Copyright Office Realizes The DMCA Fucks With Security Research While The W3C Still Doesn't See It
from the what-a-world dept
Last week, the Copyright Office finally released a report that it had been working on for some time, looking specifically at Section 1201 of the DMCA. In case you’re new around here, or have somehow missed all the times we’ve spoken about DMCA 1201 before, that’s the “anti-circumvention” part of the DMCA. It’s the part that says it’s against copyright law to circumvent (or provide tools to circumvent) any kind of “technological protection measures,” by which it means DRM. In short: getting around DRM or selling a tool that gets around DRM — even if it’s not for the purpose of infringing on any copyrights — is seen as automatically infringing copyright law. This is dumb for a whole host of reasons, many of which we’ve explored in the past. Not only is the law dumb, it’s so dumb that Congress knew that it would create a massive mess for tons of legitimate uses. So it built in an even dumber procedure to try to deal with the fact it passed a dumb law (have you noticed I have opinions on Section 1201?).
Specifically, every three years, people and companies can petition the Copyright Office/Librarian of Congress to “exempt” certain technologies or uses from 1201, saying that it is legal to circumvent the technological protection measures in that case, for the succeeding three years (yes, after three years, the original exemption expires, unless it is renewed). This triennial review process has historically been an (annoying) joke, where people basically have to beg the Copyright Office to let them, say, get around DVD DRM, in order to make documentaries. Or, famously, that time in 2012 when the Librarian of Congress refused to renew the phone unlocking exemption, magically making it illegal to unlock your phone for no clear reason at all. The whole thing is fairly described as a hot mess.
And, it really harms our own security the most.
That’s because security researchers often need these exemptions the most, because they don’t want to be accused of violating copyright law for doing their jobs in figuring out where there are weaknesses and vulnerabilities in various technologies. So, many of the applied for exemptions tend to come from the security community — and sometimes they’re granted, and other times they are not. A year ago, some security researchers (along with the EFF) sued the US government, arguing that 1201 violates the First Amendment, scaring off security researchers, and providing none of the usual defenses against infringement, such as fair use (which the Supreme Court has argued is a necessary First Amendment valve on copyright). That case is still waiting for a judge to rule on early motions (and it’s waiting a long time).
Given all that as background, it’s somewhat fascinating (and marginally surprising) to see that the Copyright Office officially agrees that the 1201 setup totally sucks for security researchers, and it would actually like Congress to fix that. The report specifically recommends expanding the existing “permanent exemption” for certain types of “security testing” to make it more applicable to a wider set of security practices:
… the Office recommends that Congress consider expanding the exemption for security testing under section 1201(j). This could include expanding the definition of security testing, easing the requirement that researchers obtain authorization, and abandoning or clarifying the exemption?s multifactor test for eligibility.
There’s another section in the law for “encryption research” and, again, the Copyright Office recognizes that should be expanded:
The exemption for encryption research under section 1201(g) may benefit from similar revision, including removal of the requirement to seek authorization and clarification or removal of the multifactor test.
For what it’s worth, the report (obviously remembering how it got basically mocked and burned by everyone for removing the cell phone unlocking exemption in 2012) now asks for phone unlocking to be designated a permanent exemption under the law.
These are fairly small changes being sought by the Copyright Office, but it strikes me as somewhat incredible (and very disappointing) that this small bit of enlightenment goes much further than the World Wide Web Consortium’s (W3C) view on DRM and security research. As you may recall, there’s this ongoing battle over DRM in HTML 5. When the W3C refused to block it outright, some members came up with a fairly straightforward no-brainer rule: all members had to agree not to go after security researchers for circumventing the DRM in HTML 5. And the W3C rejected that proposal.
In other words, the Copyright Office — famous for its historically expansionist view of copyright, as well as its general tilt towards supporting Hollywood over everyone else — is now recognizing that it’s obvious that security researchers should have the right to circumvent DRM without violating copyright law, while the W3C — famous for promoting an open web — is against this. This is “up is down, night is day, cats & dogs living together” kind of stuff. Maybe someone should let the W3C know that it’s position on security researchers and DRM is now more extremist than the Copyright Offices?
Either way, at the very least, Congress should follow up on this report and expand the exemptions for security research. It doesn’t just help out those researchers, it helps all of us when security researchers are able to do their jobs and help to protect us all.
