Exception for Law Enforcement and Intelligence Activities. The DMCA permits circumvention for any lawfully authorized investigative, protective, or intelligence activity by or at the direction of a federal, state, or local law enforcement agency, or of an intelligence agency of the United States.8
Encryption Research Exception. Recognizing the need to improve the ability of copyright owners to prevent the theft of their copyrighted works, Congress provided an encryption research exception intended to advance the state of knowledge in the field of encryption technology and to assist in the development of encryption products.9 Circumvention in the course of a good faith encryption research may be allowed if the following conditions are met;
the researcher lawfully obtained the copyrighted work;
circumvention is necessary for the encryption research; the researcher made a good faith effort to obtain authorization from the copyright owner before the circumvention; and
circumvention is otherwise permissible under the applicable laws.10
In addition to the above factors, the DMCA directs the court to consider three other factors:
whether the information derived from the research was disseminated to advance the knowledge or development of encryption technology or to facilitate infringement;
whether the researcher is engaged in a legitimate course of study, is employed, or is appropriately trained or experienced in the field of encryption technology; and
whether the researcher timely notifies the copyright owner with the findings and documentation of the research.11
Furthermore, a person may develop and employ or provide to his collaborator technological means to circumvent for the sole purpose of performing acts of good faith encryption research.
Security Testing Exception. In addition to the encryption research exception, the DMCA provides another exception for information security activities. The security testing exception permits circumvention conducted in the course of security testing if it is otherwise legal under applicable law.12 Security testing is defined as obtaining access, with proper authorization, to a computer, computer system, or computer network for the sole purpose of testing, investigating or correcting a potential or actual security flaw, or vulnerability or processing problem.13 In determining whether this exception is applicable, the DMCA requires the court to consider whether the information derived from the security testing was used solely to improve the security measures or whether it was used or maintained so as not to facilitate infringement.14 The DMCA also permits the development, production or distribution of technological means for the sole purpose of performing permitted acts of security testing.15
Exception Regarding Minors. To alleviate concern that the DMCA might inadvertently make it unlawful for parents to protect their children from pornography and other harmful material available on the Internet, the DMCA permits the manufacture of a circumvention component whose sole purpose is to assist parents in preventing access of minors to objectionable material, provided that the component is included in a product which does not itself violate the provisions of Title I.