Slashdot Mirror


Open Source and Legal Protection

A nameless submitter sent in this issue on seeking legal protection for an eventual open source project reverse-engineered from published works. Here's the problem: the project implements what many have made clear to be proprietary information and trade secrets. What can one do to protect themselves from the eventual legal backlash when this project is finally made available to the public? Need an example of things that could go wrong with such a situation? Then one need not look farther than the DeCSS fiasco. Click the link below for the full submission.

"I'm in the middle of taking a current bastion of big science and making it open-sourced. I'm not going to say exactly what I'm working on right now but I'm alas confident that shortly after this codebase is released, I will be the target of numerous lawsuits by holders of patents and software patents. Although I am reverse-engineering everything from published work, it has been made clear to me that most of the implementation of the work is considered proprietary and the rest is considered trade secrets.

The field from which this work is drawn is currently in the hands of a minority of individuals, some of whom are scrambling to create startups based on their work. I have real ethical problems with their ongoing hoarding of valuable data and algorithms developed with public and defense money hence I am attempting to get their capabilities into the hands of any interested individual. Not everyone in the field acts this way, but enough do to make it a real issue with me and others.

So, my question is how do I cover my butt? After the DeCSS affair, I want to be ready for the attack lawyers before they come. Who knows, maybe they won't, but I've never gotten very far on optimism."

9 of 250 comments

  1. Re:What gives people the right to do this? by PG13 · · Score: 5

    First off the issue at hand is NOT about stealing anyone else's code. It is about implementing some algorithm in code. This algorithm has (presumably) either been published in major journals or enough information is available in the field to figure this algorithm out WITHOUT stealing anyone else's code.

    Certainly from a moral standpoint (and a legal standpoint involving copyright but not patent) there is no theft occurring if I figure out how someone else did something independently and implement this algorithm myself. (In some sense this is what DeCSS is about. Someone figured out the algorithm mapping encrypted to decrypted files. This algorithm, being unpatented, should be perfectly within our rights to use as we see fit. No one copied their code and is distributing it.)

    From a moral issue there is no reason whatsoever to assume that using someone else's idea is wrong or incorrect. They do not lose anything when you use their idea (to say they lose the rights to it is fallacious as it assumes that they have said rights in the first place) like they do when you take physical property from them. The arguments for Intellectual property are ENTIRELY economic. If we did not have laws protecting IP then there would be no incentive to create works and/or new products. It is interesting to note that these laws were all originally chosen to have reasonably limited durations but that lobbying from various companies has pushed up the copyright time to a ridiculous level.

    For a while after the revolution the United States had no copyright law to speak of. Of course during this period we produced little literature and became a 'pirate country' reprinting books from other countries beyond their law.

    --
    Marriage is the "pseudo-ethics" that cloaks the messy truth of sexuality in the raiment of propriety -- it's "Don't Ask,
  2. Don't ask here. by panda · · Score: 5

    You shouldn't be asking these questions here or in any other public forum. I, for one, will not answer these questions. It is asking for trouble to answer legal questions in places such as this.

    My advice to you is hire a lawyer, or don't release your work. You'd better know the legal implications of what you're doing before you do it, and the description of what you're trying to do is too vague for anyone, even a lawyer, to give you any kind of decent answer.

    BTW, YOU WILL end up in court if someone has made it clear to you that what you are reverse engineering is considered a trade secret. If you've had any kind of access to that trade secret, and you knew it was a trade secret, you'll probably get sued, and you'll probably deserve it.

    Now, we just have to get the Slashdot crew to stop posting these things.

    --
    Just be sure to wear the gold uniform when you beam down -- you know what happens when you wear the red one.
  3. This is not the best place to ask this question. by irh · · Score: 5

    As much as I admire and enjoy slashdot, it is about the last place I would seek legal advice (which is what this is.) A perfect illustration of why is that your initial post, and the replies that have followed, have failed to distinguish between patents, trade secrets, copyrights, etc.

    You mention that the work you are attempting to re-implement is the subject of "proprietary" protection and "trade secrets", but then you claim that you will be the subject of patent litigation. I'm sorry - what are you referring to? If they have patents on the technology, then what are the patent #'s? Further, if they have patents, then their technology is NOT a trade secret - patents are published.

    You mention that "most of the work is considered proprietary, the rest is considered trade secrets" this doesn't make much sense. First point - "proprietary" is NOT a subset of intellectual property. IF a technology IS the subject of either patent, copyright or trade secret protection, only then can they consider it proprietary.

    So again - if there is no patent, there is no patent protection. If the technology is contained in published works, then there is no trade secret protection (unless what you are referring to is object code software that has been released to the public - you are not clear on this point). (If however, you gained knowledge of the technologies you are trying to re-implement under an implicit or explicit agreement of secrecy, then you may be in hot water.) If you are not copying source code verbatim, then you are NOT violating copyright by re-implementing the algorithm.

    Further than that, you simply haven't provided enough information to help you in any meaningful way.

  4. clean reverse engineering by x0 · · Score: 5

    I recall watching Cringely's first special on computers a few years ago. In order to claim that the reverse engineering was clean, there were two sets of engineers. The first set of engineers had access to the device being reversed (IBM's PC BIOS) and compiled a set of rules. The second set of engineers worked _only_ from the rules obtained by the first set and supposedly never came into contact with the device being reversed.
    I get the impression from your posting that there really isn't even a product available yet to be reversed, but that there is enough information to design a parallel process. Whether or not this can stand as 'clean room' reversing would depend on how the data you obtained was presented.
    I agree with one of the prior posters; If it was obtained from patent documents, you might have some problems.
    I am curious whether or not, if the data was obtained from published commercial/scientific documents, copyrights might also be claimed?

