Reverse engineering vs illegal hacking: Difference between revisions

APTenthusiast (talk | contribs)
Introduction and Overview: Added wireframes for the EU guidelines and legal precedents
Line 23: Line 23:
The U.S. legal system has repeatedly upheld the right to reverse engineer in certain contexts, particularly when the intent is to enable interoperability or understand how something works. Notable court decisions include:

*'''Sega Enterprises Ltd. v. Accolade, Inc.''' (1992): The Ninth Circuit ruled that disassembling code to understand how to make compatible software was fair use.<ref>{{Cite web |title=Sega Enters. Ltd. v. Accolade, Inc., 977 F.2d 1510 (9th Cir. 1992) |url=https://www.copyright.gov/fair-use/summaries/segaenters-accolade-9thcir1992.pdf}}</ref>

*'''Sony Computer Entertainment v. Connectix Corp.''' (2000): The court affirmed that reverse engineering to create a competing product (a PlayStation emulator) was legal & transformative, and that making intermediate copies of a copyrighted BIOS for use in software development constitutes fair use.<ref>{{Cite web |title=Sony Computer Entm’t, Inc. v. Connectix Corp., 203 F.3d 596 (9th Cir. 2000) |url=https://www.copyright.gov/fair-use/summaries/sony-connectix-9thcir2000.pdf}}</ref>

*'''Lexmark Int'l v. Static Control Components''' (2004): The Sixth Circuit ruled that Static Control could reverse engineer printer firmware to enable third-party toner cartridges. The court pointed out that interoperability trumped DMCA anti-circumvention claims.<ref name="lexmark">[[wikipedia:Lexmark_International,_Inc._v._Static_Control_Components,_Inc.|https://en.wikipedia.org/wiki/Lexmark_International,_Inc._v._Static_Control_Components,_Inc.]]</ref>

*'''Chamberlain Group v. Skylink Technologies''' (2004): The Federal Circuit held that creating universal garage door remotes through reverse engineering was legitimate, establishing that DMCA violations must connect to actual copyright infringement.<ref>{{Cite web |title=The CHAMBERLAIN GROUP, INC., Plaintiff–Appellant, v. SKYLINK TECHNOLOGIES, INC., Defendant–Appellee. No. 04–1118. United States Court of Appeals, Federal Circuit |url=https://www.law.berkeley.edu/files/Chamberlain_Group_v_Skylink_Technologies.pdf}}</ref>

*'''DSC Communications v. DGI Technologies''' (1995): Courts held that disassembling firmware to create compatible microprocessor cards constituted fair use, establishing that functional elements accessed only through disassembly can be lawfully copied.<ref>{{Cite web |title=DSC Communications Corp. v. DGI Technologies, Inc., 898 F. Supp. 1183 (N.D. Tex. 1995) |url=https://law.justia.com/cases/federal/district-courts/FSupp/898/1183/1464449/}}</ref>
Line 59: Line 50:
*Stealing or distributing copyrighted code without a license
*Tampering with systems in ways that compromise others' data or services
*Continuing access after explicit revocation (see '''Facebook v. Power Ventures''', 2016)<ref>{{Cite web |title=FACEBOOK, INC., a Delaware corporation, Plaintiff-Appellee, v. POWER VENTURES, INC., DBA Power.com, a California corporation; POWER VENTURES, INC., a Cayman Island corporation, Defendants, and STEVEN SURAJ VACHANI, an individual, Defendant-Appellant. |url=https://cdn.ca9.uscourts.gov/datastore/opinions/2016/07/12/13-17102.pdf}}</ref>

The key difference is ownership & scope: Reverse engineering stays within the boundary of what you own. Hacking crosses into systems that you don't.
Line 83: Line 61:


*'''Vehicle telematics data''': Owners can now circumvent software locks to access, store, and share their vehicle's operations and diagnostic data.
*'''Commercial food preparation equipment''': New exemption for retail-level restaurant equipment repair ''(addressing the McDonald's ice cream machine problem).''<ref>{{Cite news |last=Bowman |first=Emma |date=November 3, 2024 |title=A new copyright rule lets McDonald's fix its own broken ice cream machines |url=https://www.npr.org/2024/11/02/g-s1-31893/mcdonalds-broken-ice-cream-machine-copyright-law |work=NPR}}</ref>
*'''Consumer devices''': Renewed exemptions for smartphones, tablets, smart TVs, and IoT devices.
*'''Medical devices''': Continued exemption with FDA support, concluding that, contrary to claims otherwise, it wouldn't "necessarily and materially jeopardize" device safety.<ref>{{cite web |url=https://iamers.org/2024/07/fda-issues-letter-supporting-continuation-of-dmca-exemption-for-repair-of-medical-devices/ |title=FDA issues letter supporting continuation of DMCA exemption for repair of medical devices |publisher=IAMERS |date=July 2024}}</ref>
Line 93: Line 71:


