The human race has the ability and perhaps even the innate urge to study its environment, take it apart, and figure out how things work. One might argue it is why we are who we are. Reverse engineering is one expression of this tinkering impulse.
However, when you consider reverse engineering in the field of computers and software, the practice can conflict with legal rules designed to protect intellectual property. While intellectual property law generally recognizes reverse engineering as legitimate, there are some important exceptions that have ramifications for security engineers and professionals. There are three intellectual property rules that may affect your ability to legally reverse engineer: copyright law, trade secret law, and the anti-circumvention provisions of the Digital Millennium Copyright Act.
A fundamental technique used by security researchers is to start from a "known product and working backward to divine the process which aided in its development or manufacture."[9] The Ninth Circuit Court of Appeals has defined reverse engineering in the context of software engineering as:
(1) reading about the program;
(2) observing the program in operation by using it on a computer;
(3) performing a static examination of the individual computer instructions contained within the program; and
(4) performing a dynamic examination of the individual computer instructions as the program is being run on a computer.
So, many methods of reverse engineering pose no legal risk of copyright infringement. However, emulation, decompilation, and disassembly will require at least partial reproduction of the original code. And copyright law protects software. Copyright law grants to the copyright owner certain exclusive rights in the work, even when copies of the item are given away or sold. These rights include: the right to reproduce the work; the right to prepare derivative works; the right to distribute copies of the work; the right to perform the work publicly; and the right to display the work publicly.[10] Thus, some reverse engineering will create infringing copies of a software program.
Two defenses to copyright infringement nonetheless allow the practice of reverse engineering. First, an owner of a copy of a computer program is allowed to reproduce or adapt the program if reproduction or adaptation is necessary for the program to be used in conjunction with a machine.[11] This exception is relatively limited because it applies only to an owner seeking to adapt his own copy of the program. However, it protects some reverse engineering from infringement claims.
The second defense to copyright infringement is fair use: a legitimate owner of a software program is allowed to make fair use of the program. Fair use is defined by a four-factor test, rather than a list of acceptable practices:
The purpose and character of the use, including whether such use is of a commercial nature or is for nonprofit educational purposes;
The nature of the copyrighted work;
The amount and substantiality of the portion used in relation to the copyrighted work as a whole; and
The effect of the use upon the potential market for or value of the copyrighted work.
Reverse engineering is generally recognized as a fair use. While the expressive part of software programs is copyright-protected, function and ideas contained in programs are not. If reverse engineering is required to gain access to those unprotected elements, any intermediate copies made as part of reverse engineering are fair use. Here are some examples:
Reverse engineering is a fair use when "no alternative means of gaining an understanding of those ideas and functional concepts exists."[12]
A Sony competitor could legally copy and reverse engineer the Sony BIOS for Playstation, as part of an effort to develop and sell an emulator that would run Playstation games on a computer.[13]
Regardless, reverse engineering will not protect you from a copyright infringement claim if you are not legitimately in possession of the software, or if you use copyrighted code in your final product. Here are some examples:
The researching company lied to the Copyright Office to get a copy of the source code. The court found this copy was infringing.
Copyrighted code was reproduced verbatim on the competitor's own hard drives to facilitate interoperability. The company could have made copies to understand the software and create its own interoperable program, but the verbatim copies were infringing.
Chips designed to enable display of satellite television services without a subscription did not qualify as a fair use, in part because they contained 86 percent of the copyrighted code. Another consideration was probably that the court did not approve of the product.
Whether reverse engineering is a fair use depends on the facts of the case. Therefore, to ensure that your reverse engineering is protected by fair use, make sure that the program you are working on is legitimately obtained, make intermediary copies as needed in order to understand the program, but do not infringe the program in your final product.
Copies made during reverse engineering should be necessary for figuring out how a program works, and for accessing ideas, facts, and functional concepts contained in the software.
Copies should be intermediate. Do not use copyrighted code in the final product.
Do not steal the copy of the software that you are reverse engineering.
