You may have thought that if you owned your digital devices, you were allowed to do whatever you like with them. In truth, even for possessions as personal as your car, PC, or insulin pump, you risked a lawsuit every time you reverse-engineered their software guts to dig up their security vulnerabilities—until now.
Last Friday, a new exemption to the decades-old law known as the Digital Millennium Copyright Act quietly kicked in, carving out protections for Americans to hack their own devices without fear that the DMCA's ban on circumventing protections on copyrighted systems would allow manufacturers to sue them. One exemption, crucially, will allow new forms of security research on those consumer devices. Another allows for the digital repair of vehicles. Together, the security community and DIYers are hoping those protections, which were enacted by the Library of Congress's Copyright Office in October of 2015 but delayed a full year, will spark a new era of benevolent hacking for both research and repair.
Unfortunately, the exemptions are only temporary and will need to be re-approved the next time the Copyright Office reviews its exemptions, in 2018.
In the cybersecurity world, the law doesn't always treat the good guys like good guys.
As Harley Geiger put it in a talk titled, "Fighting for Legal Protection for Security Researchers" at UNITED2016, the Rapid7 Security Summit, the vast majority of independent research into the security of consumer and commercial products, "doesn't seek to undermine IP (intellectual property) or safety of products. It helps us keep ahead of those who do seek to do harm."
Yet laws at both the federal and state level, "tend to undermine that," he said.
Geiger, director of public policy at Rapid7, cited laws like the Digital Millennium Copyright Act (DMCA) and Computer Fraud and Abuse Act (CFAA), which he said in crucial areas fail to allow for a distinction between researchers, who are simply trying to improve cybersecurity, and criminal hackers.
The story goes on to reference how the Librarian of Congress has allowed a temporary reprieve (as we covered in "It's Finally Legal to Hack Your Own Devices (Even Your Car)"). But, as much as that may improve things for the time being, it falls short of what is really needed for security professionals to examine and test systems.
So, how can a white hat work in a responsible way that is distinguishable from a black hat who, when caught, only claims he is a white hat?
(Score: 0, Funny) by Anonymous Coward on Wednesday November 02 2016, @02:24PM
Moderate me Agree because I'm thinking what we're all thinking!
(Score: 2) by Gaaark on Wednesday November 02 2016, @10:56PM
I moderated you funny because I'm thinking what we're all thinking.
--- Please remind me if I haven't been civil to you: I'm channeling MDC. ---Gaaark 2.0 ---
(Score: 5, Informative) by VLM on Wednesday November 02 2016, @02:39PM
It's gone thru the journalist filter so many times I'm not sure what's actually changing.
I'm pretty sure it's this
https://www.federalregister.gov/documents/2015/10/28/2015-27212/exemption-to-prohibition-on-circumvention-of-copyright-protection-systems-for-access-control#h-12 [federalregister.gov]
And the wikipedia interpretation of the above at:
https://en.wikipedia.org/wiki/Digital_Millennium_Copyright_Act#Anti-circumvention_exemptions [wikipedia.org]
has a list of ten interesting things although the journalists insist it exclusively applies to cars and pacemakers.
If the copyright owner shuts down the server for a multiplayer game or online authenticated game, anything you personally own as long as it's for "good faith security research", interoperability, software removal, if you own a device and have authorization to connect to the network you can have your way with the device firmware if you need to, any ebook that interferes with ADA compliance can be ripped, you can rip and sample for the usual fair use reasons video that's encrypted as long as you don't rip the whole thing, shitty 3D printers that try the overpriced ink strategy by microchipping the PLA have zero legal protection now, you can break into a medical device to "steal" your own medical data and that data is now yours (silo busting digital xrays for example). And the cheesy as hell examples of car and pacemaker the journalists are fixated on although they're not as interesting.
(Score: 1, Insightful) by Anonymous Coward on Wednesday November 02 2016, @04:33PM
Maybe back in the mid-'00s this would have mattered, but with the current generations of signed firmware, unless the LoC forces companies to release signing keys for discontinued products, this hacking allowance is irrelevant since most of the devices are now tamperproof at the silicon level, and some or all of the software is immutable without having those keys to allow replacement and execution of user-modified images which don't pass the checksums or decryption sequences.
