Analysis: Reverse Engineering and You

[What are the legal implications of reverse engineering games? Attorney Mona Ibrahim looks at the issue for Gamasutra, from consumer protections to EULA-based restrictions.] Let's begin with a story. Mallory the Mythical Developer and two of her good buddies are fans of Katarina's Conquest, a FPS loosely based on the Bolshevik Revolution of 1917. The game incorporates modern weaponry in a historical, beautiful, and immersive environment. October Industries, the developers of the game, had no idea it would be such a great success upon release. Its servers are, unfortunately, completely unable to handle the huge number of new users, and the game hasn't stayed up for more than thre consecutive hours since launch. So Mallory and her friends decide to host a private server where they can play the game with a handful of their other friends across the globe. This means no more worrying about the server shutting down. To do this, they will have to use reverse engineering to translate the game's network protocol so their game clients can communicate with the new server. Mallory, being an experienced and business-savvy developer, immediately recognizes that there may be some legal problems here. And Mallory is right: Reverse engineering can be a risky endeavor and shouldn't be attempted without first consulting an attorney. Below, I'll discuss what reverse engineering is, how it's accomplished, and, more importantly, when reverse engineering will put you and your development team at risk. What is Reverse Engineering? Reverse engineering of computer software is any method of studying a program for the purpose of obtaining useful and detailed information about the functional components and mechanisms of the program in question. The Supreme Court defines it as a “fair and honest means... [of] starting with the known product and working backward to divine the process which aided in its development or manufacture." This can be as simple as observing gameplay to determine the functional elements of the game's rule set or as complex as decompiling a file and analyzing its components to learn how ads are displayed across the game server. Tools used to reverse engineer a game include debuggers, disassemblers, and network protocol analyzers (packet sniffers). The essential function of these tools is to give the programmer access to data revealing the precise functions and mechanics of a program so those functions and mechanics can be reproduced with minimal or no use of the original source or binary code. This method of learning functions and processes has historically been viewed as fair game by most developers. Indeed, to some extent it is still protected under the legal doctrine of “fair use.” As a result, inventors in the field of technology and software have relied on reverse engineering for decades. For example, while the Copyright Act protects the three-dimensional patterns and designs of a microchip, it expressly allows the reverse engineering of those patterns and designs (referred to by the Act as a “mask work”) to analyze the concepts or techniques embodied in the chip. Using similar logic, courts have found that analyzing a computer program for the sole purpose of learning and reproducing its precise functions (provided those functions are not otherwise protected under patent law) is typically fair use. This does not, however, mean that all reverse engineering is treated equally under the law. In software development, the practice of reverse engineering has come under assault over the past several years. Copyright and the DMCA Anti-Circumvention Act Machine code and source code are protected as literary works under the Copyright Act. The copying of software code without permission is copyright infringement. Using any part of someone else's unique code in your own project, particularly non-functional code, without permission can give rise to an infringement claim. Sometimes during the process of reverse engineering, the programmer may want to copy a data file or the entire program. Typically that type of copying is not permitted under the Copyright Act, although there are a few, very limited, exceptions. For example, backup files are allowed for a legal purpose such as repairing or debugging a lawfully-owned program. Yet the Copyright Act's protection of computer software goes well beyond the question of whether you've copied anything. In fact, you don't need to copy any code at all to run afoul of U.S. copyright law. The anti-circumvention provision of the DMCA, 17 U.S.C. 1201, prohibits the circumvention of any technological measures that control access to any part of the work. It also prevents the distribution of software that enables circumvention of an access control. Circumvention under the Act means descrambling or decrypting a work, or otherwise bypassing, removing, deactivating or impairing any technological measure without permission. There are a few classic examples of such technological measures: Remember those old Sierra games that required you to input a word from a specific paragraph on a specific page of the user manual before you could play the game? That's an access control. Data file encryption is a more specific application of an access control. CD key and license key encryption are other commonly-used methods. Circumventing any of these methods to access the content is probably illegal under the DMCA -- but that isn't the only scenario where a programmer could find him or herself in hot water. This is relevant to Mallory the Developer's case too. If Mallory's new server doesn't provide the same safeguards that control access to the original game servers (like a CD key or a version verification protocol), then her own server is circumventing access controls to the online component of the game. Therefore, by distributing the program, means (such as DIY instructions), or code to access servers that don't use the game's original access controls, she would be violating the anti-circumvention provision. According to at least one court decision, this is sufficient to constitute a breach of 17 U.S.C. 1201 and thereby give rise to a statutory damages claim in the