Despite the legal protections for reverse engineering as a fair use, two newer developments threaten to limit this protection. These are trade secret and contract law, and the anti-circumvention provisions of the Digital Millennium Copyright Act (DMCA).
As we saw in Michael Lynn's case, companies sometimes make trade secret claims against security researchers, despite the fact that reverse engineering is specifically protected in both copyright and trade secret law.
One way to understand the relationship between trade secret law and reverse engineering is to view trade secret protection as a prohibition against theft or misuse of certain kinds of information, rather than a rule that says certain information is private property for all purposes. Information may be a trade secret one day, but if the public legitimately learns the information, it ceases to be protected as such. This explains why reverse engineering generally doesn't violate trade secret law. It is a fair and honest means of learning information.
The question becomes more complicated when a EULA or nondisclosure agreement (NDA) prohibits reverse engineering. If a researcher reverse engineers in violation of a legal instrument, is the technique still a fair and honest practice allowed in trade secret law?
Can a EULA or NDA:
Prevent the researcher from raising a fair use defense to a claim of copyright infringement?
Prevent the researcher from claiming fair and legitimate discovery defense in response to a trade secret misappropriation claim?
Subject the researcher to a breach of contract claim if he reverse engineers in contravention of the terms of that document?
The answer to these questions depends on whether the terms of the EULAs or NDAs are enforceable. Even if enforceable, the question remains whether a person who has violated those terms merely breaches the EULA or NDA contract, or actually infringes copyright or misappropriates trade secrets, both more serious claims. Full discussion of this issue is beyond the scope of this chapter. However, I do want to explain some basic contract principles so readers can see the interrelationship with trade secret law.
A EULA purports to be a contract between the vendor and the purchaser. Contract law is based on a mythological meeting of two entities with equal bargaining power that come together and strike a deal in which each gives something to get something. A EULA does not look much like the arm's length negotiation I've just described. Instead, the vendor issues small print terms and conditions that the purchaser sees only when he opens the box, or upon install. The purchaser can then return the product or "accept" the terms. People who've never seen the terms or agreed to them then use the product.
Additionally, companies that want to protect their trade secrets often enter into nondisclosure agreements (NDAs) that regulate how signers will treat source code. This is the only way that a team of people can work on a project and the company can still keep information confidential.
The important thing to note is that researchers may be subject to contractual provisions contained in shrink-wrap, click-wrap, and browse-wrap licenses, and that violation of those provisions in the service of security work could undermine the applicability of legal defenses you would otherwise be able to use.
Perhaps there are some contract terms the law will enforce, and some it will not. One factor may be whether the contracts were truly negotiated or just offered to the public on a take-it-or-leave-it basis. A few cases have ruled that the terms in software mass market licenses are enforceable if the user has an opportunity to view them and accept or return the product at some point prior to use. Thus, even if intellectual property law says you can do something, a court may punish you if a contract says you cannot.
As you can see, it's pretty important to legally possess a copy of the software you are working on and to comply with any promises that you've made in conjunction with obtaining the right to use that software (in a click-wrap, shrink-wrap, browse-wrap, or NDA contract, for example). Failure to do so can result in legal liability, either for breaking the promise or for otherwise legal activities that are no longer protected by IP law.
In my opinion, companies should not use EULAs to terminate the public's right of access to the ideas and functionality of code. We should not depend on the intellectual property rights holder to make socially beneficial decisions about reverse engineering. Once software is out on the market, the vendor should not be able to bind the public at large to a license term that deprives society of the benefits of reverse engineering.
Enforcing terms limiting reverse engineering or controlling dissemination of information obtained by reverse engineering makes sense when the only way the researcher got access to the original code was under an individually negotiated NDA. But even there, restrictions that prevent people from learning about flaws in electronic voting machines or the routers that run the Internet may need to yield to the greater good of public access.
