USA – MASSACHUSETTS Trends and Developments Contributed by: Adam Gershenson and Audrey Pope, Weil, Gotshal & Manges LLP
like the system injection prompts allegedly deployed by Pathway challenge the limits of what can be read - ily ascertained. Now, every credentialed LLM user can access proprietary information, just by asking for it. This raises a potentially nettlesome issue – what, if any, information cannot be readily ascertained by AI? Early litigants in this space have invoked parallels in traditional software to establish the applicability of existing trade secret law to AI-related intellectual property. Compiled software source code, for exam - ple, can be protected as trade secret even after the outward-facing program or product is publicly dis - tributed, in part because the difficulty of untangling source code from object code maintains the former’s secrecy – the underlying source code is not “readily ascertainable”. OpenEvidence’s system prompt code functions in cer - tain ways like source code. Both code categories oper - ate as a sort of blueprint. They define how a model or program will behave with its users. And, like source code, system prompt code is meant to be safely hidden behind a user-facing model. With traditional software, it is difficult for users to “decompile” source code from the visible and machine-readable object code. But the desired function of LLMs – to provide complete and helpful responses to users – means that the tools can be “tricked” into producing the sensitive information on their own, as if they have been caught in Wonder Woman’s lasso. If a user relies on legitimate credentials to access the system, and uses only their curiosity, will - ingness, patience, or desperation to query what makes an LLM tick, whatever the system reveals could well be deemed readily ascertainable. In these circumstances, trade secret owners may turn to the second prong of the “readily ascertainable” test, which requires that information be acquired by “prop - er means”. Even if techniques like system injection prompts make sensitive information readily ascertain - able, trade secret protection may be maintained under the law if the techniques are held to be “improper” (even if the secret information is, in practical terms, vulnerable). Future courts may indeed deem injection prompts “improper”, especially in cases where injec - tion prompting directly violates the platform’s terms of use.
This would be in keeping with the DTSA, which includes “breach” of an existing duty as one means of improper acquisition of information. But it is also possible that this type of prompting will be characterised as some - thing more akin to traditional reverse engineering. If that were the case, then we would likely see new players enter the market with offerings built on competitors’ information. Treating these system injection prompts as reverse engineering might risk primary innovation at the margins, at least to the extent that entities are creating such models to secure a proprietary advantage. Alter - natively, entities might respond by ratcheting up their LLMs’ defences to thwart such queries, which would have a dual benefit as it could (i) decrease the ability of outsiders to acquire that back-end information and (ii) increase the likelihood that the underlying system prompt code merits trade secret protection. To be sure, even companies that do not rely on AI should prepare for the growing accessibility of power - ful technologies. Consider Coca-Cola. The soft drink formula has been kept secret for over a century and attempts to recreate the legendary flavour have long been unsuccessful. But early this year, a YouTuber known as LabCoatz was able to create a “chemically identical” recipe after a year of reverse engineering and with the help of sophisticated lab equipment he borrowed from fellow science content creators. While mass spectrometers are not ubiquitous, the possibility of effectively reverse engineering even complicated product profiles suggests that the amount of read - ily ascertainable information may be growing, even in industries that have historically been more insulated from this kind of business risk. With the contours of the “readily ascertainable” doc - trine in flux, the takeaway for now is that reverse engi - neering AI models and using techniques like injection prompting enhances the risks for all involved. Actors deploying these techniques should know that their conduct may not be protected from liability, particu - larly when it contravenes contractual obligations like terms of use. And parties holding sensitive or propri - etary information in AI tools should be aware of the limits of the existing law and accordingly take steps to strengthen their IP protocols where possible, without relying on traditional standards that have not been fully tested against the most modern intrusions.
206 CHAMBERS.COM
Powered by FlippingBook