Filed Under: anti-circumvention, copyright office, dmca, dmca 1201, drm, research, security, triennial review
Companies: w3c
Comments on “Copyright Office Realizes The DMCA Fucks With Security Research While The W3C Still Doesn't See It”
W3C allowed malware (DRM) into html5, what else could we expect?
Is this article advocating an approach whereby we slowly chip away at bad policy in the hopes that it will eventually crumble? Or does the author believe that security research exemptions are enough and to let the rest of this travesty stand?
I’m really conflicted about whether to support this viewpoint.
Re: Re:
I don’t know how you could possibly read the first paragraph of this article and conclude that Masnick “believe[s] that security research exemptions are enough and to let the rest of this travesty stand”.
Security research exemptions are a good start. No more, no less.
Please
Please try to refrain from using foul language in your headlines. I really like this site and the stories posted, but I have a hard time sending links to NSFW content.
Re: Please
Also don’t mention Comcast in your headlines as that inevitably leads to NSFW language.
Re: Re: Please
I thought saying Comcast was already foul enough.
Re: Please
Foul language fouls the person using it.
Does the W3C really have the power to prevent DRM?
It seems to me that if Microsoft, Google and enough content providers agree to implement an “extension” to DHTML, it will happen and the W3C will simply start sliding into irrelevance. I’m not saying that DRM is a good idea, either morally or practically, just that a standards body with no legal control over the internet may have to admit it to the standard if it wants to continue to play a role. And if any of the members derive income from or related to their membership of the committee, they may well place continued relevance above principled irrelevance.
Re: Does the W3C really have the power to prevent DRM?
In other words, "We must join with Sauron. It would be wise, my friend."
And yes, that’s Berners-Lee’s justification for allowing DRM into the W3C specs.
That’s why the EFF proposed a compromise that would require every signatory to contractually agree not to sue security researchers for copyright infringement. Berners-Lee demurred and instead suggested voluntary compliance.
I somewhat sympathize with the W3C here. If their members promise not to go after any security researcher, then anyone who is breaking DRM in an effort to achieve exactly what DRM is there to prevent can just say they are doing “security research…yeah, that’s the ticket”.
It’s pretty easy to determine whether someone is working on behalf of a legitimate educational institution, accessibility organization, archive or library, and whether their DRM circumvention is being done for purposes other than piracy.
There are few such formal institutions in the security research realm. There is no registry of who the white-hats are. I can see how the W3C members would not want to hand the black-hats a “security researcher” immunity.
That said, they could just take a more nuanced stance.
Re: Re:
Except that black-hats will generally just ignore the wishes of the W3C anyway.
Re: Re:
This strikes me as a variation on the old "bloggers aren’t real journalists, therefore they don’t have freedom of the press" argument. I don’t accept the premise that only specific favored classes have First Amendment protections — and make no mistake, this is a First Amendment issue.
Disclosing browser vulnerabilities serves the public interest. If people use those vulnerabilities to illegally download movies, then go after the people who are illegally downloading movies, not the people who disclosed the vulnerabilities.
Relaxing the law would just create a huge legal escape hatxh for hackers.
“We weren’t hacking we were doong security research! Da, research!”
Re: Re:
This is an imaginary problem. There are legal exceptions to many laws. None of them have created your chicken little scenario where people can simply say “but exception!” and that’s that.
Re: Re:
Legalizing drinking would just create a huge legal escape hatch for drunk drivers.
"I wasn’t drinking and driving! Look, this isn’t even a car, it’s a house! A house! Jesus Christ, can’t you tell the difference between a car and a house? What the hell is wrong with you?"
Legalizing chicken ownership would just create a huge legal escape hatch for cockfighting.
"This isn’t a cockfighting ring! There’s only one chicken here, and she’s a hen! She’s pecking at the ground! Why are you arresting me?"
Legalizing breathing would just create a huge legal escape hatch for murder.
"I didn’t murder anybody! Yes, I know technically murderers also draw in oxygen to live, and would be unable to murder if they didn’t do so dang much breathing. But you’re breathing too, right at this very minute! Hey, nice stun gun, Officer!" bzzzzt thump
Legalizing encryption would just create a huge legal escape hatch for terrorism.
…wait, that one’s not a joke; there are actual high-ranking government officials all over the world who seriously fucking claim that with a straight face.