Breaching a contract does not customarily carry the negative connotation that committing a tort or a crime does. The purpose of contract is to smooth out commercial interactions, and walking away from a contract if there is a better deal is part of doing business. Traditionally, breaches could be fixed with money damages sufficient to give the contracting party the benefit of the bargain and punitive damages were not granted. So, it's a bit odd to let a breach of contract translate into trade secret and copyright damages. It is important for you to know that the law will develop further in this area over the next few years. As always, if you recognize a potential grey area, get real legal advice from an attorney.
Section 1201, the anti-circumvention provisions of the DMCA, prohibits circumvention of technological protection measures that effectively control access to copyrighted works and prohibits the distribution of tools that are primarily designed, valuable, or marketed for such circumvention.[14] What this means is that you generally are not allowed to break software locks that control how you use copyrighted materials. There are other parts to the DMCA, including the safe harbor/notice and take down provisions for copyright infringing materials, so to distinguish them from these other sections, I refer to the anti-circumvention provisions as "Section 1201," rather than as the DMCA.
Congress' purpose in passing Section 1201 was to prohibit breaking copyright owners' digital rights management schemes, so that companies would be more comfortable releasing works in digital format. However, the statute prohibits far more than breaking digital rights management; for example, it prohibits circumventing both access and copy controls. As we saw previously in the computer trespass context, access is a broad concept. Any use is deemed access. Thus, Section 1201 prohibits circumvention of technology that controls how customers use digital music, movies, and games.
Some commentators have called Section 1201 para-copyright because it in effect gives copyright owners the ability to control behaviors that the copyright law does not. The copyright law does not assure to the owner the right to control access, but Section 1201 in effect gives owners that right, if they can enshrine their access preferences in a technological protection measure or with digital rights management (DRM) technology.
Because of the broad nature of access and because software is a copyright-protected work, there have been many Section 1201 claims challenging security research or reporting.
In September 2000, Princeton computer science professor Edward Felten and a team of researchers succeeded in removing digital watermarks on music. When the team tried to present their results at an academic conference, the industry group that promoted the watermarking technology threatened the researchers with a DMCA suit.
In October 2003, SunnComm threatened a Princeton graduate student with a DMCA lawsuit after he published a report revealing that merely holding down the Shift key on a Windows PC defeats SunnComm's CD copy protection technology.
In 2002, Hewlett-Packard threatened SNOsoft, a research collective, when they published a security flaw in HP's Tru64 Unix operating system.
In April 2003, educational software company Blackboard, Inc. used a DMCA threat to stop the presentation of research on security flaws in the Blackboard ID card system at the InterzOne II conference in Atlanta.
In 2003, U.S. publisher John Wiley & Sons dropped plans to publish Andrew "bunnie" Huang's book on Xbox modding, describing techniques Huang discovered as part of his doctoral research at M.I.T. Huang eventually self-published the book in mid-2003 and was subsequently able to get the book published by No Starch Press.
Despite the widespread use of the statute in cease-and-desist letters, there have not been many actual court decisions applying it to security research. In advising researchers in this area, then, there are two essential issues to bear in mind: what the statute says and how it has been used.
Theoretically, Section 1201 could be used in many computer trespass situations, effectively supplanting Section 1030 (the Federal law barring intentional transmission without authorization of a software program that causes damage to a computer used in interstate commerce). Any unauthorized access that involves circumvention of a security protocol, and thus allows use of the copyrighted software on a computer, is arguably a 1201 violation. While getting authorization avoids a Section 1030 claim, getting permission is practically much more difficult in a Section 1201 context. Authorization is relatively easy to get when you are penetration testing or doing research on a particular computer system. But when your research is on DRM or other encryption schemes, authorization will not be forthcoming. Who at Sony could you call for authorization to reverse engineer the spyware rootkits they were distributing with each music CD in 2005? Applying Section 1201 in a trespass context is highly problematic, for this and other reasons.
