Sunday, January 11, 2015

Intellectual property at Work



When a creator crafts intellectual property right (IPR) material, such as a new idea for a widget X, the rights in it normally devolve on her. This also includes matters of trade secrets. However, there are a number of exceptions. One of these is if the inventive process occurs whilst in the employ of others. This is to stop a worker who, having been paid, used company resources and spent company time, then denies the company the benefit of that work. A case such as the US Supreme Court's CCNV v. Reid can be viewed as an aid in determining the test for whether the work was made in the course of employment.


An example of a contract term that explicitly waives such authorship rights would be:
"
An invention or discovery made by you will normally belong to you.  However, an invention or discovery made by you will become our property if it was made:-

a. in the course of your normal duties under such circumstances that an invention might reasonably be expected to result from those duties;

b. outside the course of your normal duties, but during duties specifically assigned to you, when an invention might reasonably be expected to result from these;
"


Note that IPR covers the ideas produced by people and not the people themselves. For instance, there have been attempts to prevent people from working for other companies in the same industry, so as to clamp down on potential IPR breaches. However, this has been curtailed severely: in the EU by right-to-work provisions and in the US by perceived restrictions on free trade. Thus, if the worker brings her own talent to a new job, that is acceptable; bringing code she worked on for the previous employer is not, as that would be considered a theft of IPR. Likewise, customer lists and contact details are items which cannot be used by the employee in a new job.


Another check on a broad application of this is how closely related the IPR is to the work. So while what an employee develops while working for a company belongs to the company, if it lies outside the remit of her day-to-day working milieu then a case could be argued that it belongs to the employee. For instance, the work Einstein crafted on relativity while at the Berne Patent Office, had he wished to apply IPR to it, would certainly fall within this.

Sunday, January 4, 2015

Third party doctrine and the expectation of privacy.


Information has always been of value. For instance, in Classical times Caesar's public letters were distributed to the public to glorify his campaigns, while his private correspondence on military plans was encrypted with the cipher that bears his name. What both have in common is that they needed to be handed over to another person for distribution: a third party.



When sending an electronic communication, the final act of the writer is to press the send button. Normally the message will appear almost instantly at the recipient's destination. Simple. Simple, that is, to the user, but the framework by which this occurs is complex. The message must be disassembled under known protocols, shunted between numerous servers and then re-assembled. This process involves various stakeholders who control the servers and email infrastructure: third parties into whose hands the message is entrusted. From a legal perspective, what are the levels of privacy involved?

In a letter, there is both the core message and the address. While the former has levels of legal protection, it is the address, which can be described as metadata, that has been held to be viewable by the state.
Two legal cases provide the groundwork for this in the US. In United States v. Miller (1976), during an accident response, untaxed excise material was discovered, which led to an unwarranted search of the defendant's bank records. On appeal it was held there was no "expectation of privacy", due to the commercial nature of these bank records, which had been created from a voluntary interaction in the normal course of business. This was affirmed later in the context of e-communications in Smith v. Maryland (1979). This revolved around crank phone calls and the police acting to record the defendant's dialed numbers. Again it was held that, as telephone communications are part of normal business practice, these were not private. Hence it appears that any such metadata handed over so as to transmit a message to another is covered by this.

Whether this ruling will remain in place, especially in light of the Snowden revelations of recent years, will be in focus in a number of cases. For instance, in the US, Klayman v. Obama seeks to distinguish Smith v. Maryland from the surveillance program on the key differentials of the technologies used and the bulk nature of the collection, which is now subject to various data mining techniques and processing power that were not available at the time of the initial rulings in the 1970s. Thus the upcoming judgment in this and other related cases will provide an interesting start to 2015.


See also:
Cellular Convergence and the Death of Privacy by Stephen B. Wicker
If the Supreme Court tackles the NSA in 2015, it’ll be one of these five cases - Ars Technica




Sunday, December 28, 2014

Non disclosure agreements (NDAs) for IT Projects.

