
US authorities allow researchers to perform penetration testing and reverse engineering without legal consequences



On Friday, October 28, an updated list of exceptions to the Digital Millennium Copyright Act (DMCA), a rule prohibiting “bypassing digital access controls”, was published on the website of the Library of Congress. These rules govern the conditions under which private users can interact with and manipulate digital content owned by rights holders without risking legal consequences.

The list of current exceptions includes several that will make it easier for information security researchers to carry out software testing.

Since 2003, similar DMCA exemptions have been published every three years, but this time the period was extended by another year, which was set aside to discuss the consequences with rights holders. Business representatives feared the consequences of what would, in effect, be permission to engage in software reverse engineering and penetration testing.

The most interesting exceptions are the following (the full list is published in The Register):


According to Aaron Alva, who works as a technology policy officer (Tech Policy Fellow) at the US Federal Trade Commission, "new exceptions are a big victory for the information security and security community."

Although the new exemptions have entered into force, researchers are still required to comply with the Computer Fraud and Abuse Act. In addition, the exemptions impose conditions on reverse engineering and code deobfuscation: they must be carried out "in a controlled environment designed to avoid causing any harm to specific individuals and society".

Also, any information obtained from such activities should be used to increase the security of devices that use the code under study, or the safety of people who use the final product. Ensuring this “increased security”, in turn, should in no way violate the rights of rights holders.

“If you follow all the rules, you can test the security of a toaster connected to the Internet in order to assess the risks that attackers will be able to seize control of it and burn your bagels or remotely receive information about your preferences in baking,” Alva says. “But, of course, all this does not give anyone the right to steal such a toaster, crack a neighbor’s toaster or force the device to catch fire next to highly flammable materials.”

Source: https://habr.com/ru/post/314112/

