Intellectual property (IP) protections are one of the few structural issues covered in the phase-one trade agreement between the United States and China. The combination of new commitments under this agreement and growing domestic pressure to strengthen protections for domestic innovators has led some observers to suggest that China may be moving toward more robust IP protections. Others, however, point out that previous commitments have failed to curb large-scale IP theft. Jonathon Marek interviewed James Pooley, former deputy director general of the World Intellectual Property Organization, regarding developments and trends in China.
What are the key changes in Chinese intellectual property (IP) protections since the phase-one trade agreement? How credible are these commitments compared to previous ones in the absence of an independent judiciary to adjudicate claims?
The Judicial Interpretation from the Supreme People’s Court regarding trade secrets gives good reason to expect at least some modest progress. There are quite a few provisions, but two specifically may be key indicators of whether China is making real progress toward providing safe, effective, and robust mechanisms to enforce trade secrets.
The first of these is shifting the burden of proof (Article 8). Bringing a claim for trade-secret misappropriation can be prohibitively difficult if the court expects the plaintiff to marshal and present sufficient evidence at the outset of the case because China does not have a civil discovery procedure. Therefore, the idea is to set a minimal threshold requirement of initial proof to ensure that the case is reasonably grounded, following which the defendant would have the burden of establishing independent development of the trade-secret information. This notion was not new with the phase-one agreement; it had been introduced as an amendment (with immediate effect) in the 2019 revision of the Anti-Unfair Competition Law. Article 8 of the Judicial Interpretation states that the trade-secret holder first must submit “preliminary evidence” to prove the elements of the claim, and then if the accused infringer claims independent development, “it should provide proof.” The challenge here is to understand what is meant by “preliminary” evidence. In practice, will this come to look like the U.S. threshold of “reasonable suspicion” based on a plausible, but circumstantial, set of allegations? Or will preliminary evidence in effect be subject to the same assessment as at trial? We will not know whether the intent of Article 1.5 of the phase-one agreement, which requires changes in this vein to the burden of proof, has been implemented until there are sufficient examples of actual decisions.
The second key indicator in the Judicial Interpretation is found in Articles 14 and 15, which appear to describe indirect misappropriation. This could be significant because China has in practice only punished misappropriation of a form close to slavish copying. Obviously, improperly gained information can be used to influence the development of a competing product that may look nothing like the original. And there is substantial value in so-called negative trade secrets consisting of experiments through which what does not work, or what works less well, is determined. Although Articles 14 and 15 are not clear (at least in the translation that I read), it is possible that they could be interpreted to allow a court to find that a trade secret has been “used” if it has been “modified” or if “business activities” have been “adjusted” according to the plaintiff’s secret. Again, we will not know whether this portion of the Judicial Interpretation will be followed in that way unless and until we have enough examples of published case reports.
What is the likelihood that China ever makes it fully down the path toward protecting foreign IP? Will there always be significant risks to foreign firms as a result of the Chinese political and economic model?
There can be no doubt that China has been moving toward a more robust IP-protection regime for several decades. This has been in part an assumed obligation of membership in the World Trade Organization (WTO) and in part a classical reaction to the need to construct a framework to provide sustained incentives for domestic innovation. But China’s path, unlike that taken by, for example, Japan, Taiwan, and South Korea, has been strictly controlled by its Communist government, which has tilted the economic playing field to favor Chinese companies.
Therefore, in a sense the very significant and rapid progress made by China since the 1980s in constructing a world-class IP system is a bit like wax fruit: it looks good, but can you eat it? China’s current system, which in practice favors domestic players, must evolve to apply fairly to all litigants, in accord with the principle of national treatment. Moreover, China will move fully down the path toward protecting foreign IP only when its judicial system is sufficiently transparent that one can be confident of even-handed application of the rule of law. Although some within the Chinese judicial system are pushing for such reforms, I do not expect this kind of change will happen in the foreseeable future.
What future policy reforms or other developments would indicate that China will increasingly take trade-secret protection seriously? To what extent might these reforms be influenced by international pressure?
I believe that we need to see fulsome implementation by China of leading reforms, such as reversing the burden of proof and finding misappropriation based on indirect use rather than copying. That sort of demonstration naturally requires more transparency, and in particular the regular publication of judicial opinions. In my view, although there is some internal pressure on China to move in that direction (largely from professors who would like to have access to the reported data to inform their research), domestic forces will never be enough to effect meaningful change. This is simply because the government does not see a compelling reason to give up the inherent advantages of opacity.
Therefore, I believe that change will only come from external influence. As a multilateralist, I hope that such influence is exerted by countries operating through institutional frameworks such as the WTO, but of course there is room for unilateral action by the United States or the European Union, each of which can apply pressure relative to the size of its market.
If China does not fully implement the changes it has promised, or the pace of progress slows due to heightened tensions, what unilateral or multilateral policy measures would be most effective in getting things back on track?
The answer to this question depends very much on what one understands as getting things back on track. It is probably unrealistic to expect that China, without a fundamental change in government, will ever change its court system in a way that would allow us to be fully confident about the implementation of the most important reforms. If by being on track we mean being diplomatically engaged in active discussions about these issues, then I would say that direct economic pressure—perhaps not as drastic as some of the tariffs that have been levied by the United States, but of the same nature—is the most effective means for keeping China at the negotiating table and talking productively. Progress may be measured in inches, but if the parties are engaged, then it is a way of being “on track.”
What is the role of the World Intellectual Property Organization (WIPO) in trade-secret protection, especially with respect to China?
Having spent five years at WIPO, much of it engaged in attempting to facilitate negotiations to improve international IP systems, I am of the view that the organization is highly unlikely to play a meaningful role in securing improvements in China’s trade-secret-protection regime. In large part, this is because the concerns we have with China are about enforcement of the laws, not so much about their content. And enforcement in general is a forbidden subject at WIPO because it is largely perceived to invade the sovereignty of the member states’ judicial systems. This issue is both too diplomatically sensitive and arguably outside WIPO’s mandate. Additionally, there is the problem that trade secrecy in general is largely misunderstood in the international diplomatic community. Among many countries, any discussion of trade secrecy often focuses exclusively on Article 39(3) of the Trade-Related Aspects of Intellectual Property Rights (TRIPS) Agreement. Many believe that this article, which requires protection of pharmaceutical test data, was an unfortunate giveaway to the drug industry. More broadly, the notion of secrecy simply seems inconsistent with the general idea of transparency and so has a sinister connotation.
This debate suggests that WIPO’s primary contribution to protecting trade secrets in China could be to provide a forum to facilitate better understanding of the role of robust protection in enabling technology transfer. This issue itself is a subject of broad interest, particularly among developing countries. If there were a more sophisticated view of the role that secrecy plays in accelerating innovation, it might over time provide very helpful context for a continuing examination of the shortcomings of China’s trade-secret regime.
Given the rather decisive defeat of the Chinese-backed candidate for director general earlier this year, how will China work to influence WIPO in the years to come?
