25 January 2000

See the California (Judge Elfving) DVD CCA preliminary injunction:

http://douglas.min.net/~drw/css-auth/legal-info/granted/

And the New York (Judge Kaplan) MPAA preliminary injunction:

http://cryptome.org/dvd-mpaa-3-pi.htm

Related files: http://jya.com/cryptout.htm#DVD-DeCSS


Date: Mon, 24 Jan 2000 18:19:50 -0800
To: cypherpunks@cyberpass.net
From: Greg Broiles <gbroiles@well.com>
Subject: Re: cp sfbay meet agenda item

At 03:12 AM 1/24/00 , Mixmaster wrote:

> >Anonymous wrote:
> >
> >At least he'll have the knowledge that most of the people he's exposed
> >the trade secret to won't know about its illegal nature and so the
> >trade secret defense will probably be gone.  The DMCA may still have
> >some teeth though, since that uses a different legal principle.  So it
> >might all be for nothing.
>
>Greg B., is this right?

If a trade secret is revealed to people who don't know it's a trade secret, the secret itself may have (at that moment) lost trade secret status; and if those people go on to disclose the secret to others (who are also unaware of the claim of trade secret status and misappropriation), yes, it's very likely that trade secret status will be lost.

On the other hand, the judges looking at the DeCSS stuff seem willing to overlook some pretty dramatic breaches in the security of the trade secret - so I'm sure not in a position to promise that anything will win. I don't agree with the opinion in the San Jose lawsuit; I get the impression that the judge is working very hard to avoid making a big mistake (in the eyes of his peers), rather than working hard to find the right answer. I believe that sooner or later the law will need to recognize that the Internet means the death of traditional trade secret law, which revolves in large part around actual secrecy. As the judge noted, the Internet makes it easy, fast, and cheap for anyone to destroy a trade secret, even anonymously, at least with respect to actual secrecy. It may be that only a state or the federal Supreme Court will have the judicial cojones to announce that the law of trade secret, as we've known it so far, is dying or dead.


Date: Mon, 24 Jan 2000 20:27:35 -0800
From: Martin Minow <minow@pobox.com>
Subject: Re: cp sfbay meet agenda item
To: Greg Broiles <gbroiles@netbox.com>, cypherpunks@cyberpass.net

At 18:34 -0800 2000.01.24, Greg Broiles wrote:

>I believe that sooner or later the law will need to recognize that the Internet
>means the death of traditional trade secret law, which revolves in large part
>around actual secrecy. As the judge noted, the Internet makes it easy,
>fast, and cheap for anyone to destroy a trade secret, even anonymously, at
>least with respect to actual secrecy.

I must respectfully disagree with Greg here. With a fairly modest end-user cost increase (perhaps $30/player), they could have had FIPS-140 quality security -- i.e. the same level of security used for Internet postage on demand applications. (I offer no opinion as to whether this would have been exportable, but I assume that, given the specific application, it would easily qualify for a "financial application" waiver.)

They did not choose to implement this level of quality. That is certainly their right, and may well be appropriate for economic reasons. However, they are being a bit disingenuous when they claim that they used the best cryptographic security available.

Note that, with this level of security, they would not be as concerned with Internet piracy, so the customer cost of the actual movies might well be lower (he said with a straight face).

Martin Minow
minow@pobox.com


To: cypherpunks@cyberpass.net
From: daw@cs.berkeley.edu (David Wagner)
Subject: Re: cp sfbay meet agenda item
Date: 25 Jan 2000 01:02:10 -0800

In article <v04210101b4b2d46d1bf9@[63.193.122.223]>,
Martin Minow <minow@pobox.com> wrote:

> I must respectfully disagree with Greg here. With a fairly modest
> end-user cost increase (perhaps $30/player), they could have had
> FIPS-140 quality security -- i.e. the same level of security used
> for Internet postage on demand applications.

Yes, but they wanted to build software players too. We all know you can't have both software players and security: that's just blatantly-wishful thinking.

> They did not choose to implement this level of quality. That
> is certainly their right, and may well be appropriate for
> economic reasons. However, they are being a bit disingenuous
> when they claim that they used the best cryptographic security
> available.

