On 28 October 2016, the US Copyright Office issued a ruling that security researchers may circumvent technological measures that control access to copyrighted works if it is done in good faith, in furtherance of a controlled research, and on a consumer device. The ruling allows security researchers to investigate and discover security vulnerabilities by reverse engineering or circumventing controls without fear of legal recourse. The rul-ing provides that such actions do not violate the Digital Millennium Copyright Act (“DMCA”), provided it does not violate other laws such as the Computer Fraud and Abuse Act (CFAA).
Under the ruling, a qualified research environment must meet six main requirements: (1) the computer programme, or any devices on which those programmes run, must be law-fully acquired; (2) during research, the device and computer programme should operate solely for the purpose of good-faith testing, investigation and/or correction of a security flaw or vulnerability; (3) the research must be conducted in a controlled setting designed to avoid harm to individuals or the public; (4) the information derived from the activity is used primarily to promote the security or safety of the class of devices or machines on which the computer programme operates, or those who use such devices or machines; (5) the information is not used or maintained in a manner that facilitates copyright in-fringement; and (6) the research must not begin before 28 October 2016. It also notes that disclosure of the findings is a factor in determining whether the action was done in good faith, but does not explicitly require it.
The exemption covers all devices or machines primarily designed for use by individual consumers. It cited as examples, toothbrushes, home thermostats, connected applianc-es, cars, and smart TVs and medical devices that are not connected to humans during research. It also noted, however, that the exemption does not apply to “highly sensitive systems such as nuclear power plants and air traffic control systems.”
The ruling of the US Copyright Office of 28 October 2016 is available at:
Autor Jonathan Perl, Counsel, Regulatory Affairs, Locus Telecommunications, Inc.
primarily published in the EMR-Newsletter 01/2017