EFF Files Lawsuit Challenging DMCA’s Restrictions on Security Researchers

EFF says security researchers are impinged by DMCA laws that prevent reverse engineering software to find security flaws.

The Electronic Frontier Foundation filed a lawsuit Thursday against the U.S. Government over a provision within the Digital Millennium Copyright Act that it says impinges on free speech and hobbles security researchers ability to do their job.

The lawsuit asks the court to strike down¬†the¬†highly contentious Section 1201 of the DMCA that restricts the reverse engineering of systems which protects copyrighted material such as films, audio and computer code. Section 2101 has been at the center of heated debates in the past regarding access to copyrighted material lawfully-purchased and an owners’ fair use rights to use or remix that content.

The EFF lawsuit aims to protect security researchers as well computer engineers and inventors. Plaintiffs include Matthew Green, assistant professor in the Information Security Group at John Hopkins Whiting School of Engineering and Andrew Huang and his company Alphamax. Huang is a computer scientist and inventor developing devices for editing digital video streams.

“Before I begin my security research I need to call my lawyer for counsel and have my students sign retainers for legal representation. Then I need to make promises that my research doesn’t veer from the narrow scope of what I stated it would be,” Green said in an interview with Threatpost. “The weight of that pressure definitely effects how I do my research and its outcome.”

Kit Walsh, EFF staff attorney said that Section 2101 is a significant impediment to security threat research.

“Research into medical device safety and automobile safety make us safer. Right now researchers have to watch their back and are often threatened with lawsuits for bugs and flaws they uncover. Section 2101 doesn’t make us safer. It impinges on researchers’ First Amendment rights to share vital research that could save lives and keep us safe in a world increasingly reliant on computer code,” Walsh said to Threatpost.

The EFF maintain that current “good faith security research” exemptions do not adequately protect security researchers from legal exposure should they reverse engineer software. Walsh said that since the 18-year-old DMCA Act was enacted and the anti-circumvention and anti-trafficking provisions enforced there have been dozens of instances of researchers and inventors legally challenged and silenced for their research.

Three prominent cases involving the DMCA’s Section 2101 include Edward Felten and the release of a scientific paper on how to defeat Secure Digital Music Initiative (SDMI), a lawsuit against Eric Corley (publisher of 2600: The Hacker Quarterly magazine) regarding the distribution of DeCSS and the case United States v. ElcomSoft and Dmitry Sklyarov where Sklyarov created a software program that could circumvent Adobe Systems e-book copy protection.

“The government cannot broadly ban protected speech and then grant a government official excessive discretion to pick what speech will be permitted, particularly when the rule-making process is so onerous,” said Walsh in the court filing. “If future generations are going to be able to understand and control their own machines, and to participate fully in making rather than simply consuming culture, Section 1201 has to go.”

EFF’s lawsuit was filed with co-counsel Brian Willen, Stephen Gikow, and Lauren Gallo White of Wilson Sonsini Goodrich and Rosati.

Suggested articles