Ruslan Rakhmetov, Security Vision
We continue our series of publications dedicated to the Cybersecurity Body of Knowledge (CyBOK). Chapter 3 of this body of knowledge describes the key regulatory norms and principles of international law that relate to cybersecurity and can be applied in cyber risk assessment, information security management, and cyber incident investigation. This is the seventh part of the review of Chapter 3 of CyBOK, which examines international approaches to protecting intellectual property rights (copyright, patents, trademarks, trade secrets) and liability for their infringement.
3.8. Intellectual Property.
3.8.1 Understanding Intellectual Property Rights.
Intellectual property rights (abbreviated IP rights) are considered "negative rights": they give the holder the right to prevent others from performing actions prohibited by law. However, intellectual property rights do not entitle the right holder to perform any action whatsoever; for example, some actions may infringe the intellectual property rights of third parties or violate competition rules. Registered intellectual property rights (e.g., patents, trademarks) are granted after registration and examination by government agencies, while unregistered intellectual property rights (e.g., copyright) generally arise without the involvement of government agencies. The term "public domain" has two meanings in the field of cybersecurity: for example, if a confidential document has been published in open sources, then, despite the loss of its confidentiality, the information may still be protected by intellectual property rights, unless the author has explicitly waived them, for example by releasing the work under a "public domain" type of license, which does not provide for the registration and protection of copyright.
3.8.2. List of types of intellectual property rights.
There are many different types of intellectual property rights, but this section covers only those that information security professionals are most likely to encounter. It is also important to note that in common usage the term "intellectual property" refers to any intellectual product, work, or process, even though the corresponding intellectual property rights may not be legally formalized.
3.8.2.1. Copyright.
Copyright is an unregistered right that arises from the creation of an original work, such as software code. The object of copyright protection is not the idea itself but its embodiment in a specific work: for example, the source code is protected, not the functionality of a program (functionality is protected by patent law). Copyright protects the author's work for their entire life plus 70 years after their death, after which the work enters the public domain. Copying, transmitting, displaying, or translating a significant portion of an original work is considered copyright infringement, which can be proven by document or source code similarity analysis, including the use of forensic techniques. Copyright protection has been expanded to cover those who tamper with works and circumvent restrictions imposed by technical copyright protection systems (Digital Rights Management, DRM). However, liability for copyright infringement can be avoided by relying on various limitations and exceptions (e.g., proof of fair use or fair dealing), which vary from country to country.
3.8.2.2. Patents.
A patent is an intellectual property right registered by a government agency after the relevant application processing and examination procedures have been completed for the result of intellectual activity, i.e., a work, invention, utility model, or industrial design (the subject of patent rights). Patents protect new, significant, non-trivial, and industrially applicable inventions that involve an inventive step, that is, an unconventional approach devised by the inventor to solving a specific technical problem. Information security inventions, such as algorithms or cryptographic methods, can be patented as part of a software or hardware implementation. For example, the implementation of the DES standard and the RSA algorithm were covered by patents in the US (they expired in 1993 and 2000, respectively).
Obtaining and maintaining a patent involves two aspects, both of which require financial outlays: state examination and registration of the invention, and regular patent fees together with international patent support. After a patent is granted, a description of the invention's operation and its technical documentation must be published, which theoretically allows others to copy the invention. The patent term is calculated from the filing date and, in Russia, is 20 years for inventions, 10 years for utility models, and 5 years for industrial designs (according to Article 1363 of the Civil Code of the Russian Federation). Patent application examination can take several months, and exclusive rights arise only after state registration. However, the rights holder can then demand compensation from third parties for the use of the invention between the filing of the application and the issuance of the patent (according to Article 1392 of the Civil Code of the Russian Federation). Infringement of a patent includes the production, distribution, import, or export of goods or services incorporating the patented invention. While evidence collection may include forensic analysis, in many cases violations occur unknowingly because of the large number of patents in the IT/IS field.
