Slashdot Mirror


Open Source and Legal Protection

A nameless submitter sent in this issue on seeking legal protection for an eventual open source project reverse-engineered from published works. Here's the problem: the project implements what many have made clear to be proprietary information and trade secrets. What can one do to protect themselves from the eventual legal backlash when this project is finally made available to the public? Need an example of things that could go wrong with such a situation? Then one need not look farther than the DeCSS fiasco. Click the link below for the full submission.

"I'm in the middle of taking a current bastion of big science and making it open-sourced. I'm not going to say exactly what I'm working on right now but I'm alas confident that shortly after this codebase is released, I will be the target of numerous lawsuits by holders of patents and software patents. Although I am reverse-engineering everything from published work, it has been made clear to me that most of the implementation of the work is considered proprietary and the rest is considered trade secrets.

The field from which this work is drawn is currently in the hands of a minority of individuals, some of whom are scrambling to create startups based on their work. I have real ethical problems with their ongoing hoarding of valuable data and algorithms developed with public and defense money hence I am attempting to get their capabilities into the hands of any interested individual. Not everyone in the field acts this way, but enough do to make it a real issue with me and others.

So, my question is how do I cover my butt? After the DeCSS affair, I want to be ready for the attack lawyers before they come. Who knows, maybe they won't, but I've never gotten very far on optimism."

17 of 250 comments

  1. Re:two things you can do by dattaway · · Score: 3

    Anonymous internet access? May I recommend wireless lan with the usual 2.4GHz IEEE 802.11, signal unencrypted, and default settings. I leave it as such and anyone in my town can park their car in the neighborhood with their laptop and use it (ssh is your friend.) Someday it will be abused and I'll have to lock it, but it's there and I'm sure many other people have their links in the open too.

  2. Re:What gives people the right to do this? by Alan Shutko · · Score: 3
    One thing I've been trying to wrap my head around lately is, why do people believe they have the right to decompile and start distributing someone else's hard work?


    US Law gives us that right.


    The law differentiates certain protections. Copyright protects an expression of an idea. But the ideas in a work are unprotected, and reverse engineering is allowed as a way to retrieve those unprotected ideas, so long as you don't infringe on their copyright by copying the expression.


    This isn't a new concept. Society doesn't recognize a permanent right of creators to keep their ideas secret. You have a right to try to keep it secret (trade secret, aka don't tell anyone without contracts), or you can release it fully in exchange for temporary protection (patents).

  3. two things you can do by trance9 · · Score: 3

    First, release it from a country where the patents and trademarks do not apply. You might have to do some digging to figure that out. At the very least, that confuses the jurisdictional issues. Second, release it to the public domain. Third, release it anonymously. If you don't have the resources to fight the legal battles (and it sounds like you don't; and it also sounds like you might lose them) then the best thing you can do is simply make it available to those who might have the resources, or who might be in a better position to win the battles. For example, it might turn out that European users will be able to make use of your software, whereas U.S. users may not. Obviously since you haven't said what you are doing, I don't know :-)

  4. Get a friendly front in a safe country for release by FreeUser · · Score: 3
    Third, release it anonymously.

    Bad advice. If the intent of the author is to release something to the community, then he probably wants to be sure that it would be possible for others to use his work. Releasing the code or documentation anonymously would not help anyone, because they would have to prove that the original information was obtained legally, which would be impossible if it comes from an anonymous source.


    If the author is in a country where reverse engineering has been made illegal (probably at the behest of Software and Media Moguls such as Microsoft, the RIAA, MPAA, and DVD Forum), then he or she is probably not in a position to take on the overfunded lawyers of these organizations (or other, similar entities), much less have a snowball's chance in hell of winning. However, you are correct, anonymous release of trade secrets doesn't do anyone any good, because we can't show it was obtained legally and therefore can't use it safely.

