A problem:
On July 17, the Environmental Protection Agency advised the Copyright Office against granting temporary exemptions to the copyright laws prohibiting the circumvention of the technological protection measures (TPMs) designed to prevent access to vehicles’ embedded software. The agency warned that, without the TPMs and the prohibition of their circumvention under the Digital Millennium Copyright Act (DMCA), car owners would access and modify their vehicle’s software in ways that might violate the Clean Air Act.
This reasoning, echoed in letters from the Department of Transportation, the Food and Drug Administration, and the California Air Resources Board, illustrates the respective levels of trust agencies accord to the public, themselves, and the industries they regulate. True, regulations can be complex and difficult to understand, but financial incentives to skimp or cheat are not. True, agencies do have subject matter expertise, but shielding software from independent research leaves the agency as the lone watchdog. True, there are some who would circumvent TPMs and modify software for less-than-benign purposes, but that’s exactly why we need all the help available in making sure software is secure against attacks and exploits. These agencies may believe that we are all safer as long as circumventing TPMs is illegal, but CDT believes otherwise.
The reasoning behind Section 1201 of the DMCA is this: it’s easy to make and distribute unlimited, perfect copies of digital works, and the content industry lacked faith in copyright infringement penalties alone as a deterrent (despite the availability of statutory damages as high as $150,000 per violation), so it built digital fences around its content, then made it illegal to cross the fence. From an industry perspective, it may make sense to add more legal protection to your already-legally protected assets. Here, however, it seems that the EPA wants to enlist copyright law to protect the atmosphere, while the other agencies would use it to protect the public from itself. Whatever this may say about regulatory approaches, it certainly says something about how far from copy protection the use of Section 1201 has strayed.
Two months after the EPA’s letter, researchers unafraid of doing things the hard way discovered that VW (the only entity able to legally access or authorize accessing the code in its vehicles’ emissions-controlling software) has been using that software to violate the Clean Air Act for years. Although the researchers in this case did not circumvent VW’s embedded software, doing so would have been a more direct method of investigation. Would researchers have discovered VW’s secret sooner without Section 1201 of the DMCA standing guard? Maybe. Would circumvention in that case fit within one of Section 1201’s built-in, but untested, exemptions? Uncertain. What is certain is that the current state of the law around Section 1201 is a source of potential liability for anyone who, without the software owner’s permission, circumvents TPMs to verify software’s security or functionality.
Even if the DMCA did effectively deter some tinkering (which does not infringe copyright), the fact that it also could help conceal VW’s eco-transgressions in a fog of legal risk effectively undermined the EPA’s regulatory objectives and denied the public the benefit of a valuable resource: independent research.
A good solution:
Start with the most obvious: grant the exemptions proposed by the Electronic Frontier Foundation in the most recent round of the Copyright Office’s triennial rulemaking that would allow auto owners to research the security and safety of the software upon which their own vehicles rely. Next, grant the exemption proposed by security researchers that would allow them to conduct good-faith security research more generally. In one form or another, researchers need assurance that they will not fall afoul of the law in the course of their research. CDT commented on the importance of security research (twice) in the Copyright Office’s triennial exemption proceeding, and again in the Department of Commerce’s proposal to modify its export control rules implementing the Wassenaar Agreement. As the DMCA’s research-chilling effects continue to surface, more voices echo our concerns.
As we place more and more of our individual and collective trust in software, software-controlled devices, and networks, we need assurance that software remains secure and does what it claims. CDT believes that security cannot be assured by obscurity. Apparently, neither can regulatory compliance. But more eyes looking, and more hands testing, and more brains devising solutions can help grant such assurances.
Legal prohibitions targeted at copyright infringement should not deter beneficial research. Likewise, the ability of the public and software makers to appropriately respond to discovered flaws will be improved by the researchers’ freedom to talk about their findings. This freedom to research, share, and discuss publicly advances understanding of both our technology and regulatory objectives. That should be one lesson we take away from Fahrvergnugen-gate.