Our Position on the Digital Millennium Copyright Act (DMCA) and the Need to Safeguard Tools for Responsible Security Researchers

Today, we are joining our peers in the security industry in cautioning against Section 1201 of the Digital Millennium Copyright Act (DMCA). While the law is well intended and is meant to prevent piracy and copyright infringement by protecting Digital Rights Management (DRM) measures, the law is very broad and may unintentionally limit what research can be performed by responsible, trusted testers. As part of the offensive security community, we strongly believe that good faith security and encryption research is a critical component in safeguarding privacy and building more secure technologies for everyone.

Every day, researchers rigorously test products and applications from responsible vendors to help them proactively identify and fix vulnerabilities before hackers can exploit them. Unfortunately, some companies hide behind Section 1201 to make their code, software, and other services illegal to assess from a security perspective. By unintentionally (or intentionally) blocking security researchers and making these activities illegal, these companies hinder testing efforts that could benefit the public by protecting their rights and the privacy of their data.

As Bishop Fox security researcher Dan Petro puts it, “Anyone can apply ROT13 encryption on an app or device, and suddenly it becomes a crime to ‘break the technical protection measure’ they put in place. So DMCA 1201 can quickly be abused as a magic wand you can wave to make any app or device illegal to inspect, reverse engineer, or find vulnerabilities in if you’re a vendor.”

You might remember DMCA 1201 from the Sony lawsuit filed against George Hotz (@geohot) when he identified methods to jailbreak PlayStation 3s and told others about it.

“For Bishop Fox and other responsible security researchers, Section 1201 essentially makes it impossible to legally perform research on whole technologies and devices,” added Vinnie Liu, CEO of Bishop Fox. “In order to inspect how a software, app, or device works, we have to bypass the ‘technical protection measure’ as defined by this law. As currently written, we are concerned that the legislation is too broad and far reaching and has the potential to unintentionally prevent valuable research that keeps people safe online.”

Below is the official statement on the EFF site, which we have signed:

We the undersigned write to caution against use of Section 1201 of the Digital Millennium Copyright Act (DMCA) to suppress software and tools used for good faith cybersecurity research. Security and encryption researchers help build a safer future for all of us by identifying vulnerabilities in digital technologies and raising awareness so those vulnerabilities can be mitigated. Indeed, some of the most critical cybersecurity flaws of the last decade, like Heartbleed, Shellshock, and DROWN, have been discovered by independent security researchers.

However, too many legitimate researchers face serious legal challenges that prevent or inhibit their work. One of these critical legal challenges comes from provisions of the DMCA that prohibit providing technologies, tools, or services to the public that circumvent technological protection measures (such as bypassing shared default credentials, weak encryption, etc.) to access copyrighted software without the permission of the software owner. 17 USC 1201(a)(2), (b). This creates a risk of private lawsuits and criminal penalties for independent organizations that provide technologies to researchers that can help strengthen software security and protect users. Security research on devices, which is vital to increasing the safety and security of people around the world, often requires these technologies to be effective.

Good faith security researchers depend on these tools to test security flaws and vulnerabilities in software, not to infringe on copyright. While Sec. 1201(j) purports to provide an exemption for good faith security testing, including using technological means, the exemption is both too narrow and too vague. Most critically, 1201(j)’s accommodation for using, developing or sharing security testing tools is similarly confined; the tool must be for the "sole purpose" of security testing, and not otherwise violate the DMCA’s prohibition against providing circumvention tools.

If security researchers must obtain permission from the software vendor to use third-party security tools, this significantly hinders the independence and ability of researchers to test the security of software without any conflict of interest. In addition, it would be unrealistic, burdensome, and risky to require each security researcher to create their own bespoke security testing technologies.

We, the undersigned, believe that legal threats against the creation of tools that let people conduct security research actively harm our cybersecurity. DMCA Section 1201 should be used in such circumstances with great caution and in consideration of broader security concerns, not just for competitive economic advantage. We urge policymakers and legislators to reform Section 1201 to allow security research tools to be provided and used for good faith security research In addition, we urge companies and prosecutors to refrain from using Section 1201 to unnecessarily target tools used for security research.

Black Hills Information Security

Bugcrowd

Bitwatcher

Bishop Fox

Cybersecurity Coalition

Cybereason

disclose.io

Electronic Frontier Foundation

Grand Idea Studio

GRIMM

HackerOne

Hex-Rays

iFixIt

Luta Security

McAfee

NCC Group

NowSecure

Rapid7

Red Siege

SANS Technology Institute

SCYTHE

Social Exploits LLC