EFF Asks Court to Block U.S. From Prosecuting Security Researcher For Detecting and Publishing Computer Vulnerabilities
Washington, D.C.—The Electronic Frontier Foundation (EFF) asked a court Thursday for an order that would prevent the government from prosecuting its client, security researcher Matthew Green, for publishing a book about making computer systems more secure.
Green is writing a book about methods of security research to recognize vulnerabilities in computer systems. This important work helps keep everyone safer by finding weaknesses in computer code running devices critical to our lives—electronic devices, cars, medical record systems, credit card processing, and ATM transactions. Green’s aim is to publish research that can be used to build more secure software.
But publishing the book, tentatively entitled Practical Cryptographic Engineering, could land Green in jail under an onerous and unconstitutional provision of copyright law. To identify security vulnerabilities in a device he has purchased, Green must work directly with copyrighted computer code, bypassing control measures meant to prevent the code from being accessed. Even though this kind of research is traditionally a “fair use” permitted by copyright law, Digital Millennium Copyright Act (DMCA) Section 1201 threatens criminal and civil penalties— including jail time—for performing it or publishing information about the methods of security research. The exemptions Congress included in the 1998 DMCA to protect security researchers from prosecution are vague, limited, and provide inadequate assurance against the serious legal ramifications of Section 1201 lawsuits—something the government itself has acknowledged.
“Under Section 1201, computer researchers can face serious penalties just for selling a book that would help people build better, more secure computer systems,” said EFF Legal Director Corynne McSherry. “As we explained when we filed a legal challenge to the law in July, such penalties violate the First Amendment and threaten ordinary people for publishing research or even talking about circumventing computer code that’s embedded in nearly everything we own. With the lawsuit underway, we’re asking the court to bar the government from prosecuting Dr. Green so he can publish a book that’s clearly in the public interest.”
“If we want our communications and devices to be secure, we need to protect independent security researchers like Dr. Green,” said EFF Staff Attorney Kit Walsh. “Researchers should be encouraged to educate the public and the next generation of computer scientists. Instead, they are threatened by an unconstitutional law that has come unmoored from its original purpose of addressing copyright infringement. We’re going to court to protect everyone whose speech is squelched by this law, starting with Dr. Green and his book.”
EFF filed the Section 1201 lawsuit and Thursday's request for a court order with co-counsel Brian Willen, Stephen Gikow, and Lauren Gallo White of Wilson Sonsini Goodrich & Rosati.
For the motion for preliminary injunction:
For more about this case: