Richmond Journal of Law and Technology

The first exclusively online law review.

Month: December 2016

Shut The Yak Up


By: Victoria Linney,

Yik Yak is a popular app among many college and university students. The app is a location-based network that helps people connect with others around them.[1] However, the app differs from Twitter and Facebook in that users are able to post on the app anonymously and must be within a certain radius to see the posts.[2] Only users who are seventeen and older are allowed to use the app, and the company actively blocks middle and high schools from Yik Yak by using geofences.[3] Geofencing is a method of placing boundaries based on location, and depending on where you fall in said boundary you are either able to use the Yik Yak app or not.[4]

Due to the anonymity of the app, users feel free to post whatever they are currently thinking, and sometimes these posts lead to cyberbullying.[5] But, Yik Yak takes cyberbullying very seriously, and asks that users screenshot and “downvote” the post before reporting the post.[6] Once the yak has been reported, it is removed from the user’s feed and if the yak violates Yik Yak’s rules the user who posted the yak is suspended and the yak is removed from all feeds.[7]

However, the measures taken by Yik Yak to prevent cyberbullying are not enough for some people. While middle and high schools are unable to access the app, there has been a call for college campuses to block Yik Yak.[8] Some campuses have responded to this call by banning the app from their wireless networks.[9] But this move is largely symbolic, because as long as students are able and willing to switch off wifi on their phones, they are able to access the app by using phone data.[10] In an attempt to make more than a purely symbolic move, some colleges have asked Yik Yak to install a geofence around their campuses, which would prevent students from accessing the app, even while using data.[11] However, Yik Yak does not comply with these requests, and states clearly on the geofence request form on their website that they “only geofence middle and high schools (primary and secondary) and will not geofence an entire town or college campus.”[12]

But, the question still remains – even if Yik Yak was willing, or compelled, to put geofences around university campuses, would doing so violate students’ First Amendment rights? If a public college or university were to implement a geofence to ban Yik Yak, they would be violating the First Amendment.[13] This is because the Supreme Court has stated that the purpose behind the First Amendment is to “protect unpopular individuals from retaliations – and their ideas from suppression – at the hand of an intolerant society.”[14]

Protecting unpopular ideas, however, does not mean that threatening language is protected. True threats of violence are constitutionally unprotected, but true threats are not the only things being posted on Yik Yak.[15] People post about what the dining hall is serving, or about a tough breakup they are going through.[16] To block an entire platform designed for people to express their thoughts and opinions simply because some posts on the app are unpopular is contrary to the spirit of the First Amendment. As such, implementing a geofence to ban Yik Yak on college campuses would likely be held as unconstitutional, regardless of whether the university is public or private.



[1] See About, Yik Yak, (last visited Nov. 13, 2016).

[2] See Tasnim Shamma, Yik Yak Tests Universities’ Defense of Free Speech, NPR (Jan. 23, 2016),

[3] See How Do You Prevent Children From Using Yik Yak?, Yik Yak, (last visited Nov. 13, 2016).

[4] See Shamma, supra note 2.

[5] See Adam Steinbaugh, The Futility of ‘Banning’ Yik Yak on Campus, The FIRE (Feb. 22, 2016),

[6] See I’m Being Bullied/Targeted, Yik Yak, (last visited Nov. 13, 2016).

[7] See id.

[8] See Steinbaugh, supra note 5.

[9] See Nathan Rubbelke, Campuses ‘Symbolically’ Ban Yik Yak as Battle Over App Rages, The College Fix (Oct. 21, 2015),

[10] See Tyler Kingkade, Students Dip Into Their Data Plans to Get Around College’s Yik Yak Ban, Huff Post (Apr. 12, 2016),

[11] See College of Idaho Tries to Ban App Yik Yak on Campus, Wash. Times (May 15, 2015),

[12] Geofence Request, Yik Yak, (Nov. 13, 2016).

[13] See Steinbaugh, supra note 5.

[14] McIntyre v. Ohio Elections Comm’n, 514 U.S. 334, 357 (1995).

[15] See Eugene Volokh, National Coalition in Favor of Campus Censorship, Wash. Post (Oct. 26, 2015),

[16] See Shamma, supra note 2.

Image Source:

Volume XXII Issue IV

May 16, 2016

Dear Readers,

The Richmond Journal of Law and Technology is proud to present its fourth and final issue of the Twenty-Second Volume. At its inception in 1995 JOLT became the first law review to be published exclusively online. From this moment on, the Journal has continued to set trends in legal scholarship. As one of the leading publications in the legal technology field, JOLT has the privilege of publishing articles that address topics at the forefront of the law. The articles in the Fourth Issue offer exciting discussions on forward-looking areas of the law and give readers a glimpse into the ways in which technology is transforming the legal landscape. The Journal hopes that these articles will drive advancements in the law and in practice, and we look forward to the discussions they evoke.

In our first article, entitled “Digital Direction for the Analog AttorneyData Protection, E-Discovery, and the Ethics of Technological Competence in Today’s World of Tomorrow,” authors Stacey Blaustein, Melinda McLellan, and James Sherer outline some of the many challenges facing attorneys operating in the current high-tech legal environment. The article examines the ways in which existing and emerging ethical rules and guidelines may apply to the practice of law in the digital age. Cloud technology and social media are among the prominent technical platforms which, while convenient and efficient, pose significant threats to the technologically incompetent lawyer and his clients. This article is certain to spark further conversation about these issues as they continue to evolve.

Our second article, and final article of Volume XXII, is the selected 2016 JOLT Student Comment. Written byJOLT’s graduating Managing Editor, Megan Carboni, this article makes an exciting and bold proposal to bridge the gap in employment classification for workers in the “sharing” or “collaborative” economy. This new technology-enabled marketplace, spurred by Uber and mimicked by numerous other innovative service-sharing applications, posits a vexing balancing act between meeting the needs of businesses and their quasi-employees. Uber and similar businesses rely on classifying their workers as independent contractors, avoiding the potentially crippling benefits and obligations that these businesses would be forced to provide for their employees. At present there are only two definitions—employee and independent contractor—making it difficult to strike a balance without severely interfering with the employer’s business or employee expectations and needs. This article proposes an innovative third classification, the “dependent contractor,” as the best solution to meet the needs of both employer and employee.

On behalf of the entire 2015–2016 JOLT staff, I want to extend our sincerest thanks for your continued readership. I would also like to thank each of our authors for the time and hard work they have put into these articles. As always, JOLT greatly appreciates the ongoing support from the University of Richmond School of Law and is especially grateful for the guidance of our faculty advisors, Dean Jim Gibson and Professor Chris Cotropia.

On a more personal note, I wanted to extend my utmost appreciation and gratitude to the 2015–2016 JOLTEditorial Board and staff. It has been a pleasure serving as the Editor-in-Chief of Volume XXII and I could not have successfully completed the Volume without the consistent hard work and dedication of the Journal’s members. On behalf of the outgoing class of 2016, I would like to wish Volume XXIII and the new Editorial Board all the best as they continue shaping JOLT’s reputation as the leading publication in the legal technology world.




