A fundamental technique used by security researchers is to take a “known product and working backward to divine the process which aided in its development or
manufacture.”*The Ninth Circuit Court of Appeal has defined reverse engineering in
the context of software engineering as:
(1) reading about the program;
(2) observing the program in operation by using it on a computer;
(3) performing a static examination of the individual computer instructions contained within the program; and
(4) performing a dynamic examination of the individual computer instructions as the program is being run on a computer.
So, many methods of reverse engineering pose no legal risk of copyright infringe- ment. However, emulating, decompilation, and disassembly will require at least par- tial reproduction of the original code. And copyright law protects software. Copyright law grants to the copyright owner certain exclusive rights in the work, even when copies of the item are given away or sold. These rights include:the right to reproduce the work; the right to prepare derivative works; the right to distribute copies of the work; the right to perform the work publicly; and the right to display the work publicly.†Thus, some reverse engineering will create infringing copies of a
software program.
Two defenses to copyright infringement nonetheless allow the practice of reverse engineering. First, an owner of a copy of a computer program is allowed to repro- duce or adapt the program if reproduction or adaptation is necessary for the pro- gram to be used in conjunction with a machine.‡This exception is relatively limited
because it applies only to an owner seeking to adapt his own copy of the program. However, it protects some reverse engineering from infringement claims.
The second defense to copyright infringement is if a legitimate owner of a software program is allowed to makefair use of the program. Fair use is defined by a four- factor test, rather than a list of acceptable practices:
•The purpose and character of the use, including whether such use is of commercial nature or is for nonprofit educational purposes;
•The nature of the copyrighted work;
•Amount and substantiality of the portion used in relation to the copyrighted work as a whole; and,
•The effect of the use upon the potential market for or value of the copyrighted work.
Reverse engineering is generally recognized as a fair use. While the expressive part of software programs is copyright-protected, function and ideas contained in programs are not. If reverse engineering is required to gain access to those unprotected ele- ments, any intermediate copies made as part of reverse engineering are fair use. Here are some examples:
*Kewanee Oil Co. v. Bicron Corp. (1974) 416 U.S. 470, 476. † 17 U.S.C. 106.
Sega Enterprises v. Accolade*
Reverse engineering is a fair use when “no alternative means of gaining an under- standing of those ideas and functional concepts exists.”
Sony Computer Entertainment v. Connectix†
A Sony competitor could legally copy and reverse engineer the Sony BIOS for Playstation, as part of an effort to develop and sell an emulator that would run Playstation games on a computer.
Regardless, reverse engineering will not protect you from a copyright infringement claim if you are not legitimately in possession of the software, or if you use copy- righted code in your final product. Here are some examples:
Atari Games Corp. v. Nintendo of America, Inc., 975 F.2d 832 (Fed. Cir. 1992)
The researching company lied to the Copyright Office to get a copy of the source code. The court found this copy was infringing.
Compaq Computer Corp. v. Procom Technology, Inc., 908 F. Supp. 1409 (S.D. Tex. 1995)
Copyrighted code was reproduced verbatim on competitor’s own hard drives to facilitate interoperability. The company could have made copies to understand the software and create its own interoperable program, but the verbatim copies were infringing.
Cable/Home Communication Corp. v. Network Productions, Inc., 902 F.2d 829 (11th Cir. 1990)
A creator of chips designed to enable display of satellite television services with- out subscription did not qualify as a fair use in part because they contained 86 percent of the copyright code. Probably another consideration was that the court did not approve of the product.
What to do to protect yourself with fair use
Whether reverse engineering is a fair use depends on the facts of the case. Therefore, to ensure that your reverse engineering is protected by fair use, make sure that the program you are working on is legitimately obtained, make intermediary copies as needed in order to understand the program, but do not infringe the program in your final product.
• Copies made during reverse engineering should be necessary for figuring out how a program works, and for accessing ideas, facts, and functional concepts contained in the software.
• Copies should be intermediate. Do not use copyrighted code in the final product. • Do not steal the copy of the software that you are reverse engineering.