Reverse Engineering

When Is It Legal to Reverse Engineer a Product on the Market?

Reverse engineering is a common method of working backward from a physical object, computer hardware, software, or other technology to discover its functionality, components, and hidden design information. Businesses use reverse engineering to analyze a competitor’s product, recover lost data, recreate obsolete parts, build compatible accessories, and develop a next generation or competing product. However, it is not always lawful to copy or borrow from a competitor's product. We explore in this article whether and when reverse engineering crosses the line into misuse of trade secret or other intellectual property rights.

What “reverse engineering” actually means

Reverse engineering (or back engineering) is the process of studying a previously made device, system, or code base to determine how it works and what it contains. In law, the concept usually means starting with the finished article and learning its internal design, structure, or operation from the article itself rather than from leaked drawings or other confidential information.

The reverse engineering process

The reverse engineering process usually has three steps: information extraction, modeling, and review. For hardware, that may involve disassembling a product, scanning it with coordinate measuring machines, laser scanners, or structured-light tools, then converting the scan into digital models in computer aided design software. For software, static analysis examines a program without running it, while dynamic analysis observes it in operation. Engineers may use disassemblers and decompilers to inspect assembly language, data structures, and sometimes recover a higher-level view of lost source code.

Why companies use reverse engineering

Reverse engineering speeds research and development, shortens prototyping, and reduces cost and waste by repairing existing parts instead of replacing whole systems. It is used in aerospace and automotive work to scan parts and create digital replicas, in medical-device work to create custom implants and prosthetics, in classic-car restoration to recreate parts, and in failure analysis to determine why a machine failed and improve its functionality. It also helps companies analyze existing designs, improve ergonomics, create compatible accessories, repurpose obsolete objects, build a digital twin, or regain lost designs for long-discontinued products and product-legacy archives.

The baseline rule under trade secret law

Under the Defend Trade Secrets Act, a trade secret is information that derives value from not being generally known and not being readily ascertainable through proper means, so long as the owner used reasonable secrecy measures. See 18 U.S.C. § 1839(3). Critically, the DTSA defines improper means to include theft, bribery, misrepresentation, breach of duty, and espionage, but it expressly says improper means “does not include reverse engineering, independent derivation, or any other lawful means of acquisition” under 18 U.S.C. §§ 1839(3),(6). State trade secret law generally follows the same Uniform Trade Secrets Act model. In other words, reverse engineering a lawfully acquired product on the market is not an improper means of acquiring product design and information under U.S. trade secret law, even when the product embodies valuable trade secrets.

Trade Secret vs. Patent

The Supreme Court’s decision in Kewanee Oil Co. v. Bicron Corp., 416 U.S. 470 (1974), reinforces this principle. There, former employees left Kewanee and began using knowledge related to crystal-growing processes. The Court found that state trade secret protection does not conflict with federal patent law. The court explained that trade secret law protects against breaches of confidence and improper means, but does not prevent competitors from discovering the same information through legitimate reverse engineering techniques or independent development. In other words, even where valuable trade secrets exist, others remain free to use reverse engineering on a lawfully obtained product to discover its underlying design information.

Similarly, in Bonito Boats, Inc. v. Thunder Craft Boats, Inc., 489 U.S. 141 (1989), the Supreme Court struck down a Florida statute that prohibited duplicating unpatented boat hull designs using a direct molding process. A competitor had copied a hull design from an existing boat, effectively working backward from a physical object to create a similar product. The Court held that the state law improperly granted patent-like exclusive rights to unpatented designs and conflicted with federal patent law, which allows copying of publicly available products. The Court emphasized that once a product is placed on the market, competitors may lawfully engage in analyzing products, including through reverse engineering, unless they employ improper means.

These authorities establish the baseline rule: performing reverse engineering on a lawfully acquired competitor’s product is often generally legal, even where the product embodies proprietary information or valuable trade secrets, so long as the reverse engineering process relies on proper means rather than conduct that would constitute misappropriation.

