Mexico's new copyright law was rushed through its Congress without debate or consultation, copy-pasting the US copyright system into Mexican law as though America's system was working perfectly.
https://www.eff.org/deeplinks/2020/07/mexicos-new-copyright-law-puts-human-rights-jeopardy
1/
https://www.eff.org/deeplinks/2020/07/mexicos-new-copyright-law-puts-human-rights-jeopardy
1/
The law poses grave risks to Mexicans' human rights, especially (and most obviously), their right to free expression.
https://www.eff.org/deeplinks/2020/07/how-mexicos-new-copyright-law-crushes-free-expression
2/
https://www.eff.org/deeplinks/2020/07/how-mexicos-new-copyright-law-crushes-free-expression
2/
But perhaps even more urgent is the impact this law will have on the Mexicans' cybersecurity: the security of their devices and thus the integrity of their data and even their personal safety:
https://www.eff.org/deeplinks/2020/07/mexicos-new-copyright-law-cybersecurity-and-human-rights
3/
https://www.eff.org/deeplinks/2020/07/mexicos-new-copyright-law-cybersecurity-and-human-rights
3/
The new law imports the USA's "anti-circumvention rule" - a rule that makes it both a criminal and civil matter to tamper with the "technical protection measures" that restrict access to a device, even if it's your device, and even if you're not infringing copyright.
4/
4/
This law has been a serious impediment to independent security audits - when a researcher investigates the devices we're using, to ensure that they aren't leaking our data or exposing us to risk - say, by allowing hackers to send lethal shocks to our implanted pacemakers.
5/
5/
That's because security testing often involves bypassing a TPM to get at the device's internals, and the output of those tests is often "proof of concept" code, which incontrovertibly demonstrates the defects, overriding any denials from the manufacturer.
6/
6/
Both of these run afoul of both US and (new) Mexican copyright law, and since the only way to determine whether a system is secure is to subject it to independent scrutiny, this leaves devices vulnerable to serious attacks with real consequences.
7/
7/
Mexicans have direct experience with this. Pegasus, a digital weapon sold by the arms dealer NSO Group, was used to attack independent journalists, anti-sugar campaigners, and even young children:
https://threatpost.com/pegasus-spyware-targets-investigative-journalists-in-mexico/139424/
8/
https://threatpost.com/pegasus-spyware-targets-investigative-journalists-in-mexico/139424/
8/
The same weapons were implicated in the Saudi kidnapping, murder and dismemberment of Jamal Khashoggi; they rely upon lingering security defects in devices that the arms dealers exploit and sell to dictators and wealthy thugs.
9/
9/
Like the US law, the Mexican law contains an "exemption" for security research; in fact, it is nearly a verbatim translation of the US clause. That exemption is entirely useless. How useless? In 22 years, no one in the USA has ever managed to use it.
10/
10/
And in case there was any doubt, the US Copyright Office has officially acknowledged the insufficiency of this exemption and has created larger, more explicit carve outs (that are still insufficient).
11/
11/
The US law lets the Copyright Office make these changes; the Mexican law not only does not define a process for fixing these overreaches, it's also starting without the USA's 22 years' worth of exemptions.
12/
12/
No nation can afford to tie the hands of cybersecurity researchers. Mexico's lawmakers could have easily written a law that accommodated security - all they'd have had to say was, "None of this applies unless you're infringing someone's copyright." They didn't.
13/
13/
Now it's down to the National Commission for Human Rights, which has until Jul 31 to announce that it is reviewing the law. If you are in Mexico or are Mexican, here's a petition to the Commission:
https://participa.nicensuranicandados.org
eof/
https://participa.nicensuranicandados.org
eof/