Reverse Engineering and the Law: Understand the Restrictions to Minimize Risks
“To ensure you steer clear of any legal risk of reverse engineering, it should be performed only to the extent of allowances, such as for accessing ideas, facts, and functional concepts contained in the product.”
Fundamental to building and executing any successful patent licensing program is the ability to find and prove evidence of infringement, often through reverse engineering methods. A product is purchased and deconstructed to understand how it was built, how it works and what it is made of. The process of reverse engineering usually involves multiple types of analysis; which type of reverse engineering to apply is determined by the type of technology and the industry in which the patented invention is being used.
Intellectual property law does not discourage innovators from dismantling the inventions of their competitors, whether the technology is software, electronic, chemical, or mechanical. But there are still limits on how the results of a reverse engineering effort can be exploited.
Done correctly, there is nothing wrong with reverse engineering, and it is not considered an “improper means” of gathering information, as defined by the Defend Trade Secrets Act (DTSA). Still, there are numerous unlawful ways to go about reverse engineering of which innovators who feel their work has been unethically obtained should be aware.
Legal Doctrines Relating to Reverse Engineering
Copyright law (17 U.S. Code § 1201 (f))
Trade secret law
The anti-circumvention provisions of the DMCA (17 U.S. Code § 1201)
Contract laws (EULAs, TOS, TOU, and NDA)
Electronic Communication Privacy Act (ECPA)
17 U.S. Code § 1201 (f) Reverse Engineering
1. Notwithstanding the provisions of subsection (a)(1)(A), a person who has lawfully obtained the right to use a copy of a computer program may circumvent a technological measure that effectively controls access to a particular portion of that program for the sole purpose of identifying and analyzing those elements of the program that are necessary to achieve interoperability of an independently created computer program with other programs, and that have not previously been readily available to the person engaging in the circumvention, to the extent any such acts of identification and analysis do not constitute infringement under this title.
2. Notwithstanding the provisions of subsections (a)(2) and (b), a person may develop and employ technological means to circumvent a technological measure, or to circumvent protection afforded by a technological measure, in order to enable the identification and analysis under paragraph (1), or for the purpose of enabling interoperability of an independently created computer program with other programs, if such means are necessary to achieve such interoperability, to the extent that doing so does not constitute infringement under this title.
3. The information acquired through the acts permitted under paragraph (1), and the means permitted under paragraph (2), may be made available to others if the person referred to in paragraph (1) or (2), as the case may be, provides such information or means solely for the purpose of enabling interoperability of an independently created computer program with other programs, and to the extent that doing so does not constitute infringement under this title or violate applicable law other than this section.
4. For purposes of this subsection, the term “interoperability” means the ability of computer programs to exchange information, and of such programs mutually to use the information which has been exchanged.
Copyright law provides a way out, especially for software developers. Even if software is patentable, a developer may not want to go through the expense of an uncertain patent process. In this case, copyright provides an alternative avenue for limiting a competitor’s ability to exploit reverse engineered software. Copyright automatically applies to every original work of authorship, including software code. Among other things, a copyright owner has exclusive rights to the reproduction and distribution of the protected work and these rights extend to the entire work as well as its constituent parts. Reverse engineering of software often involves reconstruction of code where a reconstruction may still infringe copyright by reproducing the key elements of the original software, even if it doesn’t reproduce the original code line-for-line.
Trade Secret Law
The United States Supreme Court has ruled that state trade secret laws may not rule out “discovery by fair and honest means,” such as reverse engineering. Kewanee Oil Co. v. Bicron Corp., 416 U.S. 470, 476 (1971). The Supreme Court also upheld the legitimacy of reverse engineering in Bonito Boats, Inc. v. Thunder Craft Boats, Inc., where it declared that the “public at large remained free to discover and exploit the trade secret through reverse engineering of products in the public domain or by independent creation.” 489 U.S. 141, 155 (1989). In California, reverse engineering is not a wrongful act in the eyes of law, and similarly, in Texas, unless reverse engineering is not prohibited, it is considered as a “fair and legal means” to obtain information. Reverse engineering that violates a non-disclosure agreement (NDA) or other contractual obligation not to reverse engineer or disclose may be embezzlement. Breaking a promise made in a negotiated NDA is more likely to result in a trade secret claim than violating a term in a mass-market End User License Agreement (EULA). If you are subject to any contractual restrictions, whether a EULA or NDA, or if the code you are researching is generally distributed pursuant to such agreements, you should talk to a lawyer before beginning your research activities.
Digital Millennium Copyright Act (DMCA)
The DMCA was passed in 1998 as an anti-piracy motion effectively making it illegal to circumvent copy protection designed to prevent pirates from duplicating digital copyrighted works and selling them. It also makes it illegal to manufacture or distribute tools or techniques for circumventing copy controls. But in reality, the controversial law's effects have been much broader by allowing game developers, music and film companies, and others to keep tight control on how consumers use their copyrighted works, preventing them in some cases from making copies of their purchased products for their own use.
Anti-circumvention provisions of the DMCA prohibit circumvention of “technical protection means” that effectively control access to copyrighted work. That “technical protection means” refers to the techniques used by software vendors such as authentication handshakes, code signing, code obfuscation, and protocol encryption. For example, if any third-party developer by doing reverse engineering develops a copy of a game that connects to the game server and performs authentication handshakes then that type of reverse engineering is beyond fair use or interoperability. This type of reverse engineering can be considered illegal. Therefore, anti-circumvention provisions limit reverse engineering.
