Software Reverse Engineering and Russian Law

On software reverse engineering under Russian law: analysis of legal norms, contractual practice and court practice in Russia.

This text is a translation of this article in Russian made by Valentina D.

This material is a look at software reverse engineering from the perspective of Russian law. In addition to the analysis of legal norms, examples of both contractual practice and court practice are given.

I propose to start considering software reverse engineering from the perspective of Russian law with the following abstract situation:

There is a computer program. There is a company that has acquired a license for such software and uses it in its activities. For some unknown reasons, the program is unstable on the company's servers. The company's management plans to commission a group of third-party specialists to reverse engineer this program to determine the causes of instability of its operation on the company's servers in order to eliminate them.

This situation is just one example of when the question of reverse engineering the required software arises. The reasons for this can be very different. A couple more abstract examples:

  • it is necessary to modify a program whose author is unknown, and there is no way to identify and contact him to discuss the program code;
  • in order to keep up with a competing company that has published a new release of its software, you need to quickly study what kind of code is contained in the latest version of the company’s software in order to make your product even better than theirs.

In short, there are many such reasons. And once you get down to business, not only the technical side of the issue arises, but also the legal side. Namely, is it possible, from a legal point of view, to engage in such activities at all? Is there any liability for the person who reverse engineered the program? And is liability provided for the one who ordered the work? As you understand, there will be a lot of such questions, so I propose to get to the heart of the matter.

If among the readers of this material there are those who are not very familiar with the term reverse engineering itself, then I believe it would be appropriate to immediately define what is meant by this.

Software reverse engineering refers to the following:

Reverse engineering is the study of a device or program, as well as its documentation, in order to understand the principle of its operation and, most often, reproduce a device, program or other object with similar functions, but without copying as such. [1]

Reverse engineering is the process of systematically disassembling a program (restoring its source text and structure) or a microcircuit to study the algorithms of its operation with the aim of simulating or repeating some or all of its functions in another form or at a higher level of abstraction, removing protection, studying algorithms, adding new capabilities, protocol recovery or error correction, etc. [2]

Reverse engineering is the process of analyzing an application to determine its functional characteristics, internal architecture and, in fact, its operation: modules, functions, algorithms. [3]

To summarize, it can be stated that reverse engineering of software is the process of examining the contents of a program by converting it into source code to determine its structure and principles of its operation.

If the question of the term itself can be considered resolved, I suggest turning your attention to the legal side of reverse engineering. The content of this side is presented in this material in the following sequence: legislative provisions, contractual practice, court practice.

Legal provisions

Let's start, first of all, with the legislative norms. This may surprise some, but such a phenomenon as reverse engineering is quite familiar to Russian legislation. It is discussed in Article 1280 of the Civil Code of the Russian Federation:

Civil Code of the Russian Federation (part four) dated December 18, 2006 N 230-FZ
Article 1280. Computer program and database user right
3. A person who legally owns a copy of a computer program has the right, without the consent of the copyright holder and without paying additional remuneration, to reproduce and convert the object code into source text (decompile the computer program) or instruct other persons to carry out these actions if they are necessary to achieve interoperability of a computer program independently developed by this person with other programs that can interact with the decompiled program, subject to the following conditions:
1) the information necessary to achieve the ability to interact was not previously available to this person from other sources;
2) these actions are carried out in relation to only those parts of the decompiled computer program that are necessary to achieve the ability to interact;
3) information obtained as a result of decompiling can only be used to achieve the ability to interact with an independently developed computer program with other programs, and cannot be transferred to other persons, except in cases where this is necessary to achieve the ability to interact with an independently developed computer program with other programs, and also cannot be used to develop a computer program that is substantially similar in appearance to the decompiled computer program, or to carry out other actions that violate the exclusive right to a computer program.

This legal norm makes it clear that reverse engineering is only legally permissible if certain criteria are met. I suggest you pay attention to the following:

  1. Lawful receipt of a copy of the program. An instance (copy) of the program that will be the object of reverse engineering must initially be obtained by any legal means.
    That is, purchasing software from an official digital app store is the right approach for reverse engineering. If an illegal (pirated) version of the program is downloaded on a torrent tracker, reverse engineering of such a program will be illegal.

