FUD chills: GitHub stands with security researchers on DMCA Section 1201
Security research makes us all safer, but too often developers face ambiguous rules and possible criminal liability when they do quality assurance work to find security holes in their stack. Current DMCA Section 1201 rules should be clearer, otherwise they will continue to chill security research and leave everyone less safe. To this end, GitHub has filed comments with the Copyright Office supporting a request by Professor J. Alex Halderman and others for a broader safe harbor for good faith security research.
Our comments are part of the Eighth Triennial Section 1201 Proceeding for exemptions to the Digital Millennium Copyright Act’s prohibition against circumventing technological protection measures (“circumvention”). That’s a mouthful, I know. If you’d like a refresher, see our previous post about the process.
Our comments emphasize four points:
- GitHub stands for developers and against FUD (fear, uncertainty, and doubt). FUD chills security research, and we need more security research—not less.
- Developers of all kinds—including individuals and large corporations—must conduct security research to secure the software their users depend on. The tendency of past and current debates to focus narrowly on academics misses the reality of modern software development and deployment not considered by this 22-year-old law.
- There is a tremendous amount of overlap between quality assurance and the narrower heading of ‘security research.’ Yet, the rules today require that circumvention be solely focused on security research, endangering developers who may want to build and debug in addition to ensuring their software and computing environment is safe and secure.
- Modern developers depend on automation and virtualization services for security testing. With dependency trees commonly in the hundreds and supply chain attacks becoming more common, we believe developers should be able to use automated tools and virtualization to improve the security of their computing environment without worrying that the tooling will inadvertently run afoul of the rules because it serves quality control more generally rather than solely security research.
When developers face less FUD, they can make software more secure, and we’re all better off. We hope that the Copyright Office will agree. You can find the full text of our comments here.
Follow GitHub Policy on Twitter for updates about the laws and regulations that impact developers