J Wolfgang Goerlich's thoughts on Information Security
Concluding Information Security for Intellectual Property

By wolfgang. 29 April 2004 05:42

We have been looking into intellectual property law in brief this month, with an eye towards IP as a part of security. This series kicked off when The Copyright Society of the USA declared April as Copyright Awareness month. If you missed the beginning of this series, follow the "Intellectual Property" tag to view all of the articles.

To continue to safeguard information assets, information security practitioners are obliged to expand beyond the traditional technical controls. The information assets we protect flow over various networks and persist for decades. These properties will be outside of the professional’s direct control more often than not. Therefore, additional controls such as those afforded by intellectual property laws have taken on new significance.

At the same time, consider the ease with which intellectual property laws can be violated. The violations are typically, though not always, digital piracy through copyright violations. Organizations such as the Recording Industry Association of America (RIAA) and the Motion Picture Association of America (MPAA) have stepped up their prosecutions of individuals and organizations for such theft. This creates a climate wherein the information security professional must protect his technology not only from attack but also from misuse, particularly misuse that violates others’ IP rights. Knowing the laws and communicating the laws (in policy and training) is crucial in mitigating the risk of lawsuit.

In summary, today’s environment places new demands on information security. New skills are needed. A working knowledge and understanding of intellectual property laws is a critical component in securing an organization’s information technology.

Tags:

Operations Security

Engaging with the business on Intellectual Property issues

By wolfgang. 26 April 2004 06:58

To provide security over intellectual property, the information security team must interact with several departments within the organization. The responsibility encompasses defending the organization’s intellectual property and shielding the organization from legal liability from misusing others’ intellectual property.

A common governance model relies upon data classification, data owners, data custodians, and security professionals. Executive management provides sponsorship of the classification process and designates the responsible parties. As part of data classification, the type and nature of the intellectual property must be decided. The data owner (typically, mid-management) is responsible for deciding the type of data and the value of the data. The data custodians (typically, the information technology team) are responsible for maintaining the data and its associated controls. Information security is responsible for designing the controls and auditing the technology team to ensure the data is protected.

As part of designing the controls, the security practitioner must be apprised of the legal mechanisms by which content can be protected. A basic understanding of IP law and the data classifications provides a framework for the security team to engage with the legal team on how the company’s IP can be protected. The IP can then be protected as it is published and distributed beyond the organization’s network systems.

Knowing the existing laws also comes into play when protecting the organization from intentional or unintentional infringement. Due care and due diligence must be demonstrated. Administrative and technical controls must be deployed. By engaging with the human resources team, the information security team can provide employee training and explain in lay terms the employee’s rights and responsibilities with respect to others’ intellectual property. By the same token, technology must be deployed to detect and prevent piracy and digital theft. Demonstrating that the organization has taken these steps is crucial in situations that end up in court, where intent and diligence will be considered.

Tags:

Operations Security

Avoiding infringement: Trade secrets

By wolfgang. 23 April 2004 09:22

With competition between firms, there exists a pressure to obtain a competitor’s trade secrets to either defuse the competitor’s advantage or to build an advantage for the organization. The information security professional must ensure that the organization’s equipment is not used for corporate espionage. There may be extra pressure on the professional to either turn a blind eye to such illegal activities, or (given the technological prowess of white hat hackers) to facilitate the illegal activities. Performing illegal activities for an employer does not shield an employee from prosecution. Such pressures must be avoided.

Ideas and innovations can be legally gleaned from existing products. Organizations have legal methods at their disposal. Products can be reverse engineered to determine how they work. (The reverse engineering cannot be used to circumvent protection mechanisms according to the DMCA, however.) The Uniform Trade Secrets Act (1990) states that reverse engineering is permissible providing that the “acquisition of the known product” is by “a fair and honest means, such as purchase of the item on the open market.” It is possible to purchase a software package or piece of equipment, take it apart, and determine the ideas behind its design and production.

Another option for obtaining trade secrets legally is to use a clean room technique. Here, a team is provided very specific requirements and source information. They work in a dedicated and isolated space to ensure that existing secrets are not used in reproducing the work. The key here is documenting the inputs and outputs of the team. “Records of the clean room development are saved to demonstrate that trade secrets were independently developed and to refute any claims that a work was copied” (Stim, 2001). This provides some level of protection, but a clean room is not a defense in “doctrine of equivalents” cases.

References:

Stim, R. (2001). Intellectual Property: Patents, Trademarks, and Copyrights, 2nd Edition. Albany: Delmar.
Tags:

Operations Security

Avoiding infringement: Patents

By wolfgang. 21 April 2004 05:40

Avoiding infringing on other organizations’ patents is at once easy and difficult. For the most part, the day-to-day activities of a firm will not run into patent infringement. Business methods and processes, as discussed earlier, are un-patentable. It can be difficult to avoid the “doctrine of equivalents” should the organization be producing goods, as there is a gamut of patents that have been registered.

