to our next talk. Our next two speakers are Stefan Becker and Stefan Kolosser. Stefan Becker holds a master in IT security and is a research assistant and PhD candidate at the Embedded Security Group at the Ruhr University Bochum Horst Görtz Institute for IT Security. Stefan Kolosser is also a PhD candidate at Ruhr University since 2017 at the Institute for International Law of Peace and Armed Conflict. Stefan passed his first legal state exam in 2014 and is now, among other roles, a legal advisor to the project "Legal Implications in Hardware Reverse Engineering", in cooperation with the Horst Görtz Institute. The two will talk about the potential legal implications of a new trade secret law which has been introduced in Germany in 2010. So let's give a warm welcome and applause to Stefan Becker and Stefan Kolosser. Yeah, hello from my side. Thank you very much for being here actually. I have to say that the time of the day is a bit late for a lawyer, but I think it's just the beginning for everyone here. So, indeed, we are Stefan and Stefan and we want to talk to you about some reflections on the new reverse engineering law that actually has come into place this year. So it's kind of a brand new law. And the implications for reverse engineering are actually quite huge. Now, as a little disclaimer, we are not giving you an in-depth legal analysis because it's not possible. Every case differs. Every case is a different situation, for example. And in law, all the details count. So that means that we can only give you a broad overview about the developments, about the law in general. And then we will give you a little bit of a guideline maybe in the end to be on the safe side. Of course, you might be challenged by some lawyers or some lawsuits, but in the end I can already say that you shouldn't worry too much in this regard. And first also a little apology for the translators and interpreters because legal terminology is really hard to translate.
So, where appropriate, I will just use the German and the English version, or vice versa. And yeah, let's start. Okay. Hello and welcome from my side as well. So the question is why are we actually here? And the answer is it's my fault. So I watched last year's talk, "Mehr schlecht als Recht: Grauzone Sicherheitsforschung", from some researchers from three different universities who reverse engineered a software which claimed to provide absolute security. And of course, they didn't believe in it. And then after like pre-publishing the paper about their research, they got a lot of legal trouble. First of all, they got a declaration to cease and desist. I had to look this up. Unterlassungserklärung in German, from the company producing the software, which if they would have signed it, would have been the same as an employment ban for them because it wouldn't allow them to possess tools for decompilation, like to install IDA Pro on their computer. So of course, they didn't sign this declaration. And then the whole thing went in front of the court. Yeah, this was in total like more than one year of personal legal trouble for them. But in the first instance of the court, there was already a settlement where the company then paid for the legal fees. And the researchers said, okay, like the next time we go through a responsible disclosure process. But the question which arose for us as a research group, as an embedded security research group, is what the legal situation of researchers utilizing reverse engineering here in Europe or in Germany actually is. So I want to give you some background about the research history at my group, at the embedded security group at Ruhr University, which now moved to the new Max Planck Institute in Bochum. So we have a long history on like reversing embedded devices such as smart cards or electronic locking systems or even like satellite phones. And more recently we are taking a deep look into hardware, into chips.
And we apply reverse engineering on the one hand to understand like the reversing process and to do research about the reversing process itself. And on the other hand, we want to understand better if we can do malicious manipulations to hardware such as hardware trojans. Yeah, and thankfully, we also have like an interdisciplinary research graduate school, which is where Stefan comes into place. So there we have people from other disciplines who think about IT security. And even better, we also have lawyers there who understand a lot of security. So we approached Stefan to give us some legal counsel on the research project, which I will introduce very briefly. So this is about hardware reverse engineering and we deal with proprietary chips, which are protected by a lot of patents. And what we want to do is like reverse engineering, so we decapsulate it, we do images of it. And then we want, for example, to extract a netlist or to extract some higher level description. And we want to know if this process is legal. So could you answer that question for me? Well, it's a bit difficult, but I can try. So first of all, he came to me with that question. And given that, like, this IP law or competition law, for example, is not exactly my core area. But I was really intrigued by your question. And then I dug into the topic. And now I came up with the answer. And actually, I can say clearly and definitely: it depends. So let's look at the relevant areas of law. So we don't unfortunately have one book or one code of law that we can look into that gives us the definite answers. So we have different areas of law, such as intellectual property law, for example, and competition and trade secret law. Intellectual property law, again, has some different sub-branches, such as trademark law, patent law, for example. We have copyright laws and so forth. So the legal situation is a bit complex.
