The Digital Millennium Copyright Act (DMCA) is a 22-year-old United States law meant to strike a complicated balance between art, code, and speech on the net — impacting users of platforms like GitHub. DMCA rules are under review, and you have an opportunity to help shape the anti-circumvention landscape.
The U.S. Copyright Office is currently seeking comments from the public on proposed exemptions to DMCA §1201, which prohibits circumventing “technological measures” — like encryption or digital rights management (DRM) — that prevent copying or accessing a copyrighted work. Developer input matters: the Copyright Office pays attention to comments about the real-world impact DRM has on developers’ ability to lawfully use software and other copyrighted materials.
Though all proposed exemptions are somewhat relevant to developers — DRM and other technical measures are typically implemented in software — this post highlights eight classes of proposed exemptions that are likely to be of particular interest to the larger software development ecosystem. You can find more information about submitting comments to the Copyright Office here.
The exemption process gives a path to permit circumvention for uses that are permitted because they are not copyright infringement. Without the exemption process, circumvention for some security research, accessibility, or device repair would not be permitted by law. Current exemptions address these topics, and the Copyright Office is considering proposals to expand them to broader use cases. Developer stories are critical to educating the Copyright Office about how DMCA anti-circumvention impacts software development and innovation.
The exemption process has two limitations. First, the exemptions are not automatically renewed: the petitions must be refiled every three years. Second, even when circumvention is permitted, publishing or sharing tools that enable circumvention is not. In practice, because each person needs to create the tools from scratch, this means that those who are less technically savvy may not be able to take advantage of the exemptions. So if a tool were “primarily designed” for circumventing DRM, even if that circumvention was for an exempted or non-infringing purpose, the exemptions do not make it lawful to publish or share the circumventing portions of that tool.
The Copyright Office has categorized new proposed exemptions into 17 classes, with eight of particular interest to the developer ecosystem highlighted below.
Tinkering with our devices — for repairs, to improve performance, for interoperability, or just to learn — is core to why many of us became developers. As computers are integrated into more devices, the freedom to tinker has taken on increased significance, while also raising concerns around computerized devices that impact health, safety, privacy, and security. The Copyright Office has grouped current proposals related to tinkering into three classes.
Class 12: Computer Programs–Repair
The Copyright Office has already reinstated exemptions that permit circumvention for diagnosis and repair of computer programs — but limited to smartphones, home appliances, and motor vehicles. Modification of software functionality is only allowed for motor vehicles.
Proposals to broaden the exemption assert that these exemptions are too narrow as software-enabled devices are increasingly integrated into modern life. They argue that people’s ability to control the devices they own requires that legal repair, diagnosis, and modification should not be limited by the DMCA.
The proposals range from the broad to the specific. Broadly, the Electronic Frontier Foundation (EFF) and iFixit and the Repair Association have each proposed blanket exemptions that would allow owners of any software-enabled device to diagnose, repair, and modify it. More specifically, two new proposals seek to expand the previous exemptions for diagnosis, maintenance, and repair to computer programs and data files from medical devices. They argue that, absent the exemption, hospitals must go to approved contractors for repair and diagnosis, harming patient care as was seen with COVID-19 ventilators.
In prior rulemaking sessions, opponents of such proposals included a wide range of entities voicing concern that broad exemptions could impact safety, health, privacy, and environmental concerns. The Copyright Office highlighted the dilemma of reviewing copyright exemptions that introduce increasingly complex non-copyright issues, which may need to be addressed outside of the rulemaking process.
Class 11: Computer Programs–Jailbreaking
Current renewed exemptions permit jailbreaking for the purpose of enabling interoperability of applications on hardware devices — but limited to smartphones, smart TVs, and voice assistant devices.
In addition to the broader exceptions proposed in Class 12, two more limited expansions have been suggested. First, the Software Freedom Conservancy has proposed a new exemption to permit the owners of routers and other networking devices to install alternate firmware, arguing that this would enable users to install or update software to fix security flaws. Second, arguing that the line between a “smart TV” and devices designed to display video on a TV, like a streaming box, is blurred, the EFF’s proposal seeks to clarify that the current exemption for smart TVs includes these types of devices.
Class 10: Computer Programs–Unlocking
Current renewed exemptions permit circumvention for unlocking devices to allow them to connect to alternate wireless carriers. But this exemption only applies to cellphones, tablets, and mobile hotspots.
To account for the expanding market and aftermarket for 4G and 5G devices like IoT, the Institute of Scrap Recycling has filed two proposals: one to broadly expand the exemption to any 4G or 5G connected device and the other more narrowly expanding it to only cellular connected computers.
Class 13: Computer Programs—Security Research
Security research will often require circumvention of encryption and other protection measures in order to collect data or probe for vulnerabilities. The sensitive nature of this work makes it difficult for researchers to obtain funding or pursue this research outright, and researchers have received legal threats when attempting to report security flaws. (GitHub seeks to address this in part through our Bug Bounty Legal Safe Harbor for researchers.) Though the DMCA statute contains a permanent security research exemption, security researchers have argued that without better clarity about when they might be subjected to liability, there is a chilling effect on security research that may result in less secure software and underreporting of security vulnerabilities.
The current security research exemption largely tracks an exception baked into the DMCA itself. It permits circumvention to access a computer program for “good-faith” security research that is “solely” for the purpose of testing, investigating, and fixing a bug and where the information derived from the research is used “primarily to promote the security or safety” of the related devices. The expansion proposals argue that, in practice, these potentially subjective caveats in the current exemption chill legitimate security research, creating two types of issues.
First, if researchers speak about or publish their research after they have conducted it, does this conduct after their research is complete invalidate their “good faith” exemption? If so, does that infringe freedom of speech? A coalition of J. Alex Halderman, the Center for Democracy and Technology, and the Association for Computing Machinery proposes removing these subjective terms to provide greater certainty for researchers to conduct research and speak freely about their findings. Similarly, prior commentators have suggested that developers taking advantage of the exemption should adopt responsible reporting procedures when disclosing their findings, but as the Copyright Office has noted, the rulemaking process may not have sufficient authority to impose non-copyright requirements on research findings.
Second, are researchers exempted if they also test whether personal devices respect privacy, or does this violate the “solely” and “primary” requirements? The Software Freedom Conservancy proposed expanding the security research exemption to clarify that “good-faith security research” covers testing, investigation, and/or correction of privacy-related issues and allows modification to protect personal information.
Class 17: All Works—Accessibility Uses
Current exemptions permit circumvention for a series of uses to enable access to copyrighted media for people with disabilities. However, these exemptions are specific to categories of copyrighted works, for example e-books and films, and to particular circumstances of use, like education. A coalition of disability and library organizations argued that this patchwork presents challenges for disabled people, who must have both the resources to pursue circumvention and to develop a legal understanding of the specific exemptions to §1201. The coalition proposes a blanket exemption that comprehensively allows circumvention to “enable equitable access to copyrighted works for people who have disabilities” in order to meaningfully lower barriers to access.
Of the remaining proposals, three may be of particular interest to developers:
You have an opportunity to let your voice be heard. Developers can provide comments on proposed exemptions by submitting comments to the Copyright Office. Comments must be submitted for each separate class of exemption and should provide evidence related to the need for or harm caused by the exemption. In general, the Copyright Office has noted that real-world examples of evidence will be more compelling than hypotheticals. The Copyright Office also published what information it would find useful for each class. Comments can suggest specific language for the Copyright Office to adopt.
The first round of comments in support of the proposals is due December 14. The next round of comments in opposition to the proposals is due February 9, 2021. View the detailed process timeline and make your voice heard by submitting a comment here today.