The fact that the government hasn't put more effort into protecting consumer rights really goes to show who is more important in globalized, never mind American society today. 'Ownership' of hardware means jack when others control the keys to its overall operation.
(Score: 0) by Anonymous Coward on Wednesday November 02 2016, @03:31PM
If you use tune software to tune your ECM, the dealer will not honor the warranty if you blow an engine. Argue about it all you want about the right to modify the engine control parameters, the dealer will still say it caused the engine damage.
(Score: 1, Interesting) by Anonymous Coward on Wednesday November 02 2016, @04:38PM
in most states, given emission control requirements.
California for instance it definitely is, since this qualifies as modifying emission control systems, and will fail you on smog, just like modifying the carburetor, running a piggyback unit, etc. Plenty of other electronics in your car you could modify, but most of them could have serious unintended consequences without more documentation on the system's expectations and operations. And I am pretty sure your car would become uninsured/uninsurable if this became known to your insurance company, similar to the warranty example by the parent post.
Yay for freedom and liberty in America. Because I totally feel like I can do ANYTHING here without running afoul of a dozen laws and committing at least one felony! </sarcasm>
(Score: 0) by Anonymous Coward on Wednesday November 02 2016, @05:19PM
If you are so burdened by regulation you could always move to Somalia.
(Score: 1) by Fauxlosopher on Wednesday November 02 2016, @06:48PM
OR, we as individuals and/or groups, could examine the foundation of USian law to determine which laws are valid and which (if any) are invalid. Pro-tip: the US Supreme Court is itself a construct of law, so trying to claim that the USSC is the font of all declarations to determine lawfulness is fallacious circular reasoning.
1. All regulations are subservient to laws
2. All lower laws are subservient to higher laws
3. The highest law of USian land is the US Constitution
4. The US Constitution itself cannot possess more authority than its source
5. The source of authority for the US Constitution is no greater than that possessed by a single, random USian person, due to the Philadelphia Convention resting on no authority other than that which its delegates possessed, which in turn was given to them ultimately by lone individual voters whose authority does not increase in scope with numbers (illegal for 1 person to mug a stranger; still illegal for 1,000,000)
No need for USians to move to Somalia; just start treating illegal laws and the criminals that operate under them the way they ought to be: ignore them, and if criminals confront you, deal with them as the criminals they are. (Admittedly, this approach is much easier to successfully implement the more like-minded and helpful folk are nearby. Finding such folk starts with spreading simple premises such as the one within this post.)
(Score: 0) by Anonymous Coward on Thursday November 03 2016, @12:15AM
If you're so burdened by the NSA's mass surveillance, you could always move to Somalia. Do you honestly think that's a rational response to anything? If you want to argue that the specific regulations in discussion are good, then fucking do so. Argumentation!
(Score: 0) by Anonymous Coward on Wednesday November 02 2016, @05:31PM
The tune software I was looking at for a GM vehicle will advance the timing curve, boost the turbo, give you better gas mileage and more power. The drawback is you have to run premium gas or the pistons will become screen tops. It will still pass the California smog test both at the tailpipe and computer, it's a hidden software update not seen from a scan tool.
(Score: 2) by Bogsnoticus on Wednesday November 02 2016, @10:32PM
Why is it so many people complain about "having" to run premium when they modify their car?
Would you get a new spray job, and then park it under a tree to allow it to be covered in sap and birdshit?
Would you buy a $5k suit, and then sew Megadeth patches all over it?
Buy a toilet and then proceed to just shit in the bath tub?
Genius by birth. Evil by choice.
(Score: 2) by Gaaark on Wednesday November 02 2016, @10:59PM
Buy a toilet and then proceed to just shit in the bath tub?
Hell ya! The dog drinks from the toilet.... duh! :)
--- Please remind me if I haven't been civil to you: I'm channeling MDC. ---Gaaark 2.0 ---
(Score: 2) by Grishnakh on Wednesday November 02 2016, @09:49PM
This stuff has been governed by the Magnuson-Moss Warranty Act since 1975. You can make any modifications to your car that you want (except perhaps in emission-controlled areas, that's another argument), and the dealer/manufacturer cannot refuse to honor the warranty, *unless* they can reasonably prove that your modification is what caused the issue.
