Tuesday, May 26, 2015

DMCA hearings: security research proponents

Library of Congress DMCA exemption hearings
Proposed Class 25: Software – security research
This proposed class would allow researchers to circumvent access controls in relation to computer programs, databases, and devices for purposes of good-faith testing, identifying, disclosing, and fixing of malfunctions, security flaws, or vulnerabilities.
Copyright Office: Jacqueline Charlesworth
Michelle Choe
Regan Smith (main questioner)
Cy Donnelly
Steve Ruhe
John Riley
Stacy Cheney (NTIA)
Charlesworth: goal is to clarify record, hone in on areas of controversy rather than restating written comments. Interested in refining/defining broad classes in relation to the support in the record.  Court reporter (so my report is far from definitive!). (Also note that I am not good at ID’ing people.)
Matthew Green, Information Security Institute, Department of Computer Science, Johns Hopkins University
Research in area of computer security and applied cryptography.  Risks posed by DMCA to legitimate security research: discovered serious vulnerabilities in a computer chip used to operate one of the largest wireless payments systems and widely used automotive security system.  Naïve: didn’t know what expected to happen when notified manufacturer, but believed it would involve discussion and perhaps repairs and mitigations we developed. That’s not what happened. Instead, a great deal of resistance from chip manufacturer, and active effort to get us to suppress our research and not publish vulnerabilities.  Instead of repairing the system, mfgr spent considerable resources to stop us from publishing, including raising specter of expensive lawsuit based on 1201. Small component was reverse engineering of software and bypassing extraordinarily simple TPM. 1201 was never intended to prevent security researchers from publishing, but it’s hard to argue merits/intent of law when you’re a penniless grad student.
Charlesworth: why isn’t 1201(j) enough?
A: My understanding is that there’s the bypass issue and the trafficking issues. Both potentially an issue depending on what it means to traffic.  Bypassing the TPM was raised to us at the time.
Blake Reid, Samuelson-Glushko Technology Law & Policy Clinic at Colorado Law: Existing exemptions for (j), (g), and (f) for research/reverse engineering, but as we detailed in comments, there are shortcomings in each.  (j) fails to provide the up-front certainty needed for an exemption, because, e.g., it’s got a multifactor test that depends on things like how the info was used and whether the info was used/maintained in a manner that doesn’t facilitate infringement.  We might well try an argument for applying the exemptions if god forbid he was sued, but as we’ve asked the Office for before we want further up-front clarity for good faith security testing/research. That was the basis of 2006 and 2010 exemptions and we hope for them again.
Green: my incident was 2004.
Charlesworth: would the activities described fall into one of the exemptions?
Reid: Don’t want to opine—again if we were in court I’d absolutely they were covered, there was no ©’d work, etc. but if advising Prof. Green beforehand, hypothetically, there would be reason to be nervous b/c of the ambiguous provisions of the law. The issue of certainty.

Green: we were advised at the time by the EFF, pro bono. We were told they could provide no guarantee that any of the exemptions would protect us if we were sued. They didn’t say we were violating the law, but the complexities of the exemptions were such that they provided no guarantee.
Charlesworth: did you know that before or after?
Green: before, during, after.
Charlesworth: you sought legal advice before?
Green: yes, my prof had a similar experience.
Charlesworth: but you proceeded anyway.
Green: yes, b/c we believed it was necessary. We were fortunate to have the EFF, which gave us the confidence to go forward; we felt that the probability was relatively low.  The system’s been repaired. But w/out that the system might still be broken today. I now begin every project w/ a call to a lawyer for a 1201 mitigation possibility. I still get pro bono representation, but many researchers aren’t so fortunate. Also, good faith research shouldn’t require lawyers; increases the cost of every project.
