Car security isn't what it was when I was young. Leaving aside the fact that my old Frogeye didn't even have door locks (although there was a lock on the bonnet, so that might have foiled a thief, who'd have had to be pretty mad to go for a bright orange car in the first place) let alone an immobiliser, even the locks on cars of that era left a lot to be desired. On a camping holiday with a schoolfriend and his family, he locked the keys to his Cortina GT in the boot, but his father (who ran a Ford dealership, although he himself drove a very exotic BMW 3.0CSi) opened it with the key to his caravan.
Nowadays, although there are still mechanical aspects to vehicle security, it's an area which has a great deal more to do with electronics. It was to protect the algorithm that lies at the heart of the security system it uses (along with several other manufacturers), the Megamos Crypto chip, that Volkswagen found itself in court last week (Volkswagen Aktiengesellschaft v Garcia & Ors [2013] EWHC 1832 (Ch) (25 June 2013)).
The facts were quite simple. A handful of academics had "attacked" (as they say in the field) that security system, and discovered some flaws. The vehicle manufacturers who stood to be embarrassed by those flaws might, you'd think, be grateful, but the academics proposed to deliver a paper at a conference, and in doing so would reveal the key algorithm to the world. In the name of "responsible disclosure" they had not simply gone ahead and done this: they had talked to the proprietor of the confidential information concerned. But they hadn't talked to VW, not until much nearer the date of the conference (which was last week, hence VW's need to seek an interim injunction).
To do this, the academics used a program called Tango Programmer, produced by an organisation called Scorpio, which is based in Bulgaria, and purchased by the academics for €1,000. There is some discussion in the judgment of how the program was devised, and where its authors found the Megamos algorithm, which they might have arrived at by "chip-slicing" - cutting open the chip and examining the gates under a microscope. The important question was whether the software was legitimate or not. As the judge observed, "Just because it comes from Bulgaria does not mean it is illegitimate." And the fact that the website (not available when I went looking for it the other day, but back on line now) was written in "broken English" did not persuade him. In fact the website looks plausible, and the products shown on it suggest that this is a business of some substance; it appears to be a limited company, and the strangest thing about it is its location bang in the middle of Bulgaria.
There was an issue about VW's right to sue. The algorithm was devised by Thales, who were not initially a party to the action, but the judge added them as a "proper and necessary" party, saying that it was likely within the meaning of Cream Holdings Ltd & Ors v. Banerjee & Ors [2004] UKHL 44 (14 October 2004) that "the confidentiality in the Megamos Crypto algorithm belongs to them", which is an interesting way to express it. This point did not stand in the way of an injunction being granted: Thales had standing to sue, but the judge held that VW did too, as they had a legitimate interest in being a co-claimant.
There is an old Jacob J case, Mars UK Ltd v Teknowledge Ltd [1999] EWHC 226 (Pat) (11 June 1999), [1999] 2 Costs LR 44, [1999] EWHC 226 (Pat), [2000] FSR 138, on reverse engineering, in which he held that it was not a misuse of confidential information to reverse engineer a product you had bought even to obtain information encrypted for security. The present case was argued on the basis that that case had been correctly decided, though that is in dispute, and (of course) it was the claimants' submission that it did not apply because the Scorpio Programmer software was not legitimate. The judge ended up relying on the "murky" origins of the program and the lack of effort on the part of the defendants to ascertain whether it had been produced by legitimate reverse-engineering or otherwise, and on that basis he held that there would be a breach of confidence. Should an injunction be granted to prevent publication? Not merely to save VW's blushes, said Mr Justice Birss, considering Article 10 of the European Convention, section 12(3) of the Human Rights Act, and the Cream Holdings judgment (but not American Cyanamid, which he said was clearly not the right test in the circumstances), which gave the guidance that the standard for not allowing publication is a flexible one, and that the court should be "exceedingly slow" to make interim orders if it is not satisfied that the claimant will probably succeed at trial.
Thales or VW would, he thought, probably succeed at trial, so that hurdle was cleared. Then the balance of public interest and the public interest defence fell to be considered. Freedom of expression and academic freedom were very important, but the epidemic of car crime that would be unleashed if the algorithm were published was more important. The software is sold by someone who understands that it can facilitate crime: there's a disclaimer that says (sic)
All devices and software developed by Scorpio-LK Ltd. are designed and sold with legal purpose to enchance and help people working in the sphere of car repairs and maintenance. The company doesn't take responsibility for any misuse of our products for illegal purpuses. Hence persons misusing our products for illegal purpuses bear their own responsebility for such acts.
And elsewhere:
Scorpio-lk Ltd accepts no responsibility for misuse of software for illegal purposes. The purchased softawre can only be used to repair vehicle immobilisers. On purchase of software client accepts responsibility for software use rendering Scorpio-lk Ltd unaccountable for illegal use.
The English, incidentally, seems no more broken than that of many native speakers. But the judge concluded that the claimants would probably be able to show that the software was not legitimate, and the defendants should have appreciated that.
The judge granted the injunction sought by VW, requiring "redaction" (the trendy alternative to "editing") of the paper they had written. They could still impress their peers by showing that they had derived the algorithm, and the claimants could remedy the problem identified with it: win-win. The judge clearly came to the view that the defendants' protestations about "reasonable disclosure" were nothing more than self-justification, and not the actions of responsible academics - a harsh view, but consistent with their reluctance to take even a few simple steps to ascertain where Scorpio-Lk Ltd had found the algorithm.
The judgment has been criticised by Prof Ross Anderson at Cambridge University, who is quoted in Automotive News Europe. He makes the valid point that the bad guys will not be prevented from doing what they have been doing all along - and the good guys won't know what the problem is. I'm not sure I understand his point: the important thing is that VW and Thales know, and can fix the weakness.