Posted on Categories changes in law, cybersecurity

Will hackers get a gift from the EU?

Work on the new Trade Secrets Directive is approaching the end. One of the most contro­versial provisions of the proposal concerns information obtained through reverse engineer­ing—examining a product to determine how it was made and how it works.

Reverse engineering is generating an increasing number of legal disputes because it is often used to achieve controversial ends. This phenomenon has been regu­lated most comprehensively under copyright law with respect to decompilation of computer programmes. Some ambiguities in this area have been resolved through the case law, such as SAS Institute Inc v World Programming Ltd (Case C-406/10) before the Court of Justice of the European Union.

But the practice of reverse engineering raises many more controversies under regulations governing the protection of trade secrets. Firstly, it has not been definitively determined whether the use of reverse engineering to reach information which the manu­facturer regards as a trade secret should be analysed at all in terms of infringement of trade secrets. This is because reverse engineering is typically employed with respect to products which the producer has intro­duced onto the market. Therefore the products are disclosed and publicly available. On the other hand, reaching certain information about the technological solutions used in a product requires highly advanced and complicated procedures and cannot be done without specialised knowledge.

This dilemma has meant that, for example, there is still a debate in the American case law over whether reverse engineering can violate trade secrets. The matter becomes even more complex with the growth of the Internet of Things. The increasing number of devices connected to the Internet means a growing  interest in vulnerabilities in the systems of these devices. Discovering weaknesses can be as aspect of reverse engineering. This is also a highly sensitive issue, because manufacturers usually avoid publicising vulnerabilities. Consequently, they have a strong incen­tive to claim that information about vulnerabilities constitutes a trade secret.

A great many of these doubts may resolved in the EU when the planned Trade Secrets Directive is adopted. The latest draft (from December 2015) includes a vital provision in Art. 2a(1)(b), pursuant to which obtaining confidential information through actions falling within the general understanding of reverse engineering will be treated as obtaining trade secrets by lawful means (“observation, study, disassembly or test of a product or object that has been made available to the public or that it is lawfully in the possession of the acquirer of the information who is free from any legally valid duty to limit the acquisition of the trade secret”). A person who comes into possession of such information will be allowed to use it legally, including to disseminate the information. Additionally, even if the information is found to have been obtained unlawfully, its disclosure will still be permissible if justified by the public interest (Art. 4 of the draft).

The new regulations may lead to increased use of reverse engineering, which obviously is not good news for those—particularly in the tech field—who wish to keep confidential as long as possible their unique tech­nological solutions and concepts. It should be remem­bered, however, that the law still has regulations in force limiting reverse engineering with respect to com­puter programmes.