    But, the author could find a friendly party in a safe country and have them take credit for the release. In this way, the author gets the protection of anonymity (especially if he or she uses an anonymous (e.g. cypherpunk) mail forwarding service to maintain true anonymity throughout (which I would recommend in case the "friendly party" turns out to be a malicious plant)). At the same time, the community gets the benefit of a product which has been legally reverse engineered and made available.

    This doesn't guarantee the community complete safety. After all, the CSS algorithm was legally reverse engineered abroad and that hasn't appeared to slow down the MPAA and DVD Forum from sending the secret police in to drag children from their farms, or go after every Tom, Dick, and Harry for having a link on their web page which might, somewhere, lead to the offending (though perfectly legal) code. Alas, there is no complete safety when taking on powerful, established entities with a monopoly or (in the DVD case) quasi-legal trust to protect.

    • Document everything - be as anal retentive about this as humanly possible, and have multiple backups in safe places, with at least one completely outside of your legal jurisdiction (ie foreign country)
    • Find someone in a friendly country where what you are doing is legal and let them take the credit (and risks) for releasing the product. By being a citizen of a country where reverse engineering is still legal it will be more difficult for the powers that be to (legally) go after them, though that probably won't stop them. It should also force jurisdiction into the local courts, more likely to adhere to local law, though there's no guarantee, as the American courts seem to feel they have planetwide jurisdiction (and our illustrious military is all too willing to back that perverse notion up, alas).
    • Join the EFF, or at least send a donation their way.
    • Perhaps giving the EFF a heads up at release time would be a good idea (can anyone more in the "know" on this comment?). Such a heads up should come from the party making the public release, not the ghost author.
    --
    The Future of Human Evolution: Autonomy
  5. Reverse-engineering-Information by BoLean · · Score: 3

    Here is a good place to do a little research:

    http://www.softpanorama.org/SE/reverse_engineering_links.shtml

    But even the most rigorous documentation won't protect you from litigation. What you need is a "big daddy", someone to front you on any legal expenses. Talk to the Free Software Foundation. I know that if you assign rights to the FSF under specifically and release it under the GPL they have lawyers to help protect your copyrights. Talk to them, if you think the software you have developed is that important they are likely to listen and maybe even help.

    Please send inquiries about GNU and the FSF to
    Free Software Foundation
    59 Temple Place - Suite 330
    Boston, MA 02111-1307, USA

    Voice: +1-617-542-5942
    Fax: +1-617-542-2652

    gnu@gnu.org
    or WWW.FSF.org

  6. Re:clean reverse engineering by Dane Torbenson · · Score: 3

    People seem to be confusing the protection that patents offer with the protections offered by copyright or trade secrets.
    Patents protect a process or an idea. In order to have patent protection the subject of the patent must be fully documented and publicly available at the patent office. This means that reverse engineering should not be necessary for any product which is covered by patents, because all of the inner workings must be documented.
    Trade secret, as we all know from the DeCSS debacle, keeps the "how" out of public knowledge, but (theoretically) once the cat is out of the bag, and someone comes across the secret (by proper means) the trade secret protection is lost. Here is the area where people are trying to use trade secret law, combined with contract provisions against reverse engineering to maintain an unprecedented amount of control over intellectual property.
    Copyright, the third traditional form of IP, protects a method of expression. But copyright does not protect the idea behind the expression, only the precise expression that was used.
    You really need to see an IP lawyer to have him/her identify which forms of protection are currently being asserted over the IP you are working from. Then you can figure out how to complete your project while minimizing the legal consequences.

    Dane Torbenson


  7. This would not help by Raphael · · Score: 4
    First, release it from a country where the patents and trademarks do not apply.

    Easier said than done... However, this brings an important point: it is crucial to check for patents before releasing something that is considered to be a trade secret. If something is proprietary but not patented, then it is perfectly legal to re-implement it (as long as you use a "clean room" process and you do not copy anything directly from the current solution). But if anything is patented, then it is not possible to release this to the community.

    Second, release it to the public domain.