  2. The goal of reverse engineering. The goal of reverse engineering should be to achieve the ability of the program (version of the program) created during reverse engineering to interact with other programs.
    That is, when the goal of reverse engineering is only to study a new version of a competitor’s product in order to understand how to implement similar functionality in your product, then such a goal, as a general rule, will point to the illegality of the reverse engineering carried out.

  3. Lack of necessary information in other sources. The information needed to achieve interoperability was not previously available from other sources.
    That is, if documentation for the program under reverse engineering is freely available somewhere on the Internet, and its content would allow achieving the effect that was achieved through reverse engineering, but that documentation was not found, then this fact can, with a high degree of probability, be used as evidence that the reverse engineering was illegal.

The remaining criteria can also be determined based on the text of the above article. But in any case, the matter is not limited to the provisions of the law. The practical application of this rule is expressed in both contractual and court practice.

Contract practice

In my opinion, reverse engineering has found its most widespread reflection in contractual practice in the form of a direct prohibition, enshrined in the texts of various agreements for the use of software products and services (EULA, ToS, ToU, etc.). This is quite expected: many copyright holders want to limit the user’s ability to research a program obtained under a license, and they express this restriction of the user’s freedom of action as such a ban.

A few examples from various texts of similar documents:

License Agreement for Kaspersky Rescue Disk 10
It is prohibited to decompile, disassemble, modify, or make derivative works based on the Software, in whole or in part, except as permitted by applicable law.

Skype Terms of Use
4.2 Restrictions. You must not take the following actions and undertake to refrain from:
<…>
(b) undertake, cause, permit or authorize modification, creation of similar products or improvements, translation into other languages, reverse engineering for reproduction purposes, decompilation, reverse assembly, decoding, emulation, tampering, recovery or attempt to recover source code, or protocols of the Software or any parts thereof or functionality of the Software, except when such actions are permitted by law;

License agreement for the use of the "2GIS Dialer" program
5.1. The user does not have the right to independently or with the involvement of third parties:
5.1.1. To open technology, emulate, create new versions, modify, decompile, disassemble, decrypt and perform other actions with the Program code aimed at violating the Program's protection system from unauthorized use, as well as obtaining information about the implementation of algorithms used in the Program.

RoboForm License Agreement
NOT PERMITTED: Consumer shall not: (a) remove copyright notices or restrictions from the program; (b) extract algorithms from the program or attempt to decompile the program.

In fact, such wording banning reverse engineering is a kind of legal safeguard for the copyright holder against user attempts to study the insides of a closed-source software product (proprietary software). And the guarantee of the user's compliance with such a ban is the prospect of various negative consequences for the user (from early termination of the license to recovery of the losses incurred by the copyright holder or monetary compensation for copyright infringement). By the way, in examples of foreign court practice (for example, the case Blizzard v. MDY Industries, LLC), the plaintiff’s position regarding the violated rights is based not only on copyright infringement, but also on the defendant's violation of contractual obligations (since it is assumed that the defendant, having started using the program under study, agreed to the provisions of its license agreement, i.e. became a party to contractual relations with the plaintiff as the licensor of such program).

As for the involvement of third parties (specialists with the necessary technical knowledge) to reverse engineer the software of interest to the customer, here the contractual relationship, in my opinion, boils down to the following:

  • if the performer’s actions ultimately involve the creation of results of intellectual activity (for example, when reverse engineering involves writing code and creating any programs, scripts, etc.), then a contract for the performance of work should be concluded (and if it is concluded with an individual, an author’s order agreement will also be applicable), specifying in it the status of the customer’s intellectual rights to the results of work under such an agreement;

  • if the performer’s actions do not imply the creation of results of intellectual activity (for example, if the program under study needs to be tested), in this case an agreement for the provision of services should be concluded.

By and large, there is nothing specific about such contracts: they differ little in content from other contracts for the performance of work or the provision of services in the field of software, so I propose not to dwell on them separately within the framework of this material, but to move on to the next part of the article.

Court practice

Of course, court practice is of the greatest interest on this topic, since through the prism of the conflict between the parties it allows one to trace both the interpretation and application of the law and the application of the provisions of the contract (in the event of a contractual dispute between the parties). This, in turn, allows you to draw certain conclusions for the future regarding the specific wording used (or planned to be used) in documents, its legal force and the practice of its application.

