A New DMCA Exemption for Security Research
Blake Ellis Reid, Chilling Effects Clearinghouse, August 06, 2010
Abstract: By now, most readers have probably heard about the six newly minted exemptions to the anti-circumvention measures of the Digital Millennium Copyright Act (DMCA), announced last week by the Librarian of Congress. For the uninitiated, Ars Technica and David Abrams of Chilling Effects have excellent overviews of the exemptions, which provide much-needed legal cover for a variety of activities including jailbreaking and unlocking cell phones, decrypting DVDs for non-commercial remixes, and several others.
Of particular interest to folks in the security community is the exemption granted for security research on video game digital rights management (DRM) systems, stemming from both realized and potential security holes in systems like Safedisc and SecuROM.
This exemption was the brainchild of University of Michigan professor and DMCA exemption veteran Alex Halderman, who successfully lobbied with Ed Felten in 2006 for a similar exemption for security research on audio CD DRM in the wake of the Sony rootkit episode. I had the opportunity to work with Alex on the video game exemption under the excellent guidance and supervision of professors Paul Ohm, Harry Surden, and Brad Bernthal via the Glushko-Samuelson Technology Law and Policy Clinic at the University of Colorado Law School; we also received tremendous support from the Electronic Frontier Foundation and a coalition of professional and academic security researchers.
With the exemption officially on the books, some researchers may be considering research agendas directed at analyzing security flaws and vulnerabilities posed by video game DRM systems. While the exemption provides significant legal cover from the threat of DMCA lawsuits by DRM and game manufacturers, some questions about the DMCA's anti-circumvention measures remain unanswered, and traps may lie in wait for the unwary. In this post, I've attempted to lay out a rough sketch of the mechanics of the anti-circumvention measures and the video game exemption, focusing in particular on areas that may prove problematic for researchers.
(Obligatory disclaimer: this is not legal advice and shouldn't be taken as such; researchers should consult university, in-house, or outside counsel before proceeding with a research agenda that involves circumventing DRM.)
At the outset, an overview of the anti-circumvention measures is in order. First, the DMCA distinguishes between two types of DRM systems: access controls and copy controls. Access controls are those that (you guessed it) control access to the underlying copyrighted work (here, a video game), while copy controls are those that restrict the ability to reproduce, distribute, publicly perform/display, or make derivative works of the game.
Second, the DMCA addresses two types of activities: circumvention and trafficking. Circumvention is the actual cracking, picking, or breaking of the digital lock on the game, while trafficking involves the creation and distribution of tools designed for circumvention. (If you think the latter definition sounds nebulous, you're right - more later.)
With these definitions in mind, the DMCA bans three activities: 1) circumventing access controls (the "basic provision"); 2) trafficking in access control circumvention tools (the "trafficking ban"); and 3) trafficking in copy control circumvention tools (the "additional violations"). The astute reader will notice that the DMCA does not ban circumventing copy controls; in practice, however, most video game DRM systems likely serve as both access controls and copy controls, so any circumvention will likely be barred by the basic provision.
These distinctions are important because the various exemptions to the DMCA arguably only apply to specific provisions. So, even if an exemption gets a researcher out of liability under the basic provision, she may nonetheless be liable under the trafficking ban and/or the additional violations.
It's worth noting that there are several permanent statutory exemptions written into the DMCA; most relevant to security researchers are those for reverse engineering, encryption research, and security testing. Though an in-depth analysis is beyond the scope of this post, it should suffice to note these exemptions are loaded with caveats that may render them inapplicable to many security research agendas.
With that in mind, the new video game DRM exemption to the basic provision may provide superior protection for research agendas covering video game DRM. The exemption textually applies to:
(4) Video games accessible on personal computers and protected by technological protection measures that control access to lawfully obtained works, when circumvention is accomplished solely for the purpose of good faith testing for, investigating, or correcting security flaws or vulnerabilities, if:
Researchers should pay careful attention to the following caveats when thinking about the exemption:
Though the exemption obviously comes with some baggage, we hope that it will provide some utility for researchers interested in the security of DRM systems who might have otherwise been scared off by the threat of lawsuit.
Cross-posted at Freedom to Tinker.