Posted on 02/09/2013
ISG researchers Rob Carolina (Senior Visiting Fellow) and Kenny Paterson (Professor of Information Security and EPSRC Leadership Fellow) have produced an extensive analysis of a recent and high-profile English High Court judgement - the so-called "Megamos Crypto" case.
The case concerns an academic paper by security researchers based in the UK and the Netherlands who discovered a weakness in the cryptographic algorithm used in Megamos car (automobile) immobilisers. The researchers engaged in responsible disclosure, and their paper was accepted to USENIX Security 2013. The paper would have revealed details of the Megamos crypto algorithm. The researchers obtained the algorithm through reverse engineering of a third party product called Tango Programmer which had the algorithm embedded in it. The court concluded that the algorithm was not derived from a legitimate source. The court then decided that the infringement of free speech in preventing publication of the paper at USENIX Security was outweighed by the need to maintain the security of cars fitted with the immobiliser.
In their analysis, entitled "Megamos Crypto, Responsible Disclosure, and the Chilling Effect of Volkswagen Aktiengesellschaft vs Garcia, et al", Carolina and Paterson provide six detailed criticisms of the decision.
- The inherent problem in attributing value to a "secret" crypto algorithm.
- The decision's failure to provide a searching analysis of the risk created by publication.
- The court's willingness to infer that the algorithm was discovered through misappropriation, and the burden of proof on this question.
- The court's misapprehension about the state of knowledge required to demonstrate liability against a third party accused of misusing a secret that was misappropriated by another person.
- The court's apparent confusion surrounding the meaning and purpose of "responsible disclosure" when used as a term of art in security research.
- The apparently long delay of the complaining parties in enforcing their rights in the alleged trade secret.
Carolina and Paterson express their view that this decision will have a chilling effect on security research in the UK: it could jeopardise the ability of UK academics to form multinational research efforts since collaboration partners outside the UK might not wish to face the risk of a High Court injunction.
To read more about the case, visit the IPKat legal blog: http://ipkitten.blogspot.co.uk/2013/09/can-you-tango-with-megamos.html.
To read Rob and Kenny's article in full, see http://www.isg.rhul.ac.uk/~kp/Carolina-Paterson-Megamos-comment-20130828.pdf.