Hacker Lexicon: What Is the Digital Millennium Copyright Act?

The Digital Millennium Copyright Act is meant to protect copyright holders from illegal piracy, but its often broad application can stifle research and free speech.
WIRED

The call for copyright reform in America has grown so loud that Congress has finally heard it. Lawmakers have ordered a slate of studies to look into how to fix what has become a broken system, and activists are cautiously optimistic that this could be the first step toward reform. The source of the fracture? The Digital Millennium Copyright Act.

The DMCA was passed in 1998 as an anti-piracy statute effectively making it illegal to circumvent copy protections designed to prevent pirates from duplicating digital copyrighted works and selling or freely distributing them. It also makes it illegal to manufacture or distribute tools or techniques for circumventing copy controls.

But in reality the controversial law's effects have been much broader by allowing game developers, music and film companies and others to keep a tight control on how consumers use their copyrighted works, preventing them in some cases from making copies of their purchased products for their own use or from jailbreaking smartphones and other devices to use them in ways the manufacturers dislike.

The DMCA has two problematic sections: section 1201, which deals with the circumvention of copy-protections, and section 512, which allows a copyright holder to send a so-called takedown notice to web sites and others believed to be infringing a copyright. Both have been abused by companies for purposes unrelated to copyright protection, which has led civil liberties groups and others to call for reform of the law to clarify its scope. For example, companies have used it to thwart competitors and to stifle free speech and security research.

How It's Been Used to Hurt You

Lexmark, the maker of laser printers, used the DMCA in 2002 to prevent third-party companies from selling refilled toner cartridges for its printers. Lexmark cartridges use authentication so that non-authenticated cartridges won't work with its printers. But a company named Static Control Components figured out how the verification worked and produced chips to approve refilled cartridges sold by third-party companies. Lexmark sued but lost.

Apple used the DMCA in 2009 to stifle the speech of members of the online forum BluWiki. When forum members engaged in a speculative discussion about ways they might unlock their iPods to sync music playlists between iPods and iPhones without having to use iTunes, Apple used the DMCA to strong-arm BluWiki into taking down the discussion. But the site pushed back, and Apple eventually backed down.

A study released this year by researchers at UC Berkeley and Columbia University found that about a third of DMCA takedown notices are on shaky legal ground, based on a sampling of some 108 million takedown notices issued over a six-month period. Bogus takedown notices fall into many categories, but one example involves a San Francisco news station that once used the DMCA to try to erase a reporting blunder. When one of its broadcasters was duped by a trickster into reading fake names of pilots allegedly involved in an air collision, the station sent YouTube DMCA takedown notices to remove videos of the blunder.

But bogus takedown notices aren't the only problem. Companies have also tried to use the DMCA as an anti-hacking law to sue for unauthorized computer access. In 2007, for example, Ticketmaster sued RMG Technologies under the DMCA for creating scripts that bypassed CAPTCHAs and ticket limits to rapidly purchase event tickets in bulk from Ticketmaster's site and re-sell them. Ticketmaster used the DMCA instead of the Computer Fraud and Abuse Act because the latter required the company to show that the computer access resulted in $5,000 or more in system damages to Ticketmaster.

Companies have also used the DMCA to keep vehicle owners beholden to authorized dealers for service and repairs. The John Deere company, for example, has refused to unlock its proprietary tractor software to let farm owners repair their own vehicles, leaving tractor owners in fear of DMCA lawsuits if they try to crack the software protections themselves.

DMCA restrictions like this, however, don't just make customers beholden to companies; they can also help hide wrongdoing. Last year, university researchers uncovered something fishy going on with Volkswagen emissions but couldn't determine what exactly was causing it. Eventually, regulators learned that Volkswagen had embedded secret code in its software to help its vehicles cheat emissions tests. Critics pointed out that had these researchers or others had the freedom to explore Volkswagen's software without the threat of a DMCA violation, the cheat code might have been uncovered sooner.

How It Hurts Legitimate Research

The issue with Volkswagen points to a core problem with the DMCA and its stifling of legitimate research. The security community and the software industry have long been at odds over companies threatening legal action under the DMCA to prevent researchers from publicly disclosing software vulnerabilities found in their programs, particularly when those flaws are in the copy-protection mechanisms the companies craft.