range of $2,500 to $25,000. This does not mean that all aspects of reverse engineering are prohibited under the DMCA. For instance, analyzing unencrypted machine code in order to translate those processes and functions to source code is generally permissible. But because the statutory definition of “circumvention” is so broad under the act, you should be mindful of any encrypted or otherwise protected data contained in a program file if you attempt to lawfully reverse engineer a process or function. There is one major exception to the DMCA: Bypassing or decrypting encrypted data files of a legally owned copy of a program for the sole purpose of making that program interoperable with other legal software (for instance, a different operating system) is expressly permitted under the DMCA. However, this right is personal. You can't distribute a way to bypass a CD key or other cracking or decrypting software to make that software playable. This is why most interoperability projects, such as the adventure game virtual machine ScummVM, require end users to legally own the games they make playable. They cannot legally provide a means of playing cracked games, even if the primary purpose of the project is interoperability. This is key: interoperability must be the only purpose. It is important to note here that this exception can be waived if you agree to a license that prohibits reverse engineering. Contractual Safeguards A less confusing but no less treacherous risk comes from contracts -- EULAs, NDAs, and other agreements -- that a programmer might subject him or herself to when licensing software. For years, courts have upheld contract provisions that limit the end user's right to reverse engineer a program for any purpose. Any form of agreement to a contract will suffice: click-wrap and shrink-wrap agreements are generally considered enforceable. For example, if Katarina's Conquest includes an EULA that expressly prohibits reverse engineering, and Mallory clicked the “I Accept” button when installing the program, then Mallory should probably abandon hopes of creating a private server by reverse engineering the client. A programmer can be liable for breach of contract and other causes of action for violating a EULA, including misappropriation of trade secrets, in addition to the possible copyright claims.. Pay close attention to the EULA of any game or program you want to reverse engineer. Even if you hope to reverse engineer the program for legal purposes, you would still be prohibited if you've accepted the EULA's terms in any manner. This includes purchasing a product with a shrink wrap license or clicking the “I Accept” button during the installation process. Privacy Rights A final consideration to bear in mind is data privacy. In most situations involving reverse engineering of a game, developers like Mallory and her friends would only want to monitor her client's network communications with the game server. However, if you're working on the kind of project where you inspect network packets that aren't yours, then you should be aware of certain privacy laws. The first is the Electronic Communications Privacy Act (ECPA), part of the Wiretap Act, (18 U.S.C. 2510 et. Seq.). Under the ECPA you can't intercept electronic communications, including data packets or any transfer of information between a client and a network provider, while that data is en route on a network unless you are the network provider (or a duly authorized government official authorized to access that information for investigative purposes). Violation of the ECPA could subject you to both civil and criminal liability. The second law is the Stored Communications Act (18 U.S.C. 2701 et. Seq. ). This act is designed to prevent unauthorized access to network service providers that allow the transfer of private electronic communications. You can be criminally liable for accessing data temporarily stored at those points without authorization. You can also be liable for exceeding your authorization and obtaining data to which you shouldn't have access unless that access is expressly permitted under the statute. Both of these laws are designed to prevent you from accessing private communications, including data packets sent over a network or temporarily stored on a network. For this reason alone, you should avoid reverse engineering projects that require monitoring communications you don't have permission to observe. Conclusion Reverse engineering isn't inherently illegal. As we've seen, though, it can involve a variety of legal issues. If Mallory and her friends move forward with their private server project they will need to determine their risk exposure and take steps to ensure that all aspects of the reverse engineering process is legally compliant. This isn't the type of project you want to pursue if you're risk averse; after all, reverse engineering is traditionally done for the purpose of recreating the useful functions of someone else's work. That alone can be enough to draw unwanted attention from content owners. If you still want to engage in a reverse-engineering project, you can mitigate your risk by contacting an attorney to learn steps you should take to protect yourself and your project. [Mona Ibrahim is a trademark, entertainment, and media law attorney based in Seattle, WA. She is Of Counsel with Imua Legal Advisors and her practice emphasizes copyright and trademark dispute resolution, IP registration, entertainment and media transactions, general business transactions, and employment law. Mona is an avid gamer and is dedicated to serving the gaming and game development communities by providing education, helpful strategy, and legal assistance when necessary. THE INFORMATION IN THIS ARTICLE IS FOR EDUCATIONAL PURPOSES ONLY. The content of this article is not legal advice. It only constitutes commentary on legal issues, and is for educational and informational purposes only. Reading this article, replying to it via comments, or otherwise interacting with this article does not create an attorney-client privilege between you and the author. No information you provide in the comments portion of this article shall be deemed confidential.]