Guest Article: The Danger With Time Bombs - Can Your Software Vendor Lock Up Your Software so That You Have to Buy an Upgrade? Maybe Not


In a cyberspace cloak-and-dagger story worthy of the best science fiction, the Stuxnet computer worm reportedly damaged a train of uranium enrichment centrifuges in Iran.  Less spectacular disabling codes, or “time bombs,” belong to the same general family of codes that intentionally impair a software system’s execution.  Run-of-the-mill time bombs prevent the execution of programs past a certain date and time.  Vendors readily use them to enforce license agreements.  The buyer must pay a license or maintenance fee to receive a software key that resets the time bomb’s expiration clock.  Because even the most minimally complex modern machinery is now controlled through software, time bombs can also be used to shut down equipment.  The danger is that, in the absence of a valid agreement, time bombs may be illegal under the Federal Computer Fraud and Abuse Act of 1984 (“CFAA”) (18 U.S.C. § 1030).  Parties who violate the CFAA may also expose themselves to civil actions.

The CFAA targets “fraud and related activities in connection with computers.”  The CFAA, for example, criminalizes the intentional and unauthorized access of so-called “protected” computers.  Broadly speaking, these computers are those in the service of the U.S. Government and financial institutions, and those “used in or affecting interstate or foreign commerce or communication.”  The computers need not even be based in the United States to qualify.  Moreover, a person who suffers “damage” as a result of certain violations of the CFAA can sue the perpetrator for compensation.  “Damage” is broadly defined as “any impairment to the integrity or availability of data, a program, a system, or information.” A statutory civil action will stand under the CFAA if damages exceed $5,000 in any one year, or result in personal injury, or pose a threat to public safety, among other conditions.

Excerpt from, Oct. 27, 2011. To view the full article, click the PDF linked below.


Email Disclaimer