Information Security auditors are some times required to conduct a “Software Source Code audit” to find out if the software is reliable and does not have any malicious codes embedded there in which may violate the privacy of the user or commit any other frauds.
While such audits are normally conducted with the permission of the software supplier, many software vendors donot permit such audits since according to them it may compromise the intellectual property rights associated with the software. The software vendor may claim that the code is “Proprietary” and is subject to protection of copyright.
While some users may obtain and rely on the appropriate warranties and indemnities from the vendor and use the software in good faith, their faith has now been shaken by the Volkswagen fraud that has revealed that even reputed companies may resort to organized cheating if there are opportunities presented to them in the form of “Copyright protected software codes”.
The unsavory incident in which the Company manipulated the software element (More details on the modus operandi available here) to cheat “Emission Tests” has made it necessary for all software users and regulators to distrust the vendors of proprietary software and look for some means to conduct software code audits in the interest of its own security, even when the vendor does not permit it .
However there is one catch here. If a company wants to conduct a software source code audit despite the vendor not permitting it in the end user agreement, there could be not only violation of the contractual terms to contend with but also possible violation of the copyright Act. Contractual violation is easier to handle since there may be a protective clause in the same contract which may entitle the user to protect his own Privacy Rights. But violation of Copyright law is a sensitive issue and needs a deeper look.
Proprietary software is protected by copyright laws and any attempt to unravel the code could be treated as an offence under the Amended Indian Copyright Act or DMCA . The owners of such software zealously protect the secrecy of the code and may invoke these provisions if necessary. At the same time this right to secrecy may be used for incorporating back doors to extract data from the user end without his consent as well as to commit frauds like what Volkswagen did. In a software scenario, this may make the end user liable to some of its clients also. We can recall that some time back there was a report of some software manufacturer incorporating a bitcoin mining code in the software to produce bitcoins for the benefit of the software vendor at the expense of the user’s resources.
While Volkswagen type of frauds are punishable offences in India as “introduction of computer contaminants”, copyright is still a sacred cow and the last amendments to copyright act protect “Digital Rights Management” along with the right to introduce measures to prevent circumvention.
Under Section 65A of the amended Copyright Act,
“Any person who circumvents an effective technological measure applied for the purpose of protecting an of the rights conferred by this Act with the intention of infringing such rights, shall be punishable with imprisonment which may extend to two years and shall also be liable for fine.”
Any attempt to unravel the source code would also attract Section 65B which says
“Any person who knowingly, (i) removes or alters any rights management information without authority …… shall be punishable with imprisonment which may extend to two years and shall also be liable for fine.”
Hence an attempt to peek into the raw source code contained in an executable software may attract the penal provisions of the Copyright Act.
Though there are exemptions of this provisions for certain reasons such as “National Security”, which includes “Doing anything referred to therein for a purpose not expressly prohibited by this Act”, it is not clear if the exemptions cover the unpacking of the code for the purpose of identifying whether or not it contains any “Computer Contaminant” as defined under Section 43 of ITA 2000/8 which would also be a cognizable offence under Section 66 of ITA 2000/8.
However, a logic can be claimed that if there is any prima facie reason to suspect that the software is violating any provisions of law, then “For reasons of preventing commission of any cognizable offence”, a software source code audit/research can be done without attracting any adverse effect of the copyright Act.
It is possible that any software contract may provide a condition that the “Software shall not violate any provisions of ITA 2000/8”. If therefore there is a suspicion that there could be a possibility of such violation, we are actually having a legitimate reason for conducting a software source code audit.
It may however be necessary that the Company may have to build up some evidence to “Prove the Suspicion” before proceeding with such audits and also ensure that the audit is only to secure its interest and not to copy the proprietary information contained within the code.
Now that it is public knowledge that even a reputed auto manufacturer of the status of Volkswagen can incorporate “Trojans” and “Computer Contaminants” in proprietary software, users of any proprietary software have an immediate reason to check if the proprietary software they are using are bound by proper contracts of indemnity and right to conduct a source code audit.
If there is a reason to believe that any malicious code in the software could violate their own privacy or may impose legal liabilities on itself, the company can consider conducting software source code audit and defend against any challenge that can be launched under the Copyright Act. It is however necessary to document the reasons in a “Pre-Audit Study” and appropriate measures to ensure that the information is not misused either by itself or its employees in future.
If a company does not want to be that aggressive, it is necessary to identify the Volkswagen fraud as an indication of a “Threat” and as a compliance measure it may be worthwhile to get additional written assurances from the proprietary software vendors that the software does not contain any “Computer Contaminants as defined under Section 43 of ITA 2000”.