A Response to David Blankfein-Tabachnick & Kevin A. Kordana, On Rawlsian Contractualism and the Private Law

Introduction

In their 2022 essay, David Blankfein-Tabachnick and Kevin Kordana reaffirm and further develop their long-standing position that John Rawls’s principles of justice, including the difference principle, should apply to determine and interpret private law, including not just property and contract law, but also torts.[1] In recent papers, Samuel Scheffler and I have made similar arguments, though we have modestly departed from their views.[2] I contend that, while the difference principle applies to much of the private law of property and contract, it does not apply to all tort law. Rather, in tort law, the difference principle applies primarily to economic torts in unjust economic systems that do not satisfy Rawls’s difference principle in the first place.[3] Blankfein-Tabachnick and Kordana (hereinafter “the Authors”) contest my argument, as well as my contention that Rawls’s difference principle requires maximizing the position of society’s less advantaged relative to the more advantaged, not their absolute position.[4] After a brief summary of my position, I discuss why I believe the difference principle, under Rawls’s final interpretation of it, is often not suitable for consistent application in determining personal tort liability and remedies, even though the principle can play a significant role in economic torts involving the violation of economic rights and liberties. I also discuss why the difference principle is best understood to require society to maximize the relative, not absolute, position of the least advantaged. I conclude with some remarks on Rawls’s own reservations regarding courts’ interpretation and enforcement of the difference principle, or any principle that structures the economy, including economic efficiency and utilitarian wealth maximization.

  1.  See David Blankfein-Tabachnick & Kevin A. Kordana, On Rawlsian Contractualism and the Private Law, 108 Va. L. Rev. 1657 (2022).
  2.  Samuel Scheffler, Distributive Justice, the Basic Structure and the Place of Private Law, 35 Oxford J. Legal Stud. 213, 233 (2015); Samuel Freeman, Private Law and Rawls’s Principles of Justice, in Liberalism and Distributive Justice 167, 168 (2018) (arguing that Rawls’s principles apply to the private law).
  3.  Freeman, supra note 2, at 191–93 (arguing that in an unjust economy designed to maximally benefit the more rather than the less advantaged, the application of the difference principle to economic torts is a proper corrective to vast inequalities and economic injustices).
  4.  Blankfein-Tabachnick & Kordana, supra note 1, at 1683–87 (contending that Rawls’s difference principle is “a maximizing and consequentialist theory, if a constrained one,” and not, as I contend, “an intra-schemic relational principle” of reciprocity that is nonconsequentialist and nonmaximizing).

20/20 Hindsight and Looking Ahead: The Vision of the Five Eyes and What’s Next in the “Going Dark” Debate

The so-called “encryption debate” made national headlines in 2016 after Apple Inc. (“Apple”) declined to enable the Federal Bureau of Investigation (“FBI” or “the Bureau”) to unlock an iPhone recovered from one of the shooters involved in a terrorist attack in San Bernardino, California. The debate concerned whether the government should have the authority to compel technology manufacturers to create an “access key” for encrypted messages and share that key with law enforcement. Apple argued that allowing such access would undermine the security features of its products, while the U.S. Department of Justice (“DOJ”) insisted access was necessary to prevent future attacks. An existing dilemma came to the forefront: Should technology companies be able to use forms of encryption so secure that even they lack the keys? Or is such security not worth the possibility of allowing criminals to “go dark” from law enforcement?

While public attention on this issue has waned in recent years, the problem is not going away; instead, answers are needed now more than ever. As recently as December 2023, a leading technology company announced it would use end-to-end encryption (“E2EE”) as a default for calls and messages across some of its platforms. Analyzing the strengths and weaknesses of laws passed in other countries in The Five Eyes provides guidance for how the U.S. may best proceed with future legislation to promote privacy and security on a global scale.

Introduction

In 2015, then-FBI Director James Comey testified before the Senate Judiciary Committee, saying, “There’s no doubt that [the] use of encryption is part of terrorist tradecraft now.”[1] Months earlier, a heavily armed couple had killed fourteen people and seriously injured seventeen others in San Bernardino, California.[2] As part of its investigation, the Bureau obtained a warrant to search an iPhone owned by one of the shooters, but the phone was programmed to automatically delete all data after ten failed password attempts.[3] Unable to unlock the phone due, in part, to encrypted user data, the FBI requested that Apple rewrite its software to disable security features and install it for investigators to gain access.[4] Apple refused, arguing that deliberately weakening encryption on its devices by creating a “backdoor” through the encryption for law enforcement would make its products more susceptible to hacking by bad actors and foreign governments.[5]

The dispute between Apple and the DOJ is the most prominent example of an ongoing and contentious debate about government regulation of E2EE.[6] E2EE describes a secure communication method that prevents third-party access to data transferred from one device to another.[7] Many forms of encryption can be accessed by anyone with the appropriate decryption key, but E2EE goes beyond other forms of encryption by limiting access to messages and data to only the communicating parties.[8] E2EE scrambles data so only the sender and intended recipient may read E2EE messages; not even the manufacturer of the communication devices can access such data.[9] E2EE also ensures that data is encrypted before it is sent over a network, avoiding exposure of such communications to bad actors (such as hackers) in the event of a data breach.[10] In this way, E2EE is considered the gold standard for ensuring consumer privacy. However, E2EE’s airtight seal means law enforcement may not be able to effectively investigate dangerous criminal activity unless the encryption is weakened. The modern encryption debate centers around a challenging dilemma: Should the government be able to compel technology companies to build systems in such a way that permits law enforcement access? Or should considerations about safeguarding privacy be paramount, even at the expense of governmental investigation and oversight?

Over the years, the two sides of the conversation have become increasingly polarized, with law enforcement groups on one side and privacy and civil liberties advocates on the other. Much has been written about the constitutionality of potential solutions to the cryptology debate. This Essay adds a new, unique perspective to the existing literature by discussing it within the context of rapidly evolving technology making E2EE policies instrumental to the lives of most Americans. Part I provides an overview of the debate within the technology and law enforcement communities and describes the failures of Congress to address the issue. Part II evaluates the strength of Australia’s and the United Kingdom’s approaches for addressing the problem. Finally, Part III provides recommendations for what Congress should do to address the encryption debate.

  1.  Sen. Charles E. Grassley Holds a Hearing on Oversight of the Federal Bureau of Investigation, S. Comm. on Judiciary (Dec. 9, 2015), https://congressional.proquest.com/congressional/docview/t65.d40.12090003.s98?accountid=14678 [https://perma.cc/DR82-DBN3].
  2.  Adam Nagourney, Ian Lovett & Richard Pérez-Peña, San Bernardino Shooting Kills at Least 14; Two Suspects Are Dead, N.Y. Times (Dec. 2, 2015), https://www.nytimes.com/2015/12/03/us/san-bernardino-shooting.html [https://perma.cc/4UJN-B78T].
  3.  Daniel Kahn Gillmor, One of the FBI’s Major Claims in the iPhone Case is Fraudulent, ACLU (Mar. 7, 2016), https://www.aclu.org/news/privacy-technology/one-fbis-major-claims-iphone-case-fraudulent [https://perma.cc/YYF5-8UMQ].
  4.  Government’s Ex Parte Application for Order Compelling Apple Inc. to Assist Agents in Search 1–2; Memorandum of Points and Authorities at 1–2, 4, In re Search of an Apple iPhone Seized During the Execution of a Search Warrant on a Black Lexus IS300, California License Plate 35KGD203, No. 15-mj-00451 (C.D. Cal. Feb. 16, 2016).
  5.  See Letter from Tim Cook, CEO of Apple, to Apple Customers (Feb. 16, 2016), https://www.apple.com/customer-letter/ [https://perma.cc/P5G9-5A7N]; Apple’s Tim Cook: Complying with FBI Demand “Bad for America,” CBS News (Feb. 24, 2016, 9:02 PM), https://www.cbsnews.com/news/apples-tim-cook-complying-with-fbi-demand-bad-for-america/ [https://perma.cc/59FU-YKXR]; Shara Tibken, Countdown to Doomsday: Apple, FBI Face Off in Court Tuesday, CNET (Mar. 19, 2016, 5:00 AM), https://www.cnet.com/news/privacy/apple-fbi-case-encryption-iphone-backdoor-hack-terrorism-privacy-surveillance/ [https://perma.cc/5AFT-H2LW].
  6.  See Reema Shah, Comment, Law Enforcement and Data Privacy: A Forward-Looking Approach, 125 Yale L.J. 543, 543 (2015).
  7.  Mallory Knodel, Fred Baker, Olaf Kolkman, Sofía Celi & Gurshabad Grover, Definition of End-to-End Encryption, Internet Eng’g Task Force (June 13, 2022), https://www.ietf.org/archive/id/draft-knodel-e2ee-definition-04.html [https://perma.cc/8W7P-FG5L].
  8.  Steven Song, Keeping Private Messages Private: End-to-End Encryption on Social Media, B.C. Intell. Prop. & Tech. F., 2020, at 1, 2.
  9.  How End-to-End Encryption in Google Messages Provides More Security, Google Messages, https://support.google.com/messages/answer/10262381?hl=en [https://perma.cc/2H7S-R3GX] (last visited Feb. 25, 2024).
  10.  Lucian Armasu, End-to-End Encryption Could’ve Protected Yahoo Mail Users from 2014 Data Breach and NSA Spying, Tom’s Hardware (Oct. 14, 2016), https://www.tomshardware.com/news/e2ee-yahoo-mail-hack-spying,32857.html [https://perma.cc/YGQ7-K5G2].

