FUD chills: GitHub stands with security researchers on DMCA Section 1201
Security research makes us all safer, but too often developers face ambiguous rules and possible criminal liability when they do quality assurance work to find security holes in their stack. Current DMCA Section 1201 rules should be clearer, otherwise they will continue to chill security research and leave everyone less safe. To this end, GitHub has filed comments with the Copyright Office supporting a request by Professor J. Alex Halderman and others for a broader safe harbor for good faith security research.
Our comments are part of the Eighth Triennial Section 1201 Proceeding for exemptions to the Digital Millennium Copyright Act’s prohibition against circumventing technological protection measures (“circumvention”). That’s a mouthful, I know. If you’d like a refresher, see our previous post about the process.
Our comments emphasize four points:
- GitHub stands for developers and against FUD (fear, uncertainty, and doubt). FUD chills security research, and we need more security research—not less.
- Developers of all kinds—including individuals and large corporations—must conduct security research to secure the software their users depend on. The tendency of past and current debates to focus narrowly on academics misses the reality of modern software development and deployment not considered by this 22-year-old law.
- There is a tremendous amount of overlap between quality assurance and the narrower heading of ‘security research.’ Yet, the rules today require that circumvention be solely focused on security research, endangering developers who may want to build and debug in addition to ensuring their software and computing environment is safe and secure.
- Modern developers depend on automation and virtualization services for security testing. With dependency trees commonly in the hundreds and supply chain attacks becoming more common, we believe developers should be able to use automated tools and virtualization to improve the security of their computing environment without worrying that the tooling will inadvertently fall outside the exemption because it serves quality control more generally rather than being solely for security research.
When developers face less FUD, they can make software more secure, and we’re all better off. We hope that the Copyright Office will agree. You can find the full text of our comments here.
Follow GitHub Policy on Twitter for updates about the laws and regulations that impact developers.