An NDA can be defined, in one instance, as a contract where two parties agree to share information for a certain purpose while restricting access to that information by third parties. NDAs act as a means to ensure the IPR of a firm is protected.


This allows a client to secure any IPR and also prevent too much exposure, which could affect any future patent applications. It also acts to clarify who owns the copyright. Instances where NDAs should be considered are:
- where there is outsourcing for new blue-skies project work
- transfer of data into the cloud
- acting within an existing system to add additional services.
In the latter, all aspects of the ETL cycle would be under investigation, which involves the non-client party gaining considerable insight into the client's business. Hence some form of agreement is required.

What does the NDA cover? It should cover not only the code itself, but also the sources of the data as well as the transformed information. However, one area which can be negotiated is re-use of meta-material, the processes and scripts which were used during the project: i.e. whether this devolves entirely to the client or can be freely implemented in other projects.

Audits provide a means to ensure that NDA procedures are being adhered to. Elements of an audit might include investigation of specific documentation or visits by vetted client personnel to observe procedures. However, if the terms of the audit are too broad, so that the client oversees all elements of the other party's work, this would act as a delay on the project. Hence some measure of balance is required.

The issue of penalties should also be considered. These would come into effect if the terms were breached. It is not uncommon (as mentioned in Cloud Computing by Millard) for clients to seek unlimited liability for such breaches, which for the other party is very much a show-stopper. In passing, while there are elements of similarity, the NDA is not a non-compete agreement, the latter having to engage with elements of employment law.

Thus NDAs are at best a means to provide a support framework, so long as they do not devolve into a strait-jacket that sabotages the work of the parties.


Sunday, December 21, 2014

The Sony cyberattack and the Legal options, in war and peace.

There is a series of recent news reports indicating that the Sony corporation in the US has been subject to a cyberattack. The result was the compromise of the corporation's internal systems, with the disclosure of both intellectual property material and private personal data relating to employees, in the form of movie scripts and emails. As one motive for the attack was a Sony film which denigrated the North Korean regime, "The Interview", that regime is currently thought to be the prime suspect.


From a legal perspective, what actions can the various stakeholders pursue, in the context of how such international cyberattacks should be dealt with? These can be placed in the context of earlier such attacks and the framework subsequently created to pursue legal or other socio-political actions.

In 2007 the Baltic state of Estonia was targeted by a series of cyberattacks, mostly on public sites. As the attacks were believed to be related to moves by the Estonian government purported to be anti-Russian, that neighboring country was thought to be the main culprit. While this was never proved to be linked to the Russian government, traces of the cyberattack were connected to known pro-Russian sites. The actual damage was done by the targeting of infrastructure websites, incorporating defacement and DDoS, which essentially made them unusable. This was of major impact as Estonia had pursued a digitization of essential services, so the result was the seizing up of state utilities.

In the wake of this the Tallinn Manual was crafted as a rule book to meet future attacks. In parallel, as Estonia was a member of NATO, it was declared that any such cyberattack on a member state would be regarded as an attack on all. The response was to be proportionate, but kinetic weaponry was not specifically ruled out.


Thus the differences between this and the Sony attack are that a private company was subjected to the attack, and that the incident, while seemingly well planned, did not extend over the same length of time. So in light of this, what are the US government's options as per Tallinn Manual rule 11: "[a] cyber operation constitutes a use of force when its scale and effects are comparable to non-cyber operations rising to the level of a use of force"?


First, was this an act of armed conflict or war? While Sony is a private company, the militarization of North Korean society would imply that any such attack would have the backing of their armed forces. Given the economic damage caused by the attack (loss of confidence in Sony and its cancellation of the film "The Interview"), this breaches the prohibition on the use of force in Article 2(4) of the United Nations Charter.
Second, even if that were so, then unlike physical-world attacks, the identity of the perpetrators of cyberattacks might be cloaked and difficult to trace. For instance, the authors of the Stuxnet attack have never been definitively identified, only suggested.

