FAQ: Questions and Answers

[back to notice text] Question: What is reverse engineering? Answer: Reverse engineering is the general process of analyzing a technology specifically to ascertain how it was designed or how it operates. This kind of inquiry engages individuals in a constructive learning process about the operation of systems and products. Reverse engineering as a method is not confined to any particular purpose, but is often an important part of the scientific method and technological development. The process of taking something apart and revealing the way in which it works is often an effective way to learn how to build a technology or make improvements to it. Through reverse engineering, a researcher gathers the technical data necessary for the documentation of the operation of a technology or component of a system. In "black box" reverse engineering, systems are observed without examining internal structure, while in "white box" reverse engineering the inner workings of the system are inspected. When reverse engineering software, researchers are able to examine the strength of systems and identify their weaknesses in terms of performance, security, and interoperability. The reverse engineering process allows researchers to understand both how a program works and also what aspects of the program contribute to its not working. Independent manufacturers can participate in a competitive market that rewards the improvements made on dominant products. For example, security audits, which allow users of software to better protect their systems and networks by revealing security flaws, require reverse engineering. The creation of better designs and the interoperability of existing products often begin with reverse engineering. [back to notice text] Question: What is disassembly or decompilation of a computer software program? Answer: In the development of software, the source code in which programmers originally write is translated into object (binary) code. The translation is done with a computer program called an "assembler" or "compiler," depending on the source code's language, such as Java, C++, or assembly. A great deal of the original programmer's instructions, including commentary, notations, and specifications, are not included in the translation from source to object code (the assembly or compilation). Disassembly or decompilation reverses this process by reading the object code of the program and translating them into source code. By presenting the information in a computer language that a software programmer can understand, the reverse engineer can analyze the structure of the program and identify how it operates. The data generated in the disassembly of a typical computer program is one to many files with thousands of lines of computer code. Because much of the original programmer's commentary, notations, and specifications are not retained in the object code, the reverse engineered code constitutes only a part of the program information included in the original source code. Engineers must interpret the resulting source code using knowledge and expertise to recreate the data structures of the original program and understand the overall design rationale of the system. Not all reverse engineering efforts require "decompilation" of software. Some "black box" reverse engineering is done by characterizing software through observation of its interaction with system components, other software, and other (external) systems through networks. [back to notice text] Question: Answer: [not yet answered] [back to notice text] Question: What is disassembly or decompilation of a computer software program? Answer: In the development of software, the source code in which programmers originally write is translated into object (binary) code. The translation is done with a computer program called an "assembler" or "compiler," depending on the source code's language, such as Java, C++, or assembly. A great deal of the original programmer's instructions, including commentary, notations, and specifications, are not included in the translation from source to object code (the assembly or compilation). Disassembly or decompilation reverses this process by reading the object code of the program and translating them into source code. By presenting the information in a computer language that a software programmer can understand, the reverse engineer can analyze the structure of the program and identify how it operates. The data generated in the disassembly of a typical computer program is one to many files with thousands of lines of computer code. Because much of the original programmer's commentary, notations, and specifications are not retained in the object code, the reverse engineered code constitutes only a part of the program information included in the original source code. Engineers must interpret the resulting source code using knowledge and expertise to recreate the data structures of the original program and understand the overall design rationale of the system. Not all reverse engineering efforts require "decompilation" of software. Some "black box" reverse engineering is done by characterizing software through observation of its interaction with system components, other software, and other (external) systems through networks. [back to notice text] Question: Does trade secret protection of information contained within a product restrict reverse engineering? Answer: Increasingly, manufacturers protect the know-how behind their software and electronics through the use of trade secret protection. This form of protection is attractive since the kinds of information that trade secrets is very broad and can include "any formula, pattern, device or compilation of information which is used in one's business, and which gives him an opportunity to obtain an advantage over competitors who do not know or use it." [Restatement of Torts, ?757] Among other factors, the status of a trade secret depends on the efforts undertaken by the owner to maintain the secrecy of the information. Since there is no time limitation on its enforceability, trade secrets can potentially provide eternal protection for software. Trade secrets terminate and become public domain information