Is There a Trilemma Associated with Using Blockchain to Protect Trade Secrets?
In the quest for security, decentralization, and scalability, only two of the three requirements can be achieved simultaneously. Is the compromise on the third requirement something that a cautious company can live with?
February 05, 2019 at 07:00 AM
The original version of this story was published on Legal Tech News
The authors express gratitude to Steven S. Nam, Managing Editor of the Stanford Journal of Blockchain Law and Policy, for his time and support.
While Bitcoin has popularized the notion of the blockchain, the underlying architecture is versatile enough to be employed in a wide range of non-cryptocurrency-related applications, such as food tracing, bills of lading in the shipping industry, and secure mobile voting. Over the past two years, there have even been a handful of commentaries expressing mixed views on how blockchain technology could be applied to protecting a company's most valuable trade secrets.
Before tackling this dilemma, we take a step back and evaluate whether and why (or why not) the blockchain may be a good fit for realizing this objective conceptually, make reference to the inherent blockchain trilemma, correlate any complementary technological merits to business needs or legal requirements, and then ambitiously set the stage for analyzing real-life implementations and the value-add.
One question to keep in mind as we go through the following is whether the blockchain would serve to supplement or completely substitute existing storage mechanisms. After all, supplementation merely introduces an additional vault from which the same secret may be stolen.
Inherent Characteristics
One can view a blockchain as a ledger or database of information. Each new entry, or block of data, is appended to the last block along with a time stamp, and upon verification, is finalized as part of the continuing “chain” of blocks. Whether the authority to verify lies in a single entity, or a subset of entities, or is consensus-driven, is a question dependent on how centralized or decentralized the system is. The data in each block is run through a hash function, which, depending on the particular hashing algorithm, is supposed to produce a virtually unique numerical output of a predetermined number of bits—a hash value or “signature.” Anyone could use this unique output sequence later to check to see whether the stored data has been tampered with. Further, tampering is frustrated by each block's inclusion of the preceding block's hash value; so too will its own hash value be included in the subsequent block. Hence, to escape detection, a bad actor would need to modify (and re-verify) all of the blocks, not just the one.
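The chaining described above can be made concrete with a short added example, which is not from the original article. It assumes SHA-256, a JSON block layout, and constructed sample documents and time stamps; each block records only the digest of a document, and the function names are illustrative.

```python
import hashlib
import json

def block_hash(block):
    """SHA-256 over the block's canonical JSON form (excluding its own hash)."""
    body = {k: block[k] for k in ("index", "timestamp", "doc_digest", "prev_hash")}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def append_block(chain, document, timestamp):
    """Append a block that commits to `document` by digest only, not by content."""
    block = {
        "index": len(chain),
        "timestamp": timestamp,
        "doc_digest": hashlib.sha256(document).hexdigest(),
        "prev_hash": chain[-1]["hash"] if chain else "0" * 64,
    }
    block["hash"] = block_hash(block)
    chain.append(block)
    return block

def first_invalid_block(chain):
    """Return the index of the first block that fails verification, or None."""
    prev = "0" * 64
    for block in chain:
        if block["prev_hash"] != prev or block["hash"] != block_hash(block):
            return block["index"]
        prev = block["hash"]
    return None

def document_matches(chain, index, document):
    """Check a later-produced copy against the digest recorded at `index`."""
    return chain[index]["doc_digest"] == hashlib.sha256(document).hexdigest()

def build_sample_chain():
    # Constructed sample entries; contents and time stamps are illustrative only.
    chain = []
    append_block(chain, b"formula v1: constructed sample", "2019-01-01T00:00:00Z")
    append_block(chain, b"formula v2: constructed sample", "2019-01-15T00:00:00Z")
    append_block(chain, b"supplier list: constructed sample", "2019-02-01T00:00:00Z")
    return chain

def tamper_demo():
    """Backdate block 1, then show what re-hashing only that block achieves."""
    chain = build_sample_chain()
    chain[1]["timestamp"] = "2018-01-01T00:00:00Z"
    naive = first_invalid_block(chain)        # stored hash no longer matches
    chain[1]["hash"] = block_hash(chain[1])   # attacker re-hashes only block 1
    partial = first_invalid_block(chain)      # block 2 still points at the old hash
    return naive, partial
```

On a single copy of the ledger, an actor who recomputes every later block as well would pass this check, which is why who holds the authority to verify, and on how many nodes, matters.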
The trilemma of the blockchain, as Ethereum founder Vitalik Buterin observed, is that in the quest for security, decentralization, and scalability, only two of the three requirements can be achieved simultaneously. Is the compromise on the third requirement something that a cautious company can live with?
For protecting trade secrets, plainly security is paramount. One would not want the company's prize formula to be corrupted, lost, or overwritten. Data integrity is crucial. One way to heighten security is to decentralize the verification process. A centralized system would not only be subject to hacking, but would present a single point of failure; in contrast, a large group of nodes is more resistant to attacks (in a proof of work system, a 51 percent attack would require one or more conspirators to amass the majority of the hashing power of the entire network) and still maintains operational status even if some nodes are down, temporarily compromised (e.g., by a denial-of-service “DoS” cyber-attack), or corrupt.
That leaves scalability. The system may operate more slowly (lengthy verifications as the nodes work towards consensus) as the number of nodes increases. But would a company that had stored its trade secret on a blockchain years in the past necessarily care about the speed at which current transactions are being processed? The verifiable transactions per second (tps) is probably a mere frill and not a deal-breaker. After some threshold number of participant nodes has been established and exceeded, after which it becomes impractical for a bad actor to seize control of the decentralized network, the company presumably would be satisfied with the scale, albeit, the more the merrier—again, to fight off the 51 percent attack.
Other Related Properties and Merits
In connection with the above, decentralized blockchains exhibit higher resilience to attack and can remain properly functioning, short of a mass concerted effort that overwhelms the network of honest nodes.
Another trait of a decentralized blockchain is its relative immutability. This is a natural consequence of having a distributed, public ledger. Integrity is so high that the Hangzhou Internet Court in China's Zhejiang province has recently allowed the introduction of electronic evidence stored in Bitcoin and Ethereum blockchains, albeit in a copyright case: Hangzhou Huatai Yimei Culture Media Co., Ltd. v. Shenzhen Daotong Technology Development Co., Ltd. In addition, still more recently, the Supreme People's Court of China promulgated rules allowing Internet courts to consider blockchain to verify and authenticate evidence when the parties dispute it.
Of note, permanence can be beneficial for some aspects of trade secret protection, but probably not for keeping third-party confidential information safe. After the partnership or vendor-customer relationship is over, the disclosing party's information must typically be returned or deleted by the receiving party, a step that would not be practical for a distributed database.
Nonetheless, even with its high fidelity, a blockchain is still at risk of a coordinated effort to rewrite past entries on the local version of the ledger on enough nodes. The more centralized the authority or the fewer the nodes, the larger the risk.
This brings us to trust. One way to side-step the bottleneck of a consensus-based model as the network grows in scale is to centralize and entrust some of the decision-making in a reputable third party provider. The tradeoff to consider is whether the central authority is corrupt (or corruptible), and if not, whether it is more likely to be hacked than a decentralized system. And what guarantees are there that the third party will remain solvent over the course of a century? If Coca-Cola intends on safeguarding its recipe for another hundred years, would it be confident enough to shred all paper copies, digitize the only surviving copy, and leave that file in the hands of an up-and-coming blockchain management company?
One final facet worth raising here is visibility. Information encoded within the blocks of data is visible to anyone with access. On a public, permissionless blockchain, that means everyone. Transparency allows users to police and quickly detect any tampering. Displaying one's trade secret in plain sight would normally be fatal—frustrating the legal requirement of secrecy—but data may be encrypted before it is hashed and uploaded. How reliable this additional measure proves to be will depend on the initial encryption strength and, over time, the improvements in decryption methods and computational power.
Preliminary Observations, Limitations and Vulnerabilities
First, blockchain can be used to record data, but it falls short of proving ownership of a trade secret. Even with the time stamp and the decryption key, the most the company can show is that it had possession at a certain time. Possession alone is insufficient to press an offense against party B (that the information they're using is yours) or put up a defense (that you did not simply acquire the information from someone else, a party C). This is unfortunate, given that demonstrating ownership of a trade secret is a particularly thorny issue for rights-holders—i.e., how to produce enough of a paper trail to convince a judge of the existence of a secret while simultaneously trying to minimize that paper trail to stymie attempts by competitors and rogue employees to steal it—but the blockchain is not a catholicon.
Second, there is the risk of a hash collision—where two sets of data inputs result in the same output—which is not very likely, but not impossible. In many ways, hashing algorithms are like many scientific hypotheses—popularized until disproven and then discarded. SHA-1, first published in 1995, was “broken” in 2017 after a small team of researchers spent 2 years finding a method to write two different PDFs that would ultimately have the same SHA-1 hash signature.
The threat is that by sleight of hand, a competitor could produce a similar but different document to hold up in court that would cast doubt on whether plaintiff's copy was an exact copy of the time-stamped one whose hash signature was stored in the blockchain. It is estimated that another SHA-1 collision could be reproduced for as little as US$130,000, a seemingly small price to pay for legal defense that could gut a multibillion dollar misappropriation claim.
Although the industry quickly moved on to SHA-256, whose probability of collision is reportedly one in 10^60, or others from the SHA-2 algorithm family, the take-away is that a motivated competitor with enough time, financial resources, and computing power—which grows more or less in line with Moore's law—could eventually crack the next embraced hash standard as well. Some have theorized that with Google's present processing power, for a particular set of data, SHA-256 may be cracked in about 52 to 60 years, but in no case more than 104 years—not a particularly comforting thought for companies who want a vehicle for safeguarding their trade secrets indefinitely.
In part 2, we will continue to explore the suitability of this technology as a solution and contrast existing legal applications and offerings. Stay tuned.
Gino Cheng is a partner in intellectual property at Winston & Strawn. As a registered U.S. patent attorney with an EE background, his practice focuses on licensing negotiations, trade secret audits, patent litigation, section 337 ITC investigations, and adversarial post-grant proceedings (IPR) at the USPTO, predominantly in the semiconductor and LED space. Gino is also a member of the firm's Disruptive Technologies Team and the cross-functional Global Privacy and Data Security Task Force. Wakako Inaba is a foreign legal advisor in Winston & Strawn's Los Angeles office and member of the Osaka Bar Association. Wakako's practice focuses on commercial litigation and international arbitration. She advises clients on commercial disputes in a wide variety of sectors including aviation, automotive, and pharmaceutical and medical device technologies.