This month, Mexico rushed through a new, expansive copyright law without adequate debate or consultation, and as a result, it adopted a national rule that is absolutely unfit for purpose, with grave implications for human rights and cybersecurity.
The new law was passed as part of the country's obligations under Donald Trump's United States-Mexico-Canada Agreement (USMCA). It imports the US copyright system wholesale, and then erases even the USA’s own weak safeguards for fundamental rights.
Central to the cybersecurity issue is Article 114 Bis, which establishes a new kind of protection for "Technical Protection Measures" (TPMs). This includes rightsholder technologies commonly known as Digital Rights Management (DRM), but it also includes basic encryption and other security measures that prevent access to copyrighted software. These are the familiar, dreaded locks that stop you from refilling your printer's ink cartridge, using an unofficial App Store with your phone or game console, or watching a DVD from overseas in your home DVD player. Sometimes there is a legitimate security purpose to restricting the ability to modify the software in a device, but when you, as the owner of the device, aren’t allowed to do so, serious problems arise and you become less able to ensure the security of your own device.
Under the US system, it is an offense to bypass these TPMs when they control access to a copyrighted work, even when no copyright infringement takes place. If you have to remove a TPM to modify your printer to accept third-party ink or your car to accept a new engine part, you do not violate copyright — but you still violate this extension of copyright law.
Unsurprisingly, manufacturers have aggressively adopted TPMs because these allow them to control both their customers and their competitors. A company whose phone or game console is locked to a single, official App Store can monopolize the market for software for their products, skimming a percentage from every app sold to every owner of that device.
Customers cannot lawfully remove the TPM to use a third-party app-store, and competitors can't offer them the tools to unlock their devices. "Trafficking" in these tools is a crime in the USA, punishable by a five-year prison sentence and a $500,000 fine.
But the temptation to use a TPM isn't limited to controlling customers and competitors: companies that use TPMs also get to decide who can reveal the defects in their products.
Computer programs inevitably have bugs, and some of these bugs present terrible cybersecurity risks. Security defects allow hackers to remotely take over your car and drive it off the road, alter the ballot counts in elections, wirelessly direct your medical implants to kill you, or stalk and terrorize people.
The only reliable way to discover these defects before they can be weaponized is to subject products and systems to independent scrutiny. As the renowned security expert Bruce Schneier says, "Anyone can design a security system that works so well they can't think of a way to defeat it. That doesn't mean it works, that just means it works against people stupider than them."
Independent security research is incompatible with laws protecting TPMs. In order to investigate systems and report on their defects, security researchers must be free to bypass TPMs, extract the software from the device, and subject it to testing and analysis.
When security researchers do discover defects, it's common for companies to deny that they exist, or that they are important, painting the matter as a "he said/she said" dispute.
But these disputes have a simple resolution: security researchers routinely publish "proof of concept" code that allows anyone to independently verify their findings. This is simple scientific best practice: since the Enlightenment, scientists have published their findings and invited others to replicate them, a process that is at the core of the Scientific Method.
Section 1201 of the US Digital Millennium Copyright Act (DMCA 1201) defines a process for resolving disputes between TPMs and fundamental human rights. Every three years, the US Copyright Office hears petitions from people whose fundamental rights have been compromised by the TPM law, and grants exemptions to it.
The US government has repeatedly acknowledged that TPMs interfere with security research and has granted explicit exemptions to the TPM rule for security research. These exemptions are weak (the US statute does not give the Copyright Office authority to authorize security researchers to publish proof-of-concept code), but they still provide much-needed assurance for researchers attempting to warn us that we are in danger from our devices. When powerful corporations threaten security researchers in attempts to silence them, the Copyright Office's exemptions can give them the courage to publish anyway, protecting all of us.
The US exemptions process is weak and inadequate. The Mexican version of this process is even weaker, and even more inadequate (the law doesn't even bother to define how it will work, and merely suggests that some process will be created in the future).
Article 114 Quater (I) of Mexico's law does contain a vague offer of protection for security research, similar to an equally vague assurance in the DMCA. The DMCA has been US law for 22 years, and in all that time, no one has ever used this clause to defend themselves.
To understand why, it is useful to examine the text of the Mexican law. Under the Mexican law, security researchers are only protected if their "sole purpose" is "testing, investigating or correcting the security of that computer, computer system or network." It is rare for a security researcher to have only one purpose: they want to provide the knowledge they glean to the necessary parties so that security flaws do not harm any of the users of similar technology. They may also want to protect the privacy and autonomy of users of a computer, system, or network in ways that conflict with what the manufacturer would view as the security of the device.
Likewise, the Mexican law requires that security researchers be operating in "good faith," creating unquantifiable risk. Researchers often disagree with manufacturers about the appropriate way to investigate and disclose security vulnerabilities. The vague statutory provision for security testing in the United States was far too unreliable to successfully foster essential security research, something that even the US Copyright Office has now repeatedly acknowledged.
The bottom line: our devices cannot be made more secure if independent researchers are prohibited from auditing them. The Mexican law will deter this activity. It will make Mexicans less secure.
Cybersecurity is intimately bound up with human rights. Insecure voting machines can compromise elections, and even when they are not hacked, the presence of insecurities robs elections of legitimacy, leading to civic chaos.
Civil society groups engaged in democratic political activity around the world have been attacked by commercial malware that uses security defects to invade their devices, subjecting them to illegal surveillance, kidnapping, torture, and even murder.
One such product, the NSO Group's Pegasus malware, was implicated in the murder of Jamal Khashoggi. That same tool was used to target Mexican investigative journalists, human rights defenders, even Mexican children whose parents were investigative journalists.
Defects in our devices expose us to politically motivated surveillance, but they also expose us to risk from organized criminals: for example, "stalkerware" can enable human traffickers to monitor their victims.
Digital rights are human rights. Without the ability to secure our devices, we cannot fully enjoy our family, civic, political, or social lives.