One can conclude from China’s promotion of its own candidate for director general at WIPO, following several successful campaigns for the lead spot at other UN agencies, that China has shifted rather dramatically from a lead-from-behind approach of exercising its influence to a much more aggressive posture that looks like a broad grab for power at the United Nations. This is occurring at a time when the United States has retreated somewhat from its traditional multilateral engagement, which has significant implications for the structures and mandates of multilateral institutions. Notwithstanding its failure in the WIPO elections, I have no doubt that China will continue to assert leadership, at least behind the scenes, where it exerts very powerful influence over a number of other developing countries. On this point, it is important to keep in mind that stopping something from happening at WIPO takes very little political power (as is probably true at most other UN agencies). In general, I would expect China to continue to assert itself at WIPO in ways that will help the country maintain control over the speed and substance of domestic IP reforms. If the United States wishes to understand how that will play out in the coming years, not to mention have any influence over the process, it must engage vigorously in the organization.
Back in ancient times, in this case 1990, John Gray, an obscure “relationship counselor” with a correspondence degree in psychology, was perplexed. The communication problems of the heterosexual couples he worked with were so serious that he couldn’t explain them by individual circumstances. His clients seemed to be talking past each other, almost as if they were coming from different planets. With that tired metaphor in mind, he penned the book Men Are from Mars, Women Are from Venus, generalizing what he thought were the universal, contrasting communication styles of the sexes.
Rarely has a book so widely panned by critics been so successful. Despite its obvious stereotyping, indeed sexism, sales have exceeded 15 million copies in 43 languages. The book spawned a Broadway show, a TV sitcom, and innumerable weekend seminars. Mr. Gray has continued to plumb the shallow depths of his thesis with several follow-on volumes. In effect, he has become rich by talking about how incompatible men and women are, despite eons of evidence to the contrary.
In our world of intellectual property, it once was like this between patents and trade secrets. The early common law concept of trade secrets, summarized in the 1939 Restatement of Torts, appeared to limit coverage to machines or processes run behind closed doors. But as courts began to embrace the idea that any valuable business information deserved protection, some academics raised the alarm that secrecy was moving on to the turf previously reserved for patents. How, they asked, could the same innovations be regulated simultaneously by a system that encouraged public disclosure and another that enforced private confidentiality?
The conundrum was especially difficult because of the very different pedigree of patents and trade secrets. While the former system was governed by a federal statute and grounded in the Constitution, secrecy was nothing more than the collective observations of judges expounding on notions of state law. Indeed, trade secret law was a mongrel, with parentage vaguely traceable to principles of tort, contract, employment and unfair competition law. Surely, the academics argued, there was no room in our carefully crafted federal system for this state-law carpetbagger. Patent law must preempt it.
A few judges agreed, and the issue eventually made its way to the U.S. Supreme Court, which in 1974 issued its opinion in Kewanee Oil Co. v. Bicron Corp. I can recall the day when as a relatively new lawyer I saw a partner sitting at his desk reading the advance sheets with unusual intensity. I asked him what was up, and he said, “The Supreme Court has said we can still have trade secret law.”
I came to study that opinion very carefully over the years, and it remains for me one of the best examples of a decision reaching the right outcome for a wrong reason. Basically, the court said that the federal patent system was not losing any business to trade secret protection. If someone had an invention that was obviously or likely unpatentable, the public lost nothing if it was kept secret. And while patents grant the right to exclude, trade secrets are “weak” because of the risk of independent invention. Therefore, the court assumed, anyone with a clearly patentable invention would never choose secrecy, so there was nothing in this parallel form of protection that would interfere with the integrity of the federal patent system.
The assumption that no one in their right mind would choose secrecy for a patentable invention was, and is, demonstrably wrong. Process technology, for example, has classically been protected as a trade secret, largely because it is so difficult to detect infringement by a competitor.
In any event, one of the concurring judges pointed out, patents and trade secrets had been in coexistence for almost 150 years, with Congress occasionally amending the patent laws without ever muttering a word about secrets.
So, we are allowed to simultaneously enjoy a disclosure-oriented patent law alongside a separate system that enforces secrecy. This is where we come back to the theme of Mr. Gray’s book. While generalizations about the sexes may be neither accurate nor appropriate, patents and secrets are so different in so many ways that it seems remarkable to me that they work in parallel, not to mention that they can each contribute to a company’s IP strategy.
Understanding the differences can help us appreciate the complementary relationship and make better use of each. Here are some observations that should be useful.
Patent law is legislated, while trade secret law is constructed by judges. This is less true than it was 40 years ago with the introduction of the Uniform Trade Secrets Act, but only slightly less so. The UTSA official comments declare that it was designed to codify the common law. The model statute, like the more recent federal Defend Trade Secrets Act which was based on it, is very short, certainly relative to the patent statute. If you want to understand trade secret law, you have to read the cases, because the foundation was built on individual judgments about ethical business behavior.
Patents are rules-based, while trade secrets are principles-based. This difference is closely related to the first. The reason the UTSA is so short is that the balancing of competing interests – for example, between employer and employee – inherently requires interpretation of ambiguous circumstances and application of ethical and moral judgments. With most patent cases, the path to a decision can be laid out in a flowchart. Which is not to say that patent cases are easy; but they are more predictable.
Patents are not about fault, while trade secrets are all about fault. As an attorney, preparing a patent case for trial to a jury can be challenging, as you search for the human-interest element that will sustain attention through an otherwise fairly dry presentation. In stark contrast, almost any trade secret case will capture the jury with its inherent focus on themes like treachery, abandonment, jealousy and revenge. No problem keeping everyone awake for that.
Patents are narrow and specific, while trade secrets are broad and vague. I sometimes use the metaphor of a large storage room, filled up to the ceiling with a physical representation of the data assets that help distinguish any business – R&D, financial plans, secret processes, road maps, customer preferences – and point out that, for most companies, the relative size of their patentable inventions might be equivalent to a grapefruit or maybe a basketball. There’s a lot there that potentially deserves protection, and the trick is in discerning what matters most, and then managing to maintain control over its integrity.
Patents are defined, while trade secrets are assumed. With a patent you get a government-approved description of the invention. You can show patents to investors. You can count them. You can flaunt them, to keep competition at bay. But secrets are usually not defined until you have to do it because (most often) you are in litigation over them and a judge tells you to. This is not ideal, of course, and in recent years I have seen this difference narrowing, as businesses pay closer attention to proactive management of secrets. What used to be the Patent Committee is now the Innovation Committee, and the most sophisticated companies are implementing specific business systems to identify and manage their critical information assets.
Recognizing all these differences should help us exploit them, to find synergies that can supercharge our IP strategies. Remember, all patents start out as secrets. And you don’t necessarily have to choose one or the other exclusively, as there are aspects of most products that suggest using both (as well as other forms of IP). Yes, patents and trade secrets come from different planets, but they are joined in a valuable, and creative, orbit.
It happened to Japan in the 1950s. Then it happened to Taiwan, and then Korea. Rapidly developing countries started out relying on copying foreign technologies to drive their economies. But as growth increased and investments in education led the way to domestic innovation, each country found that a framework of strong intellectual property (IP) laws was necessary to sustain economic expansion.
