Restrictions on our Freedom to Study Software: A Legal Case Study from Poland
Software is a major component of modern life, affecting large parts of
our lives. When software is embedded in vehicles, the ability to control
our digital technology becomes even more important in the name of public
safety. Despite that, a recent court case in Poland highlights how the
law, and legal processes, can sometimes work against that.
A NEWAG train. CC BY-SA 3.0 -
Travelarz
The Incident At The Center of the Court Case
Back in 2022, a number of locomotives made by the Polish train
manufacturer Newag were experiencing technical difficulties and were
unable to start, thus rendering them in need of maintenance. The Polish
railway company operating those specific locomotives sent them to the
rail yard SPS for repairs (instead of directly to Newag), who in turn
found that software issues were responsible for preventing the trains
from operating normally. When SPS was unable to resolve the software
issues, one of their engineers reached out to the Dragon Sector team for
help, after finding out about them online.
The three main parties of the case:
- Newag S.A. (“Newag”), a Polish
train manufacturer;
- Serwis Pojazdów
Szynowych (“SPS”), a third party providing rail maintenance and
repair services; and
- Dragon Sector, a team of
security researchers and ethical hackers
Dragon Sector then conducted a cybersecurity assessment of the trains
in question, and were able to identify the problem. According to them,
the issue arose due to “locks” placed on the computer systems operating
on the problematic locomotives, which they were able to “unlock” in the
affected trains. Dragon Sector alleged that these locks made the systems
on the trains cease to function properly when they were geo-located to
have entered third party rail yards not approved by Newag, as was the
case when they were delivered to SPS for repairs.
In response, Newag denied these allegations, and countered that they were a smear campaign
against the company by their competitors, despite Dragon Sector’s
conclusions being deemed
trustworthy by the Computer Emergency
Response Team of Poland, also known as CERT Polska. Newag further
stated that they believed that the computer systems were unlawfully
accessed by Dragon Sector, and the trains must be taken out of service
as Newag could no longer guarantee their safe operation. In response,
Dragon Sector stated that while they had identified vulnerabilities in
the train systems, they had refrained from making any unauthorized
changes to the software or compromising the functionality of the
trains.
The Case in the Polish Courts
The dispute eventually went to trial in August 2024 in the district
court of Warsaw, when Newag brought a suit copyright infringement
against both SPS and Dragon Sector, as well as an allegation of
defamation. Surprisingly, despite what Newag had alleged pre-trial, they
officially conceded at trial that Dragon Sector did not modify the
software on the affected trains in question. The lawsuit nevertheless
proceeded on the basis of Dragon Sector’s alleged unauthorized access
and analysis of Newag’s software.
This case is important as it highlights issues that go beyond a
simple copyright dispute. In closely examining Dragon Sector’s actions,
any decision by the court will also have to comment on the role of
cybersecurity research and investigation activities in identifying,
reverse engineering, and reporting security issues, as well as how all
of this can be done in a responsible and legal manner. Depending on the
outcome of the case, this may have a chilling effect on communities who
play critical roles in cybersecurity, as well as on the exercise of the
Freedom
to Study.
Criminalization of Unauthorized Access To Computer
Systems
Software is so entrenched in daily life, and affects our lives far
beyond just our engagement with our digital gadgets. In this specific
court case, it affects the functionality of public transportation, and
even potentially the safety of Newag’s trains and the passengers who
ride in them. It is therefore reasonable for the public at large to have
some expectation of transparency in how the software controlling these
trains functions, so that vulnerabilities can be quickly discovered and
rectified. Restricting the freedom to study and improve the code to a
closed off proprietary ecosystem not only limits the number of people
who are able to identify such vulnerabilities to a select group, but
also makes unauthorized entry the only option for those who are
motivated to fully understand how the software works.
