Cybersecurity experts and voting machine makers are fighting over laws that would allow researchers to test for vulnerabilities and report them without fear of legal retribution. Section 1201 of the 1998 Digital Millennium Copyright Act (DMCA) made it illegal to bypass security measures that prevent access to copyrighted material, such as software. Over the years, however, the U.S. Copyright Office has created exemptions to Section 1201 to grant “good-faith” hackers the ability to research consumer device security, such as cell phones, tablets, smart appliances, connected cars and medical devices. Now, as the Copyright Office mulls expanding those exemptions to allow access to a broader array of technology — and voting machines in particular — security researchers and vendors are voicing their disagreements about the value of such an expansion. The office held a hearing fielding comments from stakeholders on Tuesday.
“A large fraction of security research really isn’t about devices that individual consumers are using but it’s about devices that are critical to business, to industry, to making the communications networks and the systems that we all rely on operate correctly and securely,” said University of Michigan professor and election security researcher J. Alex Halderman, a proponent of expanding the exemption.
… Regan Smith, deputy general counsel for the Copyright Office, wanted to know from Englund whether vendors are incentivized on their own to secure their systems. Englund replied that his three clients — Dominion Election Systems, Election Systems & Software and Hart InterCivic — are competitors and therefore have an incentive to edge each other out.
Kit Walsh, an attorney with the Electronic Frontier Foundation, countered that vendors are incentivized more so to shut good-faith hackers out.
“They’re discovering vulnerabilities and putting public pressure on the companies, too, to get them fixed. And when the election vendors … say they compete on security, that’s competing on the perception of security of their purchasers. And that’s kind of why there’s a financial interest from these companies not to allow their brand to be tarnished by truthful reporting about vulnerabilities in their software,” Walsh said.