    Why? If he has spent a significant amount of time studying the problem and the existing solutions, I doubt that he would be happy to see some companies taking his solution and making a proprietary product out of it.

    Third, release it anonymously.

    Bad advice. If the intent of the author is to release something to the community, then he probably wants to be sure that it would be possible for others to use his work. Releasing the code or documentation anonymously would not help anyone, because they would have to prove that the original information was obtained legally, which would be impossible if it comes from an anonymous source.

    I think that the only good advice is: document everything. If you want to release something (possibly controversial) to the community, then the only way to make sure that others can really benefit from what you have done is to be accountable for it. You have to be able to prove that all the information was obtained legally, and that it does not come from any confidential documents. If every source of information is legal, then the community can benefit legally from your work (and you will be able to cover your back because you can prove how you obtained the information).

    --
    -Raphaël
  8. You nailed it by guran · · Score: 4
    If "they" are protecting themselves with patents, then what you are doing is illegal (even if it is ethical). If they are protecting themselves with trade secrets - No problem. As long as you can show (document everything) that you reverse engineered from open sources you are in the clean.

    Of course, IANAL, and there is much more to lawsuits than mere law (as we all know).

    Now I don't know what field you are in, but let's say you are reinventing coca cola.

    You may analyze a bottle (Reverse engineer) or use open sources (what is printed on the bottle i.e. water, sugar, artificial flavoring). If you have never seen the real recipe (trade secret) you are in the clear as long as you don't try to call your product "Coca cola" or something too similar.

    If, on the other hand, you are making a simpler way to shop online (i.e. one click shopping). Assuming that Amazon's patent would hold in court, you can't recreate it in any way unless you can show that what you have done is really different to what is patented.

    In short: Against patents you are screwed if their lawyers find you. Against trade secrets *they* are screwed as soon as you can show that you did the same independently.

    --

    All opinions are my own - until criticized

  9. Re:What gives people the right to do this? by PG13 · · Score: 5

    First off the issue at hand is NOT about stealing anyone else's code. It is about implementing some algorithm in code. This algorithm has (presumably) either been published in major journals or enough information is available in the field to figure this algorithm out WITHOUT stealing anyone else's code.

    Certainly from a moral standpoint (and a legal standpoint involving copyright but not patent) there is no theft occurring if I figure out how someone else did something independently and implement this algorithm myself. (In some sense this is what DeCSS is about. Someone figured out the algorithm mapping encrypted to decrypted files. This algorithm, being unpatented, should be perfectly within our rights to use as we see fit. No one copied their code and is distributing it.)

    From a moral issue there is no reason whatsoever to assume that using someone else's idea is wrong or incorrect. They do not lose anything when you use their idea (to say they lose the rights to it is fallacious as it assumes that they have said rights in the first place) like they do when you take physical property from them. The arguments for Intellectual property are ENTIRELY economic. If we did not have laws protecting IP then there would be no incentive to create works and/or new products. It is interesting to note that these laws were all originally chosen to have reasonably limited durations but that lobbying from various companies has pushed up the copyright time to a ridiculous level.

    For a while after the revolution the United States had no copyright law to speak of. Of course during this period we produced little literature and became a 'pirate country' reprinting books from other countries beyond their law.

    --
    Marriage is the "pseudo-ethics" that cloaks the messy truth of sexuality in the raiment of propriety -- it's "Don't Ask,
  10. Don't ask here. by panda · · Score: 5

    You shouldn't be asking these questions here or in any other public forum. I, for one, will not answer these questions. It is asking for trouble to answer legal questions in places such as this.

    My advice to you is hire a lawyer, or don't release your work. You'd better know the legal implications of what you're doing before you do it, and the description of what you're trying to do is too vague for anyone, even a lawyer, to give you any kind of decent answer.

    BTW, YOU WILL end up in court if someone has made it clear to you that what you are reverse engineering is considered a trade secret. If you've had any kind of access to that trade secret, and you knew it was a trade secret, you'll probably get sued, and you'll probably deserve it.

