Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!


Forgot your password?

How DMCA Rulemaking Has a Chilling Effect On Security Research (vice.com) 31

citadrianne writes: Jay Radcliffe is a security researcher with diabetes. In 2011, he gave a talk at Black Hat, showing how his personal insulin pump could be hacked—with potentially deadly consequences. As a result of his 2011 presentation, he worked with the Department of Homeland Security and the Food and Drug Administration to address security vulnerabilities in insulin pumps. "The specific technical details of that research have never been published in order to protect patients using those devices," he wrote in his testimony to the Librarian of Congress and the U.S. Copyright Office. Every three years, the Librarian of Congress puts a whole bunch of people through a twisted bureaucratic process called DMCA (Digital Millennium Copyright Act) rulemaking. Technically speaking, DMCA rulemaking doesn't make things illegal or legal per se, but many people—like Jay Radcliffe—look to the rulemaking for a green light to do their work.
This discussion has been archived. No new comments can be posted.

How DMCA Rulemaking Has a Chilling Effect On Security Research

Comments Filter:
  • by Opportunist ( 166417 ) on Tuesday November 03, 2015 @07:49PM (#50859901)

    I've seen a lot of pointless summaries. Meaningless even. Utterly useless and nondescript, not even worth being probed whether it's some kind of astroturfing.

    But this time I'm almost positive that it has to be written by some kind of bot that dug out the words that are guaranteed to press some buttons with the average Slashdot reader to get voted up for the front page. What the heck does this summary say? Someone showed his insulin pump can be hacked. Ok. Then he does some research and that research doesn't get published. Ok, makes sense considering that the info can kill people. And then some nonsequitor about the DMCA is tacked on.

    What the hell is that about?

    Know what would really be interesting? Whether or not the makers of those pumps have actually reacted and improved their security. Or whether our lawmakers at least plan to do something about the security of medical devices. But what the fuck is this?

    • by complete loony ( 663508 ) <Jeremy@Lakeman.gmail@com> on Tuesday November 03, 2015 @08:47PM (#50860251)

      Is this more to your liking?

      Jay Radcliffe gave a talk at Black Hat, showing how his personal insulin pump could be hacked. If he wants to know that the security research he is planning will not run afoul of the DMCA, he's going to need an army of lawyers to comb through the DMCA rulemaking performed every three years by the Librarian of Congress. This process is a useless garbage train that’s gone completely off the tracks. Copyright law is rarely sensible, but at this point, DMCA section 1201 has spiraled entirely out of the realm of copyright and into a Kafka-esque hellscape.

    • by Noah Haders ( 3621429 ) on Tuesday November 03, 2015 @08:54PM (#50860317)

      I actually read the thing. This is a better summary:
      * The DMCA forbids users from bypassing security measures. This is the infamous sec 1201 that caught up DVD Jon and others. If somebody bypasses technical security measures, they are at risk from getting fined or whatever under this provision.
      * This risk obviously sinks security research, especially institutional or company-level. If you're some dude in your moms basement, sure you can try to be a leet haxor, but if you're in academia you probably want to mostly keep your nose clean to protect your job. Sounds like a legit concern to me.
      * DMCA has a provision that grants exceptions to certain activities or topics so that work under this topic won't get tripped up by sec 1201. This is an escape valve for the security research, because if a security research wants to do work on the security of medical devices, he can apply for an exemption on this topic and then not worry about legal headaches down the road. Most recently, there were exemptions for security research on medical devices, voting machines, cars, and tractors.
      * These exemptions expire every three years and need to be renewed. This is the Triannial Review Process. According to the article, this process is very burdensome to complete.
      * So, there's the rub. The researchers are not sure if their work may expose them to legal risks under section 1201. Congress provided a safety valve to provide assurance when appropriate. However this safety valve was implemented with so much onerous red tape that it makes the approvals process difficult, time consuming, and there's no assurance of getting a good outcome.

      SO! Because of the way DMCA was designed and implemented, it effects security research into topics that don't really have anything to do with copyrighted works. This is the chilling effect that the headline mentions.

      • by bws111 ( 1216812 ) on Tuesday November 03, 2015 @09:37PM (#50860515)

        The DMCA does not forbid bypassing security measures, it forbids bypassing technological copyright protection methods. Furthermore, it specifically ALLOWS security testing, with the permission of the owner or operator of the thing being tested.

        • Exactly, this security researcher not publishing his research out of DMCA concerns is bullocks. There are broad exceptions in the DMCA to permit reverse engineering and research. Either he can do it or he is a scaremonger trying to get some attention. Anyone can reprogram an insulin pump with the right tools, whether or not it is viable remotely or long distance is another issue completely.

  • by U2xhc2hkb3QgU3Vja3M ( 4212163 ) on Tuesday November 03, 2015 @08:08PM (#50859983)

    If you remove the last letter, you get DMC, a.k.a. DeLorean Motor Company [delorean.com]. And if you replace the first letter you get YMCA.

    Fight for your bitcoins! [coinbrawl.com]

  • What is section (j) of DMCA 1201 for?
    https://www.law.cornell.edu/us... [cornell.edu]
    It explicitly allows for white-hat security testing.

    Can someone explain how what this guy is doing does not fall under section j?
    Did he just give up reading the law at section a, where it says "You can't do this, unless there is a library of congress rule to allow it"?

    • by Anonymous Coward

      Did you read (j)(1) to the end of the line?

      with the authorization of the owner or operator of such computer, computer system, or computer network.

      $50 says the diabetic pump company doesn't authorize anyone to perform security testing on their equipment, inside or out of their company.

  • by AHuxley ( 892839 ) on Tuesday November 03, 2015 @10:05PM (#50860631) Journal
    Can academics even recover their basic freedoms in the USA? Academic and First Amendment questions seem moot.
    Having to show hidden work to a bureaucrat and beg for academic indulgences to even talk to your peers and other experts?
    To have to find funds to pay for expensive legal experts to even prepare to talk in pubic or share results.
    "When academics are scared off from doing security research, consumers suffer."
    Find another nation where crypto and technological ability is embraced, welcomed and can be talked about, sold, open sourced.
    Is it fun to know your code has to have a gov ready trap door or back door or the ability to even give a presentation is a legal issue?
    Or the presentation is quickly and totally removed by a university. Your hard work is airbrush from academia.
    VPN to a good job and offer your ability to parts of the world where maths, education and code skill are still valued and wanted.
    The money, time and effort wasted in front of bureaucrats and lawyers is taking away from your inalienable freedoms and pursuit of happiness.
  • Laws are so vague that most Americans commit three felonies per day so you might as well make them count. The same security researchers who complain about the DMCA blocking their research will gladly go down to the corner to but pot or Torrent the newest season of Game of Thrones. If an anonymous person in a foreign country "leaks" some code from a secured device then hey, that's fair game. Unfortunately, academic researchers feed the need to blab about every step in the process. Do you think those secu

COMPASS [for the CDC-6000 series] is the sort of assembler one expects from a corporation whose president codes in octal. -- J.N. Gray