John G. Danyluk                                                                                                                             Editor-in-Chief, Volume XXII


Digital Direction for the Analog Attorney – Data Protection, E-Discovery, and the Ethics of Technological Competence in Today’s World of Tomorrow, by Stacey Blaustein, Melida L. McLellan, and James A. Sherer

A New Class of Worker for the Sharing Economy, by Megan Carboni

The Skeleton of a Data Breach: The Ethical and Legal Concerns

pdf_icon BDM Publication Version PDF

Cite as: Hilary G. Buttrick et al.,The Skeleton of A Data Breach: The Ethical and Legal Concerns, 23 Rich. J.L. & Tech. 2 (2016),

Hilary G. Buttrick,* Jason Davidson,** Richard J. McGowan***



[1]       After over thirty data breaches spanning the third and fourth quarter of 2012, Forbes magazine labeled the summer of 2012 as “The Summer of the Data Breach.”[1] Four years later, businesses across multiple industries have suffered brand-image damage and paid millions of dollars in remedial expenses; we are living in the era of the mega breach.[2] In 2014, companies such as Target, Home Depot, JP Morgan Chase, Anthem, Sony, UPS, Jimmy John’s, Kmart, Neiman Marcus, Community Health Systems, and the White House suffered data breaches.[3] The Home Depot breach alone resulted in the loss of “56 million credit card accounts,” “53 million email addresses,” and an estimated 63 million dollars in damage.[4] In addition to the economic fallout associated with data breaches, the 2015 Ashley Madison data breach highlighted the personal toll faced by consumers when their “private” information becomes “public.”[5] That data breach exposed the identities of millions of would-be philanderers, shaming not only the subscribers to Ashley Madison’s service, but also innocent bystanders such as their family members.[6] The frequency of data breaches has shown no signs of abating in 2016—in the first quarter, multiple hospitals fell victim to “ransomware,” a data breach that allows hackers to literally hold patient data hostage.[7] Several hospitals had to pay hackers to regain access to their patients’ data.[8]

[2]       “Decentralized technology” creates a different set of problems than the simple misuse of a single individual’s “technological profile” and information.[9] Today, unauthorized access to electronic information, a result of what Burnham in 1983 referred to as “transactional information,”[10] includes “hackers breaking into systems or networks, third parties accessing personal information on lost laptops or other mobile devices, or organizations failing to dispose of personal information securely.”[11] Data breaches exemplify the first type of unauthorized access and despite their frequent occurrence, they are little examined from an ethical standpoint. Though Google Scholar lists over 82,000 entries under “ethics of a data breach,” very few combine both terms in the title.[12] One article that does so notes a “dearth of prior organizational-level privacy research, which has largely overlooked ethical issues or the personal harms often caused by privacy violations.”[13] Even within the field of technology, “there has not been a huge literature on ethics within the mainstream of information systems journals.”[14] Part of the problem is the novelty of data breach cases. They are so new and different that they appear to be technologically, morally, and legally unlike other problems. We suggest that analogies and analyses exist which can help resolve some of these moral and legal puzzles.

[3]       First, this paper discusses the anatomy of a data breach, providing technical background on the way breaches occur. Next, we identify the ethical dimensions of data breaches. While privacy is a key topic in any ethical analysis of a data breach, other issues are more pressing, such as the responsibility of organizations to prevent and to repair consequences of data breaches. Then we analyze the current status of the law with regard to data breaches. We note immediately that the laws of various states are exactly that, various and eclectic. No consistent and stable legal understanding appears to have availed itself. The article concludes with guidance regarding data breach prevention, which can help businesses meet their ethical and legal obligations.

I. Data Breach Basics

[4]       According to popular folklore, the first computer “bug” was officially documented in 1945.[15] This was years before the first personal computer was released, and instead of malware or social engineering deception, the “bug” was literally a moth that was stuck between two components of IBM’s Harvard Mark II.[16] After a cataclysmic data breach in the modern computing age, however, postmortem reports eventually surface that provide the details of each individual breach.[17] These reports explain the hacker’s methodology, the company’s missed warning signs, and the collateral damage from the breach.[18] Each individual breach has its own signature as every data system is as unique as a fingerprint; however, these breaches generally occur in one of several ways.

[5]       The most common and well-documented method of cyber-attack uses malware.[19] Malware, which includes viruses, worms, and trojan horses, is the “generic name for evil software.” [20] A 2016 data breach report by Verizon found that malware continues to be the major contributor to data breaches involving stolen credentials and point of sale attacks. [21] Malware attacks, specifically worms, were publically credited for both the Target[22] and Home Depot[23] data breaches. Ironically, the first worm was created in 1975 by Xerox as a network analysis tool.[24] Modern day worms are standalone programs that can replicate and spread throughout a network when activated.[25] Some of the more notable worms include Melissa, ILOVEYOU, Slammer, and the Morris worm.[26] Malware is not the only factor that can lead to network compromise. Security breaches often are attributable to social engineering.[27]

[6]       Social engineering employs deception tactics to persuade the user to simply give the cybercriminal direct access to the system under attack, similar to the modus operandi of a traditional con-artist.[28] Social engineering attacks direct messages and correspondence to users who have access to the systems that are being attacked.[29] Through different methods of deception, the user is prompted to give away the information needed to access the system.[30] The most common methods of social engineering are spear phishing, smishing, and vishing.[31] Spear phishing is direct correspondence, usually via email, that is personally crafted to gain the trust of the end user.[32] Once trust is obtained, the user is prompted for login credentials and the system is compromised. Smishing and vishing are similar to spear phishing; however, they use text messages (smishing) and voice communication (vishing) as mediums.[33] It is also worth noting that old-fashioned tactics such as breaking and entering, removing files from the printer, or simply guessing passwords are still commonly used tricks of the trade.[34]

[7]       To circumvent the millions of dollars companies invest in information technology security, hackers often use a combination of the tactics discussed above. As detailed in the Dell SecureWorks report on the Target infiltration, a combination of social engineering and malware was used to cause the collapse.[35] Hackers first targeted Fazio Mechanical Services, a vendor for Target.[36] They were able to gain login credentials through spear phishing, which in turn granted them direct access to the systems that opened a pathway to Target’s network.[37] Upon accessing Target’s data network, the hackers injected a worm into the system.[38] This worm compromised Target’s point of sale systems using a customized version of malware called Black POS.[39] This malware then compromised Target’s server, which allowed the data to be distributed and copied to servers located throughout the world; accordingly, the hack was very difficult to trace.[40]

[8]       For businesses, the question of data breach is not “if” but “when.” It is indisputable that the hackers in the examples discussed above bear the moral responsibility for their acts.[41] But the moral responsibility of the business that sustains the data breach presents a closer question. Businesses require consumers to provide their private information when completing even the most routine transactions; this places the business in a unique position of trust. The scope of a business’s moral responsibility for breach of that trust is discussed below.

II. Moral Responsibility and Data Breach 

[9]       Of course, the right to privacy is at the fore. However, information technology “explicitly embodies particular important values…privacy, autonomy, universal usability, trust, and cooperation.”[42] The existing literature does not explore the scope of a business’ moral responsibility for data breach. Accordingly, reference to other areas, such as moral responsibility for marketing, is instructive. The values associated with information technology suggest moral analysis based on the ethics of marketing and on notions of corporate responsibility, inasmuch as knowledge plays a role in making autonomous choices and trust is associated with responsibility.[43]

[10]     Three main positions have been staked out over the years with regard to marketing: the contractual view, the due care theory, and the social costs view, sometimes referred to as the “deep pockets” view.[44] Captured in the phrase, caveat emptor, the contractual view of the buyer-seller relationship holds that the seller, typically a business, only has the duties to the buyer that the contract states.[45] Thus, under the contract view, Ford could indeed sell a product which, when struck from behind at 21 miles per hour, could produce a flaming inferno.[46]

[11]     The problem is that consumers lack the knowledge that the producer has and therefore cannot act knowledgably in purchasing a product. The due care position recognizes the imbalance and the vulnerable position of the consumer by placing additional duties on the business.[47] As Culnan and Williams put the matter, “[w]e further argue that because consumers are vulnerable in their dealings with businesses due to information and control deficits, organizations have a moral duty—often overlooked, we observe—that extends beyond legal compliance requiring them to take reasonable precautions with consumer data and to avoid harm in using this data.”[48] The “deep pockets” view­–analogous to the legal notion of strict liability–would have the seller assume all costs–even when exercising “due care” to protect the consumer from risk and injury–of a product.[49] In other words, when a problem occurs, no investigation need be undertaken: the seller takes the responsibility, or caveat vendor.[50] Given the poor record of businesses with regard to handling data breaches,[51] the third option appears most reasonable.

[12]     Corporations have been reluctant to take steps to exhibit moral responsibility in the area of data breach.[52] Normally, when wrongdoing occurs in an organizational setting, the elements of magnitude and certitude of harm as well as connection and contribution to the harm are utilized.[53] Corporations appear to underestimate magnitude and certitude of harm and appear to ignore the contribution they make to data breaches by being primarily reactive rather than proactive.[54] While an analysis of a business’s moral responsibility for a data breach suggests the appropriateness of a rule akin to strict liability, the law is far from imposing such an obligation.[55]

III. Legal Liability and Data Breach

[13]     Not surprisingly, the development of data breach law has lagged behind the speed of technological innovation.[56] There are two significant legal questions surrounding data breaches. First, what legal obligations does a business owe its customers regarding data security and notifications of a breach? Second, what legal remedies do consumers have if their private information is compromised as the result of a data breach? As discussed below, there is currently no comprehensive federal regulatory scheme addressing data breach.[57] Instead, businesses must attempt to comply with a patchwork of state laws addressing data breach notifications.[58] Additionally, consumers are left with few effective civil remedies when their private information is breached.[59]

A. Data Breach Notification Laws

[14]     At present, there is no comprehensive federal statute addressing a business’s obligation to safeguard personal information.[60] While there are a few federal statutes aimed at protecting personal information in narrow contexts (such as the protection of medical and health-related information under the Health Insurance Portability and Accountability Act of 1996),[61] the legal rules governing data breach are handled largely at the state level.[62] Currently, “[f]orty-seven states, [and] the District of Columbia” have laws addressing business obligations with regard to data breaches.[63] Three states—Alabama, New Mexico, and South Dakota—have no statutes on the books addressing consumer notification of data breaches.[64] Most states impose obligations on businesses to maintain “reasonable security” measures “to protect personal information.”[65] While definitions vary from state to state, “personal information” commonly includes an individual’s social security number,[66] or

[A]n individual’s first and last names, or first initial and last name, and one (1) or more of the following data elements that are not encrypted or redacted: (A) A driver’s license number. (B) A state identification card number. (C) A credit card number. (D) A financial account number or debit card number in combination with a security code, password, or access code that would permit access to the person’s account.[67]

[15]     A “breach” occurs when there is an “unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information. . . .”[68]

[16]     In the event of a data breach, existing statutes require businesses to provide some type of notification to the consumer.[69] The type and timing of that notice, however, varies from state to state.[70] Some states require consumer notification whenever unauthorized access of personal information occurs.[71] Other states require businesses to notify consumers only if there appears to be a reasonable risk that some harm will result from the breach.[72] Many states require businesses to notify the attorney general of data breaches.[73] Some statutes require notification within a specified time frame, while others simply require that notification be done expediently.[74] Businesses that serve consumers in multiple states must comply with the notification requirements of each of the states where affected consumers reside.[75] Thus, when a large data breach occurs, businesses face a considerable challenge in ensuring compliance with the various notification laws throughout the country.[76]

[17]     This patchwork of state regulation leads commentators and policy advocates to suggest that a comprehensive federal data breach statute should be enacted.[77] A federal data breach statute would preempt state regulation, thus simplifying the breaching business’s compliance requirements and costs.[78] Instead of struggling to comply with the various notification laws of multiple states, a business would look to only one source—federal law—to discern its obligations in the event of a data breach.[79] While federal bills have been proposed,[80] Congress has failed to pass any comprehensive proposal.[81]

[18]     Moreover, critics claim that draft bills are weak and do not offer enough protection for consumers.[82] In particular, critics note that the proposals do not do enough to incentivize data breach prevention because they focus on consumer notification after a breach has already occurred.[83] To incentivize data breach prevention, businesses must view added security measures as solid investments that minimize risks of loss.[84] The primary business risks associated with data breaches are loss of customer goodwill and, of course, lawsuits from affected consumers.[85] As discussed below, data breach lawsuits are difficult to pursue. Accordingly, the threat of consumer litigation has not played an extensive role in influencing businesses to adopt more stringent security measures.[86]

B. Consumer Remedies for Data Breach

[19]     Some commentators have argued that in order to meaningfully encourage businesses to adopt better data protection measures, businesses must view customer litigation as a serious threat.[87] The threat of litigation in this context has been largely hollow because consumers have few legal remedies when their personal information is breached.[88] While data breach statutes require businesses to notify consumers in the event of a breach, only a handful of those statutes create a private cause of action that allows the consumer to bring a lawsuit against the business.[89] Thus, in the majority of states with data breach statutes, the consumer is statutorily entitled to notice of the breach but little else.[90] Given the lack of meaningful statutory remedies for data breaches, consumers have looked to the common law for a cognizable theory of recovery.[91] Consumers have sought damages for data breaches under theories of negligence, breach of contract, breach of fiduciary duty, and infliction of emotional distress.[92] These common law theories are not well-suited to data breach cases and often end in dismissal for several reasons.[93]

[20]     First, the harm that results from data breaches is most commonly economic harm—there is no personal injury or physical property damage sustained by the consumer as a result of the data breach.[94] Many jurisdictions follow a rule called the “economic loss doctrine,” which prevents consumers from recovering purely economic damages under a tort theory (such as negligence or infliction of emotional distress).[95] Thus, in jurisdictions that follow the economic loss doctrine, data breach claims sounding in tort rarely reach the jury because they are dismissed as the result of pretrial dispositive motions filed by the defendant.[96]

[21]     Second, many data breach cases are dismissed because the consumer lacks standing to bring such a claim.[97] Standing is a constitutional prerequisite to litigation that requires the plaintiff to have suffered an injury in fact.[98] In other words, the harm sustained by the plaintiff must be real, not hypothetical or speculative.[99] In data breach cases, the injury can be hard to define. Plaintiff consumers often argue that the data breach itself and the risk of future identity theft are sufficient harms; defendant businesses contend that no injury has occurred unless the plaintiff can show a link between the data breach and an actual instance of identity theft.[100] Not surprisingly, the courts are divided on what type of injury suffices to confer standing in a data breach case.[101]

[22]     Even if the plaintiff consumer in a data breach case survives the standing hurdle, he or she must still prove all of the elements of his or her case in order to win. In most instances, the consumer will have to prove that his or her injury was caused by the defendant’s data breach.[102] Proving causation in data breach cases can be difficult because the plaintiff’s personal information may have been compromised in other data breaches, making it nearly impossible to establish that the suffered identity theft was solely the result of the defendant’s breach.[103]

[23]     The procedural and substantive difficulties associated with data breach litigation mean that very few of these cases are likely to survive dispositive motions and reach a jury, which in turn makes them less attractive to class action attorneys.[104] The procedural hurdles, the cost of litigation, and the prospect of a small recovery are enough to deter most individual consumers from bringing a data breach lawsuit.[105] Without effective legal remedies, most consumers must simply put up with the headaches associated with data breaches.[106] While external litigation pressures and the current data breach regulatory state may not incentivize businesses to take additional steps to safeguard consumer privacy, ethics would certainly suggest that businesses should voluntarily adopt higher standards for data protection.[107]


IV. Business Strategies to Minimize the Risk of Data Breach

[24]     Several tactics can help reduce the threat of cybercrime. The first tactic is infrastructure.[108] A modern company must continually perform routine maintenance including, but not limited to, security patches, operating system upgrades, and hardware upgrades. Often cyber criminals exploit older software to maliciously gain access to data networks.[109] The initial discovery of these exploits before the software manufacturer has developed a security patch is called a “zero-day attack.”[110] Once a hardware or software exploit is identified, software and hardware vendors act to create patches to repair the problem as quickly as possible.[111] It is up to the corporation to obtain and apply these patches.