In the EU, unauthorized access of computer systems is classified as a
criminal offense, as seen in Directive
2013/40/EU (Directive 2013/40/EU of the European Parliament and of
the Council of 12 August 2013 on attacks against information systems and
replacing Council Framework Decision 2005/222/JHA) (the
“Directive”).
The broad and general rules regarding cybercrime and unauthorized
access to computer and data systems are largely set out in this
Directive, which specifically states in its Article 3 that EU member
states shall ensure within their jurisdictions that intentional access
to “the whole or to any part of an information system” is to be
“punishable as a criminal offense, where committed by infringing a
security measure”.
Because the rules in the Directive specifically places “unauthorized
access” as one of the criteria for cybercrime, it effectively provides
some allowance for so-called “ethical hacking” activity.
Generally speaking, ethical hacking is an authorized attempt to gain
unauthorized access to a computer system, by using the strategies of
malicious attackers. As with any concept, the exact definition will vary
among communities. Nevertheless, the many definitions of ethical hacking
tend to have a number of things in common:
- The actions of ethical hackers are authorized;
- The maintainers of the computer systems targeted by ethical hackers
are aware of such actions being undertaken; and
- Vulnerabilities are identified by ethical hackers with the intention
of fixing them.
Ethical hacking is used to help owners of computer systems identify
security vulnerabilities before any malicious actors has the opportunity
to exploit them. An ethical hacker is therefore usually engaged through
an agreement with the maintainer of the computer system, and must abide
by the guidelines laid out in the terms of their engagement.
The rules in the Directive are broad and general in nature in order
to give EU member states some flexibility in the exact kind of
legislation that they adopt. Legislation in each EU member state can
therefore contain gray areas or loopholes that allow even certain types
of ethical hacking to be viewed as criminal activity, as laws may be
drafted too broadly, or without sufficient nuance to take into account
all types of digital activity, despite the guidances provided by the
Directive. It is therefore imperative that anyone seeking to help
maintainers find security vulnerabilities in their computer systems
check the relevant laws in their jurisdiction to determine the limits of
what they legally can and cannot do. This holds true even in non-EU
jurisdictions.
For example, the German criminal code (Strafgesetzbuch
– the “StGB”) has a very general and broad definition of what
constitutes an illegal access to a computer or data system. Under
Section 202a of the StGB, unauthorized access to data is criminalized,
regardless of intent, and even when such access is done so for
beneficial purposes. This section of the StGBn in particular exposes
those who are looking to find cybersecurity vulnerabilities in computer
systems to a risk of criminal liability should they disclose security
flaws.
EU States Adopting Looser Restrictions
Nevertheless, some EU member states are considering or have already
instituted legislation to support not only ethical hacking activities
(where authorization for finding access to the computer system is
granted), but also for certain types of cybersecurity research and
investigation that are conducted in good faith, despite not having the
authorization of the owner or maintainer of the computer system in
question.
For example, the Federal Ministry of Justice in Germany is currently
proposing amending Section 202a of the StGB to allow
conditions of security research to be exempt from criminal penalty.
Specifically, the Ministry is proposing adding provisions to Section
202a that would specify additional conditions under which security
research is deemed to be statutorily “authorized” and therefore exempt
from criminal penalties. In the eyes of the Ministry, this would remove
the risk of criminal liability for those who engage in such security
research activity, thereby reducing unchecked security vulnerabilities
in sectors that can affect public safety.
Such loosening of restrictions to accommodate cybersecurity research
can also be seen more robustly in Belgium. In February 2023, a
whistleblower law (Klokkenluiderswet)
entered into force to allow a natural or legal person (which would
include entities such as a Dragon Sector-type collective) to investigate
the computer systems of any Belgian organization for vulnerabilities,
even if the organization in question has not consented. Such activity is
however only legal under the Klokkenluiderswet if four
conditions are all met:
- The person investigating the computer system cannot have the intent
to cause harm or to obtain illegitimate benefits from their
activities;
- Any uncovered cybersecurity vulnerability must be reported as soon
as possible to the Center for Cyber
Security Belgium (the “CCB”);
- The activity must not go further than what is necessary and
proportionate to what is required to uncover a vulnerability; and
- Any information about vulnerabilities uncovered as a result of the
investigation shall not be disclosed to the broader public without the
consent of the CCB.
