As Authorities Crack Down on Cyber Security Attacks, U.S. Copyright Office Lifts Ban on Hacking Your Own Devices

November 11, 2016 | Privacy, Data & Cyber Law

The U.S. Copyright Office (the “Office”) has recently issued an exemption to the Digital Millennium Copyright Act (the “Act”), which prohibits users from hacking their own digital devices. Pursuant to 17 U.S.C. § 702, the Office is authorized to promulgate rules and regulations regarding copyright policies and other intellectual property issues. The Act was first passed in 1998 to promote legitimate use of new technologies but prohibit circumvention of digital locks and encryptions that manufacturers place on devices to protect copyrighted material. The new exemption will apply to many “internet of things” devices” or in other words, everyday devices that are connected to the internet and have the capability of receiving and transmitting data, including cell phones, cars, and medical devices.

The exemption will also open opportunities for research in cyber security. As the Office explained in its final rule, the exemption permits “conducting good-faith testing for and the identification, disclosure and correction of malfunctions, security flaws and vulnerabilities in computer programs.” As many researchers explain, reverse engineering and modification of existing software is essential to advancing cyber security. In the past, however, while many researchers may have illegally hacked into their own devices in the privacy of their own homes, they did not publish their findings in fear of being prosecuted. Thus, the new exemption will promote security, innovation and competition by encouraging researchers to disclose their findings. It will allow researchers to be proactive in developing cyber security defenses before ill-intentioned hackers have an opportunity to exploit vulnerabilities in computer programs and software.

However, the exemption is not without limitation. Most importantly, it does not permit research that is intended to facilitate copyright infringement. Aside from this good-faith requirement, researchers can only hack devices that they lawfully acquire. They are prohibiting from accessing computers that they do not own or internet services used by the devices they hack. In addition, the research must be conducted in a controlled setting to eliminate any risk of harm to the public.

It is also important to note that the exemption has been issued as only a trial run and will be temporarily in effect for the next two years. Thereafter, stakeholders will have an opportunity to comment on the success of the exemption and whether it should be extended or made permanent.

Related Publications


Legal updates and news delivered to your inbox