Chapter 3: Copyright of Digital Information

IV.E.7.f. Security Testing

The final exception addresses security testing of computer systems, and is much like the reverse engineering and encryption research exceptions in that it applies only to the circumvention of an access control mechanism. The provision was added in the conference between the Senate and House that developed the final language for the DMCA, after the conferees saw that the encryption research exception might be too narrow to allow some legitimate security testing:

    The conferees recognize that technological measures may also be used to protect the integrity and security of computers, computer systems or computer networks. It is not the intent of this act to prevent persons utilizing technological measures in respect of computers, computer systems or networks from testing the security value and effectiveness of the technological measures they employ, or from contracting with companies that specialize in such security testing.

    Thus, in addition to the exception for good faith encryption research contained in Section 1201(g), the conferees have adopted Section 1201(j) to resolve additional issues related to the effect of the anti-circumvention provision on legitimate information security activities.

    First, the conferees were concerned that Section 1201(g)'s exclusive focus on encryption-related research does not encompass the entire range of legitimate information security activities. Not every technological means that is used to provide security relies on encryption technology, or does so to the exclusion of other methods. Moreover, an individual who is legitimately testing a security technology may be doing so not to advance the state of encryption research or to develop encryption products, but rather to ascertain the effectiveness of that particular security technology.

    The conferees were also concerned that the anti-circumvention provision of Section 1201(a) could be construed to inhibit legitimate forms of security testing. It is not unlawful to test the effectiveness of a security measure before it is implemented to protect the work covered under title 17. Nor is it unlawful for a person who has implemented a security measure to test its effectiveness. In this respect, the scope of permissible security testing under the Act should be the same as permissible testing of a simple door lock: a prospective buyer may test the lock at the store with the store's consent, or may purchase the lock and test it at home in any manner that he or she sees fit, for example, by installing the lock on the front door and seeing if it can be picked. What that person may not do, however, is test the lock once it has been installed on someone else's door, without the consent of the person whose property is protected by the lock. {FN197: H.R. Rep. No. 105-796 at 66-67}

The provision is limited to authorized testing, and the results of the testing should be conveyed to the system operator to assist in making the system more secure. It is not an excuse to post the results, or the techniques used to crack a system, to the public.

    (1) Definition. For purposes of this subsection, the term "security testing" means accessing a computer, computer system, or computer network, solely for the purpose of good faith testing, investigating, or correcting, a security flaw or vulnerability, with the authorization of the owner or operator of such computer, computer system, or computer network.

    (2) Permissible Acts of Security Testing. Notwithstanding the provisions of subsection (a)(1)(A), it is not a violation of that subsection for a person to engage in an act of security testing, if such act does not constitute infringement under this title or a violation of applicable law other than this section, including section 1030 of title 18 and those provisions of title 18 amended by the Computer Fraud and Abuse Act of 1986.

    (3) Factors in Determining Exemption. In determining whether a person qualifies for the exemption under paragraph (2), the factors to be considered shall include:

        (A) whether the information derived from the security testing was used solely to promote the security of the owner or operator of such computer, computer system or computer network, or shared directly with the developer of such computer, computer system, or computer network; and

        (B) whether the information derived from the security testing was used or maintained in a manner that does not facilitate infringement under this title or a violation of applicable law other than this section, including a violation of privacy or breach of security.

    (4) Use of Technological Means for Security Testing. Notwithstanding the provisions of subsection (a)(2), it is not a violation of that subsection for a person to develop, produce, distribute or employ technological means for the sole purpose of performing the acts of security testing described in subsection (2), provided such technological means does not otherwise violate section (a)(2). {FN198: 17 U.S.C. §1201(j)}

Copyright © 2002, Lee A. Hollaar.