Speaker: Robert Carolina (ISG Senior Visiting Fellow and Origin Solicitors, UK)
Robert Carolina has been a Senior Visiting Fellow with the Information Security Group at Royal Holloway, University of London since 1999, and is also a Director with the Origin law firm in London. He is a graduate of the University of Dayton (BA Political Science, 1988), Georgetown University Law Center (Juris Doctor, 1991), and the London School of Economics and Political Science (LL.M in International Business Law, 1993). He is admitted to practice as a Solicitor in England & Wales, and as an attorney-at-law before the US Supreme Court and the courts of the US State of Illinois. In his legal practice, Robert advises clients of all sizes with respect to creating, protecting, procuring, licensing, selling, distributing, deploying, using, and managing a wide variety of information and communication technologies – including cryptography-based products.
Title: Megamos Crypto, Responsible Disclosure, and the Chilling Effect of Volkswagen Aktiengesellschaft vs Garcia, et al
Abstract: (This seminar is based on a paper by R Carolina and K Paterson.)
On 25 June 2013, the English High Court granted a preliminary injunction restraining publication of an academic research paper in the field of cryptographic research. The case concerns an academic paper by university researchers who discovered a weakness in the Megamos cryptographic algorithm used in automobile immobilisers. The article accepted for publication would have included details of the crypto algorithm. The algorithm, however, is claimed as a trade secret. The researchers obtained the algorithm through reverse engineering a publicly available third-party product called Tango Programmer. The court concluded that Tango Programmer was not derived from a legitimate source. The court went on to decide that the infringement of free speech was outweighed by the need to maintain the security of millions of automobiles fitted with the immobiliser.
We critiqued the court's published decision on many points. The court does not appear to appreciate the difference between a secret algorithm and secret keys. The decision does not provide any serious analysis of the risk created (or ameliorated) by publication. It is unclear why the court was so willing to conclude that Tango Programmer was created using misappropriated (rather than reverse engineered) information. The court may have applied the wrong legal standard in assessing the academics' responsibility. The decision does not demonstrate a clear understanding of the term "responsible disclosure" as used in security research. The decision does not address why it has taken so long for the owners of the allegedly confidential information to enforce their rights.
Although this was a preliminary decision, we are concerned that it will have a chilling effect on security research in the UK. It could also jeopardise the ability of UK academics to form multinational research efforts. Collaboration partners outside the UK might not wish to face the risk of a High Court injunction.