Reid: We predicted in 2006 that Sony rootkit wouldn’t be the last dangerous/malfunctioning TPM. We vastly underestimated the widespread vulnerabilities that can be caused by and concealed by TPMs—intermingled with everyday consumer goods including cars, medical devices, internet software.  Chilling effects have become ever more pernicious—a roomful of nation’s top security researchers stand before you today highlighting the threats they, their colleagues, and their students face in trying to make America a safer place to live. Existing exemptions show security to be a priority but are not enough to avoid attempts to silence their work, which is protected by the First Amendment and protects the public.  In 2006, Peters rejected projection of worsening TPMs and recommended against a broad exemption, but that prediction was prescient.  Lengthy record of security vulnerabilities that could have been avoided w/a workable exemption.  Researchers before you today are the good guys. They care about abiding by the law and they need breathing space. W/out your help they will lose an arms race to bad guys who don’t care about violating 1201.
Q: 1201 exemption for video games—was that too small?
Reid: the issue was not with the piece of the exemption that was granted, but that the vulnerabilities around DRM patched w/video games was just one piece of evolving threat.  Evolving piece was in things like cars, medical devices. It was the narrow piece that said security researchers could look at TPMs only for video games.
Q: but the exemption had other limits—info must be used primarily to promote security of owner/operator, and must not be used to promote copyright infringement.  Does that restrict research?
Reid: it’s hard to tell you—the subsequent vulnerabilities were not necessarily in video games. Folks took a look at exemptions and said video game exemptions were too narrow to do research.  If added to broad exemption, we’d have some of the same concerns—don’t have certainty w/words like “primarily.”
Q: your proposal is “for the purpose”—how much more certainty does that provide you? Existing statute says “solely”—congressional intent?
Reid: the more certainty we can get, the more mileage researchers will get. Post hoc judgments are problematic b/c it’s hard to say up front what the primary purpose is.
Q: but there will always be post hoc judgments.  We also have to ask what is good faith.  We have to draft language for an exemption—we want to understand what kinds of limitations might be appropriate in language that balances need for less post hoc analysis with some definition of what it is we are allowing.  Congress did act in this area, which is guidance about what Congress was thinking at the time.  [But the exemption procedure is also guidance about what Congress was thinking at the time.]
Reid: clarity about what these limits mean: being used to facilitate © infringement—opponents have said that simply publishing information about a TPM/software might facilitate copyright infringement. Guidance that the acts we’re concerned about here, outlined in the comments: investigating, research in classroom environment mostly, being able to publicly disclose in responsible way the results are covered. If you enable that, that’s the most important piece we’re looking for in limitations.
Charlesworth: tell me more about a classroom environment. Should an exemption be tied to academic community.
Reid: Student ability to work on this is really important, but we wouldn’t support a classroom use limit. Private sector and amateur security researchers are really important, building skillsets.
Charlesworth: should a university researcher oversee all of this research?
Green: very concerned about that. The most dynamic/important research is being done by people in the private sector, commercial security researchers. The vehicle security research is funded by DARPA but worked on by Charlie Miller, unaffiliated w/university. Very similar with other kinds of research. Some is authorized, but the vast majority is done by private individuals w/access to devices. Recent cases: researchers told to back off b/c of DMCA.  One happened just a couple of weeks ago.
Andy Sayler, Samuelson-Glushko Technology Law & Policy Clinic at Colorado Law: Heartbleed, Shellshock, numerous vulnerabilities in the last year.  Logjam—a week ago.
Q: was that done without circumvention?

Green: we don’t know.  Some public spec, some looking at devices.
Sayler: note that much security research is funded by the gov’t. 1201 is used to discourage independent security research.  Congress didn’t intend good faith research to be suppressed, but they’re ambiguous/undue burdens.  Ioactive researcher was threatened w/DMCA for exposing vulnerabilities in Cyberlock locks.  Significant personal risk/unreasonable legal expenses to mitigate risk.
Mark Stanislav, Rapid7 security consultant: Last year assessed Snort, a toy that lets parents communicate with children over the internet.  Oinks to signal new message. Child can reply. The security features were flawed; unauthorized person could communicate w/child’s device and could access name, DOB, and picture of child as well. Contacted the vendor; despite my offer to go into details w/engineers, vendor wouldn’t engage and made legal threat, saying I must’ve hacked them.  Productive dialogue eventually occurred and resolved issues. Situation made me fear for my livelihood.
