Good news for security researchers: The Library of Congress announced that it would renew and even expand protections for security testing under Section 1201 of the Digital Millennium Copyright Act (DMCA). Although we believe the security testing exemption could still use improvement, we applaud the Library of Congress’ continuing commitment to protecting good faith security research.

Background

Sec. 1201 of the DMCA prohibits circumventing technological protection measures (TPMs, like encryption, authentication requirements, region coding, etc.) to access copyrighted works, including software, without permission of the copyright holder. That creates criminal penalties and civil liability for independent security research that does not obtain authorization for each TPM circumvention from the copyright holders of software.

[For additional background on what DMCA Sec. 1201 is and why it’s important for security research, please see this earlier post.]

The Library of Congress created a three-year exemption for security testing to DMCA Sec. 1201 in 2015. The temporary exemption rule granted more protection to good faith security research than the DMCA itself. The exemption was up for renewal in 2018. The Copyright Office telegraphed that it would renew the 2015 security testing exemption, using a welcome new presumption of renewal for previously approved exemptions, so the renewal was expected.

Beyond renewal, several groups - including Rapid7 and our colleagues - recommended expanding the security testing exemption to provide good faith researchers with greater legal protection. Several other groups opposed expansion. The question of whether and how to expand the security testing exemption is what the Library of Congress considered over the last several months.

Expansion and rule

The Library of Congress chose to expand on its 2015 security testing exemption for DMCA Sec. 1201 in two ways:

  1. The Librarian of Congress is removing the device limitation, so now software on more classes of computers can be tested - as long as the researcher owns the computer or has the authorization of the computer owner.

    Previously the research exemption was limited to
    "a) A device or machine primarily designed for use by individual consumers (including voting machines);
    b) A motorized land vehicle; or
    c) A medical device designed for whole or partial implantation in patients or a corresponding personal monitoring system, that is not and will not be used by patients or for patient care."

This expansion means researchers can circumvent technological protection measures on software for cybersecurity testing on devices that previously did not fit into those categories. However, before you go hacking your drone over a crowd in restricted airspace, check out the requirements in the rest of the rule (copied in full below) and remember that the exemption only applies to DMCA and not other laws.

  2. The Librarian is removing "controlled" from the "controlled environment" limitation, so that it's just an environment designed to avoid harm.

    Previously, the research exemption required
    "where such activity is carried out in a controlled environment designed to avoid any harm to individuals or the public,"

As the Librarian explained, this change is intended to eliminate ambiguity on what qualifies as “controlled” and to better enable researchers to perform tests in “live” environments. But the environment must still be safe and, as before, the testing must be performed subject to the other requirements in the rule. Killing a car on a highway is still no-go. Heh.

So here's the 2018-2021 security exemption text in full:

Accordingly, the Acting Register recommends that the Librarian designate the following class:

(i) Computer programs, where the circumvention is undertaken on a lawfully acquired device or machine on which the computer program operates, or is undertaken on a computer, computer system, or computer network on which the computer program operates with the authorization of the owner or operator of such computer, computer system, or computer network, solely for the purpose of good-faith security research and does not violate any applicable law, including without limitation the Computer Fraud and Abuse Act of 1986.

(ii) For purposes of this paragraph (b)(11), “good-faith security research” means accessing a computer program solely for purposes of good-faith testing, investigation, and/or correction of a security flaw or vulnerability, where such activity is carried out in an environment designed to avoid any harm to individuals or the public, and where the information derived from the activity is used primarily to promote the security or safety of the class of devices or machines on which the computer program operates, or those who use such devices or machines, and is not used or maintained in a manner that facilitates copyright infringement.

Good, but room for improvement

There are other reforms that did not make the cut. One in particular was scaling back the requirement that all other laws and regulations be obeyed in order to qualify for the research exemption: "and does not violate any applicable law, including without limitation the Computer Fraud and Abuse Act of 1986." Rapid7 and other proponents pointed out that this “other laws” restriction creates legal uncertainty for researchers by making the exemption contingent on compliance with even obscure regulations - county electrical codes, for example - that have little to do with digital security or copyright.

Although that recommendation received support from DOJ and NTIA, in addition to the other exemption proponents, the Library of Congress declined to make this change. The Register of Copyrights noted the DMCA itself [at 17 USC 1201(j)(2)] includes this "all other laws" limitation. The Register also noted there wasn't enough of a record concretely demonstrating that security research was chilled because Sec. 1201 included this "other laws" requirement - not whether other broad laws chilled research, but only whether the addition of potential 1201 liability to those other laws chilled research. This is a high bar to meet in 2021.

Overall, however, this is a good outcome for security researchers. The Library of Congress once again demonstrated its understanding of the importance of independent cybersecurity research to society, and that security testing does not infringe on the exercise of copyright. The next opportunity for changing the temporary security testing exemption is in 2021, but in the meantime we join the Register of Copyrights in calling on Congress to consider legislative reforms to DMCA Sec. 1201 to protect good faith security researchers on a permanent basis.

Now, let’s put these expanded legal protections to use!