Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Management & Strategy

Cybersecurity Companies Join Forces Against Controversial DMCA Section

The Electronic Frontier Foundation (EFF) along with nearly two dozen cybersecurity companies have signed a statement regarding the use of a controversial section of the Digital Millennium Copyright Act (DMCA) against security researchers.

The Electronic Frontier Foundation (EFF) along with nearly two dozen cybersecurity companies have signed a statement regarding the use of a controversial section of the Digital Millennium Copyright Act (DMCA) against security researchers.

The DMCA is a copyright law that was passed in 1998. It prohibits the production and dissemination of technology, devices, or services designed to circumvent measures that control access to copyrighted works.

One section of the DMCA, section 1201, has posed some problems for the cybersecurity community.

According to the U.S. Copyright Office, “section 1201 prohibits the circumvention of technological measures employed by or on behalf of copyright owners to protect access to their works (also known as ‘access controls’), as well as the trafficking in technology or services that facilitate such circumvention. It also prohibits trafficking in technologies or services that facilitate circumvention of technological measures that protect the exclusive rights granted to copyright owners…”

Section 1201’s goal is to fight music and movie piracy, but the EFF has long argued that it poses research and technology restrictions that inhibit free speech, harm competition and threaten digital security.

The organization has filed a lawsuit challenging the constitutionality of the provisions in section 1201. It also managed to obtain exemptions for repairing devices, creating videos, jailbreaking devices, and conducting security research.

Advertisement. Scroll to continue reading.

However, the EFF believes more needs to be done when it comes to the controversial section, so it has teamed up with many cybersecurity companies to stand up against its use to suppress the tools necessary to conduct good faith security research.

The list of companies includes Bishop Fox, Bitwatcher, Black Hills Information Security, Bugcrowd, Cybereason, Cybersecurity Coalition, Digital Ocean, disclose.io, Grand Idea Studio, GRIMM, HackerOne, Hex-Rays, iFixIt, Luta Security, McAfee, NCC Group, NowSecure, Rapid7, Red Siege, SANS Technology Institute, SCYTHE and Social Exploits LLC.

An example was provided by Dan Petro, a security researcher at Bishop Fox. “Anyone can apply ROT13 encryption on an app or device, and suddenly it becomes a crime to ‘break the technical protection measure’ they put in place. So DMCA 1201 can quickly be abused as a magic wand you can wave to make any app or device illegal to inspect, reverse engineer, or find vulnerabilities in if you’re a vendor,” Petro explained.

Section 1201 of the DMCA was also used recently by Apple in a lawsuit against virtualization company Corellium over a tool that can be used to conduct security research.

The statement signed by the EFF and the cybersecurity companies points out that their main concern is related to the DMCA prohibiting entities from providing technologies, tools or services to the public that bypass protection measures, such as bypassing shared default credentials, or weak encryption. They argue that those providing the technologies and tools used by researchers to improve software security face lawsuits and criminal penalties due to current exemptions for good faith security testing being “too narrow and too vague.”

“DMCA Section 1201 should be used in such circumstances with great caution and in consideration of broader security concerns, not just for competitive economic advantage,” reads the statement signed by the EFF and the cybersecurity companies. “We urge policymakers and legislators to reform Section 1201 to allow security research tools to be provided and used for good faith security research. In addition, we urge companies and prosecutors to refrain from using Section 1201 to unnecessarily target tools used for security research.”

Related: New Bill in Georgia Could Criminalize Security Research

Related: Voatz Under Fire From Infosec Community Over Its Views on Security Research

Written By

Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing for the latest cybersecurity threats, trends, and expert insights.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this live webinar as we break down why email-layer defenses alone can't keep pace with the modern phishing ecosystem, how agentic AI is changing the capacity equation for security teams, and more.

Register

This year's summit will help organizations learn how to utilize tools, controls, and design models needed to properly secure cloud environments. Interact with leading solution providers and other end users facing similar challenges in securing a variety of cloud deployments.

Register

People on the Move

James Phillips has been promoted to the role of Vice President, Cybersecurity Risk Management at AT&T.

Rafal Los has joined Binary Defense as Chief Strategy Officer.

Tracey Mustacchio has joined Everfox as Chief Marketing Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.