Proper means versus improper means

The core issue in determining the propriety of reverse engineering is how you gain access. Buying a product on the open market and analyzing it is ordinarily proper means under trade secret law. By contrast, using theft, deception, breach of a confidentiality agreement, or industrial espionage constitutes improper means.

In E.I. duPont deNemours & Co. v. Christopher, 431 F.2d 1012 (5th Cir. 1970), the defendants hired a pilot to take aerial photographs of DuPont’s methanol plant while it was still under construction and not yet enclosed. DuPont had taken reasonable steps to maintain secrecy from ground-level observation, but had not covered the facility from above. The Fifth Circuit held that this conduct constituted improper means, reasoning that although the information was visible from the air, the use of aerial surveillance to obtain proprietary information that was not otherwise readily ascertainable through normal inspection went beyond acceptable competitive practices.

Similarly, in Compulife Software Inc. v. Newman, 959 F.3d 1288 (11th Cir. 2020), the defendants accessed publicly available insurance quote data through the plaintiff’s website. While individual, manual queries by a human user could be considered proper means, the defendants deployed automated bots to extract massive volumes of data at a scale that ordinary users could not replicate. The Eleventh Circuit held that this type of automated scraping could qualify as improper means and enabled the collection of data in a manner inconsistent with normal access.

These cases illustrate that reverse engineering itself is not the problem. Rather, liability arises when performing reverse engineering involves such means as deception, circumvention, or automated overreach that enable a party to access confidential information or secret information in ways that go beyond legitimate market acquisition. In those circumstances, the conduct may constitute misappropriation, even if the end goal is to analyze a product or develop a competing design.

A product can stay secret for only so long

A marketed product does not automatically lose trade secret protection simply because it is sold to the public. The key inquiry under trade secret law remains whether the alleged secret is still not readily ascertainable through proper means, such as lawful reverse engineering of a publicly available product.

The Federal Circuit’s decision in ams-OSRAM USA Inc. v. Renesas Electronics America, Inc., 133 F.4th 1337 (Fed. Cir. 2025) illustrates how this principle operates in practice. In that case, the dispute involved semiconductor technology used in ambient light sensors embedded in consumer electronics. The plaintiff argued that certain design features and proprietary information within its chips constituted protectable trade secrets, while the defendant contended that those features could be discovered through standard reverse engineering techniques applied to chips available on the market. The court held that the relevant question was not whether the defendant had actually completed the reverse engineering process, but whether the information could have been obtained through proper means, i.e., by analyzing a lawfully acquired product using routine and straightforward engineering methods. Because the information was susceptible to such analysis, it was deemed readily ascertainable, and therefore not entitled to ongoing trade secret protection.

This reasoning aligns with longstanding Supreme Court precedent. In Bonito Boats (discussed above), the invalidated statute effectively barred reverse engineering of a physical object. The Supreme Court emphasized that once a product is placed into the public domain without patent protection, competitors are generally free to study and copy it using proper means, including working backward from the product itself.

These cases underscore an important limitation: the original manufacturer may gain a competitive advantage from secrecy at the outset, but once a product enters the market, that advantage can erode if competitors can lawfully gain access to the underlying design information through reverse engineering techniques. In practical terms, if a competitor’s product can be disassembled, analyzed, and understood using standard industry methods without resorting to improper means, then the information may no longer qualify as a protected trade secret, even if the reverse engineering process requires technical skill or detailed analysis.

Patent law asks a different question

Even when trade secret law permits reverse engineering, patent law may still matter. A patent gives the owner exclusive rights to exclude others from making, using, selling, offering to sell, or importing the claimed invention. So you may be free to study a product to determine how it works, but selling a reverse engineered product that falls within valid patent claims can still infringe. That is why a business can win the trade secret issue and still face legal action under patent law. See 35 U.S.C. § 271.

Reverse engineering software, interoperability, and fair use

With proprietary software, engineers often lack access to the original source code, which leads them to use reverse engineering techniques, including disassembly into assembly language and analysis of data structures, to understand unprotected functional elements and enable interoperability. Courts have repeatedly addressed whether this type of analyzing and intermediate copying is permissible.

