Assume you purchase a software application from Company A. Company A wrote this application on the Microsoft .NET platform. You download Lutz Roeder's .NET Reflector decompiler (which reconstructs C# source from the MSIL and metadata in a compiled assembly). You point the decompiler at the assemblies and executables that make up Company A's application and examine the resulting C# source code. Is it ethical merely to examine that source code, and why or why not? Furthermore, is it legal, and why or why not? Could a clause in the EULA adequately cover decompilation?

An argument could be made that a professional software company releasing a product to a third party should have obfuscated the MSIL if it was interested in keeping the code closed. Many products on the market obfuscate MSIL (renaming types, methods and fields, encrypting string literals, mangling control flow) so that the decompiled output is not easily human-readable; note that this does not stop decompilation, it only raises the cost of understanding the result. Trade secret protection also depends on the owner taking reasonable measures to keep the information secret. If the source code was protected as a trade secret, wouldn't distributing unobfuscated MSIL, which is easily translated back into source, mean it was no longer a trade secret by definition?
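To make concrete why MSIL is "easily translated into source", here is an added example (not code from the original page, and not from .NET Reflector or any obfuscation product) that uses only the runtime's own reflection API to walk a compiled assembly. The assembly path `CompanyA.Accounting.dll` is an assumed placeholder. Everything it prints, including private members, parameter names and the raw IL of each method body, ships in the assembly's metadata, which is exactly what a decompiler reads and what an obfuscator renames or scrambles.

```csharp
using System;
using System.Linq;
using System.Reflection;

// Added example: enumerate the metadata that a compiled .NET assembly carries.
// Assumption: the path given on the command line (or the placeholder below) is
// a managed assembly that loads on this runtime.
class MetadataWalk
{
    static void Main(string[] args)
    {
        // Placeholder name, not a real product.
        string path = args.Length > 0 ? args[0] : "CompanyA.Accounting.dll";
        Assembly asm = Assembly.LoadFrom(path);

        Type[] types;
        try
        {
            types = asm.GetTypes();
        }
        catch (ReflectionTypeLoadException ex)
        {
            // Types whose dependencies are missing come back as null; keep the rest.
            types = ex.Types.Where(t => t != null).ToArray();
        }

        const BindingFlags all = BindingFlags.Instance | BindingFlags.Static |
                                 BindingFlags.Public | BindingFlags.NonPublic |
                                 BindingFlags.DeclaredOnly;

        foreach (Type t in types)
        {
            Console.WriteLine($"type {t.FullName}");

            // Field names and types survive compilation unless an obfuscator renames them.
            foreach (FieldInfo f in t.GetFields(all))
                Console.WriteLine($"  field {f.FieldType.Name} {f.Name}");

            foreach (MethodInfo m in t.GetMethods(all))
            {
                // Parameter names are also kept, which is why decompiled code reads naturally.
                string ps = string.Join(", ",
                    m.GetParameters().Select(p => $"{p.ParameterType.Name} {p.Name}"));

                // The method body exposes the raw IL bytes and the local variable table;
                // a decompiler rebuilds C# statements from these.
                MethodBody body = m.GetMethodBody();
                int ilBytes = body?.GetILAsByteArray()?.Length ?? 0;
                int locals = body?.LocalVariables.Count ?? 0;

                Console.WriteLine(
                    $"  {m.ReturnType.Name} {m.Name}({ps})  // {ilBytes} bytes of IL, {locals} locals");
            }
        }
    }
}
```

Run it against any unobfuscated assembly and compare with the same assembly after an obfuscator has processed it: the IL byte counts are similar, but the identifiers degrade to names like `a`, `b`, `c`, which is the only "protection" obfuscation offers. Nothing here alters the assembly, so it illustrates the "merely examine" case in the first paragraph rather than any modification or redistribution.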

Suppose Company A doesn't build very solid software. Being able to examine the source code (by decompiling it) would make life much easier for the IT organizations supporting Company A's application. Assume for a moment that the source code was examined and security problems were found. Knowing about those holes would make it much easier to deploy the application in a way that maximizes security, auditing and compliance: the defenders could compensate with network restrictions, hardened configuration or extra logging while waiting for a vendor fix. Think about a third-party finance or accounting application that must comply with Section 404 of the Sarbanes-Oxley Act (SOX), where the customer, not the vendor, signs off on the internal controls around that software. Examining the code for that purpose is a different act from redistributing it or exploiting what was found, and any ethical or legal analysis should keep the two apart.