
Reverse engineering a schema - any ethical or legal implications?


    I have been offered a short contract to convert data from one application to another.

    They want me to extract data from a competitor's application/db to their system while their client transitions from one system to the other. This is to be done by reverse-engineering the schema and mapping to the fields in their application and extracting it via odbc/whatever.

    The two rival systems will remain in place, one extracting the data from the other, at the client over a period of time, perhaps months. They may want to repeat the operation for future clients/rival products. They will want me to sign an NDA.

    I used to work for the competitor on that product years ago. That product is still in development and is not at all legacy - they are a market leader.

    My understanding is that decompilation is against the law if used for competitive reasons. I regard reverse engineering a schema as part of the decompilation process, though this may be technically incorrect. They argue the client owns the data, and they've been through it all with lawyers.

    So:

    I feel uncomfortable with the ethical and legal implications, and want to know if I am being naive/precious/stupid believing the following:

    1. It's too much reverse engineering and direct mapping to an application for a bog-standard data conversion.
    2. I used to work with the rival on the product and feel a duty of confidentiality (and they were my mates).
    3. It's at best a legal grey area and should there be comeback later on, I will be particularly exposed as a contractor, even insured in a ltd.

    Basically, is it dodgy or perfectly normal and above board?
    Last edited by Clever Hans; 20 December 2010, 15:01.

    #2
    Originally posted by Clever Hans
    I have been offered a short contract to convert data from one application to another.

    They want me to extract data from a competitor's application/db to their system while their client transitions from one system to the other. This is to be done by reverse-engineering the schema and mapping to the fields in their application and extracting it via odbc/whatever.

    The two rival systems will remain in place, one extracting the data from the other, at the client over a period of time, perhaps months. They may want to repeat the operation for future clients/rival products. They will want me to sign an NDA.

    I used to work for the competitor on that product years ago. That product is still in development and is not at all legacy - they are a market leader.

    My understanding is that decompilation is against the law if used for competitive reasons. I regard reverse engineering a schema as part of the decompilation process, though this may be technically incorrect. They argue the client owns the data, and they've been through it all with lawyers.

    So:

    I feel uncomfortable with the ethical and legal implications, and want to know if I am being naive/precious/stupid believing the following:

    1. It's too much reverse engineering and direct mapping to an application for a bog-standard data conversion.
    2. I used to work with the rival on the product and feel a duty of confidentiality (and they were my mates).
    3. It's at best a legal grey area and should there be comeback later on, I will be particularly exposed as a contractor, even insured in a ltd.

    Basically, is it dodgy or perfectly normal and above board?
    I suggest you have a read of the Computer Misuse Act. Very briefly
    The Act identifies three specific offences:
    Unauthorised access to computer material (that is, a program or data).
    Unauthorised access to a computer system with intent to commit or facilitate the commission of a serious crime.
    Unauthorised modification of computer material.
    The Act defines (1) (the basic offence) as a summary offence punishable on conviction with a maximum prison sentence of six months or a maximum fine of 2000 or both. The Act goes on to describe offences (2) and (3) as triable either summarily or on indictment, and punishable with imprisonment for a term not exceeding five years or a fine or both.
    I suggest what you're proposing matches both options one and two. Walk away
    Blog? What blog...?

      #3
      Even if it was legal it doesn't sound like a very ethical way to behave towards mates.

      Like he said - walk away.

        #4
        I am not sure about the legal aspects in detail, but if the data belongs to the client, then they have rights to take it to any application they deem necessary.

        If you are asked to design a system that creates an interface (in generic terms) between two systems, that is not illegal I guess. There are hundreds if not thousands of clients who are migrating their data from one system/application to another due to numerous reasons. I don’t see a reason why this should not be allowed.

        Now coming to the technical point of view, is the schema of the application public? If the only reason you are being offered the work is because you have insider knowledge, then you are treading on thin ice. It might be dangerous. But if the schema is available in public, or you can prove there is a way to get the data without hacking the application, and migrate to another system, then I don’t see a reason why it is not legal.

        If you want to go ahead with the work, I would rather consider getting an indemnity clause in the contract, which specifies that you are being asked to do a certain thing, which is not specifically illegal, but if this ends up in court, you are not liable for any damages, and all the responsibility rests with the client. Get a lawyer to get the words correct.

          #5
          Originally posted by malvolio
          I suggest you have a read of the Computer Misuse Act. Very briefly
          I suggest what you're proposing matches both options one and two. Walk away
          It's not misuse as you are accessing data belonging to your client with his permission.

          It does however sound unethical if you are being employed solely on your knowledge of the other system.
          merely at clientco for the entertainment

            #6
            The relevant law will be the Copyright, Designs and Patents Act 1988, specifically

            Decompilation.