Cyber Vulnerabilities as Trade Secrets

Can a cybersecurity vulnerability—like a bug in code or a backdoor into a system—be a trade secret? Claiming a flaw as a trade secret may sound strange. Usually, talk of trade secrets conjures up images of scientists in laboratories or complex computer algorithms. But nothing in the definition of a trade secret excludes vulnerabilities. As the electronic theft of company secrets increases, recognizing cyber vulnerabilities as trade secrets could play an important role in safeguarding business information. For companies that depend on trade secret protections, increased digitalization means that their trade secrets may be exposed. And this exposure could result not only in diminished legal protections but also in a devastating loss of company profits, strategic advantage, or cutting-edge research. This Essay proposes that recognizing cyber vulnerabilities as trade secrets can limit those harms and protect important company information.

Introduction

Every year, trade secret theft costs American businesses between $225 billion and $600 billion.[1] Some of the thefts are perpetrated from the inside, like by a disgruntled employee who takes confidential files with him to his next job. But a significant portion of this figure comes from cyber espionage—digitally stealing confidential information or trade secrets from a commercial entity.[2] The digitalization of business records and data assists this form of cyber theft.[3] No longer do thieves need to break into a company’s offices and sneak out with physical files. Now, the crime can happen from anywhere, including the other side of the world.[4] And as companies increase the amount of information they store digitally, “they have more bits and bytes worth stealing.”[5]

Accompanying this increase in corporate espionage is an increase in the kinds of businesses targeted. The world of corporate spying is “no longer cent[e]red on a few ‘sensitive’ industries, such as defen[s]e and pharmaceuticals.”[6] Any business is at risk of having its proprietary information electronically stolen. Instead of a rarity, corporate espionage has “become a general business risk.”[7]

On top of the direct economic costs of corporate spying, this increase in cyber espionage greatly reduces companies’ incentives for innovation and investment.[8] And understandably so. There is less incentive to devote resources to research and development if that research, or any related proprietary information, could be compromised in a cyberattack. A competitor hiring a hacker to break into your system and steal your cutting-edge research is the modern-day version of a competitor hiring a photographer to take aerial photographs of your company’s new factory from an airplane. (Yes, that actually happened.)[9] A foreign government may target American companies’ data to help their own businesses “catch up with advanced U.S. technology.”[10] Or a cybercriminal may target your data in the hopes of selling it to a third party for a profit.[11] Given the range of threats, keeping trade secrets “safely locked in the digital vault can be devilishly difficult.”[12]

