UK Court Rules on Reverse Engineering of Mainframe Software

Background

In 2013, the second defendant, Winsopia Ltd ("Winsopia"), entered into a customer agreement with the claimant, IBM (the "ICA"). Unbeknownst at the time to IBM, Winsopia is a wholly owned subsidiary of the third defendant, LzLabs UK, which was ultimately owned by the first defendant, LzLabs GmbH ("LzLabs"). The sixth defendant, Mr. John Moores, is the main beneficial owner of LzLabs, Winsopia, and LzLabs UK. 

Notably, back in 2009, Mr. Moore's separate company, Neon Enterprise Software LLC ("Neon"), had unsuccessfully sued IBM Corporation in the United States. In that dispute, which concluded in 2011 and involved a counterclaim by IBM, an employee from Neon admitted to acts of reverse assembly and the destruction of evidence related to IBM Corporation's proprietary software. IBM succeeded in preventing Neon from selling its infringing product and forcing it to hand over its source code to IBM; this led to the cessation of operations at Neon.

In December 2013, Winsopia and LzLabs entered into a consultancy services agreement, under which Winsopia agreed to perform discovery, quality assurance, and software development work for LzLabs. The court identified that Winsopia's use of IBM's licensed software was "for the sole purpose of assisting LzLabs in its software development." The defendants explained that they had established clean room procedures to ensure compliance with the terms of the ICA during development of what became the central issue of the dispute, the software defined mainframe ("SDM"). Those included: (i) codes of conduct between Winsopia and LzLabs; and (ii) systems to record intercompany requests made concerning the mainframe software. 

In 2016, LzLabs launched its SDM, which competes with IBM's mainframe software, offering a smaller, external, non-mainframe computer capable of executing batch processing tasks typically performed by a mainframe system. IBM became suspicious about the methods involved in SDM's development and in 2020 notified Winsopia that it intended to audit Winsopia's compliance with the terms of the ICA. When Winsopia declined the audit request, IBM commenced proceedings seeking a declaration that Winsopia's license had been lawfully terminated and an injunction preventing Winsopia from making any further use of IBM's licensed software. 

The Court's Decision

There were several issues for the court's determination, which were delivered over a 253-page decision (see paragraph 138). These issues included assessing the proper construction of the ICA, the alleged breaches (and procurement of such breaches), and whether the acts alleged to be in breach of the ICA fell within the rights conferred by the Software Directive, as implemented by the Copyright, Designs and Patents Act 1988 ("CDPA"), and whether these acts could be restricted or prohibited by contract. 

This case summary focuses on the above-mentioned issues. However, further issues which were determined included assessing liability for the tort of unlawful means conspiracy, evaluating the validity of IBM's termination of the ICA and the determination of limitation periods in relation to IBM's claims. IBM was victorious in most issues. 

At the consequentials hearing, the High Court ordered injunctive relief against the first, second, and sixth defendants, including prohibitions on the marketing, sale, and dissemination of the SDM software, and required delivery up or destruction of IBM’s ICA Programs, with compliance to be supervised by an independent forensic IT firm. The court awarded IBM its costs of the liability proceedings jointly against the first, second, and sixth defendants, with a payment on account of £20 million due by October 2025, but refused indemnity costs and granted a stay of the injunctive relief (excluding the delivery up / destruction orders) pending any appeal. Outstanding issues at the time of publication include the determination of quantum at a future hearing.

Breach of the ICA

The court considered 51 separate alleged breaches of the ICA by Winsopia. It found that Winsopia breached the ICA in the majority of these instances, including through reverse engineering of the licensed software through disassembly, decompilation, and translation in addition to the systematic creation and analysis of computer listings and the systematic use of debugging techniques [§838-844]. The court also found that Winsopia's refusal to comply with IBM's audit request amounted to a further breach of the ICA [§979].