Courts have found the following practices and technologies to be illegal under the anti-circumvention provisions:
Chips that allow the user to run any games or code on the machines without checking for an authentication handshake
A software program that decrypts DVDs
A software program that decrypts Adobe eBooks
Companies that produce interoperable after-market products such as printer cartridges and garage door openers (Lexmark v. Static Control Components[15], Chamberlain v. Skylink[16]) have also faced DMCA suits. Owners use encryption to check that customers are using approved aftermarket products, while competitors circumvent this encryption so that customers can use the products they like, and that circumvention allows customers to operate code inside the printer or garage door opener. Thus, the lawsuit claims that the after-market competitors are circumventing a technological protection measure (encryption) that controls access to (use of) a copyrighted work (code in the printer or garage door opener). In these cases, the competitors have prevailed on the grounds that customers have the right to access code in the machines they've purchased. As more cases are brought, we will see what effect EULAs denying the right to access will have in this area as well as in trade secret law.
In practice, the few DMCA cases on the books suggest that the statute is more likely to be enforced when your research focuses on DRM or other technological protection measures that control access to video games, music, and movies. Researchers in these fields of DRM and applied encryption must be particularly careful because the few research exceptions in Section 1201 that exist are very narrow: reverse engineering, security research, and encryption research.
Congress recognized that the anti-circumvention provisions could prohibit reverse engineering, so it put an exception to the rule in the statute for some kinds of reverse engineering. If you have lawfully obtained the right to use a computer program, you may circumvent and disclose information obtained through circumvention for the sole purpose of creating an interoperable, noninfringing computer program, provided your work falls within these guidelines:
Sole purpose is interoperability
Necessary
Independently created computer program
Not previously readily available to the person engaging in the circumvention
Such acts of identification and analysis are not an infringement
This exception has been read very narrowly. For example, the District Court in the DeCSS case (Universal City Studios v. Reimerdes) held that DeCSS was not protected under the reverse engineering exception because DeCSS runs under both Linux and Windows, and thus could not have been for the sole purpose of achieving interoperability between Linux and DVDs.[17]
The encryption research exception applies only when:
Circumvention is of a technological protection measure that controls access to a copy, phonorecord, a performance, or display of a published work
Necessary
A researcher sought advance permission
Research is necessary to advance the state of knowledge in the field
With a few additional factors, including whether:
Publishing results promotes infringement or advances the state of knowledge or development of encryption technology
The person is a professional cryptographer
The person provides the copyright owner with notice and the research
Finally, the security research exception in Section 1201 says it is legal to access a computer network solely for the purpose of good-faith testing and that correcting a vulnerability, with authorization, is not an infringement or other violation of law. The key factors include whether:
The information is used solely to promote the security of the owner of the tested computer system, or the information is shared directly with the developer of the system.
The information is distributed in a way that might enable copyright infringement or other legal violations.
The statute also says that security tools may be created and disseminated for the sole purpose of performing the described acts of security testing, unless the tool:
Is primarily designed for circumventing;
Has only limited commercially significant purpose other than to circumvent; or
Is marketed for circumvention.
The various offenses, defenses, and factors contributing to defense are pretty complicated. But there are a few points that I can distill from this statutory scheme with which you can try to comply to make it less likely you'll be successfully sued for violating Section 1201.
Do not market for circumventing purposes.
Do not design solely for circumvention.
Seek advance permission if possible, even if you know they will deny you.
Publish in a manner that advances the state of knowledge and does not enable infringement.
Be careful when creating products that allow customers to break the law.
[9] Kewanee Oil Co. v. Bicron Corp. (1974) 416 U.S. 470, 476.
[10] 17 U.S.C. 106.
[11] 17 U.S.C. 117; DSC Communications v. Pulse Communications, 170 F.3d 1354, 1361 (Fed. Cir. 1999).
[12] 977 F.2d 1510 (9th Cir. 1992).
[13] 203 F.3d 596 (9th Cir. 2000).
[14] 17 U.S.C. 1201 (1998).
[15] 387 F.3d 522 (6th Cir. 2004).
[16] 381 F.3d 1178, 1191 (Fed. Cir. 2004).
[17] 111 F.Supp.2d 294, 320 (S.D.N.Y. 2000), upheld on appeal, Universal City Studios v. Corley, 272 F.3d 429 (2d Cir. 2001).