DMCA § 1201 After the 2024 Rulemaking: Why Bootloader Unlocking Splits Into Two Legal Questions
Unlocking your own device under DMCA § 1201 is one legal question. Shipping the tool that unlocks it is another — and the 2024 triennial rulemaking only moved the first lever.
The Digital Millennium Copyright Act's anti-circumvention regime is one of the busiest fault lines in technology law. Every three years the Librarian of Congress issues new exemptions; every renewal cycle reshapes what users can lawfully do with the devices they own. The 2024 ninth triennial proceeding closed the most recent cycle. For lawyers advising device makers, security researchers, repair shops, or anyone who builds the tools used to unlock consumer hardware, the question now is what actually moved — and where the rule left counsel exposed.
Why § 1201 splits into two laws, not one
The Digital Millennium Copyright Act's anti-circumvention regime is usually described as one rule. It is actually two, and the distinction decides nearly every close question about bootloader work. The statute regulates a user-facing act in one subsection and a supplier-facing trafficking prohibition in another, and the administrative machinery that generates triennial exemptions reaches only the first.
Start with the text. 17 U.S.C. § 1201(a)(1)(A) provides that "no person shall circumvent a technological measure that effectively controls access to a work protected under this title." That is the act prohibition — aimed at the end user who defeats an access control. A separate subsection, § 1201(a)(2), states that "no person shall manufacture, import, offer to the public, provide, or otherwise traffic in any technology, product, service, device, component, or part thereof" primarily designed to circumvent such a measure. Section 1201(b)(1) adds a parallel bar for tools that circumvent measures protecting a right of the copyright owner. Those are the trafficking prohibitions — aimed at whoever builds, hosts, sells, or distributes the means.
The Ninth Circuit treated the distinction as doctrine, not drafting. In MDY Industries, LLC v. Blizzard Entertainment, Inc., 629 F.3d 928 (9th Cir. 2010), the court read § 1201 as creating two functionally distinct claims: § 1201(a) reaches circumvention of access controls, while § 1201(b)(1) reaches trafficking in tools that circumvent copy protections. They share vocabulary and they share a chapter, but they are independent causes of action with independent elements.
The rulemaking authority tracks only one of them. Section 1201(a)(1)(C) directs the Librarian of Congress, on the Register's recommendation, to decide every three years whether users of copyrighted works are adversely affected in their noninfringing uses "by the prohibition under subparagraph (A)" — that is, by § 1201(a)(1). Nothing in the statute authorizes the Librarian to exempt trafficking.
The Copyright Office says as much itself. In its Section 1201 Study, the Register acknowledged that neither she nor the Librarian has authority to recommend or adopt exemptions to the anti-trafficking provisions, and warned that this gap may prevent some users from taking full advantage of the exemptions they actually hold. Everything that follows in this article is a consequence of that admission.
What the 2024 ninth triennial rulemaking actually did
Every exemption under discussion in the current cycle traces to one document: the final rule the Librarian of Congress adopted on October 25, 2024 and published in the Federal Register on October 28, 2024. The rule took effect on its publication date and, by statute, sunsets automatically three years later on October 28, 2027. That three-year window is the shelf life of every exemption discussed below — and the reason counsel should be tracking the tenth triennial docket before the clock runs out.
The Register's posture on renewals was near-total acceptance. The Office received 37 renewal petitions and 11 petitions for new or expanded exemptions, and recommended renewing every previously adopted exemption for which a renewal petition was filed. That preserved the backbone of the prior rule: smartphone jailbreaking, device interoperability, the existing software preservation categories, and the good-faith security research exemption all carried forward without substantive change.
The expansions were incremental and narrowly scoped. The 2024 rule added a new exemption for circumventing access controls on commercial food preparation equipment for diagnosis, maintenance, and repair — a direct response to right-to-repair pressure on embedded systems. The Office also adopted a new exemption covering access to operational and telematics data from motorized land vehicles, marine vessels, and commercial and agricultural vehicles, and expanded the text and data mining research exemption to let researchers at nonprofit institutions share corpora for independent research. None of these moves rewrote the map; each added a specific bucket adjacent to existing categories.
