You may have thought that if you owned your digital devices, you were allowed to do whatever you like with them. In truth, even for possessions as personal as your car, PC, or insulin pump, you risked a lawsuit every time you reverse-engineered their software guts to dig up their security vulnerabilities—until now.
Last Friday, a new exemption to the decades-old law known as the Digital Millennium Copyright Act quietly kicked in, carving out protections for Americans to hack their own devices without fear that the DMCA’s ban on circumventing protections on copyrighted systems would allow manufacturers to sue them. One exemption, crucially, will allow new forms of security research on those consumer devices. Another allows for the digital repair of vehicles. Together, the security community and DIYers are hoping those protections, which were enacted by the Library of Congress’s Copyright Office in October of 2015 but delayed a full year, will spark a new era of benevolent hacking for both research and repair.
“This is a tremendously important improvement for consumer protection,” says Andrea Matwyshyn, a professor of law and computer science at Northeastern University. “The Copyright Office has demonstrated that it understands our changed technological reality, that in every aspect of consumers’ lives, we rely on code,” says Matwyshyn, who argued for the exemptions last year.
For now, the exemptions are limited to a two-year trial period. And the security research exemption in particular only applies to what the Copyright Office calls “good-faith” testing, “in a controlled environment designed to avoid any harm to individuals or to the public.” As Matwyshyn puts it, “We’re not talking about testing your neighbor’s pacemaker while it’s implanted. We’re talking about a controlled lab and a device owned by the researcher.”
But within those restrictions, the exemptions remove a looming fear of DMCA lawsuits that has long hung over the security research community. “There’s a universe of security vulnerabilities that the law keeps researchers from figuring out and telling you about, but are nonetheless present in devices you use every day,” says Kit Walsh, an attorney with the Electronic Freedom Foundation. “For the next two years, that threat will be lifted for many forms of security research that are really important.”
Section 1201 of the DMCA has for years forbidden hackers from reverse-engineering many computer systems—even ones that they owned—in an attempt to prevent Americans from circumventing protections on the intellectual property of manufacturers. Sony used the law, for instance, to sue reverse-engineer George Hotz for hacking the Sony PlayStation to allow it to run unauthorized software. (Sony and Hotz eventually settled that lawsuit in 2011, after Hotz agreed to stop reverse-engineering Sony’s products.) Tractor manufacturer John Deere last year cited the law to argue that tractor owners couldn’t repair certain software components of their vehicles.