So, to sum up the author Roscini, the response has to be proportionate to the damage. While the private nature of this attack precludes an armed state response, in different circumstances with different actors such a response can never be ruled out.





Further Reading
- Who controls the Internet by Tim Wu
- Cyber Operations and the Use of Force in International Law by Marco Roscini

Sunday, December 14, 2014

DDoS and the law.

A distributed denial of service (DDoS) is where a computer cannot function correctly due to an intentional act which incapacitates the channels (ports, in IT parlance) on which a computer depends to communicate with the outside world. The mens rea and the actus reus are thus summed up. The DDoS usually comprises a number of infected computers (a botnet) acting in concert against the target, thereby overwhelming any attempt to block individual IP addresses. A physical-world analogy would be if one could not leave one's house because someone was using a tennis ball machine to throw items at the doors and windows, trapping the occupant and not allowing anyone else to enter. This would be illegal in the analogue world, so how is it dealt with in the digital one, and why does it occur?


The good news is that a DDoS is unlikely to be targeted at single users. There are other, easier ways to target an individual, coupled with the fact that ordinary IT issues (mis-blocked ports, firewall settings etc.) are more likely to be the problem. However, to paraphrase the Sutton rule on illicit money, commercial enterprises are vulnerable to this type of attack. Not only is there a need under normal circumstances to be in operation 24/7; in seasonal sales periods such as Christmas there is additional pressure to respond to any outage. If a business is unable to respond to user requests, then that sales opportunity is likely gone. Thus, even if there is no associated damage or corruption, as could occur in a virus- or Trojan-based attack, loss of goodwill and customers would cripple a business. So what are the means to deal with this under law and enforcement?

The police have some measure of discretion in the enforcement of legal matters. There would be a difference between a minor matter affecting only one person and, at the other extreme, a serious issue affecting a group. However, while the police have become more tech-savvy, with an increasing online presence (Anderson's "The Internet Police"), due to the potentially global nature of any DDoS attack they are unlikely to be of immediate assistance during an attack. Thus an IT department which has planned and drilled for this outage is a key requirement for handling such attacks.

Once the immediate DDoS is over, what are the legal avenues to explore? In statute, due to the evolving nature of IT, the various acts which deal with computer crime are written as broadly as possible so as not to become obsolete, with the common law filling any lacunae. Thus, as the key effect of a DDoS is to deny the user proper use of his computer, a Criminal Damage Act, which covers actually impairing, threatening to impair, or controlling items so as to damage property, would be relevant. There might be more specific actions found in the UK's Computer Misuse Act under the sections mentioning degradation of the target's PC functionality. All of these come under the remit of the steps which are required to be taken under the Council of Europe's Cybercrime Convention. Thus section 5 provides a push to enact relevant laws which can deal with DDoS:
"
Each Party shall adopt such legislative and other measures as may be necessary to establish as criminal offenses under its domestic law, when committed intentionally, the serious hindering without right of the functioning of a computer system by inputting, transmitting, damaging, deleting, deteriorating, altering or suppressing computer data.
"

An example of a court case involving DDoS would be the UK's DPP v Lennon. Here the defendant was convicted for email-bombing (a type of DDoS attack) his former employer, blocking their IT system. Finally, the extortion element of such attacks could be followed up in any civil or criminal actions.



Sunday, December 7, 2014

A Saga of Copyright : Authors Guild, et al.v. Google.

A saga can commonly be held to be a long tale involving many parties interacting within a complex environment, seeking to overcome both their own flaws and outside forces. A classic example would be the Eddas of Iceland. While not as long-running or (as yet) as bloody, there is a similarity to the Icelandic sagas in the multitude of legal pleadings of the parties before a judge and the search for justice and fairness in the dispute which has embroiled Google Books, and which continues as per the latest in Authors Guild, et al. v. Google.