What the Office declined matters as much as what it granted. The most visible denial was the proposed exemption for AI trustworthiness research. The Office concluded that the harms petitioners identified arose from platform terms of service and safety guidelines rather than technological protection measures, and that an exemption therefore "would not resolve or ameliorate the adverse effects being experienced or identified in the petition." The reasoning is worth holding onto: when the gating mechanism is contract rather than a TPM, § 1201 has nothing to say, and the rulemaking will not stretch to cover it. That cautious scoping is the through-line of the 2024 package, and it is the frame through which every bootloader-adjacent question in the next section has to be read.
Where bootloader unlocks actually land on the exemption map
The 2024 rule never names "bootloader unlock" as a regulated activity. It speaks instead in purposes — installing lawful applications, diagnosing a vehicle, repairing a fryer, researching a vulnerability — and ties each exemption to a device class and a specific end-use. Counsel's job is to take a client's fact pattern, find the exemption bucket the device lives in, and test whether the reason for the unlock falls inside that bucket's purpose clause. A bootloader unlock is not in itself exempt or non-exempt; it is exempt only if the use it enables matches a category the Librarian has blessed.
Smartphones, tablets, and the device interoperability class
The renewed smartphone exemption permits circumvention of computer programs on wireless telephone handsets and portable all-purpose mobile computing devices "to allow the device to interoperate with or to remove software applications." That purpose clause is the tether. It authorizes jailbreaking a phone to sideload a lawful app; it does not authorize unlocking a bootloader as an end in itself, and the exemption's purpose clause says nothing about whether carriers may continue to require manufacturers to ship locked bootloaders. The same class was extended in 2024 to reach tablets, smart TVs, voice assistants, routers, and network devices, but each device travels under the same purpose limitation — interoperate with or remove software applications, not modify firmware at will.
This is where the OEM-sanctioned versus exploit-based distinction becomes load-bearing. A "fastboot oem unlock" flow that the manufacturer documents and the EULA contemplates is not really "circumvention" at all — the access control is being used as designed, and § 1201(a)(1) never engages. An exploit-based unlock on a device the manufacturer has deliberately locked is circumvention, and then the question is whether the user's purpose — installing lawfully obtained applications — fits the exemption's purpose clause. If the unlock is aimed at running a custom kernel for its own sake or at defeating DRM on bundled content, the exemption does not reach it.
Vehicles, agricultural equipment, and commercial food prep
Embedded-system unlocks sit in their own buckets, each narrower than practitioners often assume. The 2024 rule added a new exemption for retail-level commercial food preparation equipment for diagnosis, maintenance, and repair, and a separate class permitting access to operational and telematics data on land vehicles, marine vessels, and commercial and agricultural vehicles. Read the verbs: diagnose, maintain, repair, access operational data. None of these authorize unrestricted firmware modification, performance tuning, or removal of manufacturer-imposed feature gates. A bootloader unlock on a tractor ECU to read diagnostic data likely fits; the same unlock to flash a tuned map that increases horsepower likely does not.
Good-faith security research
The security research exemption under 37 C.F.R. § 201.40(b)(7) is broader in subject matter — it reaches any lawfully acquired device or machine — but it is conditioned on four material limits that counsel should treat as checklist items. The device must be lawfully acquired, the work must be solely for good-faith security research, the research must occur in a controlled environment designed to avoid harm to individuals or the public, and the conduct must not violate any other applicable law, including the Computer Fraud and Abuse Act. A researcher who unlocks a bootloader on their own test device to probe a vulnerability, in a lab, without pivoting into live production systems, is squarely inside the exemption. A researcher who ignores any of those conditions is outside it regardless of how pure the research motive.
Right-to-repair expansions track the same pattern. The buckets are growing into embedded systems, but the purpose clauses stay tight — diagnosis, maintenance, repair, operational data — and counsel who read them as general firmware-modification licenses will overshoot. Every bootloader question has to be run through the same two-step: which device class is this, and does the client's actual purpose match the verbs the exemption uses? If the answer to either is uncertain, the user-side analysis is not finished, and the trafficking question in the next section is already waiting.
The trafficking trap: why an exempt act does not bless the tool
Every exemption question the prior section asked was a question about a user. The trafficking question is a question about whoever built, hosted, or sold the thing the user used. The two questions have different answers because the Librarian's authority runs to only one of them. Section 1201(a)(1)(C) lets the Librarian lift the act prohibition for a specified class of users for three years at a time. Nothing in the statute lets the Librarian touch § 1201(a)(2) or § 1201(b)(1). The Copyright Office has said so itself: in its guidance on the rulemaking, the Office acknowledges that circumvention performed by a third party on behalf of another person may run afoul of the trafficking prohibitions, and that the Librarian is not authorized to adopt exemptions to those provisions.
