Frenchman who published exploit codes that could take advantage of bugs in antivirus software allegedly violated copyright law.
Special to CNET News.com
A researcher who published exploit codes that could take advantage of bugs in an antivirus application could be imprisoned for violation of copyright laws.
In 2001, French researcher Guillaume Tena found a number of vulnerabilities in the Viguard antivirus software published by Tegam International, which is based in Paris. Tena, who at the time was known by his pseudonym Guillermito, published his research online in March 2002.
However, Tena's actions were not viewed kindly by Tegam, which initiated legal action against the researcher. That action resulted in a case being brought to trial in Paris. The trial kicked off on Jan. 4. The prosecution claims that Tena violated article 335.2 of the intellectual property code and is asking for a four-month jail term and a fine of about $7,900 (6,000 euros) . Additionally, Tegam is proceeding with a civil case against Tena and asking for about $1.2 million in damages.
According to Tena's Web site, his research "showed how the program worked, demonstrated a few security flaws and carried out some tests with real viruses. Unlike the advertising claimed, this software didn't detect and stop '100 percent of viruses.'"
Tena, who is currently a researcher for Harvard University in Massachusetts, said that Tegam responded in a "weird way" by first branding him a terrorist and then filing a formal complaint in Paris. During the resulting tribunal, Tena said the judge decided that because the published exploits included some re-engineered source code from Viguard’s software, he had violated French copyright laws.
According to French security site K-OTik, Tena had technically broken copyright laws because his exploits were "not for personal use, but were communicated to a third party".
However, K-OTik, which regularly publishes exploit codes, claims that the ruling could create a precedent so that vulnerabilities in software, however critical, could not be declared publicly without prior agreement from the software publisher.
K-OTik’s editors say the ruling is "unimaginable and unacceptable in any other field of scientific research".
On Tena's Web site, he claims that if independent researchers are not allowed to freely publish their findings about security software then consumers will be only have "marketing press releases" to assess the quality of the software. "Unfortunately, it seems that we are heading this way in France and maybe in Europe," Tena said.
"To use an analogy, it's a little bit as if Ford was selling cars with defective brakes. If I realized that there was a problem, opened the hood and took a few pictures to prove it, and published everything on my Web site, then Ford could file a complaint against me," added Tena.
Philip Argy, senior partner of the intellectual property and technology group at Australian law firm Mallesons Stephen Jaques, said that if a similar case was put to trial in Australia, the prosecution would be unlikely to get a conviction because of our "fair comment provisions."
"We have strong copyright protection as well as strong anti-hacking laws, but from what I can glean from the translations, all that Guillermito did was to publish the details of the parts of the code which contained serious bugs that made the software erroneously treat as a virus some legitimate software," Argy said.
The final ruling is set for March 8.
Munir Kotadia of ZDNet Australia reported from Sydney.