Shostack + Friends Blog Archive


DMCA vs. Security Research

Last month, I commented on how the DMCA was preventing research on spyware:

…the legal cloud that overhangs this sort of research. That legal cloud was intentionally put there by the copyright industry, in the form of the Digital Millennium Copyright Act. The law makes it hard to understand what research you can perform when copyright protection is involved. [From “Sony’s Rootkit and the DMCA.”]

It turns out that there were researchers who were holding off on publication because of the DMCA. That delay caused thousands of computers to become infected, and millions to remain infected:

Researchers like Professor Edward Felten and Alex Halderman waste valuable research time consulting attorneys due to concerns about liability under the DMCA. They must consult not only with their own attorneys but with the general counsel of their academic institutions as well. Unavoidably, the legal uncertainty surrounding their research leads to delays and lost opportunities. In the case of the CDs at issue, Halderman and Felten were aware of problems with the XCP software almost a month before the news became public, but they delayed publication in order to consult with counsel about legal concerns. This delay left millions of consumers at risk for weeks longer than necessary. [From “The DMCA Should Not Protect Spyware.”]

The costs of restricting research are always high, but often invisible. I’m glad to see this research becoming visible, so we can assess, in small part, those costs.