“This ‘access control’ rule is supposed to protect against unlawful copying,” said EFF staff attorney Kit Walsh. “But as we’ve seen in the recent Volkswagen scandal – where VW was caught manipulating smog tests – it can be used instead to hide wrongdoing hidden in computer code. We are pleased that analysts will now be able to examine the software in the cars we drive without facing legal threats from car manufacturers.”
Walsh expressed disappointment the exemption would not come into force for another year. There may also be a limitation on what tinkerers can do, as the exemption does not allow for modification of “computer programs primarily designed for the control of telematics or entertainment systems for such vehicle”, though security researchers should still be allowed to poke holes in them.
“This is a significant step forward for security research and acknowledges the value research plays in protecting consumers from risk of harm. There is still more work to be done – for example the exemption is limited in its application, and the Computer Fraud and Abuse Act still presents many challenges – but this represents an important shift in the discussion around security research at the Government level,” added Jen Ellis, vice president of community and public affairs at Rapid7, and one of the campaigners for the exemption.
“We look forward to continuing to collaborate with both Congress and the administration to build even greater understanding of, and protections for, security research.”