Fortunately for companies, trade secret law has developed rapidly over the last few decades to provide robust protection against these thefts. The Economic Espionage Act was passed in 1996 to “protect the trade secrets of all businesses operating in the United States, foreign and domestic alike, from economic espionage and trade secret theft and deter and punish those who would intrude into, damage, or steal from computer networks.”[13] The Computer Fraud and Abuse Act, most recently amended in 2008, allows for both criminal charges and civil suits against anyone who breaks into a computer “without authorization or exceeding authorized access.”[14] Nearly all fifty states have adopted the Uniform Trade Secrets Act (“UTSA”),[15] and Congress passed a federal version of the UTSA—the Defend Trade Secrets Act—in 2016.[16] So if a company’s top-secret formula is stolen, the legal system affords the company a variety of ways to remedy the issue.

But the problem of corporate espionage is not limited to stealing data or research outright. Though companies spent $219 billion globally on cybersecurity defenses in 2022,[17] there is no such thing as perfect cybersecurity, meaning that vulnerabilities—weaknesses in a system that can be exploited by an attacker—exist in any system.[18] Rather than hacking into a system and selling the data or information located within, some cybercriminals try to monetize these flaws by selling hacking tools, hidden exploits, or discovered system vulnerabilities on the black market.[19] This market for previously undiscovered software flaws (otherwise known as zero-day vulnerabilities) is of particular concern because, unlike data theft, it is unregulated.[20]

Currently, there is a private market for weeding cybersecurity vulnerabilities out of companies’ systems. Some cyber specialists, often dubbed “white hat hackers,” search company systems and equipment for vulnerabilities and report their findings to the company, sometimes for a small reward.[21] More proactive companies hire hacking specialists to find weak spots in their systems so they can address these issues before they are exploited.[22]

  22.  David Rudin, Safety Net: Hackers for Hire Help Companies Find Their Weak Spots, Fin. Post (Mar. 3, 2023), https://financialpost.com/cybersecurity/hackers-help-companies-find-weak-spots [https://perma.cc/HPV2-H3D9].

But the private market goes both ways: just as some hackers choose to sell their findings back to the company whose system is at risk, others choose to sell the information to competitor companies, foreign governments, or other interested parties.[23] And for good reason—the price on the black market for vulnerabilities is often ten to one hundred times higher than on the white market.[24] As the black market for vulnerabilities grows, companies’ proprietary information is put increasingly at risk.

  23.  Andi Wilson, Ross Schulman, Kevin Bankston & Trey Herr, New Am., Cybersecurity Initiative, Open Tech. Inst., Bugs in the System: A Primer on the Software Vulnerability Ecosystem and Its Policy Implications 15–18 (2016), https://www.newamerica.org/oti/policy-papers/bugs-system/ [https://perma.cc/53AM-DYRN].
  24.  Lillian Ablon, Martin C. Libicki & Andrea A. Golay, Markets for Cybercrime Tools and Stolen Data: Hacker’s Bazaar 26 (2014).

Unfortunately, due to the lack of regulation of this market, there has been little stopping the growth in corporate espionage. Existing suggestions in academic literature for tackling the global trade in zero-day vulnerabilities include criminalization,[25] regulation through export controls,[26] and “increasing the payouts offered on the white market through a combination of liability protections, tax benefits, and subsidies.”[27] This Essay offers a simple alternative—or supplement—to these options: protecting cyber vulnerabilities through trade secret law.

  25.  Mailyn Fidler, Regulating the Zero-Day Vulnerability Trade: A Preliminary Analysis, 11 I/S: J.L. & Pol’y for Info. Soc’y 405, 424 (2015).
  26.  Id. at 432.
  27.  Nathan Alexander Sales, Privatizing Cybersecurity, 65 UCLA L. Rev. 620, 620 (2018).

