Copyright Office Realizes The DMCA Fucks With Security Research While The W3C Still Doesn't See It
from the what-a-world dept
Last week, the Copyright Office finally released a report that it had been working on for some time, looking specifically at Section 1201 of the DMCA. In case you're new around here, or have somehow missed all the times we've spoken about DMCA 1201 before, that's the "anti-circumvention" part of the DMCA. It's the part that says it's against copyright law to circumvent (or provide tools to circumvent) any kind of "technological protection measures," by which it means DRM. In short: getting around DRM or selling a tool that gets around DRM -- even if it's not for the purpose of infringing on any copyrights -- is seen as automatically infringing copyright law. This is dumb for a whole host of reasons, many of which we've explored in the past. Not only is the law dumb, it's so dumb that Congress knew that it would create a massive mess for tons of legitimate uses. So it built in an even dumber procedure to try to deal with the fact it passed a dumb law (have you noticed I have opinions on Section 1201?).
Specifically, every three years, people and companies can petition the Copyright Office/Librarian of Congress to "exempt" certain technologies or uses from 1201, saying that it is legal to circumvent the technological protection measures in that case, for the succeeding three years (yes, after three years, the original exemption expires, unless it is renewed). This triennial review process has historically been an (annoying) joke, where people basically have to beg the Copyright Office to let them, say, get around DVD DRM, in order to make documentaries. Or, famously, that time in 2012 when the Librarian of Congress refused to renew the phone unlocking exemption, magically making it illegal to unlock your phone for no clear reason at all. The whole thing is fairly described as a hot mess.
And, it really harms our own security the most.
That's because security researchers often need these exemptions the most, because they don't want to be accused of violating copyright law for doing their jobs in figuring out where there are weaknesses and vulnerabilities in various technologies. So, many of the applied for exemptions tend to come from the security community -- and sometimes they're granted, and other times they are not. A year ago, some security researchers (along with the EFF) sued the US government, arguing that 1201 violates the First Amendment, scaring off security researchers, and providing none of the usual defenses against infringement, such as fair use (which the Supreme Court has argued is a necessary First Amendment valve on copyright). That case is still waiting for a judge to rule on early motions (and it's waiting a long time).
Given all that as background, it's somewhat fascinating (and marginally surprising) to see that the Copyright Office officially agrees that the 1201 setup totally sucks for security researchers, and it would actually like Congress to fix that. The report specifically recommends expanding the existing "permanent exemption" for certain types of "security testing" to make it more applicable to a wider set of security practices:
... the Office recommends that Congress consider expanding the exemption for security testing under section 1201(j). This could include expanding the definition of security testing, easing the requirement that researchers obtain authorization, and abandoning or clarifying the exemption’s multifactor test for eligibility.
There's another section in the law for "encryption research" and, again, the Copyright Office recognizes that should be expanded:
The exemption for encryption research under section 1201(g) may benefit from similar revision, including removal of the requirement to seek authorization and clarification or removal of the multifactor test.
For what it's worth, the report (obviously remembering how it got basically mocked and burned by everyone for removing the cell phone unlocking exemption in 2012) now asks for phone unlocking to be designated a permanent exemption under the law.
These are fairly small changes being sought by the Copyright Office, but it strikes me as somewhat incredible (and very disappointing) that this small bit of enlightenment goes much further than the World Wide Web Consortium's (W3C) view on DRM and security research. As you may recall, there's this ongoing battle over DRM in HTML 5. When the W3C refused to block it outright, some members came up with a fairly straightforward no-brainer rule: all members had to agree not to go after security researchers for circumventing the DRM in HTML 5. And the W3C rejected that proposal.
In other words, the Copyright Office -- famous for its historically expansionist view of copyright, as well as its general tilt towards supporting Hollywood over everyone else -- is now recognizing that it's obvious that security researchers should have the right to circumvent DRM without violating copyright law, while the W3C -- famous for promoting an open web -- is against this. This is "up is down, night is day, cats & dogs living together" kind of stuff. Maybe someone should let the W3C know that it's position on security researchers and DRM is now more extremist than the Copyright Offices?
Either way, at the very least, Congress should follow up on this report and expand the exemptions for security research. It doesn't just help out those researchers, it helps all of us when security researchers are able to do their jobs and help to protect us all.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: anti-circumvention, copyright office, dmca, dmca 1201, drm, research, security, triennial review
Companies: w3c
Reader Comments
Subscribe: RSS
View by: Time | Thread
[ link to this | view in chronology ]
I'm really conflicted about whether to support this viewpoint.
[ link to this | view in chronology ]
Re:
Security research exemptions are a good start. No more, no less.
[ link to this | view in chronology ]
Please
[ link to this | view in chronology ]
Re: Please
[ link to this | view in chronology ]
Re: Re: Please
[ link to this | view in chronology ]
Re: Please
[ link to this | view in chronology ]
Does the W3C really have the power to prevent DRM?
[ link to this | view in chronology ]
Re: Does the W3C really have the power to prevent DRM?
In other words, "We must join with Sauron. It would be wise, my friend."
