CHAPTER 11

FUNDAMENTALS OF INTELLECTUAL PROPERTY LAW

William A. Zucker and Scott J. Nathan

11.1 INTRODUCTION

11.2 THE MOST FUNDAMENTAL BUSINESS TOOL FOR PROTECTION OF TECHNOLOGY IS THE CONTRACT

11.2.1 Prevention Begins at Home—Employee and Fiduciary Duties

11.2.2 Employment Contract, Manual, and Handbook

11.2.3 Technology Rights and Access in Contracts with Vendors and Users

11.3 PROPRIETARY RIGHTS AND TRADE SECRETS

11.3.1 Remedies for Trade Secret Misappropriation

11.3.2 Vigilance Is a Best Practice

11.4 COPYRIGHT LAW AND SOFTWARE

11.4.1 Works for Hire and Copyright Ownership

11.4.2 Copyright Rights Adhere from the Creation of the Work

11.4.3 First Sale Limitation

11.4.4 Fair Use Exception

11.4.5 Formulas Cannot be Copyrighted

11.4.6 Copyright Does Not Protect the “Look and Feel” for Software Products

11.4.7 Reverse Engineering as a Copyright Exception

11.4.8 Interfaces

11.4.9 Transformative Uses

11.4.10 Derivative Works

11.4.11 Semiconductor Chip Protection Act of 1984

11.4.12 Direct, Contributory, or Vicarious Infringement

11.4.13 Civil and Criminal Remedies

11.5 DIGITAL MILLENNIUM COPYRIGHT ACT

11.6 CIRCUMVENTING TECHNOLOGY MEASURES

11.6.1 Exceptions to the Prohibitions on Technology Circumvention

11.7 PATENT PROTECTION

11.7.1 Patent Protection Requires Disclosure

11.7.2 Patent Protection in Other Jurisdictions

11.7.3 Patent Infringement

11.8 PIRACY AND OTHER INTRUSIONS

11.8.1 Marketplace

11.8.2 Database Protection

11.8.3 Applications of Transformative and Fair Use

11.8.4 Internet Hosting and File Distribution

11.8.5 Web Crawlers and Fair Use

11.8.6 HyperLinking

11.8.7 File Sharing

11.9 OTHER TOOLS TO PREVENT UNAUTHORIZED INTRUSIONS

11.9.1 Trespass

11.9.2 Terms of Use

11.9.3 Computer Fraud and Abuse Act

11.9.4 Electronic Communications and Privacy

11.9.5 Stored Communications Act

11.10 OPEN SOURCE

11.10.1 Open Source Licenses

11.10.2 GPL

11.10.3 Other Open Source Licenses

11.10.4 Business Policies with Respect to Open Source Licenses

11.11 APPLICATION INTERNATIONALLY

11.11.1 Agreement on Trade-Related Aspects of Intellectual Property Rights

11.11.2 TRIPS and Trade Secrets

11.11.3 TRIPS and Copyright

11.11.4 TRIPS and Patents

11.11.5 TRIPS and Anticompetitive Restrictions

11.11.6 Remedies and Enforcement Mechanisms

11.12 CONCLUDING REMARKS

11.13 FURTHER READING

11.14 NOTES

11.1 INTRODUCTION.

This chapter is not for lawyers or law students. Rather, it is written for computer professionals who might find it useful to understand how their concerns at work fit into a legal framework, and how that framework shapes strategies that they might employ in their work. It is not intended to be definitive but to help readers spot issues when they arise and to impart an understanding that is the first part of a fully integrated computer security program.

The word “cyberlaw” is really a misnomer. Cyberlaw is a compendium of traditional law that has been updated and applied to new technologies. When gaps have developed or traditional law is inadequate, particular statutes have been enacted. It is a little like the old story of the three blind men and the elephant: One of the blind men touching the elephant's leg believes he is touching a tree; the other touching its ear believes it is a wing, and the third, touching the tail, thinks it is a snake. Issues of cyberspace, electronic data, networks, global transmissions, and positioning have neither simple unitary solutions nor a simple body of law to consult.

In thinking about the application of law to computer security, it is helpful to think about the problems as issues in which the computer is

1. The target of the activity
2. The tool used for the activity
3. Incidental to the activity itself

For example, “hacking” into a computer can be analogized to the tort¹ of trespass (i.e., entering the property of another without permission), and “cracking” can be viewed as conversion of someone else's property. Similarly, using the computer to make illegal copies is a violation of copyright law in its most basis sense. Although trademark law has very little to do with computers, using trade names as part of keywords for search engines, or domain names to misdirect Internet traffic to a competitive Web site can be a violation of a trademark. While touching on some of the more traditional tort remedies, this chapter focuses on the property rights being invaded by such activities and the remedies that exist in the context of a business operation.

Recognizing that the body of law which touches on these problems is as global as the Internet itself, this chapter is intended to help readers actually see the elephant in the room. In selecting what legal issues to highlight, we have tried to consider the routine needs of the computer professional. We have focused largely on the law of the United States, recognizing that these problems and subject matters often transcend national boundaries. There is a very simple reason for this. Most often, the impact of the computer security attack, denial of service, decryption, or theft of computer materials will have occurred here, or have a direct impact here, no matter where it originates. Imagine for a second a gunman—standing in Canada—who takes aim at someone in the United States, pulls the trigger, and hits his target. Since there is purposeful conduct aimed at this country, in the ordinary instance the U.S. judiciary will not only assert jurisdiction over the gunman but also apply its laws. There may be other problems, such as actually catching the gunman, but the example underlines the importance of the law of the United States for entities located here. For orientation purposes, we have also included a section at the end of this chapter that discusses some international issues.

One other introductory note. We use the phrase “security program” in this chapter with some frequency. Understanding that this phrase can mean one thing to a lawyer or risk manager and another thing to a computer security professional, we intend it as a shorthand reference to the generic and systemic effort to secure information stored on computers and not solely to the applications that may be employed as part of that effort.

11.2 THE MOST FUNDAMENTAL BUSINESS TOOL FOR PROTECTION OF TECHNOLOGY IS THE CONTRACT.

The computer security professional's job is to understand, anticipate, and then worry about risk: risks that are beyond control and risks that can be controlled. The most fundamental tool for controlling risk, whether predictable or unforeseeable, is the contract. Unlike other forms of risk control, a contract need not be static; it can be adaptable. We can limit use; we can limit distribution; we can impose conditions and confidentiality; we can specify rights as well as provide for certain remedies through contract. Contracts actually can take many forms: the traditional signed agreement; an e-mail exchange; Web site or product terms of use; employment agreements; workplace manuals and policies; and so-called shrink-wrap or click-wrap agreements. We sell or license products. Where we can contract, we can also define and limit risk.

11.2.1 Prevention Begins at Home—Employee and Fiduciary Duties.

There is an old hoary concept in the law that employees owe to their employers the fiduciary duty of utmost loyalty. The scope and extent of that fiduciary duty is a matter of common law that varies in each state. Generally, employees' fiduciary duty prohibits them from using any property that belongs to the employer in competition with the employer or for personal gain. Employees, however, are entitled to retain and use for whatever purpose their own skill and knowledge, which arguably could include contacts that they develop over the course of their employment unless those contacts are trade secrets. What comes or does not come within the ambit of fiduciary duty has spawned endless arguments and lawsuits. There is a simple remedy to this problem: the contract that covers technology issues and ownership as well as it covers pay and other benefits.

11.2.2 Employment Contract, Manual, and Handbook.

Whatever policy the security professional develops should be implemented through the organization's employment contract, manual, and handbook. Many contractual provisions can be applied, such as: nondisclosure agreements; definition of proprietary policy; restrictive covenants; concessions of ownership regarding discoveries, know-how, improvements, inventions, and the like during the term of employment; e-mail policies; terms of use regarding computer systems; and statements of authorized and unauthorized activity. The point is that employment contracts and handbooks should be the starting point for computer security.

11.2.3 Technology Rights and Access in Contracts with Vendors and Users.

Security protection necessarily includes vigilance about all contracts and licenses with vendors and users. This may not be sexy, but it is blocking and tackling. Vendors can be subject to many of the same limitations and nondisclosure agreements as employees. Rights of access to intranets and data should be controlled and privileges specified. Careful consideration should be given to what rights a user will have, the rules surrounding user access, and enforcement of those rules. Is this a sale or a license? There are many virtues to controlling technology through licenses (as opposed to sales), including imposing limits on rights of use, and specifying remedies for breaches of the license, or for unauthorized activity that involves the licensed product.

“Shrink-wrap” or “click-wrap” licenses have become common parlance. They are now accepted tools for licensing and controlling software distribution so long as: (a) they are business to business and thus between parties of roughly equal bargaining position; (b) their terms for other users or consumers are not unconscionable; and (c) they do not violate public policy. Concerns over whether contractual terms are unconscionable or the contracts are ones of adhesion arise because the licenses are not products of negotiation but of fiat, which users accept when they open the “shrink-wrapped” package or through an online click. These concerns have been addressed through requirements that users have been provided with adequate notice of the terms, an opportunity to reject, and conduct that sufficiently manifests consent. For shrink-wrap agreements, the opening of the product, its installation, and retention have been deemed sufficient acts to show consent to the terms of the license, noting that if the consumer does not wish to consent, the product could be returned.² Thus it is not necessary for the prospective user to be aware of all of the terms of a license before purchase if the remedy includes return after purchase. The license can impose restrictions on use, limit the number of machines on which the product can be installed, copying, and even available remedies.³

The issues of notice, actual or constructive, an opportunity to accept or reject, and manifestation of consent have led to general acceptance of online agreements such as the presentation of licensing terms followed by an active need to check, accept, or reject by clicking on the appropriate box.⁴ The same analysis applies to terms of use especially for intranet or network use.⁵ In Register.com v. Verio, Inc.,⁶ downloading data from a WHOIS database, having knowledge of the terms of use, was acceptance of those terms even if there was no click-through. These examples show that terms of use, properly positioned, can be binding on the user.

An active security program begins with a review of the contracts, licenses, and terms of use in all relationships with your organization. Just because a contractual arrangement has not existed does not mean that you cannot create one through proper notice of the terms of the contract and conduct that shows assent to those terms. Such contracts are the security professional's first line of defense. They give you the ability to limit risk with an organization's employees, contractors, vendors, and affiliates. With that in mind, this chapter addresses issues that arise largely outside of the terms of contractual protections and also suggests additional potential self-help remedies.

11.3 PROPRIETARY RIGHTS AND TRADE SECRETS.

For many years, unless an idea was patentable, the primary protection for internal business data, confidential or proprietary information, and computer code was through the common law doctrine of trade secrets.⁷ Generally, a trade secret might be considered any internal, nonpublished manufacturing know-how, drawings, formulas, or sales information used in a trade or business that has commercial applicability and that provides a business with some strategic advantage.⁸ Such information, so long as it was (a) not published or disseminated to others who were not obligated to maintain its confidentiality,⁹ and (b) maintained in confidence with the protecting organization, could be protected as a trade secret.

The law of trade secret thus recognized a business's ownership or proprietary interest in such information, data, or processes. There are, however, important practical limitations on the application of trade secret protection. First and foremost, for any product sold in the market, the law does not protect against a competitor seeing the product and then using it to figure out how to manufacture like or similar items. Competitors are therefore free to “reverse engineer” a product so long as the reverse engineering is done wholly independently.

The second caveat is that an organization has to prove not only that the information qualifies for trade secret protection, but also that it protected the secrecy of the information as required by the law of the applicable jurisdiction. This means that ownership will be a matter not of record but of case-by-case proof, making enforcement of trade secret protection time consuming and expensive. Generally, the required proof consists of a showing that there was an active security program in place that was sufficient to protect the information as confidential. Various programs may be deemed adequate, depending on the circumstances, but usually such programs have five principles in common:

1. An inventory of trade secret information that is periodically updated
2. A security program to protect the technology at issue, often on a need-to-know basis with clear marking of information as “confidential, access restricted”
3. A written description of the security program that is provided to all employees
4. An enforcement officer or oversight procedure
5. An enforcement program, including litigation, if necessary, to enjoin unauthorized access or distribution

In the field of computing, these principles often mean that source code or other readable formats should be secured in a locked file and marked “confidential.” All representations of the code as stored on magnetic or other media should be marked “confidential” and secured. Computerized information should be password protected with restrictions on circulation of the password and periodic password changes. A notice of confidentiality should be displayed as soon as access to the program is obtained, with appropriate warnings on limitation of use. Levels of access should be controlled so that privileges to copy, read, and write are appropriately restricted. Surveillance of entries and logon should be routinely conducted to verify that there has been no unauthorized entry. Finally, periodic audits should be conducted to test and substantiate the security procedures.

