Sunday, October 10, 2021

Courtney Cox on Trade Secrets and Lying

Courtney Cox, a professor at Fordham University Law School, has a very interesting trade secret law article forthcoming in George Washington Law Review called "Legitimizing Lies." The article can be downloaded on SSRN.

Cox argues, in short, that trade secret law could generate an unexpected incentive for trade secret holders to "lie." The reason is that federal and state trade secret statutes require anyone who wishes to own a trade secret to take "reasonable" measures to keep that information secret, and in some instances deception—including deception effectuated by lies—may be the most reasonable way to keep something secret. For example, companies sometimes use "deception technology" in their cybersecurity systems "to trick hackers into thinking they are getting close to critical data." (25). Cox highlights increasing use of a cybersecurity device, affectionately called the "honeypot," which operates as a decoy computer system that can lure away would-be hackers. (24).

Cox suggests that, to the extent deception-based information security becomes the most effective option for protecting secrets in a certain industry or context, trade secret law may require taking that deceptive act. This is because the trade secret statutes, at the federal and state level, include taking "reasonable" measures to preserve secrecy as a necessary element of a plaintiff's trade secret case. Thus, the law encourages, or at least gives its blessing to, "lying."

Monday, September 27, 2021

How would the proposed American Pandemic Preparedness Plan help address underinvestment in pandemic-related innovation?

By Jacob S. Sherkow, Lisa Larrimore Ouellette, Nicholson Price, and Rachel Sachs

Historically, the United States’ preparedness for a pandemic is like Charles Dudley Warner’s aphorism on the weather: everybody talks about it but no one ever does anything. Before COVID-19 struck, it was clear that the threat of a pandemic was real and that the world was not ready. As one of many examples, a September 2019 report from the Global Preparedness Monitoring Board (GPMB)—an expert group convened by the World Bank and WHO—concluded that “there is a very real threat of a rapidly moving, highly lethal pandemic of a respiratory pathogen killing 50 to 80 million people and wiping out nearly 5% of the world’s economy.” Perhaps the tragedy of the current crisis will provide sufficient motivation to better prepare for next time.

As a step in this direction, earlier this month the Biden administration released a twenty-seven page American Pandemic Preparedness Plan, with a $65 billion price tag, to provide the United States with “broad and deep protection against biological threats, ranging from the ongoing and increasing risk of pandemic disease, to the possibility of laboratory accidents and the deliberate use of bioweapons.” These include, of course, several innovation policy commitments to encourage the development of pandemic-related tools for COVID-19 and beyond. What are those commitments? How do they work—or would have worked—for COVID-19? And what does this say about innovation policy more generally?

Friday, August 27, 2021

How does the CDC’s Advisory Committee on Immunization Practices impact innovation and access to COVID-19 vaccines?

By Rachel Sachs, Jacob S. Sherkow, Lisa Larrimore Ouellette, and Nicholson Price

In previous blog posts in this series, we have explored the roles different federal agencies, including the NIH, FDA, and CMS, play in the development and distribution of new healthcare technologies in the fight against COVID-19. But we have devoted much less attention to the CDC and its Advisory Committee on Immunization Practices (ACIP), which has a key role to play in the distribution of vaccines, including those against COVID-19. In this post, we explain the role played by ACIP, discuss several important COVID-19 vaccine decisions ACIP has been involved in, and consider what ACIP’s processes might teach policymakers more generally about innovation and access to health technologies.

Friday, July 30, 2021

What’s happening with proposals for a WTO waiver of COVID-related IP?

By Nicholson Price, Rachel Sachs, Jacob S. Sherkow, and Lisa Larrimore Ouellette

If COVID-19 were a pandemic movie, we’d be very close to the end since we’ve identified several excellent vaccines; the conventional biomedical innovation narrative often ends with the product being fully developed. But we’ve still got a long way to go with COVID-19, and the biggest challenge is getting the vaccines to billions more people (and getting them to take the vaccines, but that’s a separate topic). Only 0.3% of global doses have been administered in low-income countries, many of which are confronting severe outbreaks. A staggering 1 million infections were reported in Africa in just one month, with few vaccines in sight. By some estimates, much of the world’s population won’t be vaccinated until well into 2023. Amid pledges of sharing vaccines, perhaps the most prominent policy debate today is about waiving intellectual property rights to COVID-19 technologies, including vaccines. In this post we explain what’s being proposed, what’s happening with the waiver negotiations, and what impact these negotiations might have.

Monday, July 12, 2021

New Free Patent Casebook by Masur & Ouellette

As previously announced, I have been writing a new free patent law casebook with Prof. Jonathan Masur (Chicago Law), and we're very grateful to everyone who has provided helpful comments on the beta edition over the past year.

