The DMCA and its Chilling Effects on Research

The Center for Democracy and Technology has a good summary of the current state of the DMCA's chilling effects on security research.

To underline the nature of chilling effects on hacking and security research, CDT has worked to describe how tinkerers, hackers, and security researchers of all types both contribute to a baseline level of security in our digital environment and, in turn, are shaped themselves by this environment, most notably when things they do upset others and result in threats, potential lawsuits, and prosecution. We've published two reports (sponsored by the Hewlett Foundation and MacArthur Foundation) about needed reforms to the law and the myriad of ways that security research directly improves people's lives. To get a more complete picture, we wanted to talk to security researchers themselves and gauge the forces that shape their work; essentially, we wanted to "take the pulse" of the security research community.

Today, we are releasing a third report in service of this effort: "Taking the Pulse of Hacking: A Risk Basis for Security Research." We report findings after having interviewed a set of 20 security researchers and hackers -- half academic and half non-academic -- about what considerations they take into account when starting new projects or engaging in new work, as well as to what extent they or their colleagues have faced threats in the past that chilled their work. The results in our report show that a wide variety of constraints shape the work they do, from technical constraints to ethical boundaries to legal concerns, including the DMCA and especially the CFAA.

Note: I am a signatory on the letter supporting unrestricted security research.

Posted on April 16, 2018 at 6:46 AM • 13 Comments

Comments

Winter • April 16, 2018 8:32 AM

"To underline the nature of chilling effects on hacking and security research,"

It was always my impression that this result was entirely intended. Those that were lobbying for this law at the time were openly hostile to research that might upset their operation.

Andrew • April 16, 2018 8:59 AM

Question, that I expect will be met with many "IANAL but...." or "best to talk to a lawyer..."

From my understanding, reverse engineering is legal, at least if you're not violating a EULA (let's not even touch EULAs for the sake of this discussion)

But where does the DMCA fit in? Can I reverse engineer a challenge-response between a device and a PC? Does that violate DMCA? What are the risks?

I'm a fan of laws and appropriate regulation, but the DMCA is over-reaching IMO.

Dr. I. Needtob Athe • April 16, 2018 10:04 AM

To me, the DMCA is like a law that you're not allowed to look under the hood of your car.

echo • April 16, 2018 10:20 AM

In the UK reverse engineering is lawful and EULAs cannot take away your rights in law. From what I can tell there is no economic meltdown in the EU because of this. It just seems to be a US revenue protection scheme but does it protect anything really? And even if it does what is the opportunity loss?

Speaking of which, I was checking today whether it was still possible in the UK to buy a platform ticket for a train station. The short answer is 'no'. The longer answer is book a journey to the nearest and cheapest station and don't actually use the train. For approximately £2.50 I have the equivalent of a platform ticket for more hassle and cost than need be, and it still does not protect against fare dodging a more expensive route.

65535 • April 16, 2018 1:24 PM

@ Bruce S.

I completely agree. Worse, I think it is being highly abused.

@ Winter

"To underline the nature of chilling effects on hacking and security research," –Bruce S ‘It was always my impression that this result was entirely intended.’

I am beginning to think that last part is correct.

lazaro • April 16, 2018 4:11 PM

echo, re: "In the UK reverse engineering is lawful and EULAs cannot take away your rights in law."—not everything that's lawful is a right. Is reverse-engineering?

neill • April 16, 2018 8:13 PM

copyrights (and IMHO DMCA) may prevent economic growth:

https://www.wired.com/2010/08/copyright-germany-britain/

" ... the near absence of copyright law in eighteenth and nineteenth century Germany laid the groundwork for the “Gründerzeit”—the enormous wave of economic growth that Deutschland experienced in the middle and later nineteenth century ... "

neill • April 16, 2018 8:17 PM

(unfortunate scroll-click-incident left the post unfinished)

think about the process detailed in 'wired', and switch out some countries' names ... I.P. theft and all ...

Jonathan Wilson • April 17, 2018 6:46 AM

It may be a Canadian case, but this article
http://www.cbc.ca/news/canada/nova-scotia/freedom-of-information-request-privacy-breach-teen-speaks-out-1.4621970
and the related incident show why over-broad laws like the CFAA are a bad thing.
It shouldn't be considered "hacking" to change some data in a URL string and get back whatever data the web server chooses to give you.

If the data is sensitive it should be protected with a password or other credential so you can't get at it just by changing some values in a URL string...
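The point made in the comment above, as an added example that is not part of the comment or of the original page: a server that decides what to return solely from an identifier in the URL hands out every record to anyone who varies that identifier, whereas a server that ties the lookup to the authenticated user's entitlement does not. The record store, the user names and the `/records/<id>` route are constructed for illustration.

```python
# Added example, not from the page: contrasting an unchecked lookup with an
# ownership-checked one. RECORDS, the user names and the route are constructed.

# Constructed sample store, keyed by the numeric id that would appear in a URL.
RECORDS = {
    1001: {"owner": "alice", "body": "alice's document"},
    1002: {"owner": "bob",   "body": "bob's document"},
}


class Forbidden(Exception):
    """Raised when the caller is not entitled to the requested record."""


def fetch_unchecked(record_id):
    """Weak pattern: the id taken from the URL is the only thing that decides
    what comes back, so every record is reachable by anyone who changes it."""
    return RECORDS.get(record_id)


def fetch_for_user(session_user, record_id):
    """Hardened pattern: the lookup still uses the id, but the record is only
    returned when the authenticated user owns it. A missing record and a
    record owned by someone else raise the same error, so the caller cannot
    tell from the response whether the id exists."""
    if session_user is None:
        raise Forbidden("authentication required")
    record = RECORDS.get(record_id)
    if record is None or record["owner"] != session_user:
        raise Forbidden("no such record for this user")
    return record


def handle_request(path, session_user):
    """Simulates GET /records/<id> and returns an (HTTP status, body) pair.
    session_user is the user name established by the site's login, or None
    when the request carries no valid session."""
    prefix = "/records/"
    if not path.startswith(prefix):
        return (404, "")
    try:
        record_id = int(path[len(prefix):])
    except ValueError:
        return (400, "")           # malformed id, reject before any lookup
    if session_user is None:
        return (401, "")           # credential required, per the comment's point
    try:
        record = fetch_for_user(session_user, record_id)
    except Forbidden:
        return (404, "")           # do not confirm existence to a non-owner
    return (200, record["body"])


if __name__ == "__main__":
    # The unchecked lookup returns bob's record to whoever asks for id 1002;
    # the checked route only returns it to bob.
    print(fetch_unchecked(1002)["body"])
    print(handle_request("/records/1002", "alice"))
    print(handle_request("/records/1002", "bob"))
```

Returning 404 rather than 403 for a record the user does not own is a deliberate choice: it keeps the response identical for "does not exist" and "belongs to someone else", so id enumeration reveals nothing about which ids are in use.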

vas pup • April 17, 2018 10:27 AM

@lazaro: "not everything that's lawful is a right."
When something is unlawful, the government applies sanctions (I hope AFTER getting evidence, not before), meaning whatever your moral or religious/cultural differences are, nobody cares. That is NOT a defense for breaking the law. In a real rule-of-law country even unjust laws which are still on the books should be applied UNIFORMLY, not like 'for friends (or similar thinkers) everything, for others - the law'. The law itself could be politically biased; its application should not be.
Conclusion: what is right or wrong is not a uniform criterion, in particular in those cases which are in a grey zone (not clearly bad or good for most folks).

lazaro • April 17, 2018 6:39 PM

vas pup, you missed the point. I didn't say "right", I said "a right". It's not related to morality.

Freedom of speech is often "a right", meaning a government cannot pass laws against it. Reverse engineering may simply be legal because they haven't passed laws against it yet. Or it might be that a court has recognized elements of reverse engineering as socially necessary for journalism (i.e. free speech) or education, e.g., "Court rules that preventing violation of RFID chip security flaw research would violate freedom of expression for Dutch University."
