DMCA hearings, security research, opponents

Security research continued, opponents
Copyright Office: Jacqueline Charlesworth
Michelle Cho
Reagan Smith
Cy Donnelly
Steve Ruhe
John Riley
Stacy Cheney (NTIA)
Christian Troncoso, BSA | The Software Alliance: we support
good faith security testing. We are surrounded by the good guys, and we have an
interest in working with academic and independent security community. But any
possible exemption also has the potential to be exploited by the bad guys. [Has
that happened with previous exemptions?] User trust is instrumental, as is
collaboration with research community. We worry about specific authorization
for researchers to make disclosures based on the researcher’s sole judgment
before the provider has had the opportunity to address the problem. Authorizing
zero-day disclosures may enable identity theft, financial fraud, and other
serious threats. Objective must be to thwart malefactors. Congress is
considering laws on info-sharing proposals, which BSA supports. How best to
create incentives? Limit liability w/o unintended consequences. Administration
is also considering policies, such as export controls on hacking tools. Concern
is balance: responsibly disseminate tools while guarding against their falling
into the hands of those w/bad intent. Congress enacted exemptions w/careful
checks and balances to prevent ill use. Proponents argue that ambiguity =
chilling effects. Were proponents seeking narrow clarifications we wouldn’t
oppose their efforts. Proposed class does much more—broad and w/no important
Congressional intent: class 25 should be amended to permit
circumvention only when software lawfully obtained, researcher has made good
faith effort to obtain permission, solely for purpose of testing, and info is
used primarily to promote security and is maintained in a manner that doesn’t
facilitate copyright infringement or violation of the CFAA. Must avoid
unintended consequences. Info should first be shared w/developer, in best
position to fix it. Time to fix before shared more broadly. Otherwise bad
actors get window of opportunity. Not speculative: already a thriving market
for security research on zero-day vulnerabilities.
Class should be tailored in a manner consistent
w/Congressional intent, mindful of broader cybersecurity debate. Not
inadvertently help bad actors.
Charlesworth: How would we do this?
A: you’d have to find a big chilling effect, but there’s a
lot of research going on. BSA has a big interest in partnering w/community;
many actively try to incentivize by providing rewards to those who provide info
responsibly—enough time to issue a patch.
Charlesworth: how much time is this?
A: no set time. Every vulnerability is different.  Particularly w/enterprise software.  Complex systems.
Charlesworth: what percentage of members authorize research?
A: don’t know; trend for software companies to do that. Some
of them probably work behind the scenes. Many have visible programs advertised
on their websites.
Q: do your members have specific concerns about trade
A: absolutely.
Q: you said you would be ok with a narrow exemption. How to
address that?
A: build in the standard that it couldn’t involve any other
violation of applicable law, including violation of trade secrets.  [Why is 1201 needed if another law is
violated?  Why use copyright law to
enforce a different regime?]
Harry M. Lightsey, III, General Motors, LLC with Anna Shaw,
counsel for GM with Hogan & Lovells (not testifying)
Comments are solely directed at auto industry.  Controls range from engine to safety,
braking, speed, steering, airbags.  ECU
software is protected by TPMs.  If
circumvented, could present real and present concerns for the safety of the
occupants, as well as compliance w/regulatory and environmental requirements.
Proponents have no evidence of chilling effect in auto
industry, which has every incentive to encourage responsible security research.
We have, as we said in Class 22, relations with various independent
researchers/academic institutions/industry fora.  We attend Black Hat and Defcon.  We engage in efforts w/DARPA. We do our part
to encourage responsible security research. Our concerns are that a broad
exemption would harm ability to control research and have opportunity to fix
vulnerabilities before they’re widely disclosed, creating safety concerns.
Charlesworth: you asked about limiting exemptions to
vulnerabilities caused by access controls.
Troncoso: those are the only past exemptions—limited to
access controls creating security vulnerabilities. The proposal here is very
broad, applied to any type of software.
Charlesworth: but are you asking for that as a limit? Are you
ok with a narrow exemption limited to vulnerabilities caused by access
Troncoso: we’d be comfortable with that.
Charlesworth: that’s a fairly considerable limitation.
Troncoso: our motivation is the disclosure issue. If that
can be addressed and congressional intent can be integrated, we would be
comfortable w/an exemption broader than vulnerabilities specific to the access
Charlesworth: hacking into live systems—how should we think
about that issue in practical terms? There’s not a huge record of need to look
at live nuclear power plants.  How should
the Office be thinking about the concern about publishing research where a
breach could be catastrophic?
