An Unstoppable Force Meets an Immovable Object: A Glimpse at the Emerging Effects of the DMCA’s Anti-Circumvention Provision on the Internet of Things

Next year will mark the twentieth anniversary of the passage of the Digital Millennium Copyright Act (“DMCA”), Congress’s controversial response to novel copyright protection issues posed by digital media and new technologies that facilitate piracy and other infringing activity.  Signed into law by President Clinton a mere seven months before the release of the infamous pioneering peer-to-peer file sharing platform, Napster, the DMCA presciently provided copyright owners and prosecutors with a powerful new arsenal of anti-piracy tools designed to cut off infringing activity at the root.  By prohibiting both the circumvention of technological protection measures (“TPMs”) that control access to a protected work and the traffic in means that are designed to facilitate circumvention, the drafters of the DMCA clearly anticipated the pending digital piracy epidemic and sought to fortify the rights of digital media copyright owners.  Congress’s technology forecasting abilities are limited, however, and legislators likely could not have foreseen the development of the network of “smart” internet-connected devices and appliances collectively referred to as the Internet of Things (“IoT”), nor the far-reaching implications the DMCA would hold for consumers of these software-embedded products.
 
At a time when WiFi was not yet widely available for public consumption and mobile internet devices were too expensive and clumsy for practical use, the idea that the operation of everyday items and appliances such as children’s toys, refrigerators, and tractors would come to depend on copyrighted software and connection to the cloud would have been unthinkable.  That such devices and appliances could be conveniently controlled and programmed for automation by a handheld device from practically anywhere in the world probably would have struck legislators as the fanciful invention of a science fiction writer.  Yet two decades and thirteen iPhone models later, it has become undeniably clear that this is the future we are to inherit as more IoT devices and appliances find their way into American households.  While perhaps not immediately apparent to consumers of these products, the combination of the DMCA’s anti-circumvention provision and prevailing software licensing practices presents a looming problem that is only beginning to materialize: attempts at repairing or maintaining the operability of a software-embedded device or appliance may require the circumvention of TPMs, and in turn, expose consumers and third party repair services to liability under the DMCA.
 
The crux of the issue lies in the substantially different treatment a device’s physical hardware and software receives under contract and copyright law.  While consumers generally own the physical device, contracts, such as end user license agreements, typically grant consumers only a limited license to use the device’s software.  These agreements tend to impose a slew of judicially enforceable restrictions on the use of the software and may even prohibit the user from transferring the device to another party.  Under copyright law, device manufacturers benefit from statutory provisions that provide for remedies against parties who engage in infringing activity with respect to a device’s copyrighted software.  Manufacturers that employ TPMs to control access to the copyrighted software also enjoy the added protection of the DMCA’s anti-circumvention provision.[1]
 
The practical effect of the distinction between a device’s tangible and intangible elements is twofold: consumers essentially own nothing more than an inert assembly of plastic and metal components, and are at the whim of manufacturers who reserve the power to remotely render a device inoperable or vulnerable to new security threats by declining to continue to offer necessary services and support for the device.  Last year’s Revolv home hub debacle demonstrates the actual cost of this precarious relationship consumers maintain with software-embedded products they likely believe themselves to “own.”
 
In February 2016, Nest Labs, Alphabet’s home automation subsidiary, announced that it was shutting down support for all Revolv smart hubs and their companion smartphone applications by mid-May.  By the time the announcement was made, the shutdown already seemed imminent; Nest had stopped selling the hubs immediately after acquiring Revolv in 2014 and all one-year warranties on the hubs had expired.  In the lead up to the device’s final transformation from a powerful automation hub capable of coordinating connections between an owner’s smartphone and a diversity of smart home products into a useless $300 teardrop-shaped piece of plastic, commentators had pointed out that this may become par for the IoT course.
 

Image source: Fortune, http://fortune.com/2014/03/26/review-revolv-smart-home-hub/
 
The software-device divide raises issues beyond manufacturers’ ability to “brick” legacy devices, taking on a more subtle and commonplace dimension with respect to security patches and the availability of replacement parts.  As users of older devices know all too well, the continued operation of out-of-support devices exposes users to security vulnerabilities as manufacturers stop releasing software updates necessary to guard devices and users against new threats.  Unless manufacturers voluntarily place outdated software source code into the public domain, or make their software open source in the first place, consumers are likely barred from enjoying continued security in their no-longer supported legacy devices.  Moreover, legacy device owners who seek to replace broken or worn out parts may find that manufacturers no longer make them and that a third-party replacement part may necessitate the circumvention of TPMs to be made compatible with the device’s software.  The problem becomes magnified in a world where this kind of technology is being incorporated into more products and where device lifespans and the update cycle are becoming shorter.
 