3.8.2.3. Trademarks.
A trademark is an intellectual property right registered by a government agency after the appropriate application processing procedures have been completed. A trademark is a symbol or sign used to visually distinguish the products and services of different manufacturers and to protect a brand's reputation. In Russia, a trademark is registered by a certificate issued by Rospatent and is valid for 10 years, with the possibility of renewal. Classes of goods and services are systematized in the International Classification of Goods and Services (ICGS), and identical trademarks may exist in different fields of activity: for example, the same trademark may be used by different companies in construction and in software development. Displaying a logo that is identical or confusingly similar to a protected trademark, such that consumers may be misled, is considered trademark infringement. Furthermore, a competitor's use of a domain name similar to the original brand's domain may also be considered trademark infringement, which is why trademark owners often register multiple domains with spellings similar to the original. Another type of trademark is a certification mark, which confirms the compliance of corporate processes with various standards, for example ISO 9001 certification for a quality management system, ISO 14001 certification for an environmental management system, and ISO 27001 certification for an information security management system. A collective mark is another type of trademark that can be used by all members of a specific association (professional association, industry union) that produce or sell certain products (according to Article 1510 of the Civil Code of the Russian Federation).
3.8.2.4. Trade secrets.
Trade secrets (know-how) have traditionally been protected by civil law, which gives owners of know-how legal protection against those who obtain, use, or disclose trade secrets without authorization. For example, in the United States the Economic Espionage Protection Act was passed in 1996 to prevent the theft of trade secrets, and it was supplemented in 2016 by the Defend Trade Secrets Act. The EU is governed by Directive 2016/943 on the protection of trade secrets and business information against their unauthorized acquisition, use and disclosure, which entered into force in 2018. Trade secret legislation protects confidential information that is valuable because it is unknown to third parties and for whose protection the owner takes reasonable measures. Information such as a client list, a production method, details of the operation of an invention prior to the filing and publication of a patent, search engine algorithms, and proprietary cryptographic algorithms may be protected. In Russia, the concept of a trade secret (know-how) is defined in Article 1465 of the Civil Code of the Russian Federation, and protection is ensured, among other things, by establishing a trade secret regime in accordance with Federal Law No. 98-FZ "On Trade Secrets" dated July 29, 2004. Thus, information constituting a trade secret under that law, including know-how, is protected by introducing a trade secret regime within the organization. However, "information constituting a trade secret" in the sense of the law is a broader concept than know-how: a trade secret regime can be introduced with respect to any information processed within the company (subject to the exceptions set out in Article 5 of Federal Law No. 98-FZ).
The key element of protecting a trade secret is ensuring its confidentiality; protection remains in effect only as long as confidentiality is not breached. The primary threat to trade secrets is industrial cyberespionage, and a breach of confidentiality (for example, publication by third parties) of an invention before a patent application is filed can make the invention unpatentable and cause significant damage to the author. Owners of legally valid trade secrets can protect their interests in law against third-party infringement, including against those who obtained the protected know-how from someone who violated the protection measures.
3.8.3. Law enforcement tools.
The protection of intellectual property is ensured by the means of law enforcement available to participants in the legal process.
3.8.3.1. Criminal liability.
In certain circumstances, infringement of intellectual property rights (such as trademarks and copyright) may result in criminal liability for the infringer, especially if it can be proven that the infringer was aware of the illegality of their actions and committed infringements on a regular and widespread basis. For example, in the United States, copyright infringers pursuing commercial or financial gain face a maximum penalty of five years in prison for a first offense and ten years for a second offense. British law provides for criminal penalties of up to two years for the production, import, and distribution of devices designed to circumvent intellectual property protection measures. However, not all countries have regulations protecting trade secrets or laws against industrial cyberespionage.
3.8.3.2. Civil liability.
An intellectual property owner can generally file a lawsuit to protect their interests against an infringer. Remedies may include monetary compensation to the injured intellectual property owner, calculated as a fair (reasonable) royalty, a state-established tariff, or the amount of profit the infringer received from the illegal use of the intellectual property. Furthermore, products infringing intellectual property rights may be prohibited from use, and items infringing trademarks and copyrights may be destroyed.
A civil remedy for protecting intellectual property rights is a court order prohibiting unlawful actions by a third party. In the event of patent violations or the unauthorized use of trade secrets, the infringing company faces an injunction prohibiting it from engaging in activities related to the production or sale of products that infringe the patent or know-how. A court order may include requirements to disable online services and remove content from websites that infringe copyrights or trademarks.
