Last week, the U.S. Copyright Office granted exemptions to security researchers to allow them to search for potential flaws in car computer systems and medical devices – free from the threat of any legal repercussions.
Every three years, the Librarian of Congress issues new rules on Digital Millennium Copyright Act (DMCA) exemptions. Section 1201 of the DMCA prohibits the circumvention of the technological methods that are used to protect against unlawful copying of copyrighted works. However, in a significant ruling, the Librarian of Congress has now granted exemptions for “good-faith security research” to be carried out on computer software that runs on cars, tractors and other motorised land vehicles, as well as medical devices to be implanted in patients and their accompanying personal monitoring systems.
The U.S. Copyright Office, which is a department of the Library of Congress, defined good-faith security research as “accessing a computer program solely for purposes of good-faith testing, investigation and/or correction of a security flaw or vulnerability, where such activity is carried out in a controlled environment designed to avoid any harm to individuals or the public, and where the information derived from the activity is used primarily to promote the security or safety of the class of devices or machines on which the computer program operates, or those who use such devices or machines, and is not used or maintained in a manner that facilitates copyright infringement”.
The exemption would therefore appear to be directed primarily towards research labs and R&D departments, which can ensure that the testing is performed in a “controlled environment” without risk to the public (and not on a local highway, for example), as opposed to lone hackers.
However, although the exemptions have been unanimously welcomed by security researchers, there has been some consternation that the ruling forbids tinkering with software that controls “telematics or entertainment systems”, while there has been widespread disappointment that the ruling will not come into effect for one year. So any researchers who wish to avoid the risk of legal action will have to wait until the exemptions enter into US law.
But despite the delay, the ruling has been applauded by the Electronic Frontier Foundation (EFF), which was one of the organisations that petitioned for the DMCA exemptions. Kit Walsh, a staff attorney at the EFF, said, “We are pleased that analysts will now be able to examine the software in the cars we drive without facing legal threats from car manufacturers, and that the Librarian has acted to promote competition in the vehicle aftermarket and protect the long tradition of vehicle owners tinkering with their cars and tractors”.
Of course, it remains to be seen how the automotive industry will actually respond to the ruling – will it now embrace the security researchers as a valuable diagnostic asset (as did the IT industry) or will it continue to oppose their tinkering efforts at every opportunity? It is difficult to say, but the fierce opposition by the industry to the DMCA exemptions, together with the recent publication of a draft bill to make car hacking illegal, indicates that the industry may not be ready just yet to drive off into the sunset with the security researchers.