Green: two issues. Should you be testing live systems?  That can be dangerous. However, there are
other directly applicable laws, like the CFAA, specifically designed to deal
with that. I have never viewed the DMCA as specifically applicable to that case.  Is it something we should be using 1201
for?  Does that benefit us as a
society?  Clearly it does not. We know
that there are a number of systems that whether you’re accessing in real time
or as separate copies, the results can lead to finding major safety issues. The
value of fixing them is very high.
Charlesworth: saw a news report about someone who allegedly
hacked into a live operating airplane system. [Are they being charged with a criminal
violation of 1201?] They may be doing it for what they perceive to be good
purposes. Security researchers could make a mistake—exposed a flaw, but also
isn’t that scary?  Would you be willing
to limit this to not-live systems?  Maybe
that should be debated in Congress.
Green: I speak for all the researchers here when I say that
story is not something we endorse. No ethical researcher should be working on
live systems.
Reid: In addition to distinguishing that story, the vast
majority of the research we’re talking about is aimed at fixing problems in a
safe way.   
Charlesworth: but how do we limit the exemption to ethical
research? There needs to be linedrawing to notify the public of what they can
and can’t do. [Is that copyright law’s job, to reintroduce the entire legal
code into 1201 exemptions?]  We’re trying
to consider potential narrowing so that people feel that the exemption would be
consistent w/congressional intent and the goals of the proceeding.  So are you willing to exclude live systems?
Doesn’t think there’s much of a record on live systems. 
Reid: Urge you to consider that however this gets treated in
this proceedings, as Green mentioned there are a number of other laws here.
Collateral concerns about tampering are illegal under a whole bunch of laws.
The question you ought to ask: is the DMCA the last line of defense for
airplanes? Are we relying on © to protect airplanes? (A) we’re not, (B) if we
were that would be troubling, (C) we are so far away from the purpose of the
DMCA to protect (c) works from (c) infringement.  Nothing in the airplane story involves circumvention,
FBI affidavit doesn’t cite 1201.  Legal
and policy venues exist to address these; the Office need not worry about
enabling behavior that’s illegal under other laws b/c it will still be illegal.
There are complicated contours to this discussion, and these discussions should
happen in other venues.  We’re in support of having those venues
participate and apply those laws and policies. But (c) is not the place to do
it, and you don’t need to, and 1201 doesn’t require you to. [Applause!]
Belovin: We are here to avoid breaking laws. We don’t want
to violate the CFAA or airplane hijacking laws. 
© infringement is almost never a concern unless you have a copy of the
system.  The guy who allegedly tried to
hack the airplane in flight wasn’t copying Boeing’s software. As a pragmatic
matter, if I’m testing a system for security flaws in a way that could possibly
involve copying, I have to have the thing in my possession. This is not a CFAA
exemption request.
Charlesworth: couldn’t you hack in through the internet?
Belovin: you’d have to violate the CFAA first.  The larger violation there is the hacking.
The more probable case is not involving the DMCA, but stealing source code—this
is not protected by TPMs under the DMCA, it’s protected by ordinary enterprise
security controls and firewalls. The DMCA was intended to protect copyright
violations, not a CFAA supplement. 
Matwyshyn: Airplane incident facts are in dispute, but the
security community is not rallying. 
Homicide laws are the first line of defense. Whether a TPM was
circumvented is irrelevant.
Charlesworth: b/c of how the law is written, we have to
consider these issues. [Why?  That’s not
in the exemption standard—it’s noninfringing use, as Betsy
Rosenblatt eloquently said
Blaze: back to the issue of disclosure—remember that repair
is important, but so is warning consumers against defective products.  The Snort toy: if I were a parent, even
before it’s fixed, I’d want to know. Disclosure to parents is important even at
the price of embarrassment to the vendor. Give the benefit of the process not merely
to the developer: users are stakeholders as well.
Lightsey: no evidence of chill in auto industry. Given
dramatic consequence on safety, proponents have not met burden of showing need
for an exemption. Saying there are other laws and regulations is not sufficient
in this context. We feel the DMCA is a relevant protection and we encourage the
ability to engage w/security researchers responsibly.
