DMCA Review: Big Win for Right to Repair, Zero for Right to Tinker

This year’s Digital Millennium Copyright Act (DMCA) triennial review (PDF, legalese) contained some great news. Particularly, breaking encryption in a product in order to repair it has been deemed legal, and a previous exemption for reverse engineering 3D printer firmware to use the filament of your choice has been broadened. The infosec community got some clarification on penetration testing, and video game librarians and archivists came away with a big win on server software for online games.

Moreover, the process to renew a previous exemption has been streamlined — one used to be required to reapply from scratch every three years and now an exemption will stand unless circumstances have changed significantly. These changes, along with recent rulings by the Supreme Court are signs that some of the worst excesses of the DMCA’s anti-circumvention clause are being walked back, twenty years after being enacted. We have to applaud these developments.

However, the new right to repair clause seems to be restricted to restoring the device in question to its original specifications; if you’d like to hack a new feature into something that you own, you’re still out of luck. And while this review was generally favorable of opening up technology to enable fair use, they didn’t approve Bunnie Huang’s petition to allow decryption of the encryption method used over HDMI cables, so building your own HDMI devices that display encrypted streams is still out. And the changes to the 3D printer filament exemption is a reminder of the patchwork nature of this whole affair: it still only applies to 3D printer filament and not other devices that attempt to enforce the use of proprietary feedstock. Wait, what?

Finally, the Library of Congress only has authority to decide which acts of reverse engineering constitute defeating anti-circumvention measures. This review does not address the tools and information necessary to do so. “Manufacture and provision of — or trafficking in — products and services designed for the purposes of circumvention…” are covered elsewhere in the code. So while you are now allowed decrypt your John Deere software to fix your tractor, it’s not yet clear that designing and selling an ECU-unlocking tool, or even e-mailing someone the decryption key, is legal.

Could we hope for more? Sure! But making laws in a country as large as the US is a balancing act among many different interests, and the Library of Congress’s ruling is laudably clear about how they reached their decisions. The ruling itself is worth a read if you want to dive in, but be prepared to be overwhelmed in apparent minutiae. Or save yourself a little time and read on — we’ve got the highlights from a hacker’s perspective.

Right to Repair, But Not to Tinker

Support of the right to repair is the big win coming out of this week’s ruling, and strangely enough the legality of hacking on the firmware of children’s toys stems from the original work of farmers to fix their tractors. All land vehicles got an exemption in 2015 (PDF) that included decrypting the ECU and engine diagnostics, “undertaken by the authorized owner” and excluding the entertainment and telematics subsystems. It was argued that the exemption for the entertainment system was intended to prevent people from turning their cars into mobile copyright violation machines.

But based on strong lobbying by repair-industry groups and by farmers who wanted to fix the air conditioning in their tractors, these restrictions were lifted this year. Not only can you work on any system necessary, but you can authorize others to do so on your behalf. And the class of use cases, “Class 7: Computer Programs — Repair”, has been expanded to include “other types of software-enabled devices, including appliances, computers, toys, and other Internet of Things devices”. This is a big deal for anyone who wants to fix anything with firmware.

But it is not a victory for hackers, tinkerers, or anyone who wants to do something original with a device that they own. In particular, the phrase “lawful modification” was included in a proposed draft of the ruling, along with a clause to allow “the acquisition, use, and dissemination of circumvention tools in furtherance of diagnosis, repair, and modification”. As mentioned above, circumvention tools are outside of the Library’s jurisdiction, so no ruling on tooling. And while the “lawful modification” clause was retained in the particular section covering vehicles, it was struck from the devices and IoT section with the rationale that it was “not defined with sufficient precision to conclude as a general category it is likely to be noninfringing”. You are still not allowed to break encryption to modify or add functionality to a device that you own. That hits us right in the Hackaday. Boo!

Unlocking and Jailbreaking

If you lawfully buy a cell phone, tablet, fitness tracker, or similar, you may now unlock the software in order to change service providers. This expands on the previous ruling that was limited to cell phones, and removes the previous requirement that the phones be used — a provision put in to prevent people from reselling loss-leader phones by untethering them from their carriers without ever registering them.