Q: did you discuss DMCA exemptions? 
Stanislav: I wasn’t privy to the lawyers’ conversations. I understood that I was at risk.  My goal was protecting children, but it wasn’t worth a lawsuit.  I found vulnerabilities in my own webcam that would allow a criminal to access it.  Direct risks to privacy and safety. I contacted the vendor and offered assistance. Final email, after friendly to threatening, wanted me to meet w/them b/c they said I might have accessed confidential information.  Entrepreneurs who made Snort have gone on to win numerous awards.  What if a criminal had abused these and put children in harm’s way? Webcam: new leadership came in and apologized. Research prevented harm, privacy violations, allowed businesses to fix critical flaws before adverse impact. We help people/businesses who don’t know they’re in harm’s way/putting people in harm’s way.  We live in a time when a mobile phone can control an oven. Smart TVs have microphones listening to us all the time. Please help widen the collective efforts of security research; the researchers who stay away from research b/c of DMCA are problems.
Steve Bellovin, Columbia University: Researched in private sector for decades. Academic research is generally concerned with new classes of vulnerabilities. Finding a buffer overflow in a new device is unpublishable, uninteresting. Most of the flaws we see in devices we rely on are serious but known vulnerabilities. Not the subject of academic research; the independent researchers are the ones actively protecting us. Students unlikely to do it; I discourage my PhD students from looking for known vulnerabilities because it won’t get them credit.
As a HS student, I wrote a disassembler so I could study source code. That’s what got me to where I am today.  Arguably would be illegal today, if I wanted to look at a smartphone. Four years later, I caught my first hackers. I teach my students how to analyze and attack programs. I coauthored the first book on firewalls and internet security.  You have to know how to attack in order to secure a system. To actually try an attack is a hallmark assignment; it’s not the only way, but it is one of the ways.  Is a copyright owner who profited a great deal from copyright, but wants a balance.  1853 treatise on whether it’s ok to discuss lockpicking: truthful discussion is a public advantage.  Harm is counterbalanced by good.
Andrea Matwyshyn, Princeton University: These questions are about frivolous litigation that attempts to suppress discussion around existing flaws that may harm consumers, critical infrastructure, economy.  Help curb frivolous 1201 litigation.
Charlesworth: on the issue of disclosure: you’re suggesting that mfgrs tend to shut down the conversation, but isn’t there a countervailing interest in giving mfgr some time to correct it before public dissemination?  I understand bad hats are out there already, but hacking into something more mundane like a video console there are probably people who don’t know how to do that who might be educated by disclosure.
Matwyshyn: there are two types of companies. Some are very receptive to this—FB, Google, Tesla have bounty programs who compensate researchers.  Processes in place w/clear reporting mechanism on websites and internal ID’d personnel. The second type has not yet grown into that sophisticated model.  So it’s this second category that doesn’t possess the external hallmarks of sophistication that react viscerally, through overzealous legal means and threats.  The Powerpoint I shared has a copy of one of the DMCA threats received Apr. 29, 2015.  Hearing Exh. 10, letter from Jones Day to Mike Davis, security researcher at Ioactive, a security consultant.  Regards repeated attempts to contact Cyberlock about their product.  They used DMCA as a threat.
Q: Cyberlock seemed to have taken the position that Davis insufficiently disclosed. [Actually it indicates that he didn’t want to talk to Jones Day, not that he didn’t want to talk to Cyberlock, which makes sense.]
Matwyshyn: he was ready to share that with technical team.  Subsequent followup email in record explains and identifies prior instances of threat.
Q: if you granted the proposed exemption in full, would that change the outcome? If a company is going to engage in frivolous litigation, we can’t stop that.