For many years, the relationship between China and the United States (as well as other Western countries) around IP has felt like pulling uphill on a very heavy wagon, as we tried to convince, cajole and threaten, often demanding reforms as part of trade negotiations. The relationship with China was further weighed down by the perception that the government was itself involved in misappropriation and that in general it was a proponent of weak IP protection. This past January, in the midst of a tariff war, China signed the “Phase One Agreement” that promised certain improvements in its trade secret regime in return for the United States dialing back some of the trade pressure.
Given this history of adversarial trade negotiations, it came as something of a surprise when on June 9 China’s Supreme People’s Court (“SPC”) issued an extensive draft “Judicial Interpretation” (“JI”) of the country’s civil trade secret laws. (It released two other JIs at the same time, related to internet IP and e-commerce platforms.) JIs are quasi-legislative enactments of the SPC that can have the force of law. In a number of areas, the new trade secret pronouncement not only went beyond what had been promised in Phase One, but included some provisions that seem more creative and sophisticated than the analysis we might find in many U.S. court decisions.
Until a more formal translation is available, the best resource for understanding this new development is the China IPR blog by Mark Cohen of Berkeley Law, who for years was the USPTO’s senior counsel for China and who speaks and reads Mandarin. See his post on the JI here.
Does this mean that China, like other Asian countries before it, has finally turned a corner and is now strengthening its IP system to meet its own interests, rather than being pressured to do so? Is it now pushing where we in the past have been pulling? Perhaps. But a couple of caveats are in order before we take a look at the most remarkable provisions of this JI. First, it was published as a draft for comment (the period ends July 27), so it’s likely there will be changes. Second, we are working from a preliminary translation of the JI. Third, the Supreme People’s Court doesn’t have direct control over administrative or criminal procedures where some trade secret cases are resolved. However, the recent consolidation of all technology-based IP disputes into the IP specialty court makes it likely that the SPC’s interpretation will not only be considered authoritative but may also influence the administrative and criminal trade secret enforcement agencies.
Here are the aspects of the trade secrets JI that (after consultation with Professor Cohen) I think are most interesting.
Identification of secrets (Article 1). The trade secret owner has to “clarify the specific content” of the claimed trade secret in the first level court, which may dismiss all or a portion of a claim that is not clear. The defendant can ask for greater specificity, and the court may resolve the issue by taking evidence subject to cross-examination. On appeal (where the case is essentially re-tried) the plaintiff can amend its specification. This tracks the general approach in the U.S. to force an early identification but allow refinement as the case proceeds.
Combination secrets (Article 2). Under U.S. law a trade secret may consist of a unique combination of elements each of which may be generally known. The JI similarly provides that a claim will qualify if “the information known to the public is collated and improved.”
Value from secrecy (Article 3). The U.S. rule, exemplified by the DTSA (18 U.S.C. § 1839(3)(B)), requires that a trade secret “derive independent economic value, actual or potential” from not being generally known. The JI speaks in similar terms that the plaintiff has to show “real or potential market value” that “can bring about a competitive advantage.”
Reasonable efforts (Articles 6 and 7). The SPC’s treatment of this universal requirement that the plaintiff demonstrate reasonable efforts to maintain secrecy is especially remarkable for the way that the court’s expression aligns with the practical security concerns of any information-based business. While most U.S. courts address this issue with a shallow recitation of typical practices such as NDAs, passwords, marking etc. (which the SPC also does in Article 7), in Article 6 of the JI it suggests a number of “factors” that should be considered by trial courts in making a judgment about the issue. Among these are the nature of the business and the “degree of matching of confidentiality measures with trade secrets.” In other words, while it gives a nod to the “checklist” of efforts, the JI introduces proportionality into the calculus, by pointing out the utility of tying particular measures to particular risks to particular secrets.
Shifting the “burden of proof” (Article 8). As in most civil law countries, China has no discovery, and just getting into court on a trade secret claim can be very difficult. In the Phase One Agreement at Article 1.5, China promised to implement a provision that, if “prima facie” or “preliminary” evidence of the required elements is provided by the plaintiff, the burden shifts to the defendant to prove that there was no misappropriation. The JI appears to address this promise, requiring the defendant to back up any claim of independent development with evidence.
Implied confidentiality (Article 10). The confidential relationship inherent in most trade secret claims does not require a written contract, but can be inferred from “the principle of good faith,” “trading habits,” and the like. This is consistent with China’s laws on commercial contracts.
Access to secrets by an employee or former employee (Article 13). As with the reasonable efforts issue, the JI suggests multiple factors that the court may consider in determining whether an actor had access to obtain secrets. This is interesting primarily because it reflects an embrace of circumstantial evidence, implying more flexibility in the court process.
Indirect misappropriation (Articles 14 and 15). One of the perceived barriers to effective trade secret enforcement in China has been a rather rigid view of what constitutes misappropriation that seems to require something close to copying. The JI indicates that this approach may be softening. Whether what the defendant has done is “substantially the same” should be based on consideration of a number of factors, including the “degree of similarities and differences,” whether the differences would be obvious to a skilled person, and the extent of related public information. Perhaps most importantly, the court may find that a trade secret has been “used” if it has been “modified” or if “business activities [have been] adjusted according to” the plaintiff’s secret. All of this points in the direction of U.S. law finding liability when a defendant’s project has been influenced or accelerated by exposure to the plaintiff’s secret information.
Head start injunction (Article 22). Under U.S. law, if following entry of an injunction the information ceases to be a trade secret (for example by publication of a patent application), a court may continue the injunction for a period of time necessary to deprive the defendant of the unfair advantage obtained by the earlier misuse. The JI appears to allow a court to do the same thing if the provisions of the injunction are “not enough to eliminate the unfair competitive advantage.”
Damage apportionment and punitive damages (Article 24). Again, the JI suggests a factor-based analysis for the court to determine the “proportion and role of the infringed technical information in the entire technical plan or the infringement of trade secrets.” Significantly, courts are directed to take into account the “infringer’s fault” in considering an award of damages that represents “a reasonable multiple of the license fee for trade secrets.”
Limited damages discovery (Article 26). In cases where the plaintiff has presented “preliminary evidence” of misappropriation, and “the books and materials [presumably accounting records] related to the infringement of trade secrets are mainly controlled by the infringer,” the court may order those materials to be produced.
Protection of trade secrets in litigation (Article 27). The JI requires that the trial court “take the necessary confidentiality measures” in connection with litigation and trial. However, it provides no specifics on exactly what kind of protective orders are recommended or even allowed.
Venue (Article 29). Signaling increased flexibility in permitting venue other than in the defendant’s domicile, the SPC now gives the plaintiff in a technology trade secret case a choice, initially where the infringement occurred or the defendant is domiciled. And if it is “difficult to determine” those places, the action may be filed at the plaintiff’s domicile.