We are excited to be releasing the 1st edition. You can download a free PDF or purchase an at-cost color printed copy through Amazon here: https://www.patentcasebook.org/

We've tried to achieve a number of goals with this project beyond simply lowering the cost of course materials:

  • The casebook is heavily problem-focused, including problems that can be used for out-of-class assignments, in-class multiple-choice polls, and small-group activities. Some problems are drawn from real cases, while others are hypotheticals constructed to isolate and explain difficult concepts.
  • A key goal was bringing conceptual clarity to the details of modern patent practice, which means that cases are very heavily edited, some topics are presented through means other than case excerpts, and we have many diagrams and notes to help explain the points that are most likely to trip students up.
  • Finally, we have worked to place patent law in its social context, including by surfacing issues of race and gender and exploring the connections between patent law and inequality among innovators and inequality in access to innovations.

For adopting instructors, we have an accompanying slide deck (including many multiple-choice questions and figures from the patents at issue in excerpted cases) and a teacher's manual with answers to practice problems and suggestions for Q&A with students about cases. We are also happy to share a Word version of the casebook.

The casebook is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License. We are likely willing to authorize many derivative uses; please contact us to discuss.

If you have questions, suggestions, or interest in adopting the casebook, please let us know at ouellette@law.stanford.edu and jmasur@uchicago.edu.

We're delighted that patent law instructors will have multiple free course materials to choose from for the coming academic year. For those looking for free or low-cost options across different areas of IP, James Grimmelmann maintains a helpful compilation here.

Thursday, July 1, 2021

Rob Merges Guest Post: Who Gives a Hoot About Minerva? The Patent Act and the Common Law of Patents

Guest Post by Rob Merges, UC Berkeley

In the immediate, practical sense, the Minerva opinion registers like the mildest tremor on the landscape of patent law. With a few tweaks of the standard patent assignment agreement, and putting aside the potential that the Federal Circuit will bollix up the follow-through, the opinion changed very little.

But, sometimes, a ripple on the surface denotes more dramatic movement in the deep crust. So it may be with this prosaic little case of assignor estoppel. Justice Barrett’s dissent signals a potentially radical reappraisal of the many common law rules that supplement, permeate and modify the body of operational U.S. patent law. If the signals are portents, then many settled doctrines of patent law – and other fields of IP law as well – have been quietly but surely put into play.

Wednesday, June 30, 2021

Why do differences in clinical trial design make it hard to compare COVID-19 vaccines?

By Lisa Larrimore Ouellette, Nicholson Price, Rachel Sachs, and Jacob S. Sherkow

The number of COVID-19 vaccines is growing, with 18 vaccines in use around the world and many others in development. The global vaccination campaign is slowly progressing, with over 3 billion doses administered, although the percentage of doses administered in low-income countries remains at only 0.3%. But because of differences in how they were tested in clinical trials, making apples-to-apples comparisons is difficult—even just for the 3 vaccines authorized by the FDA for use in the United States. In this post, we explore the open questions that remain because of these differences in clinical trial design, the FDA’s authority to help standardize clinical trials, and what lessons can be learned for vaccine clinical trials going forward.

Friday, June 4, 2021

What Does it Mean to Exceed Authorized Access?

After years of debate and prosecutorial overreach, the Supreme Court has now narrowed the Computer Fraud and Abuse Act (CFAA). In Van Buren v. U.S., the Court ruled that obtaining information by "exceed[ing] authorized access" is limited to information on the computer that one is not authorized to access at all, rather than to information simply gathered for an improper purpose.

To explain, consider the facts of Van Buren. Van Buren had rightful access to a database of DMV license plate information. He accessed that database using valid credentials, but looked up information for an improper purpose. He was convicted under the CFAA for exceeding his authorized access. I have blogged about this issue before. The broad reading that sent him to jail is a really scary interpretation of the statute, one in which many ordinary people could go to jail for innocuous use of the internet.

The Court narrowed the meaning, and held that the language of the statute, "to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter," cannot be read to cover the purpose of gathering the information. Instead, "entitled so to obtain" must mean entitled to obtain in the manner prior referenced, which means obtained by access to a computer with authorization. Based on this reading, Van Buren cannot be guilty because he accessed records that he was already entitled to access. But he might have been guilty if he looked at personnel files on the same computer.