Contract law varies based on the type of software application but most of the software products include EULA conditions of “no reverse engineering” clauses. Therefore, contract law in most cases limits reverse engineering.
1. End User License Agreement (EULA): This is a legal contract between a software developer or vendor and the end-user of the software. These agreements are also known as “click-through” agreements that bind customers to a number of strict terms.
Following are examples of some common EULA clauses that apply to customers’ behavior:
· "Do not criticize this product publicly."
· “Using this product means you will be monitored."
· "Do not reverse-engineer this product."
· "Do not use this product with other vendor's products."
· "By signing this contract, you also agree to every change in future versions of it. Oh yes, and EULAs are subject to change without notice."
· "We are not responsible if this product messes up your computer."
2. Terms of Service notice (TOS): This is a legal agreement between a service provider and a person who wants to use that service. For example, access to mobile applications or websites. Using this, service providers can deactivate accounts that do not follow the terms of this agreement. It is also known as “Terms and conditions” and comprises phrases which are attached to services and/or products. Services that include these terms are web browsers, e-commerce, web search engines, social media, and/or transport services. Terms of service vary based on product and depend on the service provider, so any comment with respect to reverse engineering the product varies accordingly.
4. Non-Disclosure Agreement (NDA): This is an agreement in which parties agree not to disclose secret information. For example, confidential and proprietary information or trade secrets. It is also known as the Confidentiality Agreement (CA), Confidential Disclosure Agreement (CDA), Proprietary Information Agreement (PIA), or Secrecy Agreement (SA). It is commonly signed between two companies which come under partnership in any business.
The majority of software products today come with EULAs which have “no reverse engineering” clauses. Various other internet services also may have TOS or TOU that claim to restrict legal research activities. Researchers and programmers sometimes receive an outbreak of code pursuant to an NDA, developer agreement, or API agreement that limits the right to report security flaws. While it is more likely that a court will enforce a negotiated NDA than a mass-market EULA, the law is not clear, thus it is important to consult with counsel if the code a person wants to study is subject to any kind of contractual restriction.
Electronic Communications Privacy Act (ECPA)
The Electronic Communications Privacy Act (ECPA), sections 18 U.S.C. 2510, restricts interference of electronic communications flowing over a network. Because packets are communications, network packet inspection may violate the ECPA. There are many exceptions to this restriction. For example, the service provider may intercept and use communications as part of “any activity which is a necessary incident to the rendition of his service or to the protection of the rights or property of the provider of that service, except that a provider of wire communication service to the public shall not utilize service observing or random monitoring except for mechanical or service quality control checks.” Further, if the parties to the communication consent, then there is no legal problem. The ECPA is a complicated regulation, so if your research involves inspecting network packets, even if you're only interested in addressing information, such as source and destination addresses, you should talk to a lawyer first about ensuring that your work meets one of the exceptions.
In the United States, Section 103(f) of the Digital Millennium Copyright Act (DMCA), states that there is no cross-questioning on the legality of reverse engineering and circumvention of protection to achieve interoperability between computer programs. The procurement of the reverse-engineered product must be through legal means and the person must be the lawful owner of the product. Section 1201 (f) of the Copyright Act allows a person involved in a reverse engineered computer program to bypass technological measures which restrict one from accessing a computer program in order to analyze the program and gain interoperability with a different program.
Atari Games Corp. v. Nintendo of America proved that reverse engineering can be held as a fair outlier to copyright infringement under Section 107 of the Copyright Act, the court held reverse engineering act as permissible in respect to software to obtain valid information. In accordance with Section 107 of the Copyright Act, “The legislative history of section 107 suggests that courts should adapt the fair use exception to accommodate new technological innovations.” The court also noted, “A prohibition on all copying whatsoever would stifle the free flow of ideas without serving any legitimate interest of the copyright holder.”
Sega Enterprises v. Accolade - Defendant developer of computer games appealed a preliminary demand entered by the U. S. District Court for the Northern District of California under the Copyright Act in favor of a plaintiff computer game system manufacturer whose product was reverse engineered by the defendant. The developer sold games he had developed for other systems with the computer code that made the games functional on the manufacturer's system. The court reversed the entry of the preceding demand. In light of the purpose of the Copyright Act to encourage the production of creative works for the public good, reverse engineering was a fair use of the manufacturer's copyrighted work. The disassembling of the manufacturer's product was the only reasonably available means for obtaining the unprotected functional codes of the manufacturer's game program. The screen display of the manufacturer's logo on games sold by the developer was the result of the manufacturer's security code needed for access to the unprotected functional code, and the manufacturer thereby was responsible for any resulting trademark disorientation. When the person seeking the understanding has a legitimate reason for doing so, such disassembly is as a matter of law a fair use of the copyrighted work.
This principle was reinforced by cases such as Sony Computer Entertainment, Inc. v. Connectix Corp, Lexmark Int’l Inc. v. Static Control Components, and Lotus Dev. Corp. v. Borland Int’l, Inc.
Be Aware of Restrictions
Some restrictions on the act of reverse engineering or on what a reverse engineer can do with the emerging information may be necessary to ensure adequate incentives to invest in innovation. But in some cases, the restrictions have gone too far. In short, to ensure you steer clear of any legal risk of reverse engineering, it should be performed only to the extent of allowances, such as for accessing ideas, facts, and functional concepts contained in the product. Be especially cognizant of EULA agreements that state “no reverse engineering”, copyright laws, and anti-circumvention provisions before proceeding to perform any reverse engineering on the product.