Intellectual property

Intangible assets

Almost all information security concerns intangible assets. Trade in software, media content and other intangible products requires distribution of those products, which creates protection challenges that differ from other areas of information security.

In English, intangible assets are usually referred to as intellectual property, and when regulations are created to protect them, one usually speaks of intellectual property rights, often abbreviated as IP or IPR. Copyright is the most common of these, but since there are others, this overarching concept is needed. Intellectual property rights are negative rights in the sense that they restrict the ability of others to carry out actions concerning the property. The English term copyright expresses this clearly: others do not have the right to make copies.

Some intellectual property rights arise when they are registered and granted by an authority after examination and payment of fees, for example patents and registered trademarks. Copyright, on the other hand, typically arises without any involvement of authorities.

The fact that certain information content is publicly available, whether for a fee or free of charge, intentionally or accidentally disclosed, does not mean that it is not protected by IP rights. In Finnish this confusion may not arise easily, but in English the term public domain is sometimes used in everyday language merely to mean public as opposed to secret. Its more precise meaning is that the holder of the IP rights has renounced their rights and has expressed this in a binding manner.

If one wishes to publish a work while retaining some but not all rights, one may use a Creative Commons licence. This initiative began in the United States in 2001, but it has been adapted to several legal systems, including Finland. From the project’s website, one can generate a licence with a few simple choices in three different forms: the full licence (“the form understood by lawyers”), a summary (“the human-readable form” with visual symbols), and a machine-readable version, meaning RDF-encoded metadata (Resource Description Framework). It includes URL references to explanations, but more importantly it provides descriptions, suitable for search engines, of permitted and prohibited actions and the requirements associated with possible uses. These enable others to automatically identify the permissions associated with material found online. The important GPL licence (GNU General Public License) for open-source software is also part of the CC licence family, as is the Public Domain Dedication, which allows one to renounce all rights (USA).

List of intellectual property rights

This section introduces the key intellectual property rights encountered in the cybersecurity field. Other intellectual property rights that may arise in the field include protection of semiconductor topographies, the prohibition of copying or reusing the contents of a database, and registered and unregistered designs.

In many cases, contracts, especially licences, complement intellectual property rights, and they may even be treated as a type of intellectual property. The terminology may also be confused by the fact that in everyday language intellectual property may refer to any result or process of intellectual work. Legally, only some of these fall within the scope of IPR.

Patent (advanced)

A patent is an intellectual property right protecting an invention that is industrially applicable, granted on a country-by-country basis after application and examination. A patent provides its holder with an exclusive right to exploit the invention professionally.

A patent is intended to protect an invention that is novel and that also possesses a characteristic described in different jurisdictions in various ways, such as “inventiveness” or a “non-obvious” nature. This requirement limits patent protection to inventions that are in some way significant, not trivial. New inventions that would have been obvious to a professional in the field are usually excluded from patent protection. These limitations are not explicitly stated in the Finnish Patents Act (550/1967), but it does state, for example:

The following, as such, shall not be regarded as inventions: [...] schemes, rules and methods for performing mental acts, playing games or doing business, and programs for computers;

Inventions that include such elements may nevertheless be patentable. The United States patent system has, over the past decades, shifted towards a more favourable approach to software patents. Even jurisdictions that nominally reject the concept of software patents regularly grant patents for inventions embodied in software. In other words, software patents have become a common feature in the information technology sector.

Inventions related to cybersecurity that appear purely mathematical or algorithmic, especially cryptographic ones, may be subject to patent protection in various devices—including software-based devices. Historically significant cryptographic inventions have been protected by patents, including DES, Diffie–Hellman and RSA. Although the patents for these breakthroughs have now expired, the field of cybersecurity innovation is still full of patents and pending patent applications.

The cost of a patent is paid in two forms: money and disclosure. First, applications are expensive to process and patents are costly to maintain. The complexity of the process usually requires costly expert assistance. Disclosure is a key feature of the patent system. The patent application must describe the operation of the invention in a manner that would enable replication of the technology. The application, the granted patent, and communication relating to the examination are published for future research.

The duration of a patent is typically 20 years from the filing date. Several years may pass between filing and grant. The rights holder generally has the right to take legal action for infringements occurring between the application and the grant, even if the infringement occurred before the publication of the application. A common method of defence in such cases is to challenge the validity of the patent after it has been granted.

Proving patent infringement involves a technical comparison between a device or service and the invention described in the granted patent. The rights holder does not need to prove that the invention was copied from the patent or any product. Many information technology-related patent infringements occur without the infringing party initially being aware of another party’s products or patent rights.

Trademark (advanced)

Trademarks are generally registered intellectual property rights granted country by country upon application. There is also an EU trademark. A trademark is a symbol or sign used to distinguish the business of one person from that of another. The most common trademarks consist of words or figures, but they may also be, for example, a colour or a melody. Each trademark is granted within a defined class of use, meaning that two different parties may have exclusive rights to use the same symbol in different industries. The purpose of trademarks is to reduce the risk of confusion among those acquiring goods or services. At the same time, they protect the investment of the trademark holder in the reputation of the business.

Trademarks are usually registered for 10 years, but renewal is possible.

A typical infringement of a registered trademark is the use of an identical or confusingly similar sign in a context covered by the exclusive right. Misleading conduct itself is already a phenomenon examined in cybersecurity, but a specific area of concern is domain names. In Finland, domain names are not regulated within trademark law but in the Act on Electronic Communications Services (917/2014 Chapter 21).

A certification mark is a trademark used to indicate conformity with a specific standard. These marks are registered by a standardisation body, which then grants licences for their use on the condition that the requirements of the standard are met. Use of a certification mark on a product or service that does not comply with the standard constitutes trademark infringement.

A collective mark is a trademark held by an organisation, for example a professional association, and intended for use by its members in their business activities.

Trade secrets (advanced)

A trade secret is generally considered to be information that is secret, valuable largely because it is secret, and remains secret due to reasonable efforts by its holder. It may include information as diverse as an ingredient list, a manufacturing method, a customer list, an algorithm, or details of a patentable invention prior to patent application and disclosure. Examples of current trade secrets in the ICT sector include details of Google’s PageRank algorithm and various cryptographic algorithms.

Maintaining confidentiality is a central element in protecting trade secrets, which can in principle continue indefinitely as long as secrecy is preserved. Trade secrets are widely leaked through cyber espionage, and the phenomenon provides an important field of work for cybersecurity professionals.

The European Union significantly harmonised its approach to trade secrets with a directive in 2018, and Finland enacted the Trade Secrets Act in the same year (cf. data crimes).

Reverse engineering

Traditionally, it has been considered acceptable to examine man-made objects in the spirit of reverse engineering. While it was never allowed to obtain trade secrets through industrial espionage, bribery or similar means, it was considered “fair play” if a trade secret was discovered by analysing a publicly available product and then published. Since the turn of the millennium, however, attitudes appear to have changed. In particular, laws have been enacted that prohibit circumventing techniques whose purpose is to make reverse engineering more difficult.

Conflicts arise in connection with reverse engineering of software products. Software licences often contain strict limitations on reverse engineering in general and/or decompilation in particular. However, European legislation generally prohibits restricting the right of an authorised user of software to observe and study its operation, and also grants such users a limited right to decompile software in order to obtain information necessary for interoperability.