And the potential consequences could be also severe if you get involved with one of those laws because sometimes you have only civil procedures that you have to face. It means that you have to pay maybe damages or compensation for loss of profit, et cetera. And the number of euros can get really high for that. Thank God we have no punitive damages, unlike in the U.S., for example. But also more importantly, sometimes you have criminal procedures or criminal charges that you might be threatened with if you infringe, for example, semiconductor laws. And that's why the question of is it legal or not is not just a simple question of, yeah, probably, or most likely, but exactly a serious one. So let's look at the first act of law. This is the Semiconductor Protection Act. And yes, that exists because we have a law in Germany for everything, also for semiconductors. And the main idea is actually it's parallel more or less to the patent law. The semiconductor act wants to protect three-dimensional structures of microelectronic semiconductor products. And it is not my invention actually to phrase it like that, but it is a legal definition of a topography that I took from the law. So if you look into the law yourself, it's not really long, so you can just read it at night, for example, as a good-night lecture. And you will always find the word topography, and it is unfortunately this kind of definition. So here the idea is that the topography is protected, but only the topography as such. So only this three-dimensional structure of microelectronic semiconductor products. That also means that information that is stored on that, like firmware, any kind of other information, is not protected by this act, so it's not protected actually by the registration. And the basic rule is simple. You must not reproduce one of the topographies.
So if you do that, if you reverse engineer, for example, and put it together again and try to work it out, it's actually prohibited, like per se, under the basic rule. That's pretty unfortunate because it's exactly what we want to do. Well, we have a fortunate clause that gives you an exception actually. So the exception is found, again, this is a legal terminology, in section 6, paragraph 2, number 2. And there it says that reproductions of the topography for the purposes of analysis or education are not protected. So that means, simply, as a kind of background, that, of course, you want to protect the intellectual property, but at the same time, you have the freedom of research protected under our constitution, for example. And that means that there must be some kind of exception for researchers, for universities, for institutes that serve the aim of knowledge, of making the product even better, or closing security gaps or something like that. So for researchers, we have this exception clause, and actually under the Semiconductor Protection Act, at least you're fine for that. Okay. Arguing with the constitution is always a good way? It is, actually. It is. Now, let's go to the second law that could come into play. Let's say you don't have the Semiconductor Act in place. You might be involved with a patent act, with a patent-protected product, which is sometimes protected not by one single patent, but by several patents at the same time. And here again, the idea of the law is simple. They want to protect the technically innovative invention, the intellectual property. And again, here, the basic rule is simple. You must not unauthorizedly use the product that is protected by the patent. So if you have an authorization, it is fine. If you don't have a legal per se definite authorization to use it, you must not do so. Quite simple. But again here, this is actually parallel to the Semiconductor Act.
We don't have an absolute protection, but the patent is not protected against actions for experimental purposes. Now, here again, the wording differs. And for lawyers, the wording is always really important. But again, the background of that is that you want to protect, actually, research. You want to protect the ones that don't want to use the knowledge that they gained for maybe bringing up a competitor's product or to use it per se against the other company, but actually who just want to make maybe the product safer or want to debug it or maybe find any kind of malware on it. So for that, you have an exception clause. And also in the jurisprudence, this term of experimental purpose is usually widely interpreted. So it is for everything that has to do with gaining new knowledge on a technical uncertainty. So whenever maybe, because as a patent, you have to describe when you register your patent how your product works in quite some detail. But, for example, there is maybe a legal uncertainty somewhere. You can just dig into that problem and do research on that. And for that, also maybe infringe the patent. So that is fine. So also under the patent act, you're fine. A bit different was at least the situation under trade secret law. And that is the main law that has changed. Also, that's why we do this talk, actually. First of all, the idea of trade secrets comes with the competition law. That's anything that is protected in a kind of like de facto or de jure way, for example, and that can be used against the competitor in unfair use, for example; there's protection against using the secret. So what is prohibited is actually the acquisition of a secret, in order to use it against a competitor and most likely in an unfair way. That's why also the former unfair competition acts comprise these rules. And especially in section 70, it was said that it is generally prohibited to use any kind of trade secrets.
