
Chapter 12 - Caveat Hacker

Reverse engineering and intellectual property law have some tricky legal interactions. On one hand, innovation deserves its just reward. The right of inventors or authors to exclusively produce or sell the fruits of their labor must be protected. On the other hand, a free and competitive marketplace is also required to preserve innovation and to ensure fair markets. The study of the design principles embodied in existing products and the ability to produce improved derivative products are an important part of a competitive marketplace.

This chapter provides an overview of intellectual property law, and some of the more important bits that you need to know about as a hacker. Ignorance is not a valid defense, and there are some severe penalties prescribed by the law for those who ignore the laws that govern reverse engineering and intellectual property rights. Some acts of intellectual property violation are punishable as felonies along with hefty fines.

The majority of this chapter was written by Lee Tien, a Senior Staff Attorney with the Electronic Frontier Foundation. Lee (and Joseph Liu) were my counsel during the period when I was trying to publish my findings on the Xbox security system. Chapter 8 has a sidebar titled “The Legal Challenges of Hacking” that describes my fight with MIT to get my paper published.

The content of this chapter is presented with the intention of providing an informational resource for hackers. If you think you may be in a legally compromising situation, there is no substitute for contacting an attorney and getting proper legal advice on your specific situation.

Profile: Lee Tien

Lee Tien is a Senior Staff Attorney with the Electronic Frontier Foundation, specializing in free speech law, including intersections with intellectual property law and privacy law. Before joining EFF, Lee was a sole practitioner specializing in Freedom of Information Act (FOIA) litigation. Mr. Tien has published articles on children’s sexuality and information technology, anonymity, surveillance, and the First Amendment status of publishing computer software. Lee received his undergraduate degree in psychology from Stanford University, where he was very active in journalism at the Stanford Daily. After working as a news reporter at the Tacoma News Tribune for a year, Lee went to law school at Boalt Hall, University of California at Berkeley. Lee also did graduate work in the Program in Jurisprudence and Social Policy at UC-Berkeley.1

The Electronic Frontier Foundation

The Electronic Frontier Foundation (EFF) provided me legal counsel during the period when I was trying to publish my paper on the Xbox security system. The following paragraphs introduce what the EFF does, and who they are.

Imagine a world where technology can empower us all to share knowledge, ideas, thoughts, humor, music, words and art with friends, strangers and future generations.

That world is here and now, made possible with the electronic network — the Internet — with the power to connect us all. And future developments in technology will enable us to access information and communicate with others in even more powerful ways.

But governments and corporate interests worldwide are trying to prevent us from communicating freely through new technologies, just as when those in positions of power controlled the production and distribution of — or even burned — books they did not want people to read in the Middle Ages. But only by fighting for our rights to speak freely whatever the medium — whether books, telephones, or computers — can we protect and enhance the human condition.

The Electronic Frontier Foundation (EFF) was created to defend our rights to think, speak, and share our ideas, thoughts, and needs using new technologies, such as the Internet and the World Wide Web. EFF is the first to identify threats to our basic rights online and to advocate on behalf of free expression in the digital age.

Based in San Francisco, EFF is a donor-supported membership organization working to protect our fundamental rights regardless of technology; to educate the press, policymakers and the general public about civil liberties issues related to technology; and to act as a defender of those liberties. Among our various activities, EFF opposes misguided legislation, initiates and defends court cases preserving individuals’ rights, launches global public campaigns, introduces leading edge proposals and papers, hosts frequent educational events, engages the press regularly, and publishes a comprehensive archive of digital civil liberties information at one of the most linked-to websites in the world: http://www.eff.org.2

1 From the EFF website, http://www.eff.org/homes/lee_tien.html

2 From the EFF website, http://www.eff.org/abouteff.html

Caveat Hacker: A Primer on Intellectual Property, by Lee Tien

Reverse engineering is the process of extracting know-how or knowledge from an artifact; in the marketplace, it’s been called the “time-honored technique of figuring out just what makes a competitor’s product tick.”1 But anyone who studies mass-marketed products today should be aware of the legal minefield surrounding reverse-engineering. The anticircumvention provisions of the Digital Millennium Copyright Act (DMCA),2 contractual terms prohibiting reverse-engineering, and the Economic Espionage Act3 are a few of the dangerous legal areas that technologists should know about. This chapter will briefly survey these areas to give hackers a rough idea of the issues.

There are two general issues here. First, is the reverse engineering lawful? Second, even if you may reverse engineer the product, can you publish what you learn from the reverse engineering?

Classical Intellectual Property Law: An Overview

Intellectual property law traditionally meant copyrights and patents. Both are created and limited by federal statutes based on the Constitution’s intellectual property clause: “Congress shall have the Power . . . To promote the Progress of Science and useful Arts, by securing for limited Times to Authors and Inventors the exclusive Right to their respective Writings and Discoveries.”4 Computer programs are typically protected as copyrighted “literary works,” but they can also be patented.5

People have recently come to think of trade secrets as another kind of intellectual property. Trade secrets were originally protected by courts under case law, but they are now the subject of both state and federal statutes as well. Unlike copyrights and patents, trade secrecy law is historically grounded in unfair competition principles. In the United States, authors and inventors don’t have “natural rights.”6 Instead, their rights are based on a notion of public welfare. Society will benefit if authors and inventors get some protection, because they won’t have adequate incentives to create if others can freely use their work. But that protection is limited in order to assure that the public ultimately benefits.7 For example, copyright and patent rights are only for “limited times”; eventually, protected works must enter the public domain.8 In short, intellectual property law sets the terms for a “bargain” between the public and authors or inventors.

