This is a good forum to raise, thanks. Cory and EFF raised this issue last year as well (there were a couple other discussion threads on it). At that time, it was in the context of a covenant EFF proposed attaching to the extension of the relevant working group (in case it sounds familiar to you or anyone). We haven’t engaged on the open letter itself, but when the same issue was raised in that context, we did not ultimately support the attachment of the covenant to the extension.
It’s interesting because, on its face, there is an explicit and permanent exemption for security research in the statute itself. So the problems here aren’t supposed to exist. The question is, how can we make the reality line up with what’s clearly the intention of the law?
I just participated in a Copyright Office roundtable discussion of section 1201 (the relevant portion of US law that prohibits the circumvention of technological protection measures including DRM), and this issue came up. Pam Samuelson from UC Berkeley was at the roundtable as well and gave an impassioned intervention on behalf of security researchers who have been actively chilled in their work by this provision. Our comments with the Copyright Office (filed earlier this year) echoed this point as well - https://blog.mozilla.org/netpolicy/files/2016/03/Mozilla-comments-on-Section-1201-study.pdf
I do believe that this is a real problem, and that there is real interest and political wherewithal to fix it. I believe the Copyright Office, rather than the W3C, is the right starting place for this to make it a lasting and effective solution. The Copyright Office’s report will (hopefully) reflect this and help articulate a path forward for a lasting solution.
Hope that’s helpful.