From: cherot at convoq.com (Christopher F. Herot)
Subject: IDS (ISS) and reverse engineering




This is from the Fairuse list.  In short, in the US, reverse engineering for interoperability has generally been held to be within the fair use rights of copyright law, but reverse engineering for cloning has been held to be prohibited under shrink-wrap licenses, at least in the federal court in Massachusetts.  In between those two opinions is plenty of room for litigation, one of the growth industries of the 21st century.

From: owner-fairuse@...rklyn.com [mailto:owner-fairuse@...rklyn.com] On Behalf Of Ruben I Safir
Sent: Sunday, August 17, 2003 5:24 PM
To: fairuse@...xs.com; hangout@...xs.com
Subject: [fairuse] EULA Law


(Copyright Noel Humphrey 2003)

End user license agreements or EULA's, are alive and well. Two recent
cases have focused attention on the vigor and efficacy of non-negotiable
statements of terms that govern access to copyrighted or patented works.
The courts treated these statements as enforceable contracts.

In a reverse engineering case, the US Circuit Court of Appeals for the
Federal Circuit published its decision in Bowers v. Baystate
Technologies January 29, 2003, and the Supreme Court announced in June
that it would not hear an appeal from the appeals court's decision.
Citations and links appear in sidebar. In this case, the court enforced
the EULA's terms to forbid reverse engineering.

The second decision, involving deep-linking by a competitor, reflects
pre-trial motions in the long-running Tickets.Com. Ticketmaster Corp. v.
Tickets.Com, Inc., case. Filed March 7, 2003, this decision upheld a web
site operator's contract claims against a competitor that sent software
robots or spiders to collect information from a site.

Taken together, these two decisions suggest that EULA's typically enjoy
genuine viability in US law. These decisions erode fair use and freedom
of access.

Bowers v. Baystate

Facts

Harold L. Bowers created a template to improve CAD software. Bowers
filed a patent application in 1989, and patent No. 4,933,514 issued the
next year. After a re-examination, a patent re-examination certificate
issued in 1997. Bowers' software claims to place the CAD commands in a
visual and logical order.

A man named George W. Ford III designed a software program to work with
CAD software to ensure that a design complies with the geometric
dimensioning and tolerancing requirements of a standard published by
ANSI. In 1990, Bowers began to license his template and Ford's software
in a single bundled product referred to as Designer's Toolkit.

Defendant Baystate Technologies also marketed software that enhanced the
functionality of the Cadkey CAD program. Baystate did not want to
establish a formal relationship with Bowers. In 1991, Baystate obtained
a copy of Bowers' Designer Toolkit. A few months later, Baystate
introduced its own version 3 of its Draft-Pak product, which
incorporated features of Bowers' Designer Toolkit. Price competition
followed.

Eventually Baystate bought the Cadkey company and eliminated Bowers from
the network, effectively preventing Bowers from developing and marketing
the Designer's Toolkit for the Cadkey program.

Baystate sued for a declaratory judgment that Baystate's program did not
infringe Bowers' patent or that Bowers' patent was invalid or
unenforceable. Bowers countersued for damages and infringement.

At a trial in federal court in Massachusetts, a jury determined that
Baystate had breached its agreement with Bowers. The jury awarded Bowers
several million dollars of damages. The district court judge reduced the
award to $5,270,142. Both sides appealed.

The Issue

Bowers' shrink-wrap EULA was at issue. The EULA stated that the user was
not permitted to reverse engineer the software. In other words, the
EULA's language prohibited the user from translating from object code to
source code. Bowers asserted that Baystate was not legally permitted to
reverse engineer Bowers' software. Bowers argued this position, not
because the reverse engineering resulted in a copyright violation, but
instead because the reverse engineering violated the EULA between Bowers
and Baystate.

Baystate insisted Bowers could not enforce its EULA against Baystate
because the Copyright Act preempted the "no reverse engineering"
limitation in the EULA. Generally, "preemption" means that a federal
statute is so important or intended to be so comprehensive in its
effects that its language overrides state law that restricts the federal
statute. In this case, the argument was that the strength of the federal
policy of allowing reverse engineering so overwhelmed that area of law
that a state law element that inhibited the enforcement of the federal
law's reach should not be enforced. State law ordinarily governs
contract law.

The US Court of Appeals for the Federal Circuit heard the case because
it has appellate jurisdiction for cases with patent claims.