Copyright

Copyright law protects original works of expression that are “fixed” in a tangible medium and gives the author (or assignee) exclusive rights over reproduction, distribution, adaptation, public display and public performance of the work. It does not protect against independent creation.

Works are not the same as copies or phonorecords (copies of sound recordings). When you buy a book, you own a copy, but the copyright owner retains the rights to the work itself. Note, by the way, that the “first sale” doctrine allows lawful owners of copies to sell or transfer these lawfully owned copies,9 with certain exceptions.10

There are many different types of works, with many different rules for each type. So copyright law is quite complex, and technology hasn’t simplified matters. Consider a copyrighted song. The song or musical composition (MC) is protected by copyright, typically held by the songwriter. To record the song, one needs permission from the MC copyright owner.11 Once recorded, there is an independent copyright in the sound recording (SR), which protects the actual recorded sounds including the singer’s interpretation of the underlying song as well as the efforts of the producer and sound engineers. Record companies usually own SR copyrights. As a result, if you want to use a copyrighted sound recording of the song in a TV commercial, you need permission of both the MC copyright owner and the SR copyright owner.

Most of the copyright owner’s rights are fairly obvious, but some of them are not — especially when computers are involved. For instance, computers load programs into RAM, creating a copy for copyright purposes. The copyright act contains a specific exemption that permits the owner of a copy of a computer program to copy the program into computer memory.12 This illustrates the general strictness of copyright law: that one can’t use a copyrighted work for its intended purpose without making a copy doesn’t mean that making the copy isn’t copyright infringement. The implications of this strictness for the Internet are serious, since Internet dissemination generally involves the making of copies.

The right over adaptation can also be confusing. Adaptations, or “derivative works,” are works based on a copyrighted work: foreign-language translations, movies based on books, and so on. In one much-criticized case, a court found that cutting pictures out of lawfully owned copies and mounting the pictures onto ceramic tiles created infringing derivative works.13 Most courts disagree with this result.14

Copyright protection begins automatically when a work is created and generally lasts for the life of the author plus 70 years.15 Works become free for all to use, i.e., enter the public domain, once the copyright term expires.

There are many exceptions to copyright. The rule that copyright protects expression means that it doesn’t bar anyone from using the ideas or facts revealed in the work. “Ideas” includes the plots of stories. More generally, copyright doesn’t protect the utilitarian aspects of a work, so you can write a computer program that does the same thing as another program so long as you don’t copy its expression.

Facts are considered “outside” copyright because they are discovered, not authored. This would include, for instance, the discovery of new prime numbers. But you can have a copyright in the selection, sequence or arrangement of facts or anything else that is not itself copyrightable. The classic example is an anthology of public-domain poetry. You can have a copyright to the compilation even though the individual pieces are unprotected if the selection, sequence or arrangement is sufficiently original. The alphabetical arrangement of facts in the typical telephone “white pages” directory fails the constitutional originality requirement. You don’t get any protection merely because you invested money, time or effort into collecting the phone numbers.

Copyright doesn’t cover many “ordinary” uses of the work. In itself, reading a book isn’t subject to copyright, because it doesn’t infringe any of the copyright owner’s rights. Singing a song in the shower is a performance, but the copyright owner only has a right over public performances. Here again, however, the Internet has changed things. When you read a document in your web browser, a copy of the document was probably made by your computer. Thus, many formerly ordinary uses now entail the making of a copy, which raises copyright issues.

Today, there’s a lot of controversy about “fair use.” Fair use is a defense to copyright infringement that was intended to allow people to make some unauthorized use of copyrighted works. Fair use allows book reviewers to quote from books. It’s a very complicated area of law; whether a use is “fair” depends on factors like the purpose, nature, amount, and economic effect of the use.16

Patent

Patent law protects inventions and gives the inventor (or his assignee) the right to exclude others from making, selling, or using the invention for 20 years from the date of the filing of the patent. Unlike copyright, patent law protects against independent invention by another person.

The bargain here is that in return for the patent, the inventor must provide enough information in the patent application to enable one “skilled in the art” to create the invention without much experimentation. Once a patent is awarded, the application is made public. By making the information public, the patentee contributes to society’s store of knowledge.

A patent confers no affirmative rights, however; if you patent an improvement to someone else’s invention, you can’t practice the improvement without infringing on the underlying patent. If you invent and patent a new drug, you may still need regulatory approval before you can sell the drug.

To be patentable, an invention must be useful, novel, and “nonobvious” to one “skilled in the art.” The novelty and nonobviousness requirements mean that the invention must be a sufficient development in technology before the right to exclude is given. Developments that do not meet these high standards are denied protection.

Trade Secrets

A third area of law — trade secrecy — is also considered part of intellectual property law, although it is not really property. A trade secret is commercially valuable business or other information known to the user but not to competitors. Secrecy, although not absolute secrecy, is the essence of a trade secret; one must take reasonable precautions to protect the trade secret against disclosure.

