CG1110-software

The Danger With Time Bombs

Oct. 17, 2011
Can Your Software Vendor Lock Up Your Software so That You Have to Buy an Upgrade? Maybe Not

By Pierre Grosdidier

In a cyberspace cloak-and-dagger story worthy of the best science fiction, the Stuxnet computer worm reportedly damaged a train of uranium enrichment centrifuges in Iran.  Less spectacular disabling codes, or "time bombs," belong to the same general family of codes that intentionally impair a software system's execution. Run-of-the-mill time bombs prevent the execution of programs past a certain date and time. Vendors readily use them to enforce license agreements. The buyer must pay a license or maintenance fee to receive a software key that resets the time bomb's expiration clock. Because even the most minimally complex modern machinery is now controlled through software, time bombs can also be used to shut down equipment. The danger is that, in the absence of a valid agreement, time bombs may be illegal under the Federal Computer Fraud and Abuse Act of 1984 ("CFAA") (18 U.S.C. § 1030). Parties who violate the CFAA may also expose themselves to civil actions.

The CFAA targets "fraud and related activities in connection with computers." The CFAA, for example, criminalizes the intentional and unauthorized access of so-called "protected" computers. Broadly speaking, these computers are those in the service of the U.S. government and financial institutions and those "used in or affecting interstate or foreign commerce or communication."  The computers need not even be based in the United States to qualify. Moreover, a person who suffers "damage" as a result of certain violations of the CFAA can sue the perpetrator for compensation.  "Damage" is broadly defined as "any impairment to the integrity or availability of data, a program, a system or information."  A statutory civil action will stand under the CFAA if damages exceed $5000 in any one year or result in personal injury or pose a threat to public safety, among other conditions. 

CFAA § 1030(a)(5)(A) criminalizes the acts of whoever "knowingly causes the transmission of a program, information, code or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer." This subsection obviously targets malware authors. Robert Tappan Morris, for example, was the first person convicted under this subsection for creating and releasing the Morris Worm in 1988, the first worm to affect the Internet.

However, § 1030(a)(5)(A) is also used by unsuspecting victims of time bombs to instigate civil actions. In North Tex. Preventive Imaging v. Eisenberg, for example, the defendants' time bomb was intended to disable the plaintiff's medical imaging software. The time bomb was not part of the initial software sale and was introduced through an update disk to force the plaintiff to enter into a new licensing agreement. The court held that sending disabling code on a floppy disk qualified as a proscribed "transmission" under CFAA § 1030(a)(5). It denied the defendants' motion to dismiss the CFAA claims and enjoined the defendants from withholding the disks that reset the bomb's clock. More recently, a court denied a defendant's motion to dismiss the § 1030(a)(5) claim of a law firm that was the victim of a time bomb. The law firm had purchased customer management software from the defendant. A time bomb eventually disabled the software, forcing the firm to purchase an upgrade. The court held that the firm's allegations that the time bomb was intended to force it to upgrade were sufficient to state a claim under the CFAA.

What about the Process Industries?

It is easy to envisage how § 1030(a)(5)(A) could apply to an unauthorized time bomb in the process industries. Software keys are regularly sent over the Internet, qualifying as transmissions of codes or commands. All process-related computers in processing plants affect commerce to some extent and could qualify as protected computers. A computer that hosts a plant scheduler or equipment controls arguably affects commerce because the operation of these systems affects the plant's ability to manufacture and ship its products. Interstate commerce is affected because most processing plants ship their products across state lines, if not internationally. The damages caused by a time bomb on a process-related computer can easily exceed $5000 in, say, lost production, or threaten safety, and possibly cause personal injury. What remains is whether the transmission of the time bomb was accompanied by the intent to cause damage. This issue would likely be a question of fact for a jury.

The CFAA fortunately only criminalizes unauthorized time bombs. Contracting parties can approve disabling software under a lawful license agreement.  The agreement should specify the conditions of software disablement. Licensors who want to incorporate time bombs in their software should consult a knowledgeable attorney. Finally, the CFAA also includes an escape clause for good faith mistakes. No civil action will stand under the CFAA for the negligent design or manufacture of hardware or software.  The CFAA is not intended to trip engineers who are responsible for honest bugs.

Pierre Grosdidier is an Associate in Haynes and Boone, LLP’s Business Litigation practice group in Houston, Texas. He specializes in lawsuits with strong engineering or software components. Prior to practicing law, Pierre worked 18 years in the process control industry. He holds a Ph.D. from Caltech and a J.D. from the University of Texas. He is a registered professional engineer in Texas (inactive) and a member of the State Bar of Texas.