EFF Asks Court To Block The DOJ From Prosecuting Researcher For DMCA Violations

A few more wrinkles have appeared in the EFF's attempted legal destruction of the DMCA's anti-circumvention clause. Back in July, the EFF -- along with researchers Bunny Huang and Matthew Green -- sued the government, challenging the constitutionality of Section 1201 of the DMCA. As it stands now, researchers are restricted by the limitations built into the anti-circumvention clause. The Library of Congress can grant exceptions, but these are only temporary, lasting three years and generally vanishing at the end of that term.

Projects and research efforts continue to be thwarted by this provision, opening up those who circumvent DRM and other protective measures to the possibility of prosecution. And their options when facing charges are severely limited. There is no "fair use" exception to Section 1201 of the DMCA -- something the EFF would like to see changed.

The threat of prosecution may be mostly existential, but it's still far from nonexistent. This is why the EFF has requested a preliminary injunction that would prevent the DOJ from trying to put its client in jail.

The Electronic Frontier Foundation (EFF) asked a court Thursday for an order that would prevent the government from prosecuting its client, security researcher Matthew Green, for publishing a book about making computer systems more secure.

[...]

But publishing the book, tentatively entitled Practical Cryptographic Engineering, could land Green in jail under an onerous and unconstitutional provision of copyright law. To identify security vulnerabilities in a device he has purchased, Green must work directly with copyrighted computer code, bypassing control measures meant to prevent the code from being accessed.

The injunction request [PDF] points out that -- in addition to the anti-circumvention clause being a form a prior restraint -- Green will be performing the sort of actions the DOJ has prosecuted people for in the past.

A rigorous and effective audit of a computer system's security requires that Dr. Green analyze the software controlling the system. Often, secure computer systems prevent access to their software code through technological protection measures ("TPMs") such as encryption, username/password combinations, or physical memory restrictions preventing a user from accessing certain stored information. An adversary seeking to extract information about the software code or about the system's user, or to install their own malicious software, would seek to bypass these measures in order to maximize their ability to locate and exploit vulnerabilities.

To identify security flaws, Dr. Green must do the same; indeed, finding and reporting on the vulnerability of these access controls is a critical part of auditing the security of the system. If he does not bypass access controls in a computer system, Dr. Green's research is significantly limited. While he may be able to discover some vulnerabilities, he cannot determine with confidence whether devices are secure against an adversary willing to circumvent access controls.

The DOJ has already responded (sort of) to some of the claims raised in the EFF's injunction request. Its motion to dismiss [PDF] -- filed the same day as the EFF's injunction request -- claims the EFF and Matthew Green have no standing to challenge Section 1201 of the DMCA. Not only that, but they cannot provide any evidence prosecution is likely if Green continues with his research work.

Plaintiffs' claims should be dismissed in their entirety. As an initial matter, Plaintiffs lack standing to raise their First Amendment claims on a pre-enforcement basis because the assertions in their Complaint fail to establish a credible threat of prosecution, under the DMCA's criminal enforcement provision, for engaging in constitutionally-protected activity. None of the Plaintiffs claims to have been threatened with criminal prosecution. Plaintiffs' conclusory assertion that others have been prosecuted under the DMCA in the past, for unidentified reasons, is insufficient to establish that Plaintiffs face a credible threat, as is their assertion that third parties might bring suit against them under a separate civil private right of action. Moreover, Plaintiffs fail plausibly to assert that the acts of circumvention and trafficking that they wish to undertake qualify as speech or expressive conduct that is entitled to First Amendment protection but prohibited by the DMCA.

The DOJ's arguments roughly align with the assertions made in its motion to dismiss in a lawsuit brought by security researchers and the ACLU against the much-hated CFAA. Once again, the DOJ recognizes that Green's book may be covered by the First Amendment, but actions taken during its compilation may not be.

In both cases, though, the statutes lend themselves to punishing security researchers for performing security research. While the DOJ may have no intention of prosecuting Green for his work, the anti-circumvention clause allows it to hold onto that option for as long as it wants to. The only way to guarantee this won't happen is to obtain an injunction, but chances are the court won't be as interested in staving off the theoretical as it will be in examining the First Amendment claims.