There’s an obvious relationship between patents and trade secrets, because both protect useful information. If the useful information isn’t patentable at all, there’s no choice. But one might not want to patent a patentable invention for several reasons. You might not want to disclose information in the patent application. Also, if you don’t expect the technology to be valuable for very long, it might not be worth getting a patent that lasts 20 years.

The main downside of trade secrecy is that it provides no protection against independent invention or against reverse-engineering. Trade secrecy is therefore unwise if the secret can be figured out from the product. If, on the other hand, the invention is a process used in making the product, it might be hard to reverse-engineer. Even though Coca-Cola has been on the market for many years, apparently no one has figured out how to duplicate it.

The Constitutional Copyright Bargain

Intellectual property rights are a means to an end — to promote the progress of knowledge and technology. As the Supreme Court once said, “the monopoly privileges that Congress may authorize are neither unlimited nor primarily designed to provide a special private benefit.”17

The above passage indicates that intellectual property law has long been concerned about limiting the potential monopoly power conferred by copyright and patent law. For instance, the first-sale doctrine prevents patent and copyright owners from controlling the market once patented products or copies of copyrighted works are sold.

Also, copyright law has long been interpreted by courts and crafted by Congress to preserve a balance with freedom of speech. Doctrines like the idea/expression dichotomy, the fair use doctrine, and copyright’s limited term are generally viewed as reducing the potential conflict between copyright and freedom of expression.18

Interestingly, concern about monopolies is historically linked to the concern for free speech. English copyright law had long functioned as a kind of state-sponsored cartel; in return for private monopolies over writings, the publishers agreed to act as policemen of the press in the service of government censorship — in particular, the Bible and other religious works.19

Similarly, copyright law’s idea-expression dichotomy ensures that uncopyrightable facts and ideas and unpatentable functional principles remain in the public domain for future creators to build on.

The Traditional View of Reverse Engineering

Historically, reverse engineering has always been a lawful way to gain information embodied in mass-marketed products. For many technology firms, reverse-engineering competitors’ products to study their innovations is a standard practice. Indeed, U.S. courts have also treated reverse engineering as an important factor in maintaining balance in intellectual property law, and the Supreme Court has called reverse engineering “an essential part of innovation.”

The law recognizes three main purposes of legitimate reverse engineering. Competitive reverse-engineering is intended to create a direct substitute. Compatibility or interoperability reverse-engineering is aimed at figuring out how to make a product that works with the reverse-engineered product. And of course, researchers often reverse-engineer products in order to gain knowledge with no commercial purpose.

Trade Secrecy and “Improper Means”

In general, a trade secret is misappropriated only if a person or firm misuses or discloses the secret in breach of an agreement or confidential relationship, engages in other wrongful conduct (e.g., bribery, coercion, trespass) to obtain the secret, or acquires the secret from a misappropriator knowing or having reason to know that the information was a misappropriated trade secret.

Most states, like California, explicitly provide that reverse engineering is a lawful way to acquire a trade secret. Several reasons support reverse engineering as a sound principle of trade secret law.20 Buying a product in the open market generally gives the buyer personal property rights in the product, which include the right to take the product apart, measure it, subject it to testing, and the like. The law also regards sale of a product in the open market as a publication of innovations it embodies and a dedication of them to the public domain unless the creator has obtained patent protection for them.

The vulnerability of trade secrets to reverse engineering is part of the overall constitutional scheme. In Bonito Boats v. Thunder Craft Boats, the Supreme Court struck down a Florida law that forbade manufacturers of boats from using existing boat parts as “plugs” for a direct molding process that yielded competing products because the law “prohibit[ed] the entire public from engaging in a form of reverse engineering of a product in the public domain.”21 The court explained that reverse engineering is “an essential part of innovation,” likely to yield variations on the product that “could lead to significant advances in technology.” Indeed, “the competitive reality of reverse engineering may act as a spur to the inventor” to develop additional patentable ideas.

In cases like Bonito Boats, the question is whether a state law is “preempted” by federal law. When federal and state law conflict, either directly or as a matter of federal policy goals, the state law loses under the doctrine of “conflict” preemption. This stems from the Constitution’s Supremacy Clause, under which federal law generally trumps state law.22 Copyright law also contains a specific preemption clause, discussed below.

Copyright Law and the Problem of Intermediate Copying

Until recently, copyright law didn’t need to worry about reverse engineering, because there was little reason to reverse engineer books, art, or music. Now that computer programs are “literary works,” things are much different. Since many computer programs are distributed only in object code, the reverse engineering process commonly requires an initial decompilation into source code — which entails making a copy.

