Primer: What new DMCA exemptions mean for hackers
The federal government wrapped up an unusual tech policy rite last month by carving a few more holes out of a major intellectual-property law. That should help Americans fix more of their devices and their apps, but it leaves the underlying regulatory regime still needing repair.
This latest triennial review by the U.S. Copyright Office of the Digital Millennium Copyright Act weakened the 1998 law’s ban on picking digital locks on copyrighted material. These new exemptions to the DMCA’s Section 1201 clause, which reads, “No person shall circumvent a technological measure that effectively controls access to a work protected under this title,” cover not just software but hardware controlled by code.
These are the important security advances among the exemptions published on October 26:
- It’s now legal to unlock not just used phones, tablets, and wearable devices for use on a different wireless network, but new ones as well
- You can now jailbreak voice assistant devices (as in, an Amazon Alexa or a Google Home) to allow them to run legal programs
- Your right to access the software in cars, trucks, and tractors to diagnose, repair, and modify it now extends to their telematics and entertainment systems
- It’s newly legal to access the software in home appliances and smart-home gadgets to diagnose, maintain, and repair it
- Disabling digital locks to conduct security research on software is no longer subject to the earlier restrictions that limited it to specified classes of devices
The office’s rules also maintain the existing patchwork of exemptions that, for instance, permit breaking digital rights management (DRM) restrictions on audiobooks and DVDs for commentary, criticism, and education, and making them accessible to people with impaired senses. In some cases, they expand these rights, as with an exemption covering online games that no longer have a functioning server.
Picking locks vs. purchasing lockpicking tools
A leading “right to repair” proponent credits the Copyright Office, a branch of the Library of Congress, for being more open-minded than it was during its 2015 DMCA exemptions review.
“There was a ruling three years ago where they really split the baby in half,” says Kyle Wiens, co-founder and CEO of the tech repair site iFixit. “This time, they were much less cautious.”
In a post on his site, Wiens called this “a sweeping victory.” But for all his good cheer about the Copyright Office’s decisions, he notes that the DMCA’s broader provisions banning trafficking in circumvention tools still limit this new liberty’s practical utility.
“The problem, at this point, is that [the Copyright Office is] limited by the statute in what they can do,” he says.
Kit Walsh, a staff attorney with the Electronic Frontier Foundation, agreed. “The rulemaking cannot create exemptions to the ban on ‘trafficking’ in circumvention technologies and services, so this process cannot enable a market for breaking DRM,” she wrote in an e-mail.
“I’m hopeful that we will see more documentation of how these systems work,” Wiens says, pointing to an effort to decode the telematics on John Deere tractors. But those anti-trafficking provisions make any resulting remedies unnecessarily artisanal.
“We’re going to need a market for third-party securing of your IoT systems,” he says. “You kind of need somebody to go out there and root the device you bought three years ago—root it and patch it.”
Walsh noted that it’s also unclear how far you can go under these new exemptions to make something better versus repair it.
“There is some scope of correcting vulnerabilities that is permitted under the security-related exemptions,” she wrote. “Installing different software, rather than, say, a patch, would be less likely to be permissible.”
No sure safe haven for security research
A government office saying something is legal, meanwhile, may not stop companies from trying to intimidate outsiders poking around in their software.
“I imagine vendors who don’t want people poking through their code will find other tools of legal harassment, if they can’t use the DMCA,” e-mailed Dave Touretzky, a computer science professor at Carnegie Mellon University.
He tangled with DMCA anti-circumvention rules 18 years ago, when a court tried to quash the distribution of software defeating playback restrictions on DVDs—a move he mocked by showing all the different ways one could share this DeCSS code.
The Copyright Office’s expansion of engineering liberty also leaves entire categories of connected hardware off-limits.
“Commercial HVAC / automation systems, industrial IoT, and pretty much anything else that isn’t in the above categories is excluded,” Wiens observed in an e-mail. “Boats, [planes], drones—you name it.”
The next triennial DMCA exemptions update may fix that. But it can’t fix the underlying flaw hard-coded into that law: It bans the use of tools with legal and illegal applications instead of banning the illegal applications themselves.
“I think the entire notion of anti-circumvention provisions is wrong,” CMU’s Touretzky wrote. “I would strike them down entirely, on the grounds that (a) what I do in private is no one else’s business, and (b) inhibiting the ability to make fair use of copyrighted works is not in the public interest.”
And as more and more hardware can’t function without code inside it, the scope of the DMCA’s anti-circumvention provision expands ever outward, distorting debates over topics far beyond its stated purpose of protecting copyright.
“The 1201 hearings center the Copyright Office in these really complex debates about everything from election security to environmental protection, and their mandate is…copyright law,” Meredith Rose, policy counsel with the advocacy group Public Knowledge, wrote in an email. “How much should the Copyright Office take into consideration these much larger policy debates, and how much should we want them to be in the position to be arbiter of things like whether security researchers can study voting machines?”