Cybersecurity Ethics — Week 2 · Module 06
Intellectual Property in Cyberspace
Copyright, patents, trade secrets — the legal scaffolding around digital information. Where the security researcher and the IP attorney meet, and where they sometimes collide.
13 slides · ~13 min · Spinello Ch. 4
Slide 2 of 13 · Why this matters here
Why IP Is a Cybersecurity Ethics Question
Spinello's frame: IP law in cyberspace was largely written before mass-scale security research existed. The result is a body of law that frequently fails to distinguish between piracy and protection. Practitioners live inside that ambiguity.
Slide 3 of 13 · The basics
Copyright in Cyberspace — Quick Reference
What it covers
Original works of authorship fixed in a tangible medium — in cyberspace terms: source code, compiled binaries, documentation, designs, audio/video, training data sets in some readings.
What it does not cover
Ideas, facts, methods of operation, mathematical formulas. The expression is protected; the underlying idea is not. (Baker v. Selden (1879) is the foundational US case; the idea/expression distinction is now codified at 17 U.S.C. § 102(b).)
Fair use (17 U.S.C. § 107) provides a four-factor analysis — purpose & character of use, nature of copyrighted work, amount used, market effect. Security research arguments often invoke fair use for transformative purposes.
A researcher reverse-engineers a binary to find a vulnerability. The binary is copyrighted. Whether the copy is fair use depends on what the researcher then does with the finding — and which judge they get.
Slide 4 of 13 · The pivotal statute
DMCA: Three Pillars
Why § 1201 is the friction point: security research often involves bypassing technical measures (DRM, code signing, integrity checks) to reach the underlying behavior. Whether that bypass is "circumvention" depends on exemption status.
Slide 5 of 13 · The carve-outs
DMCA Security Research Exemptions
The exemption pattern
The Librarian of Congress, on the recommendation of the Register of Copyrights, conducts a triennial rulemaking under § 1201(a)(1)(C) and has granted security-research exemptions over multiple cycles. The exemption permits good-faith research on lawfully acquired devices, in a controlled environment, with findings handled through responsible disclosure.
What it does NOT do
Does not preempt other applicable laws (CFAA, ECPA, contract). Does not create a defense for distribution of circumvention tools. Does not protect researchers from civil litigation in adversarial vendor relationships.
Practical reality: the exemption helps but does not make research unambiguously legal. Practitioners rely on counsel before publishing high-impact findings. "Responsible disclosure" carries legal weight as well as ethical weight.
Slide 6 of 13 · The harshest cases
When Research Meets Federal Charges
Why these cases (Swartz, weev) mattered: they established that the gap between "security research" and "federal computer crime" was much narrower than practitioners assumed. Research labs added legal review of public disclosures. Bug-bounty platforms emerged in part to provide a structured channel that reduced this risk.
Slide 7 of 13 · The Supreme Court walks it back
Van Buren v. United States (2021)
The implication for security research: the Court held that "exceeds authorized access" in the CFAA reaches only entry into parts of a system that are off-limits to the user, not misuse of information the user was entitled to access. The broad reading that had threatened researchers in the Swartz / weev era was rejected. Violating terms-of-service or purpose restrictions is no longer per se a federal crime when the access itself was authorized.
Slide 8 of 13 · Software patents
Patents and Software
Alice Corp. v. CLS Bank (2014)
The Supreme Court held that abstract ideas implemented on a generic computer are not patent-eligible under 35 U.S.C. § 101. Established a two-step test: (1) is the claim directed to an abstract idea? (2) if yes, does it contain "significantly more"?
Effect on cybersecurity
Many software patents have been invalidated under Alice. Cybersecurity-specific patents (encryption methods, intrusion detection, authentication systems) survive when they recite specific technical implementations rather than abstract methods.
The professional question: when a defensive technique becomes patentable subject matter, the security profession's traditional norm of free exchange of defensive techniques runs into property law.
Slide 9 of 13 · The third pillar
Trade Secrets and the DTSA
DTSA (2016)
Defend Trade Secrets Act. Created a federal civil cause of action for trade-secret misappropriation and with it access to federal court (civil claims had previously been governed by state law, mostly under the Uniform Trade Secrets Act). Provided ex parte civil seizure remedies in extraordinary cases.
What counts as a trade secret
Information that derives independent economic value from not being generally known and is the subject of reasonable measures to keep it secret. The "reasonable measures" standard puts security operations in the trade-secret protection chain.
The DTSA's whistleblower provision (18 U.S.C. § 1833(b)): the statute includes immunity for individuals who disclose trade secrets to government officials or attorneys for the purpose of reporting or investigating a suspected violation of law.
Slide 10 of 13 · The recurring practice
Reverse Engineering — When Is It Legal?
Generally permitted
9th Circuit case law: Sega Enterprises Ltd. v. Accolade Inc. (9th Cir. 1992) on decompilation to build compatible games, and Sony Computer Entertainment v. Connectix Corp. (9th Cir. 2000) on reverse engineering the PlayStation BIOS. Both held the intermediate copying involved to be fair use. Reverse engineering for security research is the subject of the triennial DMCA exemptions, alongside the narrower statutory carve-outs for interoperability (§ 1201(f)) and security testing (§ 1201(j)).
Generally restricted
EULA-imposed restrictions on reverse engineering. Trade-secret status of underlying information. State-law contract claims layered on top of federal IP frameworks.
The professional reality: reverse engineering is a routine security tool. Whether each individual instance is lawful depends on jurisdiction, EULA terms, the purpose of the activity, and the chain of how the binary was acquired.
Slide 11 of 13 · Working with the IP team
The Security Pro and the IP Attorney
Pre-publication review
Vulnerability disclosures, white papers, conference talks — legal pre-review is standard for high-impact findings. It is not a delay tactic; it is risk-management practice.
Vendor relationship management
Coordinated disclosure timelines, NDAs, contractual scope of testing engagements all run through legal.
Incident response
Breach notifications, regulatory disclosures, evidence preservation, attorney-client privilege scoping — legal sits beside IR in any serious incident.
The professional ethics implication: codes (CSE-02) require honesty. That includes being honest with your own legal team about what you actually did, found, and intend to publish. Hiding facts from your own lawyers is how individual exposure becomes catastrophic.
Slide 12 of 13 · CSF mapping
CSF Mapping — PR.IP
Slide 13 of 13
Module 06 Takeaways
1. Copyright protects expression, not ideas. Reverse engineering involves copying; whether that copy is fair use is fact-specific.
2. DMCA three pillars: anti-circumvention (§ 1201), the service-provider safe harbor (§ 512), and its notice-and-takedown procedure (§ 512(c)).
3. Librarian of Congress security-research exemptions are triennial — helpful but not a complete shield.
4. Aaron Swartz / weev: defining a decade of caution. Van Buren (2021) narrowed the CFAA's reach.
5. Patents: Alice (2014) made abstract software ideas hard to patent. DTSA (2016) federalized trade-secret civil claims.
6. The security professional's IP-law surface is large and routine. Honesty with your own legal team is non-negotiable.
Next up: CSE-07 — Privacy Rights in Cyberspace. Spinello Ch 5.