Security research is vital to protecting the computers we all depend on and the people who have integrated electronic devices into their daily lives. To conduct security research, we need to protect researchers and give them the tools to find and fix vulnerabilities. The anti-circumvention provisions of the Digital Millennium Copyright Act, Section 1201, cast a shadow over security research, and sadly, the progress we have made through the DMCA rule-making process has not been sufficient to eliminate this shadow.
DMCA reform has long been part of the EFF agenda, in order to protect security researchers and others from its often troublesome consequences. We have taken legal action to overturn the onerous provisions in Section 1201 that violate the First Amendment, we've advocated for exemptions in every three-year rule-making process, and the Coders' Rights Project helps advise security researchers on the legal risks they face in conducting and disclosing research.
Today, we are honored to support a group of companies and security organizations that are publicly backing good faith cybersecurity research and opposing the use of Section 1201 of the DMCA to remove the software and tools necessary for that research. In the statement below, the signatories urge policymakers and lawmakers to reform Section 1201 to enable the provision and use of security research tools for good faith research purposes, and urge businesses and prosecutors to refrain from using Section 1201 to unnecessarily target tools used for security research.
The full statement:
We, the undersigned, write to caution against using Section 1201 of the Digital Millennium Copyright Act (DMCA) to remove software and tools used for good faith cybersecurity research. Security and encryption researchers are helping build a more secure future for all of us by identifying vulnerabilities in digital technologies and raising awareness so that these vulnerabilities can be mitigated. Indeed, some of the most critical cybersecurity vulnerabilities of the past decade, such as Heartbleed, Shellshock, and DROWN, have been uncovered by independent security researchers.
However, too many legitimate researchers face serious legal challenges that prevent or hinder their work. One of these critical legal challenges stems from the DMCA provisions that prohibit providing the public with technologies, tools, or services that bypass technological safeguards (such as bypassing shared default credentials, weak encryption, etc.) to access copyrighted software without the permission of the software owner. 17 U.S.C. 1201(a)(2), (b). This creates the risk of private lawsuits and criminal penalties for independent organizations that provide researchers with technologies that can help strengthen software security and protect users. Device security research, which is vital to increasing the safety and security of people around the world, often requires these technologies to be effective.
Good faith security researchers depend on these tools to test for security holes and software vulnerabilities, not to infringe copyright. While Sec. 1201(j) is intended to provide an exemption for good faith security testing, including the use of technological means, the exemption is both too narrow and too vague. More importantly, the applicability of 1201(j) to the use, development or sharing of security testing tools is also limited: the tool must be intended for "the sole purpose" of testing security and must not otherwise violate the DMCA's prohibition on providing circumvention tools.
If security researchers must obtain permission from the software vendor to use third-party security tools, this significantly impedes the independence and ability of researchers to test software security without a conflict of interest. Furthermore, it would be unrealistic, time consuming and risky to require every security researcher to create their own bespoke security testing technologies.
We, the undersigned, believe that legal threats against the creation of tools that allow people to conduct security research are actively undermining our cybersecurity. Section 1201 of the DMCA should be used in such circumstances only with great caution and with broader security concerns in mind, not merely for competitive economic advantage. We urge policymakers and legislators to reform Section 1201 to enable the provision and use of security research tools for good faith research purposes.
Black Hills Information Security
Cybersecurity Coalition
Electronic Frontier Foundation
Big Idea Studio
iFixit
SANS Institute
Social Exploits LLC