EFF is suing the US government to invalidate the DMCA's DRM provisions

The Electronic Frontier Foundation has just filed a lawsuit that challenges the Constitutionality of Section 1201 of the DMCA, the "Digital Rights Management" provision of the law, a notoriously overbroad law that bans activities that bypass or weaken copyright access-control systems, including reconfiguring software-enabled devices (making sure your IoT light-socket will accept third-party lightbulbs; tapping into diagnostic info in your car or tractor to allow an independent party to repair it) and reporting security vulnerabilities in these devices.

EFF is representing two clients in its lawsuit: Andrew "bunnie" Huang, a legendary hardware hacker whose NeTV product lets users put overlays on DRM-restricted digital video signals; and Matthew Green, a heavyweight security researcher at Johns Hopkins who has an NSF grant to investigate medical record systems and whose research plans encompass the security of industrial firewalls and finance-industry "black boxes" used to manage the cryptographic security of billions of financial transactions every day.

Both clients reflect the deep constitutional flaws in the DMCA, and both have standing to sue the US government to challenge DMCA 1201 because of its serious criminal provisions (5 years in prison and a $500K fine for a first offense).

The US Trade Rep has propagated the DMCA's anticircumvention rules to most of the world's industrial nations, and a repeal in the US will strengthen the argument for repealing their international cousins.

Huang has written an inspirational essay explaining his reasons for participating in this suit, explaining that he feels it is his duty to future generations:

Our recent generation of Makers, hackers, and entrepreneurs have developed under the shadow of Section 1201. Like the parable of the frog in the well, their creativity has been confined to a small patch, not realizing how big and blue the sky could be if they could step outside that well. Nascent 1201-free ecosystems outside the US are leading indicators of how far behind the next generation of Americans will be if we keep with the status quo.

Our children deserve better.

I can no longer stand by as a passive witness to this situation. I was born into a 1201-free world, and our future generations deserve that same freedom of thought and expression. I am but one instrument in a large orchestra performing the symphony for freedom, but I hope my small part can remind us that once upon a time, there was a world free of such artificial barriers, and that creativity and expression go hand in hand with the ability to share without fear.

Update: Matthew Green has also published a statement on his involvement in the case:

There's a saying that no good deed goes unpunished. The person who said this should have been a security researcher. Instead of welcoming vulnerability reports, companies routinely threaten good-faith security researchers with civil action, or even criminal prosecution. Companies use the courts to silence researchers who have embarrassing things to say about their products, or who uncover too many of those products' internal details. These attempts are all too often successful, in part because very few security researchers can afford a prolonged legal battle with well-funded corporate legal team.

This might just be a sad story about security researchers, except for the fact that these vulnerabilities affect everyone. When security researchers are intimidated, it's the public that pays the price. This is because real criminals don't care about lawsuits and intimidation – and they certainly won't bother to notify the manufacturer. If good-faith researchers aren't allowed to find and close these holes, then someone else will find them, walk through them, and abuse them.

In the United States, one of the most significant laws that blocks security researchers is Section 1201 of the Digital Millennium Copyright Act (DMCA). This 1998 copyright law instituted a raft of restrictions aimed at preventing the "circumvention of copyright protection systems." Section 1201 provides both criminal and civil penalties for people who bypass technological measures protecting a copyrighted work. While that description might bring to mind the copy protection systems that protect a DVD or an iTunes song, the law has also been applied to prevent users from reverse-engineering software to figure out how it works. Such reverse-engineering is a necessary party of effective security research.

The EFF's complaint, filed minutes ago with the US District Court, is as clear and comprehensible an example of legal writing as you could ask for. It builds on two recent Supreme Court precedents (Golan and Eldred), in which the Supremes stated that the only way to reconcile free speech with copyright's ability to restrict who may utter certain words and expressions is fair use and other exemptions to copyright, which means that laws that don't take fair use into account fail to pass constitutional muster.

In this decade, more and more companies have figured out that the DMCA gives them the right to control follow-on innovation and suppress embarrassing revelations about defects in their products; consequently, DMCA 1201-covered technologies have proliferated into cars and tractors, medical implants and home security systems, thermostats and baby-monitors.

With this lawsuit, the EFF has fired a starter pistol in the race to repeal section 1201 of the DMCA and its cousins all over the world: to legitimize the creation of commercial businesses that unlock the value in the gadgets you've bought that the original manufacturers want to hoard for themselves; to open up auditing and disclosure on devices that are disappearing into our bodies, and inside of which we place those bodies.

I've written up the lawsuit for the Guardian:

Suing on behalf of Huang and Green, EFF's complaint argues that the wording of the statute requires the Library of Congress to grant exemptions for all conduct that is legal under copyright, including actions that rely on fair use, when that conduct is hindered by the ban on circumvention.

Critically, the supreme court has given guidance on this question in two rulings, Eldred and Golan, explaining how copyright law itself is constitutional even though it places limits on free speech; copyright is, after all, a law that specifies who may utter certain combinations of words and other expressive material.

The supreme court held that through copyright's limits, such as fair use, it accommodates the first amendment. The fair-use safety valve is joined by the "idea/expression dichotomy", a legal principle that says that copyright only applies to expressions of ideas, not the ideas itself.

In the 2015 DMCA 1201 ruling, the Library of Congress withheld or limited permission for many uses that the DMCA blocks, but which copyright itself allows – activities that the supreme court has identified as the basis for copyright's very constitutionality.

If these uses had been approved, people such as Huang and Green would not face criminal jeopardy. Because they weren't approved, Huang and Green could face legal trouble for doing these legitimate things.


America's broken digital copyright law is about to be challenged in court
[Cory Doctorow/The Guardian]

Why I'm Suing the US Government
[Andrew "bunnie" Huang]

Section 1201 of the DMCA Cannot Pass Constitutional Scrutiny

[Kit Walsh/EFF]

(Image: Bunnie Huang, Joi Ito, CC-BY)