U.S. courts have found that copyright law does not necessarily prohibit reverse-engineering, because copying incidental to reverse engineering can be a “fair use”: “The Copyright Act permits an individual in rightful possession of a copy of a work to undertake necessary efforts to understand the work’s ideas, processes, and methods of operation.”23 This can be true even when the ultimate goal of the reverse engineering is commercial. The courts generally rely on the Constitutional purpose for copyright protection: “the promotion of ‘the Progress of Science….’”24 The fair use doctrine advances this Constitutional objective by “encourag[ing] others to build freely upon the ideas and information conveyed by a work.”25

The key case here was Sega Enterprises Ltd. v. Accolade, Inc.26 Accolade disassembled Sega game programs in order to get information necessary to make its games compatible with the Sega Genesis game console. Accolade then sold its own games in competition with games made by Sega and its licensed developers. Accolade raised a fair use defense to Sega’s claims that the disassembly copies were infringing. The court accepted Accolade’s defense for the reasons described above. It also noted that if Accolade could not disassemble Sega’s code, Sega would get “a de facto monopoly over [the unprotected] ideas and functional concepts [in the program],” which is only available under patent law.27

The court’s holding, however, was limited to reverse engineering undertaken for a “legitimate reason,” such as to gain access to the functional specifications necessary to make a compatible program, and then only if it “provides the only means of access to those elements of the code that are not protected by copyright.”28

Patent Law

There is no general fair use defense or reverse-engineering exemption in patent law. In theory, you shouldn’t need to reverse-engineer a patented product, because the patent specification should inform the relevant technical community of the best way to make the invention.

Some reverse engineering activities will not infringe a patent. The buyer of a machine embodying a patented invention, for example, is generally free to disassemble it to study how it works under patent law’s first-sale principle. Buying the product means that you have the right to use it, and simply studying it doesn’t infringe the patent owner’s exclusive rights to make or sell the invention. Nevertheless, courts sometimes enforce contractual restrictions on reverse engineering.29

Also, one who tries to make a patented invention to satisfy scientific curiosity may have an “experimental use” defense. Under U.S. law, this defense is narrow and probably does not include research uses that may lead to development of a patentable invention or a commercial product.30

The clash between these three areas can be seen if we look again at the Sega situation. Suppose Sega had a patent on an algorithm used in all of its game programs. By disassembling Sega programs, Accolade arguably “makes” or “uses” the patented algorithm, even if it did so inadvertently. In short, the intermediate copying problem reappears in the patent context.

New Challenges for Reverse Engineers

The importance of reverse engineering has only grown with the rise of commercial cryptography in mass-marketed products, because it is impossible to make systems more secure without trying to break them. Ironically, the growing use of encryption has contributed to laws against reverse engineering. The entertainment industry, for example, now relies on encryption and other technologies to protect digital information like music on CDs and movies on DVDs against unauthorized copying. Unsurprisingly, new laws have been enacted to prevent people from “circumventing” encryption and other forms of security.

Legal encroachments to reverse engineering haven’t been limited to encryption. In the 1970s and 1980s some states forbade the use of a direct molding process to reverse-engineer boat hulls.31 In the late 1970s and early 1980s, the semiconductor industry sought and obtained legislation to protect chip layouts from reverse engineering to make clone chips.32 A major international agreement on intellectual property rights says nothing about reverse engineering.33

The Digital Millennium Copyright Act and the Problem of Unauthorized Access

The DMCA is one of the most important laws that now regulate reverse engineering. One part of the DMCA — its “anti-circumvention” provisions — gives legal protection to technical measures that effectively control access to or prevent copying of a copyrighted work. Unfortunately, the DMCA is extremely complex; for instance, the DMCA makes it unlawful to bypass “effective technical protection measures” without clearly specifying what that term means.

Unauthorized Access

The DMCA essentially creates a new right of “access” for copyright owners. Spokesmen for the copyright industry liken the act of circumventing a technical protection system to “breaking and entering” a home.

One simple example is censorware programs used by schools and libraries to prevent children from viewing inappropriate images. These programs often contain encrypted “blacklists” of censored websites, which vendors typically treat as trade secrets. Suppose a researcher finds that a particular program blocks sites that are wholly appropriate for children, and wants to read the blacklist in order to figure out how many appropriate websites are being wrongly blocked.34 Because the vendor has encrypted the blacklist in order to prevent people from gaining access to its content, and the list is arguably a copyrighted compilation of facts, the encryption is a technical protection measure applied to a copyrighted work and unauthorized decryption would be an unlawful act of circumvention — except that the DMCA currently has a temporary exemption for decrypting censorware blacklists.

Another example: the movie industry uses an encryption scheme called Content Scrambling System (CSS) to protect movies on DVDs. In the 2600 case,35 CSS was held to be a technical measure that “effectively” controls access to movies. Bypassing CSS without the copyright owner’s authorization is an unlawful “act of circumvention” under the DMCA. Note that the courts have not found that the fair use doctrine applies to the DMCA (as opposed to copyright law). Thus, if the use of CSS prevents you from fast-forwarding through the commercials on a DVD movie, it is still unlawful to “circumvent” that restriction.

Note that the notion of “effective” here is not connected to cryptographic efficacy. Even weak encryption is “effective” under the DMCA because the ordinary person could not defeat it.

Circumvention Technologies

The DMCA protects technical measures in a second way: its “anti-device” provisions outlaw the manufacture and distribution of technologies that enable circumvention.36 Continuing the “breaking and entering” metaphor, spokesmen for the copyright industry liken circumvention technologies to “burglars’ tools,” which are illegal in many states.

Section 1201 of the DMCA states that “[n]o person shall manufacture, import, offer to the public, provide, or otherwise traffic in any technology, product, service, device, component, or part thereof” if it has one or more of the following three characteristics: (1) if it is “primarily designed or produced for the purpose of circumventing [technical] protection,” (2) if it has “only limited commercially significant purpose or use other than to circumvent [technical] protection,” or (3) if it is “marketed by that person or another acting on its behalf with that person’s knowledge for use in circumventing technical protection.”

