Despite the legal protections for reverse engineering as a fair use, two newer developments threaten to limit the protection rule. These are trade secret and contract law, and the anti-circumvention provisions of the Digital Millennium Copyright Act (DMCA).
As we saw in Michael Lynn’s case, companies sometimes make trade secret claims against security researchers, despite the fact that reverse engineering is specifically protected in both copyright and trade secret law.
One way to understand the relationship between trade secret law and reverse engineering is to view trade secret protection as a prohibition against theft or misuse of certain kinds of information, rather than a rule that says certain information is private property for all purposes. Information may be a trade secret one day, but if the public legitimately learns the information, it ceases to be protected as such. This explains why reverse engineering generally doesn’t violate trade secret law. It is a fair and honest means of learning information.
The question becomes more complicated when a EULA or nondisclosure agreement (NDA) prohibits reverse engineering. If a researcher reverse engineers in violation of a legal instrument, is the technique still a fair and honest practice allowed in trade secret law?
Can a EULA or NDA:
• Prevent the researcher from raising a fair use defense to a claim of copyright infringement?
• Prevent the researcher from claiming a fair and legitimate discovery defense in response to a trade secret misappropriation claim?
• Subject the researcher to a breach of contract claim if he reverse engineers in contravention of the terms of that document?
The answer to these questions depends on whether the terms of the EULAs or NDAs are enforceable. Even if enforceable, the question remains whether a person who has violated those terms merely breaches the EULA or NDA contract, or actually infringes copyright or misappropriates trade secrets, both more serious claims. Full discussion of this issue is beyond the scope of this chapter. However, I do want to explain some basic contract principles so readers can see the interrelationship with trade secret law.
A EULA purports to be a contract between the vendor and the purchaser. Contract law is based on a mythological meeting of two entities with equal bargaining power that come together and strike a deal in which each gives something to get something. A EULA does not look much like the arm’s length negotiation I’ve just described. Instead, the vendor issues small print terms and conditions that the purchaser sees only when he opens the box, or upon install. The purchaser can then return the product or “accept” the terms. People who’ve never seen the terms or agreed to them then use the product.
Additionally, companies that want to protect their trade secrets often enter into nondisclosure agreements (NDAs) that regulate how signers will treat source code. This is the only way that a team of people can work on a project and the company can still keep information confidential.
The important thing to note is that researchers may be subject to contractual provisions contained in shrink-wrap, click-wrap, and browse-wrap licenses, and that violation of those provisions in the service of security work could undermine the applicability of legal defenses you would otherwise be able to use.
Perhaps there are some contract terms the law will enforce, and some it will not. One factor may be whether the contracts were truly negotiated or just offered to the public on a take-it-or-leave-it basis. A few cases have ruled that the terms in software mass market licenses are enforceable if the user has an opportunity to view them and accept or return the product at some point prior to use. Thus, even if intellectual property law says you can do something, a court may punish you if a contract says you cannot.
What to do to protect yourself
As you can see, it’s pretty important to legally possess a copy of the software you are working on and to comply with any promises that you’ve made in conjunction with obtaining the right to use that software (in a click-wrap, shrink-wrap, browse-wrap, or NDA contract, for example). Failure to do so can result in legal liability, either for breaking the promise or for otherwise legal activities that are no longer protected by IP law.
In my opinion, companies should not use EULAs to terminate public right of access to ideas and functionality of code. We should not depend on the intellectual property rights holder to make socially beneficial decisions about reverse engineering. Once software is out on the market, the vendor should not be able to bind the public at large to a license term that deprives society of the benefits of reverse engineering. Enforcing terms limiting reverse engineering or controlling dissemination of information obtained by reverse engineering makes sense when the only way the researcher got access to the original code was under an individually negotiated NDA. But even there, restrictions that prevent people from learning about flaws in electronic voting machines or the routers that run the Internet may need to yield to the greater good of public access.
Breaching a contract does not customarily carry the negative connotation that committing a tort or a crime does. The purpose of contract is to smooth out commercial interactions, and walking away from a contract if there is a better deal is part of doing business. Traditionally, breaches could be fixed with money damages sufficient to give the contracting party the benefit of the bargain, and punitive damages were not granted. So, it’s a bit odd to let a breach of contract translate into trade secret and copyright damages. It is important for you to know that the law will develop further in this area over the next few years. As always, if you recognize a potential grey area, get real legal advice from an attorney.