Breaking the Lock: A Proposed ‘Bug Hunt’ Exception for TPMs

Introduction

In 2012, Parliament amended the Copyright Act and updated it to address the realities of the new internet environment and new technologies. Among the changes was the introduction of technological protection measures (TPMs), sometimes known as digital rights management (DRMs). The Act defines TPMs as “any effective technology, device or component that, in the ordinary course of its operation… controls access…or…restricts access.”[1] In some instances, TPMs may be a copyright-protected work itself – a computer program, which is the focus of this post. I argue that the Act’s narrow exceptions for TPM circumvention are detrimental for both privacy and copyright and propose a new “bug hunt” exception.

 The Act’s TPM Exceptions

The Act recognizes five primary exceptions for circumventing TPMs:

(1) to permit law enforcement to circumvent TPMs if related to the “enforcement of any Act of Parliament.”[2] This carves out a wide scope for the state in the context of criminal investigations to access information on electronic devices, such as phones or computers, and also raises significant privacy concerns.[3]

(2) to permit the interoperability of computer programs, where the user has a licence.[4]

(3) to allow for encryption research, where the copyright owner has consented.[5]

(4) to prevent the collection or dissemination of personal information.[6]

(5) to allow for security testing on a computer or a network, where the hardware owner has provided consent.[7]

The last three exceptions discuss the importance of research, privacy, and security but offer imperfect protections for parties who wish to research security matters without the owner’s consent.

Hacking & Bug Bounties

Despite the bad publicity surrounding hacking, it is not always a cloak and dagger endeavour done for personal gain or out of malice. Some hackers (called white hat hackers) engage in security testing, often unbeknownst to the developers they test, and notify organizations of security flaws that they identify. Technology organizations like Google and Facebook, and even the Pentagon, recognize the valuable work that white hat hackers do and reward them through “bug bounty” programs.[8] A bug bounty is a cash bounty awarded to individuals who bypass TPMs or DRMs and alert organizations of their security flaws – effectively crowdsourcing security testing. In addition to cash, hackers receive notoriety in the community and sometimes recognition by the organizations they test. Many organizations benefit from white hat hackers, who may have the consent of the organizations they hack; however, not all organizations may offer their consent. White hat hackers may be discouraged from hacking these organizations or alerting them of security flaws because they fear legal reprisal.

The Bug Hunt Exception

The existing TPM specific exceptions are of little use to white hat hackers who hack without authorization. Unauthorized hacks may be more advantageous than authorized ones; a thief rarely tells their victims that they will steal from them in advance. A bug hunt exception would mitigate some of the uneasiness that white hat hackers may have with hacking organizations and protect them from liability. Reliance on broad defences of fair dealing and public interest may produce uncertain results. An Ontario court perplexingly found that circumventing a TPM (a paywall) to rectify factual errors in a news article and sharing it did not fall within an education fair dealing exception. Conversely, the Federal Court found that a similar scenario would fall within the research exception.[9] Bug hunting, at its core, is about rectifying factual issues – faulty computer code. A bug hunt exception would also accord with the Act’s other exceptions for TPM circumvention with research, privacy, and security. Of course, a necessary precondition for immunity would be the hacker’s lack of criminal intent to abuse or withhold security vulnerabilities.

Conclusion

A bug hunt exception for hacking TPMs is advantageous for everyone. From a copyright perspective, it alerts owners to vulnerabilities in their program and gives them a chance to improve their work without consequence. For users, it improves the end product that they licence from programmers. In a privacy sense, bug hunts improve privacy because it creates an option for white hat hackers to inform owners of security flaws before they are taken advantage of by hackers with more nefarious intent (black hat hackers). One can wonder whether the Equifax privacy breach, and others like it, could have been avoided if there was a bug bounty program (like it has now) or a bug hunt exception that insulated and incentivized white hat hackers to come forward with security flaws.[10]

Written by Christopher Tsuji, Osgoode JD Candidate, enrolled in Professors D’Agostino and Vaver 2019/2020 IP & Technology Law Intensive Program at Osgoode Hall Law School. As part of the course requirements, students were asked to write a blog on a topic of their choice.

[1] Copyright Act, RSC 1985, c C-42, s.41 [Act].  

[2] Ibid, s.41.11.  

[3] See general evidentiary rules of admissibility concerning seized and accessed cell phones during criminal investigations with R. v. Artis, 2016 ONSC 2050; R v. Marakah, 2017 SCC 59. See also jurisprudence surrounding s.8 of the Charter, unreasonable search and seizure.  

[4] Act, supra note 1 s.41.12.  

[5] Ibid s.41.13.  

[6] Ibid s.41.14.  

[7] Ibid s.41.15.  

[8] See Google “Google Vulnerability Reward Program Rules” online at: https://www.google.com/about/appsecurity/reward-program/; see also Facebook “Facebook White Hat Information” online at: https://www.facebook.com/whitehat; see also the Department of Defense “Department of Defense Expands ‘Hack the Pentagon ‘ Crowdsourced Digital Defence Program” published October 24 2018, online at: https://www.defense.gov/Newsroom/Releases/Release/Article/1671231/department-of-defense-expands-hack-the-pentagon-crowdsourced-digital-defense-pr/  

[9] Compare the unsuccessful facts of fair dealing in 1395804 Ontario Limited (Blacklock’s Reporter) v Canadian Vintners Association, 2015 CanLII 65885 (ON SCSM) with the successful facts of 1395804 Ontario Ltd. (Blacklock’s Reporter) v. Canada (Attorney General), [2017] 2 FCR 256, 2016 FC 1255 (CanLII).  

[10] See Braga, Matthew “100,000 Canadian Victims: What We Know About the Equifax Breach – and What We Don’t” CBC News, published September 19, 2017 online at: https://www.cbc.ca/news/technology/equifax-canada-breach-sin-cybersecurity-what-we-know-1.4297532 and HackerOne, “Equifax Vulnerability Disclosure Program Policy” published July 9, 2019 online at: https://hackerone.com/equifax/  

Leave a reply

Your email address will not be published. Required fields are marked *

five × 1 =