Reverse Engineering vs Illegal Hacking

This addresses the widespread, harmful misconception that breaking a digital lock or modifying software behavior is always "illegal hacking." In truth, U.S. law - while flawed - draws a clear line between lawful reverse engineering & criminal activity.

Companies often exploit this confusion to suppress ownership rights, discourage repair, and shut down interoperability under the guise of protecting security or intellectual property. This will clarify legal distinctions, correct the record, & explain why reverse engineering your own device to restore or preserve its functionality is not a crime.

What section 1201 is for[edit | edit source]

Section 1201 of the Digital Millennium Copyright Act (DMCA), passed in 1998, prohibits the circumvention of "technological protection measures" (TPMs) used to control access to copyrighted works. It also prohibits the distribution of tools designed primarily for circumvention.

What makes Section 1201 controversial is that it penalizes circumvention regardless of whether any copyright infringement occurred. In other words, even if you just want to modify or fix a product you legally own, you may still be in violation if the manufacturer wrapped it in DRM.

To soften this, Congress allowed for temporary exemptions reviewed every three years by the Library of Congress. These exemptions currently include certain cases of repair, diagnosis, security research, accessibility, & jailbreaking of phones. However, the process is burdensome, narrow, & inconsistently applied.

Legal Reverse Engineering vs. Illegal Hacking[edit | edit source]

Contrary to what some CEOs & PR departments have said, reverse engineering is legal in many contexts - especially when done for purposes of interoperability, repair, research, or personal use.

What Counts as Legal Reverse Engineering[edit | edit source]

The U.S. legal system has repeatedly upheld the right to reverse engineer in certain contexts, particularly when the intent is to enable interoperability or understand how something works. Notable court decisions include:

Sega Enterprises Ltd. v. Accolade, Inc. (1992): The Ninth Circuit ruled that disassembling code to understand how to make compatible software was fair use.^[1]

Sony Computer Entertainment v. Connectix Corp. (2000): The court affirmed that reverse engineering to create a competing product (a PlayStation emulator) was legal & transformative.^[2]

Lexmark Int'l v. Static Control Components (2004): The Sixth Circuit ruled that Static Control could reverse engineer printer firmware to enable third-party toner cartridges. The court pointed out that interoperability trumped DMCA anti-circumvention claims.^[3]

Chamberlain Group v. Skylink Technologies (2004): The Federal Circuit held that creating universal garage door remotes through reverse engineering was legitimate, establishing that DMCA violations must connect to actual copyright infringement.^[4]

DSC Communications v. DGI Technologies (1995): Courts held that disassembling firmware to create compatible microprocessor cards constituted fair use, establishing that functional elements accessed only through disassembly can be lawfully copied.^[5]

Assessment Technologies v. WIREdata (2003): The Seventh Circuit ruled that reverse engineering to access public domain data trapped within copyrighted software is permissible, preventing copyright from creating "locks" on non-copyrightable information.^[6]

Legal reverse engineering generally includes:

Analyzing software you own for repair or maintenance
Studying protocols to make devices work with third-party tools
Extracting firmware from your own hardware
Building alternate apps that communicate with your devices
Publishing technical findings that don't contain copyrighted code
Good faith security research under DMCA exemptions

What Constitutes Illegal Hacking[edit | edit source]

Illegal hacking, by contrast, involves:

Accessing remote systems without authorization
Bypassing login or authentication mechanisms on someone else's network
Stealing or distributing copyrighted code without a license
Tampering with systems in ways that compromise others' data or services
Continuing access after explicit revocation (see Facebook v. Power Ventures, 2016)^[7]

The key difference is ownership & scope: Reverse engineering stays within the boundary of what you own. Hacking crosses into systems that you don't.