if they are publicly disclosed for any reason, however, including the widespread publication of the information on the Internet. Reverse engineering and independent discovery of the technical information within a product s are considered legally viable means of ending another's trade secret, provided that the product is obtained lawfully. Trade secret misappropriation is found when the trade secret is used or disclosed through "improper means," which includes illegal conduct or conduct that violates a generally accepted standard of commercial morality. The explicit prohibition on reverse engineering is therefore not the only licensing provision one must consider in determining whether reverse engineering will be considered legitimate. For example, a common cause of action in a trade secret case involving an anti reverse engineering contract provision is the duty of confidentiality. Depending on the facts of the case, the court must determine whether the confidentiality required in regards to the information was established by marking those specific parts as proprietary or as restricted technical information and informing employees working with such information of their duty to preserve its confidentiality. The disclosure of such information to a third party may be considered trade secret misappropriation and may create liability for both the party which disclosed the information and the party who received it. [back to notice text] Question: Am I protected by Digital Millennium Copyright Act?s ?Safe Harbor?? Answer: You may be, if you follow the DMCA?s strict requirements, though different courts have disagreed on how to apply the protections. The DMCA, in the Safe Harbor provisions of 17 U.S.C. 512, limits the liability of "online service providers" (OSPs) for copyright infringement by their users. Though some debate remains over who qualifies as an OSP, the rule's history suggests that website and bulletin board operators qualify for its protections. The Safe Harbors apply to: 1. Storage of material on a system at a user's request. (e.g. pirated software, serial numbers or cracker utilities posted on message boards or in chat rooms) 2. Referral to other online resources. (e.g. linking to other sites that make infringing material available) 3. Caching of online materials from other sites. (e.g. temporary storage of other web pages on one's own server) 4. Acting as a conduit between users. (e.g. automatic delivery of e-mail between users) In order to be protected for storage and linking (1 and 2, above), you must: i. Lack actual knowledge and immediately remove or block access to the material when becoming aware of the infringement ii. Not benefit financially from the activity iii. Comply with the notice and takedown provisions and set up an agent to deal with complaints in accordance with the Act In order to be protected for acting as a conduit (4, above): i. A person other than the OSP must initiate the transmission ii. The process must happen automatically, without any selection or modification of material or recipients by the OSP iii. No copies of the material should be kept longer than necessary by the OSP [back to notice text] Question: Does a cease and desist letter recipient have a duty to remove materials alleged to infringe copyright? Answer: The cease and desist letter gives its recipient ("you") notice that someone is claiming something you've done or something on your site infringes a copyright. If the materials that are the subject of the notice are in fact infringing, then you do have a duty to remove them, although there may be statutory provisions (DMCA Safe Harbor) that protect you from a lawsuit if the materials were posted by someone else. You may have to give the poster notice of the complaint. If you do not believe that the materials are infringing, or if you believe that you are making fair use of the materials, you may choose to take the risk of not removing the materials, but a lawsuit might follow in which the complainer tries to prove they they are right and you are wrong. If the accuser obtains a court order, then you must take down the materials. [back to notice text] Question: What do courts consider in determining if a trade secret exists? Answer: Courts usually consider the following three factors in determining whether you have a trade secret: (1) Is the information deemed to be a "trade secret" valuable to the business? Only secret information can be protected by trade secret law. Secrecy is typically determined by evaluating whether or not the information is "generally known" or "readily ascertainable." If the information is secret, you must consider whether the secret information is valuable to your business. How would you rank its value? Courts tend to find that the information is a trade secret if the information is so valuable as to significantly impact the operations of a business. (2) What steps have been taken to keep the information secret? Trade secret laws require that you have taken some action to keep your information a secret. The security procedure taken to protect the information is often the most important evidence that the information constitutes a trade secret. For example, courts have often found that restricting access (on a "need to know" basis) to any sensitive information is a factor that helps to meet this requirement. Courts have also found that physical security, such as keeping written trade secret information in a locked drawer and granting very limited access to it, can meet this requirement. Generally, holders of trade secrets develop a formal system for safeguarding their trade secret information. Such a system can include, for example, reviewing information to be sure that the secret information is not included in documents sent to customers and competitors. In addition, proprietary notices can be placed on all documents containing information related to trade secrets and strict confidentiality provisions can be written into all consulting, manufacturing, employment, and/or non-disclosure agreements. (3) To what extent do employees and others involved in the business know about the information? What about people outside the business? The extent that those in your business and those