
Cybersecurity Companies Join Forces Against Controversial DMCA Section

The Electronic Frontier Foundation (EFF) along with nearly two dozen cybersecurity companies have signed a statement regarding the use of a controversial section of the Digital Millennium Copyright Act (DMCA) against security researchers.

The DMCA is a copyright law that was passed in 1998. It prohibits the production and dissemination of technology, devices, or services designed to circumvent measures that control access to copyrighted works.

One section of the DMCA, section 1201, has posed some problems for the cybersecurity community.

According to the U.S. Copyright Office, “section 1201 prohibits the circumvention of technological measures employed by or on behalf of copyright owners to protect access to their works (also known as ‘access controls’), as well as the trafficking in technology or services that facilitate such circumvention. It also prohibits trafficking in technologies or services that facilitate circumvention of technological measures that protect the exclusive rights granted to copyright owners…”

Section 1201’s goal is to fight music and movie piracy, but the EFF has long argued that it imposes restrictions on research and technology that inhibit free speech, harm competition and threaten digital security.

The organization has filed a lawsuit challenging the constitutionality of the provisions in section 1201. It also managed to obtain exemptions for repairing devices, creating videos, jailbreaking devices, and conducting security research.

However, the EFF believes more needs to be done when it comes to the controversial section, so it has teamed up with many cybersecurity companies to stand up against its use to suppress the tools necessary to conduct good faith security research.

The list of companies includes Bishop Fox, Bitwatcher, Black Hills Information Security, Bugcrowd, Cybereason, Cybersecurity Coalition, Digital Ocean, Grand Idea Studio, GRIMM, HackerOne, Hex-Rays, iFixIt, Luta Security, McAfee, NCC Group, NowSecure, Rapid7, Red Siege, SANS Technology Institute, SCYTHE and Social Exploits LLC.

An example was provided by Dan Petro, a security researcher at Bishop Fox. “Anyone can apply ROT13 encryption on an app or device, and suddenly it becomes a crime to ‘break the technical protection measure’ they put in place. So DMCA 1201 can quickly be abused as a magic wand you can wave to make any app or device illegal to inspect, reverse engineer, or find vulnerabilities in if you’re a vendor,” Petro explained.

Section 1201 of the DMCA was also used recently by Apple in a lawsuit against virtualization company Corellium over a tool that can be used to conduct security research.

The statement signed by the EFF and the cybersecurity companies points out that their main concern is that the DMCA prohibits entities from providing the public with technologies, tools or services that bypass protection measures, for example by bypassing shared default credentials or weak encryption. They argue that those who provide the technologies and tools researchers use to improve software security face lawsuits and criminal penalties because the current exemptions for good faith security testing are “too narrow and too vague.”

“DMCA Section 1201 should be used in such circumstances with great caution and in consideration of broader security concerns, not just for competitive economic advantage,” reads the statement signed by the EFF and the cybersecurity companies. “We urge policymakers and legislators to reform Section 1201 to allow security research tools to be provided and used for good faith security research. In addition, we urge companies and prosecutors to refrain from using Section 1201 to unnecessarily target tools used for security research.”


Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