Current DMCA Exemptions (2024-2027)[edit | edit source]

The Library of Congress granted sweeping new exemptions in October 2024 that greatly expand repair rights:^[8]

Vehicle telematics data access: Owners can now circumvent software locks to access, store, & share their vehicle's operations & diagnostic data.
Commercial food preparation equipment: New exemption for retail-level restaurant equipment repair (addressing the McDonald's ice cream machine problem)^[9]
Consumer devices: Renewed exemptions for smartphones, tablets, smart TVs, & IoT devices
Medical devices: Continued exemption with FDA support, concluding it wouldn't "necessarily & materially jeopardize" device safety^[10]
Jailbreaking: Expanded to cover smartphones, smart TVs, voice assistants, & routers for installing alternative software

These exemptions require that circumvention be a "necessary step" for the permitted purpose & cannot facilitate access to other copyrighted works.

Narrowing Computer Hacking Laws[edit | edit source]

The Supreme Court's 2021 decision in Van Buren v. United States fundamentally changed how courts interpret the Computer Fraud & Abuse Act (CFAA).^[11] The 6-3 majority adopted a "gates-up-or-down" test: you either have permission to access a computer system or you don't. Violating terms of service or using legitimately accessed data for improper purposes doesn't constitute "exceeding authorized access" under CFAA.

This decision protects security researchers & reverse engineers who:

Access publicly available systems
Use credentials they were legitimately given
Don't bypass technical access controls
Violate only terms of service, not technical barriers

The Ninth Circuit applied this framework in hiQ Labs v. LinkedIn (2022), finding that scraping publicly accessible data doesn't violate CFAA since there are "no gates to lift or lower" on public websites.^[12]

Futurehome example:[edit | edit source]

In May 2025, Norwegian smart home company Futurehome was acquired out of bankruptcy. The new owners, FHSD Connect AS, introduced a mandatory subscription model: customers had to pay an annual fee of 1,188 NOK (approx. $117 USD) or lose access to basic functionality like the mobile app, automation, & local APIs - even though those features were previously included in the one-time purchase price.^[13]

When customers began exploring ways to restore lost functionality through reverse engineering, Futurehome CEO Øyvind Fries accused them of "illegal hacking" & threatened legal action.^[14]

However, no evidence was provided that users were:

Accessing Futurehome's servers without authorization
Distributing proprietary code
Compromising the privacy of others

Consumer rights advocate Louis Rossmann offered a $5,000 bounty for someone to create a way to use Futurehome devices locally without a subscription. His viewers began:

Capturing network traffic from their own devices
Analyzing firmware dumps from hubs they physically owned
Attempting to restore functionality that had been removed post-sale

The purpose was to restore functionality customers had already paid for. Futurehome's management tried to frame this as a bounty for criminal activity.

Other Examples with Legal Clarity[edit | edit source]

John Deere Tractors: Deere has long fought independent repair efforts, but under pressure from state laws & exemptions granted by the Library of Congress, some tractor repair activities (such as accessing diagnostic software) are now explicitly legal.^[15] The FTC & state attorneys general sued John Deere in January 2025 for monopolizing agricultural equipment repair.^[16]

Sony PlayStation 3 jailbreaking: Sony sued George Hotz (Geohot) after he jailbroke a PS3. While Sony sued him civilly, the case settled without establishing that his actions were criminal.^[17]

Lexmark Printers: As mentioned above, the Sixth Circuit ruled that making third-party toner cartridges work with Lexmark printers - despite digital locks - was not illegal.^[3]

United States v. Elcom/Sklyarov (2001-2002): Though Russian programmer Dmitry Sklyarov was arrested for creating Adobe eBook circumvention software, charges were dropped against him personally & his company ElcomSoft was acquitted, demonstrating prosecutorial overreach risks.^[18]

"Illegal Hacking" as a legal conclusion[edit | edit source]

Using words like "hacking" to describe legitimate reverse engineering is not a legal conclusion. Section 1201 of is written in a way that can make even normal ownership behavior sound suspicious. Courts have repeatedly ruled that reverse engineering, when done for lawful purposes, is protected.

