Monday, 23 June 2008

Legal issues with Reversing

In Australia, as in many other jurisdictions, the reverse engineering of software is considered legal as long as it falls within one of the defined defences against copyright infringement. These are detailed below.

Additionally, it is possible to prove the legality of a reversing procedure if it is done using a cleanroom process. A cleanroom procedure involves:

  • obtaining a legally licensed version of the software,
  • having one team of analysts disassemble and decompile the software. This team would then create flow documents and process requirements from their understanding of the software and its structure. Care must be taken when explaining the structure to ensure that a breach has not occurred,
  • an alternate team of programmers could then use the structure document to write new software with new code.

In order for the copyright owner to prove the reverse engineering of the software is an infringement, it is necessary that the following conditions apply:

  • a valid right to copyright subsists on the software (it is currently unlikely that any copyright term would have expired),
  • the source or object code (or a substantial section thereof) has been created through a significant reproduction or adaptation of the original code, and
  • one of the valid defences (listed below) does not apply.

When a user has legitimately obtained a copy of software, there are a number of relevant defences to copyright infringement. It should be further noted that the copyright holder or owner is not permitted under law to require the user to contract out of these rights. These defences include:

  • creating a backup copy of the software,
  • making a copy of the software in the normal course of running the program,
  • making a copy of the software or its components in order to patch or otherwise correct errors in the software. This defence is limited to the situation where the said patch is not available within a reasonable time and also at an ordinary commercial price,
  • making a copy of software to obtain information in order to ensure system interoperability. This defence is limited to cases where that information is not readily available from another source already, and
  • making a copy of software for the purposes of testing the security of the product.

Reversing is still dangerous. Even while trying to avoid copying software, an unconscious copy could be made. This is why cleanroom procedures are so critical. As strange as it seems, it is possible to copy something without making reference to the original source in a manner that breaches the copyright laws. This is generally known as unconscious copying.

Even when a cleanroom procedure is correctly followed, some illegal copying could have occurred. Care needs to be taken in the creation of the explanatory document to ensure that this is not a consequence of unconscious or unintentional copying.

Autodesk v. Dyason (1992) 173 CLR 3330; 220 IPR 163 is a prime example of this risk.

Although there is a valid defence for security testing and for patching, it is essential to ensure that a commercial fix is not readily available prior to testing. Most importantly, document each step and ensure that records of all the testing exist.