===Introduction and Overview===
European law tends to subjectively favor the ''Reverse Engineer'' (RE), including in situations such as "'''observe, study or test the functioning of the program''', provided that those acts '''do not infringe the copyright in the program'''"<ref name=":0">{{Cite web |date=23 April 2009 |title=Directive 2009/24/EC of the European Parliament and of the Council of 23 April 2009 on the legal protection of computer programs (Codified version) (Text with EEA relevance) |url=https://eur-lex.europa.eu/eli/dir/2009/24/oj/eng |url-status=live |archive-url=https://web.archive.org/web/20250721222533/https://eur-lex.europa.eu/eli/dir/2009/24/oj/eng |archive-date=2025-07-21}}</ref>, while going as far as "'''Decompilation for Interoperability'''"<ref name=":0" /> and "'''Decompilation for Error Correction and Repair'''"<ref name=":0" />. Strong emphasis is put on the intention and the desired outcome of the reverse engineering process.


While this is the general E.U. law, each country has its own interpretation of it, the Directive being more of a guideline. For a safer approach, it is advised to carefully check the local legislation. Oftentimes the challenge is that the "legal speech" is difficult for untrained personnel to understand. [[wikipedia:Large_language_model|Large Language Models]]<ref>{{Cite web |title=Large Language Model |url=https://en.wikipedia.org/wiki/Large_language_model |url-status=live |website=Wikipedia}}</ref> (LLMs) could aid the legal research process, with the bigger cloud-based LLMs often performing the best, but double-checking the information is mandatory.


===Guidelines for safer reverse engineering===
To better understand the position an RE would find themselves in, it is recommended to try to understand where the manufacturer is acting upon their product. We can briefly categorize the potential infringement on three levels:

*Hardware
*Software
*Hardware + Software

Each one of these has its own technical challenges and will most likely be treated differently in a court of law.

====Full solutions====
The solutions are usually not complete, since the manufacturer sadly has most of the control over your product, whatever it might be. "Almost complete solutions" is a more fitting term, as most actions are ''reactive'' rather than ''proactive'': the consumer is first hit by the overreach and then reacts to it.

====Partial solutions====

===Legal precedents===


==Narrowing computer hacking laws==


The Supreme Court's 2021 decision in '''Van Buren v. United States''' fundamentally changed how courts interpret the Computer Fraud & Abuse Act (CFAA).<ref>{{Cite web |title=VAN BUREN v. UNITED STATES CERTIORARI TO THE UNITED STATES COURT OF APPEALS FOR THE ELEVENTH CIRCUIT No. 19–783. Argued November 30, 2020—Decided June 3, 2021 |url=https://www.supremecourt.gov/opinions/20pdf/19-783_k53l.pdf}}</ref> The 6-3 majority adopted a "gates-up-or-down" test: you either have permission to access a computer system or you don't. Violating terms of service or using legitimately accessed data for improper purposes doesn't constitute ''"exceeding authorized access"'' under CFAA.

This decision protects security researchers & reverse engineers who:
Line 175: Line 158:
Reverse engineering should not be a crime. Owning a product should mean controlling it. Efforts to restore, understand, or interoperate with devices you legally bought are not "hacking"; they are a cornerstone of innovation, user freedom, and the right to repair.


The legal landscape has evolved dramatically through decisions like '''Google v. Oracle''' (2021) affirming API reimplementation as fair use<ref>{{Cite web |title=GOOGLE LLC v. ORACLE AMERICA, INC. CERTIORARI TO THE UNITED STATES COURT OF APPEALS FOR THE FEDERAL CIRCUIT No. 18–956. Argued October 7, 2020—Decided April 5, 2021 |url=https://www.supremecourt.gov/opinions/20pdf/18-956_d18f.pdf}}</ref>.

The October 2024 DMCA exemptions represent the largest repair rights expansion so far. Combined with Van Buren's limitation of CFAA liability, these create considerable legal space for legitimate reverse engineering.