[25]     The second prevention method is active monitoring.[112] Similar to the way that the FBI manages the national threat level, a company’s IT department must manage the cybercrime threat level.[113] Myriad firewall and IT monitoring software is available to monitor network traffic.[114] Many anti-virus software programs automatically scan and remove commonly found malware.[115] In addition, IT security companies provide external monitoring services to augment a company’s internal monitoring procedures.[116] These offsite IT services offer network traffic monitoring and even provide built-in client insurance/reimbursement if a data breach occurs due to negligence within their services.

[26]     The third prevention method is education.[117] While most people envision a hacker in a dark basement surrounded by computers, social engineering is a remarkably effective method of data intrusion.[118] For example, a study of data breaches occurring in 2015 found that “30% of phishing messages were opened by the target across all campaigns.”[119] The risk of data breach can be mitigated if employees know they should never share passwords; they should frequently change passwords, and they should lock their office doors.[120] Additional security measures such as key fobs, biometric readers, and similar devices that must remain with employees, should also be kept private. While no one strategy can guarantee that a business will not sustain a data breach, the preceding measures will lessen the risk.

V. Conclusion

[27]     Though data breaches are a relatively new phenomena, guidance about the technology, morality, and legality of data breaches is available. If we are correct, corporations must do a better job of determining where data breaches are likely to occur, whether from human error or informational system flaw. Corporations must take steps to minimize risk before data breaches occur. Protocols must be put in place that assume responsibility for the consumers’ negative consequences, such as notifying them immediately and providing help in diminishing the harm from the data breach. The legal liability will be mitigated; trust and cooperation will more likely flourish.




*J.D., Assistant Professor of Business Law, Butler University.

**M.B.A., Instructor of Management Information Systems, Butler University.

***Ph.D., Instructor of Business Ethics, Butler University.

[1] See Dave Lewis, Notes from RSA: Accountability in Security, Forbes, (Apr. 29, 2015, 6:30 PM),, archived at

[2] See Bill Hardekopf, The Big Data Breaches of 2014, Forbes, (Jan. 13, 2015, 7:06 PM),, archived at

[3] See id.; see Ellen Nakashima, Hackers Breach Some White House Computers, Wash. Post (Oct. 28, 2014),, archived at

[4] The Home Depot, Inc., Annual Report (Form 10-K) (Mar. 25, 2015), at 18–19.

[5] See Eric Basu, Cybersecurity Lessons Learned from the Ashley Madison Hack, Forbes, (Oct. 26, 2015, 11:55 AM),, archived at

[6] See id.

[7] See Seung Lee, Ransomware Wreaking Havoc in American and Canadian Hospitals, Newsweek, (Mar. 23, 2016, 10:23 AM),, archived at

[8] See id.

[9] See Mary J. Culnan & Cynthia Clark Williams, How Ethics Can Enhance Organizational Privacy: Lessons From the ChoicePoint and TJX Data Breaches, 33 MIS Q. 673, 673 (2009).

[10] David Burnham, The Rise of the Computer State 50 (1983).

[11] Culnan & Williams, supra note 9, at 675.

[12] See Search Results for “Ethics of a Data Breach,” Google Scholar,, archived at (last visited Sept. 20, 2016).

[13] Culnan & Williams, supra note 9, at 673.

[14] John Mingers & Geoff Walsham, Toward Ethical Information Systems: The Contribution of Discourse Ethics, 34 MIS Q. 833, 837 (2010).

[15] See Computerworld Staff, The Moth in the Machine: Debugging the Origins of the Bug, Computerworld (Sept. 3, 2011, 7:00 AM),–debugging-the-origins-of–bug-.html, archived at; see also Fred R. Shapiro, Etymology of the Computer Bug: History and Folklore, 62 American Speech 376, 376–77 (1987).

[16] See Shapiro, supra note 15, at 376–77 (noting that a moth was found in the Mark II in 1945, but contending that the word “bug” was used to describe defects in machines long before 1945; thus, the term did not originate with the insect found in the Mark II).

[17] See Pragati Verma, You’ve Been Breached — What Now? A Post-Mortem Checklist, Forbes: AllClear ID (Aug. 17, 2015, 11:27 AM),, archived at

[18] See id.

[19] See Raymond R. Panko & Julia L. Panko, Business Data Networks and Security 91 (Pearson, 10th ed. 2015).

[20] Id.

[21] See Verizon, Inc., 2016 Data Breach Investigations Report, at 20 (2016),, archived at (follow “Download the 2016 DBIR”) [hereinafter Verizon Report].

[22] See Keith Jarvis & Jason Milletary, Inside a Targeted Point-of-Sale Data Breach, Dell SecureWorks, at 1 (Jan. 24, 2014),, archived at

[23] See Hardekopf, supra note 2.

[24] See Michael A. Hiltzik, Computer Viruses Can Be Healthy for Innovation, L.A. Times (Apr. 5, 1999), at 1,, archived at

[25] See Panko & Panko, supra note 19, at 93.

[26] See, e.g., Ned Potter, Top 10 Computer Viruses and Worms, ABC News (Sept. 3, 2009),, archived at (listing the top 10 most well-known computer viruses and worms).

[27] See Verizon Report, supra note 21, at 17 (noting that most phishing cases “feature phishing as a means to install persistent malware,” leading to security breach).

[28] See Panko & Panko, supra note 19, at 96–97.

[29] See id. at 96.

[30] See id. at 97.

[31] See id. at 96–97; see FBI, Smishing and Vishing and Other Cyber Scams to Watch Out for This Holiday, Federal Bureau of Investigation (Nov. 24, 2010), [hereinafter Smishing and Vishing].

[32] See Panko & Panko, supra note 19, at 97.

[33] See Smishing and Vishing, supra note 31.

[34] See, e.g., Eric Geier, Your Printer Could Be a Security Sore Spot, PC World (Apr. 25, 2012, 6:01 PM),, archived at (discussing five security threats network printers may impose); see also Matt Smith, The 5 Most Common Tactics Used to Hack Passwords, Make Use Of (Dec. 20, 2011),, archived at

[35] See Jarvis & Milletary, supra note 22, at 1,10.

[36] See Staff of S. Comm. on Com., Sci., and Transp., 113th Cong., A “Kill Chain” Analysis of the 2013 Target Data Breach 4 (2014),, archived at

[37] See id. at 8.

[38] See id. at 9.

[39] See id. at 2, 9.

[40] See id. at 4.

[41] See generally Richard J. McGowan & Hilary G. Buttrick, Moral Responsibility and Legal Liability, or Ethics Drives the Law, 11 J. Learning in Higher Educ. 9, 10 (2015) (discussing the three basic elements of moral responsibility).

[42] Mingers & Walshman, supra note 14 at 839.

[43] See generally John Rawls, A Theory of Justice 347-50 (1971) (discussing the moral psychology and the acquisition of the sentiment of justice).

[44] See Manuel Velasquez, Business Ethics: Concepts and Cases 308 (7th ed. 2012).

[45] See id. at 314; see generally Thomas Garrett & Richard Klonoski, Business Ethics 88 (2nd ed. 1986) (discussing the fairness of a sales contract and the importance of protecting the dignity of the buyers).

[46] See generally Clark Butler, Human Rights Ethics: A Rational Approach 80 (2008) (discussing the moral psychology and the acquisition of the sentiment of justice).

[47] See Edgar H. Schein, The Problem of Moral Education for the Business Manager, 8 Indust. Rev. 3, 4 (1966).

[48] Culnan & Williams, supra note 9, at 674.

[49] See Reed Dickerson, The Basis of Strict Products Liability, 16 Food, Drug, Cosmetic L.J. 585, 591 (1961).

[50] See David A. Hall, Strict Liability and Computer Software: Caveat Vendor, 4 Computer/L. J. 373, 373 (1983).