For many years, each state developed its own brand of trade secret protection through evolving judicial decisions that establish something in this country called the common law, as distinguished from legislative enactments of a statute addressing the same issue. In 1985 the Uniform Trade Secrets Act (UTSA) was promulgated by the National Conference of Commissioners on Uniform State Laws, with one of its purposes to make uniform the rights and remedies available to a holder of a trade secret. This model law, however, needed to be adopted by each state before it became the law of the state. As of this writing, it has been adopted to some degree in 46 states with the exception of Massachusetts, New Jersey, New York, and Texas.

The UTSA defines a trade secret as information, including a formula, pattern, compilation, program device, method, technique, or process, that: (i) derives independent economic value, actual or potential, from not being generally known to, and not being readily ascertainable by proper means by, other persons who can obtain economic value from its disclosure or use; and (ii) is the subject of efforts that are reasonable under the circumstances to maintain its secrecy. It also defines the unlawful taking of a trade secret, or misappropriation, as the wrongful use of a trade secret, including (i) knowingly acquiring the secret through improper means or (ii) disclosing the secret without consent.

11.3.1 Remedies for Trade Secret Misappropriation.

Misappropriation of a trade secret is the unauthorized use or disclosure of the trade secret. In simple parlance, it is a taking or theft. The taking can be by one who owes a fiduciary duty of confidentiality such as an employee; it can be in breach of an agreement of confidentiality; or the taking can occur through improper access or means. The misappropriation can be treated under common law as the tort of conversion, trespass, unfair competition, or interference with contractual relations. As discussed, there are now specific statutory provisions under the UTSA for trade secret misappropriation. The UTSA grants the wronged party certain remedies that include enjoining the use of the misappropriated property, damages, and attorney's fees. When the misappropriation is of a physical item, such as a disk drive, the owner may ask the court to order seizure and return of its property.¹⁰ In addition, where the misappropriation also violates other laws protecting intellectual property, such as where the taking infringes a copyright, the property owner may be entitled to additional relief.

Exactly what remedies are available will vary among the states. Interestingly, the very uniformity that the UTSA was intended to create has led to different treatment of available claims and remedies. For example, before the UTSA, an employee's theft of the employer's confidential customer lists triggered a common law claim for breach of the implied fiduciary obligation owed by an employee to the employer as well as a claim for misappropriation of trade secrets. The UTSA provides that its remedies preempt other common law remedies; in other words, a claim under the UTSA trumps the claim for breach of fiduciary duty as well as the claim for misappropriation of trade secrets. There is a split in the courts whether the UTSA replaces only common law causes of action for misappropriation of trade secrets or extends to any tortious claims for relief that arise out of the misappropriation no matter how stated. The broader reach of the UTSA appears to be favored by the growing majority of courts that have considered this issue to date. The takeaway from this uncertainty is that computer security professionals should protect trade secrets, confidential information, and other valuable data through contractual terms with, among others, employees, vendors, and users to minimize the reliance on the UTSA.

In the event of a misappropriation, in addition to civil remedies, often separate state statutes treat the taking as a theft and a criminal act. Such statutes are generally state specific. Prior to 1996, the Trade Secrets Act (TSA) was the only federal statute prohibiting trade secret misappropriation. The TSA, however, was of limited utility because it did not apply to private sector employees and provided only limited criminal sanctions.¹¹ To combat an increase in computer crimes, Congress enacted the Economic Espionage Act of 1996 (EEA), which provided greater protection for the proprietary and economic information of both corporate and governmental entities against foreign and domestic theft.¹²

The EEA criminalizes two principal categories of corporate espionage: economic espionage and theft of trade secrets.¹³ Section 1831 punishes those who steal trade secrets “to benefit a foreign government, foreign instrumentality, or foreign agent.” Section 1832 is the general criminal trade secret provision.¹⁴ The EEA criminalizes stealing, concealing, destruction, sketching, copying, transmitting, or receiving trade secrets without authorization, or with knowledge that the trade secrets have been misappropriated. It also criminalizes attempting to and conspiring to do any of these acts.¹⁵ The EEA penalizes parties responsible for a taking that is intended to benefit a foreign government with fines up to $250,000 and imprisonment up to 10 years.¹⁶

The EEA explicitly defines a trade secret to include information stored in electronic media and includes “programs or codes, whether tangible or intangible” so long as:

Although one might assume that this definition is relatively straightforward, not everything is as it appears. In a case of domestic trade secret theft, the Court of Appeals for the Seventh Circuit examined what the EEA means when it says that the data or material “derives independent economic value, actual or potential, from not being generally known to, and not being readily ascertainable through proper means by, the public.”¹⁸ Noting that others had assumed that the word “public” meant the general public, the court in Lange astutely observed that this was not, in fact, the case. Moreover, the standard for measuring the persons who might readily ascertain the economic value of (in this case) the design and composition of airplane brake assemblies is not the average person in the street, for this assumes (as the court mentions) that any person can understand and apply something as arcane as Avogadro's number. Instead, the definition of the term “the public” should take into account the segment of the population that would be interested in and understand the nature of that which has allegedly been misappropriated.

The international reach of the act is limited, extending outside of the United States only if: “(1) the offender is a natural person who is a citizen or permanent resident alien of the United States, or an organization organized under the laws of the United States or a State or political subdivision…or (2) an act in furtherance of the offense was committed in the United States.”¹⁹ Few defendants have been charged under the act since its passage in 1996, so the precise reach has yet to be tested. However, the language of the EEA applies its provisions to corporations with headquarters or operations subject to U.S. jurisdiction that could be prosecuted under the act. Finally, the remedies under the EEA can be invoked only by the United States. There is no private right of action under the act.

11.3.2 Vigilance Is a Best Practice.

The key points of practice to remember are: Security and trade secret law are forever linked together. A trade secret cannot exist without such security. The maxim “Eternal vigilance is the price of liberty,” often attributed to Thomas Jefferson, should in the context of business information protection be restated as “Eternal vigilance is the price of trade secret protection.” It is not as catchy a phrase, but it is the price each business must pay if it relies in whole or in part on trade secret law for protection. In such situations, the greatest assurance of protection can be obtained through rigorous contractual terms and strenuous enforcement.

11.4 COPYRIGHT LAW AND SOFTWARE.

Because of anxiety over the true extent of protection afforded software under patent and copyright law, software programs initially were protected as trade secrets. Such protection became increasingly problematic in today's society, where information technology and pressure for the free flow of information makes confidentiality controls more difficult to police. Copyright law now has evolved to include computer programs.

Since 1964, the United States Copyright Office has permitted registration of computer programs, although judicial decisions were divided on the applicability of the Copyright Act. In 1976, Congress passed the Copyright Act of 1976, which did little to resolve the ambiguity. Clarification finally was obtained in the Computer Software Copyright Act of 1980, which explicitly extended the protection of the copyright laws to software.²⁰ Any type of work that can be fixed in any tangible medium can be protected by copyright as literary works based on the authorship of the source and object code²¹ even if the work can only be machine reproduced.

Copyright protection, however, does not protect “ideas.”²² Rather, it protects the particular expression of the idea. As can be seen by the parallel proliferation of spreadsheet programs, the idea for the spreadsheet program cannot be protected, but the particular code that produces the spreadsheet can be. In order to qualify for copyright protection, the work must be (a) original, (b) fixed in a tangible medium, and (c) not just the embodiment of an idea. Once obtained, copyright protection grants to the copyright owner the exclusive right to reproduce, to publish, to prepare derivative works, to distribute, to display, and to perform the copyrighted work. In 1990, Congress passed the Computer Software Rental Amendments Act,²³ which added to the list of copyright infringements the distribution of a computer program for commercial advantage. Materials copyrighted after 1978 are protected for the lesser of 75 years from the date of first publication or 100 years from the date of creation.

11.4.1 Works for Hire and Copyright Ownership.

The copyright for a work does not always belong to the person who creates it. The most frequent exceptions are works that fall under the concept of a “work for hire.” A work for hire is not owned by the creator but by the persons who hired the creator to create the work. Most often the concept applies to employees who have created a work within the scope of their employment. The key concept is the scope of employment. Even though a work is created outside of the office and normal working hours, it still will be a work for hire if it is within the scope of employment. However, a work that falls outside the scope of employment and that is created outside the office is likely not to be deemed a work for hire. Because of such issues, it is better practice when dealing with employees or independent contractors to provide specificity in an agreement as to what is a work and when the creation of a work will be governed by the doctrine of work for hire.

11.4.2 Copyright Rights Adhere from the Creation of the Work.

Everyone who has looked at a copyrighted work is probably familiar with the symbol © affixed to any published copyrighted work, together with the name of the copyright holder and the year of creation or publication of the work. For many years, such notice was a fortiori necessary for copyright protection. Today, however, the copyright arises from the creation of a copyrighted work itself. It is still good practice to advise the world of potential infringement by inserting the formalities of a copyright on the work itself. In addition, one should register the work in the United States Copyright Office, which is currently developing a process for online registration. Registration of the copyright also permits one to claim statutory damages ranging from $500 to $20,000 for each violation, which often is useful to prevent additional infringements when no actual damages can be demonstrated. Moreover, in some jurisdictions, it may be necessary to register the copyright with the copyright office before one can actually sue to protect the copyright.

The change in copyright protection has interesting applications when applied to electronic works. The creation of the work in some permanent form is sufficient to trigger copyright protection. Thus, the creation of an electronic copy is sufficient permanency. What that means is that any electronic data are already conceivably subject to copyright protection at the time that they are viewed or received. Thus in using any such information or “work,” care must be taken that one does not infringe on a potential copyright without a license.

11.4.3 First Sale Limitation.

The holder of the copyright has the right to sell or license the work. If the work is sold, the holder essentially loses all rights to control the resale of the work. This is known as the first sale doctrine. Once the item is placed in commerce, subsequent transfers cannot be restricted. The doctrine applies only to the copy that has actually been sold. It does not create a license to copy the item itself.

To avoid what sometimes can be a problem if the program winds up in the hands of a competitor, companies often prefer to license the item instead of selling it outright. If the work is licensed, only those rights that are contained in the license are transferred. All other rights of ownership remain with the licensor. Thus a breach of the license gives the licensor of the copyrighted work the right to reclaim the work or prevent its further use or publication. However, if the license has all the basic indicia of a sale, it will be treated as one, notwithstanding the label.

One interesting intersection of these two principles is the requirement when upgrading software that the old version be present. As a condition of making the upgrade available at a reduced rate, the seller normally requires that the older version be authenticated before the newer version can be installed. Such requirements are legal, as the owner of the earlier version could choose to sell it, but then would have to pay a higher price for the newer version and work to restrain subsequent sales of software from a user who expects to upgrade in the future.

11.4.4 Fair Use Exception.

All copyright protection is subject to the doctrine of fair use.²⁴ Fair use permits the use of a work without authorization for a limited purpose. But what use constitutes fair use? The Copyright Act of 1976 suggested four, nonexclusive factors, for a court to consider:

1. What is the purpose and character of the use?
2. What is the nature of the copyrighted work?
3. How much of the copyrighted work is used?
4. What is the effect on the potential market for the work?

Despite its codification in the Copyright Act of 1976, fair use remains a nebulous doctrine—an equitable rule of reason, with each case to be decided on its own facts.²⁵ It is often misquoted and misapplied. The essential concept behind the doctrine of fair use is to permit public discussion, review, and debate of a copyrighted work without violating the copyright. Thus, the Copyright Act of 1976 gives as examples of fair use, situations of “criticism, comment, news reporting, teaching (including multiple copies for classroom use) scholarship or research.”

Fair use is not an antidote for failing to license a work. It should be invoked with care—understanding that the more material that is used and the more commercial the purpose, the less likely a court will find it applicable. Indeed, sometimes the only way to harmonize cases on whether a use is a fair use is to decide whether the court ultimately viewed the user as a “good” or “bad” guy.

11.4.5 Formulas Cannot be Copyrighted.

There are limitations on what expressions can be protected by copyright law. A frequent source of argument is whether, since one cannot protect the idea, the expression is directly driven by its content (i.e., the expression is simply a function of the idea). For that reason, formulas cannot be copyrighted.²⁶ This means that when formulas are part of a computer program, other modes of defense need to be considered, such as trade secret or possibly patent protection. If one were to disclose the formula through copyright publication, one would lose the ability to protect that information.

11.4.6 Copyright Does Not Protect the “Look and Feel” for Software Products.

Copyright protection ordinarily extends to the physical manifestation of the computer program in the source code and object code. The operation of that code, as it translates to what the human mind perceives, has been described as the “look and feel” of the program. In attempting to quantify the concept of “look and feel,” courts have considered whether the organization, structure, and sequence of the program can be protected. In the United States, Whelan Associates, Inc. v. Jaslow Dental Lab., Inc.,²⁷ gave the greatest extension to protecting “look and feel.” In that case, none of the code had been copied and the program operated on a different platform. Nonetheless, copyright infringement was found because the organization, structure, and sequence of the program had been copied. The court recognized that the structure and logic of the program are the most difficult to create and that the idea could be protected as it was embodied in the program structure since, given the variety that was possible, the structure was not necessarily just an extension of the idea. Since Whelan, courts in the United States have retreated from such broad protection. In 1992, Computer Associates, Inc. v. Altai, Inc.²⁸ developed the so-called abstraction-filtration test. The results of that test define as unprotectable: (a) program structures that are dictated by operating efficiency or functional demands of the program and therefore deemed part of the idea and (b) all tools and subroutines that may be deemed included in the public domain. Only what remains is to be compared for possible copyright infringement.

