The Digitial Millennium Copyright Act (DMCA) is the United States copyright law made to comply with the two 1996 treaties by the World Intellectual Property Organization (WIPO). The DMCA provides protections to copyright owners over infringement on their protected work. Every three years the Librarian of Congress issues new rulings on the DMCA as well as exemptions. There is a balance that the DMCA has to strike when allowing what a “content user” can do after purchasing a copyrighted work. In the past, the way this balance favored has shown difficulties for many cybersecurity researchers.

Section 1201

As of October 2021, Section 1201 of the DMCA provides some exemptions for “circumvention of technological measures that control access to copyrighted works.” which it had not previously allowed. Formerly, Section 1201 hindered people who repair digital devices, filmmakers, students, etc. who use video clips, and security researchers.

Researchers nowadays have a little more freedom to do their research. There are exemptions to repair vehicles and to do “good faith security research”. Furthermore, simple modification and tinkering with devices is allowed. Also, IoT devices (Internet of Things) are covered with these exemptions.

In a recent talk at Shmoocon 2023, Harely Geiger provided more concerns about Section 1201 even after the revisal. Specifically, there is a restriction on “trafficking” within the act, which as Geiger states below, is concerning.

“So, Section 1201 of the DMCA forbids making or providing to the public any tools or technologies that are primarily for the purpose of bypassing software security safeguards, bypassing technological protection measures without, again, the authorization of the copyright holder”

“Making these technologies, offering them to the public is something that every pen-testing company does …This is something that a lot of pen-testing companies, pen testers, and people who are publishing exploits are just kind of whistling past.”

“This trafficking restriction is now the greater risk for ethical hackers under Section 1201 than the active security research itself”

Downstream effects

Unclear laws and regulations put cybersecurity researchers at risk. Without boundaries that protect their research, it can be bad for them to make discoveries and report these findings. Disincentivizing security researchers with criminal offenses for the sake of copyright holders is not how we should go forward.

You need to encourage people to work together to solve bigger problems. If we didn’t have researchers at their most efficient looking into the technology that the government, critical infrastructure, or any company uses we would be disadvantaged in defending these systems against adversaries in real engagements.

The future

We want cybersecurity researchers to only be held back by the lack of vulnerabilities, which is not happening anytime soon. The DMCA still stands outdated in the breadth of what security researchers need. There needs to be reconsideration and communication with researchers on what the necessary exemptions are to provide copyright holders with their protections without inhibiting any crucial cybersecurity research. The three-year revisals of the DMCA and Section 1201 are a good start, and keeping up with cybersecurity researchers will be important for revisions. Promoting valuable and efficient research will end up providing confidentiality, integrity, and accessibility to the systems people use everyday and rely on.