Coders’ Rights Project Reverse Engineering FAQ

People have always explored and modified the technologies in their lives, whether crystal radios, automobiles, or computer software. Reverse engineering is one expression of this tinkering impulse. Unfortunately, legal regulation of reverse engineering can impact the Freedom to Tinker in a variety of ways. This FAQ gives some information that may help coders reduce their legal risk.

What is this FAQ and who is it for?

This FAQ is intended for non-lawyers who want some general information about how U.S. laws might affect reverse engineering by computer programmers. This information is provided as a general guide to the issues, and is not legal or technical advice.

The legal questions raised by reverse engineering are complex and legal risks may depend on particular facts and legal doctrines that are beyond the scope of this general guide. This FAQ is meant to familiarize you with some of the principles involved, so that you can have a more effective discussion if and when you engage an attorney to help you with your specific situation.

Feel free to contact EFF if you need help finding a lawyer qualified to advise on reverse engineering.

First the Scary Stuff: What Kinds of Reverse Engineering Are Most Legally Risky?

By using the term "legally risky" here, we aren't saying that the activity is certainly legal or illegal. We're saying that these are areas where the law may apply so any researcher considering these steps should take the time to think it through and probably get some legal help.

Don't feel hopeless, however. Visit our section on How to Limit Legal Risk.

What Legal Doctrines Are Most Likely To Affect Reverse Engineering?

Five areas of United States law are particularly relevant for computer scientists engaging in reverse engineering:

This FAQ does not address international or foreign law.

How Could Copyright Law Limit My Ability To Legally Reverse Engineer?

Reverse engineers execute code and/or make copies of software as part of analyzing the way the program works. Copyright law generally grants a certain set of exclusive rights to copyright owners, including the right to make copies of copyrighted works. Software is one category of works that are protected by copyright. As a result, if you make copies of software, you generally need either permission from the copyright owner, or your copying must fall within an exception granted by the copyright laws. Permission can be inferred from the outright sale of a copy of software or from a license agreement. The copyright exception most relevant to reverse engineering is the fair use doctrine.

Executing code also raises the possibility of copyright issues. Some courts have stated that causing code to be copied from disk into RAM may be a copy for purposes of copyright law, and if that RAM copy is unlicensed, then it is infringing. In other words, executing unlicensed code could be infringing. Further, some copyright owners argue that cached copies held in more permanent storage may be infringing.

What U.S. Copyright Law Doctrines Allow Reverse Engineering?

Permission: a copyright owner can always give you permission to make copies (perhaps in a license agreement), and depending on the nature of the permission, it may authorize reverse engineering. For example, if a license agreement authorizes you to “use” the software, and it does not expressly prohibit reverse engineering, that may be all the permission you need.

Fair Use: The fair use doctrine allows users to make unauthorized copies in certain circumstances. Courts have found that reverse engineering for interoperability, for example, can be a fair use.

Are There Court Decisions That Illustrate Reverse Engineering As Either An Infringing Or A Non-Infringing Fair Use?

How Could Trade Secret Law Limit Reverse Engineering?

Like copyright infringement, misappropriation of trade secrets can be both a civil and criminal offense. Generally, a trade secret is information that (1) derives independent economic value, actual or potential, from not being generally known to the public or to other persons who can obtain economic value from its disclosure or use; and (2) is the subject of efforts that are reasonable under the circumstances to maintain its secrecy. Misappropriation means a wrongful taking or publication of a trade secret.

Reverse engineering generally doesn’t violate trade secret law because it is a fair and independent means of learning information, not a misappropriation. Once the information is discovered in a fair and honest way, it also can be reported without violating trade secret law.

However, reverse engineering that violates an NDA or other contractual obligation not to reverse engineer or disclose may be misappropriation. Breaking a promise made in a negotiated NDA is more likely to result in a trade secret claim than violating a term in a mass market EULA. If you are subject to any contractual restrictions, whether a EULA or NDA, or if the code you are researching is generally distributed pursuant to such agreements, you should talk to a lawyer before beginning your research activities.

