Last updated Sunday, December 12, 2021, 15:21:47 GMT

The Copyright Office has released its latest rules on exemptions to Section 1201 of the Digital Millennium Copyright Act (DMCA). Great news: legal protections for independent security research have once again been meaningfully strengthened. On the whole, these protections are now significantly greater than they were just a few years ago.

Some quick background: DMCA Section 1201 restricts security research on software without the authorization of the software's copyright owner, even for software on devices the researcher owns. This has long been criticized as having an adverse chilling effect on legitimate security research that would otherwise benefit consumers. However, the Librarian of Congress (acting through the Copyright Office) can establish exemptions to DMCA Section 1201, which must be renewed every three years. A three-year cycle has just ended, with the Copyright Office issuing an updated exemption for security research.

[For additional background on why the DMCA matters for security research, please see this earlier post.]

The latest change: removal of the "all other laws" requirement

Prior to this latest update, the security researcher exemption provided legal protection from Section 1201 only if the researcher was compliant with every other law or regulation in the whole world, no matter how obscure. If that sounds burdensome and Kafkaesque, that's because it is.

We made this "obey all other laws" issue the focus of our advocacy on Section 1201 throughout 2020 and 2021. As we argued extensively before the Copyright Office, the "all other laws" limitation meant security researchers could lose liability protection under Section 1201 for inadvertently violating laws with significant gray areas (like the CFAA), minor laws unrelated to security (like electrical codes), or strict foreign laws (like China's rules on vulnerability disclosure).

Rapid7 proposed specific language to address this problem. Thankfully, the Department of Justice (DOJ) formally weighed in with the Copyright Office and supported our proposed language. Without the DOJ's action in support of good-faith security researchers, this effort would very likely not have succeeded. The Department of Commerce (NTIA) then joined in supporting the language as well.

In October 2021, the Copyright Office issued an updated exemption for security research that adopted our proposed language and removed the "all other laws" requirement. This effectively killed the most harmful remaining aspect of the previous rule, representing major progress in legal protection for security researchers under DMCA Section 1201. That the DOJ, NTIA, and Copyright Office were united in expanding protection is a sign of the growing consensus on the importance of this activity.

The change to the language essentially turns the requirement of compliance with all other laws into a helpful reminder that other laws may still apply. Here is what the language looks like:

Struck: ", and does not violate any applicable law, including without limitation the Computer Fraud and Abuse Act of 1986, as amended and codified in title 18, United States Code."
Inserted: "Good-faith security research that qualifies for the exemption under paragraph (b)(16)(i) of this section may nevertheless incur liability under other applicable laws, including without limitation the Computer Fraud and Abuse Act of 1986, as amended and codified in title 18, United States Code, and eligibility for that exemption is not a safe harbor from, or defense to, liability under other applicable laws."

A long road of advocacy

Many hands — too many to adequately thank here — worked tirelessly to ensure security researchers were protected from DMCA Section 1201. This has truly been a community effort.

For our part, Rapid7 has been engaged in advocacy to protect security research under DMCA Section 1201 for the better part of a decade. Testimony from Rapid7 researchers helped establish the first security research exemption in 2015. But the 2015 exemption was limited, and in 2016 we repeatedly pressed the Copyright Office to support expanded protections and reform the rulemaking process, and the Copyright Office implemented many of our recommendations. During the Copyright Office's 2018 exemption cycle, we argued against holding security researchers liable for what third parties do with research results, and the Copyright Office agreed. The 2018 cycle also greatly expanded the types of devices within the scope of the researcher protection. Now, in 2021, we worked to persuade the Copyright Office to remove the "any other laws" limitation.

Taken together, this is a lot of progress. Rapid7 has put real time and effort into living up to its values in support of independent cybersecurity research, and it has borne fruit.

Section 1201 is improved, but still flawed

These gains are significant and welcome. Still, it is astonishing just how much time and effort were required to wade through the sea of FUD and bureaucracy to achieve this progress. It is a testament to the dangers of regulatory inertia.

There is still much work to do on the DMCA. While the security researcher protections under DMCA Section 1201 are now greatly strengthened, which helps address its chilling effect on research, the law still has many flaws. As Rapid7 has noted, DMCA Section 1201 continues to be a legal risk for the use of security tools — something the researcher exemption does not address. Beyond security, the DMCA continues to affect the right to repair, accessibility for people with disabilities, education, and more. It is a law in urgent need of comprehensive reform.

As US computer crime laws go, DMCA Section 1201 is surely among the most unsound and anachronistic. If DMCA Section 1201 were introduced in Congress today, it would be derided as toxic and never advance far enough to receive a vote. DMCA Section 1201's most beneficial use now is as a smoldering example of how a sweeping restriction on widely used technology can become an absurd burden as technology matures. We should celebrate the erosion of DMCA Section 1201 even as we lament that this erosion is gradual.

Our respect and gratitude go to all the advocates who spent their time and resources working with the Copyright Office to drive this progress.