    Now, we just have to get the Slashdot crew to stop posting these things.

    --
    Just be sure to wear the gold uniform when you beam down -- you know what happens when you wear the red one.
  11. This is not the best place to ask this question. by irh · · Score: 5

    As much as I admire and enjoy slashdot, it is about the last place I would seek legal advice (which is what this is.) A perfect illustration of why is that your initial post, and the replies that have followed, have failed to distinguish between patents, trade secrets, copyrights, etc.

    You mention that the work you are attempting to re-implement is the subject of "proprietary" protection and "trade secrets", but then you claim that you will be the subject of patent litigation. I'm sorry - what are you referring to? If they have patents on the technology, then what are the patent #'s? Further, if they have patents, then their technology is NOT a trade secret - patents are published.

    You mention that "most of the work is considered proprietary, the rest is considered trade secrets" this doesn't make much sense. First point - "proprietary" is NOT a subset of intellectual property. IF a technology IS the subject of either patent, copyright or trade secret protection, only then can they consider it proprietary.

    So again - if there is no patent, there is no patent protection. If the technology is contained in published works, then there is no trade secret protection (unless what you are referring to is object code software that has been released to the public - you are not clear on this point). (If however, you gained knowledge of the technologies you are trying to re-implement under an implicit or explicit agreement of secrecy, then you may be in hot water.) If you are not copying source code verbatim, then you are NOT violating copyright by re-implementing the algorithm.

    Further than that, you simply haven't provided enough information to help you in any meaningful way.

  12. clean reverse engineering by x0 · · Score: 5

    I recall watching Cringely's first special on computers a few years ago. In order to claim that the reverse engineering was clean, there were two sets of engineers. The first set of engineers had access to the device being reversed (IBM's PC BIOS) and compiled a set of rules. The second set of engineers worked _only_ from the rules obtained by the first set and supposedly never came into contact with the device being reversed.
    I get the impression from your posting that there really isn't even a product available yet to be reversed, but that there is enough information to design a parallel process. Whether or not this can stand as 'clean room' reversing would depend on how the data you obtained was presented.
    I agree with one of the prior posters; If it was obtained from patent documents, you might have some problems.
    I am curious whether or not, if the data was obtained from published commercial/scientific documents, copyrights might also be claimed?

    --
    In the immortal words of Socrates, who said; 'I drank what?'
  13. Re:Published works? by Paul Johnson · · Score: 5
    I am not a lawyer, but I'll have a shot at the patent side of this.

    The thing to read in patents is the Claims. Getting a patent is a bit like homesteading a piece of territory used to be: you stake your "Claim", and if nobody else has got it first then it's yours.

    Imagine how homesteading might have worked if there were no size limits and no need to "prove" the claim (in the sense of exploiting it all). You can stake your claim by putting four pegs in the ground: the perimeter defined by those pegs is your claim. However the claim is only valid if nobody else has put any of their pegs in that area first.

    Patent claims work like a series of (mostly) concentric peg claims. Claim 1 pegs out the whole of Arkansas, but you don't really expect to get that one. Claim 2 pegs out the whole of Hazzard County, and you don't really expect to get that one either. Claim 3 pegs out 50 square miles, and you might get that one if you are lucky. Claims 4-6 are the most likely looking homesteads within claim 3, and claim 4 is where you actually start expecting to defend your property.

    So, look at the claims on the patent, and figure out which ones are just restatements of prior art. For example in the DVD content scrambling patent, claim 1 pretty much describes any PRNG. Claim 2 probably covers a lot of cryptographic PRNGs (it's not my field), and claims 7 and 8 cover the use of a PRNG number stream XORed with the data. So those claims would be covered by prior art and the MPAA is unlikely to contest them. They will concentrate on the later, more specific claims, such as the precise pattern of XORs in the PRNG.

