Can a controlled attack on a computer system to identify its security weaknesses violate copyright or trade secrets?
A great many public institutions and enterprises, including those in public trust sectors, base their operations on IT systems. These systems are used for processing vital information, such as personal data of citizens and customers and financial data. On top of that there is the Internet of Things. Homeowners can use a smartphone app to adjust their window blinds, lighting, heating or oven from anywhere in the world.
Purposes of pentests
This all makes verification of the software used in these areas increasingly important. Specialised testing is not limited to checking the external layer of a device, visible to the user, but requires some intervention in the programming. Such testing is used to identify weaknesses in the security system: to check the level of security, identify possible malfunctions in a device using certain software, and spot errors in the programming logic. Tests of this type are referred to collectively as “penetration tests” or “pentests.”
Can pentesting have an impact on intellectual property rights, and if so, what are the consequences for the pentester?
Pentests and copyright infringement
Although pentests are as a rule conducted on systems accessible via an Internet connection, this does not exclude copying of the source code of the tested software onto a data carrier (e.g. on a hard drive or memory card, or even copied out by hand on a piece of paper). Duplication could also involve making a permanent copy in the operating memory. For this purpose, the duration or form of the copying, or the fact that only a fragment of the code is involved, is irrelevant.
It also cannot be ruled out that in order to conduct tests, a pentester will translate the software code from the form of source code to the form of output code (compilation) or, more frequently, in the other direction (decompilation).
It is also conceivable that the pentester could make changes in the source code (typically output code), e.g. by cracking the security of the software, causing the software to behave differently than intended by its creator.
In Poland, the scope of copyright to software is specified in Art. 74(4) of the Copyright Act. It covers, among other things, duplication or alteration of a computer programme. So it cannot be ruled out that pentests could intrude on the exclusivity of copyright. But two different scenarios should be distinguished.
A pentester is hired under a contract to conduct penetration testing. Such tests are ordered for example by banks, ministries or municipal offices. The idea is to conduct controlled attacks on their systems and identify vulnerabilities. In this case the scope of interference with the software should be specified in the contract, or in the procurement terms of reference in the case of public institutions. The pentester is then operating with the consent of the copyright holder. Consent excludes copyright infringement.
It is important to ensure, however, that the contract for pentesting carefully describes the scope and method of testing. From the customer’s point of view, provisions protecting the confidentiality of the information obtained from the testing (including information about vulnerabilities and programming errors) are also crucial. The contractor will want to ensure that the customer waives any claim for copyright infringement connected with interference with the software. Equally important are provisions governing liability for potential negative consequences of the tests, e.g. losses to third parties. Another issue that is often overlooked is the intellectual property rights, e.g. copyright and know-how, to the test results, such and documentation and reports.
The pentester is not hired to conduct the tests, but is an interloper. Then the pentester is acting more like a hacker. He attacks the software without the authorisation of the copyright holder. He thus intrudes into the exclusivity of the copyright holder, even if his intention is only to identify weaknesses and errors and then bring them to the holder’s attention so they can be corrected. Is there any way to avoid copyright infringement in this scenario?
First, it may be determined whether the pentester’s actions (regardless of their legal character) fall within any of the exclusions provided in Art. 75 of the Copyright Act, particularly two allowed techniques of reverse engineering: “reverse analysis” (Art. 75(2)(2)) and “permitted decompilation” (Art. 75(2)(3)). Under certain conditions, these are permissible and will not constitute copyright infringement. The first technique involves “observation, examination and testing of the functioning of the programme,” but it must be intended to learn the concepts and rules on which the programme is based, and the analysis must occur only during the course of “introduction, display, application, transfer or storage” of the computer programme. To exclude infringement, the pentester’s activity must not result in modification of the structure of the programme or translation of the form of the programme. The second technique may be used only to obtain information necessary to ensure interoperability of programmes, and its use is subject to a number of additional requirements. It thus appears that typical pentesting may exceed the bounds of both of these techniques.
Second, it may be considered whether the volunteer action of the pentester qualifies as assuming the tasks of another person without being commissioned to perform them under the conditions set forth in Art. 752 and following of the Civil Code. But an attempt to exclude infringement on this basis would not appear to be justified.
Third, in recognition of their mutual interest, the pentester and the copyright holder may decide after the fact to enter into a contract for conduct of penetration testing, ratifying the tests already performed. Then the same rules for construction of the contract as discussed under scenario 1 would apply.
Pentests and infringement of trade secrets
Whether penetration testing can violate trade secrets is controversial. First it must be considered whether information about vulnerabilities in programming is subject to any protection as a trade secret at all.
At this juncture, we should mention “back doors”—vulnerabilities introduced into software intentionally (typically for subsequent exploitation). These should be distinguished from accidental weaknesses or holes which the creator was unaware of. Why is this distinction relevant? Under Art. 11(4) of the Unfair Competition Act, information constitutes a trade secret if it meets three conditions: it has economic value, it has not been publicly disclosed, and necessary measures have been taken to maintain its confidentiality. In the case of “back doors,” the holder undoubtedly wants to maintain their confidentiality and prevent leaks. The case is different with unintended weaknesses, which the holder is not even aware of and thus can hardly have taken steps to maintain their confidentiality. It may seem paradoxical that the latter are not protected as trade secrets. But even in this case it may be said that the functioning of the software as a whole has been maintained in confidence. Thus it cannot be ruled out that unauthorised pentests may in certain instances result in infringement of trade secrets pursuant to Art. 11(1) of the Unfair Competition Act, if the information about vulnerabilities is used by the pentester, for example disclosed on an Internet forum. It also cannot be ruled out that in certain instances merely obtaining the information could constitute a violation of trade secrets.
Apart from this, it may also be considered whether unauthorised penetration testing could be held to be an act contrary to law or fair practices (i.e. violating Art. 3(1) of the Unfair Competition Act). On the other hand, some information is unprotected out of consideration for the public interest, for example if it is a method of cheating customers.
Moreover, the pentester should remember that if he is also a user of the software he is testing, he will typically be bound by a licence agreement which prohibits conducting this type of testing. Then the penetration could give rise to contractual liability on the part of the tester—even if it does not constitute an act of unfair competition.
Authorised penetration testing is a highly specialised type of testing. In Poland, it is still regarded as a niche area. Beyond intellectual property issues, it can also lead to consequences in many other areas of law, e.g. criminal law, data protection and privacy, particularly when conducted without the consent of the owner of the software.
In the case of pentests conducted with consent, it is important to remember to conclude a properly constructed contract. Beyond the usual contractual provisions, it should specify the scope of the tests, the method for conducting them, the rules for maintaining the confidentiality of the information and liability for any negative consequences of the testing, and also address the intellectual property rights to the works generated by the testing.