UK dev loses ownership claim on forensic software he said he wrote in spare time and licensed to employer

A British developer has lost his fight to claim ownership over software he wrote while working for digital forensics firm MD5.

Michael Penhallurick claimed he had worked on the “virtual forensic computing" (VFC) software at home and in his free time while being employed by MD5, and that he retained copyright ownership over the software and had merely licensed it to the company.

MD5, however, claimed that writing the software has been a fundamental part of Penhallurick's employment – and what it paid him £5,000 a month for – and as a result of that and other factors, such as agreements he signed, it owns the code.

The software is used mostly by police forces, and allows investigators to extract files from a seized hard drive and view them in a virtual machine, thereby avoiding altering any evidence on the drive.

The Intellectual Property Enterprise Court, in London, England, decided in favor of MD5, with Judge Richard Hacon noting a contract the company and Penhallurick had signed effectively gave MD5 ownership rights to the software it released and sold.

For his part, Penhallurick – a former South Yorkshire Police officer – said his employment contract concerned his expertise on forensics and he was initially employed on that basis. According to him, he was employed “to assist with forensic case work supplied to MD5 by police forces and his primary duties were to carry out forensic computer investigations, prepare witness statements, attend court and give evidence.” He also noted that he spent a lot of time working on the software on his home computer, at home, and in his spare time.

MD5 meanwhile argued that Penhallurick's duties “were more flexible and extensive than this," the judge noted: "MD5 further says that if Mr Penhallurick created any VFC software before the start of his employment it formed no part of the VFC software created for MD5.”

A contract's a contract

The reality, the judge decided, was that everyone was aware that Penhallurick was working on the VFC software, that he created multiple versions of it with improvements and enhancements, and that MD5 was selling these builds to people, paying the programmer a cut of sales.

Penhallurick started work on VFC in 2005, based on research he carried out during an MSc degree at Cranfield University in the three years prior, having learned of VMware and its virtualization tools in 2001.

When he met the owners of MD5, he outlined the manual method he used to pull files and observe them in a virtual environment, and agreed with MD5 to develop software that would automate the task, which he did. He joined the biz at the end of 2006, and by the next year, MD5 was selling VFC to customers.

Looking for a new IT job? This week's list includes roles for software engineers, DC managers, cloud experts and support specialists

READ MORE

But there was a clear disparity between the two sides over who would ultimately own the software. MD5 felt it had full ownership and was paying Penhallurick a salary and cut of sales in payment; Penhallurick felt he ultimately remained the owner of the software. That disparity led to a contract in 2008 that Penhallurick and MD5 signed under which Penhallurick was given a bonus of 7.5 per cent of annual VFC sales by MD5. A further agreement in 2011 increased the bonus to 10 per cent – Penhallurick felt these payments were a license royalty rather than a bonus.

Crucially, although Penhallurick insisted he had licensed his software to MD5, it emerged during the case's proceedings that no evidence of such a license agreement existed. Meanwhile, the end-user license agreement bundled with the application noted that MD5 was the licensor, and Penhallurick had approved its wording.

Although the judge noted that none of the contracts had been put together by lawyers, leaving dangerous ambiguities that ultimately led to the lawsuit, he felt it was clear from the various bits of paperwork signed over the years that MD5 had engaged the programmer to produce and update the software, and that the company owned the copyright from the first official version.

It all fell apart after Penhallurick resigned in 2016 and then, in January 2018, when MD5 stopped paying him for the code. The dispute clearly grew rancorous, with MD5 accusing Penhallurick of leaving the company with a third version of the software with certain functions cut out, and Penhallurick allegedly telling third parties that MD5 has no rights over the software.

But those disputes are largely brushed off in the court’s decision, published on Monday this week following a hearing in July, which ruled that MD5 owns the released and sold software, had paid Penhallurick for it, and that was that.

Which should be a salutary lesson to all software developers: if you're working on a personal project, check your employment contract and employee rights to ensure your work doesn't ultimately belong to your boss. ®