The Big Picture Impact on Software Freedom
This suit brought by Newag highlights why our software
freedoms are so important. The Freedom to Study carries so much
significance in ensuring transparency and accountability in computer
systems that affect our daily life, including in public transportation.
A good faith attempt to identify and/or resolve a software problem with
real world implications should not be met with harsh punitive actions,
such as the threat of criminal sanctions, or lawsuits on the basis of
copyright violation. That Dragon Sector (and to a lesser extent SPS) are
being sued for unauthorized entry to the computer systems of the faulty
locomotives shows that it is important for legal systems to:
- have clear legal indications about the limits of what can be done,
by whom, and under what circumstances, when investigating faults or
vulnerabilities in computer systems; and
- allow for people to investigate cybersecurity issues in good faith,
rather than punishing them (either through criminal law or
lawsuits).
Lawsuits are never an easy process for any person to go through, even
if they are in the right, and have a very good chance of winning the
suit. They require the parties involved to put in time, effort, and
monetary resources, and they additionally create emotional stress,
especially for those for whom such resources are more limited. The
maintainer of a small project is going to experience much more worry
about legal fees, time spent fighting a case, and the possibility and
consequences of losing, than a multi-national corporation.
In this particular lawsuit, Dragon Sector (and SPS) has to consume
time and monetary resources, and also endure a great deal of uncertainty
to contest Newag’s claims. This in turn generates opportunity costs for
all parties involved, in places where those resources could have been
better spent. As a party with a more limited pool of resources, Dragon
Sector’s opportunity costs can be said to affect them
disproportionately, even if they ultimately prevail in court. This can
be seen to be even more egregious when considering the concession by
Newag that Dragon Sector did not modify the software operating on the
affected trains, and that the lawsuit was based only on the unauthorized
access and study of the software.
Because of these factors, this lawsuit may have a chilling effect on
cybersecurity research and investigation, as well as negative impacts on
our broader freedoms to study and to improve. While it is important to
enact proportional penalties on cybercrime, the law has to be balanced
enough to distinguish between those who act in good faith, and those who
do not.
Indeed, as we have seen in the case of Belgium, this legal balancing
is something that is possible to accomplish in EU member states, at
least in written law. Adopting the Belgian Klokkenluiderswet-style
provisions can help to promote transparency and support for the software
freedom to study, and a less punitive environment for cybersecurity
research. Had such provisions been available under Polish law, it is
possible that this lawsuit could have been avoided entirely, by removing
the legal basis for Newag’s claims.
For these reasons, it will be interesting to see on which side the
verdict lands in this case.
Resources for Disclosure of Cybersecurity Vulnerabilities
In the meantime, the European
Union Agency for Cybersecurity (“ENISA”) has recognized the
importance of identifying cybersecurity vulnerabilities, and of EU
member states to support these efforts in their domestic laws. To that
end, they have prepared a report
compiling and analysing the policies around what they call “Coordinated
Vulnerability Disclosure” (or “CVD”) in the EU. In this context, CVD
refers to the process by which cybersecurity researchers and
investigators work together and share information. Additionally, ENISA
has prepared a guidance
document on good practices to follow when participating in
vulnerability investigation and disclosure.
These are valuable resources to look further into the existing
frameworks in EU jurisdictions, when dealing with questions of
cybersecurity research and investigative activities.
If you have a legal or licensing question related to Free Software
that is not covered here or in any of our other resources, you can
consider asking our License
Questions team by sending them an email at licence-questions@fsfe.org.
Support FSFE
Anmelden
_Trako13.jpg){kind=link}