How DMCA Rulemaking Has a Chilling Effect On Security Research (vice.com) 31
citadrianne writes: Jay Radcliffe is a security researcher with diabetes. In 2011, he gave a talk at Black Hat, showing how his personal insulin pump could be hacked—with potentially deadly consequences. As a result of his 2011 presentation, he worked with the Department of Homeland Security and the Food and Drug Administration to address security vulnerabilities in insulin pumps. "The specific technical details of that research have never been published in order to protect patients using those devices," he wrote in his testimony to the Librarian of Congress and the U.S. Copyright Office. Every three years, the Librarian of Congress puts a whole bunch of people through a twisted bureaucratic process called DMCA (Digital Millennium Copyright Act) rulemaking. Technically speaking, DMCA rulemaking doesn't make things illegal or legal per se, but many people—like Jay Radcliffe—look to the rulemaking for a green light to do their work.
Ok, this takes the cake (Score:5, Insightful)
I've seen a lot of pointless summaries. Meaningless even. Utterly useless and nondescript, not even worth being probed whether it's some kind of astroturfing.
But this time I'm almost positive that it has to be written by some kind of bot that dug out the words that are guaranteed to press some buttons with the average Slashdot reader to get voted up for the front page. What the heck does this summary say? Someone showed his insulin pump can be hacked. Ok. Then he does some research and that research doesn't get published. Ok, makes sense considering that the info can kill people. And then some nonsequitor about the DMCA is tacked on.
What the hell is that about?
Know what would really be interesting? Whether or not the makers of those pumps have actually reacted and improved their security. Or whether our lawmakers at least plan to do something about the security of medical devices. But what the fuck is this?
Re: (Score:2)
Sorry, my English fails sometimes when using loanwords that are loans in pretty much any language I speak.
Re:Ok, this takes the cake (Score:5, Insightful)
Is this more to your liking?
Jay Radcliffe gave a talk at Black Hat, showing how his personal insulin pump could be hacked. If he wants to know that the security research he is planning will not run afoul of the DMCA, he's going to need an army of lawyers to comb through the DMCA rulemaking performed every three years by the Librarian of Congress. This process is a useless garbage train that’s gone completely off the tracks. Copyright law is rarely sensible, but at this point, DMCA section 1201 has spiraled entirely out of the realm of copyright and into a Kafka-esque hellscape.
Re: (Score:2)
Yes. Yes it is. Any chance that you could do the summaries instead of that writer-bot they employ now?
Re:Ok, this takes the cake (Score:5, Informative)
I actually read the thing. This is a better summary:
* The DMCA forbids users from bypassing security measures. This is the infamous sec 1201 that caught up DVD Jon and others. If somebody bypasses technical security measures, they are at risk from getting fined or whatever under this provision.
* This risk obviously sinks security research, especially institutional or company-level. If you're some dude in your moms basement, sure you can try to be a leet haxor, but if you're in academia you probably want to mostly keep your nose clean to protect your job. Sounds like a legit concern to me.
* DMCA has a provision that grants exceptions to certain activities or topics so that work under this topic won't get tripped up by sec 1201. This is an escape valve for the security research, because if a security research wants to do work on the security of medical devices, he can apply for an exemption on this topic and then not worry about legal headaches down the road. Most recently, there were exemptions for security research on medical devices, voting machines, cars, and tractors.
* These exemptions expire every three years and need to be renewed. This is the Triannial Review Process. According to the article, this process is very burdensome to complete.
* So, there's the rub. The researchers are not sure if their work may expose them to legal risks under section 1201. Congress provided a safety valve to provide assurance when appropriate. However this safety valve was implemented with so much onerous red tape that it makes the approvals process difficult, time consuming, and there's no assurance of getting a good outcome.
SO! Because of the way DMCA was designed and implemented, it effects security research into topics that don't really have anything to do with copyrighted works. This is the chilling effect that the headline mentions.
Re:Ok, this takes the cake (Score:4, Informative)
The DMCA does not forbid bypassing security measures, it forbids bypassing technological copyright protection methods. Furthermore, it specifically ALLOWS security testing, with the permission of the owner or operator of the thing being tested.
Re: Ok, this takes the cake (Score:2)
Exactly, this security researcher not publishing his research out of DMCA concerns is bullocks. There are broad exceptions in the DMCA to permit reverse engineering and research. Either he can do it or he is a scaremonger trying to get some attention. Anyone can reprogram an insulin pump with the right tools, whether or not it is viable remotely or long distance is another issue completely.
Re: (Score:3)
The code that runs the insulin pump is copyrighted.
There's probably also copyrighted data tables in there that gets fed in to algorithms as well.
Re: (Score:2)
Making it illegal to hack copyright protections means that only criminals will hack the copyright protections.
It will be like the 20's when the prohibition of alcohol caused the criminals to become very powerful. It's the same thing all over again - feeding the big time crime gangs.
Re: (Score:2)
Security researchers have their own exemptions in the DMCA.
If you own the devices you're researching or have permission from their owners and you plan to tell the copyright owner about any vulnerabilities you find, it's perfectly legal.
Re: (Score:2)
I'll tell them - in 25 years.
Re:That's not what the DMCA says. (Score:5, Informative)
And? The word in the sentence you quoted is "bypassing". It doesn't matter if once you bypass the security measure you copy the copyrighted work or not, the law says that you shall not bypass the protection, and the courts have indeed decided that the law means exactly what it says, which is what leads to us having to get special permission from the Library of Congress to unlock our cellphones [arstechnica.com].
You know what's really strange about DMCA? (Score:3)
If you remove the last letter, you get DMC, a.k.a. DeLorean Motor Company [delorean.com]. And if you replace the first letter you get YMCA.
Fight for your bitcoins! [coinbrawl.com]
Re: (Score:2)
Time to lay off the drugs now.
DMCA interpretation fail (Score:2)
What is section (j) of DMCA 1201 for?
https://www.law.cornell.edu/us... [cornell.edu]
It explicitly allows for white-hat security testing.
Can someone explain how what this guy is doing does not fall under section j?
Did he just give up reading the law at section a, where it says "You can't do this, unless there is a library of congress rule to allow it"?
Re: (Score:2)
Did you read (j)(1) to the end of the line?
$50 says the diabetic pump company doesn't authorize anyone to perform security testing on their equipment, inside or out of their company.
Re: (Score:2)
He owns the pump, he can test it.
Re: (Score:2)
The owner of the device, not the copyright owner.
It means you can research your own things, not other people's without their permission.
If your country blocks you (Score:4, Insightful)
Having to show hidden work to a bureaucrat and beg for academic indulgences to even talk to your peers and other experts?
To have to find funds to pay for expensive legal experts to even prepare to talk in pubic or share results.
"When academics are scared off from doing security research, consumers suffer."
Find another nation where crypto and technological ability is embraced, welcomed and can be talked about, sold, open sourced.
Is it fun to know your code has to have a gov ready trap door or back door or the ability to even give a presentation is a legal issue?
Or the presentation is quickly and totally removed by a university. Your hard work is airbrush from academia.
VPN to a good job and offer your ability to parts of the world where maths, education and code skill are still valued and wanted.
The money, time and effort wasted in front of bureaucrats and lawyers is taking away from your inalienable freedoms and pursuit of happiness.
A Failure of Imagination (Score:1)