Note that these provisions apply not only to the new right of “access control,” but to the rights of copyright owners generally. Thus, technologies that would circumvent copy-protection measures for CDs can be unlawful under these provisions.

Recall the two examples just given. In the 2600 case, at issue was the DeCSS program, which enables people to decrypt DVD movies protected by CSS. DeCSS was found to be a prohibited circumvention technology. In the censorware example, the DMCA exemption permits the act of decryption, but it says nothing about whether a censorware researcher can make available the computer program used to decrypt the encrypted blacklist, or even the details of the method of decryption.

Navigating the DMCA’s Exemptions

Just as you can’t reverse-engineer object code without decompiling or disassembling it, you can’t reverse-engineer a technical protection measure without circumventing it. Moreover, you often need a technological device or tool to actually perform reverse engineering, so the ban on circumvention technologies also restricts reverse engineering.

In combination, these DMCA provisions create major barriers to cryptographers and security researchers who want to analyze the security measures used in real, mass-marketed products. A commercial reverse engineer who discovers a problem with another firm’s technical measure and offers suggestions about how to improve it is at risk of being indicted on criminal DMCA charges.

Even an academic reverse engineer is at risk of being sued for publishing a paper about the weaknesses in a firm’s security measures, because such a paper could be labeled a “tool of circumvention.”37 One example is Princeton professor Edward Felten, who assembled and entered a team of scientists in the music industry’s “SDMI Challenge,” a contest to crack digital watermarking and other technologies being considered by the Secure Digital Music Initiative for protecting digital music. Felten and his team entered the contest with the intent of using the SDMI Challenge as a real-world security case study, and they eventually authored a peer-reviewed academic paper that was to be presented at a conference. Before the paper was actually presented, the Recording Industry Association of America (RIAA) sent Felten and the conference organizers a letter warning him that publishing the paper would violate intellectual property laws, including the DMCA.

The DMCA also contains several exemptions relevant to reverse engineering: circumvention of a technical protection system when necessary to achieve interoperability among computer programs; circumventions conducted in the course of legitimate encryption research; and circumvention for purposes of computer security testing. Unfortunately, each of these exemptions is both complex and narrow. Even when the act of reverse-engineering is allowed, the DMCA strictly regulates what can be done with the resulting information.

1201(f): reverse-engineering for interoperability

This exemption allows the circumvention of technical protection measures for interoperability reverse engineering. It also allows, to a very limited extent, the dissemination of information gained from reverse-engineering. Note that 1201(f) would not have exempted Felten’s attack on the SDMI watermarks, because it had no relation to interoperability.

The 2600 case, mentioned earlier, concerns the publication of a computer program known as “DeCSS” on the website of 2600 Magazine. DeCSS can be used to bypass CSS, the technical protection measure used to control access to DVD movies. EFF, which represented 2600 Magazine, argued that DeCSS qualifies for the interoperability privilege of 1201(f). DeCSS was designed, we argued, to enable people to build software that would enable them to play legitimately purchased DVD movies on their platform of choice, namely, Linux computer systems.

The courts rejected this argument, saying that 1201(f) only permitted circumvention for purposes of achieving program-to-program interoperability, whereas DeCSS enabled program-to-data interoperability that 1201(f) did not cover. This ruling is dubious, because there are computer programs as well as data on movie DVDs.

While 1201(f) seems to follow Sega in permitting interoperability reverse-engineering, it is more restrictive in several ways: interoperability is the only legitimate purpose for which reverse engineering may be done; only program-to-program interoperability qualifies, even though circumvention may be needed to achieve hardware-to-program interoperability or program-to-data interoperability; and the information resulting from reverse engineering cannot be freely published.

1201(g): encryption research

The DMCA also contains an express exemption for encryption research. Unfortunately, it is also very narrow. For one thing, this exception only applies if the cryptographer has asked (even if he or she has not received) permission from the copyright owner to engage in an act of circumvention before the circumvention is accomplished. Second, the statute emphasizes the need for a cryptographer to be an expert in order to qualify for this exemption, even though some of the most brilliant minds in the field of cryptology lack formal training. Third, the statute permits a cryptanalyst to make tools to bypass access controls, but is silent on whether tools to bypass use or copy controls are permissible (that is, it contains an exception to one but not both of the anti-device rules). Fourth, it regulates the cryptologist’s ability to disseminate the results of decryption.

Consider again Prof. Felten’s SDMI research: it would not be exempted by 1201(g) because digital watermarks are not encryption.

1201(j): security research

The DMCA’s security research exemption has a similar structure: it applies only if the tester asks in advance and likewise allows making tools only to bypass access controls, not copy or use controls. Like 1201(g), it too regulates the tester’s dissemination of the results of the testing.

Even in this narrow form, it is not clear whether Felten’s research would be covered. Sec. 1201(j) only permits making a tool to bypass an access control. Is a digital watermark an access control or a copy control? The answer to this question depends to a large extent on how the watermark is used. EFF argued that, as contemplated by the RIAA, the SDMI watermark technologies were both access and copy control technologies.