While protection of “look and feel” may vary among the different federal circuits, in general, the courts are swinging away from broader protection. However, this may not necessarily be true internationally; English law appears to grant the broader protections afforded by the Whelan decision.

11.4.7 Reverse Engineering as a Copyright Exception.

Within the field of computer software, cases have considered whether “dissection” in order to reverse engineer the program is a violation of the copyright. To those involved in protecting software programs, the answer appears to be that reverse engineering does not constitute an infringement, even though the disassembly of the program falls squarely within the category of acts prohibited by the Copyright Act because of the doctrine of fair use. The Ninth Circuit in Sega Enterprises Ltd. V. Accolade, Inc.²⁹ found as a matter of law that:

The Ninth Circuit is not the only circuit that has upheld reverse engineering against a copyright claim. The Federal Circuit reached a similar conclusion regarding reverse engineering of object code to discern the “ideas” behind the program in Atari Games Corp. v. Nintendo of America, Inc.³¹ The fair use rationale of Sega was also adopted by the Eleventh Circuit in Bateman v. Mnemonics, Inc.³² on the grounds that it advanced the sciences. In addition, in Assessment Techs. of WI, LLC, v. WIREData, Inc., the Seventh Circuit relied on Sega and determined that WIREData, Inc. could extract uncopyrighted data from a copyrighted computer program, noting that the purpose of the extraction was to get the raw data, not compete with Assessment Technologies by selling copies of the program itself.³³ In Evolution, Inc. v. SunTrust Bank, the Tenth Circuit relied on both Sega and WIREData when it allowed the defendant to copy part of plaintiff's source code to extract uncopyrighted data from plaintiff's copyrighted computer program.³⁴ Thus, unless careful thought is given to the application of copyright protection, merely copyrighting the software will not necessarily protect against imitation.

11.4.8 Interfaces.

There is an open issue as to whether copyright protects the format for interfacing between application and data. Competitors, particularly in the area of gaming, look to reverse engineer the interface format to make new modules compatible with existing hardware. Such reverse engineering has been held not to violate the copyright laws, so long as the new product does not display copyrighted images or other copyrightable expressions.³⁵ Thus, the nonprotectable interface may be protected if such copyrighted images or expressions are embedded in the display.

11.4.9 Transformative Uses.

One of the factors that the doctrine of fair use considers is the “amount and substantiality of the portion used in relation to the copyrighted work as a whole.”³⁶ In practical terms, this means that courts look at how much was taken and for what purpose. One could take a little but still take the essence of the program. One could also take a little that did not attempt to duplicate but rather used the copyrighted material as a springboard for a new creation. Out of this qualitative and quantitative investigation comes the notion of transformative use, which became the coin of analysis in the Supreme Court's 1994 decision in Campbell v. Acuff-Rose Music, Inc.³⁷ Campbell addressed the concept in terms of a claim of copyright infringement involving a rap parody of a popular song. There, taking its clues from the opening language of Section 107 codifying fair use, the Supreme Court asked whether the “new” work “adds something new, with a further purpose or different character, altering the first with new expression, meaning or message; it asks, in other words, whether and to what extent the new work is transformative.”³⁸ The Court then laid down the test to be applied.

Thus, a transformative use may play off of a prior copyright and still not be deemed an infringement so long as the resulting new work is just that—new.

11.4.10 Derivative Works.

Under Section 106 (2) of the Copyright Act of 1976, the copyright owner has the exclusive right “to prepare derivative works based upon the copyrighted work.” The act defines a “derivative work” as:

A derivative work is thus defined as an original work that is independently copy-rightable. To infringe the exclusive right to prepare a derivative work granted by the Copyright Act to the copyright owner, the infringer need not actually have copied the original work or even have fixed in a tangible medium of expression the allegedly infringing work.⁴⁰ The right, therefore, to create the derivative work can be a useful tool in counterbalancing attempts to pirate computer programs and the issue of fair use.

The Copyright Act creates an exemption for a lawful owner of a purchased license for a computer program to adapt the copyrighted program if the actual adaptation “is created as an essential step in the utilization of the computer program in conjunction with a machine and it is used in no other manner.”⁴¹ The adaptation cannot be transferred to a third party. The right to adapt is, in essence, the right to modify or, in the language of the act, to create a derivative work. Such changes can be made even without the consent of the software owner so long as such modifications are used only internally and are necessary to the continuing use of the software.⁴²

11.4.11 Semiconductor Chip Protection Act of 1984.

The Semiconductor Chip Protection Act of 1984 (SCPA) protects as part of the Copyright Act “mask works fixed in a semiconductor product.”⁴³ The SCPA protects not the product itself but the copying of the circuit design or blueprint. Because of reverse engineering, the protections afforded by SCPA are limited in practice.

11.4.12 Direct, Contributory, or Vicarious Infringement.

Copyright infringement generally requires a showing of substantial similarity between allegedly offending use and the protected expression contained in a work. Infringement can occur through the simple act of printing (without permission), by posting on the Web or other form of unauthorized distribution, by creating a derivative work, or by another act that interferes with the copyright holder's rights.

A copyright can be infringed directly, contributorially, or vicariously. Direct infringement is the term ascribed to the actor who violates the copyright. Contributory infringement involves knowingly providing the means for the violation to occur. Liability for contributory infringement may be predicated on actively encouraging (or inducing) infringement through specific acts, or on distributing a product that distributees use to infringe copyrights, if the product is not capable of “substantial” or “commercially significant” noninfringing uses.⁴⁴ But secondary liability for copyright infringement does not exist in the absence of direct infringement by a third party. Vicarious infringement occurs when one is responsible for or controls the actions of another who violates the infringement. The usual situation is that of an employer's responsibility for the acts of an employee.

Not all situations admit themselves of simple answers, as when a person commits direct infringement by actually photocopying a work. New technologies constantly pose issues as to whether infringement has occurred and whether the infringement violates the public interest. In general, when faced with an issue of potential copyright infringement, the questions to ask are:

• Can the product or service be used to infringe a copyright, or is the product capable of substantial noninfringing uses?
• If so, did the owner of the product or service encourage the user to use it for infringement?
• Alternatively, did the owner of the product or service have knowledge of the specific infringing use and have the ability to prevent it?

Today, we take Internet Service Providers (ISPs) for granted. But application of these questions initially led courts to conclude that ISPs were liable for contributory infringement. For example, a Web site that encouraged and facilitated the uploading of copyrighted materials was found to be a direct infringer of the copyright of the owner even though the provider did not actually do the uploading.⁴⁵ Similarly, an ISP that was notified of a copyright violation that was posted on its server and failed to correct it could be found to have contributory liability for the infringement.⁴⁶ In its wisdom, however, Congress in the Digital Millennium Copyright Act (DMCA) created a safe harbor for Internet service providers so that, as a matter of public policy, an ISP does not have to monitor each and every transmission for potential copyright infringement.

11.4.13 Civil and Criminal Remedies.

The Copyright Act contains several sections that specifically address the penalties and remedies for infringement. They include injunctive relief (i.e., a court order terminating the infringing conduct),⁴⁷ impounding and disposing of infringing articles,⁴⁸ damages,⁴⁹ litigation costs and attorneys' fees,⁵⁰ and criminal penalties.⁵¹ Although this chapter cannot address all of the permutations of remedies and penalties available, a few are worth mentioning.

Generically, a copyright owner must choose between its actual losses (i.e., what it actually lost and any profits realized by the infringer) and statutory damages.⁵² Actual damages imply economic losses actually suffered as a result of the infringement. The kinds of actual damages that have been awarded include development costs of the software,⁵³ the economic consequences of lost customers,⁵⁴ lost future sales,⁵⁵ the value of the infringer's licensing fees where the licensor is precluded from market sales,⁵⁶ lost market value of the material infringed,⁵⁷ and lost royalty payments.⁵⁸ An award of actual damages is not automatic; the license holder has the burden of proving that the infringing activity and the economic loss are causally connected, at which point the infringing party must show that the license holder would have incurred the loss anyway.⁵⁹

A copyright owner may elect to receive statutory damages rather than actual damages and the infringer's profits.⁶⁰ Making the election is mandatory, and it must be done before final judgment is entered. Once the election is made, it is final. The statutory damages generally range from $500 to $20,000 “for all infringements involved in the action, with respect to any one work, for which any two or more infringers are liable jointly and severally For purposes of this section, all the parts of a compilation or derivative work constitute one work.”⁶¹ This amount may be increased to $100,000 if the court finds that the infringement was willful and reduced to $200 if the court finds that the infringer “was not aware and had no reason to believe” that the act was an infringement.⁶²

Statutory damages theoretically⁶³ are intended to approximate the actual damages suffered, and were crafted as an alternative compensation scheme for copyright owners, when actual damages are difficult to calculate. In determining whether to elect actual or statutory damages, a copyright owner ought to perform a careful analysis to determine how many separate infringements occurred that justify, under the statute, separate awards. Although posting different copyrighted computer software programs on a bulletin board for downloading constitutes multiple infringements,⁶⁴ making multiple copies of the same cartoon character in different poses constitutes a single infringement because only one work was copied.⁶⁵

As mentioned, this is one of the statutory schemes that discourage frivolous litigation by imposing the cost of litigating on the losing party. The statute permits the substantially prevailing party to recover its reasonable attorneys' fees and costs from the losing party. Who is the substantially prevailing party and what constitutes reasonable attorneys' fees are separate and distinct issues that will be decided by the courts.

Copyright violations also can be criminally prosecuted, and generally require demonstration of mens rea, or intent. One or more infringements having a total retail value of more than $1,000 within a 180-day period or “for purposes of commercial advantage or private financial gain” can be punished by one to five years of imprisonment and fines. Even without demonstration of a motive of financial gain, 10 or more infringements having a value in excess of $2,500 can result in up to three years in jail and fines. Repeated violations carry stiffer penalties. Finally, one who knowingly aids or abets a copyright infringement is also subject to criminal prosecution.

11.5 DIGITAL MILLENNIUM COPYRIGHT ACT.

In 1998, Congress passed the Digital Millennium Copyright Act to address concerns raised by the Internet and copyright issues in the context of our increasingly technological society. The DMCA creates a civil remedy for its violation as well as criminal penalties starting after October 2000. One of the purposes of the DMCA is to protect the integrity of copyright information. Removal of a copyright notice, or distribution knowing that such copyright has been removed, is now actionable.⁶⁶

11.6 CIRCUMVENTING TECHNOLOGY MEASURES.

Article 11 of the World Intellectual Property Organization Copyright Treaty required all signatory countries to provide adequate legal protection and remedies against the circumvention of technical measures intended to secure copyrights. In response, Congress adopted Section 1201 of the DMCA, which generally prohibits the act of circumventing, and trafficking in the technology that enables circumvention of, protection measures designed to control access to copyrighted work.⁶⁷ Both civil and criminal remedies also now exist under the DMCA if one circumvents “a technological measure that effectively controls access to a work protected” by the Copyright Act.⁶⁸ It is a civil violation and a crime to “manufacture, import, offer to the public, provide or otherwise traffic in any technology, product, service, device, component, or part thereof,” that “is primarily designed or produced for the purpose of circumventing a technological measure that effectively controls access to a work protected” under the Copyright Act.⁶⁹ A technological measure effectively controls access to a work if the measure, “in the ordinary course of its operation, requires the application of information or a process or a treatment, with the authority of the copyright owner, to gain access to the work.”⁷⁰ One circumvents such technology measure if one uses a means “to descramble a scrambled work, to decrypt an encrypted work, or otherwise to avoid, bypass, remove, deactivate, or impair a technological measure,” without the authority of the copyright owner.⁷¹

In RealNetworks, Inc. v. Streambox, Inc.,⁷² Streambox distributed software that enabled users to bypass the authentication process employed by RealNetworks, which distributes audio and video content over the Internet. Thus, Streambox users could get the benefit of the RealNetworks streaming audio and video content without compensating the copyright owners. The United States District Court in Washington State found that the Streambox software was a technological measure that was designed to circumvent the access and copy control measures intended to protect the copyright owners.⁷³

In a case involving digital video disc (DVD) encryption, a U.S. District Court in New York enjoined posting links to sites where visitors may download the decryption program as trafficking in circumvention technology and a violation of the DMCA.⁷⁴ In Universal City Studios, Inc. v. Reimerdes, the court rejected an argument that the use of the decryption software constituted free expression protected by the First Amendment of the U.S. Constitution. On appeal, the appellant argued that the injunction violated the First Amendment because computer code was speech, was entitled to full protection, and was unable to survive the strict scrutiny given to protected speech.⁷⁵ The appellate court found that the computer code used in the program was protected speech:

The court then analyzed the type of scrutiny that should be applied where the restriction is content neutral:

Finding that the government's interest in preventing unauthorized access to encrypted copyrighted material is unquestionably substantial, and that the regulation of decryption programs served that interest, the appellate court upheld the prohibitions against both posting of, and linking to, the decryption program.

