Volkswagen v Garcia et. al.: Volkswagen Halts Disclosure of Secret Security Algorithm

Volkswagen v Garcia et. al.: Volkswagen Halts Disclosure of Secret Security Algorithm

Last June, Justice Birss of the High Court of England and Wales (Chancery Division) ruled in favor of Volkswagen and granted an interim injunction against Flavio Garcia, Computer Science Lecturer at the University of Birmingham, thus prohibiting him from publishing an academic paper that sought to expose weaknesses in Volkswagen automobile security systems.

The paper disclosed the algorithm used to activate the security system, the Megamos Crypto chip, which Volkswagen uses for its vehicles. According to the facts, a group of  academics - the parties to this lawsuit - were able to crack the security system and discover its flaws. However, the problem arose when these academics proposed to publish a paper at a conference, a paper which would reveal the algorithm to the public. Due to the confidential nature of the  information at stake, the defendants first notified Volkswagen, the proprietor of this information, prior to the paper's publication. Nonetheless, they did not inform Volkswagen until shortly before the date of the conference. Volkswagen contacted Garcia and his associates, requesting that they redact the vehicles’ security codes. The scientists refused to honour the request, arguing that the public has a right to see the weaknesses exposed. Volkswagen subsequently sought an injunction against the researchers on the grounds that revealing the codes used to activate the ignition systems would facilitate criminal activity.

Flavio Garcia and his associates purchased and used software called Tango Programmer, produced by a Bulgarian company called Scorpio. A central question in the case was whether the software used was legitimate. Justice Birss concluded that the  software was legitimate and the fact that it originated from Bulgaria had no significance in this respect. He further dismissed the claimant’s inference that the software's presentation in “broken English” as proving its illegitimacy.

The defendants contended that Volkswagen had no right to sue. According to the facts, the principal developer of the Megamos Crypto algorithm is the company Thales. Although not a party to the lawsuit, Justice Birss found that Thales is a "proper and necessary" party to the dispute and added them to the action. He went on to state that in following the decision of the court in Cream Holdings Ltd & Ors v. Banerjee & Ors [2004] UKHL 44 (14 October 2004), the confidentiality in the Megamos Crypto algorithm most likely belongs to Thales, as the algorithm's creator. Nevertheless, the court also found that Volkswagen had a legitimate interest in being a co-claimant.

The defendants also contended that Volkswagen had no claim to sue for misuse of confidential information. In making its ruling regarding reverse engineering, the court referred to Mars UK Ltd v Teknowledge Ltd [1999] EWHC 226 (Pat) (11 June 1999). In that case, the court had ruled that it was not a misuse of confidential information to reverse engineer a product bought to acquire information encrypted for security. Judge Birss held that, in this case, there would be a breach of confidence because the legitimacy of Tango Programmer was successfully called into question by the claimants.

The defendants further contended that there was a strong public interest in the publication of the paper and that they had acted in accordance with responsible disclosure principles. Justice Birss considered Article 10 of the European Convention on Human Rights, section 12(3) of the Human Rights Act, and the Cream Holdings judgment. According to the court, the standard for not allowing publication is a flexible one, and that the court should be "exceedingly slow" to make interim orders if it is not satisfied that the claimant is likely to succeed at trial. For the court, there seemed to be a reasonable belief  that either Thales or Volkswagen would most likely succeed at trial. This finding satisfied the first requirement.

As for the strong public interest argument, Justice Birss stated that freedom of expression and academic freedom are of major importance. However, in balancing freedom of expression with public safety, the court decided in favor of the latter. He stated,"I recognise the high value of academic free speech, but there is another high value, the security of millions of Volkswagen cars."

The judge granted the injunction sought by Volkswagen and ordered for "redaction" of the paper the defendants had written.

The present case is an illustration of the evolution of the society vis-à-vis the conservatism of the way law is applied. The court’s ruling, in my view, entails a significant future danger in that it places an obstacle for academics in the UK and abroad when it comes to conducting research and publishing about flaws in security systems. Judges around the world will eventually have to deal with cases like this one and may have to re-strike a balance between freedom of expression and confidentiality, potentially leading to a more responsive public or greater potential harm caused by disclosing secret security information of this nature.

Georgios Andriotis is an IPilogue Editor and a law student at Université de Montréal.