The division responsible for developing the goods is equally responsible for avoiding patent conflicts. The effort consists largely of informal searches and formal searches of the patent database. The effort begins with an informal web search on the USPTO site for comparable ideas and products. Once found, note the claims and ensure that the organization’s product is not substantially equivalent to those claims. If any patents are found or if there is any doubt as to whether infringement will occur, a patent attorney should also be engaged. The patent attorney provides the formal search and review. At this point, if one or more patents are being infringed upon, then the attorney and the organization can proceed with negotiating a license with the patent holder. If not, then the organization can proceed with the product production.

Tags:

Operations Security

Avoiding infringement: Copyrights

By wolfgang. 18 April 2004 04:54

There have been some discussions as to an organization’s responsibilities for enforcing copyright protections and preventing digital piracy. The Digital Millennium Copyright Act (DMCA) includes safe harbor provisions that shield service providers from fines if their networks are used for digital piracy. A comparable safe harbor does not exist for organizations’ private networks. Thus, the first area to secure is the network, against its being used to breach copyright. Due diligence applies again insofar as an organization must demonstrate an active security program with regular reviews. Many commercial firewalls can be configured to block software that facilitates piracy. From an administrative perspective, the organization’s acceptable use policy must explicitly forbid violating the intellectual property rights of others using the organization’s technology.

As part of the information security education program, copyright and fair use can be explained. Copy writers and the creative staff must understand how they can reuse text from copyrighted materials without opening the organization to liability. Application developers must understand the differences in software copyrights and respect the various licenses when making derivative works. Systems engineers must understand how software licenses allow and restrict use, and follow these licenses when deploying software onto the organization’s equipment. The legal and information security departments can perform subsequent audits to ensure that people are aware of the laws and the policies, and are taking appropriate steps to respect others’ property.

Tags:

Operations Security

Avoiding infringement: Trademarks

By wolfgang. 17 April 2004 04:45

When designing trademarks, the organization has a responsibility to ensure that the new mark is not infringing on an existing mark. There was a case in 1998 where Tommy Hilfiger was assessed for damages on the “Star Class” trademark. Hilfiger had his attorney perform a search of federally registered marks, but failed to search state and common-law marks. This led to damages, as Hilfiger was not shown to have performed due diligence in the duty to search. New trademarks, whether a product name, service name, slogan, domain name, or other initiative, should be thoroughly researched to ensure that there is not an existing use in the federal or state registration systems, or in the commons.

When reusing another organization’s trademark, reasonable effort should be put forward to use the exact mark and include the ™ trademark symbol as appropriate. Many firms have restrictions on how their logo and mark can be used (for example, on a partner’s website or a business card). These restrictions must be researched and understood. In doing so, an organization can avoid accidental misuse of another firm’s IP.

Tags:

Operations Security

Avoiding infringement

By wolfgang. 16 April 2004 09:11

April is Copyright Awareness month according to the Copyright Society of the USA. This article is part of a series delving into the topics of trademarks, copyrights, patents and trade secrets. Follow the tag "Intellectual Property" to read all the articles.

An information security professional has a duty to his organization to protect its information assets, and a duty to his profession to ensure the organization’s technology is not used for illegal activity. The next four articles cover Intellectual Property from the perspective of avoiding infringement.

Tags:

Operations Security

Protecting your assets: Trade secrets

By wolfgang. 13 April 2004 07:31

The purposes of copyright and patents are to publicly distribute and protect intellectual property, while trade secrets are used to privately hold and use IP. While the information security field is naturally cautious of security through obscurity, keeping specific aspects of an organization’s processes and knowledge secret can provide an advantage. To define a trade secret, three items must be present: “the information is not generally known or ascertainable by proper means; the information has economic value; the owner of the secret must use reasonable efforts to maintain secrecy” (Stim, 2001).

Demonstrating due care and due diligence in guarding an organization’s information systems and informational assets is critical in keeping trade secrets undisclosed, and in prosecuting competitors should the secrets be discovered. “The enforcement of trade secret protection is time-consuming and expensive later on. Generally, the proof required consists of a showing that there was an active security program in place that was sufficient to protect the information as confidential” (Bosworth & Kabay, 2002).

There are several ways to protect trade secrets. The information security program and the controls over access (both physical and digital) play a role. Agreements (confidentiality, non-disclosure, and third-party) can also be used to restrict people who have access to the trade secret from communicating it outside the organization. The agreements can be used in breach of contract suits to prevent the trade secret from being released or to seek compensation for its release. In addition, the “inevitable disclosure doctrine” can be invoked to prevent employees who have access to sensitive information from leaving for a competitor where that information will naturally be a part of their role.