Not all efforts to “circumvent” restrictions, however, come within the prohibitions of the DCMA. In I.M.S. Inquiry Mgmt. Sys. v. Berkshire Info. Sys.,⁷⁸ the defendant had used a valid password provided to plaintiff's own customers and user identification to view plaintiff's e-Basket system exactly as the customer itself might have done. The court concluded that although this might be viewed as a technology measure, it was not circumvention of a digital wall within the meaning of the DCMA.

11.6.1 Exceptions to the Prohibitions on Technology Circumvention.

The DMCA, however, explicitly carves out all defenses to copyright infringement, including the doctrine of fair use, as being unaffected by the passage of the DMCA. In some circumstances fair use can include reverse engineering.

11.6.1.1 Fair Use and Reverse Engineering.

Within the field of computer software, recent cases have considered whether “dissection” in order to reverse engineer the program is a violation of the copyright. To those involved in protecting software programs, the answer appears to be that reverse engineering in the form of disassembly does not, under certain circumstances, constitute an infringement because it is considered “fair use.”⁷⁹ The Ninth Circuit in Sega Enterprises Ltd. v. Accolade, Inc.⁸⁰ found as a matter of law that:

The Ninth Circuit is not the only circuit that has upheld reverse engineering against a copyright claim. The Federal Circuit reached a similar conclusion regarding reverse engineering of object code to discern the “ideas” behind the program in Atari Games Corp. v. Nintendo of America, Inc.⁸² The fair use rationale of Sega was also adopted by the Eleventh Circuit in Bateman v. Mnemonics, Inc.⁸³ on the grounds that it advanced the sciences. Thus, one can spy through reverse engineering still without running afoul of copyright protection or the DMCA.

However, in Bowers v. Baystate Technologies, Inc.,⁸⁴ a split Federal Circuit Court of Appeals found that a shrink-wrap license prohibiting reverse engineering was enforceable against the licensee who had reverse engineered Bowers's CAD Designer's Toolkit to develop a competing product. The Bowers court found that the contractual language trumped the “fair use” permitted under the Copyright Act. The Fifth Circuit has reached the opposite result in the earlier decision of Vault Corp. v. Quaid Software, Ltd.,⁸⁵ specifically finding that the Copyright Act preempts state law that attempts to prohibit disassembly, and holding amass distribution license agreement unenforceable.

Thus, the extent to which Bowers may be followed is still unclear, but it appears to be questioned in subsequent decisions.⁸⁶ Bowers suggests a course that businesses can attempt to follow to curtail reverse engineering, which is to limit that right by contract. If Bowers becomes widely accepted, the United States will be in conflict with the European Union on this issue. In its 1991 Software Directive, the European Union set forth a right to reverse engineer that is consonant with “fair use” under the Copyright Act. The Software Directive also provided that the right cannot be waived by contract. So, until Bowers is settled, if a shrink-wrap license prohibits reverse engineering, it would be best to consider engaging in such activity abroad.

11.6.1.2 Other Exceptions.

The DMCA also creates an important exception that recognizes the right to reverse engineer if (a) the person has lawfully obtained the right to use a copy of a computer program, and (b) the sole purpose of circumventing the technology measure is to identify and analyze “those elements of the program that are necessary to achieve interoperability of an independently created computer program with other programs.”⁸⁷ The DMCA creates a similar exemption for circumvention for the purpose of “enabling the interoperability of an independently created computer program with other programs, if such means are necessary to achieve such interoperability.”⁸⁸ The term “interoperability” is defined to encompass the “ability of computer programs to exchange information and of such programs mutually to use the information which has been exchanged.”⁸⁹ The information acquired through these permitted acts of circumvention may also be provided to third parties so long as it is solely used for the same purposes.⁹⁰

Circumvention is permissible under these exemptions, however, “only to the extent [that it] does not constitute copyright infringement.” Two cases, Chamberlain Group, Inc. v. Skylink Techs., Inc.,⁹¹ and Lexmark Int'l, Inc. v. Static Control Components, Inc.,⁹² are particularly instructive. In both cases, the courts permitted a competitor's access and reverse engineering under this exemption. In contrast, in Storage Tech Corp. v. Custom Hardware Engineering Consulting, Inc. (D.Mass. 2004), the defendant bypassed a protective access key to activate the diagnostics program by copying the code into the random access memory (RAM) of the defendant's access device. The District Court found that this copying constituted infringement. The result was reversed in a 2 to 1 decision in the United States Federal Circuit⁹³ based on a reading of sections 117(a) and (c) of the DMCA, which permits copying for maintenance purposes. This string of decisions has led to recommendations that access be controlled by a method that would cause copyright infringement and that access protect not just the copyrighted program but copyrighted data so as to exclude the rationale of the Federal Circuit. Suggestions have been made that certain parts of copyrighted executable code be encrypted and that a decryption key be required that will create a copy of the code and protected data as part of the process so as to create an argument of copyright infringement. These types of recommendations remain untested, and the simpler course may be control through terms inserted into the licensing agreement.

Exempt from the DMCA, as well, are “good faith” acts of circumvention where the purpose is encryption research. A permissible act of encryption research requires that (a) the person lawfully have obtained a copy, (b) the act is necessary to the research, (c) there was a good faith effort to obtain authorization before the circumvention, and (d) such act does not constitute an infringement under a different section of the Copyright Act or under the Computer Fraud and Abuse Act of 1986. With the caveat that it must be an act of good faith encryption research, the technological means for circumvention can be provided to others who are working collaboratively on such research. The issue of good faith encryption research looks to what happened to the information derived from the research. If it was disseminated in a manner that was likely to assist infringement, as opposed to reasonably calculated to advance the development of encryption technology, then the act still falls outside of the exemption. Other factors that go into the determination of good faith are whether the person conducting the research is trained, experienced, or engaged in the field of encryption research, and whether the researcher provides the copyright owner with a copy of the findings.

The DMCA also has a bias against the collection or dissemination of personally identifying information. Thus, it is not a violation of the DMCA to circumvent a technology measure that essentially protects, collects, or disseminates personally identifying information, provided that the circumvention has no other effect, and provided that the program itself does not contain a conspicuous notice warning against the collection of such information and a means to prevent or restrict such collection.⁹⁴ In short, one can disable “cookies” if the program does not itself permit a user to do so.

Finally, insofar as relevant to this chapter, the DMCA also excludes from its scope “security testing.” The DMCA grants permission to engage in security testing that, but for that permission, would violate the terms of the DMCA. If the security testing, for some reason, violated some other provision of the Copyright Act or the Computer Fraud and Abuse Act of 1986, then it is still an act of infringement. The DMCA, in part, considers whether a violation occurred, and by whom the information was used. The factors to be considered include if the information was used to promote the security of the owner or operator of the computer network or system, if it was shared with the developer, and if it was used in a manner that would not facilitate infringement.⁹⁵ For purposes of the DMCA, security testing means accessing either an individual computer or network for the purpose of “good faith testing, investigating, or correcting, a security flaw or vulnerability, with the authorization of the owner or operator.”⁹⁶

11.6.1.3 Remedies.

The criminal penalties for violation of the DMCA can be quite severe. If the violation is willful for commercial gain, the first offense bears a fine of up to $500,000 or 5 years imprisonment. Subsequent violations bear fines of up to $1 million dollars or 10 years imprisonment. Civil remedies include an order to restrain the violation, damages for lost profits, damages for recovery of the infringer's profits, or statutory damages for each violation. Depending on the section of the DMCA at issue, each violation can generate fines of up to $2,500 or $25,000. Since each act of infringement can constitute a violation, the statutory fines can become quite substantial.

11.7 PATENT PROTECTION.

Ideas, which are not protected by copyright, can be protected through a patent. In general, the patent laws protect the functionality of a product or process.

11.7.1 Patent Protection Requires Disclosure.

A patent can be properly obtained if the invention is new, useful, nonobvious, and disclosed. The patent exchanges a grant of an exclusive monopoly over the invention in return for disclosure. Disclosure is the trigger point for patentability. The disclosure supports the claims of patentability (i.e., it sets up the claim that the invention is both new and nonobvious) and also the scope of what can be protected. Thus, 35 U.S.C. section 112 provides:

A patent therefore must disclose the best mode for implementing the invention, a clear written description of the invention, sufficient detail so that a practitioner can understand and make use of the description, and distinct claims, in order for a patent to issue.⁹⁷ Through adequate disclosure of the invention, the application gives notice of the technology involved in the patent so as to put the public on fair notice of what would constitute an infringement. From a public policy perspective, the disclosure enlarges the public knowledge. From the inventor's perspective, the trade-off is disclosure for exclusivity. Depending on how the invention is to be used and the areas in which protection will be necessary, disclosure may not be the best means of protecting the invention. This is particularly true if the inventor is not convinced it will be deemed nonobvious from prior art, in which case it will be subject to challenge, or if, after disclosure, other companies may legally use the disclosed information for competitive advantage. The effects of disclosure should be carefully considered before applying for patent protection.

11.7.2 Patent Protection in Other Jurisdictions.

Patent protection is jurisdictional. What that means, in general, is that a patent has legal meaning in the country that granted it. The United States is a signatory to the Paris Convention for the Protection of Industrial Properties, which has roughly 160 signatories. The Paris Convention essentially grants a one-year grace period for filing national patent applications in each selected signatory, to obtain the benefit of the original filing date in the United States. An alternative, open to members of the Paris Convention, is the Patent Cooperation Act. This permits the filing of an international patent that basically gives the patentee an 8- to 18-month window to test feasibility, and which simplifies the national application process.

11.7.3 Patent Infringement.

Like the remedies for copyright infringement, the remedies for patent infringement include injunctive relief and damages that, by statute, are not less than a reasonable royalty for the infringing use.⁹⁸ If the infringement is willful, the damages can be trebled. Attorneys' fees can be awarded, but only in exceptional cases.

In the area of exported computer software, an issue of note has arisen under 35 U.S.C. section 271(f). Section 271(f) was added in 1984 to the patent law to prevent infringers from avoiding liability by finishing goods outside of the United States. An infringer will be liable if its intent is to manufacture or supply a component from the United States to be combined elsewhere, if it would be an infringement had it occurred within the United States. Exported software may be considered a “component” under section 271(f). In Microsoft Corp. v. AT&T Corp.,⁹⁹ the issue was whether a master disk supplied by Microsoft abroad for duplication and installation abroad of its Windows program ran afoul of AT&T's patent. In overruling the Federal Circuit, the Supreme Court concluded that it did not:

Unless section 271(f) is amended, it may have profound implications for subverting the ability of a U.S. company to control patent infringement where software is a component of a patented invention.

11.8 PIRACY AND OTHER INTRUSIONS.

For as long as ideas and innovation have been a source of commercial or social value, the terms on which these ideas and innovations have been available for use and exchange by others has been the subject of significant tension. Although inventors and creators of commercially viable products and processes want to maximize the return on their investment, marketplace pressure for cost efficiency (often motivated by human and corporate greed) fuels a constant drive to remove the inventors' and creators' royalties from the cost of production. Thus, the ancient notion of piracy, the unauthorized boarding of a ship to commit theft, and the unauthorized use of another's invention or production,¹⁰⁰ remains alive and well. The piracy we speak of is not simply the unauthorized copying of millions of compact discs (CDs); increasingly it includes the unauthorized scraping of data from Web sites, abuse of authorized Internet use, theft of employee data, and similar activities.

11.8.1 Marketplace.

The demand for unlicensed access to and use of software and entertainment media increases annually. In its 2007 survey regarding computer security among corporate and governmental institutions, the Computer Security Institute and the U.S. Federal Bureau of Investigation found that 59 percent of all respondents discovered employees who abused Internet privileges for a variety of unauthorized purposes.¹⁰¹ A 2007 study by the Software & Industry Information Association reported worldwide revenue loss from the piracy (unlawful copying and distribution) of software exceeding $28.8 billion in 2007.¹⁰² In countries such as China, despite recent overtures to the contrary, piracy is not merely sanctioned, it constitutes an investment by government agencies.¹⁰³

In recent years, in large part due to the saturation of Internet access, there has been a tremendous proliferation of technologies designed to access and distribute (without authorization) protected software applications and entertainment media. This has posed a tremendous challenge for license holders, legislators, and law enforcement authorities. The results have included attempts to punish both unauthorized access and use of protected material. In the process, there has been a transformation in the definition of what is protected and some confusion about the extent of that protection when the Internet is involved.

