Article Title
Security Researchers Battle Against the DMCA
Abstract
In the digital age, cybersecurity plays a principal role in resolving consumer concerns regarding data breaches. Nevertheless, United States copyright laws prohibit the effective use of cybersecurity tools that disrupt malicious hackers from gaining access to personal (and sensitive) information. One law, in specific, that is detrimental to the defense against malicious attackers is the Digital Millennium Copyright Act (“DMCA”). Specifically, section 1201 of the DMCA prohibits the circumvention of copyrighted information. Malicious hackers have various tools and techniques to obtain unauthorized access to personal information via software vulnerabilities. Importantly, these vulnerabilities often result in the theft of consumers’ personal information; however, physical harm may also occur. Autonomous vehicles, for example, are ripe for software security concerns. Malicious hackers can and do attack safety-critical systems like engines and brakes. Moreover, medical devices often have vulnerabilities in their software systems—leading to severe injury or death by, for example, implantable defibrillators. So, naturally, software systems have bugs that put consumer dataatrisk—otherwise,therewouldbenoneedforprivacypolicies. However, laws like the DMCA that hinder the activities of security researchers are counterintuitive to the remediation of these bugs (and consumer safety). On October 12, 1998, the U.S. Congress passed the DMCA, amending U.S. copyright law to address the relationship between copyright and the internet. Congress’reasonforpassingtheDMCAwastoaddresstheconcerns of copyright holders who felt that there were too few protections for their work(s). Unfortunately, when writing the DMCA, Congress could not anticipate the rapid growth of technology and how ill-equipped the legal system is to keep up with technological advancements. Now, the DMCA overreaches its intended powers and subjects security researchers to criminal liability. The current technological climate calls for improved reliability and guidance regarding existing legal authorities, as well as how investigations should be held concerning security research. In addition, researchers are increasingly becoming independent and no longer affiliating themselves with institutions that housed them in the past (such as universities). This means they are moving away from restrictive research houses and opening to the public about vulnerabilities that would have previously been prohibited under contract— limiting those who can bring claims against researchers. Significantly, this is affecting the way inexperienced vendors go about handling reports. The connection between security research and certain consumer safety is where most of this argument lays its foundation. Public awareness of the benefits of security research will improve policy decisions, providing further understanding of contributions made to digital safety and security.