Why Copyright Law Is Undermining Cybersecurity, And How to Fix It

You probably know that cybersecurity is a major concern for consumers, as each week seems to bring reports of another high-profile data breach. What you may not realize is that copyright law, in the form of the Digital Millennium Copyright Act (DMCA), threatens to make it worse by standing in the way of researchers working to improve cybersecurity.

If you’re an adult living in the United States today, your personal information has probably been exposed by a malicious attacker. This time last year, CNN Money reported that in the preceding 12 months, attackers had exposed the personal information of 110 million Americans, or roughly half the adult population of the country. That was before widely publicized data breaches of Anthem, Premera, and CareFirst Blue Cross Blue Shield, which collectively . And even if your information has not actually been exposed, chances are you’re among the .

Attackers use a range of techniques to gain unauthorized access to personal information, one of which is exploitation of software vulnerabilities. For example, software vulnerabilities were responsible for the infamous and attacks of 2014.

Not only do vulnerabilities lead to theft of personal information and possible identity theft, but they could also threaten your physical safety. For example, as explained in a recent published by Senator Markey’s office, vulnerabilities in cars could be used to attack safety-critical systems such as the engine and brakes. Vulnerabilities in the software operating on medical devices, such as implantable defibrillators, .

, and those bugs —that much is clear to everyone. What isn’t clear to everyone is the fact that copyright law—in particular the of 1998—is hindering the activities of independent security researchers working to find and address vulnerabilities before they are exploited.

Congress passed the DMCA to combat copyright infringement. Among other things, the DMCA makes it more difficult for would-be infringers to break mechanisms put in place to protect content from unauthorized copying. Unfortunately, it was written so broadly that it has been used to outlaw a broad range of activities that Congress didn’t mean to interfere with, or at least to subject those activities to unnecessary litigation. For example, the DMCA has been used to , to , and a . It even interferes with independent security researchers working to identify , including and on .

That’s why we at OTI, working with a coalition of allies, are advocating in an ongoing rulemaking proceeding at the Copyright Office for exemptions to the DMCA that would allow security researchers to do the good work they do finding software vulnerabilities, so that those vulnerabilities can be addressed and we can all be a little safer. Here’s what we’ve done on the issue:

  • In February, OTI filed urging the Copyright Office to conduct the rulemaking in a manner friendly to exemption proponents and consistent with the intent of Congress;

  • Also in February, OTI collaborated with the Digital Right to Repair Coalition to deliver thousands of public comments to the Copyright Office in support of proposed exemptions;

  • In May, OTI filed explaining why consumer privacy interests necessitate exemptions for independent security research of software and medical devices;

  • Also in May, OTI’s Kevin Bankston joined over 30 leading cybersecurity experts on a , which explained that the DMCA, the Computer Fraud and Abuse Act, and the Electronic Communications Privacy Act all generate uncertainty that chills security research, and was in the DMCA rulemaking at the Copyright Office;

  • In June, OTI’s Laura Moy testified in two hearings (, ) at the Copyright Office in support of proposed exemptions for software and medical device security research.

  • In June, OTI and the Center for Democracy & Technology co-filed with the Copyright Office in support of security researchers.

What happens next? We wait, as the security of our personal information and, in some cases, our very lives, rests in the hands of decisionmakers at the Copyright Office and the Library of Congress, slated to rule on the exemption proposals in coming months.

But even if the result is good and we get the exemptions we’ve asked for, those exemptions will only be temporary, lasting three years, and won’t solve broader problems with the DMCA. That’s why we’re committed to long-term reform of the DMCA in Congress. As we’ve said in the past, the best way to rein in this overreaching copyright law would be to simply it so that it doesn’t interfere with activities that have nothing to do with copyright infringement, like security research.

More About the Authors

Laura Moy

Program Fellow, Open Technology Institute