    So if I were writing a DVD descrambler routine I would try to come up with an algorithm which evaded the detailed claims, and forget about claims 1, 2, 7 & 8, and any others with textbook prior art. If you could show a standard textbook as prior art then I would expect the suit to be declared vexatious. But IANAL, of course.

    --
    You are lost in a twisty maze of little standards, all different.
  14. You have two options: by Hobbex · · Score: 5

    IANAL, but this seems more or less clear:

    a) Stay down. Barring your own vanity, releasing something anonymously on the Internet is not that difficult. Put everything together nicely, and then send it to a mailing list or newsgroup on the subject through a Mixmaster or Cypherpunk mailing list. Leave spreading it to the power of the masses and of the Internet, by just creating it you have done enough.

    This means major paranoia though, possibly you are not careful enough even when submitting this Slashdot. How sure are you that Rob and Andover are _really_ wiping the logs?

    Yes, it sucks to have to be anonymous to speak freely, but such is the nature of living in a non-free society (and I won't even dignify anyone who says we do with a reply). Possibly you could sign the message with a public key, so that when (if) freedom comes you can take credit for your work. Consider that possession of the private key would be very incriminating however.

    b) Make a martyr of yourself. Contact a lawyer, and maybe a charity that is ready to help you first. Then just go out and tell the truth, ready to be the case that gets taken to the supreme court. It's a risky strategy, but it is a lot more glamorous than the first, so some people may still prefer it (being a pompous asshole myself, I think I might). And at least in this case you have a better chance of the data actually becoming legal, so that using it is not thoughtcrime...


    -
    We cannot reason ourselves out of our basic irrationality. All we can do is learn the art of being irrational in a reasonable way.

  15. What gives people the right to do this? by grumpy_geek · · Score: 5

    One thing I've been trying to wrap my head around lately is, why do people believe they have the right to decompile and start distributing someone else's hard work? It seems to me that the mantra of the opensource movement is free as in freedom not free as in beer; and what these people are doing is reversing that and making it "free as in beer". Haven't people ever thought to work within the system... (use your most whiny voice) "oh, but it takes too long", "oh, they didn't want to the first time, so I'm going to make them", "we didn't have it for X platform and I want it now!", "oh, I'm spoiled little brat who can't wait for something".

    Forcing a company to release source code really isn't freedom, it sure seems to me like strong-arm mafia tactics by snotty brats. Slashdot sure brings itself into a huge fit when a mention of the GPL being violated, now where is our moral outrage that someone is wanting advice on a premeditated violation of someone else's license.

    I don't really care if it's legal or not in their home country, I think it's morally wrong to force our opensource ideals onto companies by tactics slashdot would raise holy hell about if the roles were reversed. If a company doesn't want to release something opensource what right do we have to TAKE AWAY THEIR FREEDOM? I love opensource, I am a firm believer in giving back to the community; but this premeditated stealing of someone else's code I can't agree with.

  16. Documentation by uglyduckling · · Score: 5
    I have to agree with other posters: documentation is essential. I work in a (UK) lab environment where documentation is very hot. Off the top of my head, here are the guidelines we follow:
    • Lab books should be properly bound and have sequential page numbers
    • Each page should be dated and signed by the researcher and a witness/supervisor
    • Blank spaces should be crossed through and initialed/signed
    • Computer printouts should be glued in, not just kept on disk
    • Any crossings-out/deletions should leave the original text readable. No tippex/whiteout
    • Abbreviations should be kept to a minimum and explained where unclear
    That's probably not an exhaustive list, and the poster of the article may know this already. Hopefully it will be useful to somebody.
  17. First rule by Teliver · · Score: 5

    Document, Document, Document. The key to a good defense is to be able to prove HOW you did something. Keep a daily diary with the steps you've taken and plan to take. Document all results, and all versions of the code you are using. If you can prove that this was reverse engineered 'cleanly', then your legal problems will be much less than they would be. I'd also hire a good lawyer NOW. And not one that handles wills and property transactions. I mean one that understands copyright law. Good luck to you.