You may have thought that if you owned your digital devices, you were allowed to do whatever you like with them. In truth, even for possessions as personal as your car, PC, or insulin pump, you risked a lawsuit every time you reverse-engineered their software guts to dig up their security vulnerabilities---until now.
Last Friday, a new exemption to the decades-old law known as the Digital Millennium Copyright Act quietly kicked in, carving out protections for Americans to hack their own devices without fear that the DMCA's ban on circumventing protections on copyrighted systems would allow manufacturers to sue them. One exemption, crucially, will allow new forms of security research on those consumer devices. Another allows for the digital repair of vehicles. Together, the security community and DIYers are hoping those protections, which were enacted by the Library of Congress's Copyright Office in October of 2015 but delayed a full year, will spark a new era of benevolent hacking for both research and repair.
"This is a tremendously important improvement for consumer protection," says Andrea Matwyshyn, a professor of law and computer science at Northeastern University. "The Copyright Office has demonstrated that it understands our changed technological reality, that in every aspect of consumers’ lives, we rely on code," says Matwyshyn, who argued for the exemptions last year.
For now, the exemptions are limited to a two-year trial period. And the security research exemption in particular only applies to what the Copyright Office calls "good-faith" testing, "in a controlled environment designed to avoid any harm to individuals or to the public." As Matwyshyn puts it, "We’re not talking about testing your neighbor’s pacemaker while it’s implanted. We’re talking about a controlled lab and a device owned by the researcher."
But within those restrictions, the exemptions remove a looming fear of DMCA lawsuits that has long hung over the security research community. "There's a universe of security vulnerabilities that the law keeps researchers from figuring out and telling you about, but are nonetheless present in devices you use every day," says Kit Walsh, an attorney with the Electronic Freedom Foundation. "For the next two years, that threat will be lifted for many forms of security research that are really important."
Section 1201 of the DMCA has for years forbidden hackers from reverse-engineering many computer systems---even ones that they owned---in an attempt to prevent Americans from circumventing protections on the intellectual property of manufacturers. Sony used the law, for instance, to sue reverse-engineer George Hotz for hacking the Sony Playstation to allow it to run unauthorized software. (Sony and Hotz eventually settled that lawsuit in 2011, after Hotz agreed to stop reverse0engineering Sony's products.) Tractor manufacturer John Deere last year cited the law to argue that tractor owners couldn't repair certain software components of their vehicles.
Even important security research aimed at public safety has long fallen under the DMCA's ban, says Josh Corman, one of the co-founders of the consumer security group I Am The Cavalry. He points to recent research that has shown that Johnson and Johnson insulin pumps could be hacked to induce an overdose, that Jeeps could be hacked over the internet to control their brakes and transmission, and that Volkswagen had rigged its software to systematically cheat emissions testing.
All of the researchers behind those discoveries risked DMCA lawsuits, he says. The new exemptions, Corman argues, provide legal cover to reverse-engineers who otherwise may not explore critical subjects. "Some researchers have good lawyers, or they hope nobody takes the case," says Corman. "But for people who are more risk averse or don't want to be made an example of, this removes some risk."
It's tough to measure just how much the DMCA hacking restrictions have stymied research over the nearly two decades since its inception. But Corman points to the case of one security researcher, Brian Knopf, who held off on reporting security vulnerabilities in his wife's Medtronic neurotransmitter for fear of a DMCA lawsuit. And he notes that since GM launched a vulnerability disclosure program in January that offered some assurance it wouldn't sue helpful hackers, it's received hundreds of reports of security vulnerabilities in its cars. "Simply the act of removing the fear of reprisal allowed people to report things that could have affected GM’s customers or their livelihood," says Corman.
The new DMCA exemptions don't mean open season for hackers---even the friendly, research-focused kind. Aside from the Copyright Office's "good-faith" restrictions, researchers can still be sued or prosecuted under the Computer Fraud and Abuse Act if, for instance, they're determined to be gaining "unauthorized access" to a computer they don't own. The measure allows research on personal devices, but not the internet services to which they connect.
And again, the exemptions are set to expire after two years. But Corman, of I Am the Cavalry, is hopeful that the security research community can demonstrate enough research results during that time to convince the Copyright Office to lift the ban for good, a move he says would make us all safer.
"It’s our belief and hope that if we can create a body of evidence for the positive effects this research brings, we can bring about a permanent exemption," Corman says. "When you remove a barrier to disclosure, you avail yourself of the opportunity to fix these things."
