Congress has made a lot of mistakes governing the internet over the years. But the Digital Millennium Copyright Act (DMCA), enacted in 1998, stands above the pack as one of the worst. The age of digital rights management (DRM) it made possible was bad enough in the realm of music and video media. But as manufacturers prepare to extend this regime to a world of connected things, we’re on the cusp of a colossal mistake.

This is, at least according to Cory Doctorow. Speaking at Personal Democracy Forum 2015 on Thursday, he criticized the extension of the “ink jet business model” to the internet of things. Do we really want to have to pay a subscription fee to the manufacturer of every connected device in our home to keep it from shutting down? Especially in a future where life as we know it might not be possible when connected systems fail to keep our homes, cars, and offices cooled, connected, safe, and clean.

Doctorow’s position draws much of its strength from the ethos of the maker movement—that such schemes result in products that are fundamentally “broken out of the box,” and only the valiant, repeated (and usually successful) efforts of hackers to jailbreak them can restore the balance of power between manufacturer and consumer.

Doctorow is fighting an important campaign. Even since I saw the DRM chair, a concept design created by some Swiss students in 2013 that would self-destruct after eight uses, I’ve worried about the coupling of smart infrastructure and these kinds of metering and access control systems.

But I think that things get murkier when the discussion turns to security. Doctorow launched into a scathing critique of the awful provisions of the DMCA that inhibit research on vulnerabilities in DRM schemes—it isn’t just a crime to distribute cracks to rights management encryption, it’s also a crime to distribute any information about potential vulnerabilities. These restrictions have created enormous obstacles to serious and valid academic research.

Now let’s map this over to the internet of things. Now I may be wrong, but it’s one thing for Disney and Sony to stop free culture hacktivists from cracking DVDs; it’s a whole other game if Siemens and GE are stopping engineering professors from exposing holes in the firewall on my power plant. Seeing this in the cards, earlier this year, Doctorow and the Electronic Frontier Foundation launched the Apollo 1201 project (after Section 1201 of the DMCA), which aims to “eradicate DRM everywhere.”

The problem though, is that the consequences of security flaws on the internet of things are much, much higher than anything we faced in the age of Napster. But there aren’t any truly viable schemes for securing the internet of things on the table yet. With a proliferating array of devices, tucked away in every corner of our pockets, our homes, and our cities, with firmware becoming obsolete at various rates, and being probed constantly by an unseen mass of miscreants around the world—even as they sense our most private activities and pull the levers on our most critical infrastructures—this is not something to be taken lightly. If DRM is a part of the toolkit that allows internet of things businesses to bring their products to market in a profitable and responsible manner, despite all of these challenges, we shouldn’t immediately throw out the baby with the bathwater because it didn’t work out the last time around.

No one likes the way DRM currently treats users when they try to
scrutinize and fix its security vulnerabilities—to essentially
consider you as much as an enemy as it would an actual intruder.

But my hunch is that the battle over when fighting DRM does and doesn’t make sense in the internet of things is going to be a lot more complicated than the picture Doctorow paints.

But simply extending the DMCA, crafted in the 1990s by media industry insiders, to the realm of connected objects makes no sense at all. The real question we ought to be asking is, how can we fix the DMCA to make the internet of things work for us instead of against us?