Security researcher faces jail for finding bugs

A researcher who demonstrated how to exploit bugs in the code of an antivirus application faces prosecution under French copyright law
Written by Munir Kotadia, Contributor
A French security researcher who published exploit codes that could take advantage of bugs in an antivirus application could be imprisoned for violation of copyright laws.

In 2001, French security researcher Guillaume Tena found a number of vulnerabilities in the Viguard antivirus software published by Tegam. Tena, who at the time was known by his pseudonym Guillermito, published his research online in March 2002.

However, Tena's actions were not viewed kindly by Tegam, which initiated legal action against the researcher. That action resulted in a case being brought to trial at a court in Paris, France. The trial kicked off on 4 January, 2005, after being deferred from its initially scheduled start date of 5 October, 2004. The prosecution claims that Tena violated article 335.2 of the code of the intellectual property and is asking for a four month jail term and a €6,000 fine. Additionally, Tegam is proceeding with a civil case against Tena and asking for €900,000 in damages.

Accoridng to Tena's Web site, his research "showed how the program worked, demonstrated a few security flaws and carried out some tests with real viruses. Unlike the advertising claimed, this software didn't detect and stop '100 percent of viruses'."

Tena, who is currently a researcher for Harvard University in Massachusetts, said that Tegam responded in a "weird way" by first branding him a terrorist and then filing a formal complaint in Paris. During the resulting tribunal, Tena said the judge decided that because the published exploits included some re-engineered source code from Viguard's software, he had violated French copyright laws.

According to French security Web site K-OTik, Tena had technically broken copyright laws because his exploits were "not for personal use, but were communicated to a third party".

However, K-OTik, which regularly publishes exploit codes, claims that the ruling could create a precedent which would mean that vulnerabilities in software, however critical, could not be declared publicly without prior agreement from the software publisher.

K-OTik's editors say the ruling is "unimaginable and unacceptable in any other field of scientific research".

On Tena's Web site, he claims that if independent researchers are not allowed to freely publish their findings about security software then users will be only have "marketing press releases" to assess the quality of the software. "Unfortunately, it seems that we are heading this way in France and maybe in Europe," Tena said.

"To use an analogy, it's a little bit as if Ford was selling cars with defective brakes. If I realised that there was a problem, opened the hood and took a few pictures to prove it, and published everything on my Web site, then Ford could file a complaint against me," added Tena.

Philip N. Argy, senior partner of the intellectual property and technology group at Australian law firm Mallesons Stephen Jaques, said that if a similar case was put to trial in Australia the prosecution would be unlikely to get a conviction because of our "fair comment provisions".

"We have strong copyright protection as well as strong anti-hacking laws, but from what I can glean from the translations, all that Guillermito did was to publish the details of the parts of the code which contained serious bugs that made the software erroneously treat as a virus some legitimate software. I'd have thought that would be at least within the fair comment provisions of Australian copyright law," said Argy.

The final ruling will be made in Paris on 8 March, 2005.

Editorial standards