Cybersecurity Companies Join Forces Against Controversial DMCA Section

The Electronic Frontier Foundation (EFF), along with nearly two dozen cybersecurity companies, has signed a statement regarding the use of a controversial section of the Digital Millennium Copyright Act (DMCA) against security researchers.

The DMCA is a copyright law that was passed in 1998. It prohibits the production and dissemination of technology, devices, or services designed to circumvent measures that control access to copyrighted works.

One section of the DMCA, section 1201, has posed some problems for the cybersecurity community.

According to the U.S. Copyright Office, “section 1201 prohibits the circumvention of technological measures employed by or on behalf of copyright owners to protect access to their works (also known as ‘access controls’), as well as the trafficking in technology or services that facilitate such circumvention. It also prohibits trafficking in technologies or services that facilitate circumvention of technological measures that protect the exclusive rights granted to copyright owners…”

Section 1201’s goal is to fight music and movie piracy, but the EFF has long argued that it imposes restrictions on research and technology that inhibit free speech, harm competition and threaten digital security.

The organization has filed a lawsuit challenging the constitutionality of the provisions in section 1201. It also managed to obtain exemptions for repairing devices, creating videos, jailbreaking devices, and conducting security research.

However, the EFF believes more needs to be done when it comes to the controversial section, so it has teamed up with many cybersecurity companies to stand up against its use to suppress the tools necessary to conduct good faith security research.

The list of companies includes Bishop Fox, Bitwatcher, Black Hills Information Security, Bugcrowd, Cybereason, Cybersecurity Coalition, Digital Ocean, disclose.io, Grand Idea Studio, GRIMM, HackerOne, Hex-Rays, iFixIt, Luta Security, McAfee, NCC Group, NowSecure, Rapid7, Red Siege, SANS Technology Institute, SCYTHE and Social Exploits LLC.

An example was provided by Dan Petro, a security researcher at Bishop Fox. “Anyone can apply ROT13 encryption on an app or device, and suddenly it becomes a crime to ‘break the technical protection measure’ they put in place. So DMCA 1201 can quickly be abused as a magic wand you can wave to make any app or device illegal to inspect, reverse engineer, or find vulnerabilities in if you’re a vendor,” Petro explained.

Section 1201 of the DMCA was also used recently by Apple in a lawsuit against virtualization company Corellium over a tool that can be used to conduct security research.

The statement signed by the EFF and the cybersecurity companies points out that their main concern is that the DMCA prohibits entities from providing the public with technologies, tools or services that bypass protection measures, such as shared default credentials or weak encryption. They argue that those who provide the technologies and tools researchers use to improve software security face lawsuits and criminal penalties because the current exemptions for good faith security testing are “too narrow and too vague.”

“DMCA Section 1201 should be used in such circumstances with great caution and in consideration of broader security concerns, not just for competitive economic advantage,” reads the statement signed by the EFF and the cybersecurity companies. “We urge policymakers and legislators to reform Section 1201 to allow security research tools to be provided and used for good faith security research. In addition, we urge companies and prosecutors to refrain from using Section 1201 to unnecessarily target tools used for security research.”

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