Key Legal Principles[edit | edit source]

Courts now apply clear principles distinguishing lawful reverse engineering from illegal hacking:

Protected Activities Include:

Lawfully acquiring software or hardware
Analyzing it without circumventing authentication
Conducting interoperability research under DMCA Section 1201(f)
Accessing publicly available information
Good faith security research with responsible disclosure

Risk Factors for CFAA/DMCA Liability:

Bypassing passwords or authentication systems
Continuing access after explicit revocation
Accessing non-public systems
Causing system damage
Commercial exploitation of circumvention tools

The distinction often turns on technical circumvention - courts protect analytical activities that don't breach access controls while penalizing those who bypass passwords, authentication, or security measures.

Conclusion[edit | edit source]

Reverse engineering is not a crime. Owning a product should mean controlling it. & efforts to restore, understand, or interoperate with devices you legally bought are not "hacking" - they are a cornerstone of innovation, user freedom, & the right to repair.

The legal landscape has evolved dramatically through decisions like Google v. Oracle (2021) affirming API reimplementation as fair use,^[19].

The October 2024 DMCA exemptions represent the largest repair rights texpansion so far. Combined with Van Buren's limitation of CFAA liability, these create lots of legal space for legit reverse engineering to be considered legal.

References[edit | edit source]

↑ "Sega Enters. Ltd. v. Accolade, Inc., 977 F.2d 1510 (9th Cir. 1992)" (PDF). {{cite web}}: line feed character in |title= at position 37 (help)
↑ "Sony Computer Entm't, Inc. v. Connectix Corp., 203 F.3d 596 (9th Cir. 2000" (PDF). {{cite web}}: line feed character in |title= at position 47 (help)
↑ ^3.0 ^3.1 https://en.wikipedia.org/wiki/Lexmark_International,_Inc._v._Static_Control_Components,_Inc.
↑ "The CHAMBERLAIN GROUP, INC., Plaintiff–Appellant, v. SKYLINK TECHNOLOGIES, INC., Defendant–Appellee. No. 04–1118. United States Court of Appeals, Federal Circuit" (PDF). {{cite web}}: line feed character in |title= at position 23 (help)
↑ "DSC Communications Corp. v. DGI Technologies, Inc., 898 F. Supp. 1183 (N.D. Tex. 1995)".
↑ "Assessment Technologies of Wi, Llc, Plaintiff-appellee, v. Wiredata, Inc., Defendant-appellant, 350 F.3d 640 (7th Cir. 2003)".
↑ "FACEBOOK, INC., a Delaware corporation, Plaintiff-Appellee, v. POWER VENTURES, INC., DBA Power.com, a California corporation; POWER VENTURES, INC., a Cayman Island corporation, Defendants, and STEVEN SURAJ VACHANI, an individual, Defendant-Appellant" (PDF). {{cite web}}: line feed character in |title= at position 27 (help)
↑ "Exemption to Prohibition on Circumvention of Copyright Protection Systems for Access Control Technologies". Federal Register. October 28, 2024.
↑ Bowman, Emma (November 3, 20245:00 AM ET). "A new copyright rule lets McDonald's fix its own broken ice cream machines". NPR. {{cite news}}: Check date values in: |date= (help)
↑ "FDA issues letter supporting continuation of DMCA exemption for repair of medical devices". IAMERS. July 2024.
↑ "VAN BUREN v. UNITED STATES CERTIORARI TO THE UNITED STATES COURT OF APPEALS FOR THE ELEVENTH CIRCUIT No. 19–783. Argued November 30, 2020—Decided June 3, 2021" (PDF). {{cite web}}: line feed character in |title= at position 27 (help)
↑ "HIQ LABS, INC. V. LINKEDIN CORPORATION, No. 17-16783 (9th Cir. 2022)".
↑ "Rasende og fortvilte Futurehome-kunder: – Oppleves som utpressing". Tek.no (in norsk bokmål). Retrieved 2025-07-14.
↑ "Lover 50.000 kroner for å knekke programvaren til Futurehome". Tek.no (in norsk bokmål). Retrieved 2025-07-14.
↑ "Stand Up for Repair". Repair.org.
↑ "FTC sues John Deere over farmers' right to repair tractors". NPR. January 15, 2025.
↑ "Sony and Hotz settle hacking case".
↑ "US v. ElcomSoft & Sklyarov". Electronic Frontier Foundation.
↑ "GOOGLE LLC v. ORACLE AMERICA, INC. CERTIORARI TO THE UNITED STATES COURT OF APPEALS FOR THE FEDERAL CIRCUIT No. 18–956. Argued October 7, 2020—Decided April 5, 2021" (PDF). {{cite web}}: line feed character in |title= at position 35 (help)

