Chilling Effects


    A New DMCA Exemption for Security Research

    Blake Ellis Reid, Chilling Effects Clearinghouse, August 06, 2010

    Abstract: By now, most readers have probably heard about the six newly minted exemptions to the anti-circumvention measures of the Digital Millennium Copyright Act (DMCA), announced last week by the Librarian of Congress. For the uninitiated, Ars Technica and David Abrams of Chilling Effects have excellent overviews of the exemptions, which provide much-needed legal cover for a variety of activities including jailbreaking and unlocking cell phones, decrypting DVDs for non-commercial remixes, and several others.

    Of particular interest to folks in the security community is the exemption granted for security research on video game digital rights management (DRM) systems, stemming from both realized and potential security holes in systems like Safedisc and SecuROM.

    This exemption was the brainchild of University of Michigan professor and DMCA exemption veteran Alex Halderman, who successfully lobbied with Ed Felten in 2006 for a similar exemption for security research on audio CD DRM in the wake of the Sony rootkit episode. I had the opportunity to work with Alex on the video game exemption under the excellent guidance and supervision of professors Paul Ohm, Harry Surden, and Brad Bernthal via the Glushko-Samuelson Technology Law and Policy Clinic at the University of Colorado Law School; we also received tremendous support from the Electronic Frontier Foundation and a coalition of professional and academic security researchers.

    With the exemption officially on the books, some researchers may be considering research agendas directed at analyzing security flaws and vulnerabilities posed by video game DRM systems. While the exemption provides significant legal cover from the threat of DMCA lawsuits by DRM and game manufacturers, some questions about the DMCA's anti-circumvention measures remain unanswered, and traps may lie in wait for the unwary. In this post, I've attempted to lay out a rough sketch of the mechanics of the anti-circumvention measures and the video game exemption, focusing in particular on areas that may prove problematic for researchers.

    (Obligatory disclaimer: this is not legal advice and shouldn't be taken as such; researchers should consult university, in-house, or outside counsel before proceeding with a research agenda that involves circumventing DRM.)

    The Basics

    At the outset, an overview of the anti-circumvention measures is in order. First, the DMCA distinguishes between two types of DRM systems: access controls and copy controls. Access controls are those that (you guessed it) control access to the underlying copyrighted work (here, a video game), while copy controls are those that restrict the ability to reproduce, distribute, publicly perform/display, or make derivative works of the game.

    Second, the DMCA addresses two types of activities: circumvention and trafficking. Circumvention is the actual cracking, picking, or breaking of the digital lock on the game, while trafficking involves the creation and distribution of tools designed for circumvention. (If you think the latter definition sounds nebulous, you're right - more later.)

    With these definitions in mind, the DMCA bans three activities: 1) circumventing access controls (the "basic provision"); 2) trafficking in access control circumvention tools (the "trafficking ban"); and 3) trafficking in copy control circumvention tools (the "additional violations"). The astute reader will notice that the DMCA does not ban circumventing copy controls; in practice, however, most video game DRM systems likely serve as both access controls and copy controls, so any circumvention will likely be barred by the basic provision.

                      Access Controls             Copy Controls
        Circumvention Banned (basic provision)    Not banned
        Trafficking   Banned (trafficking ban)    Banned (additional violations)

    These distinctions are important because the various exemptions to the DMCA arguably only apply to specific provisions. So, even if an exemption gets a researcher out of liability under the basic provision, she may nonetheless be liable under the trafficking ban and/or the additional violations.

    The Exemption

    It's worth noting that there are several permanent statutory exemptions written into the DMCA; most relevant to security researchers are those for reverse engineering, encryption research, and security testing. Though an in-depth analysis is beyond the scope of this post, it should suffice to note these exemptions are loaded with caveats that may render them inapplicable to many security research agendas.

    With that in mind, the new video game DRM exemption to the basic provision may provide superior protection for research agendas covering video game DRM. The exemption textually applies to:

    (4) Video games accessible on personal computers and protected by technological protection measures that control access to lawfully obtained works, when circumvention is accomplished solely for the purpose of good faith testing for, investigating, or correcting security flaws or vulnerabilities, if:
    (i) The information derived from the security testing is used primarily to promote the security of the owner or operator of a computer, computer system, or computer network; and
    (ii) The information derived from the security testing is used or maintained in a manner that does not facilitate copyright infringement or a violation of applicable law.

    Researchers should pay careful attention to the following caveats when thinking about the exemption:

    • The exemption applies only to video games. Broadly speaking, this means that the exemption doesn't cover DRM research on movies (including DVD and Blu-Ray), audio CDs, eBooks, non-video game software, or any other type of copyrighted work. More narrowly, there are some corner cases of software that may or may not constitute a video game; certain educational software comes to mind.

    • The exemption applies only to PC and Mac-based video games. That means that it doesn't cover console-based or handheld games (e.g., Wii, Xbox 360, PlayStation 3, Game Boy, etc.), though it should extend to the PC or Mac versions of games that have coincidentally been released on a console or handheld.

    • The exemption applies only to good faith security research standing alone. That means that pirates who happen to correct a security flaw in the course of cracking a game for illegal distribution don't qualify for the exemption, nor do private users who crack the DRM for non-security related purposes (such as avoiding the inconvenience of DRM, format-shifting, or making backups).

    • The exemption likely applies only to the basic provision of the DMCA, and not the trafficking ban or the additional violations. Essentially, this means that researchers can circumvent, but probably can't traffic in circumvention tools. (Though some academics have argued to the contrary, it's a tough row to hoe in light of the unfavorable text of the statute and legislative history.)

      The question, then, is what exactly "trafficking" encompasses. The DMCA is rather vague, stating that "[n]o person shall manufacture, import, offer to the public, provide, or otherwise traffic in any technology, product, service, device, component, or part thereof . . . " that is "primarily designed" to circumvent, has only "limited commercially significant" non-circumvention purposes, or is "marketed" for circumvention purposes.

      Two legitimate and productive outputs of security research come to mind that might nonetheless constitute trafficking under the DMCA. The first is a tool that allows end users to fix a security flaw in video game DRM by circumventing the DRM; the second is the publication of security research on video game DRM that describes how to circumvent the DRM. Do either of these fall under the DMCA's definition of trafficking? I honestly don't know, and it's extremely difficult to predict how a court would rule on the issue.

      Regardless, researchers should probably tread lightly when it comes to the output of their research. Even if the aforementioned outputs fall outside of the trafficking ban and additional violations, the caveats in subsections (i) and (ii) of the exemption place a burden on researchers to ensure that their research is only used for security-related purposes and never to facilitate copyright infringement. Ultimately, researchers will have to work with counsel (and potentially with DRM and game manufacturers) to create a set of best practices for publishing research results and fixing security flaws.

    • Finally, the video game exemption will be in effect until the Copyright Office conducts the next anti-circumvention rulemaking; although the rulemaking is supposed to take place every three years, it is unclear when the next one will take place, since the decision in the latest rulemaking was delayed for nearly nine months. It's a long way out regardless, but researchers should take care to make sure that long-term agendas aren't threatened by the expiration of the exemption, or better yet, get involved in renewing, evolving, and expanding the exemption during the next rulemaking.

    Though the exemption obviously comes with some baggage, we hope that it will provide some utility for researchers interested in the security of DRM systems who might have otherwise been scared off by the threat of lawsuit.

    Cross-posted at Freedom to Tinker.

