In 1998, Congress passed a law called the Digital Millennium Copyright Act that was designed to fight piracy by making it a felony to "circumvent" copy-protection schemes. But over the last 15 years, the law has morphed into an all-purpose method to prevent consumers, security researchers, or almost anyone else from modifying devices they've legally purchased.
A new filing from a team of computer security researchers (several of whom are former colleagues of mine) illustrates how broad the DMCA's reach has become. The Librarian of Congress has the power to grant exceptions to the DMCA every three years. The researchers are seeking permission to perform security research on "technological protection measures" — digital locks — that are baked into a growing number of consumer products. Here's how they describe the systems they'd like to study:
"Any TPM and its underlying computer code that may contain a malfunction, security flaw or vulnerability potentially exposes the public to increased risk of harm. Such harms may include, without limitation, serious physical injury or death of natural persons, individually or en masse, property damage or financial harms."
The researchers note that the DMCA could interfere with their ability to perform research to improve the security of "insulin pumps, pacemakers and other medical devices," "car components, such as the computer code that controls braking and acceleration systems," "internet-enabled consumer goods in the home, such as digital smoke alarms or carbon monoxide detectors," and more.
Why researchers need to circumvent digital locks
These are not hypothetical concerns. The filing is heavily footnoted, with examples of real-world security flaws in each of these categories. For example, in 2012 researchers found Medtronic insulin pumps were "vulnerable to a hacking attack that could let someone break into the devices from hundreds of feet away, disable security alarms and dump insulin directly into diabetics’ bloodstreams."
These systems are becoming vulnerable to hackers because they increasingly have complex software embedded in them. And this embedded software is also the hook that triggers potential liability under the DMCA. Obviously, Medtronic isn't worried about people trading pirated insulin pump software on BitTorrent. But the DMCA's anti-piracy language is written broadly enough that Medtronic can use it to effectively make it illegal for anyone to tinker with the software in its devices.
You probably don't want to tinker with the software on your grandmother's insulin pump. But it's important that computer scientists be allowed to do so, because that makes it more likely that defects in insulin pump software will be caught before grandma gets hurt.
The DMCA can inhibit research — with dangerous consequences
Other filings in the same regulatory proceeding offer additional examples of the DMCA's excessive breadth. Here's a filing requesting permission to repair farm equipment that, increasingly, contains locked-down software. Here's a filing seeking permission to bypass digital locks when doing so is necessary to repair a car. Here's a request for an exemption for "wearable technologies, such as smart watches and health monitoring devices, smart meters, connected appliances, connected precision-guided commercial equipment." Here's one seeking permission to unlock 3-D printers in order to use third-party feedstock (the 3-D equivalent of printer ink).
As software gets baked into more and more products, the DMCA is getting more and more burdensome. This summer, Congress passed legislation modifying the DMCA to allow consumers to unlock their cell phones in order to take them to another carrier.
But it should have taken the opportunity to do a comprehensive rethink of the DMCA. It's not realistic to expect Congress or the Librarian of Congress to deal with these issues on a case-by-case basis. Tinkering with products you own should be legal by default.