11.8.2 Database Protection.

Databases, the organized compilation of information in an electronic format, are prominent elements of any discussion concerning copyright protection. Compilations of information, data, and works are protectable under the Copyright Act.¹⁰⁴ To secure copyright protection for a compilation, a party must demonstrate that (1) it owned a valid copyright in the compilation; (2) the alleged infringer copied at least a portion of the compilation; and (3) the portion so copied was protected under the Copyright Act.¹⁰⁵ In this context, the Copyright Act protects the “original” selection, coordination, or arrangement of the data contained in the compilation.¹⁰⁶

To the extent that compilations contain purely factual information (e.g., existing prices of products and services), there is no protection because the facts themselves lack originality.¹⁰⁷ It does not matter that the author “created” the facts of the prices being charged for the product or service.¹⁰⁸ To sustain a claim of copyright protection for compilations of fact, the author must demonstrate creativity in the arrangement of the data. Standard or routine arrangements are likewise beyond the act's umbrella.¹⁰⁹ This is in contrast to the European Union's Database Directive, which does not require creativity as an element for the protection of a database. Rather it protects investment in databases under copyright protection subject, however, to fair use qualifications.

The United States Supreme Court has held that the compilation into a database of original works by contributing authors to newspapers and magazines violates the copyrights of the individual authors when the database does not reproduce the authors' articles as part of the original collective work to which the articles were contributed. In New York Times Co., Inc. v. Tasini,¹¹⁰ authors who contributed articles and other works to the New York Times, Time magazine, and Newsday sued when they learned that the articles that they sold to the publishers for use in the respective publications were being reproduced and made available online, through LEXIS/NEXIS, an online database, and on CD-ROM. In most instances, the reproductions were of the individual articles outside of the newspaper or magazine context, in a collection of works separately protected by the Copyright Act. The Supreme Court held that, because the publishers of the new collective works made no original or creative contribution to the individual authors' original works, they could not reproduce and distribute those works outside of the format that each publisher created for the original collections of works, without permission from, or payments to, each author.¹¹¹

11.8.3 Applications of Transformative and Fair Use.

The concepts of transformative use and fair use (to the extent that they are separable) discussed earlier in this chapter have played a substantial role in recent decisions involving the authorized use of electronic media and the Internet. The starting point for this application of the doctrine is the U.S. Supreme Court's decision in Sony Corporation v. Universal City Studios, Inc.,¹¹² the famous battle over Betamax initiated by the movie industry. At issue was whether electronic recording machines could record television programs to permit individuals to “time-shift” television programs (i.e., to record programs for viewing at a time other than the time of airing). In its decision, the Sony Court found that time shifting was a productive use of the television programs for a purpose other than the original commercial broadcast, and was not an attempt either to duplicate the original purpose or to impact the commercial market for these programs. The Court emphasized the noncommercial element inherent in time shifting.¹¹³

11.8.4 Internet Hosting and File Distribution.

The growth of the breadth and scope of the Internet has been accompanied by increasing questions about the extent to which the distribution of otherwise protected expressions change their form when converted into an electronic format. These questions arise for Internet service providers (ISPs), which provide the pathway for distributing protected material, and for end users who post such materials on their Web sites and bulletin boards. For ISPs, the DMCA provides some initial comfort.

Title II of the DMCA, designated the “Online Copyright Infringement Limitation Act” establishes several infringement liability safe harbors for service providers. The “Information residing on systems or networks at direction of users”¹¹⁴ safe harbor is available to any provider of “online services or network access, or the operator of facilities thereof,…” including “digital online communications, between or among points specified by user, of material of the user's choosing, without modification to the content of the material as sent or received”¹¹⁵ that “has adopted and reasonably implemented, and informs subscribers and account holders of the service provider's system or network of, a policy that provides for the termination in appropriate circumstances of subscribers and account holders of the service provider's system or network who are repeat infringers” and “accommodates and does not interfere with standard technical measures.”¹¹⁶ To qualify for the safe harbor, the service provider must demonstrate that

1. It has no actual or constructive knowledge that information on its system is infringing, it is not aware of circumstances from which infringement is apparent or, upon obtaining such knowledge or awareness, it acts expeditiously to remove those materials;
2. It receives no financial benefit directly attributable to the infringing activity, and
3. Upon receipt of a notice of infringing material on its system, responds expeditiously to remove, or disable access to, the material.¹¹⁷

Assuming that the safe harbor does not apply (as, for instance, because the ISP failed to act on a notice of infringing activity), many service providers may nonetheless escape liability. In the first, and seminal, case on this topic, Religious Technology Center v. Netcom On-Line Communication Services, Inc.,¹¹⁸ an ISP hosted a bulletin board service on which Church of Scientology publications were posted by a former minister. The District Court held that the ISP must demonstrate that its use was of public benefit (facilitating dissemination of creative works including, but not limited to, the infringing work); that its financial gain was unrelated to the infringing activity (e.g., subscription fees from providing e-mail systems rather than fees from the display or sale of the infringing work); that its use was unrelated to the use of the owner of the work; that the ISP copied only what was necessary to provide its service; and that its use of the material had no demonstrable effect on the potential market for the work.¹¹⁹ In CoStar Group, Inc. v. LoopNet, Inc., the Fourth Circuit relied on Netcom, its codification in the DMCA, and the fact that the DMCA does not limit the application of other infringement defenses, and held that “the automatic copying, storage, and transmission of copyrighted materials, when instigated by others, does not render an ISP strictly liable for copyright infringement under §§501 and 106 of the Copyright Act.”¹²⁰

For Web site owners and users who post allegedly infringing material, the courts have had much less difficulty discarding the transformative fair use arguments. This has been particularly true in the purely commercial setting, as where the infringing party gains direct financial benefit from the infringing material,¹²¹ and where the posted material is an exact copy of the protected work without any transformation to something creative or original.¹²² In a case that goes to the heart of the open-access nature of the Internet, one court recently held that a copyright owner, who posts its work on the Internet for free distribution as shareware, may defeat a transformative fair use defense by also posting an express reservation of distribution rights.¹²³

11.8.5 Web Crawlers and Fair Use.

The Internet, premised on open exchange of data and economic efficiency, has spawned a spate of data search and aggregation software tools that scan the Web looking for information requested by the user. The process used by these search engines¹²⁴ includes identifying data on the Web that conforms to the search parameters and then downloading that data. Since the copying usually occurs without the express permission of the copyright owner, some have argued that such copying constitutes an infringement. Although there is very little precedent concerning the application of transformative fair use to automated data retrieval systems, at least one court has upheld the use of the defense to an infringement claim.¹²⁵

11.8.6 HyperLinking.

In Perfect 10 v. Google, Inc.,¹²⁶ affirmed in part and remanded in part, Perfect 10, Inc. v. Amazon.com, Inc.,¹²⁷ Perfect 10 (P10) claimed that Google was infringing its ownership of copyrights in certain images and thumbnails hosted by third-party and P10's Web sites when Google's image search picked them up for display as framed full-size images and as thumbnails on computers and cell phones. The court concluded that hyperlinking did not constitute display for purposes of direct copyright infringement. On appeal, the case was remanded for further consideration as to whether the conduct fell within the general rule for contributory liability. To appreciate the context in which the courts are wrestling with these issues in the light of new technology, a review of the District Court's analysis should be studied.

11.8.7 File Sharing.

Transformative fair use will not protect the verbatim retransmission of protected work in a different medium when there is a substantial and detrimental impact on the market for the protected work. In A&M Records, Inc. v. Napster, Inc.,¹²⁸ Napster enabled users to share music files over the Internet by downloading the file-sharing software to their hard drive, using the software to search for MP3 music files stored on other computers, and transferring copies of MP3 files from other computers. The court of appeals held that Napster users were merely retransmitting original works in a different medium and that this did not constitute a transformation of the original work. The court also found that sharing of music files over the Internet had, and would have, a significant and detrimental impact on the existing and potential market for CDs and digital downloads of the copyright owners' works. Picking up on the Sony decision's emphasis on the distinction between commercial and personal use, the Court of Appeals found that Napster's Web site effectively made the works available for use by the general public and not simply for the personal use of individual users.¹²⁹

Napster's demise, however, did not end the controversy over file sharing. Trying to avoid Napster's method of directly enabling file sharing, entities such as Grokster and StreamCast developed software creating peer-to-peer networks through which individual computers communicate to exchange files without the necessity of a central server.¹³⁰ The Supreme Court recently revisited copyright infringement and file sharing specifically with respect to these peer-to-peer networks and applied the “inducement rule” to file-sharing services. Evidence demonstrated that 90 percent of the files available to download from Grokster and StreamCast were copyrighted works, and Grokster and StreamCast conceded that most users were downloading copyrighted material. There was also an abundance of evidence that through their respective software applications and advertisements, both entities marketed themselves as the alternative to Napster, and their business models demonstrated “that their principal object[ive] was [the] use of their software to download copyrighted works.”¹³¹ The Court vacated the court of appeals' affirmation of summary judgment for Grokster and StreamCast, and rejected the court of appeals' broad interpretation of Sony Corp. v. Universal City Studios, but declined to further discuss the balance between protecting copyrighted works and promoting commerce in the context of how much noninfringing use each service was capable of providing, and did not at all discuss the issue of fair use. Instead, the Court noted that Sony did not preclude other forms of infringement liability and, focusing on the intent of the defendants in their inducement of file sharing, held that “one who distributes a device with the object of promoting its use to infringe copyright, as shown by clear expression or other affirmative steps taken to foster infringement, is liable for the resulting acts of infringement by third parties.”¹³² Citing Sony, the Court further opined that mere knowledge of potential or actual infringement are not sufficient bases for liability, but that “the inducement rule…premises liability on purposeful, culpable expression and conduct, and thus does nothing to compromise legitimate commerce or discourage innovation having a lawful purpose.”¹³³

Since the service and software in Grokster had other lawful purposes, the Supreme Court's decision underscores the importance of proving an intent to infringe or cause infringement. Thus, when asking a court to look behind stratagems and disclaimers that hide unlawful purposes, the copyright holder should consider what other evidence exists or is likely to exist of product design, advertising, marketing, external and internal communications, revenue plans, and other factors that would prove unlawful intent. In addition, for copyright holders, the problem remains that many providers of file-sharing software may not be subject to the jurisdiction of U.S. courts and that file-sharing software, such as “Darknet,” provides anonymity to users illegally downloading copyrighted materials. As will be discussed, many countries are signatories to Trade Related Aspects of Intellectual Property Rights (TRIPS). See Section 11.11.1 of this Chapter and subcribe to international copyright protection. Following Grokster, the maker of KaZaa file-sharing software was enjoined in Australia from using its software to commit copyright infringement. The remedy required alteration of the software so that it would not duplicate copyrighted works.

11.9 OTHER TOOLS TO PREVENT UNAUTHORIZED INTRUSIONS.

Several legal principles and laws support the right to prevent and prosecute unauthorized intrusions. These include the definition of trespass, terms of use, and several critically important and widely used laws explicitly addressing the issues.

11.9.1 Trespass.

Trespass is a common law concept that we are all familiar with when applied to land. We have all seen and probably at some point in our youth violated the no-trespassing signs that are posted on an unfriendly neighbor's property. Trespass is also a concept that can apply to computers and informational databases. Courts have been taking older concepts and reapplying them to new situations.

In eBay, Inc. v. Bidder's Edge, Inc.,¹³⁴ the Federal District Court granted eBay an injunction forbidding Bidder's Edge from using a software robot to scrape information from eBay's Web site. The court based the injunction on its finding that accessing the Web site in a manner that was beyond eBay's posted notice (there were actual letters of objection) constituted a trespass. The court reasoned that the “electronic signals sent by Bidder's Edge to retrieve information from eBay's computer system [were] sufficiently tangible to support a trespass cause of action.” The court further viewed the ongoing violation of eBay's fundamental right to exclude others from its computer system as creating sufficient irreparable harm to warrant an injunction. Thus, it was not necessary that eBay prove that the access actually interfered with the operation of the Web site. Rather, proof of the “intermeddling with or use of another's personal property” was sufficient to establish the cause of action for trespass. What is significant here is that eBay did permit others to access its Web site under license, and the court viewed conduct that exceeded the licensed use, upon notice to the violator, to be a trespass.

