Security Experts:

Connect with us

Hi, what are you looking for?



Downfall of Software Startup Highlights Code Ownership Issues

Hitsniffer’s Downfall Highlights IP Problems over Code Ownership

Hitsniffer’s Downfall Highlights IP Problems over Code Ownership

Hitsniffer is a well-regarded web analytics app. Its WordPress plugin has had 141,166 downloads, including four today. But the Hitsniffer website has been shuttered, raising accusations of theft against ‘a programmer who had worked for the company since its inception.’ It is a case study on how to protect intellectual property — although in this instance it is not yet certain who actually owns what IP.

The Hitsniffer website  explains, “Hitsniffer was compromised by a programmer who had worked for the company since its inception. This programmer has stolen all databases. The customer database is now in his hands. You will probably have received an email from a company called Hitsteps, this company has no relationship with Hitsniffer, Hitsteps is now using our customer database to contact our customers. We have made allegations of theft and fraud regarding this matter and it is now being investigated by the Police…”

The programmer concerned, Armin Nikdel, has a completely different take on the situation, and has published a rebuttal on Facebook.

According to Nikdel, he developed the software and allowed a former friend to handle the business side of things. The relationship went bad with missed payments. “This situation continued for long and got worst and he missed my shares every months,” writes Nikdel. “I voiced out and told him he need to pay my shares in order to return back to our healthy and fair partnership, without hesitation, He refused to payback any of debts.”

Nikdel suggests that the real problems came when his friend attempted to move the system to a new server. The move failed, “as Hitsniffer is using many custom non-standard and purpose specific apps and it wouldn’t run without them.”

And that seems to be the current situation. Hitsniffer is down, its original developer is accused of theft, and the police are allegedly involved. The case, however, is a Pandora’s mare’s nest of intellectual property. 

There does not appear to be any current public accusation of theft of code by Hitsniffer against Armin Nikdel (Hitsteps). That would probably require a code-level comparison of the two apps. But at the moment it is an open question whether Hitsniffer or Nikdel actually owns that code. Resolution would depend on whether Nikdel was legally a Hitsniffer employee, or someone with a more casual relationship — and refusal to deliver revenue ‘shares’ (never mind a salary) could suggest no formal employee relationship.

Dr. Brian Bandey, Principal at Patronus PhD and a specialist in international intellectual property, explains some of the pitfalls. “So here’s the ‘big rub’ for companies that develop software,” he told SecurityWeek. “If they use a 3rd party non-employee, they won’t own the copyright work as author automatically. So what happens? Well, we get a number of legal tests. And a ton of uncertainty for all. The freelance (non-employee) programmer might (would probably) own the copyright work on trust for those who commissioned it – and could be compelled to sign a copyright assignment to vest the copyright formally (legally) in the party that commissioned it.” 

But they don’t always do that. “When conducting an IP Audit on large software houses,” he continued, “I have seen many instances where their pride and joy flagship software product is not owned by them per se. In a sense it is a honeycomb of ownership — them owning some and the rest of the copyright works (modules, routines) generated by 3rd parties not formally and completely vested in them.”

So for large companies it becomes essential that copyright ownership is legally settled. “They must have a written assignment of copyright in place that includes something called ‘future copyrights’ to ensure that they own the code they commission to be written.” The reason is obvious. “If I’m a software house, I build value by making intellectual property — property that I own and can sell, lease, license and mortgage. Fragmented copyright equals less value.”

In the Hitsniffer case, the issue seems to be less the code itself as the database of customers. It is similarly problematic (a problem that doesn’t exist if Armin Nikdel was legally employed by Hitsniffer). Nikdel is accused of stealing the database — but Hitsniffer doesn’t automatically own the data in the database unless it was a Hitsniffer employee that entered the data into the DBMS. But, warns Bandey, “There’s a world of pain available to those who take databases containing personal data (data that can identify living individuals) and use it or sell it in another trading situation.”

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Click to comment

Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


Artificial intelligence is competing in another endeavor once limited to humans — creating propaganda and disinformation.


Video games developer Riot Games says source code was stolen from its development environment in a ransomware attack


A digital ad fraud scheme dubbed "VastFlux" spoofed over 1,700 apps and peaked at 12 billion ad requests per day before being shut down.


A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...


Cybercriminals earned significantly less from ransomware attacks in 2022 compared to 2021 as victims are increasingly refusing to pay ransom demands.

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.