    --
    In the immortal words of Socrates, who said; 'I drank what?'
  5. Re:Published works? by Paul+Johnson · · Score: 5
    I am not a lawyer, but I'll have a shot at the patent side of this.

    The thing to read in patents is the Claims. Getting a patent is a bit like homesteading a piece of territory used to be: you stake your "Claim", and if nobody else has got it first then it's yours.

    Imagine how homesteading might have worked if there were no size limits and no need to "prove" the claim (in the sense of exploiting it all). You can stake your claim by putting four pegs in the ground: the perimeter defined by those pegs is your claim. However the claim is only valid if nobody else has put any of their pegs in that area first.

    Patent claims work like a series of (mostly) concentric peg claims. Claim 1 pegs out the whole of Arkansas, but you don't really expect to get that one. Claim 2 pegs out the whole of Hazzard County, and you don't really expect to get that one either. Claim 3 pegs out 50 square miles, and you might get that one if you are lucky. Claims 4-6 are the most likely looking homesteads within claim 3, and claim 4 is where you actually start expecting to defend your property.

    So, look at the claims on the patent, and figure out which ones are just restatements of prior art. For example in the DVD content scrambling patent, claim 1 pretty much describes any PRNG. Claim 2 probably covers a lot of cryptographic PRNGs (it's not my field), and claims 7 and 8 cover the use of a PRNG number stream XORed with the data. So those claims would be covered by prior art and the MPAA is unlikely to contest them. They will concentrate on the later, more specific claims, such as the precise pattern of XORs in the PRNG.

    So if I were writing a DVD descrambler routine I would try to come up with an algorithm which evaded the detailed claims, and forget about claims 1, 2, 7 & 8, and any others with textbook prior art. If you could show a standard textbook as prior art then I would expect the suit to be declared vexatious. But IANAL, of course.

    --
    You are lost in a twisty maze of little standards, all different.
  6. You have two options: by Hobbex · · Score: 5

    IANAL, but this seems more or less clear:

    a) Stay down. Barring your own vanity, releasing something anonymously on the Internet is not that difficult. Put everything together nicely, and then send it to a mailing list or newsgroup on the subject through a Mixmaster or Cypherpunk mailing list. Leave spreading it to the power of the masses and of the Internet, by just creating it you have done enough.

    This means major paranoia though, possibly you are not careful enough even when submitting this to Slashdot. How sure are you that Rob and Andover are _really_ wiping the logs?

    Yes, it sucks to have to be anonymous to speak freely, but such is the nature of living in a non-free society (and I won't even dignify anyone who says we do with a reply). Possibly you could sign the message with a public key, so that when (if) freedom comes you can take credit for your work. Consider that possession of the private key would be very incriminating however.

    b) Make a martyr of yourself. Contact a lawyer, and maybe a charity that is ready to help you first. Then just go out and tell the truth, ready to be the case that gets taken to the supreme court. It's a risky strategy, but it is a lot more glamorous than the first, so some people may still prefer it (being a pompous asshole myself, I think I might). And at least in this case you have a better chance of the data actually becoming legal, so that using it is not thoughtcrime...


    -
    We cannot reason ourselves out of our basic irrationality. All we can do is learn the art of being irrational in a reasonable way.

  7. What gives people the right to do this? by grumpy_geek · · Score: 5

    One thing I've been trying to wrap my head around lately is, why do people believe they have the right to decompile and start distributing someone else's hard work? It seems to me that the mantra of the opensource movement is free as in freedom not free as in beer; and what these people are doing is reversing that and making it "free as in beer". Haven't people ever thought to work within the system... (use your most whiny voice) "oh, but it takes too long", "oh, they didn't want to the first time, so I'm going to make them", "we didn't have it for X platform and I want it now!", "oh, I'm a spoiled little brat who can't wait for something".

    Forcing a company to release source code really isn't freedom, it sure seems to me like strong-arm mafia tactics by snotty brats. Slashdot sure brings itself into a huge fit when a mention of the GPL being violated, now where is our moral outrage that someone is wanting advice on a premeditated violation of someone else's license.

    I don't really care if it's legal or not in their home country, I think it's morally wrong to force our opensource ideals onto companies by tactics slashdot would raise holy hell about if the roles were reversed. If a company doesn't want to release something opensource what right do we have to TAKE AWAY THEIR FREEDOM? I love opensource, I am a firm believer in giving back to the community; but this premeditated stealing of someone else's code I can't agree with.

  8. Documentation by uglyduckling · · Score: 5
    I have to agree with other posters: documentation is essential. I work in a (UK) lab environment where documentation is very hot. Off the top of my head, here are the guidelines we follow:
    • Lab books should be properly bound and have sequential page numbers
    • Each page should be dated and signed by the researcher and a witness/supervisor
    • Blank spaces should be crossed through and initialed/signed
    • Computer printouts should be glued in, not just kept on disk
    • Any crossings-out/deletions should leave the original text readable. No tippex/whiteout
    • Abbreviations should be kept to a minimum and explained where unclear
    That's probably not an exhaustive list, and the poster of the article may know this already. Hopefully it will be useful to somebody.
  9. First rule by Teliver · · Score: 5

    Document, Document, Document. The key to a good defense is to be able to prove HOW you did something. Keep a daily diary with the steps you've taken and plan to take. Document all results, and all versions of the code you are using. If you can prove that this was reverse engineered 'cleanly', then your legal problems will be much less than they would be. I'd also hire a good lawyer NOW. And not one that handles wills and property transactions. I mean one that understands copyright law. Good luck to you.