However, the applicability of trespass to unauthorized computer activity is not settled. Where trespass involves an object, rather than land, there must not only be improper use but also some harm to the physical condition or value of the object or the misuse must deprive the rightful owner of the use of the object for a substantial period of time. The two must be causally related. In Intel v. Hamidi,¹³⁵ the California Supreme Court reversed a lower court's banning a former employee from sending unsolicited e-mails on the grounds of trespass. The court thought that the reach of the doctrine had been extended too far, concluding that bad analogies (i.e., viewing servers as houses and electronic waves as intrusions) create bad law. The court declined to view computers as real property. Rather, finding that they were like other personal property, the court found that this communication was no different from a letter delivered by mail or a telephone call. In short, the court declined to find a trespass because there was an “unwelcome communication, electronic or otherwise” that had fictitiously caused an “injury to a communication system.” Here there was no injury to the computer system although Intel claimed injury to its business.

Intel v. Hamidi simply warns against overbreadth of application of the concept of trespass. If injury to the computer system can be demonstrated, then the concept of trespass does lie as a tool in the arsenal of remedies assuming that the trespasser can be identified.

11.9.2 Terms of Use.

Terms of use can constitute a contract with respect to Web site usage. Thus, in any situation where electronic access is requested or permitted, the terms and conditions of use, together with an acknowledgment that such terms have been seen and consented to, can be enforced as restricting usage. In Register.com, Inc. v. Verio, Inc.,¹³⁶ the Second Circuit upheld an order enjoining Web site access primarily on the issue of contract. There, as described by the Second Circuit, the defendant Verio, against whom the preliminary injunction was issued, was engaged in the business of selling a variety of Web site design, development, and operation services. In the sale of such services, Verio competed with Register's Web site development business. To facilitate its pursuit of customers, Verio undertook to obtain daily updates of the WHOIS information relating to newly registered domain names. To achieve this, Verio devised an automated software program, or robot, which each day would submit multiple successive WHOIS queries through the port 43 accesses of various registrars. Upon acquiring the WHOIS information of new registrants, Verio would send them marketing solicitations by e-mail, telemarketing, and direct mail. To the extent that Verio's solicitations were sent by e-mail, the practice was inconsistent with the terms of the restrictive legend Register attached to its responses to Verio's queries.

Register at first complained to Verio about this use and then adopted a new restrictive legend on its Web site that undertook to bar mass solicitation “via direct mail, electronic mail, or by telephone.” The court concluded that Verio's conduct formed a contract, like buying an apple at a roadside fruit stand, which Verio breached:

Similarly, although in a different setting, in ProCD v. Zeidenberg,¹³⁷ where ProCD sold a CD with noncopyrightable data. Access to the data, however, was controlled by a license agreement; if there was no acceptance, there was also no access. The license agreement prohibited the use of the data for any commercial use. Zeidenberg took the data and posted it on a Web site, which he used commercially to sell advertising. Thus the data were being used to attract visitors. The court found the license limitation on use enforceable.

The importance of this decision is that so long as the owner prominently specifies the limitations, the restrictions can become a contract that is accepted by accepting the benefits of access and can be one safeguard against misuse of the access.

11.9.3 Computer Fraud and Abuse Act¹³⁸

11.9.3.1 Prohibited Behavior and Damages.

In 1984, Congress passed the original version of the Computer Fraud and Abuse Act (CFAA).¹³⁹ The general purpose was to protect “Federal interest computers” by criminalizing intentional and unauthorized access to those computers that resulted in damage to the computers or the data stored on them. The statute was substantially amended in 1986,¹⁴⁰ and again in 1996,¹⁴¹ and now contains both criminal and private civil enforcement provisions.

The statute proscribes these activities:

The linchpin among the relevant decisions concerning access to data under the CFAA is whether the access is “without authority” or “in excess of authority.” The factors considered by the courts include the steps taken by the owner of the information to protect against disclosure or use, the extent of the defendants' knowledge regarding their authority to access or use the data, and the use(s) made of the data after gaining access. The legislative history indicates that the statute was intended to “punish those who illegally use computers for commercial advantage.”¹⁴⁹

Broadly speaking, there are two sets of circumstances to consider. In the first instance, is the actual access authorized, either expressly or impliedly? In the Internet context, where there is a presumption of open access, the site or data owners must show that they took steps to protect the contents of their site and to limit access to the data at issue.¹⁵⁰ Once those steps are taken, the protection constitutes a wall through which even automated search retrieval systems may not go without express permission.¹⁵¹ Without the wall, there must be some evidence of an intent to access for an impermissible purpose, as when Intuit inserted cookies into the hard drives of home computers.¹⁵²

Second, has the authorized access been improperly exceeded? Generally speaking, those who use their permitted access for an unauthorized purpose to the detriment of the site or data owner have violated the CFAA. Examples include employees who obtain trade secret information and transmit it via the employer's e-mail system to a competitor for which the employee is about to begin work;¹⁵³ using an ISP subscription membership to gain access to and harvest e-mail addresses of other subscribers in order to transmit unsolicited bulk e-mails;¹⁵⁴ and using access to an employer's e-mail system to alter and delete company files.¹⁵⁵

The criminal penalties range from fines to imprisonment for up to 20 years for multiple offenses. As discussed in Section 11.9, the CFAA has become a prominent element of claims by the U.S. government and private parties seeking to protect data that are not always protected by other statutory schemes.

11.9.3.2 Its Application to WebCrawling and Bots.

Web robots, or “bots,” have become widespread to scrape data from Web sites. All of that data generally are available to the public. That is, any individual can access the same information, but not with the speed or accuracy of a Webspider. But when does such “scraping” run afoul of the CFAA? To what extent does the law protect site operators or company data from penetration by an outside third party?

The key to the analysis under the CFAA is to ask whether the data are in fact publicly available. Are there technical barriers, such as passwords or codes that have to be circumvented? Do the terms of use prohibit access or use other than by an individual consumer? These questions are critical to determining whether the access either exceeds authority or is without authority under the CFAA.

If the answer to either one of these questions (or similar questions) is yes, one needs to consider access carefully since such access and downloading of data is likely to violate the CFAA. In EF Cultural Travel v. Zefer Corporation, Zefer designed a Web bot to scrape travel trip and pricing information from the Web site of EF Cultural Travel (EF) for use by a competitive travel Web site. The bot, designed by Zefer, downloaded the information by calling URLs on which each separate trip and pricing information was stored, reading the source code for the key features, and storing the information on a spreadsheet. The bot did so in a fashion not to burden or interfere with EF's Web site. Once gathered, the information was turned over to a competitor, who used the information to adjust price and trip information that it offered. Zefer's scraping did not occur continuously, but only on two dedicated occasions. EF sued claiming that a violation of the CFAA had occurred. The First Circuit Court of Appeals disagreed, refusing to read into what is or is not authorized some “reasonable expectations” standard, instead requiring that the Web site operator expressly state any limitations on access in its terms and conditions. On remand to the Federal District Court, the court, following the First Circuit, granted summary judgment for Zefer.

11.9.3.3 Simple Preventive Measures.

Not surprisingly, there are several methods for preventing unauthorized access in the first instance and, if unsuccessful, in prevailing in any subsequent claim arising under the CFAA. Perhaps the most obvious measure, and one that the First Circuit Court of Appeals underscored, is to make sure that each visitor to a Web site is adequately notified that the owner of the site intends only limited use or access to the data on the site. The notice can take many forms.

For example, a detectable message easily identifiable on a home page warning visitors that the posted information is available only for viewing and not for use in any manner adverse to the host's interests would be sufficient. Understandably, most Web hosts are reluctant to post such a blatant limitation—it is not necessarily “good for business.” For those interested in an equally effective but less direct message, an increasingly common practice is to compel site visitors to register before gaining access to links and other pages available through the home page. The more difficult the registration process, the greater the host's apparent intent to restrict access to, and use of, the information that will be accessible after registration is completed.

Those hosts that require the payment of money, some kind of membership, or an access agreement before providing access establish what, for purposes of statutes like the CFAA that criminalize unauthorized access, will most often be seen as providing sufficient notice of the limits of authorized access. In the case of membership sites, the presumption is that each registrant is prequalified and therefore authorized to view and use the more restricted data, at least for purposes consistent with the terms of access. Enforceable click-wrap access agreements establish not only notice of access limitations; they also secure each visitor's agreement to use the Web site and the data therein within the stated limitations.

Securing Web-based data against unauthorized use or users is, in some ways, antithetical to the information-sharing intent and purpose of the Web. In this regard, however, the question arising when we post information on the Web differs little from the question posed over the centuries regarding the extent to which each of us wants our competitors or adversaries to use our proprietary work against our interests. The greater the concern, the more likely that each host will have to limit the data posted on the Web, or else increase each visitor's awareness of the rules of access.

11.9.4 Electronic Communications and Privacy.

Electronic privacy is becoming the issue in our society of databases and networking. Most of the U.S. “privacy” statutes are subject matter specific: the Telephone Consumer Protection Act of 1991 (do not call, for telemarketers); Health Insurance Portability Accountability Act of 1996 (privacy with respect to uses and disclosure of medical information); Children's Online Privacy Protection Act of 1998 (regulating collection of information from children under the age of 13 by Web sites directed to children); Gramm-Leach-Bliley Act of 1999 (regulating sharing of customer data by financial institutions); Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (restricting spammers and requiring an ability to opt out); the Fair and Accurate Credit Transaction Act of 2003 (providing very limited assistance with respect to identity theft such as the obligation to provide a yearly credit report). These laws do not provide assurances of privacy in the same way that the European Union did in its 1996 Data Protection Directive.¹⁵⁶ The EU Data Directive establishes protections against release of personal data, including e-mails, within the European Union, and restrictions on the transmission of such data outside the EU to countries or companies that do not have equivalent protections in place.¹⁵⁷

In 2005, ChoicePoint, a large data broker, admitted that it had sold personal data on over 160,000 people to phony companies established by identity thieves. Since then, other companies have announced data break-ins and data leaks. As a result of such data security breaches, approximately half of the states have passed laws that require disclosure of unauthorized access to personal data.¹⁵⁸

In the United States, the primary protection for privacy remains a lawsuit for tortious invasion of one's privacy. Because those rights are defined state by state, a review is beyond the scope of this chapter. However, most states recognize some form of the tort of invasion of privacy, and the tort has been recognized in the Restatement (Second) of Torts § 652, which courts reference as an authoritative source of the law. In general, the Restatement makes actionable (a) intentional intrusion, that is highly offensive to a reasonable man, into the seclusion of another's private affairs, (b) the public disclosure of private facts if such disclosure is highly offensive to a reasonable person, and is not a legitimate public concern, and (c) the appropriation for his own use or benefit of the name or likeness of another.

This chapter has already discussed the fiduciary obligation owed by employees to their employers with respect to confidential information. The development of the tort of privacy suggests that companies owe a similar obligation to their employees. Although slightly different in scope, but foreshadowing the growing body of law in this area, in Remsburg v. Docusearch, Inc.,¹⁵⁹ the New Hampshire Supreme Court was faced with a database company that had supplied information to a client that included a woman's personal information. The client used it to confront her and kill her. The supreme court held that the company had to act with “reasonable care in disclosing a third person's personal information to a client.” This decision is as yet an unanswered invitation to other courts.

On the federal level, the CFAA, of course, does address “unauthorized” access to computerized information. In addition, Congress has enacted some statutory regulations that specifically address electronic communications and privacy.

11.9.4.1 Wiretap Act and Electronic Communications Privacy Act.

The Omnibus Crime Control and Safe Streets Act of 1968, generally referred to as the Federal Wiretap Act,¹⁶⁰ established the general parameters for permitted interception of communications by law enforcement. As originally crafted, the Wiretap Act covered only “wire and oral communications.” In 1986, Congress enacted the Electronic Communications Privacy Act (ECPA),¹⁶¹ which amended the Wiretap Act and created the Stored Wire and Electronic Communications and Transactional Records Act (Stored Communications Act or SCA) to “update and clarify federal privacy protections and standards in light of changes in computers and telecommunication technologies.”¹⁶² The SCA makes it unlawful to knowingly access a prohibited electronic communications service facility without authority, or in excess of authority, and for such public service provider to disclose information contained in such facilities. The ECPA allows a private plaintiff to bring a claim for knowing or intentional violation of the statute to recover actual damages or the statutory minimum of $1,000.

The 1986 amendment extended the Wiretap Act's coverage to include “electronic communications,” which is defined as “any transfer of signs, signals, writing, images, sounds, data, or intelligence of any nature transmitted in whole or in part by a wire, radio, electromagnetic, photo-electronic or photo-optical system.”¹⁶³ “Intercept” is defined as “the aural or other acquisition of the contents of any wire, electronic, or oral communication through the use of any electronic, mechanical, or other device.”¹⁶⁴ Consequently, the Wiretap Act now makes it an offense to “intentionally intercept…any wire, oral, or electronic communication.”¹⁶⁵ Thus, the definitions in the act now cover Internet transmissions such as e-mails or file transfers.

