Security Researchers Battle Against The DMCA

By Andre Sardaryzadeh | April 5, 2023

In our digital age, cybersecurity plays a crucial role in addressing consumer concerns about data breaches. Nevertheless, United States copyright law prohibits the effective use of cybersecurity tools that keep malicious hackers from accessing personal (and sensitive) information. One law that is especially detrimental to defending against malicious attackers is the Digital Millennium Copyright Act (“DMCA”).

The DMCA is a unique regulatory mechanism created by the U.S. copyright system. The DMCA attempts to protect content creators while balancing the content users’ (i.e., researchers, consumers, etc.) freedom of ownership after purchasing copyrighted material. The foundation of the DMCA was centered around the United States’ commitment to observe two treaties passed by the World Intellectual Property Organization—dealing with copyright’s involvement with modern information systems such as the Internet. The objective of Title I of the DMCA was to “begin updating national laws for the digital era” and, as stated in the Joint Study of Section 1201(g), to “facilitate the robust development and worldwide expansion of electronic commerce, communications, research, development, and education in the digital age.” 

Section 1201 of the DMCA makes circumventing technological measures that “effectively control access” to copyrighted works illegal. This prohibits security researchers from engaging in activities meant to protect consumers (and their data). Nonetheless, several short-term solutions can help protect security researchers and allow them to continue their essential work. These solutions include the exemption process, reliance on legal safe harbors, maintaining privacy and anonymity, obtaining written permission, and seeking legal counsel. As a result, security researchers can continue their work without fear of legal repercussions and can help protect computer systems and users from potential security threats. 

Background on Section 1201 

The technological developments that have come to pass—due to the digital age—shifted the U.S. Copyright Office from its original goal of registering and serving copyright records to regulating copyright usage by implementing laws like the DMCA. The DMCA covers various topics, from Fair Use exemptions to the recent rules governing the circumvention of technological protection measures (“TPMs”) on computer programs for good-faith security research. The new rules provide that “good-faith security research” means:

 accessing a computer program solely for purposes of good-faith testing, investigation, and/or correction of a security flaw or vulnerability, where such activity is carried out in an environment designed to avoid any harm to individuals or the public, and where the information derived from the activity is used primarily to promote the security or safety of the class of devices or machines on which the computer program operates, or those who use such devices or machines, and is not used or maintained in a manner that facilitates copyright infringement.

Importantly, though, Section 1201 prohibits the circumvention of “a technological measure that effectively controls access to a work.” TPMs take many forms, such as Digital Rights Management (“DRM”). DRM is a method of limitation used by copyright holders to restrict how digital files are used. For example, Nat Meysenburg illustrated that if you purchase an eBook “but are prevented from copying it from your [eBook] reader to your phone, that is likely DRM at work.” Additionally, beyond the anti-circumvention prohibition itself, Section 1201 also bars the distribution of tools used to defeat TPMs (the anti-trafficking provisions).

Understanding cybersecurity, the purpose of security research, and the courts’ interpretations of these matters is essential to developing reasonable regulations addressing the issues surrounding security research and vulnerability reporting. iPads, smartwatches, fitness trackers, wireless earphones, virtual assistants, and so on have started bringing to life sci-fi tropes that were thought to be impossible just a few decades ago. Changes to the language of the law could provide more clarity and protection for security researchers investigating systems to improve security. In addition, companies can adopt best practices that encourage and support security research, such as implementing bug bounty programs and creating a transparent process for reporting and addressing vulnerabilities. Combining these solutions could help create a more supportive and secure environment for security researchers to conduct their work while protecting the rights of copyright holders.

Security Researchers and Section 1201 

The Cybersecurity & Infrastructure Security Agency (“CISA”) defines cybersecurity as “the art of protecting networks, devices, and data from unauthorized access or criminal use and the practice of ensuring confidentiality, integrity, and availability of information.” In other words, cybersecurity is a system of defenses that protects against malicious attacks and unintentional damage—e.g., protecting web-associated systems, software, and information.

For example, regulatory laws like the U.S. Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and the E.U. General Data Protection Regulation—the world’s most developed and thought-out privacy and security law—require any organization that stores patient or customer data to have relevant security processes and technologies in place. HIPAA, among other laws, requires the use of identity and access control systems in addition to encryption. Noncompliance may result in civil or criminal penalties—opening the door to lawsuits against companies. On the other hand, compliance with these requirements reduces cybersecurity threats and cyber-related risks, especially those arising from vulnerabilities, and provides for “[a] well-implemented cybersecurity blanket allow[ing] companies to offer their most essential services even through outages and natural disasters.”