So why am I affected by this? I think I'm not a competitor of the hardware vendors and the hardware manufacturers. That is absolutely true. But at the same time, what the law wants to make sure is that the trade secrets are actually protected in a most absolute way. So especially right now, maybe not so much with regard to the old law, but with the new law, any kind of person could reveal actually this kind of trade secrets and any kind of natural person could be the infringer, in theory at least. And especially this area of law has been awarded a lot of attention lately, because sometimes you have now some kind of information, some kind of maybe even firmware or something like that, that is not protected by the patent or that is not protected by the semiconductor act or something like that. So the IP law falls sometimes short. And then what can come into play is simply trade secrets. Also with regard to the distinction, of course, where normally in the patent law, for example, you need to disclose all the information that you have, the trade secret actually gives you the opportunity to just keep the secrets and not disclose anything regarding that kind of information. So it's a different mechanism of protection. And regarding that, we had an EU regulation adopted in 2016 already. And it's quite detailed, actually a quite detailed regulation under the EU, and there is a time limit, because it's a regulation. So it needs to be adopted and transferred into national domestic law by the member states. That time limit for adoption and for transferring that regulation was June 2018. And Germany decided not to play by the rules and not to stick with the deadline. But it finally adopted the domestic law in April 2019. A bit later, but better late than never. Because now we have quite harmonized rules on trade secrets.
And that is important because you used to have a quite diverse situation in France and the UK and Italy and Germany. So sometimes certain things are protected in one state, but not in the other. So especially when you work in an EU environment and not just locally in Germany, that is really handy. So the trade secret acts. Usually it was a bit of a difficulty to define actually what is a trade secret. And that has been an issue for decades, I would say. Now it is defined as information that is not generally known among or readily accessible to persons within the circles that normally deal with the kind of information in question. Also legal terminology, sorry for that. Then the information must be subject to reasonable steps to keep it a secret. And there must be a legitimate interest to keep it a secret. Usually that interest is simply the secrecy being of commercial value, for example. Now the problem here is already what is a trade secret for reverse engineers. Because especially we have this requirement of information that is subject to reasonable steps to keep it a secret. But again, reasonable is an indefinite terminology, an indefinite word. So here we need some clarification. And actually, if we look back into the history already under the old law, it was not really, it had some kind of comparable approach to it. And we can look back, for example, to 1935, to the Reichsgericht, where there was a shoe press case involved, or Stiefeleisenpresse in German. And the idea was that a competitor of that producer, who produced that shoe press, actually wanted to acquire the shoe press for a cheaper price, but the producer declined and then they just tried to reverse engineer that shoe press. And to reverse engineer the hardware, the mechanism of how that worked. And then, so finally, the case ended up in front of the court. And the court decided several issues.
And first of all, it kind of tried to define what is a trade secret and what are actually reasonable steps to keep that information a secret. But also, it didn't end up really lucky, because again, it decided that it depends on the reasonable amount of time that you need to do the reverse engineering process, or the reasonable effort that you put into the reverse engineering. So in the end, we aren't really clear on what is actually reasonable or not. But at least for our case, when you deal with hardware, with chips, for example, computer chips, to hardware reverse it, it's, I think, most likely very time consuming and costly. So that can be regarded as a trade secret per se for that purpose. So in general, for reverse engineers, it always depends on the simplicity or easiness of the reversing act. But in the end, at least for the hardware reversing on chips, that will certainly be met, I think. Now we have the prohibition, maybe a bit more broadly construed than before. So a trade secret must not be acquired through unauthorized access to relevant documents subject to the control of the trade secret owner, so some kind of spying is, for example, prohibited, and through any other immoral conduct. And actually, immoral conduct sounds a bit weird in that perspective sometimes. But also in this shoe press case, the court had to decide whether this reverse engineering was in the end immoral or not. And decided that yes, it was. So here again, actually, we had the question of is reverse engineering per se immoral conduct or not. But the good aspect is right now that we have a new rule that points out that actually reverse engineering, at least under the trade secret act, is legal or is lawful. Because right now we have a specific rule that says the acquisition of trade secrets is lawful by the means of observation, study, disassembly or testing, which means reverse engineering. And the product, that's another requirement, the product has to be made available to the public.