In Sega Enters. Ltd. v. Accolade, Inc., 977 F.2d 1510 (9th Cir. 1992), Accolade sought to develop video games compatible with Sega’s Genesis console. Because Sega’s interface specifications were not publicly available, Accolade disassembled Sega’s object code to identify the interface requirements. Sega brought legal action, arguing that this copying infringed copyright. The Ninth Circuit court held that Accolade’s intermediate copying constituted fair use because it was necessary to access unprotected functional elements and achieve interoperability with the console. The court emphasized that where disassembly is the only way to gain access to functional requirements, such use can be justified.

Similarly, in Sony Computer Entertainment, Inc. v. Connectix Corp., 203 F.3d 596 (9th Cir. 2000), Connectix created a PlayStation emulator that allowed Sony games to run on personal computers. To do so, Connectix engaged in extensive reverse engineering of Sony’s BIOS, including temporary copying during development. Sony argued this was infringing, but the Ninth Circuit again held that the reverse engineering was fair use. The court found that Connectix’s work was transformative because it produced a new platform and enhanced functionality, and that the intermediate copying was necessary to understand the system’s operation.

Congress has also provided limited statutory support for this type of activity. Under 17 U.S.C. § 1201(f), circumvention of technological protection measures is permitted when undertaken for the sole purpose of identifying and analyzing elements necessary to achieve interoperability of independently created software. Section 1201(j) similarly permits certain acts of reverse engineering for good-faith security testing, with authorization from the owner or operator of the computer system. These provisions reflect a recognition that performing reverse engineering can be essential to innovation, competition, and security, particularly where developers seek to create a similar product or compatible system.

At the same time, the boundaries remain contested. Reverse engineering of software may still implicate contract restrictions, licensing terms, or anti-circumvention rules, and improper use of proprietary information can still constitute misappropriation. As technology continues to evolve, especially with increasingly complex platforms and AI systems, the legality of reverse engineering software for interoperability remains an active and closely watched area of law.

Contracts, clickwrap, and scraping can change the risk

Software disputes involving the reverse engineering of software often turn as much on contract law as on intellectual property law. Courts have repeatedly emphasized that how a party obtains access to software, data, or a system, and what restrictions govern that access, can determine whether performing reverse engineering remains lawful or crosses into improper means.

In Bowers v. Baystate Technologies, Inc., 320 F.3d 1317 (Fed. Cir. 2003), the dispute arose from competing computer aided design (CAD) programs. The defendant purchased the plaintiff’s software, which was distributed under a shrinkwrap license expressly prohibiting reverse engineering techniques, including decompilation. The defendant nevertheless analyzed the software to develop a competing product. The Federal Circuit held that the shrinkwrap agreement was enforceable and that violating the anti-reverse engineering clause constituted a breach of contract, even if federal copyright law might otherwise permit certain reverse engineering activities. The court reasoned that private parties can contractually waive rights that might otherwise exist under federal law. The key takeaway for businesses is that even if reverse engineering might be generally legal under trade secret law, contractual restrictions can independently prohibit it and create exposure to legal action.

By contrast, Aqua Connect, Inc. v. Code Rebel, LLC, No. CV 11-5764 RSWL (C.D. Cal. Nov. 5, 2012), addressed whether violating a license agreement automatically transforms reverse engineering into improper means under California’s Uniform Trade Secrets Act. In that case, the plaintiff alleged that the defendant improperly accessed and analyzed its remote desktop software to develop a competing product. Although the plaintiff pointed to end-user license agreement (EULA) restrictions, the court held that a mere breach of contract, standing alone, does not necessarily constitute improper means sufficient to support a trade secret misappropriation claim. In other words, while the defendant’s conduct might support a contract claim, it did not automatically establish that the defendant used prohibited or deceptive means to gain access to protected confidential information under trade secret law.

These cases illustrate a critical distinction: contractual restrictions can limit the ability to use reverse engineering, but not every contract breach rises to the level of trade secret misappropriation. That distinction becomes especially important in modern disputes involving online platforms and automated access. Courts have increasingly found that large-scale scraping using bots or circumvention of technical barriers may constitute improper means, particularly where access controls are bypassed or the method of analyzing data would not be feasible through ordinary means.