Matwyshyn: I believe it would help a lot.  The note from Ioactive’s general counsel: GC’s perspective is that it seeks a strong basis for defense.  Expresses concern that litigation to the point of discovery can cost $250,000. When we’re talking about a small security consultancy or independent researcher, engaging w/the legal system is cost prohibitive.  A roadmap exemption would give a one-line statement of reassurance that a GC or security researcher could send to a potential plaintiff. W/exemption, Jones Day would be less likely to threaten DMCA as basis for potential litigation.  Provided that Cyberlock has in place a reporting channel that the researcher used, and researcher disclosed the list of disclosables we proposed, that would provide a clear roadmap for both sides’ relationship in the context of a vulnerability disclosure.  Significant improvement in murkiness, more easily discernable question of fact.
Q: One of the elements is that the manufacturer had an internal management process. How would a researcher verify that?
Matwyshyn: the researcher needs a prominently placed reporting channel. The additional requirements are not researcher-centric, but assist figuring out what happened if something went awry. The researcher need only assess whether there is a prominently placed reporting channel. 
Q: you want a front door, but you’ve put other elements in your proposal—the creation of an internal corporate vulnerability handling process. Opponents have said a researcher wouldn’t even know if the company had such processes in place. How would they know?
Matwyshyn: the later parts are only for a subsequent finder of fact. Supposed the researcher used the front door and then the sales department loses the report—the exemption protects the researcher.
Q: but does it give ex ante comfort?  The researcher won’t know if that will happen. 
A: if it goes off the rails b/c the internal processes weren’t in place, the researcher has a second tier ability to defend if the disclosure results in a threat.
Bellovin: In almost 30 years, it’s been remarkably hard to find ways to report security vulnerabilities. I know security people and can generally find an artificial channel.  But put yourself in the position of someone who has found a flaw and doesn’t know me.  If this vulnerability is a threat to safety, public disclosure is a boon.
Matwyshyn: Henninger attempted to contact 61 companies about a vulnerability. 13 had contact info; the rest she had to guess at a point of contact. 28 humans responded out of 61.  A different 13 said they’d already fixed it.  6 subsequently released security advisories b/c of her report. 3 were after the intervention of ICS-Cert contacting the provider in question.
Q: the suggestion is that she made a good faith attempt that she documented attempts to notify.  Isn’t that a more objective standard than having her know the internal processes. 
Matwyshyn: the judgment point for the researcher is “is there a front door”?
Q: in many cases they may have a front door [note: contradicted by the record], but you could try to figure that out and keep a record if your attempt was unsuccessful.   You shouldn’t have to know the internal workings of the company. [This is the proposal, though!  Right now you have to know the internal workings to reach someone if there’s no front door. Under the proposal, you don’t have to know the internal workings, but you know that if you deliver through the front door you are protected!]
Matwyshyn: right now you get a chill even with documented attempts.
Q: but some companies will just threaten you no matter what.  You won’t avoid that entirely. If we go down this road, how will people know?  If the standard relies on how people handle things, how will they know?
Matwyshyn: if the front door exists, the researcher should use it. If the disclosure goes off the rails, the researcher gets an extra boost.  W/out legal team, you can assess whether there is a front door and thus whether you should use it.
Q: why shouldn’t they try other methods if there isn’t a front door? You try to figure out who owns something in copyright all the time. You’re saying we should have a standard that everyone has to have a front door. [Why is this a copyright issue? What is the nexus with copyright infringement? Why not follow the ISO security recommendations? Why would the Copyright Office have a basis for knowing better than the ISO standard how vulnerabilities should be reported?]
Matwyshyn: The ISO standard was negotiated across years and stakeholders.
Q: those are big companies, and this law would apply across the board.  Manufacturers who don’t have the resources might not know.  We have to think of them as well. [B/c of their copyright interests?]
Matwyshyn: could identify copyright contact as point of contact. 
Q: for DMCA that’s a statutory requirement. [Um, “requirement” if the companies want the DMCA immunity. If they want people to report vulnerabilities to them, why not have them follow a similar process?]
Matwyshyn: Congress did discuss security as well—you can expand the concept/clarify it.