Application of national law (Article 30). In what may be seen as a response to trade secret claims filed at the ITC involving trade secret infringement that occurred in China, the JI directs that any civil cases “involving foreign-related violations of trade secrets” will be determined in accordance with Chinese law.
Although China has for some time now shown interest in trade secret reform, this week’s trade secret draft JI undoubtedly was motivated in part by recent trade negotiations, including the Phase One Agreement. But this most recent pronouncement seems in some respects to go beyond what was required, and in those respects also seems to reflect an imprint of U.S. practices. Nevertheless, it will be important to watch what happens as the JI is finalized in the next few months, and what its practical impact on Chinese courts and administrative agencies might be. Perhaps we are at an inflection point with China where reform and strengthening of its trade secret protection system will become self-generating and ever closer to our own, albeit with Chinese characteristics.
“Information wants to be free.”
— Stewart Brand
Stewart Brand, the creator of the Whole Earth Catalog, is famous for saying in 1984 that “information wants to be free,” which became a battle cry for anti-intellectual property activists. But this is what he actually said:
“On the one hand information wants to be expensive, because it’s so valuable. The right information in the right place just changes your life. On the other hand, information wants to be free, because the cost of getting it out is getting lower and lower all the time. So you have these two fighting against each other.”
Not exactly a Marxist manifesto. But the shorter version of his words took on a life defined by others. In fact, it has been used in different ways. For the anti-IP crowd, it is a political expression of the idea that the benefits of information should be freely open to society as a whole, and not corralled by intellectual property laws to the benefit of a few. But it also can be taken as a neutral observation of a simple fact: once information has been transmitted to a new place outside the control of the originator, it will naturally propagate toward wide distribution, eventually into the public domain.
That process is a good thing if you are an academic trying to advance the state of knowledge and make a reputation for yourself at the same time. However, if you run a business that depends on data to drive success — and what business doesn’t these days? — this tendency of information assets to escape is a major, perhaps existential, risk. Given that those assets are handled by human beings, the management challenge can feel a lot like trying to contain . . . a virus.
Indeed, one of the reasons that Brand’s quote went viral (sorry) is that it attributes human desire to information (it wants to be free), just as we describe a virus in anthropomorphic terms (it wants to find a home and propagate; it wants to mutate).
The metaphor is not perfect. After all, a virus, unlike bacteria, is rarely considered valuable or helpful. But I believe the comparison is apt and useful in many ways, not least as a mnemonic device to help us stay focused on the difficult but necessary discipline of caring for the integrity of the company’s most valuable property, just as we care for our individual health.
So stay with me as we look at several main areas of overlap between trade secret management and pandemic response. To begin with, let’s recognize that our concerns are not only about our own information propagating outwards, but also about blocking unwanted information from infecting our data systems. So our control systems are naturally tuned toward containment: keeping our data in and others’ data out.
Policies and procedures: your immune system. When was the last time you checked up on the health and performance of your company’s strategy and tactics for maintaining the integrity of your data assets? In fact, are you sure you know what your data assets are? Just like human systems, no two companies are exactly the same in their information security risks. As things settle in following the current crisis and we begin adapting to a new normal, this is a great time to engage in a fresh risk assessment exercise and recalibrate your systems to align with the new environment.
Employees: your behavioral system. While our body’s systems are programmed, the workforce needs training and attention to ensure that it is on alert for risks and makes good choices every day. As regards confidential information, this is a particular challenge not only because employees are distracted by other priorities, but also because they often can connect to the company’s systems through their own phones and tablets, which they then use at home to engage with social media, a system which trains them to share.
It’s not that they intend to cause problems. But just consider the two times of greatest risk with a mobile workforce: when they are coming and when they are going. New hires can be like people infected with a virus but exhibiting no symptoms: they are carriers, but in this case the source of contamination and infection is their former employer, where they were entrusted with access to valuable information that may be relevant to what you are asking them to do. And then when they leave, they carry your trade secrets in their heads as they walk out.
In between those two high-risk moments, you have the opportunity to increase their awareness through training, so that their behaviors are more cautious when it comes to handling sensitive information. As with your Fitbit, there are monitoring systems that can help you understand how well they are complying with your information hygiene instructions.
Outsiders: social distancing. As Ryan Lilly said, “For any creative thought to be contagious, it must first be worthy of a sneeze.” When senior engineers or sales people attend conferences, your company’s important information can easily be exchanged through casual contact. For more organized third-party contact, there is protection available in the form of nondisclosure agreements that permit communication at a respectful distance. But here too we have to pay careful attention, both to how those protections are designed and how they are used, to make sure they perform as intended.
Disputes: falling ill, with luck briefly. When infection with another’s trade secrets occurs, in either direction, great efforts will be made to reduce the fever and recover. The alternative is to go to the hospital (court), which ironically can risk intensifying the symptoms. Happily, almost all patients recover and use the experience to reconsider their health habits.
Misappropriation: mutation. One of the frustrations of dealing with a virus is that it can mutate rapidly to stay ahead of treatments and cures. Similarly, when secrets are stolen, the misappropriator rarely incorporates them into its own systems or process in the same way they were deployed by the victim. Instead, the information is used indirectly, to inform and accelerate development, and the original information has morphed beyond recognition. Reconstructing what happened becomes a research project of its own.
As companies grapple with the consequences of the current economic and social disruption, they will face fundamental changes in how we do business. But self-isolation is not an option. In the information economy, unlike the pre-industrial cottage shops of the 17th century, we need to share. The key is to balance that need with the risks it creates. We should expose our information only to those who need access, and who have acquired the protective gear of confidentiality agreements, training and other controls.
“Artists work best from home.”
— Steve Wozniak
If while you’re reading this you are stuck at home or some other location trying to work remotely, give some thought to 18th century self-proclaimed alchemist Johann Friedrich Böttger. As a young and ambitious man living near Dresden, he was convinced that he could actually make gold from base metals, and when King Augustus the Strong (who was apparently in need of more gold) heard about his audacious claim, he had Böttger taken into “protective custody,” which turned out to be a dungeon in his castle. Böttger was to set up a lab and stay at it until he could produce the real stuff.
Unsurprisingly, Böttger produced only a lot of foul smells and the occasional small explosion, and over the next two years, earning his freedom seemed increasingly remote. In fact, he feared for his life. But the king decided instead to appoint a real scientist, Ehrenfried Tschirnhaus, to oversee Böttger’s work. Tschirnhaus was not interested in gold, but rather something that at the time was equally valuable, because it had to be imported from China: white porcelain. Böttger didn’t care about such frivolities, but he was not in a position to resist acting as a lab assistant. Eventually Tschirnhaus cracked the code for porcelain, but suddenly died. Böttger got his hands on the formula, went to the king with the good news, and that’s how Böttger came to fame and wealth as the “inventor” of Dresden china. #dumbluck
Böttger of course got a much nicer lab in the castle, with doors he was free to use. But perhaps because he had learned how much more productive one could be when imprisoned, he famously had his own employees chained to their desks and, in an early form of social distancing, prohibited them from contact with others, lest the secrets be lost. This worked for several years until one of them escaped to Vienna with the formula, which is why you can afford nice china dishware today.