It was recently ruled that cellphones could be jailbroken in order to install whatever software the owner wanted. The EFF wanted this exemption extended to voice assistant devices (Echo, Siri, Home, etc.) and also to enable or disable hardware or software features of the device, and they got their wish. That you’re now free to jailbreak and install software on these additional platforms is a huge win.

Reverse Engineering and Security

A big question going into this round was whether the infosec community would get its exemption renewed, and there were some questions about who had to own the system in question that were relevant for penetration testing. The infosec community came through with a number of suggestions, and it paid off in spades! The exemption is relatively straightforward: “good-faith security research” on a “lawfully acquired” device or “with the authorization of the owner or operator” is exempt if it doesn’t violate any applicable law.

Software and Video Game Archives

In the last decade, the Library of Congress began taking video games seriously. As part of this push, they’ve passed exemptions to the DCMA for non-profit libraries and archives of video games. That’s good news. This time around, the big question was what to do with online games when the server ceases to exist. Would you be allowed to copy or reverse engineer the server? The answer is a limited “yes” — only for the purposes of preservation and when performed physically on the premises of the library, which is great news for archivists. But no so good if you just want to play the game. Bummer.

3D Printer Filament

The 2015 exemptions allowed reverse engineering 3D printer firmware to defeat chipped filament spools, allowing you to print with whatever you want. Almost. Under pressure from Stratasys, which claimed that people could create unspecified public health (not copyright!) issues by using unlicensed filament, a clause was added to the otherwise reasonable exemption: “that the exemption shall not extend to any computer program on a 3D printer that produces goods or materials for use in commerce”. This would prevent you from hacking the filament reel’s chipping if you intended to sell the parts, and was stripped from this year’s version of the exemption. Good riddance!

HDMI, HDCP

Hackaday friend Bunnie Huang likes to hack on HDMI encryption. Imagine that you had a CCTV stream pushed out over HDMI, and that you simply wanted to overlay the date and time in the upper left hand corner. Or maybe you’re a video artist who’d like to play around with the video coming out of a modern set-top box. You can’t, because the stream is encrypted with High-bandwidth Digital Content Protection (HDCP). The master key for HDCP was released in 2010, and its circulation remains a DMCA violation, but it’s an open secret at this point.

Bunnie petitioned to get an exemption for breaking HDCP for fair-use applications, and was denied. We love Bunnie and we love video hacking, but we can also see how the number of potential copyright violators outnumber the hardware hackers and are thus “likely to be infringing” and there just weren’t many fair-use uses. Hackers, if you want to see an exemption for this in three years, start building fair use HDCP applications — the master key is out there and the Library needs a compelling justification to break HDCP.

The DMCA: An Over-broad Law, Made Slightly Better by Exemptions

So much for this round’s exemptions. But how did we even get here? The DMCA, enacted in 1998, did two things. First, it brought US copyright practice in line with international norms and shielded online content providers from liability if users uploaded infringing content — the “safe harbor” provision. This may have saved the Internet as we know it: nobody would be willing to host submitted content if they could be sued into oblivion for something they didn’t upload or control.

Secondly, as part of the furor around Napster and the digital sharing of music, the DMCA criminalized breaking encryption that’s designed to protect copyrighted works, and prohibited dissemination or sale of tools (or knowledge) designed to break this encryption. This “anti-circumvention” section, intended to protect copyright, opened Pandora’s box.

Suddenly the copyrighted firmware that keeps track of how many pages were printed on an inkjet cartridge was protected by encryption, and cracking that encryption in order to refill and reuse the cartridge became the crime of defeating anti-circumvention measures, until finally ruled OK by the Supreme Court in 2017. John Deere fought hard to maintain that the code in the ECU of their tractors is protected by the DMCA, in an attempt to prevent farmers from working on their tractors under penalty of law. The DMCA made it illegal to jailbreak used cellphones in order to change carriers, because the subscription data was copyrighted and encrypted.