Majority Opinion

The court of appeals enforced the EULA that limited the reverse
engineering. The court held that the Copyright Act does not "preempt or
narrow the scope of Mr. Bowers' contract claim." The court said that the
elements of the copyright claim and the contract claim were different,
and, therefore, the Copyright Act is not intended to overpower these
contract claims.

The court cited prominently the ProCD, Inc. v. Zeidenberg case for the
proposition that federal copyright law does not preempt a shrink-wrap
license. The Bowers court said Judge Easterbrook had said in that case
that "mutual assent and consideration required by a contract claim
render that claim qualitatively different from copyright infringement."

The Bowers court said that its holding did not disturb the famous Atari
Games v. Nintendo case. In that decision, the court said that "reverse
engineering object code to discern the unprotectable ideas in a computer
program is a fair use." In that case, Atari obtained the software that
it copied directly from the Copyright Office, not from Nintendo.

The Bowers court, in other words, viewed the EULA as indicating that
Baystate had voluntarily and knowingly relinquished its fair use right
to reverse engineer Bowers' software "by mutual consent and
consideration."

The appeals court backed the jury's conclusion based on ample evidence
that Baystate had reverse engineered Bowers' software, despite the EULA
provision that forbade reverse engineering.

The majority opinion, of course, cannot be faulted for concluding that a
contract claim and a copyright infringement claim have different
elements. The weakness of the majority decision is that the court
apparently viewed a shrink-wrap EULA as mutual, voluntary and knowing.
If the court had had a different vision of a EULA, then the outcome
might have been different, too.

Dissent

Circuit Judge Dyk wrote a dissent from the majority opinion in
connection with the copyright analysis. He apparently had the
shrink-wrap EULA in mind. The dissenting opinion said that the
"majority's approach permits state law to eviscerate an important
federal copyright policy reflected in the fair use defense, and the
majority's logic threatens other federal copyright policies as well."

This case generated publicity, and Judge Dyk obviously was listening to
comment from friends of the court. The three-judge panel had initially
decided the case unanimously, but, after reconsideration, Judge Dyk
dissented from the copyright portion of the majority decision. See, for
example, the friend of the court brief from the Electronic Frontier
Foundation at
http://www.eff.org/IP/Emulation/20020918_baystate-amicus.pdf.

Judge Dyk concluded that the rule should be that "state law authorizing
shrink-wrap licenses that prohibit reverse engineering is preempted."
Judge Dyk acknowledged that the contract claim and the copyright claim
are different, when you consider the elements of the claims, but said
that the effect is the same because the contract is merely a limitation
on protecting the work from unauthorized copying. Therefore, he said,
the copyright law should preempt the contract claim. A state is not free
to eliminate the fair use defense, Judge Dyk wrote.

Judge Dyk wrote that a freely negotiated EULA differs from a shrink-wrap
EULA in this setting. If the court enforces a shrink-wrap EULA, Judge
Dyk wrote, then the EULA is like a state law that would provide that a
user could not copy a work that had a black dot in the corner of the
page. Such a state law would give the owner of the work complete power
over behavior that would otherwise constitute fair use. Enforcing this
EULA enables state law to give the copyright holder "the ability to
eliminate the fair use defense in each and every instance at its
option." The majority opinion permits shrink-wrap agreements that are
broader than the protection that comes from the Copyright Act, Judge Dyk
wrote.

Judge Dyk relied on the copyright law decision in Vault Corp. v. Quaid
Software, and the Supreme Court's patent law decision in Bonito Boats v.
Thunder Craft Boats.

Judge Dyk distinguished the ProCD case on the grounds that the
limitation that enforcement of the EULA provided was the difference in
the charge between the fee for commercial use and the fee for
non-commercial use. That is different, Judge Dyk said, from a
restriction on copying. Copying is what the Copyright Act controls,
whereas the Copyright Act does not address the rate of the fee.

The Supreme Court declined to hear an appeal in June 2003.

Ticketmaster

Facts

The Ticketmaster case is an extended commercial feud between on-line
ticket purveyors. The case involves a practice known as "deep-linking"
whereby Tickets.com hyperlinked directly into URL's within
Ticketmaster's web site bypassing the opening pages that Ticketmaster
wanted customers to see. Tickets.com sent "spiders" to Ticketmaster's
web site to copy information about forthcoming events and URLs to which
to direct Tickets.com customers. The spiders copied the Ticketmaster
pages and then retained the information while discarding the
intellectual property parts.