One of the first controversial uses of the DMCA occurred in 2001 when the FBI arrested Russian programmer Dmitry Sklyarov at the Def Con hacker conference in Las Vegas after he gave a presentation about bypassing the encryption code Adobe used for electronic books produced with Adobe Acrobat. The encryption prevented customers from making copies of their books to read on multiple systems, so Sklyarov produced a tool that bypassed this restriction and handed out a trial version at the conference with information about how to purchase the full tool. Adobe urged the FBI to act but had to withdraw its complaint after the security community rose up in protest.

That same year the Secure Digital Music Initiative (SDMI), a consortium of recording companies, consumer electronics firms and others, went after a group of researchers who discovered flaws in a digital watermarking technology the consortium developed to thwart piracy. The SDMI had actually invited hackers and researchers to try to defeat its technology, and a group of researchers led by Princeton University computer science professor Ed Felten succeeded in uncovering flaws. But when they sought to present their findings at a conference, the SDMI threatened them with legal action under the DMCA. The researchers were eventually able to present some of their findings publicly but not until they filed a lawsuit asserting their First Amendment rights.

Something similar to Sklyarov's case occurred in 2010 when George Hotz, aka Geohot, devised and disclosed a hack that allowed him to play homemade games on his Sony PlayStation 3. The hack, unfortunately, also allowed anyone to play pirated games on the system, so Sony issued a forced firmware update to eliminate the flaw Hotz exploited. Hotz responded by releasing his own firmware for the system and disclosing the system's root keys, allowing others to subvert PlayStation 3 systems in the ways he had hacked his own. Sony sued him under the DMCA and Computer Fraud and Abuse Act, though it eventually backed down after Hotz agreed not to hack any Sony products in the future or publicly discuss ways to do so.

DMCA threats have also been made against researchers who discovered more serious security flaws in software.

In 2002, Hewlett-Packard went after researchers with SnoSoft who found 22 vulnerabilities in Tru64, its Unix operating system. HP initially accused the researchers of violating the DMCA when exploit code for one of the vulnerabilities they discovered appeared online. But the company backed down after HP employees and others warned then-CEO Carly Fiorina that the company's aggressive stance would curb future vulnerability research that could help HP create more secure software.

Exemptions to the Law

It's because of cases like this one, and many others targeting researchers, that the security community has long sought exemptions to the DMCA that would allow them to reverse-engineer software and disclose vulnerabilities found in systems, without facing legal threats. This is a particularly critical issue with regard to devices and systems with life-threatening and public safety implications, such as the software used in vehicles and medical devices. Car owners and patients have been fighting for the right to get access to the proprietary software embedded in their vehicles and devices, as well as the data these devices collect about them, in order to gauge the security of the systems, without having to fear a DMCA threat in the process.

The Librarian of Congress, along with the Copyright Office, is responsible for approving exemptions and over the years has done exactly this for various purposes. But the process of submitting exemptions is long and arduous and requires that those submitting requests provide extensive evidence of a need. And even when exemptions are granted, they are generally very narrow in scope and only last for three years, after which they have to be renewed or they expire. In 2006, for example, the Librarian approved a long-sought exemption to allow smartphone owners to jailbreak their devices in order to switch carriers. That exemption got expanded in 2009 to include jailbreaking for any purpose. But in 2013, the jailbreaking exemption for smartphones expired and wasn't renewed.

Last year, in the wake of several disclosures about security problems in vehicle software, the Library of Congress approved an exemption for hacking car software for the purpose of doing good-faith security research, and another exemption for the authorized owners of vehicles to bypass protections on vehicle software for diagnosis, repair or lawful modification purposes. Similarly, a new exemption for medical devices approved last year also allows patients to access data generated by an implanted device they own. But without reform of the DMCA, these and other exemptions will remain narrowly focused and have to go through the renewal process in three years.

Luckily, researchers now have three years to uncover serious problems with these systems in order to gather evidence that such exemptions are needed and should be renewed.