The Court leaves open the question whether access to other information must be barred by code or merely policy. In the hypo above, if Van Buren bypasses a password on the computer to which he has access in order to obtain the personnel records, there's no question that such conduct would be barred. But what if the files were there for all to see if they merely looked, and it was simply policy that barred access? The court leaves that question open. The legislative history, which I discuss here, makes clear that the policy based bar was contemplated at the time of the statute, because "exceeds authorized access" was left out of some provisions of the CFAA to keep unwary employees from being ensnared: "It is not difficult to envision an employee or other individual who, while authorized to use a particular computer in one department, briefly exceeds his authorized access and peruses data belonging to the department that he is not supposed to look at. This is especially true where the department in question lacks a clear method of delineating which individuals are authorized to access certain of its data." (S. Rep. 99-472)

This brings me to my discomfort with the opinion. I'm thrilled at the outcome. The CFAA is much too broad, and this is one way to narrow the scope of it. Otherwise, it made all sorts of innocuous activity illegal. But from a textual standpoint, I've never been convinced that this is the proper reading of the words of the statute.

So long as the Court allows policy-based access restrictions (which is not crazy given the legislative history, even if it's not great policy), my view continues to be that the actual statutory interpretation part of it is not nearly as clear as the Court would have it. 

As noted above, the Court envisions two situations: 

    1. You may access the computer. You may access file A but (by policy) not file B, even though technically your access to the computer allows you to download file B. This exceeds authorized access. 

    2. You may access the computer. You may access file A, but (by policy) only for a particular purpose, even though technically your access to the computer allows you to download file A for any purpose. This does not exceed authorized access. 

For many policy reasons this is a better outcome than saying No. 2 exceeds authorized access. But the Court offers little support for the conceptual (or textual) notion that these two scenarios are distinct. There is nothing in the “entitled so to obtain” discussion that differentiates what is entitled by access once given and what is not. Both of these scenarios are types of information you could get with your access, but have no right to get under the terms of your access. 

The only difference is that as a matter of policy we don’t want to impose a purpose based limitation on that right. Even if you accept the Court’s reading of the statute wholesale, you do not get to (quoting the Court's new rule): “an individual 'exceeds authorized access' when he accesses a computer with authorization but then obtains information located in particular areas of the computer—such as files, folders, or databases—that are off limits to him.”  So long as “off-limits” is not code based, this is a common law gloss rather than a textual one. I’m fine with that, but would rather the Court say that, or alternatively limit liability for all policy based breaches.

To illustrate the point that we cannot differentiate policy limits, as I noted in this post years ago: what is to stop everyone from rewriting their agreements conditionally: "Your access to this server is expressly conditioned on your intent at the time of access. If your intent is to use the information for nefarious purposes, then your access right is revoked." Problem solved, Van Buren goes to jail. If this seems far-fetched, consider Google's terms of service at the time of the Nosal case:  "You may not use the Services and may not accept the Terms if . . . you are not of legal age to form a binding contract with Google . . . .”  That sounds like an access restriction to me. I can see everyone rewriting policy to match; but this shows the folly of it all.

As a final note, the Court's appeal to the civil provisions is unavailing – standard hacking, captcha breaking, password guessing and any number of other things that might give unauthorized access to information are illegal yet cause no damage or loss as the Court describes those provisions. Further, the Court ignores the ridiculous, “we spent money finding the leak and that’s loss” that lower courts have upheld. That type of loss would apply to a broader definition of "exceeds authorized access" as well. 

In sum, this is a good outcome even if I'm not entirely convinced it's the technically proper one. I'm good with that.

Thursday, June 3, 2021

What’s the difference between vaccine approval (BLA) and authorization (EUA)?

By Jacob S. Sherkow, Lisa Larrimore Ouellette, Nicholson Price, and Rachel Sachs

Recently, Pfizer and BioNTech and Moderna announced that they are seeking full FDA approval for their mRNA COVID-19 vaccines—filing, in FDA parlance, a Biologics License Application (BLA). Johnson & Johnson plans to file its own BLA later this year. But currently, all three vaccines are being distributed under a different FDA mechanism, the Emergency Use Authorization (EUA). What’s the difference, under the hood, between these two mechanisms? Why would these companies want to go through the BLA process? And what tools can policymakers use to make the EUA to BLA shift better?

Monday, May 17, 2021

Guy Rub: Copyright or Contract?

Using software often means you have to sign a contract as a condition for using the software. This "end user license agreement," called a EULA, will lay out the terms under which the software can be used. For example, the EULA you sign to play a video game might say: "The player of this video game cannot cheat while playing the game."  What if you breach the EULA by playing the game using a commercially available cheating "bot"?  Is this copyright infringement? Or is this just a breach of contract?  This may seem obscure, but the question matters a lot.  For one thing, in this example, if the video game publisher has a copyright claim against the cheater, not just a contract claim, this could mean very large statutory damages versus no damages at all.

