Tuesday, January 11, 2005

Guillermito: Reverse Engineering & Scientific Research

After a delay of several months the trial against the French security researcher Guillaume Tena, better known under his pseudonym Guillermito, started last week. He his prosecuted under article 335.2 of the French Intellectual Property Code for counterfeiting, and may face a requested jail sentence of four months and a fine of 6,000 euros. The company that brought the counterfeiting charges, Tegam, also seeks damages of 900,000 euros in a civil lawsuit. An initial claim of concealment of counterfeiting was dropped in a legal struggle that started in 2001.

In 2001 Guillermito researches Tegam's Viguard anti-virus software and proves wrong its advertised claim that it detects and stops "100% of viruses". He published his research online, pointing out how the software worked, showing some security flaws, and what would lead form the basis of the current trial: reverse engineering of Viguards source code. On his site Guillermito, currently a researcher in molecular biology in the department of Genetics of Harvard University and the department of molecular biology in the Massachusetts General Hospital, explains:
The actual problem is that I coded and shared a few "exploits", ie the practical demonstration of my thorical analysis, which demonstrated the reality of the flaws I discovered, in a way that everybody could reproduce them on their own computer. The judge says that these demonstrations "reproduct and copy the code and structure of the Viguard software", hence the counterfeiting.
Troubeling about this case is that (unfavourable) security research may be squashed by copyrightsholders. It is reminiscent of the anti-circumvention Digital Millenium Copyright Act lawsuit with which Princeton University professor Ed Felten was threatened when he wanted to publish his research on weaknesses in the Secure Digital Music Initiative. Secure was, obviously, something that this Initiative was not, as Felten proved. In the end Felten was proven right in standing up to the legal threats, but the situation under the DMCA still hinders scientific (security) research. The Digital Media Consumer's Rights Act, a bill pending in the U.S. Congress, seeks to restore valid scientific research, but it is all but certain that it will ever see the day of light.

Uncertain is also what the outcome will be of the Guillermito trial, which deals with some different legal and factual issues. Set aside French IP law, which dictates the trial, Recital 50 of the European Copyright Directive states that the protection of technological measures, which hinder the use of software should:
Neither inhibit nor prevent the development or use of any means of circumventing a technological measure that is necessary to enable acts to be undertaken in accordance with the [copyright exemptions] of Article 5(3) [permission to do research into the ideas and principles underlying computer programs] or Article 6 [permission to decompilate] of [the Software Directive].
From the recital may be concluded that the development or use of circumvention devices for reverse engineering as a part of (scientific) research may not be prevented by technological measures. Of the subsequent publication of this research the Recital does not speak.

A factual issue, not part of the trial but seemingly of Tegam's scare tactics, is that Guillermito was accused publicly by the software company to be a "terrorist wanted by the DST (French secret service) and the FBI". This has not lead him to recluse in fear, but he is hardly optimistic of the outcome, scheduled for March this year:
Of course I'm going to defend myself, with the help of my (excellent) lawyer, but to be frank, I'm kind of pessimistic. It's so easy to impress judges with heavily connoted words like "virus", "pirate", "terrorist", "hacker", and it's so difficult on the other hand to explain the scientific method and the deep curiosity that makes us analyze how software works and find their flaws.
- - -
A link, for those willing to read a French report on the court precedings, or crippled translation thereof.
Tegam website

Later: The word is spreading: Techdirt, Slashdot and CNet report
Even Later: Ed Felten takes a (U.S. legislative) look at the case


Blogger Tweedledopey said...

Just wanted to let you know that it has also spread to Register

12/1/05 02:45  

Post a Comment

Links to this post:

Create a Link

<< Home