Speaking about the practice of Russian courts in relation to reverse engineering of software, I will immediately note that it has not yet managed to accumulate such striking court cases as other countries have (at least if we talk about those cases that were studied when preparing the text of this material). By striking cases, we mean proceedings such as Sega Enterprises v. Accolade, Atari Games Corp. v. Nintendo of America, Inc, Blizzard v. Internet Gateway, Inc (all – USA), Microsoft v. Vest Corporation (France), SAS Institute Inc v World Programming Ltd (UK). Nevertheless, in our Russian practice there are examples that are quite suitable for the topic under discussion and which are definitely worth paying attention to (see, for example, case No. 09AP-23848/2013-GK on the claim of StroySoft Firm LLC to the National Association of Estimated Pricing and Cost Engineering and Bureau of Economic Consulting LLC).

A review of court practice, I think, should begin with the following judicial document:

Resolution of the Plenum of the Supreme Court of the Russian Federation No. 5, Plenum of the Supreme Arbitration Court of the Russian Federation No. 29 of March 26, 2009 “On some issues that arose in connection with the entry into force of part four of the Civil Code of the Russian Federation”:

This resolution says precisely that, when determining the legality of reverse engineering a program, the question to be analyzed is whether the person who performed the reverse engineering legally owned a copy of the program or not. If the possession was unlawful, then most likely the outcome of the case will not be in favor of such a person. This is exactly what was mentioned above in the explanation of the first criterion for the permissibility of software reverse engineering.

Such a statement is actually duplicated in such decisions as, for example, the Decision of the Fifteenth Arbitration Court of Appeal of August 6, 2014 in case No. A32-42112/2013, the Decision of the Arbitration Court of the Kirov Region of March 28, 2014 in case No. A28-152/2014.

Further, the second point worth paying attention to: does a person have the right to engage other persons to perform reverse engineering, or must this person carry it out independently? The answer to this question can be found in the following court decision:

The decision of the Arbitration Court of the City of Moscow dated May 29, 2013 in case No. A40-10750/2013:

Within the meaning of Article 1274 of the Civil Code of the Russian Federation and clause 2 of Article 1280 of the Civil Code of the Russian Federation, research of a computer program, like any other object of exclusive rights, can be carried out either by the user independently or by any other person with special knowledge, but in the interests of the user, with his knowledge and consent. This is explained by the fact that research itself, by virtue of Article 1270 of the Civil Code of the Russian Federation, is not indicated as a method of using the object of exclusive rights and does not imply its alienation for compensation or other introduction into circulation.

That is, it allows us to draw the following conclusion: research of a computer program can be carried out either by the user independently or by any other person with special knowledge, but in the interests of the user, with his knowledge and consent.

Moreover, there is no direct ban on such research by one person and in the interests of another in the current legislation. This also follows from court practice:

The decision of the Ninth Arbitration Court of Appeal dated August 12, 2013 N 09AP-23848/2013-GK
There is no direct prohibition in current legislation on carrying out research in the interests of the user, with his knowledge and with his consent, by any person with the necessary special knowledge.

The same conclusion can be found in the above-mentioned Decision of the Arbitration Court of the City of Moscow dated May 29, 2013 in case No. A40-10750/2013.

Let's move on. If the agreement under which the program is distributed (which is an object for reverse engineering) does not say anything about the right of the user of such a program to carry out reverse engineering, then is it permissible to carry it out without securing such a right in the content of the agreement or not?

The answer to this question can be found in this resolution:

Resolution of the Eleventh Arbitration Court of Appeal dated October 25, 2012 in case No. A55-13189/2012
The conclusion of a license agreement means that the user of the program has the right to perform in relation to it the actions provided for in Art. 1280 of the Civil Code of the Russian Federation, as well as other actions stipulated by the contract and related to the operation of the program. <...> This agreement, unlike other license agreements, is not subject to the rules established by paragraphs 2 - 6 of Article 1235 of the Code.