Matthew Blaze, University of Pennsylvania: History of security research, including on Clipper chip and electronic voting systems.  Two specific examples of DMCA issues, though it loomed over every nontrivial work I’ve done since 1998.  Analogous to Ioactive/Cyberlock issue, in 2003 I decided to look at applications of crypto techniques to other types of security: mechanical locks. Discovered a remarkably similar flaw to that discovered by Ioactive: could take ordinary house key and convert it into master key into one that would open all locks in a building.  Real world impact and interesting use of crypto; master key systems need to have their security evaluated. Purely mechanical, no TPMs. And so publishing was simple and without fear.  But other work is chilled by the DMCA. Example: in 2011, w/grad students studied P25, a communication system used as a digital 2-way radio by first responders, including federal gov’t.  Examined standards for the system as well as the broad behavior of a variety of radio products that used them. Discovered a number of weaknesses and usability failures, and discovered ways in which the protocols could lead to implementation failures. To study those failures, we would’ve needed to extract the firmware from actual devices. But we were sufficiently concerned that in order to extract the firmware and reverse engineer it, and in particular develop tools that would allow us to extract the firmware, we would run afoul of the DMCA. So we left a line of research untouched. If we had the resources and the time to engage a large legal effort to denote parameters, we could possibly navigate that, but under the DMCA as written we decided it was too risky.
Q: why not 1201(j)?
Blaze: w/o getting into atty-client privilege, the essential conclusion was that we were in treacherous territory, primarily b/c we would have needed to reverse engineer, see if implementation failures we anticipated were present, and effectively build our own test bed along the way. We approached a few manufacturers and attempted to engage with them and were ignored or rebuffed every time. We realized the relationship would be hostile if we proceeded.  The anti-trafficking provision would have been particularly problematic b/c we needed tools for extracting—a colleague in Australia examining the same system had developed some tools and expressed interest in working w/us, but we couldn’t.
Q: is there a norm of trying to disclose before publication?
Blaze: certainly there are simple cases and hard cases. In simple case, we find particular flaw in particular product w/well defined manufacturer w/a point of contact. Sometimes we can find an informal channel.  As someone who is an academic in the security community and wants to work in the public interest, I don’t want to do harm.  Disclosing to the vendor is certainly an important part. But in other cases, even identifying the stakeholders is often not so clear. Flaws found in libraries used to build a variety of other products: we won’t always know what all, most or even some of the dominant stakeholders.
Q: when you do know, is it a norm to disclose in advance as opposed to concurrently?
Blaze: it has to be case by case. There is a large class of cases when we have a specific product that is vulnerable, and we can say “if this mfgr repairs, we can mitigate.” But other cases it’s less clear where the vulnerability is present and it may be more prudent to warn the public immediately that the product is fundamentally unsafe. Reluctant to say there’s a norm b/c of the range of circumstances.
Green: In some cases like last week there’s mass disclosure—you can’t notify the stakeholders all at once. If you notify, they may leak it before you want it public which can cause harm.  Sometimes you want to be very selective.  If, let’s say, 200 companies are affected, you can go to Google/Apple and trust the info won’t leak, but beyond that the probability that the problem becomes public before you want it to is almost one—I’ve had that happen.  Heartbleed was an unintended leak—too many people were notified of a mass vulnerability, and many systems including Google and Yahoo! were not patched as a result of the two weeks early disclosure.
Charlesworth: so are you saying that disclosure should be limited?
Green: there is no single answer you can write down to cover it all. Heartbleed: massive vulnerability affected 1000s of sites. Google = Google would fix and protect maybe 50% of end users on internet. Yahoo! = protect 25%. As you go to a smaller website, now you’re protecting 200 people but probability of leak is fairly high. Then criminals can exploit vulnerability before it’s patched.  Has to be customized to potential vulnerabilities.
Reid: you’re hearing a theme that this is an issue for the judgment of security researchers, and it’s only b/c of the DMCA that suddenly this is the realm of copyright law. Getting pretty fair afield of Congressional intent to mediate these judgments and their complexities, which take a lot of negotiation, as Matwyshyn underscored w/ISO. We would strongly caution the Office against being too prescriptive. (1) If there wasn’t a lock involved, we’d just be talking about fair use. In that case it would be up to the researcher how to disclose. Whatever copying was necessary for research would be the only issue; the fruits of the research would be free and clear. (2) Remember the First Amendment interests and the prohibition on prior restraint. Rigid structure on when someone is allowed to speak, even if the policy judgments weren’t complicated.
