Earlier this month Rep. Farenthold (R,TX) introduced HR 905,
the You Own Devices Act. This bill address some of the copywrite issues
related to software used to operate equipment.
Software Copywrite Issues
The bill amends 17
USC 109, “Limitations on exclusive rights: Effect of transfer of particular
copy or phonorecord”. It adds a new paragraph (f) to the section. That
paragraph addresses the transfer of certain computer programs.
The first provision codifies the legal transfer of the
software that “enables any part of a machine or other product to operate” {§109(f)(1)} when that
machine or product is legally sold or otherwise transferred.
The second provision addresses software updates. It
specifies that the right to receive any software changes related “in whole or
in part to security or error correction” {§109(f)(2)} is transferred along with
any transfer of the equipment that the software operates.
The third provisions prohibits the retention of a copy of
the software when a party transfers the equipment and/or software to another party.
Moving Forward
Farenthold is a member of the House Judiciary Committee (the
committee to which this bill was assigned for consideration) so there is a decent
possibility that this bill could be considered in committee. There may be some
opposition to the update provisions of this bill from some software vendors, so
it is unclear at this point if there would be enough support in the House for
the bill to allow it to be considered under suspension of the rules. It is
unlikely that this bill would make it to the floor of the House under a rule.
If the bill were considered in the House, I suspect that it
would pass.
Commentary
I think that this bill could end up being important for
security researchers. The first provision allowing that legally buying software
operated equipment automatically includes the legal transfer of the copy of the
operation software precludes a vendor from threatening to prosecute researchers
for illegally accessing the software.
The second provision means that when a researcher finds a
vulnerability in a piece of control system software and the vendor issues an
update or patch, the researcher is entitled to obtain a copy of that patch or
update as long as he owns a piece of equipment that uses that software to
operate. This would make it easier for the researcher to determine the efficacy
of the fix.
One software related copywrite issue that is not addressed
in this bill is the legal right to modify software used to operate a piece of
equipment.
Posts
No comments:
Post a Comment