There is an important exception to this prohibition. Under the “consent of a party” exception, it is permissible to intercept communications where “one of the parties to the communication has given prior consent to such interception.”¹⁶⁶ The requisite consent may be express or implied from the surrounding circumstances.¹⁶⁷ Furthermore, an employer may obtain consent by informing the employee of the monitoring practices in an employment contract or in an employee handbook.¹⁶⁸

Under the “provider exception,” a provider of electronic communication services “whose facilities are used in the transmission of a wire or electronic communication, [may] intercept, disclose or use that communication in the normal course of his employment while engaged in any activity which is a necessary incident…to the protection of the rights or property of the provider of that service.”¹⁶⁹ This exception may allow an employer to lawfully intercept communications to detect an employee's unauthorized disclosure of trade secrets to third parties.¹⁷⁰

11.9.4.2 Contemporaneous Transmission Requirement.

The Wiretap Act only prohibits interceptions of electronic communications,¹⁷¹ a term that has been more narrowly defined by the courts than the definition in the act might suggest. The definition of interception provides that an individual “intercepts” a wire, oral, or electronic communication “merely by acquiring its contents, regardless of when or under what circumstances the acquisition occurs.”¹⁷² In the context of this section, a serious question arises about the legality of intercepting electronic communications as they were being transmitted and once they were stored, either temporarily or permanently. Although Congress intended to liberalize one's ability to monitor “wire communications” while it sought to make the monitoring of “electronic communications” more difficult,¹⁷³ courts have held that Congress intended to make acquisitions of electronic communications unlawful under the Wiretap Act “only if they occur contemporaneously with their transmissions”¹⁷⁴ and before they actually cross the finish line and become stored.¹⁷⁵ This is, of course, an interesting fiction when applied to Internet transmissions, which consist of packages that are broken up and passed from router to router as well as from temporary storage to temporary storage. It is a far cry from the interception of a telephone call. It may simply be that in applying the language of the statute, the courts are faced with applying it to a technology that was not really in existence when the statute was amended in 1986.

In recent years, the courts have attempted to apply the contemporaneous transmission requirement to various situations. For example, cookies used to recover personal data from visitors to a Web site constitute an interception of a contemporaneous electronic communication and a violation of the Wiretap Act.¹⁷⁶ Noting that electronic communications are generally in transit and in storage simultaneously, the court reasoned that users communicated simultaneously with the pharmaceutical client's Web server and with the software company's Web server and, thus, the information was acquired contemporaneously with its transmission.¹⁷⁷

Where electronic transmissions are found in RAM or on the hard drive, they are stored communications and can be retrieved because they are outside of the Wiretap Act.¹⁷⁸ Similarly, an e-mail that is recovered after it has been sent and received does not satisfy the contemporaneous transmission requirement and therefore has not been intercepted under the Wiretap Act.¹⁷⁹ Perhaps in response to these and other decisions, in 2001 Congress amended the Wiretap Act to apply the contemporary transmission requirement to wire communications that could not be retrieved, thereby permitting the recovery of stored wire communications.¹⁸⁰

11.9.4.3 Konop v. Hawaiian Airlines, Inc.

The Konop decision appears to be the most oft-cited case on the issue of “interception” under the Wiretap Act. Konop, the plaintiff, was an airline pilot who created and maintained a Web site where he posted bulletins critical of his employer, Hawaiian Airlines, Inc., and the airline union. Konop controlled access to his Web site by requiring visitors to log in with a user name and password and by creating a list of authorized users.

An officer of Hawaiian Airlines asked one such authorized user for permission to use his name to access the Web site. The officer logged on several times, and another officer, using the same technique, also logged on to view the information posted on Konop's bulletin. Konop eventually filed suit against Hawaiian Airlines, alleging that it violated the Wiretap Act when its officer gained unauthorized access to Konop's Web site.

The court first reiterated that the act only prohibits interceptions of electronic communications.¹⁸¹ “Interception,” the court held, requires that the party acquire the information contemporaneous with its transmission, and not while it is in electronic storage. In this case, the court concluded that the employer did not violate the Wiretap Act because the officers accessed an electronic communication located on an idle Web site, which did not satisfy the contemporaneous transmission requirement.¹⁸²

11.9.5 Stored Communications Act.

Unlike the Wiretap Act, the Stored Communications Act (SCA),¹⁸³ as its name suggests, establishes the limitations of access to stored communications (i.e., communications accessed after their transmission).¹⁸⁴ Specifically, the SCA makes it unlawful to “intentionally [access] without authorization a facility through which an electronic communication service is provided…and thereby [obtain], [alter], or [prevent] authorized access to a wire or electronic communication while it is in electronic storage.”¹⁸⁵ The SCA defines “electronic storage” as “(A) any temporary, intermediate storage of a wire or electronic communication incidental to the electronic transmission thereof; and (B) any storage of such communication by an electronic communication service provider for purposes of backup protection of such communication.”¹⁸⁶ The SCA exempts from liability conduct “authorized…by the person or entity providing a wire or electronic communications service”¹⁸⁷ or “by a user of that service with respect to a communication of or intended for that user.”¹⁸⁸

11.9.5.1 Electronic Storage: Backup Files.

The essential element that separates the SCA from the Wiretap Act is that the accessed communications reside in electronic storage. Therefore, the first question is what constitutes electronic storage. In Theofel v. Farey-Jones,¹⁸⁹ the United States Court of Appeals for the Ninth Circuit attempted to answer this question.

In Theofel, overzealous lawyers for Farey-Jones secured, through a subpoena issued to an Internet service provider, e-mails sent and received by their opponents in the lawsuit, a company called Integrated Capital Associates (ICA). The subpoena requested from the ISP virtually every e-mail ever sent or received by ICA and its employees. In response, the ISP posted a smattering of the e-mails on a Web site accessible to Farey-Jones and its lawyers. When ICA learned of these activities, it sued Farey-Jones for, among other things, violation of the SCA.

According to the court in Theofel, Congress recognized that users of Internet service providers have a legitimate interest in protecting the confidentiality of communications in electronic storage at a communications facility. Moreover, this legitimate interest cannot be overcome by fraud, or by someone who knowingly exploits a mistake that permits access to what is otherwise protected. The court found that the use of the subpoena to access ICA's e-mails when it was reasonably plain, at least to counsel, that the subpoena was invalid, negated any apparent authority that Farey-Jones and its lawyers may have had to view ICA's emails.

Farey-Jones claimed that the ICA e-mails were not in “electronic storage” and therefore no violation of the SCA occurred. The court disagreed. As stated earlier, electronic storage exists when messages are stored on a temporary, intermediate basis as part of the process of transmitting the message to the recipient, and when messages are stored as part of a backup process. In this instance, the court found that the e-mails, which had apparently been delivered to their recipients, were stored by the ISP as part of its backup process for retrieval after initial receipt. Access to those e-mails was therefore protected by the SCA, which Farey-Jones and its lawyers violated.

11.9.5.2 Electronic Storage: Temporarily Stored Communications.

Recent cases interpreting the meaning of “temporary, intermediate storage…incidental to” transmission of the communication have adhered to the letter of the law more than its spirit. In two cases involving the installation of cookies that were subsequently accessed by software companies for commercial gain, the courts have held that cookies are permanently (or at least indefinitely) installed in the consumer's hard drive and therefore cannot be considered “temporary, intermediate storage.”¹⁹⁰ The Doubleclick decision also emphasized that the “temporary, intermediate storage” element of the SCA means what it says, that is, the prohibited conduct involves only the unauthorized access to communications while they are being temporarily stored by an intermediate and does not include access to stored messages after they have been received.¹⁹¹ In the context of an employer's right to examine an employee's e-mails, the employee will have no claim that an employer has violated the SCA when the employer opens e-mails sent or received by the employee once the e-mail has been either received or discarded.¹⁹²

11.10 OPEN SOURCE.

With the continued proliferation of the Internet and computer software, the licensing, distribution, and use of open source code has gained publicity and added importance in the practice of intellectual property and computer security. “Open source” describes the distribution of computer code that is available (i.e., open) to all others and therefore allows computer programmers to read, apply, and modify the code, and also redistribute any changes.¹⁹³ The open source movement began with Richard Stallman's development of Gnu's Not Unix (GNU), a freeware form of UNIX that was meant to be free software (free as in the freedom to use, modify, and distribute the software).¹⁹⁴ GNU's development created the first open source license, the General Public License (GPL). Linux, an open source–based operating system and an alternative to Microsoft's Windows, experienced tremendous growth through its use of the GPL.¹⁹⁵ The prevalence of open source issues is evidenced by the 1998 formation of the Open Source Initiative (OSI), which not only promotes open source development and encourages its use by business¹⁹⁶ but also offers links to and information about most of the available open source licenses.

11.10.1 Open Source Licenses.

The author of an open source code holds a copyright that operates as other copyrights do, but the code is released under a certain license on a nonproprietary basis. There are various types of open source licenses. The first open source license was the GPL, as described. It offers the broadest application of free software. In contrast, other licenses do not seek to perpetuate the free nature of a particular program. According to the Open Source Initiative, there are nearly 60 open source licenses now available for authors of source code,¹⁹⁷ all of which assert certain requirements of the software user.

11.10.2 GPL.

Licensing under the GPL is premised on Stallman's idea of “copyleft,” which basically uses copyright as a tool to ensure the continued free distribution of source code.¹⁹⁸ In other words, the GPL affords application, modification, and distribution rights to the copyrighted source code only if the user agrees that the distribution terms remain the same. This creates an endless chain of GPLs attached to future distributions of either the original or derived versions, regardless of their form.¹⁹⁹ This endless chain often is referred to as the GPL's “viral effect,” as GPL-protected code multiplies from any modifications of original GPL-protected code.²⁰⁰ The GPL applies not just to an originally protected software program but also to what it broadly defines as the “Program”:

Moreover, although the GPL also states that independent and separate sections of a derivative work are not subject to the GPL's terms when they are distributed as separate works, the GPL does apply when the user distributes those same independent and separate “sections as part of a whole which is based on the Program….”²⁰² The broad application given to the program under the GPL further enhances the viral effect of the license.

Other provisions of the GPL require users who distribute verbatim copies of the source code to publish copyright notices, disclaim warranties, and provide copies of the GPL. In addition, the modifier/user must attach to any modifications a notice that the software was changed, and must distribute or license the software free of charge to third parties, and must provide appropriate copyright notices, warranty disclaimers, and GPL terms and conditions. In sum, the GPL's sweeping terms not only seek to achieve the free software goals of the FSF but also to impact whether authors chose the GPL, and whether businesses utilize software subject to the GPL.

11.10.3 Other Open Source Licenses.

The Berkeley Software Distribution (BSD) License and the Massachusetts Institute of Technology (MIT) License are very similar in that they both require copyright notices, disclaimers of warranties, and liability limitations. The BSD further prohibits contributors or similar organizations from endorsing the program, and also requires a copy of the BSD's terms, to be distributed with the software.

11.10.4 Business Policies with Respect to Open Source Licenses.

The issue of whether distribution of a proprietary work that incorporates a small portion of GPL-protected code subjects that proprietary work to the terms of the GPL has never been litigated.²⁰³ This is one risk of using open source software. Another risk is that failure to comply with the GPL's terms could lead to litigation.²⁰⁴ For instance, MySQL sought to enjoin Progress Software Corporation from distributing MySQL's Gemini program without a GPL-compliant agreement.²⁰⁵ Because there was a factual dispute as to whether Gemini was a derivative work or an independent work under the GPL, and because Progress stipulated that it disclosed Gemini's source code and would withdraw the end user license for commercial users, the court did not grant the injunction as to the GPL.²⁰⁶

Given the expanding use of Open Source, businesses need to develop comprehensive policies addressing their use of open source to avoid liability and publicly releasing their own proprietary technology.²⁰⁷ Concerns generally involve license requirements regarding the distribution of the software and its modifications,²⁰⁸ since those activities usually require the company to release the source code for any distributed modification, and modifications often terminate vendors' support agreements.²⁰⁹ In addition, distributing unmodified open source as part of a proprietary program may require the company to release its own proprietary open source code.²¹⁰ It is more likely, however, that the company would be enjoined from distributing the open source or would have to pay damages.²¹¹ These considerations should be addressed not only through company policy but also by choosing the best source code to use in programming, given the company's internal and external needs and the specific licensing requirements of that source code.

11.11 APPLICATION INTERNATIONALLY.

Because the laws of the United States are the laws of just one nation among many, the enforcement of U.S. law and the protection of intellectual property rights in large part depend on international treaties. To the extent that the infringing acts or acts of piracy may be deemed to occur in the United States, or the infringers can be found in the United States, then the United States has sufficient jurisdiction over these acts to enforce its laws. In other words, such actors can be sued directly in the courts of the United States for violation of the laws of the United States.