End-User License Agreements and Contractual Prohibitions on Reverse-Engineering

Intellectual property isn’t the only obstacle to reverse engineering. It’s common for software licenses to prohibit reverse engineering. A typical license clause might say: “You may not, and you may not permit others to, (a) disassemble, decompile or otherwise derive source code from the Software, (b) reverse engineer the Software, (c) modify or prepare derivative works of the Software, (d) copy the Software, except as expressly permitted in this Agreement, (e) rent or lease the Software, or (f) use the Software in any manner that infringes the intellectual property or other rights of Licensor or another party.”

Companies argue that such provisions legally bind purchasers not to reverse engineer their software. If they do so anyway, they have breached a contract and can be sued for damages. The problem, of course, is that the anti-reverse-engineering provision gives the copyright owner rights beyond those it would have under, say, the Sega decision.

Whether this kind of contractual prohibition is enforceable is a hotly disputed issue. Courts have sometimes rejected reverse engineering defenses in trade secrecy cases because this activity exceeded the scope of licensed uses of the software.38 Courts have sometimes refused to enforce software shrinkwrap license restrictions against reverse engineering because of a conflict between the clause and federal intellectual property policy. In Vault Corp. v. Quaid Software Ltd.,39 the maker of copy-protection software tried to enforce an anti-reverse-engineering clause under Louisiana law against a firm that had reverse-engineered its copy-protection scheme. The court held that federal law preempted the contractual clause as a matter of federal policy, the same argument used in Bonito Boats to override the Florida boat hull law.

In addition, Section 301 of the Copyright Act preempts state-created or state-enforced rights “that are equivalent to any of the exclusive rights within the general scope of copyright . . . .” As might be expected, there’s a debate about what “equivalent” means. Courts have said that contract provisions enforceable under state law are “equivalent” to federal copyright when the conditions for infringement are the same. But if infringement of the state-created right requires an “extra element,” it is not “equivalent.”

Such a contractual clause was recently found enforceable. In Bowers v. Baystate Technologies, Inc.,40 an inventor marketed a patented computer-aided design (CAD) software “toolkit” with an anti-reverse-engineering license clause. Baystate, a competitor, reverse engineered Bowers’ software and then marketed a competing CAD toolkit. After some complicated litigation, the court eventually held, among other things, that Baystate breached its contract with Bowers.

The court held that the license wasn’t preempted because a contract has an “extra element” — the parties must agree.41 It follows that federal copyright law can never preempt a contractual prohibition. The problem with the Bowers decision is that it focuses only on the specific preemption clause of the Copyright Act and completely ignores constitutional “conflict” preemption.42

The Uniform Computer Information Transactions Act (UCITA) is a state legislative attempt to address these issues, but it is also mired in controversy.

Trade secrets and the Economic Espionage Act

The Economic Espionage Act (EEA)43 created the first federal cause of action for trade secrecy misappropriation. But it has no reverse engineering defense. This is troubling because rights granted under the EEA arguably implicate certain reverse engineering activities previously thought to be lawful. In particular, it’s unclear whether decompilation and disassembly of computer programs may violate EEA rules that forbid duplicating trade secrets.

The Responsible Hacker: Ignorance Is No Defense

In general, there are two ways you can violate intellectual property laws. Direct infringement means that you actually infringed. Indirect infringement means that you facilitated actual infringement by someone else. For example, in the Betamax case, the issue was whether Sony, by selling VCRs, could be found liable for its customers’ copyright infringement.

Civil and Criminal Offenses and Penalties

The legal theories we’ve talked about carry a broad range of potential penalties. The main concern is civil liability, either economic damages or an injunction against the activity or both. Damages are usually tied to the amount of harm caused by the infringement.

In patent law, for example, the usual basis for damages is that of a “reasonable royalty.” The court will calculate how much you should have paid the patent owner in royalties if you had contracted for a license. Damages can also be based on the infringer’s profits or the patent owner’s lost profits.

“Willful” infringement is treated more harshly. The patent statute permits a court, in its discretion, to increase damages up to three times the base damages (and also to pay the patent owner’s attorney’s fees) if the infringer knew about the patent and did not consult with competent patent counsel.

The current trend in intellectual property law is toward greater attention to criminal penalties. Under the first federal copyright act in 1790, copyright infringement was a purely civil matter. It was not until 1897 that Congress added criminal penalties to the copyright act, and criminal copyright infringement was classified as a misdemeanor.44 Moreover, criminal copyright infringement was rarely used.

Today, the risk of criminal prosecution appears considerably higher, and the criminal penalties are much greater. Amendments to the copyright act in 1982 and 1992, for instance, classified certain kinds of infringement as felonies. Even then, however, criminal infringement had to be undertaken willfully and for commercial advantage or private financial gain.

The 1997 No Electronic Theft Act (NET Act) criminalized the reproduction or distribution of one or more copies of copyrighted works that have an aggregate retail value of over $1,000 during any 180 day period, regardless of how those copies are created or distributed. It retained the willfulness requirement, but eliminated the requirement that the defendant’s infringement be motivated by profit or commercial gain.

