Allowing security research on consumer devices (including wearables and the IoT) is obviously necessary. This had been illegal under the Digital Millennium Copyright Act, until today. Hopefully this will translate into better security for our devices.
Read more about today’s decision by the Library of Congress, on the FTC’s blog: https://www.ftc.gov/news-events/blogs/techftc/2016/10/dmca-security-research-exemption-consumer-devices
With the stroke of a pen, the Librarian of Congress has authorized security researchers who are acting in good faith to conduct controlled research on consumer devices so long as the research does not violate other laws such as the Computer Fraud and Abuse Act (CFAA). This temporary exemption to the Digital Millennium Copyright Act (DMCA) begins today. The new temporary exemption is a big win for security researchers and for consumers who will benefit from increased security testing of the products they use.
The Digital Millennium Copyright Act (DMCA) makes it illegal to circumvent controls that prevent access to copyrighted material. The result is that under the DMCA, researchers can’t investigate and discover security vulnerabilities if doing so requires reverse engineering or circumventing controls such as obfuscated code. The Librarian of Congress can adopt exemptions to the DMCA’s anti-circumvention statute for various technologies. These exemptions have allowed individuals to unlock tablets and wearables, jailbreak mobile devices, circumvent brand-specific 3D ink restrictions on 3D printers, and more. Exemptions remove a legal hurdle and let people engage in the covered conduct without fear of legal repercussions. It is important to note that the rule requires a careful setup and testing environment for research to fall under the good faith security research exemption, and it does not exempt researchers from other laws such as the CFAA.