Tickets.com asked the court to dismiss the claims. Ticketmaster made
three separate legal arguments. First, Ticketmaster asserted that the
court should enforce the terms of use set forth at the Ticketmaster
homepage as a contract that governs a web user's access to
Ticketmaster's site. Second, Ticketmaster asserted that the spiders
constituted an actionable "trespass to chattels" because they come onto
Ticketmaster servers in an unwelcome way. Third, Ticketmaster asserted
that the spiders violated Ticketmaster's copyrighted works by copying
the contents of Ticketmaster's site.

The Contract Cause of Action

Ticketmaster's site's home page contained a notice to the effect that a
person who goes into the site beyond the home page accepts certain
conditions. Among those conditions was a statement that information
obtained from the site was for personal use, not commercial use.

Tickets.com executives were familiar with the Ticketmaster sites' rules.
In fact, a Tickets.com letter to Ticketmaster tried to reject
specifically the notice's terms. The court considered whether the
spiders that crawled the Ticketmaster site created a binding contract in
the situation where the Tickets.com executives knew Ticketmaster's
terms. In other words, this was not a case where the web site user was
not familiar with the EULA terms. The court had no reason to investigate
the prominence of the notice, because the parties agreed that the notice
was prominent and because the Tickets.com executives did know the terms.

Judge Hupp, a senior district court judge for the Central District of
California, wrote that he "would prefer a rule that required an
unmistakable assent to the conditions easily provided by clicking on an
icon which says 'I agree' or the equivalent. Such a rule would provide
certainty in trial and make it clear that the user had called to his
attention the conditions he or she accepted when using the web site.
However, the law has not developed in this way."

Instead, Judge Hupp wrote, "The principle has long been established that
no particular form of words is necessary to indicate assent - the offeror
may specify that a certain action in connection with his offer is deemed
acceptance, and ripens into a contract when the action is taken." The
court cited such examples as a cruise ship ticket with a venue provision
printed on the back, limitations on liability printed on the back of a
bill of lading, an air waybill or an airplane ticket, shrink-wrap cases,
and terms on the back of a parking lot ticket. See sidebar.

The court found that "a contract can be formed by proceeding into the
interior web pages after knowledge ... of the conditions accepted in doing
so." The case involving a commercial visitor is different from a
consumer case, such as the Specht v. Netscape case (see sidebar), where
the contract terms are not known to the site's user and are not plainly
visible.

Tickets.com had moved to have Ticketmaster's claims dismissed by the
judge on the grounds that Ticketmaster had no valid legal claim. The
judge reluctantly agreed with Ticketmaster that the contract claim could
not be dismissed.

The Trespass to Chattels Claim

On the other hand, the judge did dismiss the "trespass to chattels" tort
claim. He wrote that "mere use of a spider to enter a publicly available
web site to gather information, without more, is insufficient to fulfill
the harm requirement for trespass to chattels."

Other courts, such as the court in the Register.com case, upheld the
trespass to chattels tort theory where "spider" software visits the
plaintiff's website regularly for commercial ends. Here, the court found
that there was not enough interference with Ticketmaster's site to
justify a tort claim. Judge Hupp wrote, "unless there is actual
dispossession of the chattel for a substantial time (not present here),
the elements of the tort have not been made out. Since the spider does
not cause physical injury to the chattel, there must be some evidence
that the use or utility of the computer (or computer network) being
'spiderized' is adversely affected by the use of the spider."

After Judge Hupp published his opinion, California's Supreme Court in
Intel Corp. v. Hamidi threw out the trespass to chattels claim. That
decision emphasized that a plaintiff with a "trespass to chattels" claim
must show a genuine injury to succeed.

The Copyright Claim

Ticketmaster also claimed Tickets.com's spiders wrongfully copied
Ticketmaster intellectual property. Judge Hupp decided that the brief
period of the copying was protected by "fair use." The Tickets.com
computers discarded all the Ticketmaster proprietary expression after "10
to 15 seconds" while retaining the information. Copyright protects
expression, rather than information. The court analogized this pattern
to reverse engineering that required a temporary copy of the protected
work in order to have access to the unprotected, publicly available,
factual information. Ticketmaster intellectual property did not appear
to the public. Tickets.com was merely collecting information and not
exploiting Ticketmaster's "creative labors." The court said facts, such
as the existence of an event, its date and time and its ticket prices
"are not subject to copyright."