That concession reframes every exemption-use scenario into a single operational question: the user can do it — who built the tool? The answer sorts clients into three very different risk positions. A client who writes a script for their own device, runs it once, and deletes it is doing an act the exemption may cover and trafficking nothing. A client who publishes that script on GitHub, packages it as a one-click installer, or mirrors it on a forum has added distribution, and distribution is what § 1201(a)(2) and (b)(1) police. A client who charges money to unlock other people's devices has built the paradigm case the trafficking bar was written for. Same underlying circumvention, three different statutes in play.
The statute gives prosecutors and plaintiffs three disjunctive doors into liability. Under 17 U.S.C. § 1201(a)(2), a tool is unlawful if it (A) is primarily designed or produced to circumvent, (B) has only limited commercially significant purpose or use other than circumvention, or (C) is marketed by its distributor or someone acting in concert with them for use in circumventing. Any one is enough. Tool authors who assume a legitimate use case insulates them are reading an "and" where the statute wrote "or". Marketing copy alone — a landing page that promises to "unlock any phone" — can satisfy prong (C) even if prongs (A) and (B) would fail.
The narrowest defensible corridor for tool vendors remains the Federal Circuit's decision in Chamberlain Group, Inc. v. Skylink Technologies, Inc., 381 F.3d 1178 (Fed. Cir. 2004). Chamberlain requires a trafficking plaintiff to show both that the tool enables conduct the device owner did not authorize and that there is a reasonable nexus between the circumvention and a right the copyright owner is actually entitled to protect. Skylink's universal garage-door remote survived because Chamberlain had never told customers they could not use third-party transmitters, and the nexus to any protected copyright interest was missing. For a tool vendor whose users are doing something the device maker tolerates — sideloading lawful apps on a device the OEM ships with an unlock command — Chamberlain is the theory to build the record around.
Counsel should be honest about how narrow that corridor is. The Ninth Circuit rejected Chamberlain's nexus requirement for § 1201(a) claims in MDY Industries, LLC v. Blizzard Entertainment, Inc., 629 F.3d 928 (9th Cir. 2010), treating anti-circumvention as a right distinct from traditional copyright. A tool distributed into or across the Ninth Circuit loses the nexus defense for access-control claims entirely. And modern district courts continue to reach tool operators under the three-prong test: in late 2022, Judge Underhill dismissed Yout, LLC's declaratory judgment action against the RIAA — Yout, LLC v. RIAA, No. 3:20-cv-01602 (D. Conn. 2022) — after concluding Yout had not plausibly shown its YouTube-ripping service did not circumvent YouTube's technological protection measures. Yout is not a bootloader case, but it is the closest modern analog for how a court looks at a general-purpose tool with a circumvention-adjacent function, and the answer was not friendly to the tool's author.
The First Amendment overhang: Green v. DOJ still matters
Yout asked whether a particular tool crossed the trafficking line. Green v. U.S. Department of Justice asks whether the line itself can constitutionally be drawn where Congress drew it. The two questions sit on top of each other in any bootloader matter that involves published code or research output, and counsel who advise tool authors need to understand where the constitutional argument currently stands — and, more importantly, where it does not.
The case began on July 21, 2016, when EFF and Wilson Sonsini filed suit on behalf of Dr. Matthew Green, a cryptographer and security researcher at Johns Hopkins, and Dr. Andrew "bunnie" Huang. The complaint challenged § 1201's anti-circumvention and anti-trafficking provisions on First Amendment grounds, both facially and as applied to the plaintiffs' specific projects — Green's research into device security, Huang's planned hardware tool for accessing high-definition video. The two plaintiffs map almost perfectly onto the audience this article is written for: a researcher and a tool author, each pinned by a different half of § 1201.
The case has bent toward the government on appeal. In its August 2, 2024 decision in Green v. U.S. Department of Justice, No. 23-5159, the D.C. Circuit affirmed dismissal of the facial First Amendment challenge, holding that § 1201's anti-circumvention and anti-trafficking provisions regulate conduct rather than speech — circumventing an access control and selling a device that does so are non-expressive acts, in the panel's view — and rejecting the argument that the Librarian's exemption process operates as an unconstitutional prior restraint. By the time of the appeal, the plaintiffs had already abandoned their as-applied challenges and pressed only the facial overbreadth and prior restraint theories, so the panel's reasoning addressed only the facial posture. The as-applied corridor was not closed; it was simply not before the court.
