[Owasp-board] Let's stand together against DMCA and similar laws

Kevin W. Wall kevin.w.wall at gmail.com
Thu Aug 11 00:25:37 UTC 2016

OWASP Board members,

One day ago, I cross-posted to the OWASP Leader's mailing list (see
an earlier post that Cory Doctorow had originally posted to the OWASP
Community list back on June 2nd. I did so because Cory said that NO ONE
had responded to his original post. After having the privilege of talking
about the current state of DRM and DCMA affairs and hearing W3C's venturing
into dangerous waters with their DRM-like technology known as Encrypted
Media Extension (EME), it seemed to me that as a community, this is something
that affects many of us, potentially in some very bad ways.

I've contacted Cory to have my name added to EFF's list of people protesting
the W3C's EME technology without providing an exclusion for security
researchers reporting on browser vulnerabilities. I know that other OWASP
members have as well, and I'm happy for that. But realistically, as individuals,
our voices do not carry as much weight as they would if we spoke with a collective

So myself and a few other OWASP members have questioned what we could
do as a _community_ to come against DMCA and similar laws.  Whatever your
feelings are about DRM, I think that most of you feel that it is wrong for
a company to hide behind DRM and DMCA in an attempt to prevent product
vulnerabilities from being publicly revealed after providing reasonable
time for a company to issue patches, etc. (That is, I am talking about what
happens after responsible disclosure fails and security researchers find
themselves facing a choice between being sued or divulging the necessary
details of the vulnerability for the public good and safety in order to
force a company's hand at taking corrective action or making the public
aware so they can avoid purchasing said product.)

To me, this goes beyond mere copyright evasion and DRM. Toward that end, I
think that DRM is understandable, although an ill-conceived, if not totally
futile endeavor to protect copyrights. However, my understanding of DMCA
(and Cory, please correct me if I'm wrong here) is that DMCA criminalizes
production and dissemination of technology or knowledge of ANYTHING intended
to circumvent access to control of copyrighted works. So for instance (and,
this is just a hypothetical here), if a company made a pacemaker that used
Bluetooth for remote access by doctors and the authentication / access control
of those devices relied on obfuscation rather than (say) a secure encrypted
communication channel, a security researcher who revealed this could
potentially face a lawsuit by the pacemaker manufacturer because revealing
details of any authentication bypass could infringe on that company's
copyrighted IP. Has that happened yet? Well, not to my knowledge, but
with the explosion of IoT devices, it's bound to sooner or later. (Cory, if
you know of any real case law that you can discuss here, that might go a
long way towards convincing folks.)

So, what am I proposing? I would like an OWASP board member to
propose a couple of different motions to be considered by and voted
on by the OWASP board:

1) I would like to see a motion for OWASP as an organizational whole,
   consider support for and officially "signing" (whatever that means
   in a legal sense) EFF's notice to W3C to protect security researchers
   reporting on vulnerabilities in their proposed EME standard,
   implementations thereof, or other W3C browser related technologies. That
   is, I would like to see the "OWASP Foundation" named as a party to

2) I would like to see a motion for OWASP to at least analyze the pros and
   cons of filing a "friend of the court" (i.e., amicus curiae) brief to stand
   with EFF, Matthew Green, et al in the section 1210 DMCA lawsuit that they
   recently filed against the USG (for details see
   and if the perceived pros outweigh the cons, to actually proceed with
   filing an amicus brief.

It is my understanding that someone presently on the OWASP Board has to
bring forth these as motions before the board. (Note: If I am mistaken
about that, I will gladly do it myself.)  So who on the board will
stand up against DMCA and similar legislation in other countries that
Cory outlined in a follow-up post to the OWASP leaders list?  I personally
do not believe that either of these proposals for motions is partisan
from a political perspective and I think that both support our stated
core purpose of being "the thriving global community that drives visibility
and evolution in the safety and security of the world’s software".

So, let us do what we can as individuals, but let us remember that our
community voice together is much louder than it is speaking alone.

Thank you all for listening and considering my thoughts in earnest.
Blog: http://off-the-wall-security.blogspot.com/    | Twitter: @KevinWWall
NSA: All your crypto bit are belong to us.
