Actions
Forum Thread Details
  • Replies 54 replies
  • Subscribers 534 subscribers
  • Views 4769 views
  • Users 0 members are here
Related

Do you have a right to privacy of your source code?

cstanton

As an individual, if you write a program and share the binary of that, should the expectancy be that you share its source code?

You might not want to share the source code, for example, you can very easily be judged based on that source code, both professionally and personally.

I've known people purposefully not post their code on Git Hub because they know employers will scrutinize and judge it, and in fact others observe how many 'regular commits' you do. Whether or not such judgment is fair is out of scope, but it's certainly something that's in the public eye at that point.

So perhaps you release a compiled binary because you want to help, but you don't want to invite conversations about the code, make it publicly displayed, or maybe there are other reasons.

However, someone comes along, decompiles the binary, reverse engineers it with ida pro, and releases the source code - citing that they have every right to do that, and now everyone can see the code, even though it's against your wishes.

Who was in the wrong? Or was no one in the wrong? Does it go to copyright since there was no license? Or was there an implied license?

There certainly appears to be a strong sense of justice among those online, that insists "it's just code" and "there's a right to transparency".

But there feels like there's something here that may not stand up to this scrutiny and this cavalier attitude of someone's work. Comparatively in the art world, someone creates a piece of art, and recently those components are being re-used in the case of AI (stable diffusion) and there's an uproar, but aren't they just laying the components bare? Maybe the analogy doesn't quite fit, but it certainly feels like for some reason code, by some, is treat differently to other mediums. Even though there are patents, copyrights, licenses, etc.

It could be difficult or even impossible for an individual to do something about this without financial backing, too. Especially compared to companies.

What do you think?

Edit: If you're picking up on spelling errors rather than the topic and context of the post, you're easily distracted. ;)

Parents

  • This is a tricky one, but short of having a license agreement which forbids it, I can’t see reverse engineering being a problem.

    Imagine you go to a burger joint and order a burger to take away. Nobody’s going to stop you from photographing the burger, taking it apart and cooking one just like it at your own home. Furthermore, short of signing anything, nothing stops you from sending bits of it to a chemical lab for analysis. Learning from others is a way of innovating and improving – Hungry Jacks copied the Big Mac with their Big Jack and that was fine. In return, a McFeast was introduced which has very similar composition to the Hungry Jacks Whopper.

    Copyrights have been thrown around, but even moral copyright only protects the form of expression. So if you provided the binary blob, it just means I can’t go exploiting that binary blob like-for-like. But if I disassemble it, it could be argued as being a transformational process (i.e. conversion from binary to source) which is often something considered sufficient to avoid copyright claims.

    One way you can get around this to some extent is by technical countermeasure – obfuscating the source and making it difficult to analyse is something that games publishers have often done in the name of DRM and anti-cheat. That can frustrate the effort of reverse engineering sufficiently if the intent is to stifle those seeking to emulate your innovation. It comes at a cost, but it also affords legal protection in some jurisdictions (e.g. DMCA would consider encryption a countermeasure for example).

    Regardless, the flip-side of the coin must also be considered – not releasing the sources because one is secretive is something companies often do when they suspect the code could open them up to legal challenges from valid forms of protection, be it copyright or patents. How is a patent-holder to enforce their rights reasonably without the use of reverse-engineering? The legal process is long and expensive …

    In fact, reverse-engineering is explicitly protected and permitted by some jurisdictions – e.g. the DCMA expressly permits it for the case of enabling interoperability or compatibility.

    I think this link is a good start: https://www.eff.org/issues/coders/reverse-engineering-faq

    - Gough

Reply

  • This is a tricky one, but short of having a license agreement which forbids it, I can’t see reverse engineering being a problem.

    Imagine you go to a burger joint and order a burger to take away. Nobody’s going to stop you from photographing the burger, taking it apart and cooking one just like it at your own home. Furthermore, short of signing anything, nothing stops you from sending bits of it to a chemical lab for analysis. Learning from others is a way of innovating and improving – Hungry Jacks copied the Big Mac with their Big Jack and that was fine. In return, a McFeast was introduced which has very similar composition to the Hungry Jacks Whopper.

    Copyrights have been thrown around, but even moral copyright only protects the form of expression. So if you provided the binary blob, it just means I can’t go exploiting that binary blob like-for-like. But if I disassemble it, it could be argued as being a transformational process (i.e. conversion from binary to source) which is often something considered sufficient to avoid copyright claims.

    One way you can get around this to some extent is by technical countermeasure – obfuscating the source and making it difficult to analyse is something that games publishers have often done in the name of DRM and anti-cheat. That can frustrate the effort of reverse engineering sufficiently if the intent is to stifle those seeking to emulate your innovation. It comes at a cost, but it also affords legal protection in some jurisdictions (e.g. DMCA would consider encryption a countermeasure for example).

    Regardless, the flip-side of the coin must also be considered – not releasing the sources because one is secretive is something companies often do when they suspect the code could open them up to legal challenges from valid forms of protection, be it copyright or patents. How is a patent-holder to enforce their rights reasonably without the use of reverse-engineering? The legal process is long and expensive …

    In fact, reverse-engineering is explicitly protected and permitted by some jurisdictions – e.g. the DCMA expressly permits it for the case of enabling interoperability or compatibility.

    I think this link is a good start: https://www.eff.org/issues/coders/reverse-engineering-faq

    - Gough

Children
  • in reply to Gough Lui
    Gough Lui said:

    This is a tricky one, but short of having a license agreement which forbids it, I can’t see reverse engineering being a problem.

    There definitely appears to be a line drawn here and in your example, between reverse engineering something, and then iterating upon a new version of that and making it anew. Which is somewhat protected in various ways, and reverse engineering something, or decompiling it and then simply sharing that source code without permission or rights to do so.

    My takeaway is that there are still nuances in the sweeping statements of "all code should be shared regardless" where perhaps it shouldn't be, but looking at it is fine.

  • in reply to cstanton
    cstanton said:
    Which is somewhat protected in various ways, and reverse engineering something, or decompiling it and then simply sharing that source code without permission or rights to do so.

    But the process of reverse engineering itself could be argued to be transformative as machine code is being converted into sources (and this is not always a 1:1 process). Furthermore, if the output is annotated - variables named rather than automated output, it does add value ...

    And even if it wasn't and if the issue was copyright, some countries also have exceptions for research, documentation and critique under a fair dealing or fair use clause. A case could be made that this is a "study" of the program and its modes of operation.

    I feel like if your intention is to hide the code, you really shouldn't be letting the code out of the door in any form - this is where a lot of companies have gone to the SaaS route and instead provide API access to their algorithms. This way, the only thing that could be done is a "black box" style test, and even that may be forbidden/rate-limited etc. If you can execute it, the code obviously will exist for analysis - the same can be said for any webpage (and the issue around rewriting the code of a page for ad-blocking, adding features, etc). Obfuscation and technical countermeasures mostly frustrate, but sometimes they are used for legal protection measures - e.g. YouTube invoking DMCA over youtube-dl over the breaking of their (mostly trivial) rolling cipher.

    There are nuances - but there's also a lot of money for lawyers to make ... I kinda feel like the two may not be entirely unrelated.

    - Gough