DMCA security research exemption for consumer devices

Share This Page

With the stroke of a pen, the Librarian of Congress has authorized security researchers who are acting in good faith to conduct controlled research on consumer devices so long as the research does not violate other laws such as the Computer Fraud and Abuse Act (CFAA). This temporary exemption to the Digital Millennium Copyright Act (DMCA) begins today. The new temporary exemption is a big win for security researchers and for consumers who will benefit from increased security testing of the products they use.

The Digital Millennium Copyright Act (DMCA) makes it illegal to circumvent controls that prevent access to copyrighted material. The result is that under the DMCA, researchers can’t investigate and discover security vulnerabilities if doing so requires reverse engineering or circumventing controls such as obfuscated code. The Librarian of Congress can adopt exemptions to the DMCA’s anti-circumvention statute for various technologies. These exemptions have allowed individuals to unlock tablets and wearables, jailbreak mobile devices, circumvent brand-specific 3D ink restrictions on 3D printers, and more. Exemptions take away a legal hurdle and help protect conduct without fear of legal recourse. It is important to note that the rule requires a careful setup and testing environment in order to fall under the good faith security research exemption, and does not exempt researchers from other laws such as the CFAA.

This blog post describes some of the basics of the DMCA security research exemption, and possible avenues of security research that relate to consumer devices.

What type of research environment does the exemption require?

There are at least four main requirements researchers must meet when setting up a research environment in order to fall under the exemption. First, the computer program, or any devices on which those programs run, must be “lawfully acquired.”  Second, during research, the device and computer program should operate “solely for the purpose of good-faith security research.” This means, in part, that the research “must be conducted in a controlled setting designed to avoid harm to individuals or the public.” Third, the research must not begin before today, October 28, 2016.

What is “good-faith security research”?

The rule defines “good-faith security research” as “accessing a computer program solely for purposes of good-faith testing, investigation and/or correction of a security flaw or vulnerability, where such activity is carried out in a controlled environment designed to avoid any harm to individuals or the public, and where the information derived from the activity is used primarily to promote the security or safety of the class of devices or machines on which the computer program operates, or those who use such devices or machines, and is not used or maintained in a manner that facilitates copyright infringement.”

The rule discusses responsible disclosure as a factor that shows good faith in security testing. Although the rule does not explicitly require disclosure, the rule does suggest that promoting the security of devices includes responsibly disclosing vulnerabilities to companies.

So, if you meet all of the requirements, this temporary exemption allows you to test a connected toaster to assess the risk that an attacker might cause your bagel to combust or remotely monitor your toaster pastry habit. But, of course, it does not authorize anyone to steal a toaster, hack into a neighbor’s toaster, or set toasters on fire in close proximity to flammable materials. If you have any questions about the scope of the exemption, please contact the Library of Congress directly.

What consumer devices are included in the exemption?

The rule notes that “a device or machine primarily designed for use by individual consumers” falls within the exemption. The exemption covers a broad array of consumer devices such as electric toothbrushes, home thermostats, connected appliances, cars, and smart TVs.  The exemption even covers medical devices so long as the devices are not connected to humans during research.  The exemption, however, does not apply to “highly sensitive systems such as nuclear power plants and air traffic control systems.”

FTC’s research interests

At this year’s DEF CON, the FTC identified ways researchers can help the FTC protect privacy and security. We asked a number of research questions, including:

  • How can IoT device manufacturers and platforms ensure better IoT security?
  • What defensive measures can prevent one vulnerable IoT device from compromising other devices on the same network?
  • What techniques help better identify and address vulnerabilities in IoT devices?
  • How can sensor-based monitoring technologies protect the privacy of consumers?

The upcoming exemption may provide new opportunities for answering these and other questions. As always, we are open to hearing about your research. You can contact us at research@ftc.gov.

The author’s views are his or her own, and do not necessarily represent the views of the Commission or any Commissioner.

Comments

How's this differ from the security exemption already in the DMCA?

Pages

Add new comment

Comment Policy

Privacy Act Statement

It is your choice whether to submit a comment. If you do, you must create a user name, or we will not post your comment. The Federal Trade Commission Act authorizes this information collection for purposes of managing online comments. Comments and user names are part of the Federal Trade Commission’s (FTC) public records system (PDF), and user names also are part of the FTC’s computer user records system (PDF). We may routinely use these records as described in the FTC’s Privacy Act system notices. For more information on how the FTC handles information that we collect, please read our privacy policy.