Proposed UK Law Makes Reverse Engineering Illegal

by Niall Douglas in association with NamesFacesPlaces


This is the fourth in a series of articles about threats to our industry - not just to the IT contracting industry, but to any part of IT which is indigenous to Europe and most specifically the United Kingdom, which is in my opinion the most vulnerable of the IT industries within the EU.

This article, along with others in this series, explores the consequences of the draft UK implementation of the European Copyright Directive (2001/29/EC) if the draft were to pass into law as-is. The UK Patent Office is accepting commentary from the public until October 31st 2002 - though it is better if your MP makes the comment instead of you. We should warn you that the UK Patent Office has a history of ignoring any comments not to its liking, so be prepared that we may have to fight for amendments to the bill in the Commons sometime in Spring 2003.

The law

The EU directive makes no provision for legal reverse engineering, despite its importance and the strong protection it has had under EU law since 1991. It does, however, speak of private copies made for no commercial gain, which reflects another long-held European right - to legally make backup copies of expensive items. However, once again it makes implementation of this optional.

Reverse Engineering

The UK's Copyright, Design and Patents Act 1998 expressly permits reverse-engineering in certain limited circumstances to encourage competition and better engineering, among many other important things - not least legally permitting small UK companies to produce products which can interoperate with other, more established, mostly US-made products. Every company in capitalism has the ideal of being a monopoly - as a monopoly, you can charge as much as you want for as little service as you like, and nothing except strong competition can stop this in free market capitalism. By building secret, complex protocols and making their interoperation hard to penetrate, you can effectively prevent competition, especially where your own engineering is shoddy.

The UK draft copyright law implementation makes no provision for the protection of reverse engineering. If it were ratified as-is, reverse-engineering any encryption-using product could be classed as a knowing attempt to circumvent the encryption. This hands a very big stick to large companies with which they can prevent competition: with a single phone call they can have their competitors thrown in prison!

Furthermore, any US multinational could now remove themselves from all possibility of their product being reverse-engineered simply by adding some encryption ability, even if it wasn't needed. In other words, the draft law effectively bans reverse engineering, a long-held and vital silver bullet for our IT industry.

We need an exemption in the UK draft stating that the reverse engineering rights in the 1998 Act remain superior.

Backup copies

As far as my understanding of the technology goes, it is planned to have a system of certificates which your rendering device (computer, DVD player, stereo etc.) is given to permit it to access the encrypted content. One could thus make as many copies of the encrypted data as one would like, but that leaves me wondering about backing up the certificates.

I read that Microsoft's upcoming Palladium system will permit you to save out the certificates so you can restore them after a reinstall - however, they can only be reinstalled to precisely one computer, perhaps three times, and besides, what happens if you couldn't back up your system before it died (which is usual for most people I know who use Windows)? As far as I can see, there is no mandatory provision for permitting backup copies of your licence to access Digitally Rights Managed (DRM) content.

In other words, we are effectively losing our long-held European right to make a working backup or a security copy of purchased items. I don't think I have worked in a company yet which did not make a backup copy of all purchased software, and it's a sensible policy for home users as well. While it will remain legal for non-protected software, you can bet almost all commercial software will soon come wrapped in DRM courtesy of Microsoft's Palladium facilities - much like all DVDs today employ encryption to prevent unauthorised copies.

Of course, soon you won't actually be buying a movie ever again - like software, you'll be buying a licence to view that movie, which may or may not expire after a period of time or a number of viewings.

As mentioned above, the EU directive does hint at maintaining rights in this area. The UK draft does not. It should be changed.

Niall Douglas
26th September 2002