conference logo

Playlist "36C3: Resource Exhaustion"

Reflections on the New Reverse Engineering Law

Steffen Becker and Stephan Koloßa

Individuals conducting reverse engineering for research purposes face several legal issues arising from IP and competition law. The legislation has reacted by introducing a new law on trade secrets specifically allowing reverse engineering. While the new law is certainly an improvement, many questions still remain as to conflicts with opposing domestic laws as well as other possibilities to waive the permission. In this talk, we provide guidance through the jungle of the current legal situation from a techno-legal perspective.

Hardware Reverse Engineering (HRE) is common practice for security researchers in order to detect vulnerabilities and assure integrity of microchips. Following last years talk “Mehr schlecht als Recht: Grauzone Sicherheitsforschung” and from the standpoint of a research group regularly applying HRE, we asked ourselves about potential negative legal implications for our personal lives. Therefore, we consulted an expert who assesses the legal implications of our work.

For a long time, our law has solely protected the inventor of a product. Discovering the underlying technical details and mechanisms of, e. g. microchips, has been deemed illegal due to intellectual property (IP) protection laws. Only lately, the legislation has recognized the importance of cybersecurity that heavily relies on reverse engineering to find security gaps and malfunctions. Subsequently, Germany introduced a new trade secret allowing for the “observation, study, disassembly or testing of a product or object” in 2018. However, at this stage, several questions remain unanswered: Is it possible to restrict this freedom by, e. g. contractual agreements? How may the gained knowledge (not) be used? How do claims from IP holders from other legal systems such as the US influence our case?

The talk will shed light on these questions from a techno-legal perspective. Ultimately, it will give guidance for reverse engineers, demonstrating the boundaries of such new developments and highlighting the legal uncertainties in need of clarifications by literature and practice.