One more history lesson about working outside an office. This one takes us to Venice, where the ancient Roman secrets of glassmaking had been rediscovered and perfected in the 13th century. If you have heard of the beautiful, multicolored Murano glass, that’s because the Venetian government in 1291 forced all the glassblowers to relocate to that neighboring island, ostensibly to prevent their furnaces from sparking a destructive fire in the then-wooden city. The real motivation was apparently to get better control over the craftsmen and their secrets, by putting them in one place and forbidding them from leaving, on pain of death. Now, there’s a serious lockdown. But the glassblowers were able to form a guild among the families and control both the secrets and their prices. So working from home turned out to be a pretty good thing.
Now fast forward to the 1970s, when I first got involved with trade secret management. Business had long before dispensed with life-threatening measures to protect secrets, but the process was fairly straightforward, because everything was on paper and there were no networks. The greatest threat to information security was the photocopier, and taking work home was seen (by the employer at least) as a good thing. Not everyone behaved, and there were plenty of lawsuits, but security was simpler.
We now enjoy networks with more or less infinite bandwidth, spread all over the planet, and supercomputers (that is, phones and tablets) in the hands of millions of employees. We have been able to produce way more valuable information much faster, but the digital world we work in also makes that data more vulnerable than ever. Thankfully, advances in technology have also made it possible for us to keep track of electronic information, both at rest and in transit, and so our sense of control around the security of trade secrets has not degraded that much. Unfortunately, people still sometimes do stupid things with data, just like they did with paper, and so the challenge of modern business has as much to do with managing behavior as with harnessing software.
And that’s the everyday challenge when most of the workforce comes into the office. But working from home increasingly is a hallmark of the digital age. We do it because we can, and it’s more convenient. And we do it because of the demands of employers, customers or clients for 24/7 availability. This means that we have to depend even more on our networks to get things done and the tools to track what we’re doing. But particularly as more people choose to, or have to, work from home, the issues around managing their behavior become more complex.
Security is a conundrum, a trade-off, a paradox. A kind of permanent tension exists between what we know is good for us and what we find more convenient. Remember the days before you had to recall passwords and PINs? Now consider two-factor authentication. Yes, it makes it really, really certain that it is you when you have to wait (after putting in your password) for a code to come to your phone. But should we have to endure that every time we want access to a file? Now, consider the use of Virtual Private Networks, or VPNs. Using these company-owned networks while at home allows us to communicate securely by using end-to-end encryption. But they’re usually slower than our personal WiFi, so when we need to send a lot of messages or move a lot of documents around, well . . . .
So working at home requires being very careful, and in normal times companies can usually manage those who need to be engaged remotely. But what about now, when almost everyone is doing it? And what about later, when we return to normal, but find out that normal includes new habits about when and where we can do our jobs? How can companies respond to the present needs, as well as prepare for the future?
First, focus on the basics. Review with your IT team how existing procedures and controls can operate in the dispersed environment. Companies with a lot of experience implementing mobile device management protocols and tools will mostly just need to increase resources. However, incident (i.e., breach or other security problem) reporting may not be as robust as when most people are operating in controlled surroundings, so you may need to explore how to adjust your systems to take into account those additional vulnerabilities.
Second, reinforce to all staff the importance of protecting confidential information in its various forms. Remind everyone about what kind of information is sensitive, and what your expectations are for hygienic business behavior, particularly their communications with the outside world. Tie this messaging to your existing policies and procedures, emphasizing that this effort is an extension of the company’s focus on protecting its sensitive data, an issue that obviously needs more attention when we are all in remote locations.
Third, provide everyone with sufficient cloud-based data facilities (such as Google Drive or Dropbox) that are easy to use for secure storage and transfer of information with customers, supply chain partners and other outsiders.
Fourth, encourage staff to use company-owned devices and the company’s VPN, and to continue to use company email systems for business matters. Make sure everyone knows that use of home computer systems and WiFi is not secure and that they should especially avoid using it for any sensitive communications. For those who resist (and sometimes the recalcitrant are executives), consider providing personal IT support to enhance the security of their environment.
During this unusual time, employers need to be flexible and understanding. Getting compliance with the full suite of security protocols is harder at a distance. Trade secret management is about balancing value against risk, and then measuring that risk against the cost (including inconvenience) of various measures to reduce it. One of the practical risks is that people won’t follow rules that get in the way of getting the job done, and so you need to be sensitive to their struggle and try to collaborate about finding acceptable solutions.
An essential element of trade secret protection is that the owner has made “reasonable” efforts to keep the information a secret. But as the Uniform Trade Secrets Act tells us, those efforts must be reasonable “under the circumstances.” When circumstances change, as they have recently, we need to recalibrate. In fact, when things return to whatever normal turns out to be, this will be an excellent opportunity for every organization to revisit the way in which it approaches management of its most important information assets.
WIPO and the other agencies may sound like obscure bureaucratic outposts, but they help shape standards and rules for global commerce. WIPO logs 250,000 patent applications every year, including more than 55,000 from the United States, and it’s supposed to keep them secret for 18 months until they’re published. The director general “exercises control over every aspect of WIPO’s operations,” according to James Pooley, a former WIPO deputy director general.
“Data that is loved tends to survive.”
— Kurt Bollacker
In last month’s post, Part 1 of this series, we considered the view of European academics that trade secrets are not “intellectual property” because they don’t give the power to exclude others, like patents, copyrights and trademarks do. But considering that trade secrets are treated throughout the world like a kind of property – they can be transferred and taxed, and stealing them is considered theft – we concluded that what matters is not exclusion, but control. It is the ability to control access to secret data that can give companies an advantage over others that don’t know about it.
We considered the example of an Armenian family that has managed to keep – and profit from – the secrets of making the very best orchestral cymbals for four centuries. They did this by sharing only within the family, where presumably they had available some compelling ways to enforce trust.
For the rest of us in the modern, globalized and digital economy, we have what looks like an impossible task. How do you protect the company’s secrets when they are zooming around the globe at the speed of light and accessible by thousands of employees, contractors, partners and vendors, each with a small supercomputer in their hands? More specifically, what do you do when those people go home in the evening and use those same little devices to participate in various forms of social media, where they are relentlessly instructed to share the most molecular details of their lives with hundreds or thousands of “friends”?
Before we try to answer those big questions, here’s a comforting thought. What the law expects fits nicely with what the owners of a business should expect: that management will do what is “reasonable under the circumstances.” Okay, you might say, that is just an abstraction meant to dodge the problem. But there is some instructive guidance behind the “reasonableness” standard.
It starts with recognizing that perfect security is not feasible in today’s data blizzard. The more people we trust with access, the greater the risk. But in order to compete in fast-moving markets, we can’t go it alone. Today’s innovation and commercialization usually require large teams, including external partners. So being “reasonable” means accepting that risk.