Rights Conferred by the Software Directive 

The court considered whether any of the acts alleged to be in breach of the ICA, such as reverse engineering IBM's software to create LzLabs' SDM, fell within the rights conferred by Articles 5(1), 5(3), and/or 6 Software Directive. The judge referred to several key principles derived from the Software Directive and its application in the UK via the CDPA:

• Copyright Protection: Computer programs are protected as literary works, and this protection extends to the expression of the program but not to the underlying ideas, procedures, methods of operation or mathematical concepts.
• Restricted Acts: Copyright owners have exclusive rights to perform certain acts, including copying, adapting, and distributing the protected work. 
• Exceptions: The Software Directive provides specific exceptions to these exclusive rights for computer programs, including: (i) making back-up copies; (ii) decompilation for interoperability; (iii) observation, study, and testing to determine underlying ideas and principles; and (iv) copying or adapting for lawful use, including error correction.
• Void Contractual Terms: Contractual terms that seek to override these exceptions are void.

The defendants argued that their actions which were alleged to be a breach of the ICA were permitted under the exceptions provided by the Software Directive (implemented by sections 50B, 50BA, and 50C of the CDPA). The judge examined each of these arguments in detail:

• Error Correction (Article 5(1)): The defendants contended that they had disassembled part of the object code and source code as part of a debugging facility to correct alleged errors. However, the court observed that "such detailed analysis investigated, not just the output of the program but how the program achieved its output, that is, expression of the program, rather than its functioning" [§296]. In any event, the terms of the ICA prohibited the disassembly and reverse engineering, which overrode the general permission for error correction under Article 5(1).
• Observation, Study, and Testing (Article 5(3)): The defendants claimed that their actions fell within the scope of observing, studying, and testing the functioning of the IBM programs to determine the underlying ideas and principles. However, the court determined that defendants' actions went "beyond mere observation and testing." Rather it entailed a "detailed examination" of how control was exchanged between CICS, or the Customer Information Control System, and COBOL, or Common Business-Oriented Language [§595]. Such examination, again, concerned the expression of IBM's program, rather than its function.
• Decompilation for Interoperability (Article 6):The defendants argued that their decompilation activities were necessary to achieve interoperability between their SDM and IBM's programs. The judge rejected this argument, noting that the decompilation was not limited to obtaining information necessary for interoperability. Instead, it involved transferring entire machine code instructions into C language macros, which was not indispensable for interoperability [§400-401]. 

The judge therefore concluded that the defendants' actions did not fall within the exceptions provided by the Software Directive. In applying established case law principles, the judge emphasized that the exceptions must be interpreted restrictively to protect the copyright owner's rights and legitimate interests. As a result, the defendants' reliance on the Software Directive as a defense was unsuccessful, and the breaches of the ICA were upheld. 

Procurement of Breach 

Finally, the court found that LzLabs and Mr. Moores were liable for procuring/inducing a Winsopia's breach of the ICA. 

The directors of the related companies, being the fourth and fifth defendants were found not liable for unlawfully procuring breach of contract on the part of Winsopia since their roles fell within the scope of the defense in Said v Butt. Mr. Moores, however, was not a director but an indirect beneficial owner of Winsopia, LzLabs UK, and LzLabs. The court was persuaded that Mr. Moores' close involvement with the direction of the companies was sufficient to determine that he had "encouraged and assisted Winsopia to commit acts that amounted to breaches of contract" [§930]. 

LzLabs was Winsopia's sole client. Therefore, the activities that were carried out by Winsopia, and in breach of the ICA, were done so at the "sole direction" and "control" of LzLabs. The court observed that due to the nature, extent, and duration of the breaches conducted by Winsopia, such behavior was "indicative of deliberate and systematic disregard of the terms of the ICA" [§873]. The court also observed that while clean room procedures such as codes of conduct were in place, they had minimal impact since "those who controlled LzLabs and Winsopia did not take any meaningful steps to ensure that the clean room procedures were effective in practice" [§874].