FUD chills: GitHub stands with security researchers on DMCA Section 1201
Security research makes us all safer, but too often developers face ambiguous rules and possible criminal liability when they do quality assurance work to find security holes in their stack.…
Security research makes us all safer, but too often developers face ambiguous rules and possible criminal liability when they do quality assurance work to find security holes in their stack. Current DMCA Section 1201 rules should be clearer, otherwise they will continue to chill security research and leave everyone less safe. To this end, GitHub has filed comments with the Copyright Office supporting a request by Professor J. Alex Halderman and others for a broader safe harbor for good faith security research.
Our comments are part of the Eighth Triennial Section 1201 Proceeding for exemptions to the Digital Millennium Copyright Act’s prohibition against circumventing technological protection measures (“circumvention”). That’s a mouthful, I know. If you’d like a refresher, see our previous post about the process.
Our comments emphasize four points:
- GitHub stands for developers and against FUD (fear, uncertainty, and doubt). FUD chills security research, and we need more security research—not less.
- Developers of all kinds—including individuals and large corporations—must conduct security research to secure the software their users depend on. The tendency of past and current debates to focus narrowly on academics misses the reality of modern software development and deployment not considered by this 22-year-old law.
- There is a tremendous amount of overlap between quality assurance and the narrower heading of ‘security research.’ Yet, the rules today require that circumvention be solely focused on security research, endangering developers who may want to build and debug in addition to ensuring their software and computing environment is safe and secure.
- Modern developers depend on automation and virtualization services for security testing. With dependency trees commonly in the hundreds and supply chain attacks becoming more common, we believe developers should be able to use automated tools and virtualization to improve the security of their computing environment without worrying that the tooling will inadvertently run afoul of not being solely for security research instead of quality control more generally.
When developers face less FUD, they can make software more secure, and we’re all better off. We hope that the Copyright Office will agree. You can find the full text of our comments here.
Follow GitHub Policy on Twitter for updates about the laws and regulations that impact developers
Tags:
Written by
Related posts
Inside the research: How GitHub Copilot impacts the nature of work for open source maintainers
An interview with economic researchers analyzing the causal effect of GitHub Copilot on how open source maintainers work.
OpenAI’s latest o1 model now available in GitHub Copilot and GitHub Models
The December 17 release of OpenAI’s o1 model is now available in GitHub Copilot and GitHub Models, bringing advanced coding capabilities to your workflows.
Announcing 150M developers and a new free tier for GitHub Copilot in VS Code
Come and join 150M developers on GitHub that can now code with Copilot for free in VS Code.