The way out of this insanity is to petition the Library of Congress for an exemption. Indeed, all of the above anti-circumvention restrictions were lifted by exemption in the past. But, as you have surely noticed, these exemptions are piecemeal and hyper-specific, and the state of play can change every three years. For instance, in 2012, jailbreaking phones to switch carriers was legalized, but the same was not true for tablets. Now, they’re both exempted. In 2009, an exemption was granted to decrypt e-books so that blind people could use read-aloud software with them, provided there were no unlocked versions available. In 2012, this was broadened to all e-books, and this exemption is still in force. Only recently could you legally hack on your DRM’ed tractor, and only this year can you hire an independent mechanic to do it.

In my opinion, the anti-circumvention clause of the DMCA is a flawed law. It legislates on a tangentially related topic — encryption — while intending to prevent another crime — copyright infringement — that was already illegal before the DMCA existed. As we’ve often seen from its myriad abuses and exemptions over the last twenty years, it’s not serving its intended purpose as much as providing a legal basis for anti-competitive and anti-innovative business strategies. I’m not sure that I’m hopeful for its removal, however, so I’ll continue to cheer every little exemption that we can get.

34 thoughts on “DMCA Review: Big Win for Right to Repair, Zero for Right to Tinker

    1. Motorola has been making a pretty big comeback in the cell phone market imho. Massive huge batteries and competitive specs with designs by lenovo, make for an interesting alternative to triple the cost major flagships.

      My last two devices were moto phones and only switched to the newer model because I switched carriers.
      I’ll probably never buy another Samsung again.

      1. Which other phones do have the nice OLED screens, Samsung has? And no, the rotting apple does not count.
        Luckily I don’t need a new phone at the moment, my Galaxy S5 is still good. But I wonder, when I need a successor: Which phones do provide: removable battery, micro SD card, IP67, IR (infrared) emitter and the OLED screen. All this features are in my 4yr old phone, but I don’t know a newer one.

  1. The entire law is flawed by the exemption process. If they need to provide an exemption for 3d filament but leave any other consumable alone then this is nothing more than a case of politicians keeping them selves employed and the bribes flowing into their bank accounts. They keep trying to make math illegal and while they can make it illegal, it still is very possible and even easy in some situations, plus the lack of proper enforcement means that these laws are just put there so that they can make an example out of someone when they finally catch them. This directly stifles innovation and change as there are people who are more risk adverse and unwilling to become that example, so it slows innovation while not actually protecting the people it claims to protect (lets face it someone eventually will crack the DRM). The entire DMCA is a gift to the corporations and the only way that the people have any power is to constantly petition for exemptions, one piece at a time, thus slowing us from making any headway into common sense laws. That seems to be the point of any political action in the past decade, Give the upper class gifts and make the rest of us fight for ours piece by piece, bonus points for making us fight amongst ourselves thus slowing our own progress into a society that is more egalitarian. I’m not saying that everyone needs to be equal but the levels of inequality that currently exist are not stable.

  2. Yeah, but we camels did get our nose under the tent…a lot of the limits will be pretty unenforceable. Nope, it won’t be easy to start a business making money of it at this point, though..

    I’d love freedom from all the “stealerships” involved in the existing bad practices, but also see another side. For example, there’s some interesting software around for a certain permanent magnet motor electric car that removes some current limits – basically the custom ECM tuning chip for the next generation. The issue of course is…yeah, your car will go faster, but the warranty was calculated on a given peak battery drain and you can depolarize PMs with too much peak current. Not to mention melting kinds of issues.

    I can see warranty issues one way or another. But as an engineer myself, the slogan “it’s not mine till the warranty is voided” is one I take to heart.

    So while this isn’t perfect – it’s a start and I suspect that even if you can’t make a biz selling cheap replacement parts for expensive consumer candy at first – it’ll happen on the grey market enough and eventually will cause the big boys to give up as the revenue stream will dry up and be very difficult to police the wack-a-mole independents. It’s just that no one of them can get big enough to get rich themselves off the false scarcity by only getting half of an absolutely insane 30x markup – either. No tears here. The end user wins.

    1. “I can see warranty issues one way or another. But as an engineer myself, the slogan “it’s not mine till the warranty is voided” is one I take to heart.”

      Problem usually isn’t some customer pulling a fast one, especially on something that has to be taken to a local shop. Problem is for the other persons down the line who buys a used vehicle. Someone makes a change*, doesn’t tell anyone about it, and consequences, with little recourse (he said, she said, at best).

