This year’s Digital Millennium Copyright Act (DMCA) triennial review (PDF, legalese) contained some great news. Particularly, breaking encryption in a product in order to repair it has been deemed legal, and a previous exemption for reverse engineering 3D printer firmware to use the filament of your choice has been broadened. The infosec community got some clarification on penetration testing, and video game librarians and archivists came away with a big win on server software for online games.

Moreover, the process to renew a previous exemption has been streamlined — one used to be required to reapply from scratch every three years and now an exemption will stand unless circumstances have changed significantly. These changes, along with recent rulings by the Supreme Court, are signs that some of the worst excesses of the DMCA’s anti-circumvention clause are being walked back, twenty years after being enacted. We have to applaud these developments.

However, the new right to repair clause seems to be restricted to restoring the device in question to its original specifications; if you’d like to hack a new feature into something that you own, you’re still out of luck. And while this review was generally favorable to opening up technology to enable fair use, they didn’t approve Bunnie Huang’s petition to allow decryption of the encryption method used over HDMI cables, so building your own HDMI devices that display encrypted streams is still out. And the changes to the 3D printer filament exemption are a reminder of the patchwork nature of this whole affair: it still only applies to 3D printer filament and not other devices that attempt to enforce the use of proprietary feedstock. Wait, what?

Finally, the Library of Congress only has authority to decide which acts of reverse engineering constitute defeating anti-circumvention measures. This review does not address the tools and information necessary to do so. “Manufacture and provision of — or trafficking in — products and services designed for the purposes of circumvention…” are covered elsewhere in the code. So while you are now allowed to decrypt your John Deere software to fix your tractor, it’s not yet clear that designing and selling an ECU-unlocking tool, or even e-mailing someone the decryption key, is legal.

Could we hope for more? Sure! But making laws in a country as large as the US is a balancing act among many different interests, and the Library of Congress’s ruling is laudably clear about how they reached their decisions. The ruling itself is worth a read if you want to dive in, but be prepared to be overwhelmed by apparent minutiae. Or save yourself a little time and read on — we’ve got the highlights from a hacker’s perspective.

Right to Repair, But Not to Tinker

Support of the right to repair is the big win coming out of this week’s ruling, and strangely enough the legality of hacking on the firmware of children’s toys stems from the original work of farmers to fix their tractors. All land vehicles got an exemption in 2015 (PDF) that included decrypting the ECU and engine diagnostics, “undertaken by the authorized owner” and excluding the entertainment and telematics subsystems. It was argued that the exemption for the entertainment system was intended to prevent people from turning their cars into mobile copyright violation machines.

But based on strong lobbying by repair-industry groups and by farmers who wanted to fix the air conditioning in their tractors, these restrictions were lifted this year. Not only can you work on any system necessary, but you can authorize others to do so on your behalf. And the class of use cases, “Class 7: Computer Programs — Repair”, has been expanded to include “other types of software-enabled devices, including appliances, computers, toys, and other Internet of Things devices”. This is a big deal for anyone who wants to fix anything with firmware.

But it is not a victory for hackers, tinkerers, or anyone who wants to do something original with a device that they own. In particular, the phrase “lawful modification” was included in a proposed draft of the ruling, along with a clause to allow “the acquisition, use, and dissemination of circumvention tools in furtherance of diagnosis, repair, and modification”. As mentioned above, circumvention tools are outside of the Library’s jurisdiction, so no ruling on tooling. And while the “lawful modification” clause was retained in the particular section covering vehicles, it was struck from the devices and IoT section with the rationale that it was “not defined with sufficient precision to conclude as a general category it is likely to be noninfringing”. You are still not allowed to break encryption to modify or add functionality to a device that you own. That hits us right in the Hackaday. Boo!

Unlocking and Jailbreaking

If you lawfully buy a cell phone, tablet, fitness tracker, or similar, you may now unlock the software in order to change service providers. This expands on the previous ruling that was limited to cell phones, and removes the previous requirement that the phones be used — a provision put in to prevent people from reselling loss-leader phones by untethering them from their carriers without ever registering them.

It was recently ruled that cellphones could be jailbroken in order to install whatever software the owner wanted. The EFF wanted this exemption extended to voice assistant devices (Echo, Siri, Home, etc.) and also to enable or disable hardware or software features of the device, and they got their wish. That you’re now free to jailbreak and install software on these additional platforms is a huge win.