            (1) It is not an infringement of copyright for a lawful user of a copy of a computer program expressed in a low level language—

            (a) to convert it into a version expressed in a higher level language, or

            (b) incidentally in the course of so converting the program, to copy it,

            (that is, to “decompile” it), provided that the conditions in subsection (2) are met.

            (2) The conditions are that—

            (a) it is necessary to decompile the program to obtain the information necessary to create an independent program which can be operated with the program decompiled or with another program (“the permitted objective”); and

            (b) the information so obtained is not used for any purpose other than the permitted objective.

            (3) In particular, the conditions in subsection (2) are not met if the lawful user—

            (a) has readily available to him the information necessary to achieve the permitted objective;

            (b) does not confine the decompiling to such acts as are necessary to achieve the permitted objective;

            (c) supplies the information obtained by the decompiling to any person to whom it is not necessary to supply it in order to achieve the permitted objective; or

            (d) uses the information to create a program which is substantially similar in its expression to the program decompiled or to do any act restricted by copyright.

            (4) Where an act is permitted under this section, it is irrelevant whether or not there exists any term or condition in an agreement which purports to prohibit or restrict the act (such terms being, by virtue of section 296A, void).
            http://www.legislation.gov.uk/ukpga/...s-lawful-users

            It is not an infringement of copyright in a database for a person who has a right to use the database or any part of the database, (whether under a licence to do any of the acts restricted by the copyright in the database or otherwise) to do, in the exercise of that right, anything which is necessary for the purposes of access to and use of the contents of the database or of that part of the database.
            http://www.legislation.gov.uk/ukpga/...permitted-acts

            TBH, apart from the fact that you aren't actually decompiling anything, I think writing what amounts to a migration script allowing import of data into a competing application is going to be legal as long as you have a legal right to access the database i.e. if you were engaged on behalf of the client and they gave you access to their system.
            While you're waiting, read the free novel we sent you. It's a Spanish story about a guy named 'Manual.'

              #7
              I was in a similar position some 22 years ago when working for a software house. I was tasked with reverse engineering a FromCo system so the data could be transferred to a ToCo system.

              After some head scratching, I phoned FromCo for some advice and they cheerfully sold us the Import/Export module for £50 over the 'phone.

              The client was charged for 2 weeks of my time; the job took about a day.


              Of course you can help a client move from a FromCo system to a ToCo system. The big systems integrators do this day in, day out. IT systems replacement is a bread-and-butter activity.

              More immoral is when FromCo uses an undocumented, proprietary system so you are trapped when you use their systems.
              My all-time favourite Dilbert cartoon, this is: BTW, a Dumpster is a brand of skip, I think.

                #8
                Originally posted by Clever Hans
                I have been offered a short contract to convert data from one application to another.

                They want me to extract data from a competitor's application/db to their system while their client transitions from one system to the other. This is to be done by reverse-engineering the schema and mapping to the fields in their application and extracting it via odbc/whatever.
                ...
                Are you actually reverse-engineering anything proprietary, or are you merely mapping the data model from one application to another? If the latter, i.e. you are not intending to copy or steal the FromCo system, but only to migrate the client's data to another system, I don't see anything wrong with that (IANAL). After all, the point is usually to move away from the previous system, not just to keep the system and move away from its inventor.

                Obviously there is a large grey area where the data model could be said to be not just the format of the client's data, but an essential part of the FromCo invention. For you, or the judge, to decide.

                But as Mr Cranium says, the big integrators do it all the time.
                Job motivation: how the powerful steal from the stupid.

                  #9
                  I did a number of data transfers a few years ago and I usually just request some CSV data file of the data, done via some built-in reporting tool from the "FromCo" system, and then process those and import to the "ToCo" db.

                  Once I got certain systems done on a regular basis, it was money for old rope. Fixed fee.
                  Never has a man been heard to say on his death bed that he wishes he'd spent more time in the office.

                    #10
                    If it's what Ignus Fatuus said i.e. mapping a schema and:
                    1. The new potential client owns all the data being transferred,
                    2. You are not within the time period of 6 months of working for the original client (you did get your original contract checked out didn't you?),
                    then you aren't breaking any laws.

                    If you work as a consultancy with a particular skill set particularly within a niche area then you will end up doing the same/very similar work for clients who are direct competitors.

                    While there is an argument over how long confidentiality clauses are valid (all contracts have them) for commercial reasons, no company can stop you working for a competitor as long as you don't break any confidentiality clauses.

                    In case of a product that has been in development and been used for years I strongly doubt there isn't a better way of doing what you did then, which means you won't use exactly the same code/processes/schema you did then. There is also the issue that some things are an industry standard way of doing things.

                    I would suggest that any contract you receive from this potential client you get checked out by a lawyer who understands and specialises in Intellectual Property so that you are indemnified if the client gets taken to court. (It's the wording of the clauses that are important.)
                    "You’re just a bad memory who doesn’t know when to go away" JR
