Wednesday, April 11, 2012

[TECH] circumventing EULA reverse engineering clauses

Background: Many EULAs (End-User License Agreements) of commercial software products attempt to prohibit reverse engineering of the software.

Question: Apart from complaining, what can be done about this?

First of all, a clause prohibiting "reverse engineering" is inherently vague, because reverse engineering means different things to different people. I believe that the term "reverse engineering", in its most usual sense, refers to the process of figuring out how a device or a piece software works by examining a specimen. Note that this is distinct from the process of "cloning" a design. One might produce an exact copy of a design without understanding how it works (cloning without reverse engineering), or one might attempt to understand how it works without producing an exact or even an approximate copy of a design (reverse engineering without cloning).

Normally, reverse-engineering is legal under U.S. law and under the law of most civilized countries. In its broad sense of attempting to understand a mechanism made by someone else, reverse engineering is not even unethical. A gray area is reached only when reverse engineering efforts are specifically directed at producing an exact or approximate replica (which may be protected under copyright laws). Of course, ideas that have been learned through reverse engineering may be subject to the protection of in-force patents, so there is no guarantee that ideas learned through reverse engineering may be used without encumbrance. Nevertheless, the act of reverse engineering itself is usually legitimate.

Of course, big software doesn't like this state of affairs. While big software does file patents, it's an expensive procedure since they have to pay a patent attorney to prepare the application. Frequently, the patent examiner is able to find prior art that invalidates the application. The risks are high since the chances of originality are low. Instead, lawyers sold them the idea that an anti-reverse-engineering clause in their software license would give them a "virtual patent" -- nobody would be allowed to grab hold of their ideas, and they would not have to prepare a patent application or subject their work to legal tests of originality.

But how does big software get the world at large to accept the terms of the software license? Usually, two parties can't enter into a contract without an exchange of value from both sides. This is known as "consideration". If you walk into a software shop and buy a boxed software product for cash, a basis for a contract is formed because you have provided the vendor with money and the vendor has provided you with an installation CD. This is a contract for the sale of the software. Under my personal interpretation of contract law, the subsequent "clickwrap" agreement (EULA) that appears when you attempt to install the software is not a legally binding contract because there is no further "consideration" -- you do not give additional money for the privilege of -using- the copy of the software you now own the installation CD for and the software vendor is not giving you anything you are not already entitled to.

While judges have considered interpretations of contract law similar to mine, they have ultimately decided on a different interpretation -- the clickwrap agreement "amends" or "supplements" or "clarifies" the original contract for the sale of the software (which met the legal condition of consideration, because you paid and they delivered). I consider this to be an example of judicial error. In the long run, I believe this mistake will be corrected, and clickwrap agreements formed after the sale of the software will be found to lack consideration. Until then, I can see a very simple workaround -- have a third party purchase and install the software onto a laptop computer (including pressing "I Accept"), and then purchase the laptop computer from the third party. In this arrangement, no contract between yourself and the vendor can possibly exist, since there is no consideration from either party to the other. You may then tinker and reverse engineer to your heart's content.

In a business setting, the third party must be kept at arm's length, in a contract that does not allow him/her to obligate the business to the EULA or any other legal agreement. For such a task, an employee would be a poor choice and a business partner would be a disastrous choice.

Courts frequently prioritize objective factors (the "I Agree" button was pressed) over subjective factors (the user didn't genuinely wish to enter the agreement in the EULA since it served purely to limit their options without any benefit to them). Therefore, however silly it may seem, you are in much better shape if you do not push the "I Agree" button yourself.

This workaround may seem to contradict the premise of the software license, which usually states that "by using this software you agree ...". Legally, however, it's a non-sequitur that you must agree to the vendor's terms simply because you use the software, even if the vendor has stated such a requirement. By continuing to read this page beyond this sentence, you agree to pay the author $10,000 USD. Will that be cheque or cash?

Obviously, in a free country, you have the right to do anything not explicitly disallowed by law. The law does not disallow you from using a vendor's software -without- accepting the vendor's terms, in the same way that the law does not disallow you from reading a sentence without obeying an imperative. It's just a matter of making a clear case for the stance that you did not ever accept the EULA. The vendor will try to push for the interpretation that you initially accepted the EULA but then decided to act against its provisions, but this is not an insurmountable obstacle. It should be noted that the state of Louisiana has a Louisiana Software License Enforcement Act that specifically forces users, through mere use of software, to bind to a subset of specifically enumerated clauses of a vendor's software license terms. For a time, this included anti-reverse-engineering clauses (until part of the act was invalidated because federal law stipulates that states may not create additional copyright protections).