Charlesworth: did you brief the First Amendment issues?
Reid: not in detail.
Charlesworth: Congress considered this in making disclosure a factor.  What you’re saying is that sometimes you should disclose, sometimes not. 
Reid: Congress can’t contravene the 1A, even in enacting the DMCA.
Charlesworth: but looking at disclosure to manufacturer is a factor—maybe that’s not such a bad way to think about it.
Reid: factors mentioned in (j), to extent compatible w/1A, can be read as probative of intent to do security testing or something else. Reading them as limitations of speech after circumvention performed is constitutionally troubling.
Charlesworth: that’s a brand new argument, and I’m not troubled by (j), but there’s a lot of commentary about disclosure.  Google has a 90-day disclosure standard; you’re saying there should be no standard, though Congress clearly had something in mind.  [Would having a front door be consistent with being the kind unlikely to leak?]
Blake: As academics and members of the public research community, the aim of our work is to disclose it. The scientific method demands disclosure.  Someone building tools to infringe is not engaging in research.  The issue is whether or not the work is kept secret or disclosed to the vendor, not whether it’s disclosed to the vendor in advance. No one here is advocating keeping research secret—trying to protect research we will publish and will benefit everyone.
Mellovin: twice in my career I’ve withheld from publication significant security flaws—once in 1991 to delete a description of an attack we didn’t know how to counter. Because security community wasn’t aware of this publicly, the bad guys exploited the flaws before fixes were put in place. It was never seen as urgent enough.  Published the paper in 1995, once we saw it being used in the wild and b/c original memo shared only with a few responsible parties ended up on a hacker’s site. Security community didn’t care until it became public.
Other case: vendors were aware of the problem and didn’t see a fix; once it was in the wild, others in the community applied more eyes and found a fix. In both cases, trying private disclosure actually hurt security.
Matwyshyn: (1) 1201(i) concerns are slightly different. (2) In our findings we did discuss the First Amendment, should the panel wish to review the cited law review article. (3) Google’s a member of the Internet Association, which supports our approach. (4) Frivolous litigation: the benefit of a clear exemption allows them to feel more comfortable contacting vendors earlier, rather than needing to weigh the risk of litigation to themselves; later contacting is now something you do to mitigate risk that they’ll sue you before you disclose. Providing comfort would encourage earlier contacts.
Laura Moy, New America’s Open Technology Institute
I’ve encouraged the Office to focus on © issues and not weigh the policy issues as opponents have suggested.  But consumer privacy is relevant b/c the statutory exemption for privacy indicates Congress’s concern therefor. Some opposition commenters have cited privacy concerns to grant an exemption—but that’s wrong.  Remove roadblocks to discover security vulnerabilities.  As many others have pointed out, vulnerabilities often expose consumer info and they need to be found. Malicious attackers are not waiting for the good guys; they race to do their own research. They are succeeding. Last year, CNN reported 110 million Americans’ info had been exposed—these are just the ones we know about.  Need to find them as soon as possible, dismantling roadblocks.
Vulnerabilities should be disclosed so consumers can incorporate security concerns into decisionmaking. Consumers have a right to information they can use to make informed choices. Also bolsters vendors’ economic incentives to invest in security—publicity can be harmful if a product is insecure, and that’s as it should be. As a consumer, you should know of known vulnerabilities to Cyberlock’s product before you purchase.
Vulnerabilities should be disclosed so that regulators enforcing fair trade practices know whether vendors are adhering to the promises they’ve made and using good security practices. FTC says failure to secure personal information can violate FTCA; state laws too. Enforcement requires understanding of security. Often rely on independent researchers.  FTC recognizes that security researchers play a critical role in improving security.
