Export Compliance Daily is a Warren News publication.

Security Researchers Temporarily Exempt From DMCA for Research Into Devices, Programs

Security researchers doing controlled research on consumer devices are temporarily exempt from the Digital Millennium Copyright Act as long as they don't violate the Computer Fraud and Abuse Act, starting Friday as authorized by the Librarian of Congress, wrote FTC Tech Policy Fellow Aaron Alva in a Friday blog post. Researchers previously couldn't investigate security vulnerabilities because DMCA makes it illegal to circumvent controls that prevent access to copyrighted material, he said. But the LOC has allowed exemptions from time to time for various technologies to take away any legal hurdle and protect conduct, he said. Alva said that in this case security researchers must act in good faith and meet a few requirements to be exempt, such as legally acquiring a device or software and doing research in a controlled setting to avoid harming the public. He said if the requirements are met then a researcher can test a connected toaster and gauge the risk from attack, but not steal a toaster, hack into it or set it on fire. "The exemption covers a broad array of consumer devices such as electric toothbrushes, home thermostats, connected appliances, cars, and smart TVs," as well as medical devices, he said, but it doesn't apply to "highly sensitive systems such as nuclear power plants and air traffic control systems."