How DMCA Rulemaking Has a Chilling Effect On Security Research

citadrianne writes: Jay Radcliffe is a security researcher with diabetes. In 2011, he gave a talk at Black Hat, showing how his personal insulin pump could be hacked—with potentially deadly consequences. As a result of his 2011 presentation, he worked with the Department of Homeland Security and the Food and Drug Administration to address security vulnerabilities in insulin pumps. "The specific technical details of that research have never been published in order to protect patients using those devices," he wrote in his testimony to the Librarian of Congress and the U.S. Copyright Office. Every three years, the Librarian of Congress puts a whole bunch of people through a twisted bureaucratic process called DMCA (Digital Millennium Copyright Act) rulemaking. Technically speaking, DMCA rulemaking doesn't make things illegal or legal per se, but many people—like Jay Radcliffe—look to the rulemaking for a green light to do their work.

Ok, this takes the cake

[Opportunist]

I've seen a lot of pointless summaries. Meaningless even. Utterly useless and nondescript, not even worth being probed whether it's some kind of astroturfing.

But this time I'm almost positive that it has to be written by some kind of bot that dug out the words that are guaranteed to press some buttons with the average Slashdot reader to get voted up for the front page. What the heck does this summary say? Someone showed his insulin pump can be hacked. Ok. Then he does some research and that research doesn't get published. Ok, makes sense considering that the info can kill people. And then some nonsequitor about the DMCA is tacked on.

What the hell is that about?

Know what would really be interesting? Whether or not the makers of those pumps have actually reacted and improved their security. Or whether our lawmakers at least plan to do something about the security of medical devices. But what the fuck is this?

Re:Ok, this takes the cake

[Noah+Haders]

I actually read the thing. This is a better summary:
* The DMCA forbids users from bypassing security measures. This is the infamous sec 1201 that caught up DVD Jon and others. If somebody bypasses technical security measures, they are at risk from getting fined or whatever under this provision.
* This risk obviously sinks security research, especially institutional or company-level. If you're some dude in your moms basement, sure you can try to be a leet haxor, but if you're in academia you probably want to mostly keep your nose clean to protect your job. Sounds like a legit concern to me.
* DMCA has a provision that grants exceptions to certain activities or topics so that work under this topic won't get tripped up by sec 1201. This is an escape valve for the security research, because if a security research wants to do work on the security of medical devices, he can apply for an exemption on this topic and then not worry about legal headaches down the road. Most recently, there were exemptions for security research on medical devices, voting machines, cars, and tractors.
* These exemptions expire every three years and need to be renewed. This is the Triannial Review Process. According to the article, this process is very burdensome to complete.
* So, there's the rub. The researchers are not sure if their work may expose them to legal risks under section 1201. Congress provided a safety valve to provide assurance when appropriate. However this safety valve was implemented with so much onerous red tape that it makes the approvals process difficult, time consuming, and there's no assurance of getting a good outcome.

SO! Because of the way DMCA was designed and implemented, it effects security research into topics that don't really have anything to do with copyrighted works. This is the chilling effect that the headline mentions.