[Cryptography] copyright office DMCA exemptions rulemaking - looking for input

Miles Fidelman mfidelman at meetinghouse.net
Thu Jan 29 08:28:48 EST 2015

Hi Folks,

The United States Copyright Office is conducting the sixth triennial
rulemaking proceeding under the Digital Millennium Copyright Act
(“DMCA”) concerning possible exemptions to the DMCA's prohibition
against circumvention of technological measures that control access to
copyrighted works.  (https://federalregister.gov/a/2014-29237)

One of the proposed exemptions is relevant to those of us interested in
software security matters - which, I assume, includes many on this list.

Proposed Class 25: Software—Security Research, to "allow researchers to
circumvent access controls in relation to computer programs, databases,
and devices for purposes of good-faith testing, identifying, disclosing,
and fixing of malfunctions, security flaws, or vulnerabilities."

I seem to find myself leading an effort to draft a statement from the
ACM, supporting the exemption - along the lines of:
- security and integrity of computer software is critical in a broad
variety of areas - voting, SCADA systems, medical systems, etc., etc.
- testing and validating such software is critical and <a good thing>
- as professional computer scientists and engineers, we can't perform
such testing and validation under threat of Federal Felony prosecution
under the DMCA for violating copyright as part of reverse engineering,
penetration testing, and otherwise (attempting to) circumvent protection
(obviously, we'll be expanding on that language)

Going beyond motherhood statements, it would be VERY helpful to have
some specific examples to cite of research that was not done, for fear
of prosecution under DMCA.  And it occurs to me that folks here
might be able to provide such examples.

So... if you have either:
a. published some research that didn't go as far as you'd like, for fear
of DMCA violation, and/or
b. not performed some research that you consider compelling, for fear of
prosecution (or conducted, but not published :-)

Can you send some details my way.  Ultimately, what would be most
helpful would be personal statements that we can attach to the submission.

Note that time is short - submissions are due on 2/6, and we'll need at
least a few days for review, comment, and voting on the final official
submission ACM makes.

Thanks very much,

Miles Fidelman

In theory, there is no difference between theory and practice.
In practice, there is.   .... Yogi Berra

More information about the cryptography mailing list