HT-2021-000363 - [2025] EWHC 532 (TCC)

An IBM mainframe can support multiple CICS regions (memory areas), which can be configured to work together, where a mainframe user requires additional capacity for its CICS transactions. The CICS Transaction Gateway (“CICS TG”) is software that allows a remote application to invoke services in a CICS region. Communications can occur between two regions of CICS executing on different mainframes, or between a CICS region and a non-CICS region.

Where a CICS region is required to communicate with other CICS or non-CICS systems that are not in the same operating system, the connection is effected by using either the Systems Network Architecture (“SNA”) protocol, or a TCP/IP protocol. Logical Unit 6.2 (“LU6.2”) is an IBM communications protocol, which is used to communicate between two systems using the SNA. IP interconnectivity (“IPIC”) is a protocol which enables use of a TCP/IP network for intercommunication between systems.

LzLabs developed a substitute for CICS on the SDM, through software referred to as “LTE” or “LzOnline”. In order to support communication between a CICS region running on the SDM and a CICS region running on a mainframe, the SDM needed to be able to receive messages from, and send messages to, the mainframe-based CICS regions, using the same network protocols, headers, handshakes and data format as used by CICS.

IBM has not published the method that CICS uses to encapsulate the input parameters and output response of an EXEC CICS command that is specified to be executed on a remote CICS region, or details of the data area used for encapsulation of the relevant parameters, the private headers.

It is common ground, as recorded in the experts’ second joint statement, that Winsopia compiled and executed test programs so as to generate CICS-to-CICS network traffic, using tracing tools to record such traffic.

Winsopia used VTAM buffer traces to record the network traffic over SNA protocols, using GTF to store the data. Virtual Telecommunications Access Method (“VTAM”) is a component of the z/OS communication server which provides communication services using SNA based protocols. VTAM is used to carry network data between pairs of CICS regions using LU6.2. General Tracing Facility (“GTF”) records the processing or flow of a program or transaction, including network communications, memory content and the interactions between programs and transactions. The VTAM buffer traces included byte streams which were used to identify the data structures, message formats and the constants defined by CICS.

Winsopia also used TCP/IP packet traces to record network traffic over TCP/IP protocols. Component trace (“CTRACE”) is a z/OS diagnostic utility that can capture in real time detailed technical information about the operation of components of the IBM mainframe software. TCP/IP packet trace uses CTRACE to store the trace data.

Winsopia sent the trace data from CICS-to-CICS network traffic to LzLabs. LzLabs used it to develop a solution whereby the SDM could communicate with a z/OS based CICS as if the SDM were another CICS region.

IBM’s case is that the systematic collection by Winsopia of GTF, VTAM buffer and TCP/IP packet traces constituted reverse engineering of CICS transaction server for z/OS v5. Further, provision of the results of such traces to LzLabs was transfer outside enterprise, use outside enterprise and failure to prevent unauthorised use, in breach of the ICA.

The defendants’ case is that Winsopia’s analysis was necessary to understand the data format of messages sent between different CICS regions during CICS-to-CICS communications, so that it could understand the network communication protocol that the SDM would need to support in order to interoperate with CICS regions.

The issues in dispute are:

IBM’s case is that Winsopia’s analysis constituted reverse engineering of the CICS Transaction Server for z/OS v5, an ICA Program.

The defendants’ case is that Winsopia’s analysis concerned the private header fields used by CICS forming part of the packet structure of messages sent between CICS regions. The content of the messages can be distinguished from the format of the messages. The format is interface information and not an ICA Program.

I accept that Winsopia was not interested in the content of the messages but it did not confine its investigation to establishing the nature or function of the interface between CICS regions. The components examined, namely the byte streams disclosed in the VTAM buffer traces, had as the object of their analysis, the sequence of steps and rules by which CICS Transaction Server for z/OS v5 effected CICS-to-CICS communications. As such, it concerned an ICA Program.

Winsopia used the GTF facility to collect VTAM buffer traces that disclosed details of the data structures, message formats and the constants defined by CICS. As Mr Taylor agreed in cross-examination, the purpose of the buffer trace analysis was to identify the precise message formats and the constants that CICS defines for messages. This enabled Winsopia to ascertain the combination and sequence of instructions, and rules selected by the creators of the CICS-to-CICS communications. Mr Swanson and Mr Stephens agreed in their evidence that information within the private headers is not documented. This analysis amounted to reverse engineering of these component parts of CICS.

It is said by the defendants that the data formats, headers and protocols were simply interface information exchanged between two CICS regions for the purposes of communicating. That description does not accurately reflect the fact that the byte streams exposed by Winsopia identified the precise data structures, message formats and constants by which the CICS Transaction Server effected such communications.

It is common ground that Winsopia sent the buffer trace data to LzLabs for use in development of the SDM. Although some of the information was redacted, Mr Taylor accepted in cross-examination that the streams of bytes could be read by anyone who could read the EBCDIC format. Further, during his secondment from LzLabs to Winsopia, Mr Taylor had access to the traces on the mainframe without any redaction, which he used to develop code on the SDM:

“A. … I did not have unfettered access. There was security rules in place that would not allow me to do certain things, change certain datasets, for example. But to all intents and purposes, I could use the mainframe tools to carry out the testing in the area in which I was allowed to carry out testing it.

…

Q. But what you did have is the access that you needed to do whatever you wanted to do?

A. Yes, that is true.

Q. And you could see raw GTF traces, so no reductions, no legal input?

A. Correct.

…

Q. Another advantage is you were able to work on developing the SDM code simultaneously with your mainframe access, weren't you?

A. Yes I was.

Q. … and that allowed you to look at traces and make changes as a direct and immediate result of what you were seeing on the mainframe?

A. Yes it is.

Q. And to be clear, it wasn't just configuration files that you were tweaking on the SDM, you were making substantive changes to SDM source code while at Winsopia, weren't you?

A. Yes I was. ”

The defendants submit that Winsopia’s activities fell within Article 5(3) of the Software Directive. Winsopia was entitled to compile, load and run test programs on the mainframe, cause network transmissions to occur between two CICS regions it had set up and perform traces using the tools supplied by IBM, and storing, loading and displaying the results of those traces. I reject that argument. There is no suggestion that Winsopia used the tracing tools for the purpose they were designed, namely, debugging. The format, sequence and combination of hexadecimal code exposed by Winsopia enabled it to gain an understanding as to the detailed design choices used in the CICS Transaction Server to implement the CICS-to-CICS communications. That concerned expression of the program, rather than its functioning.

The Article 6 exception in the Software Directive is not applicable. Mr Taylor’s evidence was that LzLabs sought to develop LTE/LzOnline so that it would enable customer applications written for CICS to run on the SDM without the need for recompilation and to simulate the behaviour of a CICS region when it communicates with a mainframe CICS region. As Mr Stephens accepted in cross-examination, it was open to LzLabs to adopt a solution based on recompilation of customer applications. Therefore, Winsopia’s analysis was not necessary in order to achieve interoperability of the SDM with CICS.

In summary on this issue: