The legal boundaries of reverse engineering in the EU

By Arne Vidstrom

May 19, 2019

It's not easy to find detailed and practical advice about the legal boundaries of reverse engineering in the EU. People who work in the field aren't lawyers, and the lawyers don't know much about the technology involved. I've worked in the field professionally for years, and I've also taken a few university-level courses in law, but please take into account that I'm no lawyer. For a US perspective, I recommend the Coders' Rights Project Reverse Engineering FAQ from the EFF.

Relevant sections of the EU Directive 2009/24/EC

Directive 2009/24/EC controls the legality of reverse engineering in the EU, and I'll start by quoting the relevant sections. [1]

Article 5 (Exceptions to the restricted acts) paragraph 3 states:

The person having a right to use a copy of a computer program shall be entitled, without the authorisation of the rightholder, to observe, study or test the functioning of the program in order to determine the ideas and principles which underlie any element of the program if he does so while performing any of the acts of loading, displaying, running, transmitting or storing the program which he is entitled to do.

Article 6 (Decompilation) has two central parts:

1. The authorisation of the rightholder shall not be required where reproduction of the code and translation of its form within the meaning of points (a) and (b) of Article 4(1) are indispensable to obtain the information necessary to achieve the interoperability of an independently created computer program with other programs, provided that the following conditions are met:

(a) those acts are performed by the licensee or by another person having a right to use a copy of a program, or on their behalf by a person authorised to do so;

(b) the information necessary to achieve interoperability has not previously been readily available to the persons referred to in point (a); and

(c) those acts are confined to the parts of the original program which are necessary in order to achieve interoperability.

2. The provisions of paragraph 1 shall not permit the information obtained through its application:

(a) to be used for goals other than to achieve the interoperability of the independently created computer program;

(b) to be given to others, except when necessary for the interoperability of the independently created computer program; or

(c) to be used for the development, production or marketing of a computer program substantially similar in its expression, or for any other act which infringes copyright.

An interpretation of the EU Directive's Article 5

As you can see, two different views of reverse engineering are handled separately by the Directive. First, Article 5 focuses on reverse engineering in general, and then, Article 6 focuses on decompilation specifically.

Article 5 gives you the right to "observe, study or test the functioning of the program in order to determine the ideas and principles which underlie any element of the program."

A few conditions must be satisfied, however. First, you need "the right to use a computer program," which means that you have acquired the program lawfully. [2]

Second, you need to do the reversing "while performing any of the acts of loading, displaying, running, transmitting or storing the program [...] entitled to do." This phrase "ensures appropriate limitation of the permitted acts which can be performed by the legitimate user to observe, study or test the functioning of the program" according to an EU report. [3]

Unfortunately, the report doesn't specify these "appropriate limitations" further. One obvious limitation is decompilation, which is covered separately by Article 6. Another possible limitation is the contents of the licensing agreement. However, there is a ruling from the European Court of Justice (the supreme court of the EU) that states [4]:

Consequently, the owner of the copyright in a computer program may not prevent, by relying on the licensing agreement, the person who has obtained that licence from determining the ideas and principles which underlie all the elements of that program in the case where that person carries out acts which that licence permits him to perform and the acts of loading and running necessary for the use of the computer program, and on condition that that person does not infringe the exclusive rights of the owner in that program.

[...] decompilation does not permit the information obtained through its application to be used for the development, production or marketing of a computer program substantially similar in its expression, or for any other act which infringes copyright.

It must therefore be held that the copyright in a computer program cannot be infringed where, as in the present case, the lawful acquirer of the licence did not have access to the source code of the computer program to which that licence relates, but merely studied, observed and tested that program in order to reproduce its functionality in a second program.

All this means that as long as you only reverse engineer a program by doing experiments and observing how it functions, you are probably on the right side of the law. It doesn't matter if the license agreement says that you aren't allowed to do so, because such a requirement is null and void (unenforceable) according to the law in the EU.

An interpretation of the EU Directive's Article 6

Decompilation is a particular case, covered by Article 6. It's only legal without permission if you need to "achieve the interoperability of an independently created computer program." It's also illegal to use decompilation even in that case without a valid license to use the program (1 a), or if the necessary information is already available (1 b).