Troncoso: Stanislav explained that he reached out first to
mfgr, notwithstanding the bluster he was ultimately able to work w/them to
ensure the vulnerability was fixed. He didn’t disclose until after it was
fixed. That gets to the norm that we’re seeing even in researchers in this
room. Consistent w/companies’ interests in protecting consumers.  Professor Green’s initial filing: he
indicates he always provides disclosure before disclosing vulnerabilities to
the public. It’s a key issue to us, critical to public safety.

Green: I always attempt to provide disclosure. Sometimes it’s not possible, as when
there are 1000s of websites. Sometimes you notify, and they are not able to
remediate it. They tell you there’s no fix or they’ll take a year. Then you
have the obligation to look at the end user/consumers and that has to affect
your calculation. Android is rarely updated by carriers. Google will make a
patch, but 90% of consumers may be vulnerable a year later. You have to decide
based on what’s right for consumers and not based on what’s good for software
Stanislav: In the case of the Snort and camera, with both
were reported through the helpdesk because there was no front door. Took days
to convince them that there was an issue to kick upstairs. Had a ticket closed
on him and had to reopen w/Snort. Only reason this got solved was that my
company was going to disclose publicly. At that point reporter reached out;
vendor said they’d never heard from a researcher before [i.e., it did not tell
the truth]; then the CEO reached out to him on the thread they’d already been
having. The internet of things comes from innovators—not large legal teams that
understand complex legal situations; they will fight back in an attempt to shut
you up.
Matywyshn: indeed, car companies like Tesla are state of the
art. But unfortunately there’s a large degree of variation across car
manufacturers. Some haven’t fully staffed security teams and have many openings—it
would be beneficial to engage with security community. Tesla, for example, is ISO
compliant and doesn’t oppose our approach. 
If every car company was on the level of Tesla, we wouldn’t be
concerned, but security researchers are concerned.
Belovin: I’m in favor of notification, but one issue is
whether or not the vendor would have the legal right to block or delay
publication interacts in a bad way w/university policies. I may not accept a
grant that gives the funding agency the right to block outside publication.
University sees this as a matter of academic freedom. Mirrored in an odd place
in the law on export controls.  What is “export”?  You can’t teach foreign nationals certain
things—one of the things it says in the law is that fundamental research is ok,
but what is that?  One criterion: can
someone else block publication?  If
someone else can block publication, then export controls apply, which causes
very serious chilling effects of its own.
Blake: we found sweeping vulnerabilities in election
software.  Research authorized by
customers (state gov’ts) not by voting machine vendors.  We were indemnified under state law and there
was some contractual back and forth w/the vendors that I wasn’t privy to—grey area.
One of the issues we addressed was whether to give the vendors advance notice
to fix. We normally do try to give notice, we felt that allowing end users to
remediate immediately outweighed the benefits of not notifying the users and
allowing vendors time to repair things that would take more time to fix than
the next election. Vendors didn’t see our results until they were made public.
Moy: Emphasize again the importance of disclosing not only
so the vulnerability can be remedied but so that consumers can make an informed
choice.  If a vendor can stall
publication for 6 months/year but continue to market the product in the
meantime, that’s an enormous problem w/major implications for consumers.
Charlesworth: could some be addressed by high-level
communication: there is a security problem?
Moy: maybe for some, not all. There will be cases where the
nature of the vulnerability is important. Consider the BMW vulnerability
publicized in January—remote unlocking. 
Details might be important to certain consumers—couldn’t be exploited to
unlock other people’s cars, not your own; don’t know if that’s true but
consumers could make decisions for themselves.
Charlesworth: but it’s not step by step instructions. Why
would an ordinary consumer need to know that?
Moy: ordinary consumers include people who understand how
the tech works. I wouldn’t be able to
exploit a vulnerability even if you handed me a detailed paper about it.  [Likewise.]
Charlesworth: but what about enabling a certain group of
people who might not otherwise have known about it—not sophisticated ones.  [So, sophisticated enough to understand the
disclosure’s detailed, but not sophisticated enough to do it themselves.  Charlesworth is suggesting that researchers
publish “step by step instructions” for a hack. But I don’t think that
describes most of what they do, or not in that sense.  I read
descriptions of Heartbleed, but that doesn’t mean it was step by step.]  Why would I need to know the way in which someone
can exploit the Snort?
Moy: Who’s going to translate the nature of the
Charlesworth: Stanislav will.  The company refuses to fix it, so he
publishes an article saying this toy has a problem.  I wouldn’t then need line by line
instructions in order to make a decision about possessing that toy.  Why is that so hard to concede?
Moy: that would be enough for some consumers, not for
Charlesworth: Why?
