DMCA chilling effects: How copyright law hurts security research.

abernard102@gmail.com 2013-03-30

Summary:

"It was hard to believe, but the student insisted it was true. He had discovered that compact discs from a major record company, Sony BMG, were installing dangerous software on people’s computers, without notice. The graduate student, Alex Halderman (now a professor at the University of Michigan), was a wizard in the lab. As experienced computer security researchers, Alex and I knew what we should do: First, go back to the lab and triple-check everything. Second, warn the public. But by this point, in 2005, the real second step was to call a lawyer. Security research was increasingly becoming a legal minefield, and we wanted to make sure we wouldn’t run afoul of the Digital Millennium Copyright Act. We weren’t afraid that our research results were wrong. What scared us was having to admit in public that we had done the research at all. Meanwhile, hundreds of thousands of people were inserting tainted music CDs into their computers and receiving spyware. In fact, the CDs went beyond installing unauthorized software on the user’s computer. They also installed a “rootkit”—they modified the Windows operating system to create an invisible area that couldn’t be detected by ordinary measures, and in many cases couldn’t be discovered even by virus checkers. The unwanted CD software installed itself in the invisible area, but the rootkit also provided a safe harbor for any other virus that wanted to exploit it. Needless to say, this was a big security problem for users. Our professional code told us that we had to warn them immediately. But our experience with the law told us to wait. The law that we feared, the DMCA, was passed in 1998 but has been back in the news lately because it prohibits unlocking cellphones and interferes with access by people with disabilities ... We were worried about the part of the DMCA called 17 U.S.C. § 1201(a)(1), which says that “No person shall circumvent a technological measure that effectively controls access to a work protected under [copyright law].” We had to disable the rootkit to detect what it was hiding, and we had to partially disable the software to figure out what it was doing. An angry record company might call either of those steps an act of circumvention, landing us in court. Instead of talking to the public, we talked to our lawyer ... We sat on our Sony BMG CD spyware results for almost a full month. In the meantime, another researcher, Mark Russinovich, went public with a detailed technical report on one of the two CD spyware systems. When nobody sued him, we decided to go public. In the weeks that followed, things happened quickly. Sony BMG recognized that it had overstepped, it distributed an uninstaller for the spyware, we discovered that the uninstaller opened further security holes in users’ computers, the record company recalled the affected CDs, and we determined that the CDs were reporting users’ listening habits back to the record company. Class action suits were filed. The Federal Trade Commission investigated, and the company eventually settled the FTC charges, agreeing to reimburse affected consumers up to $150 for damage to their computers ... The good news is that this problem is easily fixed. Congress could amend the DMCA to create a robust safe harbor for legitimate research—not limited to encryption, not tied down with detailed requirements and limitations. There is a growing groundswell to address the DMCA’s ban on unlocking cellphones and its roadblocks to access for the disabled. Bills have been introduced in Congress to legalize cellphone unlocking. While we’re tinkering with the statute, let’s create a safe harbor for the researchers who can be our early warning system against unpleasant surprises in the next generation of technologies ..."

Link:

http://mobile.slate.com/articles/technology/future_tense/2013/03/dmca_chilling_effects_how_copyright_law_hurts_security_research.html

From feeds:

Open Access Tracking Project (OATP) » abernard102@gmail.com

Tags:

oa.new oa.licensing oa.comment oa.usa oa.legislation oa.advocacy oa.copyright oa.litigation oa.music oa.sony oa.dmca oa.libre

Date tagged:

03/30/2013, 09:05

Date published:

03/30/2013, 05:05