[51] See generally Culnan & Williams, supra note 9, at 681-82 (discussing the ways in which consumers are vulnerable when businesses lack appropriate data security measures); see also Simon Petravick & Stephan G. Kerr, Protect Your Portable Data—Always and Everywhere, 6 J. of Acct. 30, 31 (2009) (discussing the ways in which businesspeople often fail to appropriately safeguard confidential client information).

[52] See Culnan & Williams, supra note 9, at 681-82.

[53] See McGowan & Buttrick, supra note 41, at 11.

[54] See Culnan & Williams, supra note 9, at 674.

[55] See Norman C. Simon, Brendan M. Schulman & Samantha V. Ettari, Beware the Breach: Data Breaches, Notification Duties, and Legal Liability, (Aug. 29, 2012),, archived at

[56] See Adi Snir, Dealing with the Law Lag, LegalVision (May 6, 2016),, archived at

[57] See Peter J. Arant, Understanding Data Breach Liability: The Basics Every Attorney Should Know, 40 Mont. L. 8, 8–9 (2015) (“At the federal level, there is no comprehensive data privacy or security law. Instead the U.S. follows a ‘sectoral’ approach, meaning there are federal laws that apply to specific sectors.”).

[58] See id.; see also Comparison of U.S. State and Federal Security Breach Notification Laws, Steptoe & Johnson LLP (Jan. 21, 2016),, archived at

[59] See Rachel M. Peters, So You’ve Been Notified, Now What? The Problem with Current Data-Breach Notification Laws, 56 Ariz. L. Rev. 1171, 1175 (2014) (“[O]nce an individual has been notified of a breach, she has limited legal recourse against the company or organization that exposed her personal information.”).

[60] See Arant, supra note 57, at 8–9.

[61] See Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191, 110 Stat. 1936; see Arant, supra note 57, at 9 (noting that the Federal Trade Commission may bring lawsuits against companies with “lax security and privacy practices” because they are considered “unfair or deceptive practices”); see also Charlotte A. Tschider, Experimenting with Privacy: Driving Efficiency Through a State-Informed Federal Data Breach Notification and Data Protection Law, 18 Tul. J. Tech. & Intell. Prop. 45, 47, 53–54 (2015) (“Because no federal law in the United States provides a broad, comprehensive set of data breach notification or data protection requirements for all businesses and consumers, other federal administrative bodies have provided catch-all protection in some circumstances.”).

[62] See Jeff Kosseff, Cyberwars: Navigating Responsibilities for the Public and Private Sector: Positive Cybersecurity Law: Creating a Consistent and Incentive-Based System, 19 Chap. L. Rev. 401, 402 (2016) (We have “a patchwork of related laws, including breach notification and privacy statutes, that focus on penalizing companies for inadequate data security. But our legal system lacks a coordinated network of laws that are designed to promote cybersecurity and prevent data breaches from occurring in the first place.”); see also Peters, supra note 59, at 1181 (discussing various state law data-breach notification statutes).

[63] Security Breach Notification Laws, Nat’l Conf. of St. Legislatures (Jan. 4, 2016),, archived at [hereinafter NCSL Security Breach Research]

[64] See id.

[65] Timothy J. Toohey, Beyond Technophobia: Lawyers’ Ethical and Legal Obligations to Monitor Evolving Technology and Security Risks, 21 J.L. & Tech. 1, 14 (2015) (explaining general state law requirements for data breach security in context of attorneys’ obligations to secure data).

[66] See Ind. Code § 24-4.9-2-10(1) (2014).

[67] Ind. Code § 24-4.9-2-10(2)(A)-(D) (2014).

[68] Ind. Code § 24-4.9-2-2(a) (2014).

[69] See NCSL Security Breach Research, supra note 63.

[70] See Data Breach Charts, Baker Hostetler 1, 17-18,, archived at (last visited Oct. 4, 2016) (providing state-by-state-survey of data breach notification requirements).

[71] See id. at 9.

[72] See id. at 9-12.

[73] See id. at 13-16.

[74] See id. at 15-16, 18-19.

[75] See Sasha Romanosky et al., Empirical Analysis of Data Breach Litigation, 11 J. Empirical Legal Stud. 74, 80 (2014) (“[I]t is the residence of the individual that drives disclosure, not the location of the breach. That is, disclosure to an individual is required only if the state in which the individual is a citizen has adopted a disclosure law.”).

[76] See Arant, supra note 56, at 10 (“Given the heterogeneous nature of state data breach notification laws, simultaneous compliance with multiple laws can be a logistical nightmare—and an expensive one at that.”).

[77] See Jill Joerling, Note, Data Breach Notification Laws: An Argument for a Comprehensive Federal Law to Protect Consumer Data, 32 Wash. U. J.L. & Pol’y 467, 486 (2010) (“Congress should take action immediately to enact a federal data breach notification law.”); see also Jay P. Kesan, et al., A Comprehensive Empirical Study of Data Privacy, Trust, and Consumer Autonomy, 91 Ind. L.J. 267, 346-48 (2016) (suggesting “a complete overhaul of data privacy law[s] and the creation of [centralized] profile repository” for consumers’ data that would operate in a fashion similar to credit bureaus); Tschider, supra note 61, at 72 (“a federal statute should regulate all businesses involving consumer personal information to effectively preserve customer choice and control with respect to their information, to drive contract efficiency, and to facilitate international trade.”).

[78] See Joerling, supra note 77, at 486.

[79] See id. (“Replacing the current patchwork of . . . state laws with a single comprehensive federal law would give businesses a clear road map to follow after a breach.”).

[80] See, e.g., Data Security and Breach Notification Act of 2015, H.R. 1770, 114th Cong. (2d Sess. 2016) (demonstrating a proposed federal data breach law that did not pass in Congress).

[81] See Brett V. Newman, Hacking the Current System: Congress’ Attempt to Pass Data Security and Breach Notification Legislation, 2015 U. Ill. J.L. Tech. & Pol’y 437, 445 (2015) (“The patchwork state legislation and numerous bill introduced in Congress show how difficult it is to agree on breach notification and data security measures. There is likely an agreement that the United States needs a data breach law, but that does not mean that one will be passed. The problem may also come from a surplus of Congressional committees claiming jurisdiction and trying to tackle the issue—resulting in too many different bills.”).

[82] See Peters, supra note 59, at 1196. (Although Peters analyzes an earlier draft bill, the Data Security & Breach Notification Act of 2013, her criticism holds true for the Data Security Breach Notification Act of 2015.)

[83] See id.; see also Tschider, supra note 61, at 74-75 (emphasizing the need for a federal law that focuses on data protection in addition to data breach notification: “Having clear data protection standards will dramatically reduce uncertainty for consumers and business, as standard data protection requirements will be articulated and required for implementation . . .”); see also Andrea Peterson, Why this National Data Breach Notification Bill has Privacy Advocates Worried, Wash. Post (Apr. 15, 2015),, archived at (noting that consumers could have fewer protections under Data Security Breach Notification Act of 2015 than they have under existing state laws).

[84] See Kosseff, supra note 62, at 403 (arguing that laws should create incentives through tax credits and litigation safe harbors to encourage businesses to invest in cybersecurity infrastructure; rather than focus solely on penalties for data breaches).

[85] See Ponemon Inst., 2016 Cost of Data Breach Study: United States, IBM, 1, 3, 13 (2016).

[86] See Peters, supra note 59, at 1193.

[87] See id. at 1197 (noting that a national data breach law that gives consumers a private right of action or requires mandatory credit monitoring “will be an incentive for companies to minimize data breaches.”).

[88] See, e.g., Nicole Hong, For Consumers, Injury Is Hard to Prove in Data-Breach Case, Wall St. J. (June 26, 2016, 8:06 PM),, archived at

[89] See Baker Hostetler, supra note 70, at 16–18.

[90] See Kesan et al., supra note 77, at 277 (noting that “many other states merely require companies to notify customers of data breaches and the relevant statutes do not create any additional duties or entitlements.”).

