‘Good faith’ security research needs shielding from legal blunderbuss

Security organizations have teamed up to lobby for US DMCA reform

Security firms and the Electronic Frontier Foundation (EFF) are lobbying for reform of the Digital Millennium Copyright Act (DMCA) to protect “good faith” information security research.

DMCA, section 1201 – provisions in the controversial US copyright enforcement law relating to the circumvention of copy-prevention systems – “cast a shadow over security research” by suppressing the development of tools and software needed to test security controls.

These so-called ‘circumvention tools’ are often needed to find and fix software vulnerabilities, but section 1201 of the DMCA works to suppress the software and tools necessary for that research, according to critics of the law.

The specific exemptions written into the act cover government research and reverse engineering, although critics argue that these are inadequate, so deeper reform is needed.

Industry backing

The EFF and more than 20 security companies are calling for legislators to reform Section 1201 to “allow security research tools to be provided and used for good faith security research”.

Security firms backing the EFF in a statement setting out their objections to the DMCA include Bishop Fox, Bugcrowd, HackerOne, McAfee, NCC Group, and Rapid7, among others.


The process of reform, even if it is ultimately successful, may take some time, so critics of the DMCA are also urging companies and prosecutors to refrain from using section 1201 to unnecessarily target tools used for security research in the meantime.

The DMCA includes provisions that prohibit the development or sharing of tools that circumvent technological protection measures (such as bypassing shared default credentials and weak encryption) in order to access copyrighted software without the permission of the software owner.

“This creates a risk of private lawsuits and criminal penalties for independent organizations that provide technologies to researchers that can help strengthen software security and protect users,” signatories to the statement argue.

“Good faith security researchers depend on these tools to test security flaws and vulnerabilities in software, not to infringe on copyright.”

Objections over takedowns

Since the law came into effect, in 1998, there have been numerous incidents across multiple platforms where security researchers have been served notices accusing them of hosting content that contravened the DMCA.

This threat can be legitimately made against blog posts, YouTube videos, GitHub repositories, and more. Google, for example, does allow recipients of DMCA claims to file counter claims and potentially have pages restored on search engine results.

However, security researchers often lack the legal support, time or other resources needed to successfully object to takedown notices.


Ollie Whitehouse, chief technology officer at NCC Group and non-executive director at PortSwigger, told The Daily Swig that issues with the DMCA extended beyond its misuse as a content takedown mechanism.

“The issue is that DMCA is used as a legal tool to silence and/or preclude distribution of tooling from good faith security researchers,” Whitehouse explained. “As we know, security research can be an uncomfortable truth for some vendors but benefits us all.

“The use of the DMCA in this manner is not what was intended and thus the need to ensure it is not used in this way,” he concluded.
