Cloudy with a Chance of Lawsuits
By Alan Dove, PhD, NYAS Contributor
Google Docs. Open notebooks. The Internet of Things. Open source software. Cloud storage. For researchers, the ever-expanding world of digital data handling tools seems like a theme park built just for them. For intellectual property lawyers, security experts and technology transfer managers, however, it can look more like a house of horrors.
Scientists focused on their projects often set up collaborations, configure networked data-gathering equipment and write software with little thought about patents, copyrights or liability. Those choices can come back to haunt them years later. However, researchers can avoid many of the pitfalls of modern intellectual property management and data security with a bit of forethought.
The Other Kind of IP Address
The original intent of the internet was to facilitate scientific collaborations over a single network for defense department projects at multiple institutions, and it still excels at that, subject to caveats about data security.
“Collaboration has always occurred across research institutions, [but] online collaboration has made it happen more quickly,” says attorney Jim Singer, chair of the intellectual property department at the law firm Fox Rothschild in Pittsburgh, Pa. Singer adds that “often what we see is that the collaboration occurs ... before the researchers have considered that they might have some intellectual property that's worth protecting.”
Even simple online collaborations can lead to legal quagmires. “If you're collaborating using, say, Google Docs ... what you're left with can be a joint work where it's not clear what each party owns, and in fact, you end up with a co-ownership situation,” says Jeremy Pomeroy, an intellectual property attorney and founder of the Pomeroy Law Group in New York City. To be clear, that's not always a good thing. “Often clients like the idea of joint ownership, it sounds friendly, [but] they don't understand the implications of that,” says Pomeroy.
Without an agreement to the contrary, there is joint ownership of a copyright of “a work prepared by two or more authors with the intention that their contributions be merged into inseparable or interdependent parts of a unitary whole.” (17 U.S. Code § 101). Co-inventors on a patent are all considered equal contributors, each able to license or sell the invention however they like. Worse, it may not be up to the scientists to decide who to include on that list. “Patent law decides who is an inventor in a patent application, and joint inventorship means joint ownership. If you're claiming something in the patent application and a collaborator contributed anything to those claims, then that collaborator must be named as an inventor,” says Singer. A minor contributor could wield outsized influence over the fate of the invention.
Cloud-based storage and high-speed connections also make it easy to collaborate across continents and sometimes conflicting legal systems. Singer says that the U.S. Patent Act states that if you invent something in the U.S., you must file your patent application first in the U.S. before filing in other countries. That would be simple enough if China, India and other nations didn't have similar types of requirements. Even if all of the scientists involved work for the same institution or company, “the question becomes 'where can you file the patent application first?'” Singer says.
The rise of rapid publication platforms, such as preprint servers, has added yet another twist. Singer explains that the U.S. gives inventors a one-year grace period to file a patent after describing an invention in a publication, but most other nations don't. Once the paper is published, the invention becomes unpatentable. “I've seen inventors lose international patent rights because of that,” he warns.
Officers Are Standing By
While explaining the litany of risks inherent in collaboration, intellectual property experts emphasize that effective protection can be as easy as having each collaborator contact their institution's technology transfer office as soon as the project begins. That office can then ensure appropriate allocation and documentation of collaborators’ respective intellectual property rights. The call will likely be well received. “We routinely have to educate new faculty members, [and] something we harp on is that before you put anything online you should come and talk to us first,” says Andy Bluvas, a technology commercialization officer at the Clemson University Research Foundation (CURF) in Clemson, S.C.
One of the most common collaborative activities online, sharing computer code, involves shifting legal nuances that many researchers don't know about. In 2014, the U.S. Supreme Court ruling in Alice v. CLS Bank invalidated hundreds of software patent claims and made patenting new code much harder. The expression of ideas in software can still be subject to copyright protection, but it requires a different legal approach.
Scientists and engineers working on technologies for the "Internet of Things" (IoT) are also discovering complex interactions between patents, copyrights and product development cycles. “Usually they release the technology or the products with some sort of software inside, and then what happens is they incrementally improve it,” says Bluvas. He recommends that researchers working on those types of projects bring their attorneys aboard to keep the software and hardware designs aligned with the legal code.
The common programming practice of reusing source code can cause other problems. “We'll have researchers that borrow from multiple different packages of software, and they may be open source or they may be proprietary,” says Chris Gesswein, executive director of CURF. Open source software allows such borrowing, but different open source licenses place different restrictions on how the borrowed code can be used, and proprietary software has even stricter limits. Also, use of open source code may, under the terms of the license, cause the entire software package to become subject to the license’s open source requirements. The result can be software covered by multiple conflicting licenses, making it difficult or impossible to commercialize.
Academic researchers may be reluctant to involve administrators in their work, but technology transfer officers share the scientists' priorities. “No matter what, our goal is to get [scientists' results] out there ... in peer-reviewed journals,” says Bluvas. Patent and copyright filings usually proceed faster than research journals' publication cycles, so scientists don't have to choose between timely publication and protecting their intellectual property.
Nonetheless, a majority of investigators don't take advantage of the technology transfer officers' expertise. Gesswein estimates that only 15 to 25 percent of Clemson's research faculty interact with his office.
Who Let the Data Out?
Privacy laws present another challenge for many projects, whether researchers want to know about them or not. “I appreciate more than anybody that scientists don't want to think about stuff like this, they just want to do the science,” says attorney Mark McCreary, chief privacy officer at Fox Rothschild. But ignorance of privacy laws can have serious consequences, especially for multinational collaborations.
McCreary points to the European Union's recent implementation of the General Data Protection Regulation (GDPR) as an example. The law includes a controversial “right to be forgotten,” which allows for medical research exceptions where individuals may rescind their consent for the use of their data. Subjects could retroactively withdraw from a biomedical study, and researchers would have to delete the associated data, but this exception is, as yet, untested and it is unclear if a narrow reading could lead to invalidated studies.
Failure to comply with such rules can be costly; the maximum fine for a GDPR violation is four percent of global revenue from a project, or 20 million Euros, whichever is greater. “You'd have to really be a bad actor [to incur] something like that, but it's there, it's a possibility,” says McCreary.
Scientists may also have an obligation to protect the privacy of personal data, and cloud-based tools raise the risk of a breach. Hackers are unlikely to target a single project, but “when you put it into a service provider where they [have] tens of thousands of other organizations' data, that becomes a lot bigger target, so there's a lot more risk,” says McCreary.
Researchers developing or collecting data with IoT devices face more diffuse risks, as every device they add to the network is another potential security hole. “When you think about it from an attacker's perspective, they're going to go after the weakest links in your system,” says Vyas Sekar, assistant professor of electrical and computer engineering at Carnegie Mellon University in Pittsburgh, Pa.
IoT devices often fit that description. Sekar explains that many networked devices employ shoddy programming practices and receive inconsistent or nonexistent security updates. To combat those problems, he advocates delegating security to professionals in university or corporate technology departments.
While many of the specific legal and security risks of online collaboration and data collection are new, experts in the field agree that the fundamental principles aren't. “You have security issues that come up, you have privacy issues that come up, but really a lot of the old laws still apply, it's contract law and it's intellectual property law, it's just in a different venue,” says McCreary.