[91] See also Thomas Martecchini, A Day in Court for Data Breach Plaintiffs: Preserving Standing Based on Increased Risk of Identity Theft After Clapper v. Amnesty International USA, 114 Mich. L. Rev. 1471, 1474 (noting that courts are divided on “whether increased risk of identity theft is an injury-in-fact sufficient to create standing…”).

[92] See Peters, supra note 59, at 1185 (discussing various common law theories available to consumers for data breach).

[93] See id. at 1185-87 (“[A] principle reason that civil causes of action in data-breach cases are rarely successful is the difficulty consumer data-breach victims have in meeting the standing and injury requirements.”).

[94] But see Kesan et al., supra note 77, at 344 (discussing the various types of harm that result from loss of control over personal data, “including dignitary harms; a chilling effect from law enforcement having too much control over individual expression; and circumstances that interfere with an individual’s ability to exercise freedoms or develop a sense of self-determination.”).

[95] See, e.g., Gunkel v. Renovations, Inc., 822 N.E.2d 150, 154 (Ind. 2005) (holding that economic losses are not recoverable in a tort action premised on the failure of a product or service to perform as expected unless the failure results in personal injury or physical harm to property other than the product; proper remedy sounds in contract).

[96] See Peters, supra note 59, at 1186 (discussing data breach cases dismissed on economic loss grounds).

[97] See id. at 1187 (discussing split of authority with regard to whether consumers have standing to bring suit in data breach cases).

[98] See, e.g., Remijas v. Nieman Marcus Group, LLC, 794 F.3d 688, 691–92 (7th Cir. 2015) (holding that standing requires a litigant to show a concrete injury that is causally linked to the defendants conduct and can be redressed by the court).

[99] See id.

[100] See Peters, supra note 59, at 1189–92 (collecting cases addressing standing and injury-in-fact in context of data breach litigation).

[101] See id.; see also Martecchini, supra note 91, at 1474 (noting that courts are divided on “whether increased risk of identity theft is an injury-in-fact sufficient to create standing…”).

[102] See Michael D. Simpson, All Your Data Are Belong to Us Consumer Data Breach Rights and Remedies in an Electronic Exchange Economy, 87 U. Colo. L. Rev. 669, 685–86 (2016) (discussing difficulties of applying common law tort theories to data breach cases).

[103] See Peters, supra note 59, at 1188 (“[I]f a person is the victim of two or more data breaches in which similar personal information is stolen and that information is not used until years later to harm her, it may be difficult for the victim to demonstrate which breach was the source of the information used.”); see also Newman, supra note 81, at 440 (“proving that a customer lost money due to a specific breach can be difficult.”).

[104] See Peters, supra note 59, at 1192–93.

[105] See generally Jeff John Roberts, This Court Ruling Just Made It Easier to Sue Companies That Get Hacked, Fortune (July 29, 2015, 7:00 PM),, archived at (discussing the hurdles victims of data breaches face when trying to sue).

[106] See Simpson, supra note 102, at 698 (observing that “the average consumer is essentially at the mercy of a breached entity’s largesse to gain any recompense for stolen data.”).

[107] See supra Part II; see also Martecchini, supra note 91, at 1473 (noting that while many businesses are implementing data protection plans, “many other businesses still remain in denial about the threat of data breaches, either failing to implement any data-security changes or making only nominal modifications.”).

[108] See Pierluigi Paganini, Preventing and Recovering From Cybercrime, Tripwire (Nov. 4, 2014),, archived at

[109] See Panko & Panko, supra note 19, at 92.

[110] See id.

[111] See id.

[112] See Paganini, supra note 108.

[113] See DC Metro Cyber Security Summit, The CyberWire (June 3, 2015),, archived at

[114] See, e.g., Panko & Panko, supra note 19, at 116–23 (discussing various forms of firewalls, their strengths, and their weaknesses).

[115] See id. at 124.

[116] See, e.g., Third Party Monitoring – Vendor Monitoring, ObserveIT,, archived at (last visited Sept. 23, 2016) (illustrating the monitoring services that a third party security company provides).

[117] See Paganini, supra note 108.

[118] See Verizon Report, supra note 21, at 17.

[119] Id. at 18.

[120] See generally Jerry Fitzgerald, Alan Dennis & Alexandra Durcikova, Business Data Communications and Networking 362 (11th ed. 2012) (noting that security policies should explain to employees how to control the risk of intrusion).

Co-Developing Drugs with Indigenous Communities: Lessons from Peruvian Law and the Ayahuasca Patent Dispute

Sem Publication Version PDF

Daniel S. Sem*

Cite as: Daniel S. Sem, Co-Developing Drugs with Indigenous Communities: Lessons from Peruvian Law and the Ayahuasca Patent Dispute, 23 Rich. J.L. & Tech. 1 (2016),

I.  Introduction

[1]       This paper will examine the issues surrounding the co-development of drugs derived from traditional medicines used by indigenous peoples in Amazonia, with a focus on Peru. In particular, this paper will explore what national, regional and international legal structures are in place to protect the interests of indigenous peoples, while at the same time providing medical benefit to the world. This issue is explored in the context of Peruvian, U.S., and international treaties – especially the TRIPS agreement, the Andean Community, sui generis protections, and the US-Peru Trade Promotion Agreement.

[2]       Commenters have noted that historically, drug development ventures based on traditional medical knowledge (TMK) from Amazonia had not been pursued in a manner that was fair and just to the indigenous peoples who owned this knowledge.[1] There are two pragmatic “fairness” considerations in the U.S.-Peruvian co-development of drugs derived from indigenous peoples in Amazonia, based on TMK.[2] First, any co-venture should identify the best legal structure(s) that protects the interests of researchers in both Peru and the United States, and the need to also protect the interests of indigenous peoples.[3]

[3]       Second, any co-venture should consider whether international pharmaceutical patent protection is inherently biased to protect drugs as defined in western (U.S.) medical practice, versus the traditional and historically-based practices of indigenous peoples.[4] There are potential problems for intellectual property (IP) protection, since medical treatments in traditional cultures are typically developed by groups over long periods of time, as opposed to the more rapid discovery by individual researchers or companies in the pharmaceutical industry. In the former situation, it may be impossible to patent a medical treatment if it has been “in use” for many years since prior public use can create novelty or obviousness bars to patenting.[5] Furthermore, most traditional medicines are mixtures of natural products (i.e., chemical compounds that are “products of nature”), comprised of two or more active chemical ingredients; whereas, drug discovery and development in the U.S. focuses on composition of matter patent protection for single chemical compounds. Additionally, most pharmaceutical companies will not develop drugs in the U.S., unless they can obtain composition of matter patent protection on single chemical compounds.

[4]       Given these differences in how medicines are developed and used in the U.S. versus Peru, coupled with different views of IP and TMK, what is the best IP protection and collaborative structure for co-development of medicines by pharmaceutical researchers in the U.S. and Peru, and traditional healers (shamans) in Amazonia? This paper explores the legal and cultural issues surrounding this question, then proposes solutions that build on existing legal structures and trends in the U.S. and Peru.

[5]       Section I of this paper introduces challenges associated with co-development of drugs by researchers, defines key terms and concepts, and provides an example of one TMK-based medicine used by Amazonian shamans. Section II presents an attempted drug development initiative where indigenous rights were ignored. This involved the attempted patenting in the U.S. of a traditional medicine from Amazonia, ayahuasca. Section III of this paper explores the various legal structures and treaties in Peru, the Andean region, and the U.S., as well as international treaties that pertain to intellectual property rights (IPR) of indigenous peoples, with respect to their general traditional knowledge (TK), and TMK in particular. Section IV builds on this background, and proposes a collaborative co-development research agreement that could be used by U.S. and Peruvian researchers who team up to discover and develop new medical treatments based on TMK. Such collaborations could be a tremendous new source of medicines.

