From today, it's OK in the US to thwart DRM to repair your stuff – if you keep the tools a secret

Selling toolsets is a no-no, distributing them for free a gray area

Analysis This week the US Copyright Office ruled it's OK for Americans to break anti-piracy protections in a bunch of home and personal devices, and vehicles, in the course of fixing or tinkering with said equipment.

Mechanisms put in place to thwart unauthorized repairs or changes – such as firmware code that disables third-party replacements – can be legally circumvented to fix or adapt – deep breath – smartphones, tablets, smartwatches, routers and other wireless hotspots, digital personal assistants, and cars, trucks and tractors.




Up until now manufacturers have tried to lock out unofficial repairs for various reasons: partly to stop people fitting dodgy or backdoored replacements, and mostly to ensure customers fork out for official expensive parts and services.

DRM is also used to ensure people use only official printer ink cartridges or ground coffee beans.

Circumventing these restrictions can result in deliberately bricked devices, accusations of copyright violations, and lawsuits, because DRM has the DMCA – the Digital Millennium Copyright Act – as its protector.

The new rules protecting people carrying out repairs, jail-breaking their Amazon Alexas, or poking around for security flaws, come into effect in America today, Sunday, October 28.

At first glance, the rules look like a positive step. However, there are caveats you should be aware of.

There's always a catch

The main thing is that while you yourself can develop the software or hardware tools needed to circumvent the DRM, you can't sell or seemingly distribute these toolkits. Thus, someone can pay you to circumvent the protections to carry out a repair on their behalf, but you can't share how you did it.

"The ruling only granted use exemptions, but not tools exemptions," Cory Doctorow, a special adviser to the Electronic Frontier Foundation (EFF) and novelist, explained to The Register on Friday.

"Effectively the statute envisions you will make your own tools. It's completely bonkers and unrealistic."

It could also lead to people downloading what they think are newly legal repair tools that are actually spyware or some other malicious applications, Doctorow added.

"This means people will end up downloading tools that are illegal. If there's going to be no legal aboveground tools market, you don't know what you are getting. People could unknowingly be adding malware to their systems."

And, yes, even if you give away the knowledge to crack DRM as free or open-source materials, you're not in the clear, it appears. You can't "traffic" your toolkits: this means distributing them as open-source or free downloads is a gray area.

"The tool ban potentially includes open source tools – the laws are written quite broadly," Mitch Stoltz, senior staff attorney at the EFF, told El Reg. "The law says it's illegal to traffic these tools, which covers manufacturing and selling them, and potentially also teaching people about how to make and use them."

The situation is also not great for security researchers. While the legal update from the Copyright Office gave a green light to those probing products, they seemingly aren't allowed to share how they broke something's digital defenses. That's going to limit what vulnerability research can be peer-reviewed and published.


Stoltz did give the Copyright Office credit for listening to arguments for and against the anti-piracy mechanisms, and for streamlining the process to at least reach this point. He also pointed out that, once exemptions have been granted, the office tends to not rescind them, though that isn't guaranteed.

"The Copyright Office is a political football," Doctorow explained. "Some politicians want to bring it out of the administrative branch of government and make it the responsibility of Congress instead. That would give lobbyists a lot more power over proceedings. If the copyright office were to be ripped out of the Library of Congress then you could expect a more draconian regime as a result."



The simplest solution is simply to strip DRM of its legal protections altogether, Doctorow posited. That would mean outsmarting anti-piracy mechanisms within products is no longer a violation of the law. It's a goal he has said he'd like to achieve by 2025, though that timeline is aspirational. However, it may come around even more quickly than that, thanks to an ongoing court case in Washington DC.

The lawsuit, Green v US Department of Justice, was brought by Dr Matthew Green, assistant professor at the Johns Hopkins Information Security Institute, and computer scientist and hardware hacker Dr Bunnie Huang. In it, they are challenging section 1201 – the set of limitations and exemptions on circumventing DRM – on constitutional grounds, arguing it breaks the First Amendment.

The case is stalled in the courts, though there are signs of hope that it could be moving forward, Doctorow said. If successful, it would be a massive boost for the right to repair, but you can bet the case will be fought all the way to the US Supreme Court. ®