outside the business have access to the information can affect a court's decision as to whether you have a legal trade secret. Generally, courts have found the information to be public knowledge and not a trade secret if people who do not have a need to know the information have access to it. This is especially true if many people outside the company are familiar with the information. [back to notice text] Question: Are licensing provisions prohibiting reverse engineering enforceable? Answer: While the validity of licensing prohibitions of reverse engineering has not yet been decided by courts, the conflict between state laws that would enforce these provisions and federal intellectual property law has been addressed. When considering cases where breach of contract or trade secret misappropriation is claimed (both state law claims), courts must first determine whether or not intellectual property law preempts those contracts enforced by the individual state. Preemption occurs when courts determine that federal intellectual property law must be considered in order to address the issues involved in the particular provisions. Section 301 of the Copyright Act provides that a state law claim is preempted if: (1) the work to be protected comes within the subject matter of copyright; and (2) the state-created right forming the basis of the state law claim is equivalent to any of the exclusive rights within the general scope of copyright." In order for the claim to be preempted it must first pass this equivalency test, which determines whether the state-created rights in upholding the contract are merely alternative articulations of the exclusive rights of copyright law. If the court determines that the contract provisions contain an "extra element" that require analysis of the contract to be preempted by copyright law, the courts generally proceed to an analysis of the possible infringement or exemption under fair use of the activities of the reverse engineer. [back to notice text] Question: What are shrink-wrap, click-wrap, and browse-wrap licenses? Answer: In the context of computer software and the Internet, written agreements that indicate the formation of a contract between the user and the manufacturer have been replaced by shrink-wrap, click-wrap, and browse-wrap agreements. Shrink-wrap licenses refer to the cellophane wrapping that seals boxes of mass marketed software are commonly called "shrink-wraps." Software manufacturers generally attach license agreements inside the packaging of their products, which bind the consumer to the terms of the agreement upon removal of the shrink-wrap. Some courts have held that shrink-wrap licenses are unenforceable as contracts of adhesion, while other courts have considered them valid. An adhesion contract is a bargain drafted unilaterally by a dominant party, and presented as a final offer to a party with very little bargaining power. The terms are generally presented as a preprinted form to the weaker party, who lacks any realistic ability to negotiate the terms. If an individual chooses to return the product, however, they are no longer bound by the terms of the contract. Click-wrap licenses are another form of creating an electronic agreement, except that the license is included on the computer screen before installation rather than on the box. By clicking on a button that says "I agree" or "I accept," the licensee agrees to the terms of use of the contract. An important difference between click-wrap agreements and shrink-wrap agreements is the fact that the user actually has an opportunity to read the contract before using or installing the program. Browse-wrap agreements are contracts in which the terms of use are listed on a web site page. In such contracts, manufacturers presume to bind the user to the license terms merely by their visit to the web site or downloading software from that site. Courts are generally reluctant to hold such contracts enforceable because of the lack of assent, or explicit agreement, on the part of the user. [back to notice text] Question: What "copying" of computer programs is permitted under copyright law? Answer: Copyright law protects any work, including computer software, that is "fixed in a tangible medium of expression" and which contains a "modicum of originality." While making a copy of an orginal work generally constitutes copyright infringement, the very nature of computer software requires the making of a copy of original elements every time a program runs. In order to solve this problem, Congress included specific exemptions within copyright law outlining the permitted uses of a computer program. Section 117 of the Copyright Act provides that: [I]t is not an infringement for the owner of a copy of a computer program to make or authorize the making of another copy or adaptation of that computer program provided: that such a new copy or adaptation is created as an essential step in the utilization of the computer program in conjunction with a machine and that it used in no other manner, or that such new copy or adaptation is for archival purposes only and that all archival copies are destroyed in the event that continued possession of the computer program should cease to be rightful. [back to notice text] Question: Is the making of an intermediate copy in the reverse engineering process copyright infringement? Answer: There have been many attempts by companies over the past two decades to bring claims against software developers for their reverse engineering efforts. Since reverse engineers must make intermediate copies of the original work through the disassembly or decompilation process, the copyright owners of the initial software program have claimed that such a procedure is not covered by Section 117. They have argued that reverse engineering should be considered copyright infringement since some of the retrieved technical data used in the development process includes copyrightable expression. In Sega v. Accolade, the case most often referred to discussing reverse engineering of computer software, the appellate court determined that reverse engineering is a fair use when "no alternative means of gaining an understanding of those ideas and functional concepts