[6]       As the pipeline of new medicines coming from the U.S. pharmaceutical industry is dwindling, research and development costs are increasing and productivity of the industry is decreasing.[6] These forces are converging to create intense market pressures, and perhaps more openness to explore new solutions to address the world’s medical needs.[7] These solutions will likely include academic researchers in the U.S. (and Europe) teaming up with researchers in Amazonia, to learn from their indigenous peoples.[8] Together, they can co-develop new medical treatments based on the TMK possessed by Amazonian shamans; but, this can only work efficiently and fairly if the interests of the collaborating research teams and of the indigenous peoples from which the TMK originates, are considered upfront and with equal weight.[9] This paper aims to facilitate that process.

          A.  What are Traditional Knowledge (TK) and Traditional Medical Knowledge (TMK)?

[7]       Traditional knowledge (TK) is defined by the World Intellectual Property Organization (WIPO) as “knowledge, know-how, skills and practices that are developed, sustained and passed on from generation to generation within a community, often forming part of its cultural or spiritual identity.”[10] Negotiations on an international legal instrument, developed by the WIPO Intergovernmental Committee (IGC), are focused on developing protections for TK, along with protections for Traditional Cultural Expressions and Genetic Resources. This paper will focus on identifying protective strategies for a subset of TK, with a focus on TMK.

[8]       Traditional Environmental Knowledge (TEK) is a subset of TK and the focus of western scientific fields such as ethnobotany and ethnomedicine.[11] Martha Johnson defined TEK as “…a body of knowledge built by a group of people through generations, living in close contact with nature. It includes a system of classification, a set of empirical observations about the local environment, and a system of self-management that governs resource use.”[12] TEK can be distinguished from western science in a number of ways, including that: (a) it is transmitted via oral tradition, (b) is holistic (versus reductionist), (c) is based on a view of social and spiritual connections between life forms, (d) views the natural elements as having a life force (infused with spirit), and (e) explains natural phenomena based on cumulative and collective experiences that are regularly validated and revised over time.[13] Thus, while TEK bears some resemblance to western scientific knowledge, it is also distinct in many ways.[14] TEK is especially relevant for this paper, since it is a source of TMK.

[9]       Traditional medical knowledge (TMK) is a type of TK that centers specifically on the knowledge of traditional healers in their use of plant-based medicines.[15] The World Health Organization (WHO) defines TMK as “the sum total of the knowledge, skills and practices based on the theories, beliefs and experiences indigenous to different cultures, whether explicable or not, used in the maintenance of health, as well as in the prevention, diagnosis, improvement or treatment of physical and mental illnesses.”[16] This paper focuses on the use and protection of TMK in Amazonia, with a focus on Peru.

          B.  TMK as a Source of New Medicines

[10]     The pharmaceutical industry benefits greatly from TMK. One estimate is that of the 119 plant-derived chemicals used in modern medicine, 74% have similar current uses as the medicinal plant from which the chemical was identified.[17] The market value of plant-derived medicines was estimated at over $15 billion in 1990, for United States pharmaceutical sales.[18] Amazonia, and Peru in particular, is an especially rich source of traditional medicines.[19] One of the most prominent and spiritually important traditional medicines to Peruvian shamans is ayahuasca.[20]

           C.  Peruvian TMK – Ayahuasca

[11]     Of particular fame and importance amongst shamans in Peru is the ayahuasca plant (Banisteripsis caapi),[21] of the plant family Malpighiaceae. Ayahuasca was discovered and introduced to the scientific community by Harvard biologist and “father of modern ethnobotany,” Richard Evans Schultes.[22] In the native Quechua language of Amazonia, ayahuasca means “vine of the soul.”[23] Ayahuasca is used by indigenous peoples in religious and healing ceremonies.[24] Shamans have used ayahuasca for centuries to treat various psychiatric disorders, which indigenous peoples sometime believed were associated with witchcraft.[25]

sem pic

Fig. 1. Picture of a live ayahuasca root (left panel), and a piece of the root sold in a Peruvian market (right panel).[26]


[12]     While available for purchase in markets (Fig. 1),[27] the use of ayahuasca is generally restricted to shamans or ayahuasqueros who possess valuable TMK, since they know best how to prepare it in a way that is safe and effective.[28] The ayahuasca plant (Banisteriopsis caapi) vine is mixed in defined ratios and manners with plants such as Psychotria viridis, then boiled.[29] Chemicals from both of these plants work synergistically to produce the desired effect. Specifically, “harmala alkaloid” molecules (Fig. 2)[30] in ayahuasca inhibit an enzyme called monoamine oxidase (MOA) – preventing the chemical breakdown of the active chemical present in the Psychotria viridis plant, dimethyltryptamine (DMT).[31] DMT produces the psychoactive effects of this traditional medicine by altering the activity in brain synapses of the serotonin receptors (Fig. 2).[32]


sem pic 2

Fig. 2. Active chemical components in ayahuasca teas used by shamans, with serotonin comparison.[33]


[13]     In cases where shamans develop and administer medical treatments based on TMK, and scientists later explain the molecular basis for that medical effect and identify the active chemical components, who is the inventor? This question, exemplified in the case of ayahuasca, is complicated.[34] While the shamans, as TMK practitioners, knew how these plants needed to be mixed to achieve the desired effect, scientists ultimately discovered the molecular reason for needing the mixture.[35] Indeed, scientists could extract the active chemical components, mix them in the correct ratio, and develop this as a drug – taken perhaps as a pill. Which is the greater discovery? Both are important, and certainly the shaman’s TMK is a “but for” cause of the scientific (i.e. molecular) discovery. It seems self-evident that the scientific discovery cannot and should not proceed to the benefit of others, without first considering the rights of the indigenous peoples who made the initial discovery.

[14]     By using TMK, Amazonian shamans uncovered a pharmacologically useful and valuable medical treatment from ayahuasca. This treatment exists only because of specific molecular level interactions. While these molecules might not be patentable subject matter (as products of nature)[36], combinations of molecules might be considered patentable subject matter, as composition of matter. Pharmaceutical companies will typically only develop a drug if composition of matter protection can be obtained. Thus, co-development of TMK-derived drugs poses a challenge to the IP community, in terms of how a useful medical treatment can be patented. It is possible to patent at the level of the plants used, the active chemical components extracted from the plants, or mixtures of those active chemical components.

[15]     TMK-derived drug development also challenges the international community to consider whether it is ethically permissible to allow this type of patenting. Is it right to allow researchers who discover the active molecular components, used in traditional medicines, to patent and then profit from their scientific discoveries, without returning benefit to the shamans? Can they patent them, or are there 35 U.S.C. §102 novelty (prior art) bars that prevent patenting, since shamans have been treating with traditional medicines, like ayahuasca, for centuries? These questions are addressed in Section III. While the scientists who discovered the active chemical components in ayahuasca made no attempt to patent their discovery, there was a significant controversy over an attempt to patent the ayahuasca plant itself.[37] It was after this ayahuasca patent dispute that significant changes to protect TK and TMK were implemented in Peru.