How Could The Anti-Circumvention Provisions of the DMCA Limit Reverse Engineering?

17 U.S.C. § 1201, the anti-circumvention provisions of the DMCA, prohibits circumvention of “technological protection measures” that “effectively control access” to copyrighted works. The law also prohibits trafficking in tools that are primarily designed, valuable or marketed for such circumvention.

In other words, section 1201 creates a potential legal obstacle for a researcher or coder if a software vendor employs mechanisms that control the way copyrighted software or other materials can be accessed or used. Many people think of section 1201 as prohibiting cracking digital rights management schemes (DRM). However, the language of section 1201 prohibits more than breaking traditional “copy-protection” mechanisms applied to DVDs and digital video downloads. It also prohibits breaking “access controls”. Software vendors have argued, or are likely to argue, that techniques such as authentication handshakes, code signing, code obfuscation, and protocol encryption all qualify as “technical protection measures” protected by the DMCA. While research on these techniques may nevertheless be legal for a variety of reasons, researchers working on encryption, security and the creation of interoperable programs have to worry about whether section 1201 applies to their research.

For more information on how the DMCA anti-circumvention provisions have been used against researchers and others, see EFF’s Unintended Consequences White Paper.

What Exceptions Does DMCA Section 1201 Have To Allow Reverse Engineering?

Section 1201 contains an exception for reverse engineering, as well as security research, encryption research, and the distribution of security tools, all of which may support reverse engineering. However, these exceptions are drafted very narrowly. If your research might implicate section 1201, consult a lawyer to see if you can do your work in a way that is allowed by one of the relevant exceptions or by an exemption periodically granted by the Copyright Office. The following factors are relevant to whether you are entitled to a reverse engineering, research or security exception. However, meeting any or all of these factors will not necessarily protect your work. The list is offered just to give you an idea of the kinds of things that distinguish permissible from impermissible reverse engineering:

If I Conduct Research Within The Section 1201 Exceptions, Can I Then Distribute Code Derived From That Research?

Even when your acts of circumventing a technological protection measure are allowed under a section 1201 exception, you may still be prohibited from trafficking in reverse engineering, encryption or security tools that circumvent. Do not distribute code or other tools that come from research regulated under Section 1201 without talking to a lawyer first. For more information, read our FAQ on Vulnerability Reporting.

How Could Contract Law Limit Reverse Engineering?

Most software today comes with EULAs, and EULAs may have “no reverse engineering” clauses. Websites or other internet services also may have TOS or TOU that purport to restrict otherwise legal research activities. Researchers and programmers sometimes receive access to code pursuant to an NDA, developer agreement or API agreement that restricts the right to report security flaws. The legal status of contractual prohibitions on security research or vulnerability reporting is still in flux. While it is more likely that a court will enforce a negotiated NDA than a mass market EULA, the law is not clear. Be sure to consult with counsel if the code you want to study is subject to any kind of contractual restriction.

How Could The Electronic Communications Privacy Act Regulate Reverse Engineering?

The ECPA, 18 U.S.C. § 2510 and following, prohibits interception of electronic communications flowing over a network. Because packets are communications, network packet inspection may violate the ECPA. There are many exceptions to this general prohibition. For example, the service provider may intercept and use communications as part of “any activity which is a necessary incident to the rendition of his service or to the protection of the rights or property of the provider of that service, except that a provider of wire communication service to the public shall not utilize service observing or random monitoring except for mechanical or service quality control checks.” In addition, if the parties to the communication consent, then there is also no legal problem. The ECPA is a complicated statute, so if your research involves inspecting network packets -- even if you’re only interested in addressing information, such as source and destination addresses -- you should talk to a lawyer first about ensuring that your work meets one of the exceptions.

In Sum, If My Research Involves Reverse Engineering, What Can I Do To Limit My Legal Risk?