Besides the imperative to share, we also have to confront another reality of risk: security measures almost always come at a cost. It’s not necessarily about money, but about convenience and productivity. Think about two-factor authentication, where in addition to your normal password you have to wait for a special one to be generated and sent to your personal device. Now think about doing that 50 or 100 times a day, as you go through each office door and engage with each software program or database. It adds up. Most businesses can’t afford the efficiency loss that results from placing maximum protection on all forms of data.
So it’s pretty clear that we can’t have it all when it comes to information security. “Reasonable” means thoughtful management of the risk of losing control over your data, while not letting the perfect be the enemy of the good. So how does a business do that? Here are some observations grounded in the law and in sensible business management.
To begin with, recognize that “reasonable under the circumstances” refers to the unique circumstances of your business and the risks faced by your information assets. There is no one-size-fits-all checklist of “best practices” that applies across the board. If you think that checking off a list of security techniques is enough, or if you’re worried that you’re not doing everything on some list, forget that. What matters is the circumstances you are in, measured by three things: value, threat and cost.
Valuable information can be found everywhere in most companies, and we can’t protect it all with maximum effort, or the business would collapse under the weight of the effort. Instead, we have to understand where we get competitive advantage from data, and try to categorize it according to its value. This is not necessarily value in the absolute sense, measured by currency. Instead, knowing relative value will help inform decisions about what level and kinds of security are needed. The algorithm that powers a critical business process might deserve more attention than a marketing strategy.
Assessing value could be as simple as picking the top 10 or 20 trade secrets that cause you concern. To do that, you need to know what you have. But don’t be put off by fear that an “inventory” of information assets has to be a logistical nightmare, like the hardware store shutting down for several days in order to count all the individual nuts and bolts. Instead, the idea is to organize your data into categories that reflect similar kinds of value, such as tools, databases, strategies, R&D records, information about customers, financial data, and information entrusted to you by others.
The next step is to assess the threat, or risk, faced by the different kinds of confidential information you need to manage. Here there are two kinds of threat. First, there is risk of loss or leakage that can reduce or destroy competitive advantage. We can refer to this as “outbound” risk. In contrast, but often equally important, is “inbound” risk, that is the possibility that your information may become contaminated by unwanted data from outside the business. Most commonly, this sort of infection happens through hiring from competitors; but it can also come in through poorly managed confidential business relationships like a potential acquisition.
In order to thoroughly understand your risks, of course, you need to estimate the likelihood that the bad thing might happen, as well as its impact on the business if it does. Hiring an engineering manager from a direct competitor to lead an identical project will represent a substantial danger of potentially serious harm; while providing secret drawings to a trusted vendor without negotiating a non-disclosure agreement (NDA) may be more acceptable. Making these distinctions will help management focus not just on the hazards but on how much risk might be acceptable in the name of efficiency.
Once you know what you have and the array of threats you contend with, you can begin to consider where to focus your attention and allocate your resources. In this part of the process you consider the ways in which you might reduce the potential for harm, measuring the cost (in terms of money or operational friction) against the value of the information in question. In recruiting the engineering manager, for example, you might consider not only providing warnings and getting assurances about unwanted transfer, but also, if the perceived risk warrants it, providing the new hire with independent counsel to reinforce the message and to better distinguish between the skill he can apply and the trade secrets he can’t.
Many other decisions about information security will be taken in this way. Should the company adopt a labeling system for confidential information that applies multiple levels of restriction, or will a simpler system result in better compliance? Does a different risk environment in overseas facilities call for a different kind of employee training there? Should NDAs be managed centrally, or should business managers be allowed to negotiate special terms? Should access to various systems and databases be controlled for each application, or is universal access with passwords enough? Should we install software on employees’ phones to ensure they don’t share company secrets?
If you’re thinking that what I’ve described here is just classical business risk management, you’re right. The process of considering value, risk of loss and cost of mitigation techniques is how most companies approach caring for their assets and opportunities. For some, the analysis is more ad hoc than strategic, while others increasingly look outside the organization for help in designing a comprehensive data protection program.
The most important takeaway is this: your information is your property, and without due care its value can diminish or disappear. But you have control over it. Pay attention and be aware of your options. That is the “reasonable” thing to do.
“Knowledge conquered by labor becomes a possession – a property entirely our own.”
— Samuel Smiles
Sometimes it seems that trade secrets are always fighting for respect. I recently ran into a friend who teaches at a European university. He somehow found a way to squeeze into the conversation a pronouncement: “You know, trade secrets are not property.”
Stay with me; this gets interesting.
I sighed, because I knew what was coming. I’d heard it many times before. “The essence of property,” he said, “is the ability to exclude others, and that doesn’t exist with trade secrets. Anyone is free to discover the same information, or to reverse engineer a product to learn how it is made.”
I acknowledged that trade secret rights are not exclusive, and it’s easy to reverse engineer some things. “But what about secret formulas, like Coca-Cola’s, and secret algorithms, like Google’s? And companies often make products using processes that you can’t figure out by looking at what’s public.” He was ready with the ultimate squelch: “Sure, but all of that is not property, because you can’t exclude anyone; you might not even know when someone is using the same so-called secret. If you can’t order them off, it’s not property.”
Like I said, I’ve heard this before. Even in the specialized world of intellectual property, the other major rights – patents, copyrights, trademarks – give you exclusivity, at least for a time. (Twenty years for patents, life of the author plus 70 years for copyrights, and during commercial use for trademarks.) If someone tries to make the same invention, publish the same song, or use a confusingly similar mark, you can get a court to make them stop, just like you can protect your land against trespassers. But for trade secrets, you have to accept the fact that others may develop, or discover, the same information that gives you an advantage over your competitors.
In some parts of the world – mainly Europe, where my professor friend was from – this distinction can matter. When the EU in 2016 issued its Trade Secrets Directive, requiring all the member states to meet certain standards in their national laws, it specifically said that trade secrets were not to be treated as “intellectual property.” That meant that the earlier EU Enforcement Directive, which provided some helpful remedies like seizure, and which required sharing certain information with the owner of the IP, wouldn’t apply to trade secrets.
Never mind that every one of the EU member countries has long been a signatory to the 1995 TRIPS Agreement, which declares, in Article 1, Section 2, that all categories of IP, including “Undisclosed Information” (Article 39), are “intellectual property.” In Europe, the combination of academic inflexibility and political cowardice has kept business secrets trapped in this “non-property” abstraction.
On our side of the Atlantic, we’ve taken a more practical view about treating information as “property.” As we imported the law of trade secrets from Britain (which is about to leave the EU, but apparently not because of how they treat secrets), U.S. judges recognized that the knowledge developed by a business that gives it an edge should be treated like more traditional forms of property. This was important to an emerging industrial economy that required sharing information in confidence with employees and others.
In 1868, Massachusetts’ highest court ruled that if one “invents or discovers, and keeps secret, a process of manufacture . . . he has a property in it” that courts will protect against a breach of confidence. But the ability to assert trade secrets had already been established by the same court many years earlier. It may seem deliciously coincidental to those of you familiar with Roald Dahl’s Charlie and the Chocolate Factory that the first trade secret case in the U.S. was about . . . a process for making chocolate. If you want to look it up, it’s Vickery v. Welch, 36 Mass. 523 (1837).