Right.


Date: Tue, 25 Jan 2000 01:42:17 -0800
To: Martin Minow <minow@pobox.com>, cypherpunks@cyberpass.net
From: Greg Broiles <gbroiles@netbox.com>
Subject: Re: cp sfbay meet agenda item

At 08:27 PM 1/24/00 , Martin Minow wrote:

[Snip Minow message]

Actually, I don't think we necessarily disagree, though this illustrates well what I don't like about Elfving's opinion - specifically, he doesn't distinguish between two distinct arguments -

(1)     that there never was a trade secret, due to weak or nonexistent security measures used to protect the algorithm/keys

and

(2)     that the keys and algorithm were a trade secret until they were (perhaps wrongfully) posted to the Internet, at which point their trade secret status was lost.

(I'll admit that I haven't studied the defense's filings well enough to know whether or not they've made the distinction I'm making above, so perhaps it's not the judge's fault. Further, the elaborate descriptions of security procedures provided by the plaintiffs seem well-tailored to defeat (1), since they can't really dispute that their "secrets" have been available worldwide to any person or computer which cared to ask for them for 4 months now.)

.. and his opinion seems to merge the two, and deny (2) because (1) is wrong. I don't like (1) - at least, I think it's a very fact-dependent and expert-dependent line of argument, which is going to require the fact-finder to weigh the costs of protection versus the level of protection available and make judgements about the likeliness of attacks and their likelihood of success, etc., which I think is a judgement that courts or juries are likely to get wrong.

I think (2) is the correct conclusion to reach - or at least to reach tentatively for the purposes of considering pretrial injunctive relief. I think what's left - and what will continue to be left, where the Internet is used to destroy trade secret status - is an argument about the [lack of] wrongfulness of the initial disclosure, and about the appropriate damages due the plaintiff if the defendant did wrongfully disclose or misappropriate the trade secret. In either case, I think the information - once it's hit the Internet, or at least once it's hit Slashdot - is no longer secret, no matter what a judge may order.

It's that last part that I think judges are having a hard time swallowing - that it's possible for 15-year-olds in Norway who've got a copy of Netscape and access to the Net to do something that no judge can undo, no matter how hard they bang their gavel, and no matter how wrongful the act may turn out to be in the end. It may well be that a few teenagers have radically transformed a multibillion-dollar electronics and content industry - in a way they're not even capable of fully predicting or understanding - and it's tempting, because the changes are informational, not physical, for judges to simply order the rest of the world to act as if the changes hadn't happened. Trade secret law has been willing to put up with a little bit of reality-bending, where people pretend that it's possible to stuff the secret toothpaste back into its tube, especially where the misappropriations have been limited to just a few people, all of whom are named litigants.

The immediate and irrevocable spread of information that the Internet allows forces the question - will that little bit of make-believe be expanded, such that we'll end up with random judges ordering the entire world to pretend they didn't read something that they did read .. or will judges become accustomed to the idea that the online world is a lot like the offline world, where single individuals are capable, in some circumstances, of destroying millions or billions of dollars' worth of value..? It's a scary idea, but denying it doesn't make it not true.

I realize that it's not very satisfying to the DVD industry to hear that their sole remedy is suing some 15-year-old for the value of their lost trade secret - that's probably not a lawsuit that's even worth filing, both because of the questions about whether or not the disclosure was wrongful, and because it's probably going to be difficult to collect enough even to cover attorney's fees. Still, so what? Plenty of damage is done in the world by people who aren't attractive or identifiable defendants (like, for example, the weather), and that's something that we all deal with - by using technological means to reduce risk, and by using underwriting or insurance to cover losses caused by people who can't or won't provide reimbursement for them.

If the DVD industry failed to take those sorts of prudent measures - and this is where I think discussions about the relative costs and benefits of, say, FIPS-140 level security are appropriate - then I think the relevant parties should make sure their director & officer liability policies are all paid up, because I can hear Milberg & Weiss sharpening their shareholder class-action knives, which is exactly as it should be.

--

Greg Broiles
gbroiles@netbox.com
PGP: 0x26E4488C