For businesses analyzing a competitor’s product, proprietary software, or online systems, the practical guidance is straightforward: before performing reverse engineering, carefully review all applicable licenses, clickwrap agreements, and terms of use. The legality of your method, your tools, and how you access the system can be just as important as the underlying engineering analysis itself.

Hardware, CAD, PCBs, and lost design data

On the hardware side, businesses commonly analyze printed circuit boards, electronic components, microprocessors, and other components when original files are missing. The workflow usually runs from scan capture to post-processing to CAD modeling, with quality checks against original specifications. Reverse engineering is used to create digital records, analyze existing products, recover missing design information, and preserve design intent for later development. That is especially valuable when a company wants to revive discontinued products, secure spare-part supply, or understand how a competitor’s product was assembled.

Security research, malware, and the AI era

Reverse engineering is also central to cybersecurity. Security teams use reverse engineering, including decompilers, disassemblers, and other automated tools, to analyze software, identify buffer overflows, authentication flaws, malware behavior, and architectural weaknesses in code. This reverse engineering process often involves both static and dynamic analysis to better understand functionality, data structures, and potential vulnerabilities. At the same time, attackers use the same reverse engineering techniques to expose secret information, uncover proprietary algorithms, and exploit weaknesses in proprietary software systems.

Courts have increasingly addressed when such conduct crosses into improper means under trade secret law. For example, in Compulife Software Inc. (discussed above), the defendants use of automated bots to scrape large volumes of insurance quote data from a competitor’s website was far beyond what a human user could access. The use of bots to systematically extract data could constitute improper means and support a claim for misappropriation under the Defend Trade Secrets Act and Uniform Trade Secrets Act.

The legal risks become even more pronounced where access is obtained through deception or circumvention of safeguards. In United States v. Nosal, 844 F.3d 1024 (9th Cir. 2016), the Ninth Circuit held that using another person’s login credentials to gain access to protected systems after authorization had been revoked could violate federal law, highlighting how credential misuse can transform otherwise lawful analyzing or reverse engineering into unlawful conduct.

These principles are now being tested in the AI context. In OpenEvidence Inc. v. Pathway Medical, Inc., No. 1:24-cv-10471 (D. Mass. filed 2024), the plaintiff claimed that a competitor used stolen credentials and prompt-injection attacks to extract system prompts and other proprietary information from an AI platform. The allegations focus on whether such conduct constitutes improper means to obtain confidential information, rather than lawful reverse engineering of a publicly available system. While the case remains pending, it reflects a broader trend: as AI systems become more complex, companies are increasingly attempting to determine how models operate internally, raising difficult questions about whether extracting hidden prompts, weights, or outputs is permissible reverse engineering or unlawful acquisition of valuable trade secrets.

Reverse engineering for cybersecurity, such as vulnerability testing, malware analysis, and development of more secure systems, is legitimate when conducted through proper means. But using deception, bypassing authentication controls, or exploiting access mechanisms to obtain proprietary information can quickly shift the analysis and trigger legal action under trade secret, computer access, or contract law.

Conclusion

Reverse engineering of a lawfully acquired product is lawful, and it is a legitimate tool to analyze technology, improve existing designs, recover lost knowledge, secure software, and create better products. But reverse engineering is unlawful if you rely on deception, insider leaks, bot scraping, stolen credentials, or you violate binding anti-reverse-engineering clauses or patent rights. Companies can still defend trade secrets, but they do so through reasonable secrecy measures, contracts, patents, and technical controls, but not by pursuing parties engaged in post-sale reverse engineering analyses of a product in the marketplace.

If you have inquiries regarding the legality of a reverse engineering project, trade secret matters, or other intellectual property matters, contact our office for a consultation.

© 2026 Sierra IP Law, PC. The information provided herein does not constitute legal advice, but merely conveys general information that may be beneficial to the public, and should not be viewed as a substitute for legal consultation in a particular case.