Legal threat against security researcher claims he violated lock's copyright
Mike Davis from Ioactive found serious flaws in the high-security
Cyberlock locks used by hospitals, airports and critical
infrastructure, but when he announced his findings, he got a legal
threat that cited the Digital Millennium Copyright Act.
Jeff Rabkin, a partner at the “elite international law firm” Jones Day
sent the thinly veiled threat on April 29, asking Ioactive to help him
discover whether “intellectual property laws such as the
anticircumvention provision of the Digital Millennium Copyright Act” had
been violated in the course of Davis’s research.
The 1998 DMCA prohibits actions that assist in bypassing “effective
means of access control” to copyrighted works. It’s the statute that
lets Apple prevent competitors from launching rival App Stores, and
stops companies from selling DVD-ripping software.
The problems with the DMCA have metastasized as computer code has become
a critical part of everything we own, from cars and tractors to fridges
and pacemakers, and even to our locks. Helping people get past the
locks that manufacturers use to force their customers to buy spares,
parts and add-ons from the original vendor rather than a cheaper
competitor may also be prohibited by the DMCA, hence this letter, which
supposes that publishing information about flaws in a lock violates
copyright law.
In security circles, it’s axiomatic that researchers must be free to
discover and disclose flaws in the systems that we rely on, because it’s
the only way to harden our vital security systems. Preventing
researchers from publishing doesn’t prevent bugs from being exploited –
what a white-hat hacker can discover and disclose, a black-hat hacker
can independently rediscover and weaponize – but it does ensure that
the customers for security are denied the information they need to
evaluate the security decisions they’ve made.
Rabkin and Jones Day are quite possibly barking up the wrong tree here. Two early DMCA cases – Skylink and Lexmark
– tested whether the law stretched to preventing competitors from
reverse-engineering devices in order to make interoperable spares and
consumables (garage door openers and printer cartridges) and in both
cases, the Federal Circuit found that the DMCA could not be used to
prevent this sort of activity.
Disclosing vulnerabilities isn’t exactly parallel to Lexmark/Skylink. In
those cases, an original manufacturer sued a commercial rival, and the
judges took offense at the use of copyright law to such a nakedly
anti-competitive purpose. To me, it’s clear that disclosing the drastic
defects that a manufacturer made in its products is of the same
character as making competing products – a legitimate and socially
vital process that is obviously out of copyright’s scope.
The Ars Technica article has attracted some commentary from Mike Davis
himself, who speculates that the real issue is that the locks were not
designed to be upgraded in the field, and that his discovery might put
the manufacturer in the difficult position of having to replace the
locks, rather than upgrading them.
Rabkin has disputed Davis’s findings, but he’s also sought to chill the
publication of those findings. You can’t really have it both ways: if
the findings are incorrect, then there’s no risk in their being
published. The normal scientific/scholarly process will run its course,
and other researchers will or won’t be able to replicate those findings
and validate or disprove them. But to argue that something is incorrect
and to simultaneously seek to prevent us from reading it smacks of
defensive cowardice and substituting intimidation for debate.