That distinction matters because the as-applied theory had real traction below. In earlier district court rulings, the court let parts of the as-applied challenge proceed on the theory that § 1201 interfered with First Amendment-valid work the plaintiffs intended to perform, before later developments — a security research exemption that mooted Green's claim and a finding that Huang's proposed device would likely enable widespread piracy — narrowed the live dispute. Researcher-plaintiffs and tool-author-plaintiffs face very different trajectories under that record, and the 2024 facial ruling did nothing to disturb either side of it.
No petition for rehearing en banc, certiorari grant, or 2025 Supreme Court order has surfaced as of this writing, and counsel should treat the 2024 D.C. Circuit decision as the current published endpoint. EFF's continuing posture, captured in its 2022 commentary on the prior ruling, is that the courts have refused to engage either the facial speech challenge or most of the speech harms § 1201 inflicts, and have wrongly classified the statute as content-neutral. That tension — code as speech, circumvention as conduct — is unresolved, and security research tooling is the front where it will keep being litigated.
The operational lesson is narrow and unromantic. A client cannot plan around Green; the facial challenge has failed in the D.C. Circuit and the government's rhetorical anchor — this is conduct, not speech — is now fortified. What a client can do is plan defensively as though an as-applied challenge might one day succeed: preserve research notebooks, peer-review correspondence, threat models, and interoperability rationales that frame the work as expression, scholarship, or lawful interoperation rather than mere bypass. Constitutional uncertainty is a brick to throw in litigation posture, not a shield for prospective conduct.
A practical framework for counsel: OEMs, researchers, and repair shops
The doctrine matters because it produces different checklists for different clients. A bootloader matter walks through the door wearing one of four hats — OEM, researcher, repair shop, open-source author — and each hat changes which subsection of § 1201 is doing the work and which record needs to exist before anyone is asking questions. The framework below is organized by client type because that is how the conversations actually start.
OEM in-house counsel
The work here is to draw and document the boundary between sanctioned unlock paths and user-side circumvention. Chamberlain v. Skylink turned on the absence of an explicit restriction — the unconditional sale was read to authorize what the EULA did not forbid. Extrapolating from that authorization-nexus reasoning, a clearly drafted EULA paired with an officially supported unlock flow should help keep the OEM's own customers' conduct outside § 1201(a)(1) and preserve the company's authorization-nexus argument against any third party who builds a tool around the sanctioned path. Treat the unlock program and the license terms as one document.
Security researcher
Pin the work to the four conditions of 37 C.F.R. § 201.40(b)(7) and keep the evidence current: lawfully acquired devices, solely good-faith research, controlled environment, no other-law violations including the CFAA. These read as factors but operate as elements. A contemporaneous lab notebook, acquisition receipts, and a written test plan are the artifacts a defense lawyer will need on day one of any inquiry.
Repair shop
The 2024 vehicle, agricultural, and commercial food-prep exemptions cover the act performed on the customer's device. They do not cover building, packaging, or selling the tool used to perform it. The Copyright Office's own guidance is explicit that circumvention performed by a third party on behalf of another may run afoul of the trafficking prohibitions, which the Librarian cannot exempt. Service the device in-shop using tools the shop did not productize; do not hand customers a USB stick on the way out.
Open-source tool author
This is the riskiest seat in the room. Public distribution implicates all three trafficking prongs of § 1201(a)(2) — primary design, limited other commercial use, and marketing — and the Ninth Circuit's MDY decision removed Chamberlain's authorization-nexus defense for access-control claims in that circuit. Counsel should work the variables that remain: hosting jurisdiction, README and marketing language that does not advertise circumvention, a documented non-circumvention use case substantial enough to defeat prong (B), and a clear-eyed conversation about which user populations the project is willing to serve.
All clients: calendar October 28, 2027
Every exemption discussed in this article expires on that date unless the tenth triennial rulemaking renews it. Notice-of-inquiry and comment cycles in prior proceedings have run well in advance of the sunset, so a docket watch beginning in 2026 is the prudent posture. Treat continuation as a live risk, not a presumption, and revisit any compliance program built on the 2024 rule before the sunset hits.