The background to this is that Google has positioned itself as the premier search engine company in the global economy (see "How Google Tests Software" by Whittaker for an interesting insight into how this is achieved). The mission of this company can be captured in a desire to make the world's information searchable. As a large part of this heritage of information exists outside the digital format, in paper-based books, in 2004 Google began to convert the physical to the binary by scanning in books. This, however, was done without the permission of the copyright owners (leaving aside books which were in the public domain or without known authors), and in 2005 the US-based Authors Guild brought a copyright infringement suit, with Google's defense being that of "fair use".

This term originates from the US case of Folsom v Marsh (1841), whose facts revolved around a book on one of the American rebel leaders, a George Washington, and whether sections of that book could properly be quoted. Four main elements for allowing such quotes were enumerated:
1- the purpose of such quotes and whether they were of a commercial nature
2- the original work and whether it was copyrighted
3- the percentage of the work quoted
4- how this might affect the commercial aspect of the work

The saga initially looked to have a fairly benign ending with an agreement between the parties, but this was rejected on the grounds of unfairness. The excellent IPKitten site has commented that whichever side is the victor, it will mark a key ruling on how "fair use" is to be viewed in terms of transforming (from physical to digital) copyrighted material.

In the European context, how the moral rights of the author might be affected, given the less than perfect technology that underlies scanning, could also be an issue. Either way, the Google Books saga, like any good saga, will likely continue to provide years more topics of interest.



Sunday, November 30, 2014

Online freedom of expression : human rights and exceptions.


There are numerous human rights conventions, both global and regional: for example the UN's Universal Declaration and the European Convention on Human Rights (UDHR and ECHR). The signatory parties are obliged to respect certain restrictions on the state's power to regulate certain aspects of their citizens' behaviour. The theorist Prof. Eric Posner suggested in his book "The Twilight of Human Rights Law" that authoritarian states sign up because it establishes a patina of respectability in the international community, while the more liberal states believe their own constitutional freedoms are equivalent to their convention obligations and regard it as a pro-forma exercise. As with any of the convention articles, there are very few absolute rights contained within. The signatory documents also contain numerous exceptions. For instance, the ECHR places express limitations in Articles 8-11.


Thus, concentrating on one of these rights: freedom of expression. This has been held to be a right that "constitutes one of the essential freedoms foundations of a democratic society" (Handyside v UK, 1976). One question, though, is how freedom of expression is regulated in an online environment from the perspective of authoritarian and liberal jurisdictions. In each case, other rights have been put forward as a reason to restrict it. For instance, according to Prof. Tim Wu in "Who controls the Internet", China justifies speech restrictions with a mixture of justifications drawn from the needs of state security and the argument that the social good requires a stable society, which is the basis of a functional economy. Whilst liberal nations may not stress the security aspect, they too base restrictions on the need for the greater social good. As Wu mentions, France expended considerable resources against Yahoo in the early days of the Internet to prevent Nazi-related material (illegal under French law) being sold in that country. At the Convention level, the main case on imposing limitations on expression is Gunduz, where a restriction on freedom of expression (for instance, in the case of incitement to hatred) was upheld, as the speech was deemed to be contrary to the societal good.

However, as authors such as Jacobs (author of the text "European Convention on Human Rights") mention, there are qualifiers. One is context, as per Jersild (if the speech were part of a media discussion), and another is if it were part of a political speech, as per Surek (albeit this was a split decision). These seem to suggest that limitation is possible in both circumstances, but the authorities would need to reach a fairly high bar to prove that this was the case.


Also, for ECHR rights in general, the restrictions must be ones authorised by the Convention and "shall not be applied for any purpose other than those for which they have been prescribed". The conclusion from Jacobs seems to be that the court would frown on all but the narrowest restrictions on rights, but this is very fact-specific, depending on the case. Hence there is a difficulty in establishing hard and fast rules.