A similar answer, by the way, is contained in the above Resolution of the Plenum of the Supreme Court of the Russian Federation and the Plenum of the Supreme Arbitration Court of the Russian Federation dated March 26, 2009 No. 5, 29 "On some issues that arose in connection with the entry into force of part four of the Civil Code of the Russian Federation."

Interestingly, there is a court practice according to which making corrections to identified software errors may be a violation of the rights of the copyright holder:

Resolution of the Federal Arbitration Court of the North-Western District dated June 07, 2013 in case No. A13-6254/2012
Clause 6.6.1 of the said license agreements restricts the licensee's right to perform actions: disassemble, decompile (convert object code into source code), adapt and modify programs and other software components. <...>

Having examined and assessed the evidence presented by the persons participating in the case in accordance with the rules of Articles 65 and 71 of the Arbitration Procedure Code of the Russian Federation, including contracts concluded by the Company in 2010-2011 for the provision of software maintenance services <...>, the courts found that the changes to the software, <...> correction of identified errors in the software <...> without the consent of the copyright holder <...> will lead to a violation of the exclusive right <...> to the result of intellectual activity.

According to this logic, an attempt to eliminate errors in a program (in order to ensure its functioning for oneself in the right way, without errors) independently, without involving the copyright holder himself, can lead to liability. Then it turns out that in the case of reverse engineering, in order to comply with all the criteria of legality provided for by the above paragraph 3 of Art. 1280 of the Civil Code, it will be necessary to have a justification that independent (meaning, without the involvement of the copyright holder himself) elimination of errors was necessary to achieve the ability of the copyright holder’s program to interact with other programs.

The next point: if reverse engineering of the program under study is performed only for the purpose of checking whether such a program is the object of a rights violation, then is reverse engineering permissible for such purposes?
In this situation, not everything is so simple. Of course, a lot depends on the specific circumstances of the case, but the following example from practice (which was already discussed above in the text) suggests that research of the program for the purpose of such verification and for collecting evidence by the defendants in their defense was a legal action:

The decision of the Ninth Arbitration Court of Appeal dated August 12, 2013 N 09AP-23848/2013-GK
<...> the study of the program was carried out by the defendants within the framework of a bona fide and justified need, solely for the purpose of fulfilling the obligation to prove claims in accordance with Article 65 of the Arbitration Procedure Code of the Russian Federation, did not have the purpose of creating any negative consequences for the plaintiff and did not lead to such consequences.

In my opinion, this is a fairly significant judicial act, from which we can conclude that the study of a third-party program for the purpose of collecting evidence may well be recognized as a lawful action in relation to the program under study (and therefore as not violating the copyright of its rightholder).

Therefore, for those who are interested in this topic in detail, I recommend that you familiarize yourself with the case of the claim of StroySoft LLC v. the National Association of Estimated Pricing and Cost Engineering and Bureau of Economic Consulting LLC: read the Ruling of the Ninth Arbitration Court of Appeal dated August 12, 2013 N 09AP-23848/2013-GK and other documents on it.

Conclusions

As for the general conclusions on court practice on the subject of the matter, it is worth noting the following:

  1. Since the courts determine whether the program that was the object of reverse engineering was obtained for research legally or not, this is the aspect to pay attention to first of all. If it turns out that it was obtained illegally, then most likely no other arguments will help the researcher's defense;
  2. The research can be carried out by the user himself or by any other person, but with his knowledge and consent. Therefore, if a third-party specialist is involved, it will be necessary to confirm the existence of such knowledge and consent;
  3. Reverse engineering a program to collect evidence may be considered a legal action.

Find out more about legal issues in software reverse engineering (in the US) in the Coders’ Rights Project Reverse Engineering FAQ.

Author's note.

  [1] Dictionaries and encyclopedias on the Academic website // http://dic.academic.ru/dic.nsf/ruwiki/1070713, accessed: 01.10.2016.
  [2] Multitran // http://www.multitran.ru/c/M.exe?l1=2&l2=1&s=Reverse+engineering, accessed: 08.10.2016.
  [3] Anna Andreeva, "Reverse engineering in the context of desktop and mobile application security" // http://www.a1qa.ru/blog/revers-inzhiniring-v-kontekste-bezopa, accessed: 05.10.2016.