[1] "Sega Enters. Ltd. v. Accolade, Inc., 977 F.2d 1510 (9th Cir. 1992)" (PDF). {{cite web}}: line feed character in |title= at position 37 (help)

[2] "Sony Computer Entm't, Inc. v. Connectix Corp., 203 F.3d 596 (9th Cir. 2000" (PDF). {{cite web}}: line feed character in |title= at position 47 (help)

[lexmark-3] 3.0 ^3.1 https://en.wikipedia.org/wiki/Lexmark_International,_Inc._v._Static_Control_Components,_Inc.

[4] "The CHAMBERLAIN GROUP, INC., Plaintiff–Appellant, v. SKYLINK TECHNOLOGIES, INC., Defendant–Appellee. No. 04–1118. United States Court of Appeals, Federal Circuit" (PDF). {{cite web}}: line feed character in |title= at position 23 (help)

[5] "DSC Communications Corp. v. DGI Technologies, Inc., 898 F. Supp. 1183 (N.D. Tex. 1995)".

[6] "Assessment Technologies of Wi, Llc, Plaintiff-appellee, v. Wiredata, Inc., Defendant-appellant, 350 F.3d 640 (7th Cir. 2003)".

[7] "FACEBOOK, INC., a Delaware corporation, Plaintiff-Appellee, v. POWER VENTURES, INC., DBA Power.com, a California corporation; POWER VENTURES, INC., a Cayman Island corporation, Defendants, and STEVEN SURAJ VACHANI, an individual, Defendant-Appellant" (PDF). {{cite web}}: line feed character in |title= at position 27 (help)

[8] "Exemption to Prohibition on Circumvention of Copyright Protection Systems for Access Control Technologies". Federal Register. October 28, 2024.

[9] Bowman, Emma (November 3, 20245:00 AM ET). "A new copyright rule lets McDonald's fix its own broken ice cream machines". NPR. {{cite news}}: Check date values in: |date= (help)

[10] "FDA issues letter supporting continuation of DMCA exemption for repair of medical devices". IAMERS. July 2024.

[11] "VAN BUREN v. UNITED STATES CERTIORARI TO THE UNITED STATES COURT OF APPEALS FOR THE ELEVENTH CIRCUIT No. 19–783. Argued November 30, 2020—Decided June 3, 2021" (PDF). {{cite web}}: line feed character in |title= at position 27 (help)

[12] "HIQ LABS, INC. V. LINKEDIN CORPORATION, No. 17-16783 (9th Cir. 2022)".

[13] "Rasende og fortvilte Futurehome-kunder: – Oppleves som utpressing". Tek.no (in norsk bokmål). Retrieved 2025-07-14.

[14] "Lover 50.000 kroner for å knekke programvaren til Futurehome". Tek.no (in norsk bokmål). Retrieved 2025-07-14.

[15] "Stand Up for Repair". Repair.org.

[16] "FTC sues John Deere over farmers' right to repair tractors". NPR. January 15, 2025.

[17] "Sony and Hotz settle hacking case".

[18] "US v. ElcomSoft & Sklyarov". Electronic Frontier Foundation.

[19] "GOOGLE LLC v. ORACLE AMERICA, INC. CERTIORARI TO THE UNITED STATES COURT OF APPEALS FOR THE FEDERAL CIRCUIT No. 18–956. Argued October 7, 2020—Decided April 5, 2021" (PDF). {{cite web}}: line feed character in |title= at position 35 (help)

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]

[10]

[11]

[12]

[13]

[14]

[15]

[16]

[17]

[18]

[19]