So yes, changing your ECM software, and then bringing your car to the dealer because it blew a hole in the piston, is likely to result in a refusal to honor the warranty (if they find out the software was modified). Or, changing your wheels to something radically different from the car's wheels, and then filing a claim when your suspension breaks, is also likely to result in a refusal.
But they can't refuse to honor the warranty when your engine dies just because you put some Goodyear tires on instead of OEM Firestones (in the same size).
(Score: 4, Informative) by NotSanguine on Wednesday November 02 2016, @06:12PM
Or is he just a poor proofreader?
From TFA:
The DMCA [wikipedia.org] went into effect in 1998, some 18 years ago (I suppose you could say 1.8 decades, I guess). Perhaps what moron^W Greenberg was referring to was the 1996 WIPO copyright treaty which is two (count 'em) decades old, or that it was an update to the Copyright Act of 1976 [wikipedia.org], which is four decades old.
Regardless, can't we find better sources than Wired? I'll answer this question myself. No one else is reporting on this because the most recent modifications to the list of DMCA section 1201 exemptions went into effect on October 28, 2015 [copyright.gov] not last Friday.
I guess Andy Greenberg is less a moron than he is just a little behind the times.
Additional coverage here:
https://www.techdirt.com/articles/20151027/10131232649/library-congress-releases-dmca-anti-circumvention-exemptions-hot-mess.shtml [techdirt.com]
https://www.eff.org/deeplinks/2015/10/victory-users-librarian-congress-renews-and-expands-protections-fair-uses [eff.org]
https://library.osu.edu/blogs/copyright/2015/12/30/new-dmca-exemptions/ [osu.edu]
http://www.ipwatchdog.com/2015/11/09/copyright-office-dmca-exemptions-for-automotive-software-jailbreaking-smart-tvs/id=62834/ [ipwatchdog.com]
http://www.theverge.com/2015/10/27/9622066/jailbreak-unlocked-tablet-smart-tvs-dmca-exemption-library-of-congress [theverge.com]
https://www.fsf.org/news/library-of-congress-issues-limited-exemptions-to-dmca-anti-circumvention-provisions-but-leaves-users-without-full-control-over-their-own-computing [fsf.org]
No, no, you're not thinking; you're just being logical. --Niels Bohr
(Score: 2) by NotSanguine on Wednesday November 02 2016, @06:13PM
Oops. Forgot this one from Ars Technica:
http://arstechnica.com/tech-policy/2015/10/us-regulators-grant-dmca-exemption-legalizing-vehicle-software-tinkering/ [arstechnica.com]
No, no, you're not thinking; you're just being logical. --Niels Bohr
(Score: 0) by Anonymous Coward on Wednesday November 02 2016, @09:30PM
The DMCA went into effect in 1998, some 18 years ago (I suppose you could say 1.8 decades, I guess).
Are you really quibbling that 18 years is not "decades?" It's darn close to 20 years, and in most common parlance the difference isn't worth raising a fuss over. It's not like he/she is trying to round 12 years, or even 15 years into 20.
Technically you are correct [xkcd.com] that it is just "a lot over a decade old but not quite two yet." [xkcd.com]
(Score: 3, Interesting) by NotSanguine on Wednesday November 02 2016, @10:17PM
Actually, as I looked into it, I was less concerned with the poor usage of the English language than I was with the fact that this mastermind was reporting on year-old news as if it were current.
Beyond that, words have meaning. I wouldn't have quibbled with "nearly two-decades old" or even "two decades-old." Moreover, this wasn't a missive to his girlfriend, an email to his mom, or even an Op-ed piece. It purports to be journalism. When you claim to be reporting actual happenings, statements, occurrences and/or other things loosely-termed "facts," one should be held to reasonable standards.