Actually, that's the most important alternative here of that phrase. So whenever actually the good or the product is on the market publicly available, then it is available to the public. So everybody can buy it. And then you can do research on reverse engineering, for example. This might be a bit different when, for example, certain companies are being made the offer, for example, to pre-test certain kinds of products. That might be a bit different there. But at least as soon as it's publicly on the market, purchasable for everyone, or by everyone, then it is subject to section three. So that's actually the very good news. So in the end, I would say that we have, first of all, a good idea right now that intellectual property law protects reverse engineering. So it is not against it. We have competition and trade secret law that at least right now specifically allows for it. And that also allows for another debate that actually exists amongst lawyers, because certainly, this is true for hardware reverse engineering. If you do software reverse engineering, it might be a bit different because you're subject to the copyright act, for example. So there are a bit different rules sometimes. Also the main idea that reverse engineering is not prohibited per se, that is also true. But here, also, when it comes to hardware plus firmware, then you might end up sometimes with software and with the copyright act, it might be a bit difficult. But again, also the main idea is that reverse engineering is lawful. And wherever there is an uncertainty right now, people or the lawyers say that whenever there is uncertainty on the intellectual property law side with regard to reverse engineering, then it must also be interpreted as legal because we have now the specific rules in the new trade secret law. So actually, that law is quite important for reverse engineering right now.
And it's also a good, actually, a highlight, I would say, in the future debates of IP law and related fields. So in general, the outlook is quite good, I would say. So in the end, as a guideline for research, it's actually quite simple, because first of all, keep calm and do your research. So don't be afraid of any lawyers that will come up. I mean, certainly, some lawyers will try. And maybe they will succeed in some cases, but usually overall, again, they shouldn't. Then what the law does not provide for actually, but we should do, is follow the responsible disclosure process. In general, with regard to the trade secret act, for example, it does not really differentiate between the reverse engineering act per se, so the information that you gain out of the act, and what you do afterwards with that information. So to say, in terms of research, you want to publish it in a journal, for example. So is that allowed or not? Well, it's not clearly said so in the code. But because we don't have this kind of distinction in the code, it's most likely also legal. Because we have now this general allowance in the know-how law, so to say. So in general, it's most likely also legal if you just publish it in a journal. But nevertheless, to be on the very safe side, you should follow a responsible disclosure process. And also you have made some good experiences with that so far, right? Yeah, recently, in our group, we made some good experiences with responsible disclosure. So a colleague of mine found like a hardware vulnerability, where like millions of devices are affected, which will be in the market probably for at least 10 or 20 more years. And then like those big companies as hardware manufacturers, they have mechanisms in place to disclose responsibly. And the experience my colleague made was that he got an answer within just two days from the company.
And they asked for a technical write-up, then they needed a little more time to confirm this technical write-up actually. And afterwards, on the one hand, they sent the vulnerability to their customers under NDA. They didn't disclose how it actually works. But they told the customers, okay, there is a vulnerability in our products. And on the other hand, right now, we are coordinating like the publication of the paper and the publication of the vulnerability together with the company. So like some of those like bigger companies have mechanisms in place. I don't know how it is for, you know, like small German Mittelstand companies. They might never answer to your responsible disclosure. But nonetheless, you should do it and you should give them some time at least before you publish. And just in case maybe you end up in an emergency situation, that you maybe get a nice letter in your mailbox, and it's from an opposing attorney that tries to sue you, for example, then also keep calm and just ask a lawyer. Because first of all, if maybe you're threatened by a horrendous sum that you should pay or something like that, don't be afraid of that. First of all, because if you go to a lawyer and just ask him for a first round of advice, this per se, so the costs of the lawyer per se, they're not super high. Actually, they're also covered by law. So it must not be higher than 190 euros plus tax. And so that is also a good side. And then in the end, also, because you have quite a good law on your side, if you do hardware reverse engineering, then if you win the case, for example, then also the opponent, the losing side, actually pays all the fees for the lawsuit. So that's also a good part. Of course, it doesn't solve all the problems because especially certain areas are not very clear in terms of jurisprudence. They also have to maybe discover this law.
