There was good news for the white hat community on Friday after a new exemption to the Digital Millennium Copyright Act (DMCA) was finally authorized, removing a major legal barrier for security researchers.
The new temporary exemption effectively means that, as long as they abide by the Computer Fraud and Abuse Act (CFAA), researchers can do things like jailbreak phones, reverse engineer and circumvent obfuscated code in tech that allows access to copyrighted material.
The Federal Trade Commission explained:
“There are at least four main requirements researchers must meet when setting up a research environment in order to fall under the exemption. First, the computer program, or any devices on which those programs run, must be ‘lawfully acquired.’ Second, during research, the device and computer program should operate ‘solely for the purpose of good-faith security research.’ This means, in part, that the research ‘must be conducted in a controlled setting designed to avoid harm to individuals or the public.’ Third, the research must not begin before today, October 28, 2016.”
Electronic Frontier Foundation staff attorney, Kit Walsh, welcomed the temporary exemption, which will be in force for the next two years.
However, she claimed they had been “unlawfully and pointlessly delayed” for a year.
“Those limits were a result of opponents’ claims that removing DMCA liability for security researchers and vehicle owners who tinker with their own cars (or merely look at the code inside) would lead to a host of unlawful and undesirable activity, from auto theft, to spying, to safety violations and destruction of the environment,” she said in a blog post.
The head of the Copyright Office and the acting librarian of Congress who conducted the last rulemaking have now both left their positions, and the new librarian is choosing a new head for the Copyright Office.
It is hoped the newcomers will be more sympathetic to the security research community.