Security Experts:

Cybersecurity Companies Join Forces Against Controversial DMCA Section

The Electronic Frontier Foundation (EFF) along with nearly two dozen cybersecurity companies have signed a statement regarding the use of a controversial section of the Digital Millennium Copyright Act (DMCA) against security researchers.

The DMCA is a copyright law that was passed in 1998. It prohibits the production and dissemination of technology, devices, or services designed to circumvent measures that control access to copyrighted works.

One section of the DMCA, section 1201, has posed some problems for the cybersecurity community.

According to the U.S. Copyright Office, “section 1201 prohibits the circumvention of technological measures employed by or on behalf of copyright owners to protect access to their works (also known as ‘access controls’), as well as the trafficking in technology or services that facilitate such circumvention. It also prohibits trafficking in technologies or services that facilitate circumvention of technological measures that protect the exclusive rights granted to copyright owners...”

Section 1201’s goal is to fight music and movie piracy, but the EFF has long argued that it poses research and technology restrictions that inhibit free speech, harm competition and threaten digital security.

The organization has filed a lawsuit challenging the constitutionality of the provisions in section 1201. It also managed to obtain exemptions for repairing devices, creating videos, jailbreaking devices, and conducting security research.

However, the EFF believes more needs to be done when it comes to the controversial section, so it has teamed up with many cybersecurity companies to stand up against its use to suppress the tools necessary to conduct good faith security research.

The list of companies includes Bishop Fox, Bitwatcher, Black Hills Information Security, Bugcrowd, Cybereason, Cybersecurity Coalition, Digital Ocean, disclose.io, Grand Idea Studio, GRIMM, HackerOne, Hex-Rays, iFixIt, Luta Security, McAfee, NCC Group, NowSecure, Rapid7, Red Siege, SANS Technology Institute, SCYTHE and Social Exploits LLC.

An example was provided by Dan Petro, a security researcher at Bishop Fox. “Anyone can apply ROT13 encryption on an app or device, and suddenly it becomes a crime to ‘break the technical protection measure’ they put in place. So DMCA 1201 can quickly be abused as a magic wand you can wave to make any app or device illegal to inspect, reverse engineer, or find vulnerabilities in if you’re a vendor,” Petro explained.

Section 1201 of the DMCA was also used recently by Apple in a lawsuit against virtualization company Corellium over a tool that can be used to conduct security research.

The statement signed by the EFF and the cybersecurity companies points out that their main concern is related to the DMCA prohibiting entities from providing technologies, tools or services to the public that bypass protection measures, such as bypassing shared default credentials, or weak encryption. They argue that those providing the technologies and tools used by researchers to improve software security face lawsuits and criminal penalties due to current exemptions for good faith security testing being “too narrow and too vague.”

“DMCA Section 1201 should be used in such circumstances with great caution and in consideration of broader security concerns, not just for competitive economic advantage,” reads the statement signed by the EFF and the cybersecurity companies. “We urge policymakers and legislators to reform Section 1201 to allow security research tools to be provided and used for good faith security research. In addition, we urge companies and prosecutors to refrain from using Section 1201 to unnecessarily target tools used for security research.”

Related: New Bill in Georgia Could Criminalize Security Research

Related: Voatz Under Fire From Infosec Community Over Its Views on Security Research

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.