But at the same time, also, and I think that's also a point that we could take from last year's talk, was that the judge, even though they ended up with an agreement, but the judge actually mentioned that the case against our colleagues was quite weak. So in the end, I think they wouldn't have won the case. I think the opponent's attorneys wouldn't have won the case, but it would have looked really good for the researchers. So as a summary, it's actually a good point that security research overall is taken into broad consideration by lawmakers. That also holds true for other areas. We have a different regulation that specifically deals in the recital with the permission of the patent or the copyright law infringement, for example, if you do research on encryption or something or decryption. So that also, if it's regarding cybersecurity, these kinds of aspects, the research on that is usually largely protected by now. It has several instances where that was mentioned. So overall, it shouldn't look so bad. Of course, that's no guarantee, like in front of the court and in the law, and on the high sea, you're in God's hands. So you never know, of course, but if you follow the guidelines, actually, and if you just keep calm, there shouldn't be so much of a problem. Thank you very much. Thanks for your legal advice. Yes, so thank you, Stefan and Stefan. And we actually have a few minutes for your questions. Yeah, maybe there are some, I suppose. If you have a question, please just use the microphones here, one, two, three. And we start with a question from microphone two, please. Hi, thanks for your talk. I wanted to know what if I develop tools for reverse engineering and I want to sell them or release them, am I in some way liable or like, should I be scared?
So selling, so maybe selling it, like in general, on the market, not just to others? No, in general, no, because in the end, always the one who does the research or the reverse engineering actually is supposed to display or declare that their research or what they're doing is for the purpose of research. So whenever they use maybe your tool, that you used on solid grounds, for a different purpose, then it's up to them actually, that they maybe infringed patent law or whatever. But the reverse engineering product per se should not be illegal actually, no. Thank you. Okay, thanks. And mic number three, please. Hello, yes, thank you for your talk as well. I was wondering if a vendor specifically states in their terms of service that disassembling, reverse engineering and decompiling of the product is not allowed. Is that something that this talk that you just gave supersedes? Like, how strong are the terms of service in a legal way? Excellent question. In general, always what you want to do, of course, if let's say the law prohibits a certain act, then you want, by an individual contract, to just prohibit that behavior. And that happens quite frequently, especially in the general terms of agreements. Now, you mentioned decompilation. So if it's regarding software, it might be a problem if you really decompile software because that's actually not reverse engineering that is allowed. Like that's what I said, software is a bit different sometimes. But if you have a clause that says you must not reverse engineer basically, or you must not study or, like the law, for example, phrased it, this clause will most likely not hold up in court, because if it's a general term of agreement, the court can decide on the lawfulness of this kind of general term. So not if it's an individually discussed contract, but if it's like these general terms of agreement. And then the court must also decide whether some kind of clause is against a basic legal idea.