This begs the question: what recourse do consumers have when a device manufacturer terminates support and services or ceases to produce replacement components necessary for the device’s continued operation?  Unfortunately, there is no clear answer as consumers are left to navigate a confusing minefield of overlapping legal regimes and unresolved legal questions.  Adding to the confusion is the DMCA’s quirky triennial rulemaking procedure, which empowers the Librarian of Congress to issue temporary three-year exemptions to the anti-circumvention provision of the DMCA.  As the Electronic Frontier Foundation points out in their ongoing lawsuit challenging the constitutionality of the DMCA, the process imposes burdensome requirements on parties seeking an exemption and creates more uncertainty because there is no presumption that exemptions will be renewed.  Moreover, the fact that the Librarian of Congress is not empowered by the statute to provide exemptions to the anti-trafficking provision means that consumers who lack the technical skills to repair and maintain their own devices (i.e. the average consumer) cannot avail themselves of the services of third-party repair service providers or software developers, as the provision of such services would constitute trafficking in means designed to circumvent TPMs.
 
While the solution to this issue may ultimately lie in legislative reform, it may be argued that owners of hardware with embedded software have an implied right to access, repair, and maintain software to the extent necessary for the continued operation of the hardware, free from liability under the DMCA.  One does not need to stretch to find such an implied exemption within the penumbra of the Copyright Act’s provisions; two provisions added to the Copyright Act through the passage of the DMCA suggest a Congressional intent to this effect: 17 USC § 117(c) exempts infringement that results from the necessary copying of protected software during routine computer repair and maintenance, and 17 USC § 1201(f) exempts the circumvention of TPMs to the extent necessary to reverse engineer copyrighted software for the sole purpose of achieving interoperability with independently created, non-infringing software.  Moreover, such an implied right would be consistent with traditional common law property principles and the balance between a copyright owner’s exclusive rights and the public’s benefit contemplated by the Intellectual Property Clause of the Constitution.
 
The rapid expansion of the Internet of Things shows no signs of slowing down, raising the stakes ever higher as connected devices inhabit new corners of our homes and engenders a growing dependence on copyrighted technology for a greater part of our day-to-day lives.  Left unaddressed, the problems created by the DMCA’s anti-circumvention provision threaten to undermine the system of personal property ownership that consumers have come to expect and tether consumers and their wallets to a manufacturer’s ability and desire to provide continued support services for IoT devices and appliances.  It may be time to recognize that the nearly twenty-year-old DMCA has reached a breaking point and is now obsolete.
 
[1] Although two decisions from the Federal Circuit (Storage Tech. Corp. v. Custom Hardware Eng’g & Consulting, Inc., 421 F.3d 1307, 1318 (Fed. Cir. 2005); and Chamberlain Group, Inc. v. Skylink Techs., Inc., 381 F.3d 1178, 1203 (Fed. Cir. 2004)) have interpreted the DMCA’s anti-circumvention provision to fit within the traditional copyright framework by reading an implicit requirement that plaintiffs and prosecutors must demonstrate a nexus between the circumvention of TPMs and infringing conduct, the Ninth Circuit more recently refused to read such an implied nexus into the statute, holding that mere circumvention of TPMs alone, without any evidence of infringement, is sufficient for finding liability under the DMCA (see MDY Indus., LLC v. Blizzard Entm’t, Inc., 629 F.3d 928, 950 (9th Cir. 2010)).  Unsurprisingly, the Department of Justice favors the latter interpretation, and instructs prosecutors to remind courts that the Federal Circuit decisions do not constitute meaningful authority on this point. See United States Department Of Justice, Prosecuting Intellectual Property Crimes 242 (4th ed. 2013), available at https://www.justice.gov/sites/default/files/…/prosecuting_ip_crimes_manual_2013.pdf.
 
 
Jared Greenfield is a J.D. candidate, 2019, at NYU School of Law.