3.8.4. Reverse engineering.
In the context of intellectual property protection, reverse engineering refers to the process of extracting know-how or knowledge from a product. This practice has traditionally been considered legally acceptable and viewed as scientific research into legally sold and purchased products, as opposed to the theft of trade secrets through industrial cyberespionage, bribery, and so on. However, if trade secrets are obtained and published as a result of reverse engineering, they cease to be confidential and lose their know-how status together with the corresponding legal protection. With advances in technology, new regulations have emerged prohibiting the hacking or circumvention of protective measures; for example, software licenses may include prohibitions on reverse engineering, decompilation, and disassembly. However, EU law explicitly prohibits restrictions on the analysis and study of software by its legitimate users.
3.8.4.1. Circumvention of technical measures to protect copyrighted objects.
The development of copyright protection legislation has led to the emergence of technical measures whose circumvention is considered an offense, with certain exceptions (for example, scientific research into the technology, subject to certain requirements). Penalties for circumventing technical measures protecting copyrighted works may vary depending on the specific country. For example, in some countries, it is not the circumvention of the protective measures themselves that is considered illegal, but rather the dissemination of information about circumvention methods, which could cause harm to the copyright holder.
3.8.4.2. Testing a proprietary cryptographic algorithm.
Testing a cryptographic system requires access to the implemented cryptographic algorithm. However, researchers may encounter difficulties studying a proprietary cryptographic algorithm that is a trade secret and is not disclosed by the manufacturer even for testing purposes. The CyBOK authors cite the example of Volkswagen's lawsuit against information security researchers who reverse-engineered a car immobilizer using a programming tool. As a result, the court allowed the publication of the researchers' report with minor redactions of sensitive paragraphs. It should be noted that, according to Kerckhoffs' principle, the strength of a cryptographic system should depend solely on the secrecy of the key, not on the secrecy of the algorithm. Therefore, cryptosystems that rely on keeping the algorithm secret from third parties, including information security researchers, are potentially vulnerable.
3.8.5. International regulation and legal conflicts.
If intellectual property rights arise and ownership is secured in one country, protection of these rights also applies in other countries in accordance with the Berne Convention for the Protection of Literary and Artistic Works, adopted in its original version in 1886 and ratified by Russia in 1995. Intellectual property violations are considered locally in accordance with local laws. However, legal conflicts can arise when identical or confusingly similar trademarks are registered in different countries by different persons, each of whom is legally considered the rightful owner under the laws of their own country. This is why international companies register their trademarks in each country where they operate and extend the validity periods of their trade names to protect against possible copying by third parties. Moreover, in accordance with Article 1486 of the Civil Code of the Russian Federation, legal protection of a trademark may be terminated if the owner does not use the trademark for three years.
3.9. Internet Intermediaries: Protection from Liability and Content Removal Procedures.
In the 1990s, legislation emerged that protected intermediaries (Internet service providers, hosting providers) from liability for illegal content posted by their users. For example, in the EU, Directive 2000/31/EC (Electronic Commerce Directive) protects service providers from liability for the actions of their customers, and in the United States, Internet intermediaries are protected from liability under the Online Copyright Infringement Liability Limitation Act (OCILLA), which was passed in 1998 as part of the Digital Millennium Copyright Act (DMCA). Despite these exemptions, service providers must filter traffic upon court order and are liable if they knowingly allow their users to post illegal content on their resources. Furthermore, providers must respond to copyright holders' takedown notices demanding the removal of content that infringes copyright. Domain de-delegation tools may also be used: hosting providers and domain registrars are required to respond to reports that a website is phishing, distributing malware, or infringing copyright, and the website and domain name must be blocked or deleted. Cybercriminals are increasingly using "abuse-resistant" (or "bulletproof") hosting services that do not respond to such requests and complaints. Furthermore, owners of internet services (social networks and instant messaging apps) are increasingly receiving fines from various governments for failing to remove content that is illegal in a given country or for a lack of moderation, meaning that the principle of protection from liability is gradually eroding.