Nearly 25 years ago, the Digital Millennium Copyright Act was added to the Copyright Act. Among its provisions were “paracopyright” measures extending protection in areas well beyond that of traditional copyright law. One such measure is found in § 1201 of the Copyright Act, which prohibits a person from circumventing a technological measure that effectively controls access to a copyright-protected work.
Recent Anti-circumvention Exemptions
An early example of § 1201 enforcement arose when Princeton University Professor Edward Felten and his information technology research team proposed to present their paper on digital music access control technologies at a conference in 2001. The Recording Industry Association of America (via the Secure Digital Music Initiative) argued that even discussing technology that could bypass such controls could be illegal under the DMCA, resulting in a short-lived but highly publicized lawsuit. These provisions of the copyright law can seemingly resemble patent law, in the sense that they seek to regulate certain uses of copyrighted works.
In part because this expansion might have unintended negative consequences, the DMCA included a provision that the Librarian of Congress should, every three years, determine appropriate exemptions from these anti-circumvention provisions for certain classes of works. The most recent rules on these exemptions became effective on November 29, 2001. The “Eighth Triennial Proceeding” to update the exemptions continues on many prior exemptions, but there are some extremely important proposed updates to the exemptions. For example, one exemption allows open-source authors to investigate devices with embedded open source software to check for license compliance.
The mechanism for these exemptions is as follows: the Register of Copyrights conducts a formal public process, consults with the U.S. Department of Commerce (the Executive Branch counterpart to the Library of Congress for IP issues), and makes recommendations to the Librarian of Congress. Throughout the past 20 years or so, exemptions through such rulemaking have been made for various classes of works where, per the legislative history replete with multiple negatives, “the lack of an ability to waive the circumvention prohibition might undermine the fair use of copyrighted works.”
While the DMCA itself includes certain permanent exemptions (e.g., for certain library browsing), other exemptions were to be revisited every few years to ensure that the technologies and their uses warranted the exemptions. Thus, in June 2020, the Copyright Office issued a notice of inquiry requesting petitions for renewal of existing exemptions, petitions in opposition to renewal and petitions for new (or expanded) exemptions. In response, it received 32 renewal petitions and 26 petitions for new/expanded exemptions. In October 2020, the Office issued a Notice of Proposed Rulemaking identifying the existing exemptions for which the Register intended to recommend renewal, as well as proposed classes for new exemptions. This invited several rounds of public commentary. Overall, the Office received 161 total submissions in response to the October 2020 Notice. After further public hearings in early 2021 and additional public input, the Register provided her recommendations to the Librarian of Congress on October 19, 2021. (The recommendations document is quite detailed, spanning more than 350 pages.) On October 28, 2021, the Librarian of Congress Adopted final regulations based on the recommendations.
New Exemptions Adopted in 2021
On the renewal side, not much changed. The final rule resulted in renewals of all of the existing exemptions, in some cases using those as the baseline in assessing whether further expansion was appropriate. These included things such as educational uses of audiovisual works, e.g., the use of motion pictures for massive open online courses and captioning/audio descriptions of works for students with disabilities. For existing exemptions relating to software, they included uses relating to patient data on networked medical devices; unlocking cellphones/jailbreaking; repair of motorized land vehicles (including tractors); repair of smartphones, home appliances and home systems; security research; software/video game preservation; and operation of 3D printers to allow use of alternative feedstock.
More notable were areas of new or expanded exemptions. A new exemption that is of particular interest to technology-based companies allows for circumvention of technical measures on any device or machine (except a gaming console) to investigate potential violations of licenses for “free and open source software” (FOSS). Any such investigation must be performed on a legally obtained device and not violate other laws. The investigation must also be performed by, or on behalf of, a party with standing to bring a breach of license or copyright claim that has a good-faith belief that the investigation is necessary. Further, the investigation must be for the sole purpose of investigating potential infringement. However, how this exemption will work in practice is not yet clear.
Given the prevalence of FOSS code, there will often be good reason to believe that it is present in any given device. Without inspecting the code, it may be challenging or impossible to know whether any given piece of FOSS code is present. It could be plausibly argued that the mere fact that a particular piece of FOSS code would be useful in a device is sufficient to establish good faith grounds to investigate. In contrast, one could argue that building a good faith argument requires at least some independent evidence of use of the FOSS code, which in many cases may be impossible to obtain without circumventing the technical measures protecting the code. Furthermore, once an investigation has been conducted and source code has been exposed, it is extremely difficult—if not impossible—to control how knowledge of that code is used. There are obvious examples of misuse of the exemption (e.g., publishing proprietary code online) that may be policed, but there are many gray areas that will need to be evaluated on a case-by-case basis.
Another new exemption of interest allows for circumvention of technical measures on motion pictures and literary works stored on DVDs or Blu-ray discs, or made available for digital download, for researchers to perform text and data mining. The circumvention must be applied by a researcher affiliated with a nonprofit institution, or a student or information technology staff member under such a researcher’s direction, and the institution must legally own or license a copy of the copyrighted work. Further, the work may only be watched or read for the purpose of validating the results of the research and the institution must employ effective security measures to prevent further dissemination of the work. Exactly what constitutes “effective security measures” should be determined by an agreement between the institution and interested copyright holders. Absent such an agreement, the institution must use the same measures that it uses to keep its own highly confidential information (e.g., government-issued identification numbers, medical or health insurance information, and payroll systems) secure. This exemption has limited scope, but for institutions and research projects that qualify, it may provide easier access to rich sources of data for analyzing cultural phenomena and development.
Proceed with Care
The new exemptions expand the situations under which individuals may circumvent technical measures protecting copyrighted material. The new exemption for investigating possible copyright violations has significant ramifications for both copyright holders and users of FOSS code. Copyright holders now have a powerful tool for ensuring that users comply with the terms of the license under which the code is distributed.
However, copyright holders should be aware of the limitations and, ideally, have detailed procedures and records to ensure they can demonstrate a good faith reason for all investigations and that anything learned through those investigations is not misused. For example, copyright holders should consider deleting the majority of source code extracted from devices and storing only conclusions and short extracts necessary to prove license or copyright violations. Similarly, users and manufacturers of computing devices should be aware of the increased risks of third parties accessing any code included on those devices. To minimize this risk, including detailed documentation of all FOSS code used by a device is advisable to undercut arguments that there is a good faith case to investigate the code used by the device.