This is just one of many scenarios in which copyright owners use contracts to control the conditions of use, and whose breach may, or may not, give rise to copyright infringement. In his new article, Against Copyright Customization, Guy Rub addresses this thorny question—copyright or contract?—along with many closely related questions. For example: when is a software user a mere licensee versus an owner?  (Spoiler alert:  almost always!)  The article is forthcoming in Iowa Law Review and a draft can be downloaded on SSRN.

I interviewed Guy about the article. Here is a transcription.

Monday, May 3, 2021

What can policymakers learn from the UK’s RECOVERY trial to improve clinical research for COVID-19 and beyond?

By Rachel Sachs, Jacob S. Sherkow, Lisa Larrimore Ouellette, and Nicholson Price

We have written before about the challenges of making decisions under scientific uncertainty and the simultaneous importance and difficulty of developing high-quality clinical evidence under pandemic circumstances. To address these problems, scientists and regulators in the UK developed a national-scale trial, the Randomised Evaluation of COVID-19 Therapy (RECOVERY) trial, with the goal of rigorously testing the most promising potential therapies for patients who have been hospitalized with COVID-19. In this post, we consider how the design and success of the RECOVERY trial yield important lessons for U.S. policymakers to consider going forward.

Friday, April 9, 2021

How can Congress create infrastructure for the next pandemic?

By Nicholson Price, Rachel Sachs, Jacob S. Sherkow, and Lisa Larrimore Ouellette

After approximately 200 Infrastructure Weeks, policymakers now appear to be actually talking about passing legislation about infrastructure! Congress also seems like it might take action to lay the groundwork for combatting the next pandemic; bipartisan efforts are underway. Putting the two together: how should Congress think about creating innovation infrastructure, broadly defined, to help combat the next pandemic? 

Even before COVID-19, experts were sounding alarms about insufficient infrastructure to address the foreseeable risk of a global pandemic. In 2019, an expert group convened by the World Bank and WHO concluded that “[t]he world is not prepared” for the “very real threat of a rapidly moving, highly lethal pandemic of a respiratory pathogen,” among other things because “[t]oo many places lack even the most rudimentary health-care infrastructure.” COVID-19 has magnified these global health inequalities. But inadequate infrastructure investment is not just a problem in low-income countries: COVID-19 has also drawn increased attention to long-apparent weaknesses in many U.S. infrastructure sectors. We suggest priorities for three types of infrastructure: physical infrastructure, knowledge infrastructure, and human infrastructure (recognizing that these categories may overlap).

Tuesday, April 6, 2021

Google v. Oracle - The Final Shoe Drops

The Supreme Court ruled yesterday in Google v. Oracle that Google did not infringe Oracle's copyright in its APIs by virtue of fair use. The vote was 6-2, with Justice Breyer writing for the Court, and Justices Thomas and Alito dissenting. 

The opinion was straightforward and went to great lengths to attempt to explain the technology at issue. I thought it did a decent job of it (definitely more Godot than Guffman), even as the opinion continued to struggle for a good analogy. The Court adopted the file cabinet/drawer/folder analogy presented in Google's brief, which I thought was a terrible analogy...so I guess there's no accounting for taste (or winning advocacy). The court's fair use analysis was influenced by Judge Boudin's concurrence in Lotus v. Borland, though that concurrence didn't actually call it fair use, but instead "privileged use."

Others have and will surely write about the fair use aspects and what this means for software APIs. Contrary to Oracle's ridiculous and vitriolic press statement yesterday, this case will likely not change the way anyone in the industry behaves in the least. APIs have been used and reused for decades, and will continue to be. And contrary to being a barrier to entry, reuse of APIs allows for competitive inroads and entry, including by Oracle, in its mimicry of Amazon's AWS API. (Indeed, the hubris of Oracle's statement in light of its implementation of another company's API is stunning, assuming it was unlicensed - I've been unable to verify one way or the other.)

The opinion also has some nuggets for other fair use - discussion of transformation and art, definition of markets for determining harm, another reaffirmation of Campbell v. Acuff-Rose Music, fair use as a mixed question of law and fact (something I discussed in a prior blog post), and so forth.

Instead, I will focus on my hobby horse - whether the APIs are copyrighted, and if so how we get to non-infringement. The Supreme Court explicitly decided that the copyrightability of APIs is a third rail and did not attempt to touch the issue. There are two ways to read the tea leaves. First, perhaps a majority of the court thought they were uncopyrightable, but feared the effects of saying so. Second (and my guess), perhaps a majority of the court (or a 4-4 split) thought that they were copyrightable, but fair use was an acceptable compromise. The second possibility is why I wrote and submitted my amicus brief, which was intended to give a path to non-infringement even if the APIs were copyrightable.

