November 4, 2016
Until now, people risked a lawsuit if they reverse-engineered their cars, PCs or even insulin pumps. Now, there’s an exemption to the Digital Millennium Copyright Act that protects those who want to hack a device they own, without fearing that the manufacturer of that device will sue them. More specifically, the exemption covers security research on consumer devices, and digital repair of vehicles. The Library of Congress’ Copyright Office enacted the exemption in October 2015, but implementation was delayed for a year.
Wired reports, however, that the exemptions are only for a two-year “trial period” and aimed strictly at “good faith” testing in “a controlled environment designed to avoid any harm to individuals or to the public.” Northeastern University professor of law and computer science Andrea Matwyshyn, who worked for those exemptions, calls it “a tremendously important improvement for consumer protection.”
“The Copyright Office has demonstrated that it understands our changed technological reality, that in every aspect of consumers’ lives, we rely on code,” she said.
The exemption won’t let you tinker with “your neighbor’s pacemaker while it’s implanted,” but it does “remove a looming fear of DMCA lawsuits that has long hung over the security research community.”
“There’s a universe of security vulnerabilities that the law keeps researchers from figuring out and telling you about, but are nonetheless present in devices you use every day,” said Electronic Freedom Foundation attorney Kit Walsh. “For the next two years, that threat will be lifted for many forms of security research that are really important.”
DMCA’s Section 1201 has prevented consumers from “circumventing protections on the intellectual property of manufacturers.” Among manufacturers who invoked Section 1201 are Sony, which sued “reverse-engineer George Hotz for hacking the Sony PlayStation to allow it to run unauthorized software,” and John Deere, which prevented tractor owners from repairing “certain software components of their vehicles.”
Josh Corman, co-founder of the consumer security group I Am The Cavalry, notes that even “important security research aimed at public safety” has been banned, pointing to “recent research that has shown that Johnson & Johnson insulin pumps could be hacked to induce an overdose, that Jeeps could be hacked over the Internet to control their brakes and transmission, and that Volkswagen had rigged its software to systematically cheat emissions testing.”
Despite implementation of the exemption, researchers can still “be sued or prosecuted” for gaining “unauthorized access” to a computer they don’t own, and the exemptions do not include the Internet services to which devices connect. Still, Corman is upbeat.
“It’s our belief and hope that if we can create a body of evidence for the positive effects this research brings, we can bring about a permanent exemption,” he said. “When you remove a barrier to disclosure, you avail yourself of the opportunity to fix these things.”