Likewise, the court said that a URL is not protected by copyright,
because it is "simply an address, open to the public."

Ticketmaster also argued that the deep-linking created an unauthorized
public display of Ticketmaster events pages. This display occurred when
a Tickets.com's site's user clicks on the link to the Ticketmaster page.
Judge Hupp determined that the facts do not fit the facts of those cases
where the court stopped framing. Tickets.com's method did not mislead
users about the owner of the page where the user was sent.

The court dismissed the copyright claims from the action.

Conclusion

These two cases show that sophisticated US courts tend to enforce as
contracts non-negotiated statements of rights in the software area of
law, just as these courts do in other consumer and commercial settings.
Software users ignore shrink-wrap licenses at their peril. In today's
legal climate, courts do not generally perceive "fair use" as enough to
overcome the terms of purported licenses.



*************************** Noel D. Humphreys is Counsel to the law firm
Connell Foley LLP, Roseland, NJ. He may be reached at
nhumphreys@...nellfoley.com.

*************************** Side Bar for Bowers v. Baystate Technologies

Federal District Court: 112 F. Supp.2d 185 (D. Mass. 2000)

Federal Circuit Court of Appeals for the Federal Circuit: 320 F.3d 1317
(CAFC 2003), 2003 WL 262300; (online at
http://laws.lp.findlaw.com/getcase/fed/case/011108v2&exact=1).

Court of Appeals for the Federal Circuit, January 29, 2003:
http://laws.findlaw.com/fed/011108v2.html
http://www.ll.georgetown.edu/federal/judicial/fed/opinions/01opinions/01-1108o.html

Prior opinion: 302 F.3d 1334, 2002 U.S. App. LEXIS 17184, 64 U.S.P.Q.2d
(BNA) 1065, Cop. L. Rep. (CCH) P28,479 (August 20, 2002):
http://www.law.upenn.edu/fac/pwagner/patents/2003sp/downloads/bowers_v_baystate_2002.pdf

Appellate court friend of the court briefs and comments:
http://www.acm.org/usacm/Briefs/bowersVbaystatebrie.htm
http://www.info-commons.org/blog/archives/000035.html
http://www.ll.georgetown.edu/aallwash/briefs.html
http://jurist.law.pitt.edu/amicus/bowers_v_baystate_rehearing.pdf

United States Supreme Court denied certiorari, June 16, 2003: 123 S.Ct.
2588 (mem), 71 USLW 3709, 71 USLW 3770, 71 USLW 3774 (online at
http://supreme.lp.findlaw.com/supreme_court/orders/2002/061603pzor.html)

IEEE Supreme Court Amicus brief:
http://www.ieeeusa.org/forum/policy/2003/Baystate060203.html
http://www.ieeeusa.org/forum/policy/2003/baystate%20amicus%20brief.pdf

Commentary:
http://www.techlawjournal.com/topstories/2003/20030616.asp
http://rrcs-se-24-73-162-58.biz.rr.com/bowers/certreply.pdf
http://www.techlawjournal.com/topstories/2003/20030616.asp
http://mail.gnu.org/archive/html/dmca-activists/2002-10/msg00075.html
http://www.sethf.com/infothought/blog/archives/000173.html
http://www.infoworld.com/article/02/09/13/020916opgripe_1.html
http://www.idg.com.sg/idgwww.nsf/0/3145265E7140D30D48256D520023F052?OpenDocument
http://www.infoworld.com/article/03/06/26/HNreverseengineering_1.html?development
http://www.andrewspub.com/rptr_desc.asp?pub=SLB
http://www.ieeeusa.org/releases/2003/060403pr.html
http://gateway.library.uiuc.edu/administration/scholarly_communication_issues_29.htm
http://chronicle.com/free/2002/10/2002102501t.htm

IEEE links page http://rrcs-se-24-73-162-58.biz.rr.com/bowers/#reference

Side Bar for Ticketmaster: Federal District Court: CV 997654, 2003 U.S.
Dist. LEXIS 6483, 2003 WL 21406289, Copy.L.Rep (CCH) ¶28,607 (CDCal. 2003)
http://www.haledorr.com/pdf/ticketmaster.pdf