In the first half of the 20th Century the courts took a small detour by emphasizing that the interest being protected was more about the confidential relationship than the information itself. In 1917, the U.S. Supreme Court declared that “the property may be denied, but the confidence cannot be.” But in later cases, the Court ruled that trade secrets may be taxed, that the constitutional requirement of compensation for seizure of property applied to trade secrets, and that “confidential business information” was “property” within the meaning of the mail and wire fraud statutes.
These decisions align with the way that business treats valuable information as an asset. It can be bought and sold, licensed, shared, and pledged as collateral. Is it “property”? The view here is that if it waddles and quacks, it’s a duck.
But apart from the way we treat it in transactions, what is it about this special right that should make us feel comfortable calling it property? It is the element of control. Although we can’t control whether someone independently develops the same information, we can control who gets access to our own, and under what circumstances.
Back in 1623 in Constantinople (now Istanbul), a fellow named Avedis Zildjian was trying to perform alchemy, and while he didn’t manage to transform base metal into gold, he did happen on a special alloy of copper, tin and silver that when fashioned into a circular sheet made a great sound. Today, the Zildjian family company still supplies what are considered the world’s best cymbals to leading musicians all over the world. The secrets are safe because they’ve not been disclosed outside the family for generations.
Other businesses can achieve the same effect, simply by managing their information assets. In fact, the modern law on trade secrets requires that, before courts will lend a hand to enforce promises of confidentiality, the owner has to show that it has engaged in “reasonable efforts” to keep the information secret. What’s “reasonable?” The law doesn’t specify, beyond teaching that every circumstance is unique, reflecting the value of the information, the risk of its loss, and the cost (including inconvenience) of instituting various measures to reduce the risk.
In the end, getting help from the courts to protect your secrets will depend to some extent on how much you exercise the control that comes with secrecy. Realizing the need to share information with employees, vendors, customers and collaboration partners, you should establish all the controls that help everyone understand the confidential nature of your data assets and reduce the risk of inadvertent leakage or contamination by someone else’s secrets.
Next month, in Part 2, we’ll take a closer look at what businesses should be doing to maintain the integrity of these most valuable assets. In the meantime, just remember this: you have control over who gets access and what they can do with those assets. Exercise that control, and you’ve staked a claim to your property. No matter what the European professor says.
“We’re from the government, and we’re here to help.”
— Anonymous
According to Merriam-Webster, the “Word of the Year” for 2019 is “they” when used in the singular, typically to avoid ascribing a gender to the person being referred to. The larger point is this: language matters. Since this is a space dedicated to secrecy, let’s consider how we use language to determine who gets access to our trade secrets. For today, we’ll be looking specifically at how government does this. After all, they write the laws and so should be practiced at defining exceptions to property rights.
Why should the government care at all about business secrets? Examples will help us here. Locally, the fire department needs to know what hazardous chemicals you might be storing at your plant, in case they have to come and put out a fire there. For different but equally compelling reasons, the Food and Drug Administration (FDA) insists on knowing exactly how drugs are made, and the Environmental Protection Agency (EPA) requires submission of pesticide ingredients. And then there is the government as consumer: last year the U.S. spent over $550 billion on purchasing goods and services from the private sector, and with all that economic clout comes the right to demand access to a lot of related data.
Government purchases are regulated by the Federal Acquisition Regulation (FAR), a law only somewhat less complex than the tax code. But for “commercial items” the FAR gives the government no data rights. The seller can provide “limited rights,” allowing the government to use information only for internal purposes and repairs, protecting it from public disclosure.
Although not everyone sells to the government, many businesses are required to give the government a great deal of information that they don’t want the competition to see. A federal statute, aptly named the Trade Secrets Act, has been in place for over a century, making it a crime for federal employees to disclose valuable business information. In addition to the FDA and EPA, this law and other regulations designed to protect trade secrets apply to mandatory disclosures made to the Securities and Exchange Commission, the Consumer Product Safety Commission, the Occupational Health and Safety Commission, and even the Post Office.
Over the first half of the 20th century, as the federal government broadened its regulatory functions, keeping business data confidential was straightforward: companies would mark their records “confidential” and agencies would keep them sealed from public inspection. Then came the Freedom of Information Act (FOIA, pronounced with delight or disdain, depending on your interest, as “FOY-YAH”).
Originally adopted in 1966, FOIA was expanded in 1974 following the Watergate scandal, to allow broader and easier access to government by the public. It requires that federal agencies promptly make available to any “person” any requested record unless it is “exempt” from disclosure. Two aspects of “Exemption 4” are relevant here. The first is for “trade secrets,” which one might expect allows companies to breathe easy about the risk of disclosure. However, the courts soon interpreted the phrase “trade secrets” under a 1939 guide (the Restatement of Torts) to have a very narrow meaning, so that part of the exemption was not much help.
A second part of the exemption applied to “confidential commercial information,” and this at first seemed to provide comfort for submitters. But the courts eventually narrowed the meaning of this phrase, too, adding the requirement that, to prevent disclosure, a submitter had to prove “substantial competitive harm.”
This “competitive harm test” might not have been much of a problem if the issue were always resolved privately between the government and the owner of the secret information. But another actor was usually involved. Almost from the outset of FOIA, a statute intended to inform the public about the workings of their government, the most frequent applicant for disclosure has been — no prize for guessing — commercial entities. With the potential of access to information saving years of expensive research, competitors would challenge the exemption in court, leaving the trade secret owner to argue over the vague and speculative concept of “substantial harm.”
Not anymore. A few months ago the U.S. Supreme Court issued its first opinion on the meaning of Exemption 4. In a case called Food Marketing Institute v. Argus Leader Media, the issue was whether information about food stamp redemption at individual grocery stores, submitted by them to the FDA, had to be revealed under FOIA. Examining the text and history of the statute, the court held that “confidential” has an ordinary, dictionary definition and applies to any information that a business would customarily treat as “private.” The “competitive harm test” had been improperly added by the courts.
For companies that need to share competitively sensitive information with the government, this ruling provides much more certainty about keeping the information from competitors. But while celebration may be in order, it’s no time to relax. Agencies, and the people that work for them, can make mistakes. Just ask Monsanto, whose Roundup® herbicide dominates the market because it is effective against a large range of annual and perennial weeds and allows planting soon after spraying. In 1982, the EPA gave the secret formula to a lawyer for one of the company’s competitors. (The information was later retrieved.) And then of course there are state and local agencies to deal with.
What should companies do to protect themselves against the risk of disclosure by the government? First, put prominent labels on all sensitive records before they are submitted. This kind of marking may be required by a special statute or regulation that applies to your industry; but even if it isn’t required, it’s common sense to communicate boldly your claim of confidentiality to those who are handling your data.
Another way to control the risk of disclosure is to get an agreement from the agency involved. This is more cumbersome than just marking your documents, but it increases the odds that the information will be handled with care, and that the agency will refuse to disclose it to an outside party.