Moy: sufficient for some, but not for other  more sophisticated consumers. I’m having a
difficult time imagining how to write a disclosure requirement that would be
written so that you could disclose, but not enough to replicate it technically.
Charlesworth: (j): solely to promote the owner/operator’s
security. Part of the policy was that you weren’t necessarily advising the
world how to do this.  Doing the research
in a way that didn’t enable malicious actors. 
Congress put the test in here to deal w/the complications—whether you
use the research responsibly. [With
respect to copyright
, though, is a very different question than “are you
providing a net benefit to the world?”]
Moy: Q depends also on how the company deals w/security. Is it
something that could be fixed, or does it represent a major flaw?  Security experts should be able to analyze
that and explain to us if necessary.
Charlesworth: is a high level disclosure better than none?
Moy: more information for consumers in the market is
generally a good thing, but that doesn’t get to the reasons we want disclosure.

Stanislav: (1) At the time of the webcam—CEO said my research was inaccurate
and misleading. I’ve presented it publicly now; when a story like this comes
out and the vendor says I’m lying I can prove it. (2) Prevention: if the
intermediary-users (web companies etc.) don’t know the specific details of the
vulnerability in the meantime until the vendor patches it, then they can’t fix
it on an intermediate basis.
Sayler: the individual disclosure is useful for consumers
who may recognize that the problem may be replicated in other devices.
Replication is hugely important, and it requires public disclosure for those of
us in the community who do this kind of work.
Many of the flaws we discover, we’re not the first—many are
already available on the black market. Allowing disclosure will not increase the
number of zero-day exploits.
Charlesworth: the concern is you may be educating people
about the unknowns.
Sayler: it’s a balance: it might happen, but you are also
protecting millions of people. Extraordinarily hard to codify what the proper
behavior is.  Thus we should rely on
researchers’ good faith (and other laws). 
Far outweighs the downsides.
Lightsey: to protect the record, on behalf of GM,
cybersecurity is something we take very seriously. We have a senior leader at
GM. The industry is committed to voluntary privacy principles, including
promise to maintain reasonable security, enforceable under §5 of FTCA.  [Though as Moy says, how will you know if
they’re following through?]
Troncoso: Potential for companies to decide not to fix a
problem. But we do have regulators in place to handle those issues. If they
encounter pushback from software companies unwilling to fix problems, urge them
to go to the FTC.  [Right, because they
have so many resources.]
Charlesworth: what would the FTC do?
Tronsoco: they’ve been willing to bring enforcement actions
against companies not employing sufficient security standards.  Building in a disclosure requirement is
critical to avoid perverse incentives to keep research hidden so it’s more
valuable on black/gray markets. 
Potential for exemption to be exploited by bad actors.
Stallman: part of the value of exploits trafficked in black
market is secrecy. Publication is a way to make an existing but unknown
vulnerability lose its value. 
Blaze: There is a bright line between legitimate research
and black market: we publish our work and we’re required to do so by the
scientific method.  You asked about a
compromise disclosure in which we describe existence of vulnerability w/o
describing how to exploit. With some examples it might be possible to describe
the vulnerability/remediation w/o enough detail to exploit. But many, many
others describing the existence would make exploit trivially easy: the
difference between the exploit and who’s vulnerable is nonexistent.  No line to be drawn unless we want “there’s a
terrible, lifethreatening problem with GM cars” to be the disclosure—“this
model has a brake problem” is better.
Charlesworth: but saying there’s a brake problem is
different than line by line discussions.
Blaze: sometimes it is possible, but in other cases it’s
not. [Perhaps we should trust the programmer/security researcher and not the
person who doesn’t program here?] Vulnerability might be: if you turn the key
three times the brake stops working. The only way to know is to try it. There
is no other way to describe it. This varies across the spectrum. There is not a
generally applicable line meaningfully separating them.
Charlesworth: when you publish, sometimes you refrain from
giving detailed information. [Charlesworth has a specific idea of “line by line
instructions” that is not consistent w/the programmers’.]
Blaze: sometimes.  We
ask whether it’s necessary to include details. Sometimes it’s in the middle,
and you can disclose 90% and a determined person could ferret it out. An
essential property of the scientific process is to publish reproducible,
testable results that others can build upon. Readers of scientific papers need
to be able to verify and reproduce.
Matwyshyn: There’s a whole array of mitigation measures
researchers regularly use—timing, detail, a bundle of best practices.
