Research into IoT Security Is Finally Legal

For years, the DMCA has been used to stifle legitimate research into the security of embedded systems. Finally, the research exemption to the DMCA is in effect (for two years, but we can hope it'll be extended forever).

Posted on November 7, 2016 at 5:33 AM • 11 Comments

Comments

Who? • November 7, 2016 6:47 AM

Someone that wants to exploit bugs on this technology for profit, or just for fun, will not care about the legal consequences of his acts. Denying the right to legally research these bugs only stops people with legitimate goals. It is like declaring illegal the use of strong cryptography. It does not stop wrongdoers, only people that comply with laws.

Clive Robinson • November 7, 2016 8:18 AM

It would help a lot of people if the EFF named the departed persons responsible for delaying this by a year rather than just saying they have both departed.

It lets the offenders off of the hook, to go on and do similar or other illegal acts that benefit those with the money and resources to flout legislation for their own benefit.

Even if the two persons were not acting under the inducements of the lobbyists or others, it significantly calls into question their abilities and/or morals and capabilities.

Thus the general public should not only know who these people are but who they met with and when and any "hospitality" or similar they enjoyed.

Otherwise the wheel will turn another turn or more down a very undesirable road, which significantly hurts those who honestly pay their taxes that paid for the two persons to act against the common taxpayers' interests.

dingbat • November 7, 2016 8:47 AM

@Clive

The article gives the posts, they probably are public record, connect the dots.

Ted • November 7, 2016 11:37 AM

The Federal Trade Commission (FTC) created the Office of Technology Research and Investigation (OTRI) in 2015. Their office provides a very helpful overview to the “DMCA security research exemption for consumer devices” on FTC’s blog “Tech@FTC.”

https://www.ftc.gov/news-events/blogs/techftc/2016/10/dmca-security-research-exemption-consumer-devices

From the article: “So, if you meet all of the requirements, this temporary exemption allows you to test a connected toaster to assess the risk that an attacker might cause your bagel to combust or remotely monitor your toaster pastry habit. But, of course, it does not authorize anyone to steal a toaster, hack into a neighbor’s toaster, or set toasters on fire in close proximity to flammable materials. If you have any questions about the scope of the exemption, please contact the Library of Congress directly.”


Clive Robinson • November 7, 2016 12:43 PM

@ Ulrich Roche, Dingbat,

Would this apply?

Some think the chocolate factory has been pumping Obama to do "Murder Most foul in the library" and this sacking is but step 1 in the embers of the Presidency to "pay back" Silicon Valley, prior to Clinton getting in to carve lumps out of their plans, (so she pays back to the other side which has supported her) or the unknown of Trumping man. Whoever wins this battle the one thing that is certain is that it will be the consumer that pays the price...

http://www.theregister.co.uk/2016/10/24/murder_in_the_library_of_congress/

Money Quote • November 7, 2016 6:00 PM

FTFA (that I read on rarest of occasions)

The Copyright Office officials wrongly imagined that other agencies had been depending upon the DMCA for environmental, medical, and auto safety policy and delayed the implementation of the exemptions for one year to give them time to “respond” to the change (a change in a rule those agencies likely had never before considered, let alone relied upon).

Wow. An occasional spark of truth and sanity. I think the EFF isn't always as spot-on as I'd like them to be, but this article was well worth the read.

WhiskersInMenlo • November 7, 2016 10:15 PM

Gargle....
It is astounding that these regulations have the force of law. With an edit a bureaucrat can pass a new law without debate or discussion. Yes, Congress is supposed to review regulation changes but the reality is they do not have line by line veto or edit. N.B. there is no presidential veto.....

Regulations are at the root of an astounding pile of dissatisfaction in the population at large. Regulations can be a medical rule for parts per trillion of some substance that can now be measured by a new instrument being sold by some company in the pocket of some golf club clientele. That substance may have no evidentiary result and documents that show it to be bad at the new levels. Not all regulations are bad but the process has vast risks. Patents and patent trolls come to mind too.

This is critical because the internet is regulated by regulations not law at this point. Security and hacking by TLAs is managed by internal departmental regulations. NDAs hide the functionality of machinery that is more and more used in extralegal invasions of privacy of entire communities within the range of a single tower or multiple towers if multiple stingrays. Numbers hundreds to thousands... area coverage: Manhattan, that is about 1 block, Dallas, 2-3 miles, Wyoming about 15 miles.


SecResearcher • November 8, 2016 4:56 PM

DMCA affords research into anything, already. If you are a security researcher (which I believe can easily be validated by previous proven experience).

Glad this change was made, but I certainly already had been performing extensive research into the area, though had not published anything, yet.

Only time I am really aware of any American researcher falling afoul of the law is when they ignore, entirely, responsible disclosure guidelines. (Which, if you are a researcher of a certain years of experience you helped instrument as what are reasonable requests.)

While some who have done this have been made popular, in the industry, it is well understood that what they really did was ass and for, as the old term went, 'media whoring'.


Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.