Vulnerabilities have been and continue to be exploited at an alarming rate, undermining national security, critical cyber infrastructure, and personal privacy. Devices connecting to the internet create vulnerabilities open “to remote manipulation, exploitation, and attack[s].” Importantly, cyber-attacks can have a direct effect on one’s livelihood. It is in the physical world, as opposed to the cyber world, where cybersecurity research is tangibly appreciated. The multitude of research conducted in cybersecurity continuously adds to the greater good and reduces the billions lost to cyber-attacks. Another area where security research is of paramount importance is cyber warfare, a serious threat to national safety and businesses’ privacy.

Consider the classic American animated cartoon series Scooby-Doo, Where Are You! The cartoon is about a group of friends and their talking Great Dane, Scooby-Doo, investigating and solving out-of-this-world mysteries. Just as the mystery gang investigates and solves mysteries, security researchers are responsible “for investigating malware, analyzing and understanding their capabilities, documenting the incidents of compromise[s], and” implementing best practices. This practice is referred to as penetration testing or red team activity.

In these cases, tools and strategies are employed to actively investigate a company’s functioning applications with penetration tests to locate any possible security vulnerabilities that hackers may attempt to exploit. Vulnerability assessments begin by “evaluat[ing] if the system or product is susceptible to any known vulnerabilities” and trying to identify or uncover any new vulnerabilities in those systems or products. Part of this activity includes assigning a threat level to each vulnerability; sometimes, the security researcher also “recommends remediation or mitigation” tactics. Incentivizing vulnerability assessments would strengthen cyber defenses and help eliminate antiquated laws that sometimes prevent or hinder effective cyber research. Security researchers are experts in detecting and correcting technology flaws, helping protect consumers from potential vulnerabilities.

Unfortunately, current laws do not provide legal clarity for these professionals and can put them at risk of prosecution if they make certain discoveries or report specific findings. To ensure that this vital work is done safely and responsibly, it is time for lawmakers to step up and create a permanent anti-circumvention exception or an entirely new law that will allow security researchers to legally support companies while protecting consumers and improving device manufacturing processes. This revamp of the DMCA should ensure that security researchers are not liable for discovering and reporting security flaws and vulnerabilities in technology if their actions are done ethically and responsibly. It is also important that this law clearly defines what is considered ethical research, including the types of activities allowed and those prohibited, to prevent malicious actors from taking advantage of such protections. With these measures in place, companies will be better protected from cyberattacks while consumers can enjoy peace of mind knowing that researchers are actively working to make the technology safer.

Financial Importance of Cybersecurity  

Data breaches can be costly for businesses in terms of financial losses, reputational damage, and regulatory fines. Recently, there has been a significant increase in the quantity and size of data breaches affecting businesses across numerous industries. According to a report by the Ponemon Institute, the average cost of a data breach in 2020 was $3.86 million. In 2022, it was $4.35 million—an increase of 12.7%. This figure includes direct costs like legal fees, notification expenses, and regulatory fines, as well as indirect costs in the form of lost customers, damage to brand reputation, and decreased employee productivity. Moreover, the report highlighted the cost of data breaches in the healthcare industry, which was the most affected at $9.23 million on average.

Similarly, financial institutions are particularly vulnerable to data breaches due to the nature of the data they handle. A financial institution “encompasses a broad range of business operations . . . including banks, trust companies, insurance companies” and all others engaged in the business of financial and monetary transactions. A 2020 study published by VMware showed a 238% increase in cyberattacks targeting financial institutions. In addition, the Boston Consulting Group reported that “financial services firms [are] 300 times more” likely to experience a cyberattack than other companies. Not surprisingly, estimates show that the financial services industry could lose up to $210 per breached record—higher than the average across all other industries except healthcare, which is at $429 per record.

Another critical cost of data breaches for financial institutions is regulatory fines. For example, in 2022, the Securities and Exchange Commission announced that its charges against a financial firm were settled in an amount of $35 million for the firm’s failure to properly “dispose of devices containing its consumers’” personally identifiable information. Security researchers are critical in mitigating the likelihood of these fines and can provide businesses with valuable feedback on their cybersecurity policies and procedures. By testing an institution’s security defenses and processes, security researchers can help companies identify areas of improvement and make recommendations to strengthen their overall cybersecurity posture.

