Legal Question in Technology Law in Georgia
Right to Withhold System Passwords
We are in the telephone system business, in which the systems that we sell and service are protected by a password that we provide to prevent the customer and other companies from having access to the programming software of the systems. These passwords are for our protection while the product is under warranty and if we are the servicing company for the equipment. With a password, we know that we are the only ones getting into the system, which would prevent us from being blamed for mistakes made by the customer or other companies. If the customer chooses to not do business with us anymore, are we obligated to release this password? The systems can be reset and programmed from scratch by removing the battery, if the new servicing company is knowledgable with that particular equipment. Any help you could provide would be greatly appreciated, as this issue has come up several times in the last few months. Thank you.
1 Answer from Attorneys
Re: Right to Withhold System Passwords
You should hire me to write an agreement (contract) for you to show customers that relieves you of continued warranty obligations in exchange for the password. If you want to be nicer, you would have an agreement that obligates them to pay for fixing any problem they call you in on which in your determination results from changes to the configuration.
Of course removing the battery works, but that also erases the configuration and could lead to more problems, right? By coincidence, I just had a contract programmer tell me that he was disabling client companies' employee's diskette drives in the bios setup each night and changing the bios passwords to prevent them putting the drives back online. (The company was doing that as an increased security measure. Ha!) I told him I could fix that in a 'flash' -- by pulling the battery and then replacing it. He claimed that the capacitor on the motherboard would defeat me and I claimed I could short that charge in another "flash".
To answer your question more directly, it is not my opinion that you need to divulge the password even though it is on the system that they bought and they own outright. I'll liken it to a maintenance password, the likes of which should be released only (in my theory) to 'factory-trained' maintenance personnel, not directly to clients. I understand that there are passwords and special secret tricks to getting into maintenance modes in automobiles these days and the information is not in the driver's use and care manual. If someone wants another company to take over maintenance, you could send the other company the password in writing delivered by constable (that's cheaper than you think, by the way), so that you have proof that they received it, and you might require them to request the password from you in writing (preferably on a form you draw up), signed, and maybe even pay the $20 to $40 constable fee. That way when they mung it all up, you've got proof that someone else had access to the configuration.
Here's another way to think of it; haven't you seen a notice on the back of a TV set that says that unauthorized access inside the set may invalidate the warranty? Even little disk drives these days have a tiny piece of tape sealing the case closed with such a notice on it.
I would under no circumstances suggest to anyone (or inform anyone) that the battery could be removed. Don't tell and don't confirm if they ask. Why? Because that SURELY deletes the config. and greatly increases the chances of there being a problem, doesn't it?
Besides, maybe some procedure that threatens to jeopardize a future warranty claim will make them think twice about leaving you!
Send me mail directly to [email protected] if you like.