Every three years, the Librarian of Congress issues new rules on Digital Millennium Copyright Act exemptions. Acting Librarian David Mao, in an order (PDF) released Tuesday, authorized the public to tinker with software in vehicles for "good faith security research" and for "lawful modification."

The decision comes in the wake of the Volkswagen scandal, in which the German automaker baked bogus code into its software that enabled the automaker's diesel vehicles to reduce pollutants below acceptable levels during emissions tests.

"I am glad they granted these exemptions," said Sherwin Siy, vice president for legal affairs for Public Knowledge in Washington, DC. "I am not glad it was necessary for them to do so in the first place."

The auto industry, and even the Environmental Protection Agency, opposed the vehicle-tinkering rules that were proposed by the Electronic Frontier Foundation and others. About every 36 months, the Librarian of Congress and the Copyright Office entertain proposals for exemptions to the DMCA, which was passed in 1998. The DMCA prohibits circumventing encryption or access controls to copy or modify copyrighted works. The ultimate decision rests with the Librarian of Congress.

Under the ruling, both exemptions don't become law for at least a year—something that perplexed Siy. "Who needs a year to prep for this," he said. The modification ruling forbids tinkering with software that controls "telematics or entertainment systems." The research provision also allows a DMCA exemption for voting machines and medical devices, too.

The EFF applauded the decision but was disappointed in the year-long delay.

"This 'access control' rule is supposed to protect against unlawful copying," said EFF attorney Kit Walsh. "But as we've seen in the recent Volkswagen scandal—where VW was caught manipulating smog tests—it can be used instead to hide wrongdoing hidden in computer code. We are pleased that analysts will now be able to examine the software in the cars we drive without facing legal threats from car manufacturers, and that the Librarian has acted to promote competition in the vehicle aftermarket and protect the long tradition of vehicle owners tinkering with their cars and tractors. The year-long delay in implementing the exemptions, though, is disappointing and unjustified. The VW smog tests and a long run of security vulnerabilities have shown researchers and drivers need the exemptions now."

The government said the exemption applies to a "personal automobile, commercial motor vehicle, or mechanized agricultural vehicle."

The government defined good-faith security research as means of "accessing a computer program solely for purposes of good-faith testing, investigation and/or correction of a security flaw or vulnerability, where such activity is carried out in a controlled environment designed to avoid any harm to individuals or the public, and where the information derived from the activity is used primarily to promote the security or safety of the class of devices or machines on which the computer program operates, or those who use such devices or machines, and is not used or maintained in a manner that facilitates copyright infringement."

The "lawful modification" of vehicle software was authorized "when circumvention is a necessary step undertaken by the authorized owner of the vehicle to allow the diagnosis, repair or lawful modification of a vehicle function; and where such circumvention does not constitute a violation of applicable law, including without limitation regulations promulgated by the Department of Transportation or the Environmental Protection Agency; and provided, however, that such circumvention is initiated no earlier than 12 months after the effective date of this regulation."

Sen. Ron Wyden (D-Oregon) said the DMCA exemption-review process is "broken."

"I am pleased that the ruling recognizes many legitimate and valuable activities, such as security research of software in the devices we use every day—from cars to pacemakers,” Wyden said in a statement. "But the fact remains that no matter how many exemptions are granted, the process for granting exemptions to the DMCA is broken. For example, a review every three years simply does not keep up with the pace of innovation and places burdens on users who have to repeatedly ask permission for the same activity. Congress must bring copyright into the 21st century and make common-sense reforms to the triennial review process."