UK dev loses ownership claim on forensic software he said he wrote in spare time and licensed to employer

Ex-copper signed over copyright to bosses, judge rules


A British developer has lost his fight to claim ownership over software he wrote while working for digital forensics firm MD5.

Michael Penhallurick claimed he had worked on the “virtual forensic computing" (VFC) software at home and in his free time while being employed by MD5, and that he retained copyright ownership over the software and had merely licensed it to the company.

MD5, however, claimed that writing the software has been a fundamental part of Penhallurick's employment – and what it paid him £5,000 a month for – and as a result of that and other factors, such as agreements he signed, it owns the code.

The software is used mostly by police forces, and allows investigators to extract files from a seized hard drive and view them in a virtual machine, thereby avoiding altering any evidence on the drive.

The Intellectual Property Enterprise Court, in London, England, decided in favor of MD5, with Judge Richard Hacon noting a contract the company and Penhallurick had signed effectively gave MD5 ownership rights to the software it released and sold.

For his part, Penhallurick – a former South Yorkshire Police officer – said his employment contract concerned his expertise on forensics and he was initially employed on that basis. According to him, he was employed “to assist with forensic case work supplied to MD5 by police forces and his primary duties were to carry out forensic computer investigations, prepare witness statements, attend court and give evidence.” He also noted that he spent a lot of time working on the software on his home computer, at home, and in his spare time.

MD5 meanwhile argued that Penhallurick's duties “were more flexible and extensive than this," the judge noted: "MD5 further says that if Mr Penhallurick created any VFC software before the start of his employment it formed no part of the VFC software created for MD5.”

A contract's a contract

The reality, the judge decided, was that everyone was aware that Penhallurick was working on the VFC software, that he created multiple versions of it with improvements and enhancements, and that MD5 was selling these builds to people, paying the programmer a cut of sales.

Penhallurick started work on VFC in 2005, based on research he carried out during an MSc degree at Cranfield University in the three years prior, having learned of VMware and its virtualization tools in 2001.

When he met the owners of MD5, he outlined the manual method he used to pull files and observe them in a virtual environment, and agreed with MD5 to develop software that would automate the task, which he did. He joined the biz at the end of 2006, and by the next year, MD5 was selling VFC to customers.

Illustration of developer writing code at desk with three monitors

Looking for a new IT job? This week's list includes roles for software engineers, DC managers, cloud experts and support specialists

READ MORE

But there was a clear disparity between the two sides over who would ultimately own the software. MD5 felt it had full ownership and was paying Penhallurick a salary and cut of sales in payment; Penhallurick felt he ultimately remained the owner of the software. That disparity led to a contract in 2008 that Penhallurick and MD5 signed under which Penhallurick was given a bonus of 7.5 per cent of annual VFC sales by MD5. A further agreement in 2011 increased the bonus to 10 per cent – Penhallurick felt these payments were a license royalty rather than a bonus.

Crucially, although Penhallurick insisted he had licensed his software to MD5, it emerged during the case's proceedings that no evidence of such a license agreement existed. Meanwhile, the end-user license agreement bundled with the application noted that MD5 was the licensor, and Penhallurick had approved its wording.

Although the judge noted that none of the contracts had been put together by lawyers, leaving dangerous ambiguities that ultimately led to the lawsuit, he felt it was clear from the various bits of paperwork signed over the years that MD5 had engaged the programmer to produce and update the software, and that the company owned the copyright from the first official version.

It all fell apart after Penhallurick resigned in 2016 and then, in January 2018, when MD5 stopped paying him for the code. The dispute clearly grew rancorous, with MD5 accusing Penhallurick of leaving the company with a third version of the software with certain functions cut out, and Penhallurick allegedly telling third parties that MD5 has no rights over the software.

But those disputes are largely brushed off in the court’s decision, published on Monday this week following a hearing in July, which ruled that MD5 owns the released and sold software, had paid Penhallurick for it, and that was that.

