The do’s and don’ts of reverse engineering

GeneralCategory
6 min read
Paul Teitelman

The act of reverse engineering is very close to what curious children do to toys sometimes. They take it apart and look at how it was made to learn how it works.

With hardware, you’re literally taking a product apart piece by piece and studying it. With software, you’re taking apart all the lines of code. This can be done via:

  • Analysis through observation of information exchange
  • Disassembly using a disassembler
  • Decompilation using a decompiler

But when does reverse engineering become copying?

That is the legal and ethical question that has lingered since we first came up with the concept of reverse engineering.

What’s the big deal?

The issue in the business world is that you’re taking apart something that someone else built. Your goal might be to:

  • Make something similar, but different
  • Make something better
  • Make something compatible

This is where the legal and ethical waters get murky.

Whatever you do, you need to do it without duplicating trademarked property or processes.

It’s not quite copying someone else’s homework. It’s taking an essay apart, sentence-by-sentence, trying to understand why they wrote what they did and then creating your own original (enough) work.

2 do’s and 2 hard don’ts to keep in mind

To give you a better understanding of where the legal lines lie, here are some of the do’s and don’ts of reverse engineering.

  1. Don’t use anyone who has worked for the other company.
  2. Do use the clean room technique.
  3. Do acquire the product or software legally.
  4. Don’t use reverse engineering to create a knockoff.

Yes, reverse engineering is perfectly legal — if done correctly. A few tips:

1. Don’t use anyone who has worked for the other company

Be extremely careful in putting your team together.

Quite simply, if you’re trying to reverse engineer software developed by Company X, do not involve anyone who:

  • Has ever worked with or for Company X
  • Could conceivably have (or have access to) any insider information or documentation from inside the walls of Company X

This can be tough, as there is often a lot of overlap between competing companies.

We may joke that it’s scandalous when your company hires someone who has worked for the competition. But it happens all the time. Someone’s work with Company X makes them a great candidate for your company. It’s more about industry experience than it’s about insider information.

Reverse Engineering Restricted Area Sign
Using the ‘clean room’ technique helps prove you did not copy the product you examined.
Photo: Kelli McClintock on Unsplash

But do not let them have anything to do with this project.

This is why so many companies will farm out their reverse engineering projects to third parties. However, you still need to review and approve anyone who is going to be working on that team.

2. Do use the clean room technique

The term ‘clean room’ comes from the medical/pharmaceutical sector. It’s a room that is separate from every other in the building. Everything that goes in and out of that room is tightly controlled. The air is even filtered separately. It’s all done to prevent contamination of any sort.

One of the most famous examples of this was done by Phoenix Technologies Ltd. They sought to develop a BIOS for PCs that was compatible with the IBM PC's proprietary BIOS; a tall order that could get them in a lot of legal trouble if done incorrectly. So, they used the clean room technique.

Step No. 1

Picture two teams in two different rooms. The first team took apart and analyzed the IBM code. Next, they described it as thoroughly as possible without using or referencing the actual code. Think of it as a very complex game of Password.

Step No. 2

Next, the second team was made up of programmers who had no prior knowledge of the IBM code. Their job was to write a new BIOS, using only the first team's functional specifications.

They did it and they did it legally. Even if there was similar coding, Phoenix Technologies’ clean room technique could prove that no IBM code “contaminated” their process.

3. Do acquire the product or software legally

Reverse Engineering Man Holding Debit Card
Be prepared to prove that you paid for the object of your reverse engineering efforts.

Buy your product legally. Even if it’s protected by trade secrets, reverse engineering it can be lawful as long as it has been legitimately obtained — in other words, you bought it.

Sec. 103(f) of the Digital Millennium Copyright Act states that someone who has lawfully obtained the right to use a copy of a computer program can:

“...circumvent a technological measure that effectively controls access to a particular portion of that program for the sole purpose of identifying and analyzing those elements of the program that are necessary to achieve interoperability.”

However, nearly any user agreement will have some sort of verbiage to forbid this. For example, Apple’s Licensed Application End User License Agreement for iTunes clearly states that:

“You may not copy (except as permitted by this license and the Usage Rules), reverse-engineer, disassemble, attempt to derive the source code of, modify, or create derivative works of the Licensed Application.”

An end user license agreement (EULA) can trump copyright law in this area. Be very mindful of the measures that have been put in place to protect the given product or software’s intellectual property.

4. Don’t use reverse engineering to create a knockoff

Another big part of the legality of reverse engineering is the intent to create something unique and distinct, versus creating a very similar product with a new name and new skin.

Reverse Engineering Lawyer at Desk
Duplicate someone else’s product and you can expect a call from a lawyer.
Photo: Mateus Campos Felipe on Unsplash

Your reverse engineering has to be done the right way and done with the right intent. You can’t simply do it to create a copy of something that could conceivably confuse a customer into thinking this is Company X’s product.

This entire process is a tightrope that you need to walk very carefully. You need to protect yourself by making sure:

  • Your team doesn’t include anyone who previously had access to the other company’s trade secrets
  • Your methods are done “cleanly” with a process such as the clean room technique
  • You’ve paid for the product or software you’ll be taking apart legally

Finally, your intention must be to create something actually unique.

While reverse engineering is accepted and legal in the world of business, the slightest misstep can land you on the wrong side of the law. Be careful at every single step of your process!