Last week, the Copyright Office finally released a report that it had been working on for some time, looking specifically at Section 1201 of the DMCA. In case you're new around here, or have somehow missed all the times we've spoken about DMCA 1201 before, that's the "anti-circumvention" part of the DMCA. It's the part that says it's against copyright law to circumvent (or provide tools to circumvent) any kind of "technological protection measures," by which it means DRM. In short: getting around DRM or selling a tool that gets around DRM -- even if it's not for the purpose of infringing on any copyrights -- is seen as automatically infringing copyright law. This is dumb for a whole host of reasons, many of which we've explored in the past. Not only is the law dumb, it's so dumb that Congress knew that it would create a massive mess for tons of legitimate uses. So it built in an even dumber procedure to try to deal with the fact it passed a dumb law (have you noticed I have opinions on Section 1201?).
Specifically, every three years, people and companies can petition the Copyright Office/Librarian of Congress to "exempt" certain technologies or uses from 1201, saying that it is legal to circumvent the technological protection measures in that case, for the succeeding three years (yes, after three years, the original exemption expires, unless it is renewed). This triennial review process has historically been an (annoying) joke, where people basically have to beg the Copyright Office to let them, say, get around DVD DRM, in order to make documentaries. Or, famously, that time in 2012 when the Librarian of Congress refused to renew the phone unlocking exemption, magically making it illegal to unlock your phone for no clear reason at all. The whole thing is fairly described as a hot mess.
And, it really harms our own security the most.
That's because security researchers often need these exemptions the most, because they don't want to be accused of violating copyright law for doing their jobs in figuring out where there are weaknesses and vulnerabilities in various technologies. So, many of the applied-for exemptions tend to come from the security community -- and sometimes they're granted, and other times they are not. A year ago, some security researchers (along with the EFF) sued the US government, arguing that 1201 violates the First Amendment by scaring off security researchers and providing none of the usual defenses against infringement, such as fair use (which the Supreme Court has argued is a necessary First Amendment valve on copyright). That case is still waiting for a judge to rule on early motions (and it's waiting a long time).
Given all that as background, it's somewhat fascinating (and marginally surprising) to see that the Copyright Office officially agrees that the 1201 setup totally sucks for security researchers, and it would actually like Congress to fix that. The report specifically recommends expanding the existing "permanent exemption" for certain types of "security testing" to make it more applicable to a wider set of security practices:
... the Office recommends that Congress consider expanding the exemption for security testing under section 1201(j). This could include expanding the definition of security testing, easing the requirement that researchers obtain authorization, and abandoning or clarifying the exemption’s multifactor test for eligibility.
There's another section in the law for "encryption research" and, again, the Copyright Office recognizes that should be expanded:
The exemption for encryption research under section 1201(g) may benefit from similar revision, including removal of the requirement to seek authorization and clarification or removal of the multifactor test.
For what it's worth, the report (obviously remembering how it got basically mocked and burned by everyone for removing the cell phone unlocking exemption in 2012) now asks for phone unlocking to be designated a permanent exemption under the law.
These are fairly small changes being sought by the Copyright Office, but it strikes me as somewhat incredible (and very disappointing) that this small bit of enlightenment goes much further than the World Wide Web Consortium's (W3C) view on DRM and security research. As you may recall, there's this ongoing battle over DRM in HTML 5. When the W3C refused to block it outright, some members came up with a fairly straightforward no-brainer rule: all members had to agree not to go after security researchers for circumventing the DRM in HTML 5. And the W3C rejected that proposal.
In other words, the Copyright Office -- famous for its historically expansionist view of copyright, as well as its general tilt towards supporting Hollywood over everyone else -- is now recognizing that it's obvious that security researchers should have the right to circumvent DRM without violating copyright law, while the W3C -- famous for promoting an open web -- is against this. This is "up is down, night is day, cats & dogs living together" kind of stuff. Maybe someone should let the W3C know that its position on security researchers and DRM is now more extremist than the Copyright Office's?
Either way, at the very least, Congress should follow up on this report and expand the exemptions for security research. It doesn't just help out those researchers; it helps all of us when security researchers are able to do their jobs and help to protect us all.