Which should be a salutary lesson to all software developers: if you're working on a personal project, check your employment contract and employee rights to ensure your work doesn't ultimately belong to your boss. ®


Other stories you might like

  • Colocation consolidation: Analysts look at what's driving the feeding frenzy
    Sometimes a half-sized shipping container at the base of a cell tower is all you need

    Analysis Colocation facilities aren't just a place to drop a couple of servers anymore. Many are quickly becoming full-fledged infrastructure-as-a-service providers as they embrace new consumption-based models and place a stronger emphasis on networking and edge connectivity.

    But supporting the growing menagerie of value-added services takes a substantial footprint and an even larger customer base, a dynamic that's driven a wave of consolidation throughout the industry, analysts from Forrester Research and Gartner told The Register.

    "You can only provide those value-added services if you're big enough," Forrester research director Glenn O'Donnell said.

    Continue reading
  • D-Wave deploys first US-based Advantage quantum system
    For those that want to keep their data in the homeland

    Quantum computing outfit D-Wave Systems has announced availability of an Advantage quantum computer accessible via the cloud but physically located in the US, a key move for selling quantum services to American customers.

    D-Wave reported that the newly deployed system is the first of its Advantage line of quantum computers available via its Leap quantum cloud service that is physically located in the US, rather than operating out of D-Wave’s facilities in British Columbia.

    The new system is based at the University of Southern California, as part of the USC-Lockheed Martin Quantum Computing Center hosted at USC’s Information Sciences Institute, a factor that may encourage US organizations interested in evaluating quantum computing that are likely to want the assurance of accessing facilities based in the same country.

    Continue reading
  • Bosses using AI to hire candidates risk discriminating against disabled applicants
    US publishes technical guide to help organizations avoid violating Americans with Disabilities Act

    The Biden administration and Department of Justice have warned employers using AI software for recruitment purposes to take extra steps to support disabled job applicants or they risk violating the Americans with Disabilities Act (ADA).

    Under the ADA, employers must provide adequate accommodations to all qualified disabled job seekers so they can fairly take part in the application process. But the increasing rollout of machine learning algorithms by companies in their hiring processes opens new possibilities that can disadvantage candidates with disabilities. 

    The Equal Employment Opportunity Commission (EEOC) and the DoJ published a new document this week, providing technical guidance to ensure companies don't violate ADA when using AI technology for recruitment purposes.

    Continue reading
  • How ICE became a $2.8b domestic surveillance agency
    Your US tax dollars at work

    The US Immigration and Customs Enforcement (ICE) agency has spent about $2.8 billion over the past 14 years on a massive surveillance "dragnet" that uses big data and facial-recognition technology to secretly spy on most Americans, according to a report from Georgetown Law's Center on Privacy and Technology.

    The research took two years and included "hundreds" of Freedom of Information Act requests, along with reviews of ICE's contracting and procurement records. It details how ICE surveillance spending jumped from about $71 million annually in 2008 to about $388 million per year as of 2021. The network it has purchased with this $2.8 billion means that "ICE now operates as a domestic surveillance agency" and its methods cross "legal and ethical lines," the report concludes.

    ICE did not respond to The Register's request for comment.

    Continue reading
  • Fully automated AI networks less than 5 years away, reckons Juniper CEO
    You robot kids, get off my LAN

    AI will completely automate the network within five years, Juniper CEO Rami Rahim boasted during the company’s Global Summit this week.

    “I truly believe that just as there is this need today for a self-driving automobile, the future is around a self-driving network where humans literally have to do nothing,” he said. “It's probably weird for people to hear the CEO of a networking company say that… but that's exactly what we should be wishing for.”

    Rahim believes AI-driven automation is the latest phase in computer networking’s evolution, which began with the rise of TCP/IP and the internet, was accelerated by faster and more efficient silicon, and then made manageable by advances in software.

    Continue reading

Biting the hand that feeds IT © 1998–2022