
Reverse Engineering and Aarogya Setu App: Contracting Out of Fair Dealing?



We’re excited to bring to you a guest post by one of our former bloggers, Aparajita Lath. Aparajita is a lawyer based in Bangalore. In this post, she examines the legal enforceability of the prohibition on reverse engineering imposed by the terms of service of the Govt’s COVID-19 tracking mobile app Aarogya Setu, in light of the fair use rights of users under Section 52 of the Copyright Act, 1957. Her previous posts on the blog can be viewed here.


Aparajita Lath

The Aarogya Setu app, which was launched on 2nd April and has been made mandatory for certain sections of society, continues to raise several questions regarding effectiveness, security, privacy and technology. As of May 8, this app has 9 crore users and is one of the world’s top 10 most downloaded apps. Users are probably treating this app just like any other app. Given that it has been launched by the Government of India, the expectations of safety and reliability, for most such users, are presumably high.

The app, however, is not open source and the terms of service impose a blanket prohibition on reverse engineering. Due to this, independent auditing of the app by the community in general has not been possible. An ethical hacker has reportedly identified vulnerabilities but the government maintains that the app is safe. Security researchers and privacy advocates have argued that if the app is mandatory then people have a right to know what the app is really doing. For this, the app’s code should be opened/revealed for the community to understand its actual functioning. Reports state that the government is now planning to open source the code of the app.

While we wait for this, the terms of use of the app continue to prohibit ‘reverse engineering’. The term ‘reverse engineering’ is neither defined under the terms of service nor the Copyright Act, 1957 (‘Act’). In the context of software, it is a pretty technical term and could mean a lot of different things.

Software per se is entitled to thin protection as a ‘literary work’ under the Act. The Act also affords users several fair dealing rights with respect to computer programs, some of which permit reverse engineering of varying degrees. For instance, section 52(1)(ac) allows users to observe, study or test the functioning of the computer programme in order to determine its underlying ideas and principles while performing such acts necessary for the functions for which the computer programme was supplied. This fair dealing clause is a research exemption and permits users to unlock the functionality of the software, its underlying principles and ideas while loading, running, displaying or doing any other acts that are necessary for performing the functions for which the program was supplied. Reverse engineering is also permitted as per section 52(1)(ab) where the purpose is to obtain information essential for achieving inter-operability of computer programs.

Rajiv has discussed the concept of reverse engineering, in detail, on this blog here and here. SFLC has made reference to these reverse engineering fair dealing rights, the prohibition of reverse engineering in the Aarogya Setu app terms and the need to remove such a prohibition. Certain commenters have argued that section 52(1)(ac) cannot be read as a right to reverse engineer software – to them it is a ‘testing and integration’ provision. Section 52(1)(ac) is a clear research exception and not an integration exemption. This fair dealing right allows users to determine underlying ideas/principles of the software through monitoring the functions of the program. Ideas/principles are not copyrightable and users are permitted to test the software to reverse engineer the ideas/principles of the app. Section 52(1)(ab), on the other hand, is an integration exemption – since reverse engineering (which could include through decompilation) under this section is only permitted for integrating/achieving inter-operability of computer programs.

In any case, it is difficult to argue that the Act does not permit any kind of reverse engineering whatsoever. Since this term is a technical term, if the app wanted to prohibit certain kinds of behavior through reverse engineering, to begin with, reverse engineering should have probably been defined under the terms of service. Since it has not been defined and since the Act permits certain kinds of reverse engineering, can the terms of service of the app impose a blanket prohibition on reverse engineering i.e. make users contract out of their fair dealing rights?

Certain legislations, e.g. labour-related legislations like the Employees Compensation Act, 1923 (ECA) and the Minimum Wages Act, 1948 (MWA), explicitly prohibit employees from contracting out of the rights/benefits conferred on them by these statutes (e.g. Section 17 ECA and Section 25 MWA). The Act, however, does not expressly prohibit users from contracting out of their fair dealing rights. It can therefore be argued that private parties are free to contractually forego user rights (the right to reverse engineer) and that parties have the freedom to contract as they like.

However, the freedom to contract argument may be rebutted on the ground that this app is being imposed as mandatory and users have no meaningful choice but to accept the terms (whether reasonable or not). Further, it can be argued that any contractual provision that defeats the purpose of a statute or one which is against public policy is unenforceable (section 23 of the Contract Act). The Copyright Act grants ‘exclusive rights’ to authors/owners, but also imposes limitations on these exclusive rights that are in the nature of the user’s rights. Such a balancing of rights is not a mere default position, but a conscious policy decision of balancing competing interests. Further, statutory rights that are designed to serve a public purpose and which operate for the general benefit of the community should not be permitted to be waived by private agreements. Shamnad and Pankhuri have also highlighted in their response (pg 74 & 75) to a survey on copyright user rights that user rights cannot be contracted out of and have cited Delhi High Court and ITAT decisions which state that ‘holders of copyright are not entitled to impose any restrictions curtailing fair use’ and that any conditions put in a license restricting its fair or reasonable use will be ignored.

Making users contract out of their fair dealing rights is questionable, especially given the present context where such rights may serve a public purpose of identifying vulnerabilities with an app launched by the government, used by crores of people, that collects vast amounts of personal and sensitive information.

In addition to the above, given that ethical hackers are investigating this app and the government is committed to opening up the code, should this blanket prohibition be taken seriously if reverse engineering, to the extent permitted under the Copyright Act, is used to serve a public purpose?


[Edit: Please click here to view an update post by Aparajita on this issue.]

3 comments.

  1. Divij

    Thanks for the informative post Aparajita! I wonder how the fair dealing right intersects with the explicit prohibitions on altering source code under the IT Act (Ss. 43 and 66)? The scope of the right could possibly shield against infringement claims, but is it possible to shield against the *incredibly vague* punishments for source code tampering under the IT Act?

    1. Ayush

      Hi Divij, I believe that if one refers to Section 43(j), 65 and 66, there is a requirement of intention to do damage or harm to the software. Fair use for research purposes should but come under any violation.

  2. Aparajita Lath

    Hi Divij and Ayush, thanks for your comments. I agree with Ayush.

    I also wanted to point out that the terms of service treat tampering and reverse engineering as separate acts. Tampering is also prohibited.

    Separately, and since acts such as tampering have been brought up, I also wanted to add to my post above.

    Clause 3 of the terms of service provides:

    3. Use

    “You agree that you will only use the App in good faith and will not provide false or misleading information about yourself or your infection status. You agree that you will not do anything to throttle, engineer a denial of service, or in any other manner impair the performance or functionality of the App. You agree that you will not tamper with, reverse-engineer or otherwise use the App for any purpose for which it was not intended including, but not limited to, accessing information about registered users stored in the App, identifying or attempting to identify other registered users or gaining or attempting to gain access to the cloud database of the Service.”

    This clause seems to suggest that the terms of service intend to prohibit acts that:

    (a) use the app or the source code to cause damage / harm; and

    (b) use the app for unintended purposes.

    The clause does not prohibit the use of the source code of the app for acts that do not cause damage and for acts that are in pursuance of the intended purpose of the app.

    Reverse engineering for the purpose of research may not cause damage, but such acts could be acts which are not intended to the purpose for which users use the app. The intended use of the app is to ensure that people submit information to enable contact tracing. Reverse engineering does not fall within this purpose.

    While this ambiguity can be debated at an academic level where the clause is read like a statute, at a practical level, a user who is plainly reading the terms of service will mostly be deterred from exercising fair dealing rights because this clause prohibits reverse engineering. Researchers may therefore be deterred from reverse engineering and publishing results based on reverse engineering.