      *Individual, but it could also be a dealer.

      1. Purchasing a used vehicle is already a faith based exercise. Unless you find a shop willing to allow you to tear down parts to ascertain stage of life, or offer you a real warranty, you can only make so many assumptions….

        no part of DMCA is going to help anyone with a warranty claim on used equipment or stop shady practices in the secondary used equipment market. Its only about stifling competition for the OEM.

  3. Right to repair and cheap/free access to the tools is required.
    To break a monopoloy on having to pay a dealer.
    Become everything is becoming rented not owned.
    Every company is looking for MRR (monthly recurring revenue) becos share price.
    And locking you and I in achieves that goal.

    The hacking thing, will carry on exactly as it does now.
    Plenty of people breaking HDCP in products on sale.
    Plenty of people chipping ECU’s and selling services.
    No one going after them.
    About to change? Don’t think so until they reach a critical mass. eg: see kodi wars.

    “you are not allowed to break encryption on a device you own”
    f*ck em.
    Thou shalt not kill. – sure
    Thou shall not use a device in a manner other than what the mfr says even thou you paid for it? — unfair law. Break it as frequently as you can.

    Thank you for purchasing your new screwdriver.
    Under the EULA you may only use it for PZ2 screws.
    These actions will void warranty:
    Attempts to use on other sized screws.
    Or Frearson, Phillips or other screw head forms.
    Attempts to use as a chisel, poker, opening plastic packaging, as a scribe, magentising it, drawing or writing identifying marks without prior purchase of a “screw driver marking kit”.

    Contrived, perhaps.
    But that’s ultimately where most companys want us to get to as it protects their bottom line and maximises bleeding us dry.

      1. Was thinking the same thing. Seen too many people make bad decisions and get paid by a sympathetic jury.

        You will also get the people that go beyond the manufacturers design, break something, then reflash the code back to stock and say it wasn’t me! Often obvious with an automobile, not so much with other devices/machines.

    1. ” if you’d like to hack a new feature into something that you own, you’re still out of luck”
      REALLY H.A.D.? and who is going to tell me not to?

      I’d probably reply like you did: “you are not allowed to break encryption on a device you own”
      f*ck em. <<< THIS!

      Thou shall not use a device in a manner other than what the mfr says even thou you paid for it? — unfair law.

      Break it as frequently as you can. <<< THIS TOO.

      1. I also wish this place would go a little more grey hat on occasion instead of strictly boyscouting it and staying as white hat as possible, but I do understand that they are representing their ownership now. It’s NBD, these things happen–so you just gotta hint and wink and say stuff like “now you wouldn’t want to break the law and modify this machine in this specific way, so we’re going to explain the process in detail so you’ll be extra sure to avoid breaking the law!”

    2. YES! You’ve hit the nail on the head! Which is the only legal use of the Hammer™
      If you wish to use your Hammer™ for other striking purposes, please acquire the expanded use license to avoid prosecution, personal injury license is not available so please don’t use the Hammer™ to kill anyone.

    1. Not much different from replacing the stock firmware on a device with an open source firmware, just going a step further to get around the limitation of the OTP/mask part. Copyright doesn’t even apply since the bit containing the copyrighted code is removed and replaced with something that does not have any of the original code.

  4. Right to repair is a big win. Hacking often starts from a repair, with “why did they do it that way anyway? It would be better if…”. I’m particularly happy to see that John Deere stranglehold broken.

  5. If I pay to own something, I should be free to use and abuse it as I please. I can see a problem, if I were to start a business, where fixing/modifying other people’s stuff, because it’s not something I paid for, or own. I’d be getting paid, for a service, which could void a warranty, and the owner could claim they never did anything, most do anyway on warranty claims. I never liked Apple products, they have always tried to control the hardware and software you could use, licenced products. I like to expand and improve my computers, as I need and, see fit, and like having choices and options. Shouldn’t cost more to upgrade, than to buy the upgraded model, or a newer model.