And right now with regard to the trade secret law, it says really clearly that reverse engineering must be allowed. So when it then infringes that really clearly stipulated rule, actually, then also that general term of agreement would not hold up in court and such. But again, with regard to software, there's sometimes some kind of exception. So especially with regard to decompilation, that might be a bit different. But that's the general thing. All right. Thanks. We go to mic number two, please. Yeah, hello. So you talked mostly about hardware reverse engineering, but often what you do when you hardware reverse engineer something is you extract some data from inside the chips and then you end up with a sequence of bits and those bits usually encode a computer program. So the rest of the reverse engineering then deals with software. So you didn't talk about the computer programs directive, I suppose that's relevant here. As far as I remember, that one allows you to do some things, but it's very strict about publishing things. So for instance, publishing the result, the information that you gain through decompilation in the cases where you're allowed to decompile. So I'm wondering if, the moment you start analyzing the bit stream that you've extracted, you're then in software land already, or if you can use the hardware rules. Yeah, also an excellent question. And we were also discussing that a bit beforehand. Yeah, if you end up with software, that could be protected by the copyright acts. So we have a good sense. And there you have one rule also that this kind of basic reverse engineering is allowed, but you also have another rule that says you must not decompile. So in the sense, if you just translate or produce some kind of source code in toto, but completely, that would be regarded as decompilation. And that is only legal if you want to enhance interoperability with different systems.
If you don't do that, actually, then it's a bit problematic and most likely prohibited. So but on the other hand, if you do maybe some kind of black box testing, so not decompile the whole code, but maybe use only more specific areas of black box testing, then also this kind of reverse engineering on that part is not regarded as decompilation. So then you're also out of that rule. And then also again, it holds true that reverse engineering is legal. So it depends on the exact sort of circumstances actually. Yes, I have one question to our signal angel. Do we have any questions from the internet? Okay, well, so then we go over to mic one, please. In your answer to the first question, you said that if someone used a tool that was originally meant for some other benign purpose and used it to reverse engineer something, the toolmaker would not be liable. So what if the toolmaker specifically said, okay, this tool can be used to reverse engineer X, Y, Z. I have never done this, but I think it might work. Would they still not be liable? Well, you mean, in the end, the one who does the reverse engineering with that? No, no, the person who makes the tool, not the person who reverse engineers. Well, if that tool is also potentially a perfectly legal tool to use for reverse engineering, and then the other person just misuses it or abuses it, that is actually totally fine at that point. Even if you say you can break the law with that? Well, you shouldn't do so. I would never say that out loud, of course. I mean, don't get yourself into even the discussion of the trouble. So just avoid any kind of that and only like state and stipulate that you're doing it for research and hardware reverse engineering or reverse engineering in general. Thank you. Yes, we have one last question, I assume, from mic number two. Yeah, so I will use this for two questions.
So as a researcher, I'm generally allowed to reverse engineer products, which is good news. So first, does anything change if I make this documentation publicly available? So I reverse engineered a piece of hardware that only falls under patent law. And now I publish these design files for free under a free license on the internet. Is that legal? And also here there's a little discussion. Because it is clearly legal if that information is part of intellectual property law. There is one discussion that says this kind of information is also some kind of know-how protection. So also in the direction of a trade secret, more or less. If you interpret it, and that's not completely clear yet, but most likely it is actually also intellectual property and not know-how protection. So if you maybe have this hardware infringing on the patent rights and then you publish it in a journal or something like that, that is most likely also legal in that regard. Yeah. But there is this internal discussion actually amongst the lawyers, whether it's know-how or whether it's simply intellectual property. Well, I could publish it on GitHub and then link in my paper to that. Is it still legal? Well, in general, I would say yes, without liability here. But yeah. And second, how do I qualify as a researcher? I mean, can I do the research just by myself and claim I am a researcher and just doing it for the matter of science? Whatever I qualify as science? Yeah. So throughout the different areas of law you have really broad terminology in that regard. So of course you're on the perfectly safe side if you work with an institution like a university or an institute, something like that. If you do it completely privately, well, there's another exception clause that if you do that simply for private purposes, but that would include that you don't publish anything.
If you just do it for the research, at least you must state what kind of expectations you have to acquire new knowledge or maybe to solve a kind of a mechanical problem or something like that. So you cannot just broadly state that I'm doing research, whatever that is, but I'm doing research. But you need then at least to specify what is your expectation, your findings, what you want to do actually, what you want to achieve with it. And then it can also be regarded as research as such. Cool, thanks. And that wraps it up. Unfortunately we're running out of time and let's all say thank you again to Stefan Becker and Stefan Kulossa for their talk and let's give them a warm round of applause.