And yes, that's Berners-Lee's justification for allowing DRM into the W3C specs.
That's why the EFF proposed a compromise that would require every signatory to contractually agree not to sue security researchers for copyright infringement. Berners-Lee demurred and instead suggested voluntary compliance.
[ link to this | view in chronology ]
It's pretty easy to determine whether someone is working on behalf of a legitimate educational institution, accessibility organization, archive or library, and whether their DRM circumvention is being done for purposes other than piracy.
There are few such formal institutions in the security research realm. There is no registry of who the white-hats are. I can see how the W3C members would not want to hand the black-hats a "security researcher" immunity.
That said, they could just take a more nuanced stance.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re:
This strikes me as a variation on the old "bloggers aren't real journalists, therefore they don't have freedom of the press" argument. I don't accept the premise that only specific favored classes have First Amendment protections -- and make no mistake, this is a First Amendment issue.
Disclosing browser vulnerabilities serves the public interest. If people use those vulnerabilities to illegally download movies, then go after the people who are illegally downloading movies, not the people who disclosed the vulnerabilities.
[ link to this | view in chronology ]
"We weren't hacking we were doong security research! Da, research!"
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re:
Legalizing drinking would just create a huge legal escape hatch for drunk drivers.
"I wasn't drinking and driving! Look, this isn't even a car, it's a house! A house! Jesus Christ, can't you tell the difference between a car and a house? What the hell is wrong with you?"
Legalizing chicken ownership would just create a huge legal escape hatch for cockfighting.
"This isn't a cockfighting ring! There's only one chicken here, and she's a hen! She's pecking at the ground! Why are you arresting me?"
Legalizing breathing would just create a huge legal escape hatch for murder.
"I didn't murder anybody! Yes, I know technically murderers also draw in oxygen to live, and would be unable to murder if they didn't do so dang much breathing. But you're breathing too, right at this very minute! Hey, nice stun gun, Officer!" bzzzzt thump
Legalizing encryption would just create a huge legal escape hatch for terrorism.
...wait, that one's not a joke; there are actual high-ranking government officials all over the world who seriously fucking claim that with a straight face.
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Re: Re: Re:
Was that your point, or is there something I'm missing as well?
[ link to this | view in chronology ]
Re: Re: Re:
[ link to this | view in chronology ]
Re: Teh haxxors
If you think that malicious attackers are not researching vulnerabilities for exploitation because of some US copyright laws you are sorely mistaken. Please remember that the attackers are working to penetrate your systems and extracts whatever information they can, be that credit card info, medical records, trade secrets, etc. Then to sell that information to the highest bidder. They already have intention to commit several felonies, so a copyright violation is not exactly a deterrent.
This push is for the security researchers out there who find a vulnerability but are afraid to disclose it because some manufacturers would rather pursue the researcher for copyright violations than fix their insecure code or snake oil. Mind you, these vulnerabilities still exist whether the security researchers publish them or not. So what would you prefer:
[ link to this | view in chronology ]
Re: Re: Teh haxxors
[ link to this | view in chronology ]
Re: Re: Re: Teh haxxors
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
DRM in HTML5
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Seeking correction
Dear Sir,
I'm seeking a correction in this particular section of your article:
"When the W3C refused to block it [DRM] outright, some members came up with a fairly straightforward no-brainer rule: all members had to agree not to go after security researchers for circumventing the DRM in HTML 5. And the W3C rejected that proposal."
Instead of "the W3C rejected", it would be accurate to use "most W3C Members rejected", or "a majority of W3C Members rejected".
Indeed, the proposal was balloted (several times), as are all proposals at the W3C [1], and there was no consensus to adopt it.
To say that the W3C rejected the proposal is simply wrong. W3C is a consortium of Members and its constituency steers the work.
Kind regards,
Coralie Mercier
Head of W3C Marketing & Communications
[1] https://www.w3.org/2017/Process-20170301/#ReviewAppeal
[ link to this | view in chronology ]
Re: Seeking correction
If the way the WC3 decides such things is by voting on proposals, and this proposal was voted down (multiple times!), then how is it not correct to say that the WC3 rejected the proposal?
If your objection is that saying that the WC3 rejected it makes it look as if the decision was unanimous, and all members of the WC3 agreed with that decision:
Saying that the WC3 rejected it is not saying that every member of the WC3 rejected it, only that the organization as an entity did so. As far as I can see, the only ways to demonstrate that the WC3 did not reject a proposal would be to either show that the WC3 actually accepted that proposal, to show that the proposal was never presented to the WC3, or to show that the WC3 never came to a decision on the presented versions of that proposal (and even that last might be argued to constitute rejection).
If your objection is that saying that the WC3 rejected it makes it look as if the decision was unilateral, and made without regard to the opinions of the WC3's members:
The fact that (an apparent majority of?) the members of the WC3 agreed with the rejection does not make it any less a rejection, and in fact would reflect negatively on those members rather than just on the WC3 as a unit.
If your objection is something else, please clarify what it is that you find objectionable about this.
[ link to this | view in chronology ]