References:

Bosworth, S., & Kabay, M. E. (2002). Computer Security Handbook, 4th Edition. New York: John Wiley & Sons, Inc.
Stim, R. (2001). Intellectual Property: Patents, Trademarks, and Copyrights, 2nd Edition. Albany: Delmar.

Tags:

Operations Security

Protecting your assets: Patents

By wolfgang. 11 April 2004 05:55

Copyright protects the expression, while patents protect both the expression and the underlying idea. For innovative intellectual property that required up-front capital expenditures and may have long sales cycles (e.g., durable goods in established industries), the patent is ideal. Years of sales may be necessary to realize the return on the initial reduction-to-practice investment. The patent provides a 20-year guaranteed monopoly over the idea and its sale.

What can be patented? The “smell test” applied to intellectual property seeking a patent is that it is useful, novel, and non-obvious. The IP could be a composition of matter, a machine, or a transformative process. Certain things cannot be patented, including: scientific principles, mathematical formulas, methods of doing business, and natural processes and compositions. Processes may be patented if they meet the “machine-or-transformation” test (that is, the process requires a mechanism or substantially transforms matter). Even here, if the process does not require specialized machinery or directly transform matter, it still may be patentable. The “smell test” and “machine-or-transformation” tests are two of many tests that the USPTO uses when deciding on the patentability of an idea.

Once filed and granted, the patent becomes publicly accessible on the USPTO and other websites. The concern becomes, of course, infringement of the organization’s patent property. The infringement can be literal infringement: someone copies the property in its entirety and exactly. An infringement can also be substantially the same as the original machine and produce substantially the same results. Under the “doctrine of equivalents”, the organization could push forward with an infringement suit to stop the opposing firm from selling the similar machine. The organization’s patented IP is also protected from other firms reproducing the core design and providing basic improvements. Should a product be found to infringe on the organization’s patents in any of these ways, an injunction can be sought to stop production and protect the organization’s market share and sales.

Tags:

Operations Security

Protecting your assets: Copyrights

By wolfgang. 8 April 2004 07:47

Copyright can be a contentious issue for security practitioners weaned on open source and raised on Slashdot. It is important to remember that open source licenses, Copyleft, and Creative Commons are themselves imaginative hacks on traditional copyright law. It is copyright that makes these alternative licenses possible.

The purpose of Copyleft and Creative Commons is simple: disperse information as widely and as freely as possible. The purpose lines up neatly with the hacker ethic. Information wants to be free, after all, and these licenses are ways to ensure its freedom while still maintaining some protective controls for the author. The purpose is in turning works into generative pieces. Standard copyright reserves all rights for the author.

The decision on the copyright license to use lies with the organization. Specifically, the designated owner of the information asset is charged with making these decisions. As the security managers for the information networks, our responsibility is to educate the designated owner and ensure that the decisions are enforced correctly and consistently.

Copyrighting a document has a few obvious requirements. The document must be original and not infringe on others’ existing copyrights. It must be in a fixed form, like a document, image, or an audio/visual recording. Architectural plans and software source code can also be copyrighted. The copyright protects a given expression of an idea, but not the idea itself. Thus a copyrighted architectural plan protects the plan itself, but not the ideas behind designing the plan. Software copyrights are similar. The copyright protects the specific source code but not the underlying idea, method, or algorithm. Copyrighted works must be substantive. A short phrase, a brief sound clip, a plan for a room’s walls, and a short code snippet are all non-copyrightable.

Copyright provides specific protections. Other organizations cannot copy without permission (unless permission has been granted with Creative Commons or similar licensing). People and firms that buy copyrighted material, however, do have extended rights (called the First Sale doctrine) to resell or redistribute the purchased copy. Similarly, the Right to Adapt gives the original author control over how derivative works are produced. End user license agreements can be tailored to avoid the First Sale doctrine and the Right to Adapt. These licenses provide tighter control over how the property is used.

The commercial impact of unauthorized works is taken into account in copyright infringement cases. End users can still reuse the document and create from it under Fair Use. Fair Use allows remixes based on four conditions: how different and unique the new content is, the nature of the work, the amount of the original copyrighted material in the new material, and the effect on the market. Evidence of the market effect may be present in the information systems. The evidence, for example, may be in sales trends, in store traffic, or in web site traffic. It is, therefore, important that copyright protection mechanisms include systems that gather, correlate, and maintain statistics on use.

Copyright materials can be registered with the United States Patent and Trademark Office (USPTO). Simply affixing the © symbol to a work (or the corresponding Creative Commons symbol) creates an enforceable copyright. Copyright protects intellectual property for the life of the longest living author plus a period of 70 years. Works for hire, created for a firm for pay, are protected for 95 years from the date of first publication or 120 years from when the material was created, whichever is less.

Tags:

Operations Security