Apart from direct enforcement, international protection is usually a vehicle of bilateral agreements between the United States and individual countries or a function of international protocols or treaties to which the United States is a signatory. Thus, for example, the Paris Convention for the Protection of Industrial Property²¹² establishes a system for recognizing priority of invention, but only among member countries. In addition, there is the Patent Cooperation Treaty (PCT), a multilateral treaty with more than 50 signatories. The PCT permits the filing of an international application that simplifies the filing process when a patent is sought in more than one nation. For copyright protection, there is also a series of international treaties and agreements that include the Berne Convention,²¹³ the Universal Copyright Convention, and the World Trade Organization (WTO) Agreement.²¹⁴ Canada, Mexico, and the United States also signed the North American Free Trade Agreement (NAFTA) in December 1992. NAFTA addresses intellectual property and requires that member states afford the same protections to intellectual property as members of the General Agreement on Tariffs and Trade (GATT). At a minimum, members of GATT must adopt four international conventions, including the Paris Convention and the Berne Convention.

These agreements, conventions, and treaties in large part do not attempt to reconcile the differences in the national laws of intellectual property. The particular national rules and nuances are simply too complicated, and there are too many differences of opinion to expect that these differences could be internally reconciled. Rather, in large measure, these international accords attempt to codify comity between the member nations so that each will recognize the legitimacy of the intellectual property rights in the other.

11.11.1 Agreement on Trade-Related Aspects of Intellectual Property Rights.

On December 8, 1994, the Agreement on Trade-Related Aspects of Intellectual Property Rights (TRIPS) was signed into law in this country. The signing of TRIPS required changes to be made in United States statutes and regulations to bring them into conformity with international norms. TRIPS, however, was a product of the United States and other industrial countries pressing for stronger, more uniform standards for international treaties concerning intellectual property. The basic structure of TRIPS is to set the minimum standard of protection for intellectual property with each member nation free to adopt more stringent standards. Under the rubric used in the United States, TRIPS applies to copyrights, patents, trademarks, service marks, mask works (integrated circuit designs), and trade secrets. It also covers geographical indications²¹⁵ and industrial designs.²¹⁶ Not addressed by TRIPS, although part of the international jargon for intellectual property, are breeder's rights²¹⁷ and utility models.²¹⁸ Thus, TRIPS establishes no standards as applied to these concepts, leaving each nation to set the parameters of protection unimpeded by TRIPS.

It is not by accident that TRIPS was negotiated within the context of GATT, which had set the international standards for trade tariffs and had provided remedies of trade retaliation if such standards were not adhered to. The structure of GATT provided the means under which developing countries agreed to reduce their trade tariffs in exchange for the right to export innovative products under an exclusive monopoly conveyed by intellectual property rights. The second benefit to the GATT format was to provide a means for trade retaliation if, under the dispute resolution provisions of TRIPS, the WTO determines that there is noncompliance. In reality, it is obvious that TRIPS benefits those industrial nations that are more likely to be at the forefront of innovation and more concerned with the protection of their citizens' intellectual property.²¹⁹ The major concession wrung by the developing countries under TRIPS was obtaining a period of 4 to 11 years to implement TRIPS and to bring their national laws into conformity.

TRIPS generally reflects the U.S. view that focuses on the economic underpinnings for intellectual property rights as serving the greater societal interests. There is thus a shift from “societal” interests to “enterprise” interests. In particular, TRIPS adopts high minimum standards for patents, which will require significant legislative changes in developing countries. The copyright section, however, affords less protection than may be afforded by European nations, but it is in line with treatment in the United States. In short, TRIPS responds to the concern of enterprises in the United States that too loose a system of international protection has enabled imitation of U.S.innovations through copying and outright piracy.

11.11.2 TRIPS and Trade Secrets.

Under its category for “Protection of Undisclosed Information,” TRIPS provides protection for the type of information routinely referred to as trade secrets in the United States. Member nations are required to implement laws that safeguard lawfully possessed information from being disclosed to, acquired by, or used by others without consent and contrary to “honest commercial practices” if such information is (a) a secret in that it is not in the public domain, (b) has commercial value because it is a secret, and (c) has been subject to reasonable steps to maintain its secrecy.

Because discussions that led to TRIPS are not institutionally preserved, unlike the United States Congressional Record, there is no negotiating history to be consulted to flesh out the meaning of the spare paragraphs instituting trade secret protection. There do, however, appear to be differences from the total panoply of protections afforded in the United States. The concept of public domain articulated by TRIPS is information that is “not, as a body or in the precise configuration and assembly of its components, generally known among or readily accessible to persons within the circles that normally deal with the kind of information in question.” This articulation appears to be addressing technological formulations of information, as opposed to general commercial information, such as financial information, that is generally considered proprietary and confidential in the United States. The focus on a technology formulation for protected information is bolstered by the TRIPS requirement that the information have commercial value. Thus, other types of information that are not part of a traded article may be deemed to have no commercial “value” and therefore to fall outside of the scope of protection. Depending on the particular jurisdiction in the United States, there is a distinction between confidential information and trade secrets, based on the requirement that a trade secret must have commercial value. This, in turn, has been held to mean that information that is not exploited commercially is unprotectable under the law of trade secret. For example, the results of failed experiments that never resulted in a commercial product lack commercial value, even though such experiments are certainly helpful in the next round of exploration, in that they are signposts of what not to do.

The lesson to be drawn is that one should not assume symmetry of protections just because of the TRIPS provision. Instead, as part of the reasonable steps to maintain secrecy, enterprises need to consider carefully thought out and structured contractual provisions as well as a system of data caching that leaves truly confidential data in the United States, even if access is permitted outside. Improper takings of such data are, arguably, acts that occur in the United States, and such acts are subject to enforcement and punishment under the laws of the United States.

11.11.3 TRIPS and Copyright.

TRIPS embraces the U.S. general model for copyright protection in its opening statement that “[c]opyright protection shall extend to expressions and not to ideas, procedures, methods of operation or mathematical concepts as such.” All member nations agree that, as to the protection of copyrights, the Berne Convention will apply. Under the Berne Convention, the duration of a copyright is the life of the author plus 50 years. If the life of a natural person is not involved, then it is ordinarily 50 years from publication. In addition, computer programs, whether in source or object code, are to be protected as literary works under the Berne Convention. TRIPS also recognizes that compilations of data can be protected as creative works. Article 10, ¶ 2 explicitly provides:

TRIPS, therefore, does establish some minimum standard in the growing debate over what protections will be afforded a database. In the United States, the clear demarcation point for unprotected information is compilations that represent no more than “sweat-of-the-brow” efforts. Such compilations cannot be copyrighted.²²⁰ The classic example of a sweat-of-the-brow effort is the copying and alphabetical organizing of names, addresses, and telephone numbers that are in telephone books. In the United States, the key for copyright protection is the creator's original contribution of selection and arrangement. Thus, arguably, the TRIPS provision mimics the law of the United States.

The European Union (EU) has taken a more protective path. In its 1996 European DataBase Directive, the EU granted databases sui generis protection as their own unique form of intellectual property. Under the EU Directive, a database is “a collection of independent works, data or other materials arranged in a systematic or methodical way and individually accessible by electronic or other means.” A database may be protected either because it represents a work of “intellectual creation” or because it was compiled through “substantial investment.” The EU Directive protects such databases from unauthorized extraction or use for a period of 15 years, with the ability to extend the period for an additional 15 years if there was a “substantial new investment” in the database. Such protection extends to databases of EU members and to databases of nationals of other countries that offer protections similar to the EU.

The United States, despite a number of legislative proposals, has not adopted a concomitant rule. The result, at least for multinationals, is that entities that rely on databases should consider “locating” such databases within an EU member to take advantage of the EU's database protections.

11.11.4 TRIPS and Patents.

TRIPS requires that all members recognize the right to patent products or processes in all fields of technology. A patentable invention must be new, inventive, and have an industrial application. The patent application must fully and clearly disclose the invention so that a person skilled in the art could carry out the invention. The best mode for carrying out the invention as of the filing date must also be disclosed. Patent rights are to be enforced without discrimination as to place of invention or whether the product is imported or produced locally. The patent of a product conveys the exclusive right to prevent, without consent of the inventor, the making, using, offering for sale, selling, or importing of the product. The patent of a process conveys the exclusive right to prevent all of the above for products that result from the process as well as the use of the process itself. The holder of a patent also has the rights to assign, transfer, or license the patent. The minimum period for a protecting a patent is 20 years from filing.

TRIPS gives each member state the right to carve out from patentability certain subject matters that have as their purpose the protection of human, animal, or plant life, or to avoid serious prejudice to the environment. In addition, TRIPS permits a member state to allow other use without authorization from the patent holder. The section defining when such use is permissible is the most detailed section among the patent provisions of TRIPS. In general, it permits such use only (a) after an effort to obtain a license from the patent holder on reasonable commercial terms and conditions, (b) with adequate remuneration to the patent holder, (c) if such use is limited predominantly to the domestic market of the member nation, and (d) if there is a review of the decision to permit, as well as the compensation, by a “higher authority in that Member.”

One of the circumstances envisioned by TRIPS is the grant of a second patent that cannot be exploited without infringing an earlier (first) patent. In such cases, a member nation may grant authority if the invention embodied in the second patent represents an “important technical advance of considerable economic significance” with respect to the first patent's invention and a cross-license on reasonable terms is granted to the holder of the first patent to use the second patent. For process patents, TRIPS creates a limited burden on the alleged infringer to prove that the identical product was produced using a different process. In particular, a member state can create a presumption that the process patent was violated in circumstances where the product is new, or where the patent holder is unable to demonstrate what process was actually used.

11.11.5 TRIPS and Anticompetitive Restrictions.

TRIPS acknowledges that some licensing practices or other conditions with respect to intellectual property rights may restrain competition, adversely affect trade, and impede the transfer and dissemination of technology. Accordingly, TRIPS permits member nations to specify practices that constitute an abuse of intellectual property rights, and to adopt measures to control or limit such practices, so long as the regulation is consistent with other provisions of TRIPS. In the event that a national of a member nation violates another member's laws and regulations regarding anticompetitive activity, TRIPS provides for the right of the involved nation's to exchange information confidentially regarding the nationals and their activities.

11.11.6 Remedies and Enforcement Mechanisms.

Each member nation is expected to provide an enforcement mechanism under its national laws to permit effective action against any act of infringement. Such procedures are to include remedies to prevent acts of infringement as well as to deter future acts. TRIPS imposes the obligation that all such procedures be “fair and equitable” and not be “unnecessarily complicated or costly” or involve “unwarranted delays.”²²¹ In general, these remedies mean access to civil judicial procedures with evidentiary standards that shift the burden of going forward to the claimed infringer, once the rights holder has presented reasonably available evidence to support its claim. Damages may be awarded sufficient to compensate the rights holder for the infringement if the “infringer knew or had reasonable grounds to know that he was engaging in infringing activity.” This means that vigilance and notice are essential to have meaningful protection for intellectual property rights, since notice is the best means for setting up a damage claim. TRIPS permits its members to allow the recovery of lost profits or predetermined (statutory) damages even when the infringer did not know that it was engaged in infringing behavior. Although injunctive relief is to be provided for, remedies may be limited in circumstances involving patent holders, as discussed, where adequate compensation is paid, and the alleged infringer has otherwise complied with the provisions of its national law permitting such use upon payment of reasonable compensation. In order to deter further infringement, infringing materials may be ordered destroyed or noncommercially disposed of.

In addition to civil remedies, TRIPS requires criminal penalties in cases of “willful trademark counterfeiting or copyright piracy on a commercial scale.”²²²

11.12 CONCLUDING REMARKS.

Data security ultimately involves the protection of proprietary or personal data and intellectual property. The competition to acquire and retain intellectual property legally is invariably met by unethical and illegal efforts to deprive legitimate owners of their rights. It is necessary, therefore, to be fully aware of the mechanisms and procedures required to protect these rights as part of any computer security program.

This chapter has attempted to delineate the most important aspects of the problem. However, many facets of the legal questions remain unanswered or have been answered generally rather than in the context of a particular problem. Prudent guardians of intellectual property should monitor relevant judicial determinations continuously and be certain to integrate them into a planned approach to protect these most valuable assets.

11.13 FURTHER READING

Bently, L., and B. Sherman. Intellectual Property Law. Oxford, UK: Oxford University Press, 2004.

McJohn, S. Intellectual Property: Examples and Explanations, 2nd ed. New York: Aspen Publishers, 2006.

Nard, C. A., D. W. Barnes, and M. J. Madison. The Law of Intellectual Property. New York: Aspen Publishers, 2006.

Poltorak, A. I., and P. J. Lerner. Essentials of Intellectual Property. Hoboken, NJ: John Wiley & Sons, 2002.

Stim, R. Patent, Copyright & Trademark: An Intellectual Property Desk Reference, 9th ed. Berkeley, CA: Nolo Press, 2007.

11.14 NOTES