Deep-linking commentary
http://www.workz.com/cgi-bin/gt/tpl_page.html,template=1&content=1371&nav1=1&
http://www.nwsltr.com/article-deeplink.shtml
http://www.gigalaw.com/articles/2000-all/kubiszyn-2000-05b-all.html 2000
Ticketmaster case comment:
http://www.computerworld.com/news/2000/story/0,11280,43732,00.html
http://www.wired.com/news/politics/0,1283,35306,00.html
http://linuxtoday.com/news/2000040700904NW
http://www.internetnews.com/ec-news/article.php/4_438011
http://www.computeruser.com/news/00/08/16/news8.html


Statutory exclusive rights under the Copyright Act:
http://www4.law.cornell.edu/uscode/17/106.html

The Statutory Fair Use Factors:
http://www4.law.cornell.edu/uscode/17/107.html

Sidebar for ProCD, Inc. v. Zeidenberg: 86 F.3d 1447, 39 USPQ2d 1161 (7th
Cir., 1996)
http://www.ca7.uscourts.gov/op3.fwx?yr=96&num=1139&Submit1=Request+Opinion.



Sidebar for the Atari Games v. Nintendo reverse engineering case: 975
F.2d 832, 24 USPQ2d 1015 (CAFC 1992)
http://cyber.law.harvard.edu/openlaw/DVD/cases/atarivnintendo.html


Sidebar for Vault Corp. v. Quaid Software 847 F2d 255 (5th Cir., 1988)
(found online at
http://cyber.law.harvard.edu/openlaw/DVD/cases/Vault_v_Quaid.html)
Sidebar for the Supreme Court's decision in Bonito Boats v. Thunder
Craft Boats, 489 US 141 (1989) (found online at
http://www.law.uconn.edu/homes/swilf/ip/cases/bonito.html).

Sidebar for the shrink-wrap cases Judge Hupp cited Register.com v.
Verio: 126 F.Supp2d 238 (SDNY, 2000) (The order may be found at
http://www.kentlaw.edu/legalaspects/preventing_access/register.com%20v.%20verio.htm or
http://www.icann.org/registrars/register.com-verio/order-08dec00.htm)
and

Judge Hupp also cited Pollstar v. Gigmania: 170 F. Supp. 2d 974; 2000
U.S. Dist. LEXIS 21035; Copy. L. Rep. (CCH) ¶28,329; 45 U.C.C. Rep.
Serv. 2d (Callaghan) 46 (EDCA, 2000) (The decision may be found at
http://euro.ecom.cmu.edu/program/courses/tcr840/2003/pollstar.htm).

Judge Hupp also cited Specht v. Netscape: 306 F.3d 17, 48 UCC
Rep.Serv.2d 761 (2d Cir. 2002), The lower court opinion was reported at
150 F.Supp2d 585 (SDNY 2001).
http://www.kentlaw.edu/legalaspects/digital_signatures/Contracting/readings/specht_v_netscape.pdf

Sidebar for Intel Corp. v. Hamidi: 30 Cal.4th 1342, 71 P.3d 296, 1
Cal.Rptr.3d 32, 20 IER Cases 65, 3 Cal. Daily Op. Serv. 5711, 2003 Daily
Journal D.A.R. 7181, Cal., Jun 30, 2003 Available online at
http://www.haledorr.com/pdf/intel_hamidi.pdf.

 

> -----Original Message-----
> From: Ralph Seberry [mailto:mischief@...ushome.com.au]
> Sent: Wednesday, November 26, 2003 4:53 PM
> To: V.O.
> Cc: full-disclosure@...ts.netsys.com; focus-ids@...urityfocus.com
> Subject: Re: [Full-Disclosure] IDS (ISS) and reverse engineering
> 
> 
> Apparently it is legal both in US and Australia. This link
> discusses the Sony/Connectix case in US where Connectix made
> numerous unauthorised copies of BIOS during reverse engineering
> (and got done for *that*) and the Australian case. ISS is fine
> under both US and Aus fair use laws.
> 
> http://www.ipcr.gov.au/SUBMIS/docs2/Sub01.pdf
> 
> ...
> Under s 47D of the amended Act, a person may reverse engineer copies of a program
> owned by someone else, but only if they intend to make a product that interoperates with that
> program (this restriction does not apply under the more flexible "fair use" defence under US
> law). In other words, the right would not be available to Connectix in Australia because the
> VGS does not interoperate with the PlayStation console code. It is a substitute for it.
> ...
> 

