Congress Considers Bill to Unlock Copyright Protections So You Can Lockdown Your Safety
The “Internet of Things” (or “IOT”) is a phrase with growing familiarity and significance. More and more devices are network-enabled, which means devices can not only produce data but also receive and/or transmit data and signals to other devices. Most of people own smartphones with mobile Internet access, but additional network-enabled devices have become popular, such as computers in our cars, watches, and thermostats, to name a few.
The IOT comes with consumer excitement over on-demand access to information and control, but the IOT also creates new security risks. In July, the Washington Post published a story by Craig Timber about the ability for cars with GPS and other network access features to be hacked from afar, possibly by cybercriminals. Hackers have demonstrated an ability to trigger car security alarms, turn a car’s steering wheel, and disable a car’s engine. As dangerous as driving is, these hacks are of great concern for consumers and the auto industry, as well as other IOT device manufacturers.
There is an on going debate about software that operates within IOT devices, which gives life to the hardware that provides network connectivity. The computer code comprising such software is protected by copyright law. Protection of copyright owner rights was a focus of the Digital Millennium Copyright Act of 1998 (or “DMCA”). The DMCA specifically prohibits the circumvention of technical protection measures (or “TPMs”) that copyright owners implement to block unauthorized modification, distribution, and/or copying of a copyrighted digital work.
As time has passed and technology has changed, though, critics have cited shortcomings to the DMCA’s support of TPMs. Critics claim the DMCA creates an unintended consequence of limiting security research and innovation that could otherwise improve the safety of network-enabled devices. The unintended consequence results from the fact that, unless authorization is granted by a copyright owner, the DMCA requires exemption of circumventing practices by the Librarian of Congress before anyone may lawfully attempt to circumvent and/or derive improvements for software protected by TPM. This requirement creates problems, such as requiring interested parties to demonstrate the need for an exemption every three years even if the exemption has been granted previously.
The DMCA’s support of TPMs has also had a chilling effect on the ability of skilled computer technicians and developers to maintain and fix devices because such services may violate TPMs. Relatedly, there are claims that protections for TPMs limit the ability for add-on technology to improve the accessibility of software for disabled persons, such as software used for e-readers. Copyright owners could consent to modifications and research, but this poses administrative challenges, in addition to copyright owners having a disincentive to permit such practices because they want to maintain control over their copyrighted works.
Senator Ron Wyden of Oregon and Representative Jared Polis of Colorado have plans to change the exemption process for TPMs through the Breaking Down Barriers to Innovation Act (or “Barriers Act”). Introduced this year by the two Congressman in each respective congressional house, the Barriers Act proposes an expansion of statutory exemptions for the legitimate practice of reverse engineering, researching encryption technology, protecting personally identifying information, and security testing. The Barriers Act also proposes automatic renewal of administrative exemptions unless a change of circumstances justifies retraction of the exemption. Furthermore, the Barriers Act would ease the process of obtaining an exemption by lifting some of the burden of proof for justifying an exemption away from the proponent and requiring the Librarian of Congress to look positively upon exemptions that would improve accessibility of works to persons with disabilities and/or further security research.
With these changes, security professionals may be empowered to analyze the software in devices and machines like our cars. This additional analysis may lead to an increase in options for solving security problems in our IOT devices by eliminating the limitation of only having manufacturers as problem solvers.
The Barriers Act is currently assigned to committees in the House and Senate, so it may be some time before the ultimate fate of the bill is determined. Consumer rights advocates, software developers and device manufacturers alike are likely to follow the progress of the Barriers Act. Passage and enactment of the bill could lead to improvements in the marketplace for software security research and improvements, as well as new functionalities for the IOT devices we’re growing to love. Finding and patching security bugs may enable drivers to better protect their vehicles from cybercriminals—which is both an individual benefit and a benefit to the safety of our streets as a whole.