Is it legal to reverse engineer products?

Technological innovation is not an isolated concept, in fact, it involves interaction with places, people, and actions. Inventors frequently keep a check on the cognizance of the competitor’s new ideas by drawing insights from an already existing technology to produce a better product to form a convenient approach and coming up with novel ideas. It requires a lot of hard work and investment (in terms of money and time) for anyone to strike a novel invention. To protect these novel inventions, intellectual property (such as patents, copyrights, trademarks, and trade secrets) rights play a significant role. Trade secrets are a type of intellectual property that comprise formulas, practices, processes, designs, instruments, patterns, or compilations of information that have inherent economic value because they are not generally known or readily ascertainable by others, and which the owner takes reasonable measures to keep secret. In this world full of trade secrets, reverse engineering is considered “ethically acceptable”. Though there’s always a limit up to what extent the dismantling is termed legal.

Done the right way, there is nothing wrong with reverse engineering and it is not considered as an “improper means” of gathering information as declared by the Defend Trade Secrets Act (DTA). Still, there are numerous unlawful ways to go about reverse engineering which can provide answers to the innovators who feel their work has been unethically obtained.

Legal doctrines for reverse engineering

• Copyright law and fair use (17 U.S.C. 107)
• Trade secret law
• The anti-circumvention provisions of the DMCA (17 U.S.C. section 1201)
• Contract laws (EULAs, TOS, TOU, and NDA)
• Electronic Communication Privacy Act (ECPA)

Copyright law and fair use

Notwithstanding the provisions of sections 106 and 106A, the fair use of a copyrighted work, including such use by reproduction in copies or phonorecords or by any other means specified by that section, for purposes such as criticism, comment, news reporting, teaching (including multiple copies for classroom use), scholarship, or research, is not an infringement of copyright. In determining whether the use made of a work in any particular case is a fair use the factors to be considered shall include —

• the purpose and character of the use, including whether such use is of a commercial nature or is for nonprofit educational purposes;
• the nature of the copyrighted work;
• the amount and substantiality of the portion used in relation to the copyrighted work as a whole; and
• the effect of the use upon the potential market for or value of the copyrighted work

The fact that a work is unpublished shall not itself bar a finding of fair use if such finding is made upon consideration of all the above factors.

Trade Secret Law

The United States Supreme Court has ruled that state trade secret laws may not rule out “discovery by fair and honest means,” such as reverse engineering. Kewanee Oil Co. v. Bicron Corp., 416 U.S. 470, 476 (1971). The Supreme Court also proved the legitimacy of reverse engineering in Bonito Boats, Inc. v. Thunder Craft Boats, Inc., where it clasped that the “public at large remained free to discover and exploit the trade secret through reverse engineering of products in the public domain or by independent creation.” 489 U.S. 141, 155 (1989). In California, reverse engineering does not prove to be a wrongful act in the eyes of law, and similarly in Texas, unless reverse engineering is not prohibited, it is considered as a “fair and legal means” to obtain information. Reverse engineering that violates an NDA or other contractual obligation not to reverse engineer or disclose may be embezzlement. Breaking a promise made in a negotiated NDA is more likely to result in a trade secret claim than violating a term in a mass-market EULA. If you are subject to any contractual restrictions, whether a EULA or NDA, or if the code you are researching is generally distributed pursuant to such agreements, you should talk to a lawyer before beginning your research activities.

Digital Millennium Copyright Act

The DMCA was passed in 1998 as an anti-piracy motion effectively making it illegal to circumvent copy protection designed to prevent pirates from duplicating digital copyrighted works and selling them. It also makes it illegal to manufacture or distribute tools or techniques for circumventing copy controls. But in reality, the controversial law’s effects have been much broader by allowing game developers, music and film companies, and others to keep tight control on how consumers use their copyrighted works, preventing them in some cases from making copies of their purchased products for their own use.

Anti-circumvention provisions of the DMCA prohibits circumvention of “technical protection means” that effectively control access to copyrighted work. That “technical protection means” refers to the techniques used by software vendors such as authentication handshakes, code signing, code obfuscation, and protocol encryption. For example, if any third party developer by doing reverse engineering develops a copy of a game that connects to the game server and performs authentication handshakes then that type of reverse engineering is beyond fair use or interoperability. This type of reverse engineering can be considered illegal. Therefore, anti-circumvention provisions limit reverse engineering.

Contract Law

Contract law varies based on the type of software application but most of the software products include EULA conditions of “no reverse engineering” clauses. Therefore, contract law in most cases limits reverse engineering.

1. End User License Agreement (EULA): It is a legal contract between a software developer or vendor and the end-user of the software. These agreements are also known as “click-through” agreements that bind customers to a number of strict terms.

Following are examples of some EULAs clauses which are mentioned with the product and can harm customers:

• “Do not criticize this product publicly.”
• “Using this product means you will be monitored.”
• “Do not reverse-engineer this product.”
• “Do not use this product with other vendor’s products.”
• “By signing this contract, you also agree to every change in future versions of it. Oh yes, and EULAs are subject to change without notice.”
• “We are not responsible if this product messes up your computer.”