Reverse Engineering and Security

A big question going into this round was whether the infosec community would get its exemption renewed, and there were some questions about who had to own the system in question that were relevant for penetration testing. The infosec community came through with a number of suggestions, and it paid off in spades! The exemption is relatively straightforward: “good-faith security research” on a “lawfully acquired” device or “with the authorization of the owner or operator” is exempt if it doesn’t violate any applicable law.

Software and Video Game Archives

In the last decade, the Library of Congress began taking video games seriously. As part of this push, they’ve passed exemptions to the DMCA for non-profit libraries and archives of video games. That’s good news. This time around, the big question was what to do with online games when the server ceases to exist. Would you be allowed to copy or reverse engineer the server? The answer is a limited “yes” — only for the purposes of preservation and when performed physically on the premises of the library, which is great news for archivists. But not so good if you just want to play the game. Bummer.

3D Printer Filament

The 2015 exemptions allowed reverse engineering 3D printer firmware to defeat chipped filament spools, allowing you to print with whatever you want. Almost. Under pressure from Stratasys, which claimed that people could create unspecified public health (not copyright!) issues by using unlicensed filament, a clause was added to the otherwise reasonable exemption: “that the exemption shall not extend to any computer program on a 3D printer that produces goods or materials for use in commerce”. This would prevent you from hacking the filament reel’s chipping if you intended to sell the parts, and was stripped from this year’s version of the exemption. Good riddance!

HDMI, HDCP

Hackaday friend Bunnie Huang likes to hack on HDMI encryption. Imagine that you had a CCTV stream pushed out over HDMI, and that you simply wanted to overlay the date and time in the upper left hand corner. Or maybe you’re a video artist who’d like to play around with the video coming out of a modern set-top box. You can’t, because the stream is encrypted with High-bandwidth Digital Content Protection (HDCP). The master key for HDCP was released in 2010, and its circulation remains a DMCA violation, but it’s an open secret at this point.

Bunnie petitioned to get an exemption for breaking HDCP for fair-use applications, and was denied. We love Bunnie and we love video hacking, but we can also see how the potential copyright violators outnumber the hardware hackers and are thus “likely to be infringing” and there just weren’t many fair-use uses. Hackers, if you want to see an exemption for this in three years, start building fair use HDCP applications — the master key is out there and the Library needs a compelling justification to break HDCP.

The DMCA: An Over-broad Law, Made Slightly Better by Exemptions

So much for this round’s exemptions. But how did we even get here? The DMCA, enacted in 1998, did two things. First, it brought US copyright practice in line with international norms and shielded online content providers from liability if users uploaded infringing content — the “safe harbor” provision. This may have saved the Internet as we know it: nobody would be willing to host submitted content if they could be sued into oblivion for something they didn’t upload or control.

Secondly, as part of the furor around Napster and the digital sharing of music, the DMCA criminalized breaking encryption that’s designed to protect copyrighted works, and prohibited dissemination or sale of tools (or knowledge) designed to break this encryption. This “anti-circumvention” section, intended to protect copyright, opened Pandora’s box.

Suddenly the copyrighted firmware that keeps track of how many pages were printed on an inkjet cartridge was protected by encryption, and cracking that encryption in order to refill and reuse the cartridge became the crime of defeating anti-circumvention measures, until finally ruled OK by the Supreme Court in 2017. John Deere fought hard to maintain that the code in the ECU of their tractors is protected by the DMCA, in an attempt to prevent farmers from working on their tractors under penalty of law. The DMCA made it illegal to jailbreak used cellphones in order to change carriers, because the subscription data was copyrighted and encrypted.

The way out of this insanity is to petition the Library of Congress for an exemption. Indeed, all of the above anti-circumvention restrictions were lifted by exemption in the past. But, as you have surely noticed, these exemptions are piecemeal and hyper-specific, and the state of play can change every three years. For instance, in 2012, jailbreaking phones to switch carriers was legalized, but the same was not true for tablets. Now, they’re both exempted. In 2009, an exemption was granted to decrypt e-books so that blind people could use read-aloud software with them, provided there were no unlocked versions available. In 2012, this was broadened to all e-books, and this exemption is still in force. Only recently could you legally hack on your DRM’ed tractor, and only this year can you hire an independent mechanic to do it.

In my opinion, the anti-circumvention clause of the DMCA is a flawed law. It legislates on a tangentially related topic — encryption — while intending to prevent another crime — copyright infringement — that was already illegal before the DMCA existed. As we’ve often seen from its myriad abuses and exemptions over the last twenty years, it’s not serving its intended purpose as much as providing a legal basis for anti-competitive and anti-innovative business strategies. I’m not sure that I’m hopeful for its removal, however, so I’ll continue to cheer every little exemption that we can get.