Re: Re: Re:
You are tryong way too hard and missing the point way too much.
Re: Re: Re: Re:
The point seems to be that genuine problems with security researchers being endangered are rejected out of the vague fear that any rights given to them will be abused by black hats, who will ignore the laws anyway. A fear that’s being mocked by Thad because it’s not really reflected by the legal exceptions present in other areas.
Was that your point, or is there something I’m missing as well?
Re: Re: Re: Re:
An argument is a series of connected statements intended to establish a proposition. It isn’t just contradiction.
Re: Teh haxxors
If you think that malicious attackers are not researching vulnerabilities for exploitation because of some US copyright laws you are sorely mistaken. Please remember that the attackers are working to penetrate your systems and extracts whatever information they can, be that credit card info, medical records, trade secrets, etc. Then to sell that information to the highest bidder. They already have intention to commit several felonies, so a copyright violation is not exactly a deterrent.
This push is for the security researchers out there who find a vulnerability but are afraid to disclose it because some manufacturers would rather pursue the researcher for copyright violations than fix their insecure code or snake oil.
Mind you, these vulnerabilities still exist whether the security researchers publish them or not.
So what would you prefer:
Re: Re: Teh haxxors
There is another possibility – the security researchers would anonymously publish vulnerabilities. Welcome to the world of public 0-days.
Re: Re: Re: Teh haxxors
And what exactly do you think is stopping them from doing that right now?
Re: Re:
That is the same logic that politicians use to justify backdooring encryption, and that is to protect you from the bad guys we must remove that which protects you from the bad guys.
DRM in HTML5
But as Tim Berners-Lee siad “the industry wants DRM, so what can you do?”. Oh well, Tim, why don’t take a rope and find a tree – you are going to die eventually, so what can you do?
how can W3C claim to be ‘promoting the web’ when it is putting ridiculous restrictions on it’s use, by those who want to make it even better, for no good reason? to me, this smells to high heaven of Hollywood and other members of the Entertainment Industry sticking it’s Pinocchio nose into something it has no right to and fucking things up for everyone else!! the even more stupid thing is that in doing this it fails to realise or chooses to ignore through sheer bloody mindedness and unending desire to ‘keep control’ is that it is fucking up itself just as much!! how ridiculous can you get??
Seeking correction
Techdirt, c/o Mike Masnick
Dear Sir,
I’m seeking a correction in this particular section of your article:
“When the W3C refused to block it [DRM] outright, some members came up with a fairly straightforward no-brainer rule: all members had to agree not to go after security researchers for circumventing the DRM in HTML 5. And the W3C rejected that proposal.”
Instead of “the W3C rejected”, it would be accurate to use “most W3C Members rejected”, or “a majority of W3C Members rejected”.
Indeed, the proposal was balloted (several times), as are all proposals at the W3C [1], and there was no consensus to adopt it.
To say that the W3C rejected the proposal is simply wrong. W3C is a consortium of Members and its constituency steers the work.
Kind regards,
Coralie Mercier
Head of W3C Marketing & Communications
[1] https://www.w3.org/2017/Process-20170301/#ReviewAppeal
Re: Seeking correction
Speaking purely as a pseudonymous commenter, and not affiliated with Techdirt or Mike Masnick in any other way:
If the way the WC3 decides such things is by voting on proposals, and this proposal was voted down (multiple times!), then how is it not correct to say that the WC3 rejected the proposal?
If your objection is that saying that the WC3 rejected it makes it look as if the decision was unanimous, and all members of the WC3 agreed with that decision:
Saying that the WC3 rejected it is not saying that every member of the WC3 rejected it, only that the organization as an entity did so. As far as I can see, the only ways to demonstrate that the WC3 did not reject a proposal would be to either show that the WC3 actually accepted that proposal, to show that the proposal was never presented to the WC3, or to show that the WC3 never came to a decision on the presented versions of that proposal (and even that last might be argued to constitute rejection).
If your objection is that saying that the WC3 rejected it makes it look as if the decision was unilateral, and made without regard to the opinions of the WC3’s members:
The fact that (an apparent majority of?) the members of the WC3 agreed with the rejection does not make it any less a rejection, and in fact would reflect negatively on those members rather than just on the WC3 as a unit.
If your objection is something else, please clarify what it is that you find objectionable about this.