Good Evening +Fravia,
I am The+Starling (although it shouldn't take you too long to determine my
real name). You were asking for help on the legal aspects of reverse
engineering. Here are my thoughts.
THE+STARLING - 06/11/98
THE LEGAL PROTECTION OF COMPUTER PROGRAMS
Introduction
Although I'm not connected with the legal profession I thought I'd have a go
at exploring the issues to do with one of +Fravia's questions on the legality
of reverse engineering from a layman's perspective. To answer the question
I'm going to talk about EEC law, specifically the text of the Council
Directive of 14 May 1991 on the legal protection of computer programs
(91/250/EEC). Because it's EEC law, most of this probably doesn't apply in
the States (sorry fellas) and please bear in mind that because this is the
text of the Directive, some of the portions of the actual Directive could be
different. So, down to business .. the article consists of a discussion of
what I think are the three most important bits of the Directive, Article
5(1), Article 5(3) and Article 6. I've also mentioned Article 9(1) in
passing. It'll probably help if you've read at least these from the
directive. One last thing, during the course of the article I'll refer to
"the author" quite a bit. When I say "the author" I mean either the person,
or the people, or the company that sold you the program - it's a legal term
that's defined in the Directive. I guess I don't have to say that because
I'm not a lawyer or solicitor or whatever, you shouldn't take any of this as
legal advice. If you're in legal trouble you really need to get help from a
professional.
Discussion
You may fix bugs unless the license says otherwise - Article 5(1)
You are legally entitled to do "anything you like" (sic) to a program to fix
it if and only if it doesn't work and the license agreement doesn't say
otherwise. So if the license that comes with your nice new software contains
a clause that says something like "you can't fix my heap of shit if it
breaks" then you are not legally entitled to take it to pieces and fix it.
However if the license doesn't say what to do if the program's faulty then
you can translate, adapt, arrange or alter the program in order to get it to
work: but you are not legally entitled to do any of those four things for any
other purpose (because it's a challenge, say).
You may observe, study or test a program's functioning - Article 5(3)
Regardless of what the license agreement says, you don't need to have
permission from the program's author (the "authorization of the
rightholder"), to study the way a program works (its "functioning") if and
only if your aim is to understand the "ideas and principles" which underlie
the part of the program you're studying. Anything in your contract that says
you can't study, observe or test the program's functioning is declared "null
and void" by Article 9. However if it can be proved that in studying the
program you've infringed laws on "trade-marks, unfair competition, trade
secrets, protection of semi-conductor products or other laws of contract" you
may be liable to prosecution. This might mean that if you go studying a
program and you've accepted the license agreement for it you can be found in
breach of contract (because you may have infringed "other laws of contract").
However because contract law is fantastically complicated (even more so than
+Fravia's site :-) you'd need a specialist to look and decide whether
studying a particular program constitutes a breach of the license conditions
for that program.
It's now time to touch on the important question to do with Article 5(3). It
is: when you reverse engineer a program are you studying it? In other words,
does reverse engineering constitute a legitimate area of study? If it's
legitimate then it should be okay to reverse any program you like as long as
you're doing it to study the program and not for some other reason. I don't
think there's a hard and fast answer to this question. On the face of it I
can't think of any reason why reverse engineering should be illegitimate per
se: it's just another area of computer science/engineering like any other and
every area of study requires subject matter. But there are questions to do
with a person's intent when they reversed a product which would need to be
answered in a legal case. In other words, in order to decide whether your
reversing is legit you probably need to look at your motives for reversing a
program: do you do it for profit or because you want to understand how it
works? If the latter then you are potentially on better ground than if it
were the former. If you really are interested in how a protection scheme
works and you're not trying to crack it so you can sell, or give, the
resulting program to others, then a court of law would be inclined to look
more favourably on you. However you would need to provide proof of your
intention: just saying so wouldn't be enough. Publicising your results on a
Web page with the heading "FREE CRACKED PROGRAMS" would definitely not be a
good idea. Neither would public vitriolic rantings aimed at the author
because it might be apparent that your aim was not to understand the program
but to damage the author's "legitimate interest", i.e. you cracked the
program because you wanted to harm their business in some way. For example,
saying "Micro$haft are demonically intent on possessing people's souls and I
love to break their programs because it gives me pleasure" to your friends is
fine, but when you publish a web page you put your opinions in the public
domain. At that point you really must be prepared to put your money where
your mouth is - if you really have an informed opinion then it should be
possible to persuade a reasonable group of people that you are right. However
if you're just mouthing off all you'll do is make yourself look like a berk
and you'll demean the credibility of your contention that you were seeking
understanding.
see note 1!
You may decompile a program if it's not "interoperable" with other programs - Article 6
You are legally entitled to decompile a program if and only if it's necessary
to "achieve the interoperability of an independently created computer program
with other programs", but not for any other purpose. A program is not
interoperable if it "gets in the way" of other programs on your computer. By
this I mean that it must obstruct another program's execution on purpose, or
hog so much memory that nothing else can get a look in on purpose, or refuse
to relinquish control to Windows on purpose, and so on. A program is
perfectly interoperable if it's a bit slow, or buggy, or the executable is a
bit larger than it need be. Interoperability has to do with deliberate
obstruction rather than bugs. So if your snazzy new $oftICE program has a
virus in it that causes it to destroy the M$Explorer executable, you're
perfectly at liberty to take it to bits and stop it doing that. But if
IExplore.exe is feeling a bit poorly today and you're pissed off with it, you
are not legally entitled to hack it around in order to speed it up a little.
When you decompile a program, you are only allowed to alter that bit of it
that's causing it not to be interoperable. So if you're fixing that virus in
$oftICE you can't go altering the protection scheme at the same time (unless
it's that that's causing the trouble of course :-).
Conclusion
I think the law is fairly clear as far as fixing bugs and making a program
work alongside other programs goes. But it looks like the waters are muddy as
far as reversing a program in order to study it goes. Intention (as ever)
appears to be 9/10ths of the law in this case. Having said that it may be
that a lawyer would be able to clarify points of my interpretation, but then
again it might be that the law is unclear on this point and it would require
a judgement to sort the matter out.
Au Revoir oh my brothers. Fight ignorance.
THE+STARLING - 06/11/1998
Cracker, reverse thyself
Note 1: I'm sure this final set of opinions will look pedestrian to some
people. Perhaps they are. I just think that if we're really interested in
defending reverse engineering as a legitimate subject for study (rather than
just saying "up yours" to corporations because they happen to have incurred
our displeasure) we'll need to start putting some reasoned argument behind
rhetorical statements like "You may bomb or nuke only sites and pages that
are really lame and/or pathetically commercial-oriented" otherwise we'll make
ourselves look like arses rather than searchers :-)