Today the Library of Congress published a final rule in the Federal Register (80 FR 65944-65964) listing the latest exemptions to the provision of the Digital Millennium Copyright Act (DMCA) that prohibits circumvention of technological measures that control access to copyrighted works. The rule amends 37 CFR 201.40 which prescribes the classes of copyrighted works for which the Librarian of Congress has determined that shall for a three-year period be subject to the exemption provided in 17 USC. 1201(a)(1)(B) from the prohibition against circumvention of technological measures that effectively control access to copyrighted works set forth in §1201(a)(1)(A).
The Proposed Classes
The Librarian considered 24 classes of works that would be included in the revised §201.40(b). These included the following classes under the security and safety research provisions of §1201(j):
• Class 22: Vehicle Software;
• Class 25: Software;
• Class 27A: Medical Device Software
As should be expected, there were significant industry objections to the approvals of these classes. Additionally, objections were raised by DOT about the vehicle software class and by FDA about the medical device software class. Comments supporting the three classes specifically and a broad exemption for all computer programs were received from the National Telecommunications and Information Administration (NTIA).
Based upon the comments received during both the public and government comment portions of the rulemaking, the Register recommended that:
• The good-faith security research exemption should be limited to “research on computer programs within devices or machines primarily designed for use by individual consumers (including voting machines), motorized land vehicles, and implanted medical devices and their corresponding monitoring systems”;
• As a general matter, the exemption should not go into effect until twelve months after the effective date of the new regulation with an exemption for voting machines, on the ground that there was no public safety issue;
• Security research must be conducted in a controlled setting designed to avoid harm to individuals or the public;
• The information derived from the research activity be used primarily to promote the security or safety of the devices containing the computer programs on which the research is conducted, or of those who use those devices
The Approved Exemption
The exact language of the approved exemption for security research on computer software can be found at §201.40(b)(7). It provides that good-faith security research on computer programs that does not otherwise violate federal law (specifically 18 USC 1030) may circumvent technological protection measures (TPMs) without violating copyright law as long as that research is conducted on:
• A device or machine primarily designed for use by individual consumers (including voting machines);
• A motorized land vehicle; or
• A medical device designed for whole or partial implantation in patients or a corresponding personal monitoring system, which is not and will not be used by patients or for patient care.
The exemption goes on to limit that research to accessing the software for the purposes of “testing, investigation and/or correction of a security flaw or vulnerability” and doing so in “a controlled environment designed to avoid any harm to individuals or the public”. Information from the research must be used “promote the security or safety of the class of devices or machines on which the computer program operates”.
Finally it must be noted that the exempted security research cannot start until October 28th, 2016 except for research on voting machines which can start today. This was done to provide affected government agencies a chance to limit potential harm from such research by additional regulation where necessary.
The fact that this exemption was limited to the three specific classes of devices was based in large part because those were the devices for which an exemption had been requested by researchers. Those petitions documented the fact that researchers in these areas had had actions taken against them by copyright holders due to the security research that they had conducted on these types of devices. Thus they demonstrated that the generic security research protections provided by §1201(j) were inadequate and required specific exemption under regulation.
In three years, these exemptions will not be automatically renewed when the 7th Triennial Process is completed. The petitions will again have to be submitted demonstrating that the conditions that led to the adoption of today’s exemptions still occur. Researcher need to insure that they start the documentation process all over again. Researchers seeking to expand the security research exemption to other types of devices will be able to build upon this approval, but they will still need adequate documentation.