    You should have to keep your cell phone in a tinfoil hat, to keep the real owners from doing sneaky things in the background. Battery shouldn’t drain in a few weeks, in powered down mode, it’s working on something. We should be able to shutdown all the extra activity we don’t want, the things you won’t find in the menu options.

    Cars have enough software problems, probably not a good idea to let just anyone play with it much. It doesn’t just effect the owner/driver, if something really bad happens, lots of other cars and people on the roads.

  6. For most but not all situations legality of modifying my device seems rather academic because no one is going to know. Sure it still bothers me. Chance of being caught and prosecuted for my modding a device always kept at home and not connected to internet – 0. Mod your car computer – slim but possible under some circumstances. Use red diesel in highway vehicle- possible if you are pulled over for other reason. The JD tractor situation was particularly maddening.

    1. It seems to me that most people here are missing the main point. The issue is NOT “modding”, but simple repair, which used to be as easy as identifying the bad part, and then buying a replacement.
      The DCMA allows John Deere and others to charge you “…an arm and a leg…” for the capability of identifying the faulty part.
      Consider the situation of Ford or GM selling you an OBD2-type device for $200 just so you could determine exactly WHAT was causing that dashboard light to come on. And they could VERY EASILY do this, claiming ownership of the software/firmware as their legal right to do so.
      No; DCMA and ‘Right-to-Repair’ is NOT a return to the good ol’ days. It is, quite simply, a new legal way to screw you.
      Until you stop buying product which the manufacturer claims belongs to him AND NOT TO YOU, by virtue of having written the firmware, you are asking to be screwed. Sorry; there’s no other way of putting it.
      And who do you have to thank for this ‘New Normal” Manufacturer’s Mindset? Look no further than Microsoft.

      Again–stay focused. The issue is NOT “modding”; the issue is HARD and EXPENSIVE TO REPAIR. (Tried replacing the battery in your $1000 DumbPhone lately?)

      1. I’m really surprised that someone else did not point out the obvious–

        “…The DCMA allows John Deere and others to charge you “…an arm and a leg…” for the capability of identifying the faulty part.
        “Consider the situation of Ford or GM selling you an OBD2-type device for $200 just so you could determine exactly WHAT was causing that dashboard light to come on. And they could VERY EASILY do this, claiming ownership of the software/firmware as their legal right to do so…”

        You will not be given the option to buy an analysis tool; you will pay an hourly–high–rate for the vendor to analyze the problem, a la Microsoft. And you’ll have precisely the same remedies you have with Microsoft when that analysis turns out to be wrong…

  7. What you do with products you buy, for personal use, really shouldn’t matter how you use it, modify it. I don’t believe you should get the same consideration, if you sell or distribute the fruits of your labor. There won’t always be safe end users, or those that fully understand the modification, just what it can do, not what can go wrong, if used badly. Sometimes modifications are a good thing, for a product that isn’t particularly good, maybe rushed to market. Been quite a few things, with a little work, turn out to be almost as good as buy something that cost twice as much. Some equipment, the cheaper models, are only missing a few components, maybe a jumper or two, or needs a different firmware, to unlock the higher end model’s function and features, saving hundreds of dollars. Pretty cool discovery, but sharing the how-to, sort of kills profits for the company, and future models will be more expensive, since they have to make it more difficult to self-upgrade. The lower cost models, will be actual crap, not just crippled. Not everyone needs all the high-end functions and features.

    I still think that messing with a vehicle’s computer is a bad idea. The car makers screw it up enough, a lot of safety recalls, several million vehicles effect, every year. These are companies, with a vested interest in producing a very safe product, lots of competition, recalls, and major accidents, deaths, are bad for profits. Although, I’m sure our government will step in, and ‘Bail them out’, again…

  8. I think its a resonable restriction to only allow repair, not allow tinkering/adding features.

    The reason I think so, is because sometimes hardware are shipped with locked-down features, that you need to purchase to Unlock, or they might have multiple differently priced models which have the same hardware features but are locked down software-wise.

    And if you then Unlock the “premium features” is then the same as cracking a software on computer to get the more expensive edition.

    Why should it be different from tinkering with software respective tinkering with hardware?