The DMCA also contains criminal provisions, which were invoked in the prosecution of Dmitry Sklyarov and the company he worked for, ElcomSoft. Elcomsoft produced and distributed software that can be used to convert digital books from Adobe’s eBook format into Adobe’s PDF format. In the course of the format conversion, the use restrictions imposed by the eBook format are stripped away. It was undisputed that the Elcomsoft software can be used to facilitate noninfringing uses of eBooks (e.g., fair use excerpting, or to facilitate automated translation into Braille for blind readers). Sklyarov himself was never accused of infringing a copyright, or assisting in the infringing activities of any third party. Nevertheless, for his part in developing the software, the FBI arrested him and held him in custody for 3 weeks.45 He and Elcomsoft were indicted by a grand jury; based on the indictment, Sklyarov faced a maximum of 25 years in prison and a fine that could exceed $2 million.46 ElcomSoft and Sklyarov eventually were found not guilty of violating the DMCA.

Reverse Engineering as “The Freedom to Tinker” and Other Legal Issues

Edward Felten, a computer science professor at Princeton University, views reverse engineering as a part of “the freedom to tinker,” which should include the freedom to “take them apart, to discuss them, to explore how they work, to modify them, to make them better.” Felten argues that “as more and more of our world is experienced through electronic devices, and communications and culture are more and more mediated by these devices, it becomes increasingly important that we be able to tinker with them, to be able to understand this part of our world.”

The freedom to tinker should also include the right to talk about tinkering. But as we’ve seen, many of the new intellectual property rules limit the right of reverse-engineers to share what they learn from tinkering. These limits not only raise serious First Amendment free-speech issues, they go to the heart of the constitutional basis for copyright and patent law: progress in the arts and sciences. One of the major issues raised by the DMCA is its chilling effect on scientists.47


1 Joel Miller, Reverse Engineering: Fair Game or Foul?, IEEE Spectrum, Apr. 1993, at 64, 64.

2 17 U.S.C. § 1201–1204.

3 18 U.S.C. § 1831–39.

4 U.S. Const. Art. I, §8, cl. 8. When the Constitution was written, the word “science” was often used as a synonym for “knowledge.”

5 See Diamond v. Diehr, 450 U.S. 175 (1981); In re Alappat, 33 F.3d 1526 (Fed. Cir. 1994).

6 In Europe, copyright has traditionally been viewed as protecting an inherent inalienable personal right of the creator of a work.

7 “The economic philosophy behind the clause empowering Congress to grant patents and copyrights is the conviction that encouragement of individual effort by personal gain is the best way to advance public welfare through the talents of authors and inventors in ‘Science and useful Arts.’” Mazer v. Stein, 347 U.S. 201, 219 (1954).

8 Feist Publications, Inc. v. Rural Tel. Serv. Co., 499 U.S. 340, 348-49 (1991) (“This result is neither unfair nor unfortunate. It is the means by which copyright advances the progress of science and art.”)

9 See 17 U.S.C. Sec. 109. “The whole point of the first sale doctrine is that once the copyright owner places a copyrighted item in the stream of commerce by selling it, he has exhausted his exclusive statutory right to control its distribution.” Quality King v. L’Anza Research Int’l, 523 U.S. 135, ___ (1998).

10 For instance, phonorecords and stand-alone computer programs are treated differently than books under Sec. 109.

11 Under current copyright law, the MC reproduction copyright is controlled by compulsory license provisions, which means that you automatically get permission by paying a statutory rate.

12 17 U.S.C. § 117 (permitting making of copy or adaptation “as an essential step in the utilization of the computer program in conjunction with a machine.”).

13 Mirage Editions, Inc. v. Albuquerque A.R.T. Co., 856 F.2d 1341, 1344 (9th Cir. 1988), cert. denied, 489 U.S. 1018 (1989).

14 See, e.g., Lee v. Deck The Walls, Inc., 925 F. Supp. 576 (N.D. Ill. 1996), aff’d sub nom. Lee v. A.R.T. Co., 125 F.3d 580 (7th Cir. 1997) (rejecting reasoning of Mirage Editions); Precious Moments, Inc. v. La Infantil, Inc., 971 F. Supp. 66, 68-69 (D.P.R. 1997) (denying claim against one who purchased fabric and then incorporated it into bedding); Paramount Pictures Corp. v. Video Broadcasting Sys., Inc., 724 F. Supp. 808 (D. Kan. 1989) (distribution claim barred by first sale doctrine, distinguishing Mirage Editions).

15 Under the first copyright act, protection lasted for only 14 years.

16 17 U.S.C. § 107.

17 Sony v. Universal City Studios 464 U.S. 417, 429 & 432 (1984).

18 See generally Neil Weinstock Netanel, Locating Copyright Within the First Amendment Skein, 54 Stan. L. Rev. 1 (2001).

19 See generally L. Ray Patterson, Free Speech, Copyright, and Fair Use, 40 Vand. L. Rev. 1 (1987).

20 See generally Pamela Samuelson & Suzanne Scotchmer, The Law and Economics of Reverse Engineering, 111 Yale L. J. 1575 (2002).

21 The Court went on to say that “[w]here an item in general circulation is unprotected by a patent, ‘[r]eproduction of a functional attribute is legitimate competitive activity.’”

22 U.S. Const. art. VI, cl. 2.

23 Atari Games Corp. v. Nintendo, 975 F.2d 832, 842 (Fed. Cir. 1992); see Sony Computer Ent. Corp. v. Connectix Corp., 203 F.3d 596 (9th Cir. 2000).