Alas, the court did not buy into the abstraction/filtration argument I made, which I believe was doctrinally appropriate, nor did the brief get a cite, as many that discussed the importance of APIs did. However, in a sense, the court adopted the methodology I suggested. From my brief:

But the copyrightability of an entire work does not answer the question of whether any particular portion of it, if used by another, is infringing. That analysis requires determining whether the defendant has taken too much expression and not ideas, systems, methods of operation, or the like. And such a determination cannot be made outside of the infringement analysis. Any functionally required aspects—including any expression necessary to practice the idea—should be removed from the comparison. 

What remains should then be compared. The advantage of this approach is that it recognizes that while entire software programs may be copyrightable in some contexts, their pieces might not be infringed in others. There need be no zero-sum game, but only a recognition that the scope of copyright depends, as it always has, on the accused’s use of the copyrighted work. 

...

[T]he Court need not decide whether any part of Oracle’s code is copyrightable standing alone. It should only determine that the scope of its copyright in the Java source code cannot extend to infringement through the reuse of declaring functions necessary to create a compiler or interpreter that accepts the same commands and parameter names to allow programmers to use the Java programming language.

The primary pushback on this argument that I received from smart colleagues asked this question: why should context matter in the infringement analysis? Justice Thomas's dissent is replete with this same concern. My answer was always the same - because use in a functional context may be a use of the idea/method, whereas use in a different context might not be.

But Justice Breyer has sidestepped this question to essentially reach the same result using fair use. The one place where we can be sure that context matters is fair use. The nature and character of the use is one of the factors, after all. The Court's analysis tracks many of the same issues in my brief - the functionality of the APIs, their use as a de facto standard, switching costs, etc.

And so the Court's final resolution is not that far off from what I had asked. Rather than excluding the APIs from infringement by filtering them out, the Court would instead exclude them from infringement under a fair use analysis that considers many of the same factors. I can live with this solution--way back in 1999, I published a paper that argued that "courts have been able to determine efficient economic outcomes based on the cases before them, but they have been unable to settle on a rule that definitely determines how much reuse to allow in each case." The article lays out a variety of economic factors that predict how cases come out, and you'll be shocked to find out that they favor Google in this case (e.g. switching costs, de facto standards, lack of slavish copying of the implementation, no breach of an underlying economic duty, public benefits of compatibility). Perhaps that's a reason this case has stuck in my craw for so long: it's about the only one that didn't fit with my 20+ year old model.

Despite my doctrinal sanguinity, the downside of the court's approach is that it might still lead to framing issues in the future. Litigants might still be subjected to juries asked to simply decide whether the APIs were used (for infringement) and then hope to rely on fair use as a defense. Then again, a judicial fair use inquiry might keep the question from ever getting to a jury, which is basically the same result I've advocated. But this case went to a jury, by appellate order, and it's unclear that it should have. It was certainly costly. However, the strong language of this opinion may apply the next time, as in the case I recently blogged about with control codes.


The end is near for my Oracle and Google blogging, a 9-year expedition. But I do have one more in me, a more technical post in a week or so about the so-called 170 lines of code that are supposedly all that are necessary to implement Java.

Thursday, March 25, 2021

How are COVID-19 vaccine developers and regulators responding to variants?

By Lisa Larrimore Ouellette, Nicholson Price, Rachel Sachs, and Jacob S. Sherkow

The remarkable news of record-breaking COVID-19 vaccine development has been clouded by the increasing emergence of new variants of the SARS-CoV-2 virus. Like other viruses, SARS-CoV-2 mutates over time, due to random errors in copying its genetic sequence. When one of these mutations helps the virus survive and reproduce—such as by making the virus more transmissible—that variant will spread more rapidly than the original virus through natural selection. The global effort to control the pandemic has thus been framed as a race between the vaccines and the variants: can the world be vaccinated before the virus evolves to evade the vaccines? In this post, we examine how COVID-19 vaccine developers are responding to the spread of variants, how the FDA plans to regulate updates to the vaccines, and other innovation policies governments should consider to combat the variant spread.

Thursday, March 18, 2021

Advice about the patent bar for current and prospective law students

Guest post by Professor Eric E. Johnson (ericejohnson.com)

I recently asked fellow intellectual property professors and others about advice for law students interested in taking the patent bar. The IP community generously responded, and I have synthesized their wisdom and opinions here, with some of my own advice sprinkled in. Of course, opinions differ and things change, so students should consider this post as a jumping-off point for doing their own research and asking their own questions.