Shocker: DOJ's Computer Crimes And Intellectual Property Section Supports Security Researchers DMCA Exemptions

Well here's a surprise for you. The DOJ's Computer Crime and Intellectual Property Section (CCIPS) has weighed in to support DMCA 1201 exemptions proposed by computer security researchers. This is... flabbergasting.

In case you don't know, Section 1201 of the Digital Millennium Copyright Act (DMCA) is the "anti-circumvention" part of the law. It's the part of the law that makes it infringement to get around any "technological measure" to lock down copyright covered material, even if breaking those locks has nothing whatsoever to do with copyright infringement. It's a horrible law that has created all sorts of negative consequences, including costly and ridiculous lawsuits about things having nothing to do with copyright -- including garage door openers and printer ink cartridges. In fact, Congress knew the law was dumb from the beginning, but rather than dump it entirely as it should have done, a really silly "safety valve" was added in the form of the "triennial review" process.

The triennial review is a process that happens every three years (obviously, per the name), in which anyone can basically beg the Copyright Office and the Librarian of Congress to create exemptions for cracking DRM for the next three years (an exemption -- stupidly -- only lasts those three years, meaning people have to keep reapplying). Over the years, this has resulted in lots of silliness, including the famous decision by the Librarian of Congress to not renew an exemption to unlock mobile phones a few years back. Many of the exemption requests come from security researchers who want to be able to crack systems without being accused of copyright infringement -- which happens more frequently than you might think.

Historically, law enforcement has often been against these exemptions, because (in general) they often appear to dislike the fact that security researchers find security flaws. This is, of course, silly, but many like to take a "blame the messenger" approach to security research. That's why this new comment from the DOJ's CCIPS is so... unexpected.

Many of the changes sought in the petition appear likely to promote productive cybersecurity research, and CCIPS supports them, subject to the limitations discussed below.

Incredibly, CCIPS even points out that those who are opposed to these cybersecurity research exemptions are misunderstanding the purpose of 1201, and that it should only be used to stop activity that impacts copyright directly. This is the kind of thing we've been arguing for years, but many companies and government agencies have argued that because 1201 helps them, no exemptions should be granted. But here, the DOJ explains that's not how it works:

Some comments opposing removal of any existing limitation on the security research exemption suggest, implicitly or explicitly, that the DMCA's security research exemption itself poses a danger merely because it fails to prohibit a type of research to which the commenter objects. However, the purpose of the DMCA is to provide legal protection for technological protection measures, ultimately to protect the exclusive rights protected by copyright. As critically important as the integrity of voting machines or the safety of motorized land vehicles are the American public, the DMCA was not created to protect either interest, and is ill-suited to do so. To the extent such devices now contain copyrighted works protected by technological protection measures, the DMCA serves to protect those embedded works. However, the DMCA is not the sole nor even the primary legal protection preventing malicious tampering with such devices, or otherwise defining the contours of appropriate research. The fact that malicious tampering with certain devices or works could cause serious harm is reason to maintain legal prohibitions against such tampering, but not necessarily to try to mirror all such legal prohibitions within the DMCA's exemptions.

There's a lot more in the comment, but... I'm actually impressed. Of course, the letter does note that part of the reason it wants this exemption is to enable security researchers to figure out how to crack into encrypted phones, but that's actually a reasonable position for the DOJ to take. Far better than seeking to backdoor encryption. Finding flaws is fair game.

All in all, this is a welcome development, having the DOJ's CCIPS recognize that security research is useful, and that it shouldn't be blocked by nonsense copyright anti-circumvention rules.