Car Hack Demonstrates Why Security Researchers Shouldn't Have To Worry About Copyright In Exposing Weaknesses
from the copyright-where-it-doesn't-belong dept
However, the part that I wanted to focus on is related to a discussion we were just having a few weeks ago, in which General Motors (which was not the target of this particular hack) claimed that any sort of tinkering with its software, such as to discover these kinds of security holes, should be treated as a violation of Section 1201 of the DMCA. Section 1201, also known as the anti-circumvention provision, makes it a violation of the copyright statute to circumvent "technological protection measures" (TPMs) on a copyrighted work, even when the circumvention has nothing to do with infringing anyone's copyright. It carries its own statutory damages (up to $2,500 for every act of circumvention, or actual damages if the rightsholder prefers) and, where the circumvention is willful and for commercial advantage, criminal penalties on top of that. In the Copyright Office's triennial rulemaking, some have been pushing for an exemption so that security researchers can tinker with new connected car systems and find out whether they're actually safe. GM and the other automakers have said "no way." GM's argument is, more or less, that the company would rather put its head in the sand than have security researchers help it discover security flaws in its systems, leaving only malicious attackers to find those. And those attackers are hardly going to be deterred by a copyright statute.
Here's how GM framed it:
While proponents such as Electronic Frontier Foundation characterize the exemption as merely allowing the vehicle owners to “tinker” with their vehicles “in a decades-old tradition of mechanical curiosity and self-reliance,” if granted, the proposed exemption could introduce safety and security issues as well as facilitate violation of various laws designed specifically to regulate the modern car, including emissions, fuel economy, and vehicle safety regulations.
Of course, if the worry is that modified software could make a car unsafe or dirty, the relevant law is the emissions, fuel economy and vehicle safety regulation that GM's own filing cites, all of which stays in force with or without an exemption. Copyright is not the right law for that job. What copyright does do, and what the automakers seem to be relying on it for, is give them a way to keep anyone from looking at the security vulnerabilities in their cars.
The Association of Global Automakers goes even further with its argument, basically saying that since they already let security researchers of their own choosing do research, no one else should be allowed to do that research either:
Automobile manufacturers are not adverse to external input and have a long and symbiotic history with aftermarket businesses and others, but are justifiably unwilling to risk public safety, security, and environmental wellness by compromising quality controls and oversight. Moreover, the exemption is unnecessary given that automobile manufacturers already provide access to their valuable copyrighted materials for the precise purposes proposed. By allowing every automobile owner to access and copy automotive software in the name of research, the proposed exemption undermines existing research efforts and, ultimately, wrests control of such research from those in the best position to actually improve the security and safety of our automobiles: the automobile manufacturers and their suppliers, who have the utmost responsibility to ensure that vehicles are safe and secure. The very real risk that ostensibly legitimate research unwittingly undermines vehicle security by serving as a guidebook to software vulnerabilities that enables or even accelerates illicit hacking and malicious modifications to automotive software weighs heavily against the proposed exemption. The balance of benefit versus detriment, in view of all factors involved, simply dictates against the proposed exemption.
In short: since security researchers might find a really serious hole in our software that could put lives in danger, we're much better off using copyright law to make sure no one's even looking for such a hole. Are they serious? The "guidebook" fear also gets the threat model backwards. A published vulnerability analysis only helps an attacker who couldn't have found the flaw on their own, and anyone willing to take control of a moving vehicle is already breaking laws far more serious than Section 1201. The anti-circumvention threat therefore deters exactly one group: the people who would have reported the bug. Wouldn't it be much better to give those people incentives to find these kinds of security flaws so the automakers can fix them, rather than relying on security-by-head-in-the-sand?
Finally, the Alliance of Automobile Manufacturers also opposed the exemption for some fairly bizarre reasons, claiming that it would magically free up researchers to disclose how a vulnerability works without first informing the manufacturer:
By arguing that the current legal landscape is too treacherous for independent researchers, proponents are in effect seeking to be freed from existing statutory constraints that are biased in favor of prudent and responsible practices – such as managing disclosure of security vulnerabilities to minimize the risk of legal violations and exploitation of those vulnerabilities by bad actors – to protect the safety and security of members of the public. For instance, under the proposed exemption, researchers who publish detailed analyses of vulnerabilities before sharing their findings with manufacturers would nonetheless benefit from a blanket exemption to circumvention liability, even though such premature publication could dramatically increase the risk of such harmful exploitations.
This is bullshit. There is nothing in removing liability for circumvention that changes the industry's best practice of alerting the manufacturer first; that would still be standard practice. Note also that Section 1201 liability attaches to the act of circumvention itself, long before any decision about publishing, so the current law doesn't distinguish the researcher who quietly reports a bug from the one who dumps it online: both have "circumvented." What the exemption would do is stop manufacturers from responding to a report by threatening a ridiculous copyright lawsuit instead of realizing they need to fix a real problem in their systems. The researchers behind this very hack shared their findings with the manufacturer months before going public. And if the automakers don't think such threats happen, we've got plenty of examples to send their way.
If the automakers are serious about wanting to make sure their cars on the road are safe, they should be encouraging this kind of research (though perhaps not on actual highways... ). But the fact that copyright law is blocking some of this kind of research is a real travesty.