Opensource project, am I responsible?

Hi all,

At the moment I am participating in a project responsible for the creation of a program having the ability to harm one's system. The primary purpose of the program, however, lies within the legal boundaries of the law. The program will be released under GPLv3 and therefore is open source.

My involvement doesn't go any further than writing code and preparing documentation, in which my name will be mentioned. At no time throughout the project will I take the release into production, nor am I engaged in the actual usage of the product. (The deployment will be executed by a third party.)

Question is: if it ever comes to legal action, can I be held responsible for damages and/or digital fraud? I just wanted to bring up the issue to see if anyone has had experience with such situations.

I'll not go into details on the project itself or its purpose.
I'm not a lawyer, but I would bet money as long as your intent isn't malicious then you have nothing to worry about. There's an entire industry for creating and using these kinds of tools in a legal manner.

If this project is backed by any sort of company, I would consult with them just to be sure that you are fine.


Eh I can't offer any advice besides ask the people you are working with (if it is backed by a company, they should have at least one lawyer). You could also ask over at StackOverflow, as more professionals tend to be active over there.
Thank you for your answer. I just noticed that some people shift all the responsibilities to the first person they can find. I've never been in this situation before, as most of the software I write is proprietary, and usually the devs are left out of the final credits.
Are there any non-harmful uses for your program? Are you reasonably certain that third parties will be using this program to harmful ends?
All programs have the ability to at least destroy data and/or cause economic damage in some way. That's why most open source licenses have a disclaimer stating that the program in question has no warranty and it's used at the user's own risk, basically protecting the developer from being sued for damages arising from the use of the program.
I don't know if GPL3 has such a disclaimer, but I know GPL2 didn't.
From what I've gathered, both licenses are equal when it comes to the warranty and exemption from liability. I'm not questioning what happens to me in case of accidental damage, but more towards the point of deliberately (ab)using the software.
As far as civil law is concerned, you are not liable either way.
As far as criminal law, I'm not so sure. I don't believe it's illegal to write malware anywhere, but then, IANAL.
I don't believe it's illegal to write malware anywhere,


UK law

"Malware and the law
Developing a virus or other malware and/or disseminating it is an offence under the Computer Misuse Act.

Depending on the circumstances, there could be a section 1, section 2 or section 3 offence (each of which is described above). The Police and Justice Act 2006 expanded the section 3 offence (unauthorised modification of computer material) to include actions designed to impair the operation of any program or computer. The maximum penalty is 10 years' imprisonment and a fine.

The Computer Misuse Act has also been changed to make it an offence to make, adapt, supply or offer to supply any article which is "likely to be used to commit, or to assist in the commission of, [a hacking or unauthorised modification] offence". It is also an offence to supply an article "believing that it is likely" to be used to commit such an offence.

The meaning of 'article' includes any program or data. The provisions would cover the supply of toolkits designed for launching Denial of Service attacks (see below) or viruses. Anyone convicted of breaking this section of the Act could be jailed for up to two years.

This part of the law has been controversial because security researchers have said that it could impede their work, restricting their ability to share information about security vulnerabilities (on the basis that if criminals use that information to attack a system, the researcher could be held responsible).

It is possible that malware could also give rise to civil liability – i.e. a lawsuit rather than a prosecution. If your company unwittingly introduced a virus to another company's network, that company could sue, alleging that your company was negligent in failing to detect and block the dissemination of viruses. Evidence might be that anti-virus software in use in the company spreading the virus was not up to date. There is an obvious defence of contributory negligence, though: if the other company had up-to-date anti-virus protection in place, the virus should have been blocked. Accordingly, we have never heard of such a lawsuit being filed."
http://www.out-law.com/page-405

I am kind of shocked by the last post. UK law strictly forbids any sort of involvement in such a project, if I'm understanding correctly. Does this only apply to software written in that state or country? How is the rest of the world handling this judiciary?
The MIT license:

The MIT License (MIT)

Copyright (c) <year> <copyright holders>

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in
all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
THE SOFTWARE.


Which basically says anyone can use your code to do anything and you aren't responsible for the results of using it or for maintaining it.
I ain't an expert either, but as mentioned above, is there anything good the program can do?

And I believe you can say it's for ethical purposes only and that it's only for pen-testing etc.
Neither the software nor the project is intended to cause harm to systems, computers or users. It could be used that way. How the actual deployment takes place is beyond my role.
Does this only apply to software written in that state or country?
It applies to all persons performing the actions described in the statute, that at the time are also within the jurisdiction of said statute.

Neither the software nor the project is intended to cause harm to systems, computers or users. It could be used that way.
This description is vague enough that it could apply to anything from compilers, to virtual machines, to simply software with buffer overflow vulnerabilities.
The way you're phrasing it, though, implies that nefarious applications are much more likely than lawful ones, and that you know this.
The way you're phrasing it, though, implies that nefarious applications are much more likely than lawful ones, and that you know this.


As a developer I know where the issues are and how certain capabilities could be misused by others. As said above, I am just the developer, and what I think might happen doesn't need to become reality. Again, I have no knowledge of or insight into the actual deployment or how the final release will be distributed.
What I fear more is the thought that I could have known, if things turn out to be mischievous.
In the end it will likely come down to whether or not convicting you is cost-effective enough for the other party. Today we have a world of lawyers, not laws...