Regardless, I'm glad I looked a little further though, as it shows that Andy Greenberg is not only a poor writer (especially for someone who's supposed to be a journalist), but has problems even determining what year it is. Or did you miss the bit where he claims that DMCA exemptions that actually went into effect a year ago [documentcloud.org], were just going into force last Friday [wired.com]?
As for what you're calling pedantry, expect more of the same from me, as required, in the future. If that means you don't read what I post, all the better, so I won't need to read your inane replies.
No, no, you're not thinking; you're just being logical. --Niels Bohr
(Score: 2) by maxwell demon on Thursday November 03 2016, @09:23AM
Maybe he wrote it last year, and it took so long until it got published? ;-)
The Tao of math: The numbers you can count are not the real numbers.
(Score: 2) by Phoenix666 on Thursday November 03 2016, @01:01AM
wonkeymonkey says, NO!
Washington DC delenda est.
(Score: 2) by maxwell demon on Thursday November 03 2016, @09:19AM
Well, technically if you say you could care less you are correct, as you could care too little to even make a comment on how little you care about it. ;-)
The Tao of math: The numbers you can count are not the real numbers.
(Score: 2) by butthurt on Thursday November 03 2016, @04:09PM
from TFS (emphasis added):
Together, the security community and DIYers are hoping those protections, which were enacted by the Library of Congress's Copyright Office in October of 2015 but delayed a full year, will spark a new era of benevolent hacking for both research and repair.
(Score: 2) by NotSanguine on Thursday November 03 2016, @04:27PM
from TFS (emphasis added):
Together, the security community and DIYers are hoping those protections, which were enacted by the Library of Congress's Copyright Office in October of 2015 but delayed a full year, will spark a new era of benevolent hacking for both research and repair.
Fair enough. However, that applied only to voting machines and vehicles. All the other exemptions were in force as of 10/28/2015.
cf. http://www.ipwatchdog.com/2015/11/09/copyright-office-dmca-exemptions-for-automotive-software-jailbreaking-smart-tvs/id=62834/ [ipwatchdog.com]
No, no, you're not thinking; you're just being logical. --Niels Bohr
(Score: 1) by butthurt on Thursday November 03 2016, @06:28PM
Says your link: "[...] voting machine security research cannot begin for more than a year, delaying it past the next presidential vote." Boo.
(Score: 2) by NotSanguine on Thursday November 03 2016, @10:52PM
I said: "However, that applied only to voting machines and vehicles. All the other exemptions were in force as of 10/28/2015."
Not sure what your point might be. Those were the exemptions that were delayed. Full stop.
If you'd like me to repeat myself, again, just let me know.
No, no, you're not thinking; you're just being logical. --Niels Bohr
(Score: 2) by butthurt on Friday November 04 2016, @12:00AM
Let me explain. According to the article you linked, the provision about voting machines won't take effect until after this month's elections. Hence the fruits of such research won't be available prior to those elections, which is unfortunate.
(Score: 2) by NotSanguine on Friday November 04 2016, @12:15AM
Let me explain. According to the article you linked, the provision about voting machines won't take effect until after this month's elections. Hence the fruits of such research won't be available prior to those elections, which is unfortunate.
I misunderstood your point. My apologies.
Yes, that is unfortunate. I'm not sure how concerned I should be about that, but I guess we'll find out soon enough, since I'm sure that many folks will be taking a close look at voting machines as soon as they can.
No, no, you're not thinking; you're just being logical. --Niels Bohr
(Score: 3, Informative) by NotSanguine on Thursday November 03 2016, @11:39PM
The text of the exemption for vehicles reads as follows:
The other exemption delay is related to "good faith" security research to discover security flaws:
The above is from http://www.copyright.gov/fedreg/2015/80fr65944.pdf. [copyright.gov]
All the rest of the exemptions have been in effect since 1/28/2015.
Better yet, read the above document yourself and draw your own conclusions.
No, no, you're not thinking; you're just being logical. --Niels Bohr
(Score: 2) by mendax on Wednesday November 02 2016, @06:46PM
Does this mean I can finally rip my own DVDs? After all, they are an electronic device of a sort. Perhaps the same could be said about Blu-ray disks, although I do not rip those.
It's really quite a simple choice: Life, Death, or Los Angeles.