Why Copyright Law Is Undermining Cybersecurity, And How to Fix It

You probably know that cybersecurity is a major concern for consumers, as each week seems to bring reports of another high-profile data breach. What you may not realize is that copyright law, in the form of the Digital Millennium Copyright Act (DMCA), threatens to make it worse by standing in the way of researchers working to improve cybersecurity.

If you’re an adult living in the United States today, your personal information has probably been exposed by a malicious attacker. This time last year, CNN Money reported that in the preceding 12 months, attackers had exposed the personal information of 110 million Americans, or roughly half the adult population of the country. That was before widely publicized data breaches of Anthem, Premera, and CareFirst Blue Cross Blue Shield, which collectively may have affected 1 in 3 Americans. And even if your information has not actually been exposed, chances are you’re among the majority of Americans who worry about that possibility.

Attackers use a range of techniques to gain unauthorized access to personal information, one of which is exploitation of software vulnerabilities. For example, software vulnerabilities were responsible for the infamous Heartbleed and Shellshock attacks of 2014.

Not only do vulnerabilities lead to theft of personal information and possible identity theft, but they could also threaten your physical safety. For example, as explained in a recent report on vehicle software security concerns published by Senator Markey’s office, vulnerabilities in cars could be used to attack safety-critical systems such as the engine and brakes. Vulnerabilities in the software operating on medical devices, such as implantable defibrillators, could lead to serious injury or death.

All software has bugs, and those bugs can cause big problems—that much is clear to everyone. What isn’t clear to everyone is the fact that copyright law—in particular the Digital Millennium Copyright Act of 1998—is hindering the activities of independent security researchers working to find and address vulnerabilities before they are exploited.

Congress passed the DMCA to combat copyright infringement. Among other things, the DMCA makes it more difficult for would-be infringers to break mechanisms put in place to protect content from unauthorized copying. But unfortunately it was written so broadly, it has been used to outlaw a broad range of activities that Congress didn’t mean to interfere with, or at least subjects those activities to unnecessary litigation. For example, the DMCA has been used to try to stop production of third-party printer cartridges, to try to prevent the marketing of universal transmitters for garage door openers, and a to try to prevent the marketing of third-party accessories for a video game console. It even interferes with independent security researchers working to identify vulnerabilities in computer software, including software operating in cars and on implantable medical devices.

That’s why we at OTI, working with a coalition of allies, are advocating in an ongoing rulemaking proceeding at the Copyright Office for exemptions to the DMCA that would allow security researchers to do the good work they do finding software vulnerabilities, so that those vulnerabilities can be addressed and we can all be a little safer. Here’s what we’ve done on the issue:

• In February, OTI filed comments urging the Copyright Office to conduct the rulemaking in a manner friendly to exemption proponents and consistent with the intent of Congress;

• Also in February, OTI collaborated with the Digital Right to Repair Coalition to deliver thousands of public comments to the Copyright Office in support of proposed exemptions;

• In May, OTI filed reply comments explaining why consumer privacy interests necessitate exemptions for independent security research of software and medical devices;

• Also in May, OTI’s Kevin Bankston joined over 30 leading cybersecurity experts on a Statement on Legal Impediments to Cybersecurity Research, which explained that the DMCA, the Computer Fraud and Abuse Act, and the Electronic Communications Privacy Act all generate uncertainty that chills security research, and was filed in the DMCA rulemaking at the Copyright Office;

• In June, OTI’s Laura Moy testified in two hearings (1, 2) at the Copyright Office in support of proposed exemptions for software and medical device security research.

• In June, OTI and the Center for Democracy & Technology co-filed post-hearing question responses with the Copyright Office in support of security researchers.

What happens next? We wait, as the security of our personal information and, in some cases, our very lives, rests in the hands of decisionmakers at the Copyright Office and the Library of Congress, slated to rule on the exemption proposals in coming months.

But even if the result is good and we get the exemptions we’ve asked for, those exemptions will only be temporary, lasting three years, and won't solve broader problems with the DMCA. That's why we're committed to long-term reform of the DMCA in Congress. As we've said in the past, the best way to rein in this overreaching copyright law would be to simply amend it so that it doesn’t interfere with activities that have nothing to do with copyright infringement, like security research.