2. Terms of Service notice (TOS): It is a legal agreement between a service provider and a person who wants to use that service. For example, access to mobile applications or websites. Using this, service providers can deactivate accounts that do not follow the terms of this agreement. It is also known as “Terms and conditions” and comprises phrases which are attached to services and/or products. Services that include these terms are web browsers, e-commerce, web search engines, social media, and/or transport services. As the terms of service vary based on product and depend on the service provider so any comment to reverse engineer the product varies accordingly.

3. Terms of Use notice (TOU): It is an agreement in which a user must agree to and abide by in order to use a website or service. It is also referred to as “Terms of Service”, “Terms and conditions” and/or “Disclaimer”. As the terms of use vary based on product and it depends on the service provider so any comment to reverse engineer products vary accordingly.

4. Non-Disclosure Agreement (NDA): It is an agreement in which parties agree not to disclose secret information. For example, confidential and proprietary information or trade secrets. It is also known as the Confidentiality Agreement (CA), Confidential Disclosure Agreement (CDA), Proprietary Information Agreement (PIA), or Secrecy Agreement (SA). It is commonly signed between two companies which come under partnership in any business.

The majority of software products today come with EULAs which have “no reverse engineering” clauses. Various other internet services also may have TOS or TOU that claim to restrict legal research activities. Researchers and programmers sometimes receive an outbreak of code pursuant to an NDA, developer agreement, or API agreement that limits the right to report security flaws. While it is more likely that a court will enforce a negotiated NDA than a mass-market EULA, the law is not clear, thus it is important to consult with counsel if the code a person wants to study is subject to any kind of contractual restriction.

Electronic Communications Privacy Act (ECPA)

The ECPA, sections 18 U.S.C. 2510, restricts interference of electronic communications flowing over a network. Because packets are communications, network packet inspection may violate ECPA. There are many exceptions to this restriction. For example, the service provider may intercept and use communications as part of “any activity which is a necessary incident to the rendition of his service or to the protection of the rights or property of the provider of that service, except that a provider of wire communication service to the public shall not utilize service observing or random monitoring except for mechanical or service quality control checks.” Further, if the parties to the communication consent, then there is also no legal problem. The ECPA is a complicated regulation, so if your research involves inspecting network packets, even if you’re only interested in addressing information, such as source and destination addresses, you should talk to a lawyer first about ensuring that your work meets one of the exceptions.

In the US, under Section 103(f) of the Digital Millennium Copyright Act (DMCA), it is stated that there is no cross-questioning on the legality of reverse engineering and circumvention of protection to achieve interoperability between computer programs. In regard to this, the procurement of the reverse-engineered product must be through legal means and the person must be the lawful owner of the product. Section 1201 (f) of the Copyright Act reassures a person involved in a reversed engineering computer program as it allows for bypassing technological measures which regulate one to access a computer program to analyze the program and gain interoperability with a different program.

• Atari Games Corp. v. Nintendo of America’s case proved that reverse engineering can be held as a fair outlier to copyright infringement under Section 107 of the Copyright Act, the court held reverse engineering act as permissible in respect to software to obtain valid information. In accordance with Section 107 of the Copyright Act, “The legislative history of section 107 suggests that courts should adapt the fair use exception to accommodate new technological innovations.” The court also noted, “A prohibition on all copying whatsoever would stifle the free flow of ideas without serving any legitimate interest of the copyright holder.”
• Sega Enterprises v. Accolade’s case — Defendant developer of computer games appealed a preliminary demand entered by the U. S. District Court for the Northern District of California under the Copyright Act in favor of a plaintiff computer game system manufacturer whose product was reverse engineered by the defendant. The developer sold games he had developed for other systems with the computer code that made the games functional on the manufacturer’s system. The court reversed the entry of the preceding demand. In light of the purpose of the Copyright Act to encourage the production of creative works for the public good, reverse engineering was a fair use of the manufacturer’s copyrighted work. The disassembling of the manufacturer’s product was the only reasonably available means for obtaining the unprotected functional codes of the manufacturer’s game program. The screen display of the manufacturer’s logo on games sold by the developer was the result of the manufacturer’s security code needed for access to the unprotected functional code, and the manufacturer thereby was responsible for any resulting trademark disorientation. When the person seeking the understanding has a legitimate reason for doing so, such disassembly is as a matter of law a fair use of the copyrighted work.

This principle was proved official in cases such as Sony Computer Entertainment, Inc. v. Connectix Corp, Lexmark Int’l Inc. vs. Static Control Components, and Lotus Dev. Corp. v. Borland Int’l, Inc.

Some restrictions on the act of reverse engineering, or on what a reverse engineer can do with the emerging information, may be necessary to ensure adequate incentives to invest in innovation. But in some cases, the restrictions have gone too far. In short, to be away from any legal risk of reverse engineering, we have to perform it only to the extent of allowances such as for accessing ideas, facts, and functional concepts contained in the product. We need to take care of EULA agreements which state “no reverse engineering”, copyright laws, and anti-circumvention provisions before proceeding to perform any reverse engineering on the product.

This story was first published here.