Decompilation is defined in EU law as "the conversion of program code into a higher-level programming language that can be read by a human." [2]

The definition of decompilation is a bit problematic because it's unclear if it includes disassembling a program. The definition uses the concept "higher-level programming language," not "high-level programming language." The target language must also be readable by a human, which assembly language is. On the other hand, the previously mentioned ruling from the European Court of Justice makes a distinction between having access to the source code and merely studying the program:

[...] decompilation does not permit the information obtained through its application to be used for the development, production or marketing of a computer program substantially similar in its expression, or for any other act which infringes copyright.

It must therefore be held that the copyright in a computer program cannot be infringed where, as in the present case, the lawful acquirer of the licence did not have access to the source code of the computer program to which that licence relates, but merely studied, observed and tested that program in order to reproduce its functionality in a second program.

Disassembly is positioned right between two clear-cut cases. On the one hand, we always have the right to determine the ideas behind a program through general experimentation with it. On the other hand, we aren't allowed to decompile a program to determine the ideas behind it.

This leads us to a concept called "the idea and expression dichotomy", which means that copyright law isn't meant to protect ideas, but only the expressions of the ideas. The Directive states it like this in Article 1:

Protection in accordance with this Directive shall apply to the expression in any form of a computer program. Ideas and principles which underlie any element of a computer program, including those which underlie its interfaces, are not protected by copyright under this Directive.

The European Court of Justice has also stated [4]:

[...] to accept that the functionality of a computer program can be protected by copyright would amount to making it possible to monopolise ideas, to the detriment of technological progress and industrial development.

Even Article 6, which generally makes decompilation illegal, hints that the "expression" is in particular focus:

2. The provisions of paragraph 1 shall not permit the information obtained through its application:

[...]

(c) to be used for the development, production or marketing of a computer program substantially similar in its expression, or for any other act which infringes copyright.

However, if the idea and expression dichotomy principle were the only interest to defend, decompilation wouldn't be illegal in general.

We can get a clue from a report the Swedish government published when it was about to incorporate the EU legislation into Swedish law. The report states (my translation) the following on pages 129-130 [5]:

It is generally not possible to determine the ideas and principles behind a software program through mere observation of how the program functions. To that end, it is necessary to translate the machine code to source code. This is called decompilation.

Even if the ideas and principles of a software program do not have copyright protection [...], they will be protected because the copyright law will make them unavailable for study. There is disagreement about this point, however, but there is no doubt that universal rights to reverse engineer would lead to weak protection for developers. It would only concern the expression of the software; this for products needing considerable work and investments.

If we are to believe the report, it works like this:

Weak reverse engineering methods, like observation, experimentation, and so on, are legal because 1) the idea and expression dichotomy principle suggests so, and 2) they aren't going to threaten the investments of software companies.

Decompilation is illegal even if it only focuses on uncovering ideas because it's a threat to the investments of software companies. On the other hand, it's legal to use decompilation for interoperability, and the reason is to safeguard the competition in the software industry.

Where does this leave disassembly? I haven't been able to find anything specific about it. My interpretation is that disassembly is probably legal in general because 1) the idea and expression dichotomy principle suggests so, and 2) it's usually way too hard to fully reverse engineer a commercial software product using only disassembly. My conclusion is also supported by the ruling of the European Court of Justice but only expressed indirectly. [4]

Practical advice

Many methods of reverse engineering seem to be completely legal in the EU, but here are a few rules I follow myself:

1) Always make sure you have acquired the software lawfully.

2) Never decompile software unless you do it for interoperability purposes.

3) Never decompile software for interoperability purposes if the information is already available.

4) Never decompile more of the software than necessary for interoperability purposes.

5) Never reveal the decompilation results to others except for interoperability purposes.

6) Beware that disassembly is a borderline case and might pose a risk if you use it for purposes other than interoperability.

7) Never share disassembled code with others - the code is copyright protected.

8) Never include the disassembled code in your own software - the code is copyright protected.

References

[1] Directive 2009/24/EC

[2] Summary of Directive 2009/24/EC

[3] Report from the Commission to the Council, the European Parliament and the Economic and Social Committee on the implementation and effects of Directive 91/250/EEC on the legal protection of computer programs

[4] Judgement of the Court (Grand Chamber) in Case C‑406/10

[5] Proposition 1992/93:48