exists." The court considered Accolade's intermediate copying of parts of Sega's video game console during the reverse engineering process in order to make compatible games of minimal significance to the rights in Sega's copyrighted computer code. The court held that forbidding reverse engineering in this context would defeat "the fundamental purpose of the Copyright Act--to encourage the production of original works by protecting the expressive elements of those works while leaving the ideas, facts, and functional concepts in the public domain for others to build on." [back to notice text] Question: What are the different uses of reverse engineering? Answer: A common misperception regarding reverse engineering is that it is used for the sake of stealing or copying someone else's work. Reverse engineering is not only used to figure out how something works, but also the ways in which it does not work. Some examples of the different uses of reverse engineering include: Understanding how a product works more comprehensively than by merely observing it Investigating and correcting errors and limitations in existing programs Studying the design principles of a product as part of an education in engineering Making products and systems compatible so they can work together or share data Evaluating one's own product to understand its limitations Determining whether someone else has literally copied elements of one's own technology Creating documentation for the operation of a product whose manufacturer is unresponsive to customer service requests Transforming obsolete products into useful ones by adapting them to new systems and platforms [back to notice text] Question: What is reverse engineering? Answer: Reverse engineering is the general process of analyzing a technology specifically to ascertain how it was designed or how it operates. This kind of inquiry engages individuals in a constructive learning process about the operation of systems and products. Reverse engineering as a method is not confined to any particular purpose, but is often an important part of the scientific method and technological development. The process of taking something apart and revealing the way in which it works is often an effective way to learn how to build a technology or make improvements to it. Through reverse engineering, a researcher gathers the technical data necessary for the documentation of the operation of a technology or component of a system. In "black box" reverse engineering, systems are observed without examining internal structure, while in "white box" reverse engineering the inner workings of the system are inspected. When reverse engineering software, researchers are able to examine the strength of systems and identify their weaknesses in terms of performance, security, and interoperability. The reverse engineering process allows researchers to understand both how a program works and also what aspects of the program contribute to its not working. Independent manufacturers can participate in a competitive market that rewards the improvements made on dominant products. For example, security audits, which allow users of software to better protect their systems and networks by revealing security flaws, require reverse engineering. The creation of better designs and the interoperability of existing products often begin with reverse engineering. [back to notice text] Question: Is reverse engineering legal? Answer: Reverse engineering has long been held a legitimate form of discovery in both legislation and court opinions. The Supreme Court has confronted the issue of reverse engineering in mechanical technologies several times, upholding it under the principles that it is an important method of the dissemination of ideas and that it encourages innovation in the marketplace. The Supreme Court addressed the first principle in Kewanee Oil v. Bicron, a case involving trade secret protection over synthetic crystals manufacturing by defining reverse engineering as "a fair and honest means of starting with the known product and working backwards to divine the process which aided in its development or manufacture." [416 U.S. 470, 476 (1974)] The principle that reverse engineering encourages innovation was articulated in Bonito Boats. v. Thunder Craft, a case involving laws forbidding the reverse engineering of the molding process of boat hulls, when the Supreme Court said that "the competitive reality of reverse engineering may act as a spur to the inventor, creating an incentive to develop inventions that meet the rigorous requirements of patentability." [489 U.S. 141 160 (1989)] Congress has also passed legislation in a number of different technological areas specifically permitting reverse engineering. The Semiconductor Chip Protection Act (SCPA) explicitly includes a reverse engineering privilege allowing semiconductor chip designers to study the layout of circuits and incorporate that knowledge into the design of new chips. The Competition of Contracting Act of 1984 allows the defense industry to inspect and analyze the spare parts it purchases in order to facilitate competition in government contracts. The law regarding reverse engineering in the computer software and hardware context is less clear, but has been described by many courts as an important part of software development. The reverse engineering of software faces considerable legal challenges due to the enforcement of anti reverse engineering licensing provisions and the prohibition on the circumvention of technologies embedded within protection measures. By enforcing these legal mechanisms, courts are not required to examine the reverse engineering restrictions under federal intellectual property law. In circumstances involving anti reverse engineering licensing provisions, courts must first determine whether the enforcement of these provisions within contracts are preempted by federal intellectual property law considerations. Under DMCA claims involving the circumvention of technological protection systems, courts analyze whether or not the reverse engineering in question qualifies under any of the exemptions contained within the law.

Topic maintained by Samuelson Law, Technology and Public Policy Clinic