Safeguarding Companies' Online Data In The AI Era: Evolving Technology And Legal Protection

• Published date: 06 September 2023
• Subject Matter: Intellectual Property, Technology, Copyright, Trademark, New Technology
• Law Firm: Duane Morris LLP
• Author: Agatha Liu and Ariel Seidner

The rapidly evolving landscape of advanced technology renders data one of the most valuable commodities today. This is especially true for artificial intelligence (AI), which can advance significantly in capability and complexity by learning from massive data sets used as training data.

A company can have various types of data online — for example, content in the form of text, images, audio, and/or video. This article addresses proprietary content a company makes available on its website or a third-party website.

The web is a unique data source because the interface is widely accessible and the data is quickly transmitted. Such uniqueness leads to special technical and legal issues, the treatment of which often benefits from reinterpreting existing situations in new light. It is important for a company that makes data available online to stay informed of not only advancements in technology, but also laws and legal remedies that may be available to protect that data from unauthorized use.

Companies should consider the extent to which they make data available and the method in which they do so. Companies often have a strong business interest in making at least some of their data available publicly or without modification, as the introduction of restrictions can interrupt the user experience.

A company that makes data publicly available or as-is may find itself more exposed to unauthorized use of that data, particularly in the absence of taking more proactive measures. Fortunately, various measures are available, which when applied wisely can reduce unauthorized use without significantly sacrificing accessibility or usability.

In this article, we identify considerations companies should account for when undertaking efforts to protect their online data based on an analysis of legal protections applicable to companies' online data against unauthorized use.

Restricting computer access with computer technology

A company that restricts access to the computer hosting its data with computer technology, thus restricting access to that data at the infrastructure level, is inherently afforded more protection. An example of such restriction includes employing authentication mechanisms that require a username and a password. The company can also make claims under federal law when such restriction is violated.¹

Computer Fraud and Abuse Act against circumvention of computer access

The Computer Fraud and Abuse Act (CFAA) prohibits intentionally accessing a computer without authorization or exceeding authorized access, thereby obtaining information.² The "without authorization" or "exceeds authorized access" elements of the CFAA are applicable when a user obtains information from the computer by bypassing the restriction, where "access" and "authorization" are specifically construed. The current law prefers restricting access such that a website becomes "generally" unavailable and requiring permission.³

Web scraping to collect training data for AI technology might not involve hacking to bypass user authentication, which was conventionally the target of the CFAA, but instead often involves improper use after gaining initial access.

Specifically, where a user accesses a restricted part of a website by logging in with a valid username and password, such access is "authorized." At that point, using the accessed data for an unauthorized purpose (e.g., collecting data to misappropriate in violation of the data owner's intellectual property rights) is insufficient to...