Mike Davis from IOActive found serious flaws in the high-security CyberLock locks used by hospitals, airports and critical infrastructure, but when he announced his findings, he got a legal threat that cited the Digital Millennium Copyright Act.
Jeff Rabkin, a partner at the "elite international law firm" Jones Day, sent the thinly veiled threat on April 29, asking IOActive to help him discover whether "intellectual property laws such as the anticircumvention provision of the Digital Millennium Copyright Act" had been violated in the course of Davis's research.
The 1998 DMCA prohibits actions that assist in bypassing "effective means of access control" to copyrighted works. It's the statute that lets Apple prevent competitors from launching rival App Stores, and stops companies from selling DVD-ripping software.
The problems with the DMCA have metastasized as computer code has become a critical part of everything we own, from cars and tractors to fridges and pacemakers, and even to our locks. Helping people get past the locks that manufacturers use to force their customers to buy spares, parts and add-ons from the original vendor, and not a cheaper competitor, may also be covered by the DMCA's prohibition. Hence this letter, which supposes that publishing information about flaws in a lock violates copyright law.
In security circles, it's axiomatic that researchers must be free to discover and disclose flaws in the systems that we rely on, because it's the only way to harden our vital security systems. Preventing researchers from publishing doesn't prevent bugs from being exploited — what a white-hat hacker can discover and disclose, a black-hat hacker can independently rediscover and weaponize — but it does ensure that the customers for security are denied the information they need to evaluate the security decisions they've made.
Rabkin and Jones Day are quite possibly barking up the wrong tree here. Two early DMCA cases — Skylink and Lexmark — tested whether the law stretched to preventing competitors from reverse-engineering devices in order to make interoperable spares and consumables (garage door openers and printer cartridges) and in both cases, the Federal Circuit found that the DMCA could not be used to prevent this sort of activity.
Disclosing vulnerabilities isn't exactly parallel to Lexmark/Skylink. In those cases, an original manufacturer sued a commercial rival, and the judges took offense at the use of copyright law for such a nakedly anti-competitive purpose. To me, it's clear that disclosing the drastic defects that a manufacturer made in its products is of the same character as making competing products — a legitimate and socially vital process that is obviously out of copyright's scope.
The Ars Technica article has attracted some commentary from Mike Davis himself, who speculates that the real issue is that the locks were not designed to be upgraded in the field, and that his discovery might put the manufacturer in the difficult position of having to replace the locks, rather than upgrading them.
Rabkin has disputed Davis's findings, but he's also sought to chill the publication of those findings. You can't really have it both ways: if the findings are incorrect, then there's no risk in their being published. The normal scientific/scholarly process will run its course, and other researchers will or won't be able to replicate those findings and validate or disprove them. But to argue that something is incorrect and to simultaneously seek to prevent us from reading it smacks of defensive cowardice and substituting intimidation for debate.
Thursday's advisory from security firm IOActive is notable not only for the serious security issues it reported in the CyberLock line of access control systems, which are certified to meet a wide range of US governmental requirements and certifications. The report is also the topic of a legal threat from CyberLock attorneys who invoked draconian provisions of the Digital Millennium Copyright Act if IOActive disclosed the vulnerabilities. A redacted version of a letter CyberLock outside attorneys sent IOActive researcher Mike Davis has reignited a long-standing tension between whether it should be legally permissible for researchers to publicly disclose unfixed vulnerabilities in the products they test.
"Of course, as you know, the public reporting of security vulnerabilities can have significant consequences," Jeff Rabkin, a partner at the Jones Day law firm, wrote in a letter dated April 29, one day before IOActive published the advisory. "[Redacted company name] also takes the protection and enforcement of its intellectual property rights seriously and, prior to any public reporting, wants to ensure that there has been no violation of those rights, including [redacted company name]'s license agreements or other intellectual property laws such as the anticircumvention provision of the Digital Millennium Copyright Act. Presumably, IOActive is aligned with ensuring responsible disclosure and compliance with the laws."
Lawyers threaten researcher over key-cloning bug in high-security lock [Dan Goodin/Ars Technica]
IOActive Security Advisory [Mike Davis/IOActive] [PDF]