By correctly applying trade secret law to zero-day vulnerabilities, companies will be afforded many options to protect their cybersecurity weaknesses from falling into the hands of their competitors or the public. A company whose system has been poked and prodded for vulnerabilities could bring trade secret claims under the applicable law, which could award them not only damages but also an injunction to prevent disclosure or use of the weakness. Federal trade secret law also allows for courts to issue warrants for property seizure, which could prevent the offending individual or organization not only from disseminating the vulnerability but also from conducting further operations.[28] Under the Economic Espionage Act or Computer Fraud and Abuse Act, an offending hacker—or competitor who knowingly uses stolen information—could be held criminally liable.[29] Trade secret law provides companies with many powerful tools for combatting the growing vulnerability black market. By treating vulnerabilities as trade secrets, the legal system will provide companies with far more protections for their systems’ weaknesses than currently exist. This, in turn, will help protect their underlying research and data.

  28.  18 U.S.C. § 1836(b)(2)(A)(i).
  29.  Id. §§ 1832, 1030(a), (c).

One case has contemplated the application of cybercrime law to system vulnerabilities. In 2008, three undergraduate students at the Massachusetts Institute of Technology (“MIT”) planned to present research at a cybersecurity conference that exposed “weaknesses in common subway fare collection systems,” particularly the Massachusetts Bay Transportation Authority (“MBTA”).[30] Their demonstration promised to “present several attacks to completely break the CharlieCard” (the MBTA’s subway card), “release several open source tools [they] wrote to perform these attacks,” and reveal “how [they] broke these systems.”[31]

  30.  Complaint at 1, 7, Mass. Bay Transp. Auth. v. Anderson, No. 08-cv-11364 (D. Mass. Aug. 8, 2008).
  31.  Id. at 7.

Ironically, the students’ presentation included a slide with the text: “What this talk is not: evidence in court (hopefully).”[32] But before they could give their presentation, the MBTA sued, alleging the students’ research violated the Computer Fraud and Abuse Act (“CFAA”).[33] Though the MBTA was initially granted a temporary restraining order, the U.S. District Court for the District of Massachusetts later denied the MBTA’s request for a preliminary injunction and dissolved the restraining order, finding that discussing the system’s vulnerabilities was likely not the sort of “transmission” covered by the CFAA.[34]

  32.  Complaint, Exhibit 7 at 3, Mass. Bay Transp. Auth., No. 08-cv-11364 (emphasis added).
  33.  Complaint, supra note 30, at 12.
  34.  Transcript of Motion Hearing at 60, 65, Mass. Bay Transp. Auth., No. 08-cv-11364 (D. Mass. Aug. 19, 2008).

But the District of Massachusetts’s ruling is not the end-all-be-all for legal protection of vulnerabilities. The MBTA brought suit under the Computer Fraud and Abuse Act, not the Uniform Trade Secrets Act, as Massachusetts had yet to adopt the UTSA.[35] Nearly a decade later, the Massachusetts legislature passed the Massachusetts Uniform Trade Secrets Act, bringing it up to speed with forty-eight other states.[36]

  35.  Complaint, supra note 30, at 12.
  36.  Aaron Nicodemus, Massachusetts Adopts Uniform Trade Secret Law, Bloomberg L. (Aug. 16, 2018, 5:29 PM), https://news.bloomberglaw.com/ip-law/massachusetts-adopts-uniform-trade-secrets-law [https://perma.cc/FYS3-QAG4]. New York has not adopted the Uniform Trade Secrets Act and instead still relies on common law tort claims. Though North Carolina has not adopted the UTSA, it is counted as one of the forty-nine because its state trade secrets law is very similar to the UTSA. See Christopher T. Zirpoli, Cong. Rsch. Serv., IF12315, An Introduction to Trade Secrets Law in the United States (2023).

Under the UTSA, the court’s decision to dissolve the temporary restraining order and deny preliminary injunctive relief could have come out very differently. A vulnerability or weakness in a company’s cybersecurity could qualify as a trade secret under the UTSA. Not only will recognizing vulnerabilities as trade secrets protect against innocent disclosures of proprietary information, as in the MBTA case, but it will also help reduce the growing threat of cyber espionage and weaken the market for vulnerabilities.