Erik Stallman, Center for Democracy & Technology: security testing done only with authorization of network operator in statutory exemption—in a world of internet enabled devices, it can be very difficult to determine who the right person is.
Q: says owner/operator of computer, not owner of software.  Even if I don’t own the software, can’t I authorize the testing?
Stallman: it’s unclear if that’s sufficient—if your banking network is connected to a VPN, it may be the source of a vulnerability.  Are the computers at your ISP covered by this? 
Q: presumably if I hire a VPN provider I can ask them for permission to test the security.  [Really? I can’t imagine the VPN provider saying yes to that under most circumstances.]  I can buy a pacemaker and run tests.  If you own that pacemaker, you can run tests.
Stallman: You may need to go up the chain. The moment you fall outside, you fall outside the exemption [e.g. if you communicate with another network].
Q: so I want to test HSBC’s systems to know if they’re secure. Will the exemption allow this test without permission of third party server?
A: Something like Heartbleed—a ubiquitous exploit on many systems. You shouldn’t need to go around and get permission. Accidental researcher: may come across vulnerability when engaged in different research. Often researchers won’t know what they’re looking for when they start looking. 1201(j) limits what they can ask.
Q: I want to test a website’s security. Can I test it under your proposal? Say I bank at HSBC and want to test it.
Stallman: So long as you’re doing good faith security research, yes.
Q: but Congressional history says shouldn’t test locks once installed in someone else’s door.  Does your proposal require any authorization, or is there a proposal requiring at least an attempt to seek authorization?
Stallman: the problem is it’s hard for the researcher to know/stay within stated scope. Or authorization can be revoked/cabined.  You could ask HSBC, but then what do you do if they say no?  Then you’re out of luck.
Q: legislative history suggests authorization is important.
Stallman: the internet environment is very different from enactment of 1201(j); House Report said that the goal would be poorly served if they had undesirable consequence of chilling legitimate research activity, and that’s the problem we have now.  1201(j) is not providing the protection that researchers now need.
Q: nuclear power plants/mass transit systems—should we allow testing of live systems?  How would this research be conducted?
Stallman: many critical infrastructure systems depend on the same software/applications that run other systems. Should not be able to stop research on systems widely in use by other people. 
Q: but if this can be tested by off the shelf software, shouldn’t it have to be?
Reid: to the extent the Office reads (j) very broadly, you could put that in the record/conclusions in the proceeding, that would be very helpful.  The primary concern: one interpretation is that the computer system is the bank. The concern is to the analogy in the legislative history—the TPM on that system is not protecting the bank’s property. It’s protecting the software. The company will claim we aren’t the owner and that we aren’t engaged in accessing a computer system, but rather engaged in accessing software running on that computer. That is the ambiguity that has crippled (j) in the past. We would agree with your interpretation of (j) in court, but when we’re trying to advise folks we have to acknowledge the multiple interpretations.
Charlesworth: we haven’t come to any conclusions about the meaning of (j). Your point is well taken.  We may get there, but we aren’t there yet.
Reid: Think about the standard for granting an exemption: the likelihood of adverse effects. You’ve heard that uncertainty produces the adverse effects. You need not have an ironclad conclusion about (j) in order to grant this exemption. If you conclude that there’s multiple interpretations but a chill, then you need to grant the exemptions.
Bellovin: (j) is for testing my own bank as an employee. I might be able to take precautions, or not. Even the most sophisticated users would have trouble mediating a flaw in an iPhone. We aren’t talking about device ownership, but vulnerabilities not in the device but rather in the software—not the flaw in our particular copy but the class of copies which manufacturers often don’t want to hear about/don’t want anyone to hear about it. If a flaw is serious enough I may not use my copy, but it’s the other instances owned by others that need protection.
Stallman: Just note that security experts have signed on to comments about the chill. General point is that because (j) has CFAA, Wiretap Act, Stored Communications etc. references, it has the unfortunate effect of compounding/amplifying uncertainty. It’s not satisfying to say that other legal murkiness means we shouldn’t address this issue—this is one thing the Office can do and send a clear signal that this is an area that Congress should look at.

No comments: