through a twisted bureaucratic process called DMCA (Digital Millennium Copyright Act) rulemaking. Technically speaking, DMCA rulemaking doesn't make things illegal or legal per se, but many people—like Jay Radcliffe—look to the rulemaking for a green light to do their work.

20 of 31 comments (clear)

  1. Ok, this takes the cake by Opportunist · · Score: 5, Insightful

    I've seen a lot of pointless summaries. Meaningless even. Utterly useless and nondescript, not even worth being probed whether it's some kind of astroturfing.

    But this time I'm almost positive that it has to be written by some kind of bot that dug out the words that are guaranteed to press some buttons with the average Slashdot reader to get voted up for the front page. What the heck does this summary say? Someone showed his insulin pump can be hacked. Ok. Then he does some research and that research doesn't get published. Ok, makes sense considering that the info can kill people. And then some nonsequitor about the DMCA is tacked on.

    What the hell is that about?

    Know what would really be interesting? Whether or not the makers of those pumps have actually reacted and improved their security. Or whether our lawmakers at least plan to do something about the security of medical devices. But what the fuck is this?

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    1. Re:Ok, this takes the cake by complete+loony · · Score: 4, Insightful

      Is this more to your liking?

      Jay Radcliffe gave a talk at Black Hat, showing how his personal insulin pump could be hacked. If he wants to know that the security research he is planning will not run afoul of the DMCA, he's going to need an army of lawyers to comb through the DMCA rulemaking performed every three years by the Librarian of Congress. This process is a useless garbage train that’s gone completely off the tracks. Copyright law is rarely sensible, but at this point, DMCA section 1201 has spiraled entirely out of the realm of copyright and into a Kafka-esque hellscape.

      --
      09F91102 no, 455FE104 nope, F190A1E8 uh-uh, 7A5F8A09 that's not it, C87294CE no. Ah! 452F6E403CDF10714E41DFAA257D313F.
    2. Re:Ok, this takes the cake by Noah+Haders · · Score: 5, Informative

      I actually read the thing. This is a better summary:
      * The DMCA forbids users from bypassing security measures. This is the infamous sec 1201 that caught up DVD Jon and others. If somebody bypasses technical security measures, they are at risk from getting fined or whatever under this provision.
      * This risk obviously sinks security research, especially institutional or company-level. If you're some dude in your moms basement, sure you can try to be a leet haxor, but if you're in academia you probably want to mostly keep your nose clean to protect your job. Sounds like a legit concern to me.
      * DMCA has a provision that grants exceptions to certain activities or topics so that work under this topic won't get tripped up by sec 1201. This is an escape valve for the security research, because if a security research wants to do work on the security of medical devices, he can apply for an exemption on this topic and then not worry about legal headaches down the road. Most recently, there were exemptions for security research on medical devices, voting machines, cars, and tractors.
      * These exemptions expire every three years and need to be renewed. This is the Triannial Review Process. According to the article, this process is very burdensome to complete.
      * So, there's the rub. The researchers are not sure if their work may expose them to legal risks under section 1201. Congress provided a safety valve to provide assurance when appropriate. However this safety valve was implemented with so much onerous red tape that it makes the approvals process difficult, time consuming, and there's no assurance of getting a good outcome.

      SO! Because of the way DMCA was designed and implemented, it effects security research into topics that don't really have anything to do with copyrighted works. This is the chilling effect that the headline mentions.

    3. Re:Ok, this takes the cake by bws111 · · Score: 3, Informative

      The DMCA does not forbid bypassing security measures, it forbids bypassing technological copyright protection methods. Furthermore, it specifically ALLOWS security testing, with the permission of the owner or operator of the thing being tested.

    4. Re: Ok, this takes the cake by guruevi · · Score: 1

      Exactly, this security researcher not publishing his research out of DMCA concerns is bullocks. There are broad exceptions in the DMCA to permit reverse engineering and research. Either he can do it or he is a scaremonger trying to get some attention. Anyone can reprogram an insulin pump with the right tools, whether or not it is viable remotely or long distance is another issue completely.

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
    5. Re:Ok, this takes the cake by Opportunist · · Score: 1

      Sorry, my English fails sometimes when using loanwords that are loans in pretty much any language I speak.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    6. Re:Ok, this takes the cake by Opportunist · · Score: 1

      Yes. Yes it is. Any chance that you could do the summaries instead of that writer-bot they employ now?

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  2. You know what's really strange about DMCA? by U2xhc2hkb3QgU3Vja3M · · Score: 2

    If you remove the last letter, you get DMC, a.k.a. DeLorean Motor Company. And if you replace the first letter you get YMCA.

    Fight for your bitcoins!

  3. DMCA interpretation fail by viperidaenz · · Score: 1

    What is section (j) of DMCA 1201 for?
    https://www.law.cornell.edu/us...
    It explicitly allows for white-hat security testing.

    Can someone explain how what this guy is doing does not fall under section j?
    Did he just give up reading the law at section a, where it says "You can't do this, unless there is a library of congress rule to allow it"?

    1. Re:DMCA interpretation fail by Anonymous Coward · · Score: 2

      Did you read (j)(1) to the end of the line?

      with the authorization of the owner or operator of such computer, computer system, or computer network.

      $50 says the diabetic pump company doesn't authorize anyone to perform security testing on their equipment, inside or out of their company.

    2. Re:DMCA interpretation fail by bws111 · · Score: 1

      He owns the pump, he can test it.

    3. Re:DMCA interpretation fail by viperidaenz · · Score: 1

      The owner of the device, not the copyright owner.
      It means you can research your own things, not other people's without their permission.

  4. Re:That's not what the DMCA says. by viperidaenz · · Score: 2

    The code that runs the insulin pump is copyrighted.

    There's probably also copyrighted data tables in there that gets fed in to algorithms as well.

  5. Re:That's not what the DMCA says. by Qzukk · · Score: 4, Informative

    They're not making a copy of anything

    And? The word in the sentence you quoted is "bypassing". It doesn't matter if once you bypass the security measure you copy the copyrighted work or not, the law says that you shall not bypass the protection, and the courts have indeed decided that the law means exactly what it says, which is what leads to us having to get special permission from the Library of Congress to unlock our cellphones.

    --
    If I have been able to see further than others, it is because I bought a pair of binoculars.
  6. If your country blocks you by AHuxley · · Score: 3, Insightful

    Can academics even recover their basic freedoms in the USA? Academic and First Amendment questions seem moot.
    Having to show hidden work to a bureaucrat and beg for academic indulgences to even talk to your peers and other experts?
    To have to find funds to pay for expensive legal experts to even prepare to talk in pubic or share results.
    "When academics are scared off from doing security research, consumers suffer."
    Find another nation where crypto and technological ability is embraced, welcomed and can be talked about, sold, open sourced.
    Is it fun to know your code has to have a gov ready trap door or back door or the ability to even give a presentation is a legal issue?
    Or the presentation is quickly and totally removed by a university. Your hard work is airbrush from academia.
    VPN to a good job and offer your ability to parts of the world where maths, education and code skill are still valued and wanted.
    The money, time and effort wasted in front of bureaucrats and lawyers is taking away from your inalienable freedoms and pursuit of happiness.

    --
    Domestic spying is now "Benign Information Gathering"
  7. Re:That's not what the DMCA says. by Z00L00K · · Score: 1

    Making it illegal to hack copyright protections means that only criminals will hack the copyright protections.

    It will be like the 20's when the prohibition of alcohol caused the criminals to become very powerful. It's the same thing all over again - feeding the big time crime gangs.

    --
    If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
  8. Re:many eyes make shallow bugs? by Z00L00K · · Score: 1

    Time to lay off the drugs now.

    --
    If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
  9. A Failure of Imagination by mbrotzman.jhu · · Score: 1

    Laws are so vague that most Americans commit three felonies per day so you might as well make them count. The same security researchers who complain about the DMCA blocking their research will gladly go down to the corner to but pot or Torrent the newest season of Game of Thrones. If an anonymous person in a foreign country "leaks" some code from a secured device then hey, that's fair game. Unfortunately, academic researchers feed the need to blab about every step in the process. Do you think those security research firms who sell vulnerabilities to various governments for cold hard cash give one lick about the DMCA? They know how to keep their mouths shut.

  10. Re:That's not what the DMCA says. by viperidaenz · · Score: 1

    Security researchers have their own exemptions in the DMCA.

    If you own the devices you're researching or have permission from their owners and you plan to tell the copyright owner about any vulnerabilities you find, it's perfectly legal.

  11. Re:That's not what the DMCA says. by Z00L00K · · Score: 1

    I'll tell them - in 25 years.

    --
    If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.