Proposals to Section 1201 Going Forward 

Security researchers should be incentivized to conduct ethical hacks and report vulnerabilities or product weaknesses that the vendor would otherwise be unaware of. Stemming from this, more industries would likely invest additional resources in cybersecurity programs to develop secure devices, “as companies will attempt to avoid public shaming based on flaws in their software detected by ethical hackers.” It is essential, however, to understand that this would, by no stretch of the imagination, completely prevent malicious hacking, but it would go a long way toward reducing the vulnerabilities through which loss and risk are realized via malicious hacking. Companies should be grouped by industry to come up with a consensus on how they would like to disclose vulnerabilities, and should then seek the help of security research professionals to determine the most feasible of the suggested approaches. In Taking The Pulse of Hacking: A Risk Basis for Security Research, Joseph Lorenzo Hall and Stan Adams recommend that, to reduce the personal risks associated with vulnerability disclosure, security researchers should consider remaining anonymous and instead rely on intermediaries to handle disclosures. Ensuring researchers have the support of government agencies would reduce the chilling effect on a researcher’s choice of project and the need to remain anonymous to do good.

The Copyright Office meets every three years to consider adopting exemptions to, among other things, the DMCA’s ban on circumvention. Adopting a safe harbor would be the best way for the Copyright Office to remediate harm against security researchers while following its own guidelines. The safe harbor would include “the researcher disclosing the discovered vulnerability to the vendor first, waiting a mutually negotiated amount of time” for the vendor to patch, and then “exercising her right to publicly disclose the vulnerability.” Moreover, researching and analyzing security standards—rather than subjecting specific products to analysis—would not violate Section 1201. Outsiders can engage in this kind of security research because the standards are promulgated openly. Often, vendors confuse this form of research with research that examines vendor products.

Notwithstanding its harsh provisions, the DMCA strives to establish a line between malicious and benevolent hackers. The distinction must be focused on “weaponization and exploitation—whether the hacker identified a flaw and reported it responsibly to the vendor, or whether she or he exploited it to cause damage.” We would take this approach to examine whether companies have the resources to review each assessment. The nature of the vulnerability is mainly determinative of whether the hacker is acting ethically or maliciously. In the time between initially attempting to exploit and exploiting, the appropriate law enforcement would need to take action to prevent ancillary harm.

The debate as to whether the Copyright Office, acting as part of the Library of Congress, has the requisite expertise to create laws regarding anti-circumvention and technology is never-ending. Suppose Congress wants to ensure that no single agency monopolizes copyright regulations. In that case, it could create a committee of digital and cyber experts to regulate and govern the DMCA. By shifting to this alternative authority, digital experts would be at the head of court hearings—eliminating current Copyright Office members’ uncertainty about how the DMCA should impact copyrighted work. In cases where exemptions are obligatory, narrowing the analysis to facts directly relevant to the questions of circumvention and infringement would be in the Office’s best interest. In a letter to the U.S. Copyright Office, the National Telecommunications and Information Administration (“NTIA”) noted the “extensive discussion of matters with no or at best a very tenuous nexus to copyright protection,” and urged the Office to avoid “interpreting the statute in a way that would require it to develop expertise in every area of policy that participants may cite on the record.”

Many security researchers are moving away from restrictive research houses and opening up to the public about vulnerabilities that would previously have been prohibited under contract—limiting those who can bring claims against researchers. This is affecting the way inexperienced vendors go about handling reports. Security researchers and digital rights advocates have long argued for a permanent anti-circumvention exception to allow for lawful reporting of vulnerabilities found while researching devices or software systems.

A permanent anti-circumvention exception would give researchers peace of mind knowing that they will not face legal consequences when providing this vital service, which helps keep people safe from malicious actors. Additionally, it would allow companies to address potential flaws before releasing products onto the market, thus further protecting consumers from harm caused by defective devices or software. Ultimately, this would promote open collaboration between companies and security researchers, providing better protection against malicious actors who may exploit these weaknesses to gain access to sensitive data or resources.

Conclusion 

Creating an anti-circumvention exception or new law provides legal protection for security researchers while also helping improve device manufacturing processes and public safety by allowing early detection of flaws before products reach consumers’ hands. Companies must understand how vital these experts are and ensure they have a permanent presence at decision-making tables if we wish for our digital environment to remain safe from cyber threats. A permanent anti-circumvention exception or new law under Section 1201 of the DMCA is essential for protecting consumers and security researchers. Allowing researchers to legally report vulnerabilities found during their work, without fear of retribution, will ensure that these issues are addressed before devices reach store shelves and put individuals at risk from malicious actors taking advantage of known exploits. It will also give companies additional assurance that their products meet safety standards before being released onto the public market, which only serves to further protect people from harm caused by defective devices or software systems.


Andre Sardaryzadeh is a J.D. Candidate at Roger Williams University School of Law, Class of 2023.  


This post was adapted from his “Security Researchers Battle Against the DMCA” paper, available on SSRN. A complete publication expanding on the arguments of this blog post is now available in the Spring 2023 Edition of the Chicago-Kent Journal of Intellectual Property.