In this vein, it should be noted that the concept of a software license is rather bogus itself. In most states, you don't need a license from an author to merely -use- a piece of software he/she wrote. You only need a license to -copy- the software, and only because the software is protected by copyright law, not because the author says so. In most states, the only case in which you need a license merely to -use- a piece of software is when the underlying technology is protected by a patent. In this case, you need a license from the owner of the patent, not the author of the software embodying it (though the vendor may hold both the copyright and the patent). In any case, such a license is not a "software" license, but a patent license.

Even so, you are not forced to enter an agreement with the vendor simply because use of the software would otherwise infringe a patent owned by the vendor. You have the sensible option of using the software without a patent license and waiting for the vendor to sue you for patent infringement. If you do not redistribute the software, or a clone of it, this will virtually never happen. Besides, the damages would not amount to much, as you are not commercially exploiting the invention, you are only employing it to the extent of studying a single instance of it. It would be difficult to justify a "reasonable royalty" greater than the price of the software and there would be no provable loss of revenue to the vendor. In fact, if your copy of the software was originally bought from the vendor, should find a strong defense from patent infringement claims from the vendor under the Exhaustion Doctrine, though not necessarily from patent claims brought by parties other than the vendor.

A noteworthy snag to the above reasoning that "mere use of software does not require a license" is that intermediate copies may be generated when a computer program is run. Lawyers have split hairs over the extent to which the generation of these intermediate copies may be a form of copyright infringement. Fortunately, courts have found intermediate copies produced during a reverse-engineering effort to be "fair use" when there are no other ways to obtain otherwise unprotected technical information. However, the DMCA introduces a ban on reverse engineering for the purpose of defeating a software protection mechanism. Again, a basic premise of legitimate reverse engineering is that the engineer is merely trying learn the techniques and technologies utilized by the software. Defeating a protection mechanism is a highly dubious motivation; it is not surprising that courts have held against it.

Summary: Reverse engineering is still legitimate even if the software ships with an EULA. It is a matter of jumping through hoops to avoid obligating yourself under the EULA. The pioneers of reverse engineering EULA-protected software have generally been burned -- partly through their own ignorance and partly through (in my view) unreasonable judicial interpretation. While legal scholars are content to document the cases that arise, few suggest workarounds. EULAs are an advance in the field of legal engineering, but they are still gimmicks and cannot possibly be equivalent to the "real" intellectual property protection that copyrights and patents afford. Accordingly, it is plausible that a simple workaround, such as purchasing pre-installed software from a third party, can defeat an EULA.

Warnings: I am not a lawyer. If you are contemplating reverse engineering, you should definitely consult a real lawyer and give him/her the full details of your reverse engineering project. In complete contradiction of common sense, anti-reverse-engineering clauses present in EULAs have been held legally binding by courts, notwithstanding the fact that such clauses harm the public interest. Definitely consult with a lawyer as early as possible in the process. Nothing in this document should be construed as being legal advice; it is written exclusively for the purposes of entertainment.

Tuesday, January 17, 2012

[LIFE] Thoughts on Wikipedia Global Blackout

Imagine life without Wikipedia. Imagine you're wondering how a combination lock works and because there's no Wikipedia, you can't find out. Knowledge is completely blocked. You have no way to get this information. Absolutely none. Imagine a college student writing a term paper that requires citing sources, but he/she can't find any. Knowledge is completely blocked. He/she has no way to find sources to cite. Absolutely none. Imagine you're idly wondering how many different types of cows there are and what they are all called. And you wouldn't be able to find out. Knowledge would be completely blocked. You'd have to find something else to do.

I'm not against Wikipedia or anything; I think it's a great project. I'm just a little concerned that while it can be a helpful tool to find information quickly, it can also become a crutch if people become accustomed that -all- the information they obtain about anything is going to come from Wikipedia. It's also remarkably easy to waste hours wading through information you don't really need in order to avoid upcoming tasks -- there's little doubt that Wikipedia fosters procrastination. So I think the blackout is a good idea, and we should use this opportunity to remind ourselves that knowledge in pill form is not automatically power.