Charlesworth: are those written down?
Matwyshyn: they’re contingent on the nature of the reproducibility.
The ISO standards are the closest.
On the point of 0-day vulnerability markets – the researcher’s
perspective is: I know a vulnerability. (1) Do I sell it and make a quick buck,
or (2) undertake laborious and personally risky process of contacting vendors
and maybe having them threaten me w/DMCA, work for months.
Charlesworth: so there’s overlap w/bad guys?
Matwyshyn: the US gov’t purchases zero-days regularly. But
most vulnerabilities are known—a researcher will find that this product hasn’t
been patched with a ten-year-known vulnerability. Don’t want the DMCA to deter
contacting the company.
FTC: I served as privacy advisor. But it is an agency with
limited resources.  There isn’t a formal
intake mechanism for security researchers to report problem. The FTC can’t
mediate DMCA threats from vendors.
Charlesworth: you’re suggesting that people might sell
research on the black market if they don’t get the exemption.
Matwyshyn: The zero-day market is a very small sliver.
Charlesworth: how does it play into the exemption process?
Matwyshyn: in the absence of a regulatory regime, which we
don’t have.
Charlesworth: well, we have 1201. You’re assuming someone has
discovered—have they broken the law or not?
Matwyshyn: if they may
have circumvented, we want them to report it. 
Charlesworth: why would they care?
Matwyshyn: because the act of disclosure currently exposes
them to liability. We want to nudge them towards disclosure.
Charlesworth: does that actually happen?
Belovin: an ex-NSA hacker has stated that he sold an exploit
to the US gov’t. Here’s someone who’s finding and publishing vulnerabilities
and also sold it to the intelligence community.
I served as chief technologist to the FTC for a year. FTC
doesn’t have the resources to act as intermediary in these cases. It does not
resolve individual cases about kinds of research people can do.  Security researchers: take auto hacking. One
case involved vulnerabilities in the wireless tire pressure monitor. I never
would’ve looked there, but once I was pointed in that direction, any competent
researcher could replicate the issue within a few weeks. Asking the right
question is often the very hardest part of this kind of research.  Different remediation measures are indicated
depending on the type of issue.
Reid: Underscore Belovin’s point about remedies. It’s not just
about understanding and explaining vulnerability. Sometimes consumers can take
an actual remedial action, which sometimes takes some detail.  If your car has a software problem, you may
want to know how to fix it. Look at how auto industry handles other types of
problems: airbag recall; we now know every detail, including every factory the
airbags came from.  That is useful
information.  We lack that useful
information about how to deal with the risks of hackers hacking our cars, which
allows consumers to apply pressure.
Q: Talk about norms—is there anything in standards that
could identify a security researcher v. a black hat?
Matwyshyn: someone who discloses flaws for security and
works to better systems. ISO standards are evolving. The leads have stated that
they are happy to directly consider any issues the Copyright Office panel feels
should be discussed.
ISO is an organization that has traditionally been closed;
lots of corporate standards; will push for openness of these standards because
of the tremendous social value of an exemption.
Charlesworth: it’s a little hard to draft a law based on
something no one can see.  [From your
lips to Congress’s ears! [TPP reference]]
Reid: we’d be comfortable w/ a limitation that makes clear
it has to be for noninfringing purposes, the statute is geared for that and it’s
easy to write in.
Q: what about not in violation of any other laws?
Reid: defers to papers.
Matwyshyn: suboptimal framing b/c many of the chilling
effects involve people leveraging DMCA to threaten with CFAA etc.
Charlesworth: we will not grant an exemption that says you
can violate other laws.  [I don’t think
that’s what’s been asked for; see Betsy Rosenblatt again.  Shall we say “you can’t use the exemption if
you’re going to commit murder”?]
Belovin: one reason there’s no consensus on reporting—it’s
often very hard to understand how best to disclose; judgment calls. More
germane: there’s a fear of vendors not acting in good faith. There is a
chilling effect. Rightly or wrongly, we’ve seen enough instances where the DMCA
has been used as a club, even with no copyright interests, that researchers don’t
want to give someone else the power to suppress them.

from Blogger

This entry was posted in Uncategorized and tagged , , , , . Bookmark the permalink.

1 Response to DMCA hearings, security research, opponents

  1. Pingback: TLPC Testifies at Copyright Office DMCA Section 1201 Hearings | Samuelson-Glushko Technology Law & Policy Clinic (TLPC)

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s