Part I of this Essay explains why vulnerabilities ought to qualify for trade secret protections under the definition of a trade secret in the Uniform Trade Secrets Act. Part II makes a normative argument for including vulnerabilities in trade secret protection. The Essay concludes by briefly revisiting the MBTA case to show how affording vulnerabilities protection under the UTSA would prevent future harms to the MBTA.

  1.  Fed. Bureau of Investigation, Executive Summary—China: The Risk to Corporate America (2019), https://www.fbi.gov/file-repository/china-exec-summary-risk-to-corporate-america-2019.pdf/view [https://perma.cc/93BF-FGZR].
  2.  See, e.g., Nicole Sganga, Chinese Hackers Took Trillions in Intellectual Property from About 30 Multinational Companies, CBS News (May 4, 2022, 12:01 AM), https://www.cbsnews.com/news/chinese-hackers-took-trillions-in-intellectual-property-from-about-30-multinational-companies/ [https://perma.cc/WT93-T5HL] (noting that “[t]he CCP continues to increase its theft of U.S. technology and intellectual property” via hacking operations).
  3.  Tim Maurer & Arthur Nelson, The Global Cyber Threat, Fin. & Dev. 24, 25 (Mar. 2021), https://www.imf.org/en/Publications/fandd/issues/2021/03/global-cyber-threat-to-financial-systems-maurer [https://perma.cc/6DN4-3YQR].
  4.  See, e.g., Phil Mercer, China Accused of Economic Espionage on an Unprecedented Scale, VOA News: East Asia (Oct. 18, 2023, 2:39 AM), https://www.voanews.com/a/china-accused-of-economic-espionage-on-an-unprecedented-scale/7315625.html [https://perma.cc/5ZPY-K4EV].
  5.  Corporate Espionage Is Entering a New Era, Economist (May 30, 2022), https://www.economist.com/business/2022/05/30/corporate-espionage-is-entering-a-new-era [https://perma.cc/8NJ3-S4T8].
  6.  Id.
  7.  Id.
  8.  Steve Morgan, Global Cybercrime Damages Predicted to Reach $6 Trillion Annually by 2021, Cybercrime Mag. (Oct. 26, 2020), https://cybersecurityventures.com/annual-cybercrime-report-2020/ [https://perma.cc/JG3C-Q8WL].
  9.  See E. I. duPont deNemours & Co. v. Christopher, 431 F.2d 1012, 1013 (5th Cir. 1970).
  10.  Eamon Javers, Inside China’s Spy War on American Corporations, CNBC (June 21, 2023, 9:10 PM), https://www.cnbc.com/2023/06/21/inside-chinas-spy-war-on-american-corporations.html [https://perma.cc/LXB2-3MCU].
  11.  See, e.g., United States v. Genovese, 409 F. Supp. 2d 253, 255 (S.D.N.Y. 2005) (describing defendant’s charges for attempting to resell Microsoft source code on his personal website).
  12.  Corporate Espionage Is Entering a New Era, supra note 5.
  13.  President William J. Clinton, Statement on Signing the Economic Espionage Act of 1996, 32 Weekly Comp. Pres. Doc. 2040 (Oct. 11, 1996), reprinted in 1996 U.S.C.C.A.N. 4034.
  14.  18 U.S.C. § 1030(a)(1).
  15.  Trade Secrets Act Enactment Map, Unif. L. Comm’n, https://www.uniformlaws.org/committees/community-home?CommunityKey=3a2538fb-e030-4e2d-a9e2-90373dc05792 [https://perma.cc/ML7V-BSCT] (last visited Feb. 26, 2024).
  16.  Defend Trade Secrets Act, Pub. L. No. 114-153, 130 Stat. 376 (2016).
  17.  Matt Kapko, Global Cybersecurity Spending to Top $219B This Year: IDC, Cybersecurity Dive (Mar. 17, 2023), https://www.cybersecuritydive.com/news/cybersecurity-spending-increase-idc/645338/ [https://perma.cc/6TV9-D7QT].