    —–

    I could understand that physically upgrading hardware, like exchanging memory chips from lets say 8G to 64G in order to upgrade a 16-chip harddrive from 128G to 1TB, should be allowed.

    Because then you are Actually adding Labour and materials, to improve the Product. It would be effectively the same as paying the difference price between the cheaper Product and the high-end Product.

    And that is not prohibited either, because then theres no DRM preventing you from doing that.

    —–

    Its a whole different story, if this harddrive would have 16 pieces of 64G chips, but the harddrive were limited by a jumper to 128G in total by “locking out” all except 2 chips, and then Selling this harddrive for a fraction of the 1TB price.

    If you then as a Customer, uses a soldering iron to enable the jumpers, it would mean the Company does a loss because once the World gets to know (via a internet site) that you can enable these jumpers, a “upgrade” that would cost just a fraction of a penny (the price of the soldering tin used to fill in the jumpers), the Company will make a loss because they will be effectively Selling 1TB drives for the price of 128GB drives, and that isn’t fair.

    The Company might sell the 128GB drives with a Little bit of loss compared to the purchase price (because of the 128GB drives being populated with 1TB of chips), but might sell the 1TB drives with a huge margin, so they cover up the losses.

    You understand now why the first one (swapping out the chips) is a FAIR upgrade, while enabling a jumper is a UNFAIR upgrade?

    That the Company CHOOSES To populate the lower end drives with higher end chips, isn’t a valid argument to bypass any restrictions or locks on the drive, if the Company does this choice to streamline their manufacturing process (so they could use the same manufacturing process regardless of the size of drive) its their choice.

    —–

    Its equal to STEALING… theft of service.
    And here is why:

    Imagine you are riding a bus. You have a ticket valid for Zone A. But you ride Zone A and Zone B. You could argue that even if you would stop at Zone A perimeter, the bus would still travel to Zone B, and thus the cost of driving the bus (the salary of the bus driver AND the running costs of the bus) would be the same regardless of if you would jump off at Zone A perimeter or not.
    You could then say that you are not stealing service. But in fact you do, you do steal service by running to Zone B. Because the Company have decided that a ride to Zone B costs more, even if both rides have the same “content” to say, the ride to Zone A is just crippled.

    You can’t argue that the bus should stop at Zone A and not drive into Zone B, and argue that they should have a separate bus going for Zone A and Zone B that Always will cost a Zone A+B ticket. Because its their choice to have a bus that does both zones, but only cost a Zone A ticket as long as you stay inside Zone A.

    —–

    Same with the harddrive. Even if the content of the 128GB drive and 1TB drive is the same in this example, you are still stealing service by upgrading the harddrive using the jumper, like riding on the Zone A ticket for longer than allowed.

    Swapping the chips on the harddrive without bypassing any security limitations, is more equal to Calling your friends and asking them to pick you up at the Zone A perimeter with a car, and drive with car the last mile just to avoid the Zone B ticket fee, and that is a fair “upgrade” for the ride.

    You understand now why DRM and restrictions is sometimes fair?

    Its the same with Music files with “pay per listen” or Movie files with “pay per view”. You are not paying the full price for the file, you might just pay a couple of cents, and thus you instead have to ppl or ppv.

    —–

    About repair, its However not a fair deal if the thing breaks and you have to only repair it at a authorized repair facility, Because then they can inflate the prices without any competition, and its not fair if you have to pay like 50% of the original price to repair a Product to restore it to original condition.

    Note the “Restore it to original condition”. Thats the restriction of the excemption. You may NOT go further than restoring it to original condition. This also means you are not allowed to add features you want, because that constitutes upgrading the device, and you may not remove features you don’t like, for example things that call home to show you ads.

    Because the ads is part of payment, you are not paying full price for the Product, you have to accept the advertisments.

  9. From the Electronic Frontier Foundation, the EFF–

    The Freedom to Jailbreak and the Right to Repair – EFFector 31.16

    “…But the exemptions are still too narrow and too complex for most technology users, and they don’t save the law from being an unconstitutional restraint on freedom of speech. EFF represents entrepreneur Andrew “bunnie” Huang and Professor Matthew Green in a lawsuit seeking to overturn Section 1201…(info@effdotorg)

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.