24 Id., quoting U.S. Const. Art. I, §8, cl. 8.

25 Feist Publications, Inc., v. Rural Telephone Serv. Co., Inc., 499 U.S. 340, 350 (1991).

26 977 F.2d 1510 (9th Cir. 1992).

27 Id. at 1526-1527.

28 Id. at 1518.

29 See Pioneer Hi-Bred Int’l, Inc. v. DeKalb Genetics Corp., 51 U.S.P.Q.2d (BNA) 1797 (S.D. Iowa 1999) (enforcing a “bag tag” prohibiting purchasers of PVPA-protected corn seed from using the seed for breeding or research purposes).

30 See Roche Prod. v. Bolar Pharmaceutical Co., 733 F.2d 858, 858-63 (Fed. Cir. 1984) (defense does not permit “unlicensed experiments conducted with a view to the adaptation of the patented invention to the experimentor’s business,” as opposed to experiments conducted “for amusement, to satisfy idle curiosity, or for strictly philosophical inquiry”); Rebecca S. Eisenberg, Patents and the Progress of Science: Exclusive Rights and Experimental Use, 56 U. Chi. L. Rev. 1017, 1023 (1989).

31 These state laws were struck down by the Supreme Court in Bonito Boats.

32 Semiconductor Chip Protection Act, Pub. L. No. 98-620, 98 Stat. 3347 (1984) (codified at 17 U.S.C. § § 901-914 (1994)). We will not discuss this statute except to note that it contains a specific reverse-engineering privilege that permits the copying of protected chip designs in order to study the layouts of circuits, and also the incorporation of know-how discerned from reverse engineering in a new chip. Interestingly, reverse engineers must engage in enough “forward engineering” to develop an original chip design that itself qualifies for SCPA protection.

33 Agreement on Trade-Related Aspects of Intellectual Property Rights (TRIPS), Apr. 15, 1994, Marrakesh Agreement Establishing the World Trade Organization, Annex 1C, Legal Instruments— Results of the Uruguay Round vol. 31, 33 I.L.M. 81 (1994). The trade secrecy provision of the TRIPS Agreement is Article 39, 33 I.L.M. at 98.

34 See, e.g., http://www.sethf.com.

35 Universal City Studios v. Reimerdes, 111 F.Supp. 294 (S.D.N.Y. 2000), aff’d 273 F.3d 429 (2d Cir. 2001).

36 The DMCA covers two different kinds of technologies based on what they protect: technologies that “effectively control access to [copyrighted] works,” Sec. 1201(a)(2) and technologies that “effectively protect[] a right of a copyright owner . . . in a work or a portion thereof.” Sec. 1201(b)(1).

37 While this seems odd, consider that many academic papers in the security field include computer program code.

38 E.g., Technicon Data Sys. Corp. v. Curtis 1000, Inc., 224 U.S.P.Q. (BNA) 286 (Del. Ch. 1984) (holding that a consultant to a hospital used improper means to obtain trade secret interface information by wiretapping the hospital’s licensed software system to study the manner in which the server software exchanged data with the client software because this use had not been authorized by the hospital; stating further that even if the use had been authorized, the action would have breached restrictive terms in the license); see also DSC Communications Corp. v. Pulse Communications, Inc., 170 F.3d 1354 (Fed. Cir. 1999) (holding that there was a triable issue of fact as to whether Pulsecom’s use of a “snooper board” at a telephone company to get access to interface information about DSC’s software resulted in a misappropriation of a trade secret in view of restrictions in the telephone company’s license to use DSC’s software).

39 847 F.2d 255 (5th Cir. 1988).

40 302 F.3d 1334 (Fed. Cir. 2002).

41 The court relied on an earlier case, ProCD, Inc. v. Zeidenberg, 86 F.3d 1447, 1454 (7th Cir. 1996) (“A copyright is a right against the world. Contracts, by contrast, generally affect only their parties; strangers may do as they please, so contracts do not create ‘exclusive rights.’”).

42 EFF has submitted an amicus brief supporting Baystate’s petition for rehearing en banc in the case. [add cite]

43 Economic Espionage Act of 1996, Pub. L. No. 104-294, 110 Stat. 3488 (codified at 18 U.S.C. § § 1831-1839 (Supp. V 1999)).

44 See generally Lydia Loren, Digitization, Commodification, Criminalization: The Evolution of Criminal Copyright Infringement and the Importance of the Willfulness Requirement, 77 Wash. U. L.Q. 835, 840 (1999).

45 See Professor Larry Lessig, “Jail Time in the Digital Age,” N.Y. Times (July 30, 2001) (available at <http://www.nytimes.com/2001/07/30/opinion/30LESS.html>); Declan McCullagh, “Hacker Arrest Stirs Protest,” Wired News (July 19, 2001) (available at <http://www.wired.com/news/politics/0,1283,45342,00.html>); Jennifer 8 Lee, “U.S. Arrests Russian Cryptographer as Copyright Violator,” N.Y. Times, July 18, 2001.

46 See Brad King & Michelle Delio, “Sklyarov, Boss Plead Not Guilty,” Wired News (Aug. 30, 2001) (available at <http://www.wired.com/news/politics/0,1283,46396,00.html>).

47 See generally Electronic Frontier Foundation, Unintended Consequences: Four Years under the DMCA (2003) [cite to EFF website]
