Battle brews over reverse engineering

Recent court decisions limiting developers' rights to reverse-engineer software products have sparked an outcry by critics who say these actions could severely limit developers and users trying to interoperate or find flaws in commercial software.

U.S. judges have recently ruled that unauthorized re-engineering of the digital video disc playback system and a Web filtering program called CyberPatrol violated copyright and trade-secret laws.

Reverse engineering is also forbidden by many shrink-wrap license agreements. This restriction will likely be strengthened by the Uniform Computer Information Transactions Act (UCITA), which gives vendors powerful leverage in contract negotiations.

While some software vendors and content owners insist these decisions strengthen intellectual property protections, developers and system administrators argue they are losing the right to use products as they wish.

"Clearly, if we are not allowed to reverse-engineer the software that we didn't buy but are most graciously allowed to 'license' by agreeing to an arbitrary contract, then we have no control over what software is running on the computers we own," said Ian Goldberg, chief scientist at Zero-Knowledge Systems Inc. in Montreal. "Bugs, security holes or worse, explicit back doors, might be undetected, but only talked about within the bad guys' community. Publicly disclosing the information would be illegal."

Fair-use provisions in the copyright laws that permit reverse engineering have spurred the development of software that competes with proprietary applications such as Microsoft Word and Excel. For example, San Jose-based Phoenix Technologies Ltd.'s reverse engineering of IBM's BIOS in the mid-1980s became the basis for the entire PC clone industry.

During the annual Computers, Freedom and Privacy conference held last month in Toronto, Jessica Litman, Professor of Law at Wayne State University in Detroit, Mich., said controversial court decisions are rapidly eroding the "fair use" provisions that traditionally permitted unauthorized use of software for the purpose of reverse-engineering. The provision allows developers to disassemble and decompile a program and use what they learned to create and sell an interoperable or competing program as long as it doesn't infringe on the original code.

While Congress made exceptions in the 1998 Digital Millennium Copyright Act for interoperability development and security testing, these exceptions have been overridden in favor of anticircumvention provisions and trade secrecy laws.

But Pamela Samuelson, a professor at the School of Information Management and Systems at the University of California at Berkeley, said the ruling is unprecedented because defendants in the DVD CCA case hadn't violated the shrink-wrap license. "If you have gotten information from somebody that the judge decides was a misappropriation of trade secrets, you are a trade-secret appropriator even if you legitimately bought this stuff," said Samuelson. "If the judge decides that somewhere out there in the chain of the development was a trade-secret appropriation, then the decision would say that you are an appropriator too, and how would you know?"

In March, the copyright wars continued when El Segundo, Calif.-based Mattel Inc. sued a Swede and a Canadian who reverse-engineered the CyberPatrol Web filtering program, producing two software utilities, known as cphack, that revealed the parent's password and displayed a list of blocked sites. Mattel argued that the reverse engineering was illegal because it was prohibited by the software's shrink-wrap license. A judge sided with Mattel, and the company issued e-mail subpoenas against mirror sites that posted the software.

Richard Smith, a former developer at Cambridge, Mass.-based Phar Lap Software Inc., who now evaluates software for privacy holes, said UCITA gives companies legal backing to enforce reverse-engineering bans in shrink-wrap licenses that might not otherwise be enforceable. "Maybe the data files are encrypted not for protection but to keep competitors away from the data as a useful monopoly tool," he said.

Meanwhile, some developers are moving their reverse-engineering projects offshore to avoid U.S. rules.

"There are rather insane laws in the U.S. about reverse engineering, and so we sidestepped those by having the work done in Europe under the European Union fair-use laws," said Jeremy Allison, a software developer at VA Linux Systems Inc. in Sunnyvale, Calif. Allison co-authored Samba, a Windows file-serving program that allows Unix machines to serve file-and-print services to Windows clients.

Allison said his team is forced to reverse engineer because Microsoft doesn't offer documentation of its proprietary protocols. But when the Samba team decoded the Microsoft domain controller protocol to allow Samba servers to interoperate with Windows NT, they made sure the work took place outside the U.S.

"If the laws continue the way they are, the U.S. software industry will get strangled by the increasing amount of restriction on reverse engineering," Allison said.

Copyright © 2000 IDG Communications, Inc.