New Copyright Rules Offer Improvements for Security Researchers, But Need for Legislative Reform Continues

WASHINGTON DC – Today, the Librarian of Congress (LOC) issued highly-anticipated new exceptions to the Digital Millennium Copyright Act (DMCA). Section 1201 of the DMCA makes it unlawful to tamper with digital locks that control access to copyrighted works such as movies, books, and software, but the Librarian of Congress is authorized to grant limited exemptions to that provision every three years. The rules issued today offer much-needed improvements for technology security researchers whose work has at times been stymied by the legal gray areas of how the DMCA applies to certain types of research. The rules also create a few new exemptions, including for audiovisual clips used in the course materials of online courses, for consumers who wish to “unlock” tablets so they can switch service carriers, and for medical patients who wish to retrieve their own patient data off of medical devices.  

As the Open Technology Institute (OTI) has explained, Congress passed the DMCA in the 1990s to combat copyright infringement—however, the intervening years have shown it to be susceptible to abuse by those who wish to chill a broad range of activities that constitute fair use, or would otherwise serve the public interest. Today’s rules work to address this problem by, among other things, declaring that “good-faith security research” on individual consumer devices, voting machines, vehicles, and implantable medical devices is not barred by the DMCA.

Unfortunately, the new rules contain a number of wordy limitations that perpetuate the need for researchers, educators, and everyday consumers to consult legal counsel before proceeding with activities that clearly have nothing to do with copyright infringement. Once again, the LOC’s triennial rulemaking underscores the continuing need for legislative reform to the 17-year-old DMCA.

As part of the rulemaking process that led to the development of today’s updated DMCA rules, OTI filed comments outlining the need for procedural changes to the rulemaking process, and supported security research exemptions in reply comments, testimony, and responses to post-hearing questions.

The following statement may be attributed to Laura Moy, Senior Policy Counsel at OTI:

“We applaud the Librarian of Congress, with input from the Register of Copyrights and National Telecommunications and Information Administration, for taking steps to clear up some legal murkiness that chills crucial security research. Today’s rules recognize that security research, even when it breaks digital locks, does a valuable service to society. Unfortunately, the updated rules still leave questions about applicability to research on remote-hosted applications, and on devices that are used by multiple consumers at one time. The rules still make it difficult for researchers to determine at the outset of a new project whether their activities are legal.

“Although they include improvements, ultimately these updated rules don’t eliminate the need for educators, researchers, medical patients, and consumers to agonize over complicated rules to determine the legality under copyright law of activities that don’t infringe copyright. Owing to a broken process and the outdated nature of a 20-year-old ‘digital’ law, the rules contain a number of odd distinctions that defy common sense. It’s time for Congress, the Copyright Office, rights-holders, and the public to work together to update the DMCA, and we look forward to collaborating with others to do so.

The final rules may be viewed here.