Security Researcher Condemned for Publication Vulnerability + Update
That the fine is suspended means that Guillermito will have to pay up if he continues to publish about the vulnerability and other software vulnerabilities. As a result he has taken the Tegam publication, and a dozen others, from his website. He writes:
No more demonstration of security software weaknesses. It's now forbidden in my country. On March 8, 2005, I was condemned for exposing flaws in the anti-virus software and publishing proof of concept programs to demonstrate them. That's exactly what I did for a dozen or so steganography programs, which often contained security holes so big you could pass a truck through.
So now you have to believe the editors' marketing. Welcome to DisneyWorld. All steganography programs are perfect, super-solid, unbreakable, undetectable, without bugs or flaws. They are all perfect. Use them. Hahaha. What a joke.
French news on the case (French)
At Copyfight they wonder about the legal provisions in play and this post has been Slashdotted, with some readers craving more details. I wrote them in the earlier post on the subject I referred to above. But to give a second overview, more related to yesterday's ruling, here's what I can additionally make out from a French account of the ruling. Read it if you're more fluent in French than I am. If you want to skip the following, be sure to read the end of this update; it throws a different light on the case:
-Guillermito has been convicted for counterfeiting, I presume under article L335.3 of the French Intellectual Property Code.
-The Court established that there was a reproduction of parts of the source code of the program, which characterizes the counterfeiting.
-The Court puts aside the exception of article L.122-6-1 of the Intellectual Property Code, because on the one hand Guillermito's handling was not aimed at solving compatibility problems, and on the other hand article L.122-6-1 requires that he who handles has a license and does not harm the author's rights. Here's part of the text of the article:
The full English text of the French Intellectual Property Code can be found here.
III. A person having the right to use the software shall be entitled, without the authorization of the author, to observe, study or test the functioning of the software in order to determine the ideas and principles which underlie any element of the software if he does so while performing any of the acts of loading, displaying, running, transmitting or storing the software which he is entitled to do.
IV. Reproduction of the code of the software or translation of the form of that code shall not require the authorization of the author where reproduction or translation within the meaning of item 1 or 2 of Article L. 122-6 is indispensable for obtaining the information necessary to achieve the interoperability of independently created software with other software, providing that the following conditions are met:
1°. these acts are performed by a person entitled to use a copy of the software or on his behalf by a person authorized to do so;
2°. the information necessary to achieve interoperability has not previously been readily available to the persons referred to in item 1, above;
3°. and these acts are confined to the parts of the original software which are necessary to achieve interoperability.
The information thus obtained may not:
1°. be used for goals other than to achieve the interoperability of the independently created software;
2°. be given to others, except where necessary for the interoperability of the independently created software;
3°. or be used for the development, production or marketing of software substantially similar in its expression, or for any other act which infringes copyright.
V. This Article may not be interpreted in such a way as to prejudice the normal exploitation of the software or to cause unreasonable prejudice to the author’s legitimate interests.
-The exception for private copying or short quotation was not taken into consideration.
-According to the interpretation in the French account I referred to above, Guillermito was probably convicted because he used a pirated version of the Viguard anti-virus software for his research. It is questionable whether the same outcome would have been reached if a legitimate version had been used.
This is enlightening, not least on my part. However, the tactics of Tegam stand (see earlier posting), and it raises another question: whether Tegam is actually using counterfeiting claims to effectively prevent the publication of Guillermito's research.
More subtle, but still a negative outcome for the ability to freely publish on security vulnerabilities.
The judgement in this criminal case is yet to be published. The civil court case will follow on April 12th.