  18.  Jay Pil Choi, Chaim Fershtman & Neil Gandal, Network Security: Vulnerabilities and Disclosure Policy, 58 J. Indus. Econ. 868, 869 (2010).
  19.  See, e.g., Kate O’Flaherty, Notorious Hacking Forum and Black Market Darkode is Back Online, Forbes (Apr. 10, 2019, 12:06 PM), https://www.forbes.com/sites/kateoflahertyuk/2019/04/10/notorious-hacking-forum-darkode-is-back-online/ [https://perma.cc/LX4Y-HY8J] (discussing a site on the black market which “serves as a venue for the sale & trade of hacking services, botnets, malware, and illicit goods and services”).
  20.  Tom Gjelten, In Cyberwar, Software Flaws are a Hot Commodity, NPR (Feb. 12, 2013, 3:25 AM), https://www.npr.org/2013/02/12/171737191/in-cyberwar-software-flaws-are-a-hot-commodity#:~:text=In%20the%20context%20of%20escalating,inside%20his%20enemy%27s%20computer%20network [https://perma.cc/JT9J-NZSL].
  21.  Chris Teague, White Hat Hacker Cracked Toyota’s Supplier Portal, Autoblog (Feb. 8, 2023, 9:35 AM), https://www.autoblog.com/2023/02/08/white-hat-hacker-toyota-supplier-portal/ [https://perma.cc/B8V2-7NPE].
  22.  David Rudin, Safety Net: Hackers for Hire Help Companies Find Their Weak Spots, Fin. Post (Mar. 3, 2023), https://financialpost.com/cybersecurity/hackers-help-companies-find-weak-spots [https://perma.cc/HPV2-H3D9].
  23.  Andi Wilson, Ross Schulman, Kevin Bankston & Trey Herr, New Am., Cybersecurity Initiative, Open Tech. Inst., Bugs in the System: A Primer on the Software Vulnerability Ecosystem and Its Policy Implications 15–18 (2016), https://www.newamerica.org/oti/policy-papers/bugs-system/ [https://perma.cc/53AM-DYRN].
  24.  Lillian Ablon, Martin C. Libicki & Andrea A. Golay, Markets for Cybercrime Tools and Stolen Data: Hacker’s Bazaar 26 (2014).
  25.  Mailyn Fidler, Regulating the Zero-Day Vulnerability Trade: A Preliminary Analysis, 11 I/S: J.L. & Pol’y for Info. Soc’y 405, 424 (2015).
  26.  Id. at 432.
  27.  Nathan Alexander Sales, Privatizing Cybersecurity, 65 UCLA L. Rev. 620, 620 (2018).
  28.  18 U.S.C. § 1836(b)(2)(A)(i).
  29.  Id. §§ 1832, 1030(a), (c).
  30.  Complaint at 1, 7, Mass. Bay Transp. Auth. v. Anderson, No. 08-cv-11364 (D. Mass. Aug. 8, 2008).
  31.  Id. at 7.
  32.  Complaint, Exhibit 7 at 3, Mass. Bay Transp. Auth., No. 08-cv-11364 (emphasis added).
  33.  Complaint, supra note 30, at 12.
  34.  Transcript of Motion Hearing at 60, 65, Mass. Bay Transp. Auth., No. 08-cv-11364 (D. Mass. Aug. 19, 2008).
  35.  Complaint, supra note 30, at 12.
  36.  Aaron Nicodemus, Massachusetts Adopts Uniform Trade Secret Law, Bloomberg L. (Aug. 16, 2018, 5:29 PM), https://news.bloomberglaw.com/ip-law/massachusetts-adopts-uniform-trade-secrets-law [https://perma.cc/FYS3-QAG4]. New York has not adopted the Uniform Trade Secrets Act and instead still relies on common law tort claims. Though North Carolina has not adopted the UTSA, it is counted as one of the forty-nine because its state trade secrets law is very similar to the UTSA. See Christopher T. Zirpoli, Cong. Rsch. Serv., IF12315, An Introduction to Trade Secrets Law in the United States (2023).