The U.S. Copyright Office has applied new DMCA exemptions to allow security researchers to find flaws in car computers, medical devices and smart home appliances.
Under the DMCA, circumvention of DRM is strictly prohibited, where circumvention is defined as "descramble a scrambled work, to decrypt an encrypted work, or otherwise to avoid, bypass, remove, deactivate, or impair a technological measure, without the authority of the copyright owner".
Originally introduced to help Hollywood prevent people from ripping DVDs, this controversial provision of the DMCA didn't limit itself in scope to home movie pirates, but has instead been used (and some say abused) to prevent genuine security research.
For example, security researchers, sometimes referred to as "white hat hackers", may need to attempt to circumvent existing digital security measures in order to locate flaws before hackers of the black hat variety find the same flaws and take advantage of them for their own nefarious use. Device manufacturers, wanting to avoid public embarrassment about flawed security measures (some of which may lead to recalls), also abuse the circumvention provision to prevent researchers from doing their job. Many researchers are now afraid to tackle certain subjects, or to publicly present their findings, for fear of DMCA-led copyright lawsuits.
This chilling effect may have contributed to an epidemic of hacking and malware attacks on devices ranging from smart light bulbs to security cameras, especially now that more and more devices have public-facing Internet connectivity.
As a result, digital rights groups, and even the FTC, have stepped in to ask the U.S. Copyright Office to grant more exemptions to allow security researchers to do their work without fear of reprisals, and this week, the Copyright Office granted these exemptions.
The exemption now permits the circumvention of security measures as long as it is done in "good faith".
The FTC was delighted with the decision, saying the new exemptions are "a big win for security researchers and for consumers who will benefit from increased security testing of the products they use."
The EFF also welcomed the new exemptions, saying the changes "will promote security, innovation, and competition – and also help the next generation of engineers continue to learn by taking their devices apart to see how they work."
The exemptions will be available for a two-year period, after which they will be reviewed for possible extension.