Security research makes us all safer, but too often developers face ambiguous rules and possible criminal liability when they do quality assurance work to find security holes in their stack. Current DMCA Section 1201 rules should be clearer, otherwise they will continue to chill security research and leave everyone less safe. To this end, GitHub has filed comments with the Copyright Office supporting a request by Professor J. Alex Halderman and others for a broader safe harbor for good faith security research.

Our comments are part of the Eighth Triennial Section 1201 Proceeding for exemptions to the Digital Millennium Copyright Act’s prohibition against circumventing technological protection measures (“circumvention”). That’s a mouthful, I know. If you’d like a refresher, see our previous post about the process.

Our comments emphasize four points:

  1. GitHub stands for developers and against FUD (fear, uncertainty, and doubt). FUD chills security research, and we need more security research—not less.
  2. Developers of all kinds—including individuals and large corporations—must conduct security research to secure the software their users depend on. The tendency of past and current debates to focus narrowly on academics misses the reality of modern software development and deployment not considered by this 22-year-old law.
  3. There is a tremendous amount of overlap between quality assurance and the narrower heading of ‘security research.’ Yet, the rules today require that circumvention be solely focused on security research, endangering developers who may want to build and debug in addition to ensuring their software and computing environment are safe and secure.
  4. Modern developers depend on automation and virtualization services for security testing. With dependency trees commonly in the hundreds and supply chain attacks becoming more common, we believe developers should be able to use automated tools and virtualization to improve the security of their computing environment without worrying that the tooling will inadvertently run afoul of the requirement that circumvention be solely for security research rather than for quality control more generally.

When developers face less FUD, they can make software more secure, and we’re all better off. We hope that the Copyright Office will agree. You can find the full text of our comments here.

Follow GitHub Policy on Twitter for updates about the laws and regulations that impact developers.