The next question is whether the prohibition is causing an adverse effect on such noninfringing uses. The record is essentially limited to SecuROM and SafeDisc. The evidence relating to SecuROM tends to be highly speculative, but Professor Halderman asserted that this situation has been crying out for an investigation by reputable security researchers in order to rigorously determine the nature of the problem that this system causes, and dispel this uncertainty about exactly what’s going on. He believed that the prohibition on circumvention is at least in part to blame for the lack of rigorous, independent analysis.
In contrast to SecuROM, SafeDisc has created a verifiable security vulnerability on a large number of computers. Opponents of the proposed class did not dispute that SafeDisc created a security vulnerability, but they argued that the security flaw was patched by Microsoft in 2007, without the need of an exemption. However, SafeDisc was preloaded on nearly every copy of Microsoft’s Windows XP and Windows 2003 operating systems and was on the market for over six years before a security researcher discovered malware exploiting the security vulnerability. The vulnerability had the capacity to affect nearly one billion PCs.
The record supports the conclusion that since the 2006 rulemaking, substantial vulnerabilities have existed with respect to video games, certainly with respect to SafeDisc and possibly with respect to SecuROM. Within the same class of works, security researchers have proposed investigation of unconfirmed allegations of security vulnerabilities on another technological protection measure (SecuROM) that protects access, but have expressed unwillingness to do so without clear legal authority. Aggregating the evidentiary record, the proponents have shown that they need to be able to fix flaws that are identified in this class of works and they need to be able to investigate other alleged security vulnerabilities in this class.
Opponents argued that there may be no need to designate a class in this proceeding because circumvention may already be excused pursuant to Section 1201(j), which provides an exemption for security testing. However, the Register has concluded, as she did three years ago, that it is unclear whether Section 1201(j) applies in cases where the person engaging in security testing is not seeking to gain access to, in the words of Section 1201(j), “a computer, computer system, or computer network.” Therefore, it is appropriate to designate a class of works in this proceeding.
Section 1201(j) does, however, influence both the decision to recommend designation of a class and the decision on how to fashion the class. Section 1201(j) is evidence of Congress’s general concern to permit circumvention under appropriate circumstances for purposes of security testing, and it also is evidence of the conditions Congress believes should be imposed on those who take advantage of an exemption for security testing. Accordingly, the Register recommends that the Librarian designate a class of video games protected by access controls, when circumvention is done for the purpose of good faith testing for, investigating, or correcting security flaws or vulnerabilities. Further refinements to the class include a requirement that the information derived from the testing be used primarily to promote the security of the owner or operator of a computer, computer system, or computer network; and a requirement that that information be used or maintained in a manner that does not facilitate copyright infringement or a violation of applicable law.
E. Computer programs protected by dongles that prevent access due to malfunction or damage and which are obsolete. A dongle shall be considered obsolete if it is no longer manufactured or if a replacement or repair is no longer reasonably available in the commercial marketplace.
Three years ago, the Librarian designated the above-referenced class of works, which is similar to classes of works designated in each of the previous rulemakings. In the current proceeding the proponent of that class, Joseph V. Montoro, Jr., on behalf of Spectrum Software, Inc., has proposed an expanded class of works related to dongles. Dongles are a type of hardware that attach to either the printer port or the USB port of a computer in order to make secured software function. Montoro stated that dongles are sold along with certain types of software and are necessary for the user to access that software on a computer. He further explained that in order for the dongle to operate properly, the operating system must support the hardware and the required device driver must be installed. Montoro submitted that there are four situations where an exemption is necessary to rectify actual harm: (1) when dongles become obsolete; (2) when dongles fail; (3) where there are incompatibilities between the dongle and the operating system; and (4) where there are incompatibilities between the dongle and certain hardware. Montoro had stressed that his proposal is as much about the computer ecosystem as it is about dongles in particular. He said that it is important to realize that the dongle, the operating system software and the computer hardware work in tandem and that the proposed class necessarily covers all of these parts.
Representatives of the computer software industry stated that they do not oppose renewing the existing class of works, but object to expanding it beyond its current terms.
As in 2006, the Register finds that the case has been made for designation of a class of works protected by dongles. Montoro has effectively met his burden of proof for a class relating to dongles that are malfunctioning or damaged and that are obsolete, a point on which there is no disagreement in the record. When the dongle no longer functions and is obsolete, there is a substantial adverse effect on noninfringing uses because there is no other means to access the lawfully acquired software. When a dongle malfunctions or becomes obsolete, a person lawfully entitled to access the software should be able to rely on self-help if remedial measures are not reasonably available in the commercial marketplace. Moreover, the record reveals no evidence of harm to the market for, or value of, copyrighted works protected by dongles since the designation of the original class of works in 2000.
The class, however, should not include cases where a replacement dongle is reasonably available or can be easily repaired. Some copyright owners legitimately use dongles to control access to a computer program by unauthorized users and are entitled to the full benefit of the prohibition as long as reasonable accommodations are offered for malfunctioning or damaged dongles.
Montoro has not demonstrated that the standard previously applied, “reasonably available in the marketplace,” is insufficient to meet the needs of users of copyrighted works whose dongles malfunction or are damaged.
Montoro also argues that the current class should be expanded to reach situations involving incompatibility between the dongle and a new or upgraded version of an operating system. The Register finds that he has failed to submit cogent evidence to support an expanded class in this context. A sufficient record would require more detail about the precise cause of the problems, the scope of the problem, and the noninfringing means available to resolve the problem.
The evidence presented in the record also does not support Montoro’s request to expand the class in relation to obsolete hardware, specifically parallel ports on computers. While it appears to be the case that parallel ports may be obsolescent, there is insufficient evidence in the record to support the conclusion that parallel ports are currently, or in the next three years will be, obsolete. In order to make a case for an expanded class in relation to obsolete hardware, Montoro would have to demonstrate that the hardware is, or is likely to be, obsolete in the next three-year period (either as a preinstalled item or as an optional configuration), that the unavailability of this obsolete hardware would adversely affect noninfringing uses, and that copyright owners are not meeting the legitimate needs of existing users.
IV. Other Classes Considered, but Not Recommended
A. Subscription based services that offer DRM-protected streaming video where the provider has only made available players for a limited number of platforms, effectively creating an access control that requires a specific operating system version and/or set of hardware to view purchased material; and Motion pictures protected by anti-access measures, such that access to the motion picture content requires use of a certain platform.
Two proposals sought designation of classes of works that would allow circumvention of technological protection measures in order to provide access to motion pictures on platforms other than those authorized by content providers or their licensees.
Megan Carney proposed a class of works in order to allow circumvention of DRM-protected streaming videos offered by subscription based services, where the provider has made players available only for a limited number of platforms. She argued that this restriction of viewing options effectively constitutes an access control by requiring a specific operating system version and/or set of hardware to view purchased material. She sought to use Netflix’s Watch Instantly streaming video feature, which installs digital rights management and runs only on certain platforms of computer software and hardware. Watch Instantly is included, at no charge, in the monthly Netflix membership, but Carney said that she is unable to use it because she does not own a computer that operates on a compatible platform (PCs running Windows or Apple computers with Intel chips). Carney proposed that the Librarian designate a class of works in order to allow a user in her situation to create a separate program to circumvent the DRM on the streaming service system in order to view streaming video content made available by Netflix.