Finally, closely examine your draft submissions. Try to find a way to supply the required information without revealing your business secrets. To the extent that you achieve that goal, then your data will have the best possible protection against government disclosure.
The “Word of the Year” for business in 2020 is “confidential.”
“Any sufficiently advanced technology is indistinguishable from a rigged demo.”
— James Klass
The spectacular failure of blood-testing firm Theranos is the subject of a riveting book, Bad Blood by investigative reporter John Carreyrou, and an engaging documentary, “The Inventor” on HBO, focusing on Elizabeth Holmes, the once-celebrated wunderkind who dropped out of Stanford at age 19 to “change the world” with a device that would perform hundreds of diagnostic tests with a few drops of blood from a finger stick. It’s a story made for Hollywood (Jennifer Lawrence will play Holmes in the forthcoming movie), filled with lies, deception, threats and sex, set in a Silicon Valley startup.
Once valued at $9 billion, Theranos raised hundreds of millions from famous investors such as Rupert Murdoch, Betsy DeVos and the Walton family (owners of Walmart). It landed a corporate partnership with drugstore giant Walgreens, which built a series of “wellness centers” in its stores, where customers could order blood tests without a prescription. Due to a legal loophole, the Food and Drug Administration (FDA) hadn’t examined the Theranos device, called “Edison,” which was still just a prototype. But the show had to go on. Most blood tests had to be performed with a traditional syringe draw. As for the “droplet” tests, they were dangerously unreliable. The technology that made everyone so excited, it turned out, didn’t actually work. Theranos collapsed. Elizabeth Holmes now faces trial for criminal fraud.
Theranos’ initial success was not something that Holmes could have achieved on her own. She needed the cooperation of a supporting cast of prominent men (yes, they were all men) on her board, including such luminaries as former Secretaries of State Henry Kissinger and George Shultz, former Senator Sam Nunn and retired General James Mattis (who would go on to serve as Secretary of Defense in the Trump administration). None of them had backgrounds in medicine. Also serving on the board, and as the company’s lead lawyer, was David Boies, the trial lawyer who had represented Vice President Al Gore in his election case before the Supreme Court.
But the most important enabler of the Theranos con was not a human being. Instead, it was secrecy. According to the book and documentary, to keep investors and business partners in the dark about what was going on, Holmes used the excuse that the breakthrough invention had to be kept under the tightest possible wraps, lest competitors leap ahead. Her lawyers reinforced this notion, giving it enough credibility that Holmes could draw in otherwise rational people with the promise of a healthier society, a disrupted industry, and capital gains. This gave Holmes the comfort to actually fake demonstrations of the Edison: while important visitors were taken on tour, their blood sample was taken out of the machine and whisked to a downstairs lab where it was analyzed using commercially available equipment, with the results returned to the meeting room just in time.
Nondisclosure agreements were secured from everyone who came into contact with the company. And those agreements were enforced vigorously, apparently even using private investigators and threats of crushing litigation to keep knowledgeable employees from speaking with the press. (If you are interested in learning how lawyers can terrorize well-meaning whistleblowers, I urge you to read the book.)
Secrecy was apparently also used within the company, keeping employees “siloed” from other areas by an extraordinarily strict need-to-know policy. As a result, those who worked on running the machines didn’t know what the engineers might be doing to fix and improve them, and new development projects kept people guessing about whether the real breakthrough technology was being sharpened in the next room. All of this partitioning of knowledge was coupled with enthusiastic “us vs. them” speeches by Holmes designed to keep morale strong and faith alive.
Of course, the “dark side” of trade secrets—where the law enforcing confidentiality is used in unintended ways—isn’t unique to Theranos. Nondisclosure agreements have been accused (without much empirical evidence) of discouraging employees from moving to new jobs, for fear that they will inadvertently misuse some confidential information. More recently and notoriously, they have become part of the “#MeToo” conversation, as a mechanism for suppressing the truth by silencing victims of abuse.
But we have ways of preventing, or at least mitigating, these inappropriate consequences. Courts routinely exercise discretion to favor the free movement of employees from job to job. There are now strong whistleblower protections built into federal law for those who want to share with the authorities confidential information about potentially unlawful conduct.
Even the Theranos story doesn’t mean that trade secret law is inherently dangerous. Consider Apple, one of the world’s most secretive companies. (Holmes famously modeled her clothing and business habits after Steve Jobs.) Apple has consistently used NDAs and secrecy management to protect products under development, to great effect when they are ultimately unveiled, all without touting non-existent technology. And it’s easy to imagine how Theranos might never have happened if investors and business partners had been less credulous and more insistent on understanding the technology. It is entirely possible to couple information security with appropriate governance and oversight; indeed, that is how most companies behave. More than any problem with trade secret law, the Theranos debacle is about greed, hubris and the overwhelming power of human denial when faced with inconvenient facts.
However, the Theranos story got me thinking about other aspects of secrecy and technology that pose stickier problems. The one that comes to mind is artificial intelligence (AI). As a concept, AI has been with us a long time, representing the evolution of powerful computing that we imagine might someday mimic the human brain. But only recently has it seemed on the relatively near horizon, with systems being deployed on information sharing platforms like Facebook, and, soon it seems, in our cars. It’s one thing to let Google protect its search engine; but we have seen how fake news can affect elections, and we wonder how computers will be able to make life-or-death decisions while driving themselves (and us) down the road.
A common public reaction to these concerns about personal-impact technology is to demand “transparency” of the companies that use AI in their tools. We want to know exactly what the algorithm is that determines our news feed, and we want visibility on what the car will do when faced with the choice of hitting the baby carriage or grandma. But here we run into a dilemma common to all forms of advanced technology: we need to encourage the innovation that gives us new products and services; but to enable the necessary investment of money and risk we need to guarantee secrecy so that the innovator can recoup its investment.
When as a society we faced a similar problem a century ago with an emerging technology with profound individual consequences, it was pharmaceuticals, and eventually we fashioned an approach that has worked fairly well to serve both private and public interests, in spite of the narrow loophole that Theranos exploited. Drug companies are required to reveal to the FDA their formulations and test data, where technically qualified officials examine the drug or device for efficacy and safety. All this is done behind closed doors, to protect the company’s investment in some very expensive and risky research. But because we have confidence in the ability of the agency to get it right, we are comfortable using the drugs that have been approved.
It’s not clear to me that a similar model would work to address the potential flaws in secret AI engines. How would we develop models for testing everything that could possibly go wrong? How could a government agency reliably make predictive judgments about software that operates in the world, rather than chemicals that operate in the human body? And even if those challenges could be overcome, what do we do about the fact that the AI algorithms, unlike drug formulations, are not static, but are built to dynamically alter themselves through machine learning?
I don’t have a good answer to these questions. Unlike the situation at Theranos, where the risk of harm from secrecy could have been met by some healthy skepticism and common sense, AI presents a uniquely difficult challenge to find the right balance of competing interests. We need to keep talking about it.