Page:United States Statutes at Large Volume 112 Part 5.djvu/111

 PUBLIC LAW 105-304—OCT. 28, 1998 112 STAT. 2869 "(B) in the normal course of its operation, the technological measure, or the work it protects, collects or disseminates personally identifying information about the person who seeks to gain access to the work protected, without providing conspicuous notice of such collection or dissemination to such person, and without providing such person with the capability to prevent or restrict such collection or dissemination; "(C) the act of circumvention has the sole effect of identifying and disabling the capability described in subparagraph (A), and has no other effect on the ability of any person to gain access to any work; and "(D) the act of circumvention is carried out solely for the purpose of preventing the collection or dissemination of personally identifying information about a natural person who seeks to gain access to the work protected, and is not in violation of any other law. " (2) INAPPLICABILITY TO CERTAIN TECHNOLOGICAL MEASURES. —This subsection does not apply to a technological measure, or a work it protects, that does not collect or disseminate personally identifying information and that is disclosed to a user as not having or using such capability. " (j) SECURITY TESTING.— "(1) DEFINITION. —For purposes of this subsection, the term 'security testing' means accessing a computer, computer system, or computer network, solely for the purpose of good faith testing, investigating, or correcting, a security flaw or vulnerability, with the authorization of the owner or operator of such computer, computer system, or computer network. "(2) PERMISSIBLE ACTS OF SECURITY TESTING. —Notwithstanding the provisions of subsection (a)(1)(A), it is not a violation of that subsection for a person to engage in an act of security testing, if such act does not constitute infringement under this title or a violation of applicable law other than this section, including section 1030 of title 18 and those provisions of title 18 amended by the Computer Fraud and Abuse Act of 1986. "(3) FACTORS IN DETERMINING EXEMPTION. —In determining whether a person qualifies for the exemption under paragraph (2), the factors to be considered shall include— "(A) whether the information derived from the security testing was used solely to promote the security of the owner or operator of such computer, computer system or computer network, or shared directly with the developer of such computer, computer system, or computer network; and "(B) whether the information derived from the security testing was used or maintained in a manner that does not facilitate infringement under this title or a violation of applicable law other than this section, including a violation of privacy or breach of security. "(4) USE OF TECHNOLOGICAL MEANS FOR SECURITY TEST- ING. —Notwithstanding the provisions of subsection (a)(2), it is not a violation of that subsection for a person to develop, produce, distribute or employ technological means for the sole purpose of performing the acts of security testing described

