Security Researchers Battle Against the DMCA

47 Pages. Posted: 2 Feb 2023. Last revised: 4 May 2023.


In the digital age, cybersecurity plays a principal role in resolving consumer concerns regarding data breaches. Nevertheless, United States copyright laws prohibit the effective use of cybersecurity tools that disrupt malicious hackers from accessing personal (and sensitive) information. One law in particular that is detrimental to the defense against malicious attackers is the Digital Millennium Copyright Act (“DMCA”). Specifically, section 1201 of the DMCA prohibits the circumvention of copyrighted information. Malicious hackers have various tools and techniques to obtain unauthorized access to personal information via software vulnerabilities. Importantly, these vulnerabilities often result in the theft of consumers’ personal information; however, physical harm may also occur. Autonomous vehicles, for example, are ripe for software security concerns. Malicious hackers can and do attack safety-critical systems like engines and brakes.

Moreover, medical devices often have vulnerabilities in their software systems—leading to severe injury or death by, for example, implantable defibrillators. So, naturally, software systems have bugs that put consumer data at risk—otherwise, there would be no need for privacy policies. However, laws like the DMCA that hinder the activities of security researchers are counterintuitive to the remediation of these bugs (and consumer safety). On October 12, 1998, the U.S. Congress passed the DMCA, amending U.S. copyright law to address the relationship between copyright and the internet. Congress’ reason for passing the DMCA was to address the concerns of copyright holders who felt that there were too few protections for their work(s). Unfortunately, when writing the DMCA, Congress could not anticipate the rapid growth of technology and how ill-equipped the legal system is to keep up with technological advancements. Now, the DMCA overreaches its intended powers and subjects security researchers to criminal liability. The current technological climate calls for improved reliability and guidance regarding existing legal authorities, as well as how investigations should be held concerning security research. In addition, researchers are increasingly becoming independent and no longer affiliating themselves with institutions that housed them in the past (such as universities). This means they are moving away from restrictive research houses and opening to the public about vulnerabilities that would have previously been prohibited under contract—limiting those who can bring claims against researchers. Significantly, this is affecting the way inexperienced vendors go about handling reports. The connection between security research and certain consumer safety is where most of this argument lays its foundation. Public awareness of the benefits of security research will improve policy decisions, providing further understanding of contributions made to digital safety and security.

Keywords: DMCA, Copyright Law, Cybersecurity Law, Security Research, Section 1201, Vulnerability Reporting

Suggested Citation

Sardaryzadeh, Andre, Security Researchers Battle Against the DMCA, 22 Chi.-Kent J. Intell. Prop. 38 (2023).
