Revealing Tech’s Inconvenient Truths – How a 20th Century law threatens this year’s Defcon, Black Hat, B-Sides and other security talks
Congress has never made a law saying, "Corporations should get to decide who gets to publish truthful information about defects in their products," — and the First Amendment wouldn't allow such a law — but that hasn't stopped corporations from conjuring one out of thin air, and then defending it as though it was a natural right they'd had all along.
But in 1998, Bill Clinton and his Congress enacted the Digital Millennium Copyright Act (DMCA), a giant, gnarly hairball of digital copyright law that included section 1201, which bans bypassing any "technological measure" that "effectively controls access" to copyrighted works, or "traffic[ing]" in devices or services that bypass digital locks.
Notice that this does not ban disclosure of defects, including security disclosures! But decades later, corporate lawyers and federal prosecutors have constructed a body of legal precedents that twists this overbroad law into a rule that effectively gives corporations the power to decide who gets to tell the truth about flaws and bugs in their products.
Likewise, businesses and prosecutors have used Section 1201 of the DMCA to attack researchers who exposed defects in software and hardware. Here's how that argument goes: "We designed our products with a lock that you have to get around to discover the defects in our software. Since our software is copyrighted, that lock is an 'access control for a copyrighted work' and that means that your research is prohibited, and any publication you make explaining how to replicate your findings is illegal speech, because helping other people get around our locks is 'trafficking.'"
EFF has [sued the US government to overturn DMCA 1201](https://www.eff.org/press/releases/eff-lawsuit-takes-dmca-section-1201-research-and-technology-restrictions-violate) and we [just asked the US Copyright Office](https://www.eff.org/deeplinks/2018/02/eff-vs-iot-drm-omg) to reassure security researchers that DMCA 1201 does not prevent them from telling the truth.
Cory Doctorow [u/doctorow]: Special Advisor to Electronic Frontier Foundation
Mitch Stoltz [/u/effmitch]: Senior Staff Attorney for the Electronic Frontier Foundation
Note! Though one of us is a lawyer and EFF is a law firm, we're (almost certainly) not your lawyer or law firm, and this isn't legal advice. If you have a legal problem you want to talk with EFF about, get in touch at [email protected]