The fight against IoT DRM

By EFF Deeplinks Blog

What with the $400 juicers and the NSFW smart fridges, the Internet of Things has arrived at that point in the hype cycle midway between “bottom line” and “punchline.”

Hype and jokes aside, the reality is that fully featured computers capable of running any program are getting cheaper and more powerful and smaller with no end in sight, and the gadgets in our lives are transforming from dumb hunks of electronics to computers in fancy cases that are variously labeled “car” or “pacemaker” or “Alexa.”

We don’t know which designs and products will be successful in the market, but we’re dead certain that banning people from talking about flaws in existing designs and trying to fix those flaws will make all the Internet of Things’ problems worse.

But a pernicious American law stands between the Internet of Defective Things and your right to know about those defects and remediate them. Section 1201 of the Digital Millennium Copyright Act bans any act that weakens or bypasses a lock that controls access to copyrighted works (these locks are often called Digital Rights Management or DRM).

These locks were initially used to lock down the design of DVD players and games consoles, so that manufacturers could prevent otherwise legal activities, like watching out-of-region discs or playing independently produced games.

Today, these locks have proliferated to every device with embedded software: cars, tractors, pacemakers, voting machines, phones, tablets, and, of course, “smart speakers” used to interface with voice assistants.

Corporations have figured out that they can deploy DRM to control how you use your device, and then use DMCA 1201 to threaten competitors whose products unlock legal, legitimate features that benefit you, instead of some company’s shareholders.

This means that, for example, a printer company can use digital locks to control who can refill your printer-ink cartridges, ensuring that you buy ink from them, at whatever price they want to charge. It means that cellphone manufacturers get to decide who can fix your phone and tractor companies can choose who can fix your tractors.

What’s worse: companies have exploited DMCA 1201 to attack security researchers who came forward to report defects in their products, arguing that any disclosures of vulnerabilities in the stuff you own might help you break the DRM, meaning that it’s illegal to tell you truthful things about the risks you face from your badly secured gadgets.

Every three years, the US Copyright Office lets us petition for limited exemptions to this law, and we have been slowly, surely carving out a space for Americans to bypass digital locks in order to use their property in legitimate, legal ways—even if there’s some DRM between them and that use.

In 2015, we won the right to jailbreak your phones and tablets—to change how they’re configured so that you can unlock features that you want (even if the manufacturer doesn’t), and remove the ones you don’t.

We also won an exemption that protects security researchers’ right to bypass DRM to investigate and test the security of all sorts of gadgets. Taken together, these two rights—the right to discover defects and the right to change your device configuration—form a foundation on which solutions to the pernicious problems of our vital, ubiquitous, badly secured gadgets can be built.

This year, we’re liberating your smart speakers: Apple HomePods, Amazon Echos, Google Homes, and lesser-known offerings from other manufacturers and platforms. These gadgets are finding their way into our living rooms, kitchens—even our bedrooms and bathrooms.

They have microphones that are always on and listening (many of them have cameras, too), and they’re connected to the Internet. They only run manufacturer-approved apps, and use encryption that prevents security researchers from investigating them and ensuring that they’re working as intended.

We’ve asked the Copyright Office to extend the jailbreaking exemption to cover these smart speakers, giving you the right to load software of your choosing on them—and letting security researchers probe them to make sure they’re not sneaking around behind your back. These exemptions include the right to bypass the devices’ bootloaders and to activate or disable hardware features.

These are rights that you’ve always had, for virtually every gadget you’ve ever owned—that is, until manufacturers discovered DMCA 1201’s potential to control how you use their products after they become your property.

We don’t have all the answers about how to make smart speakers better, or more secure, but we are one hundred percent certain that banning people from finding out what’s wrong with their smart speakers and punishing anyone who tries to improve them isn’t helping.

These Copyright Office hearings are important, because they help the Copyright Office understand and acknowledge that DMCA 1201 is causing problems for people who want to do legitimate activities, but the hearings are still grossly insufficient.

DMCA 1201 says the Copyright Office can give you the right to use your device in ways that are prevented by DRM, but not the right to acquire a tool to enable you to make that use. Under the DMCA’s rules, every person who has the right to bypass DRM is expected to hand-whittle a tool for their own personal use and treat the design of that tool as a matter of strictest secrecy.

This is absurd. It’s one of the reasons we’re suing the U.S. government over the constitutionality of DMCA 1201, with the intention of having a court rule that the law is unenforceable, killing it altogether or sending it back to Congress for a major overhaul that terminates the ability of corporations to use a so-called anti-piracy law to ban activities that have no connection to copyright infringement.
