Beau Woods posted a tweet with the URL for: Exemption to Prohibition on Circumvention of Copyright Protection Systems for Access Control Technologies.
Cutting to the chase:
…
(i) Computer programs, where the circumvention is undertaken on a lawfully acquired device or machine on which the computer program operates, or is undertaken on a computer, computer system, or computer network on which the computer program operates with the authorization of the owner or operator of such computer, computer system, or computer network, solely for the purpose of good-faith security research and does not violate any applicable law, including without limitation the Computer Fraud and Abuse Act of 1986.

(ii) For purposes of this paragraph (b)(11), “good-faith security research” means accessing a computer program solely for purposes of good-faith testing, investigation, and/or correction of a security flaw or vulnerability, where such activity is carried out in an environment designed to avoid any harm to individuals or the public, and where the information derived from the activity is used primarily to promote the security or safety of the class of devices or machines on which the computer program operates, or those who use such devices or machines, and is not used or maintained in a manner that facilitates copyright infringement.
… (page 65)
I have long puzzled over claims of fearing DMCA enforcement by security researchers. The FBI is busy building illegal silencers for the mentally ill. Or engaging in other illegal, if not insane, activities. When would the FBI find the time to pursue security researchers when fantasies about Russian/Chinese/North Korean election “interference” are rippling through Washington?
Although phrased as “fear of prosecution,” the DMCA issue for white hats was one of advertising. Advertising a hack could annoy a vendor. Annoying vendors along with your identity and location seemed like a bad plan. But with a DMCA exemption, white hats are free to spam the Internet with their latest “research.”
Not that I mind white hats advertising, but drawing lines based on the economic interests of stakeholders doesn’t always point to greater freedom. Today it worked in favor of security researchers and possibly consumers, but there’s no guarantee that will always be the result.