II.  A Case Study in Bioprospecting of TMK: Lessons from Ayahuasca

[16]     Despite the fact that ayahuasca use was in the shaman’s TMK toolbox for centuries, Loren Miller obtained a U.S. patent, Plant Patent No. 5,571 on the ayahuasca plant (Banisteriopsis caapi), which issued on June 17th, 1986 (Fig. 3).[38]


sem pic 3

Fig. 3. Patent on ayahuasca (Banisteriopsis caapi).[39]


[17]     Recognizing this as an exploitation of TK and TMK, in what is referred to as “bioprospecting,” David Downes and Glenn Wiser filed a request for re-examination.[40] Downs and Wiser were with the Center for International Environmental Law (CIEL), working on behalf of the Coordinating Body of Indigenous Organizations of the Amazon Basin (COICA) and the Amazon Coalition, on March 30, 1999.[41]

[18]     The Miller patent had a single claim, for “a new and distinct (cultivar) of the species Banisteriopsis caapi,” which Miller called “Da Vine.”[42] Downs and Wiser argued this claim was invalid on a number of legal theories, but especially based on prior art that included publications and plant specimen sheets, such as one listed as: “Plants of Cultivation: Banisteriopsis caapi, Accessioned Specimen Sheet, The University of Michigan Herbarium (mounted Jan. 5, 1981).”[43]

[19]     Wiser and Downes raised five arguments before the U.S. Patent and Trademark Office (PTO) as to why the Miller patent was not valid.[44] First, they claimed the existence of significant prior art, which should produce 35 U.S.C. §102 rejections.[45] Specifically, they argue that the plant Miller is patenting is not new and distinct, because it is “well described in the scientific literature and in the ‘traditional knowledge of indigenous peoples throughout Amazon.’”[46] Banisteriopsis caapi was described in herbarium specimens, as well as a number of more typical printed publications that discuss the medicinal and ceremonial use of ayahuasca.[47]

[20]     Second, Wiser and Downes argued that under the U.S. Patent Act one cannot patent plants if they “[are] found in an uncultivated state,” in the wild.[48] There is a statutory bar in 35 U.S.C. §161 that prevents patenting of plants found in the wild, and this should prevent patenting of Miller’s “Da Vine.” While Miller argues that “Da Vine” was only found in a garden (i.e. in a cultivated state), this was apparently not true. Banisteriopsis caapi is actually found throughout the Peruvian Amazon region.[49]

[21]     Downes and Wiser then make a third argument – one that has significant implications, since it also suggests a mechanism by which indigenous peoples might protect their plant-based TMK.[50] They argue that accession sheets of plants from herbarium collections can be categorized as prior art within the meaning of 35 U.S.C. §§ 102 and 103.[51]


sem pic 4

Fig. 4. Sample of a herbarium sheet from Cayetano University in Peru.[52]


[22]     The existence of such herbarium sheets should bar any future patenting of the plant that was preserved on the sheet.[53] While there may only be a single copy of the herbarium sheet, if it is accessible to the public, it may be considered prior art. In the same way that “a single catalogued thesis in one university library [constitutes] sufficient accessibility to those interested in the art exercising reasonable diligence,” is considered a printed publication, for purposes of a prior art rejection under 35 U.S.C. §102.[54] To serve as prior art, the herbarium sheets must be accessible and available to persons interested in the subject matter­–in this case medicinal plants associated with the TMK of Amazonian shamans. If this is true, then one way for indigenous peoples to prevent patenting of their medicinal plants is to make herbarium sheets containing dried plant specimens with written entries (e.g. describing the plant, where collected, date collected), such as that shown in Fig. 4 from the University of Cayetano in Peru.[55]

[23]     Downs and Wiser make a fourth argument, based more on a sense of social justice than on patent law.[56] They argue that the patent should be canceled because the plant (ayahuasca) has been used by indigenous peoples for hundreds of years, long before Miller considered patenting “Da Vine.”[57] Of course, the challenge from a patent perspective is that this use – part of an oral tradition – may not have been documented in any printed publication and U.S. patent law does not prevent patenting of subject matter that was simply “in use” in a foreign country (at least not before the 2013 America Invents Act [AIA]).[58] In an analogous situation, a U.S. patent for use of turmeric in wound healing (based on Indian TMK) was issued in 1995.[59] This patent was canceled because turmeric had actually been used for many generations by indigenous peoples in India for this same purpose, so the invention was not considered novel.[60]


[24]     Finally, Downs and Will argued that the Miller patent should not be allowed on moral and public policy grounds:

“… issuance of the Patent does not meet the public policy and morality aspects of the Patent Act, which preclude awarding a patent on a plant … that is sacred to indigenous peoples … and revered in their cultures for many generations … the PTO should not provide patent protection to a plant based on supposed medicinal characteristics that are well known in the systems of traditional knowledge of indigenous peoples … the PTO may and should decline to award intellectual property rights where their imposition would violate established moral, religious and cultural values.”[61]

[25]     While this moral argument is attractive, there is little support in U.S. patent law for an argument based on protection of “moral, religious and cultural values.”[62] U.S. patent law has no equivalent to the moral rights doctrine of copyright law. Although, a PTO Media Advisory statement[63] offers a glimmer of hope for moral grounds arguments – noting that courts had excluded inventions that are “injurious to the well-being, good policy, or good morals of society.”[64] Downs and Wiser argue that patenting plants like ayahuasca, which are used widely in religious ceremonies as part of indigenous peoples’ TMK, “offends religious and moral sensibilities” and “wrongly appropriates traditional knowledge of indigenous and local communities [and] may deprive its creators and conservators of incentives to preserve, develop and improve upon it.”[65] Perhaps because this moral sensibilities argument is not supported by U.S. patent law and associated legal precedent, the PTO ultimately based its decision to reject the Miller patent on other arguments presented by Downs and Wiser.[66]

[26]     After considering the request for reexamination and the various arguments presented by Downs and Wiser, the PTO responded by rejecting the Miller patent in a November 3, 1999 office action.[67] They did this in part based on a consideration of the herbarium specimen sheets as being “printed matter” that could serve as prior art, under §102(b).[68] One particular herbarium specimen that was identified as prior art was: “Plants of Cultivation: Banisteriopsis caapi, The University of Michigan Herbarium (mounted Jan. 5, 1981).”[69] This is significant precedent because it is the first such consideration of herbarium sheets as prior art. Thus, herbarium sheets like those in Fig. 4 could be used as a bar to prevent patenting of plants that are part of TMK, and a potential source of new drugs.[70] This result suggests one mechanism by which countries with indigenous populations might protect their plant-based TMK – by creating herbarium collections documenting the plants they use in traditional medicine. By rejecting the patent based on this narrow view only (i.e. §102, prior art), the PTO avoided the broader question of rejection based on public policy and morality grounds, which could potentially be associated with the Patent Act’s utility requirement, as noted in the Media Advisory statement.[71]


[27]     The “Da Vine” patent reexamination teaches three important lessons. First, one way to prevent biopiracy is to create “printed documents” that could serve as prior art, and therefore block the patenting of plant-based TMK. Second, one effective type of “printed document” that can be used for this purpose are collections of herbarium sheets that document the plants that are part of shamanic TMK. If indigenous peoples take this defensive move of creating herbarium sheets as prior art, they should be aware that this may also prevent them from patenting as well, either alone or as part of a collaborative drug co-development effort. Prior art creation is a protective tool that cuts both ways; so, it should be used with caution. Third, an argument based on the moral and social harm caused to indigenous peoples, while intuitively attractive, may not carry weight with the PTO due to lack of supporting legal precedent and statutory language.


III. Legal protections of TMK For Drug Co-Development in Peru

          A.  Peruvian, Bolivian and Ecuadoran Law

               a.  Constitutional Protections in Peru, Bolivia and Ecuador

[28]     While Peru does not directly protect indigenous rights, Chapter II, Article 68 of the Peruvian Constitution provides a related protection: “The State is obliged to promote the conservation of biological diversity, and protected natural areas.”[72] So, to the extent that TMK is associated with biological diversity (i.e. plant-based medicines), Peru has some relevant constitutional protection. In contrast, Bolivia and Ecuador’s more recent constitutions have more explicit protections for indigenous people’s TK, with several articles of the Bolivian Constitution excerpted below:

Article 42: The promotion of traditional medicine shall incorporate a registry of natural medicines and their active substances, as well as the protection of the associated knowledge as intellectual, historical and cultural property, and as patrimony of indigenous nations and peoples.

Article 100. The State shall protect knowledge by means of a registry of intellectual property that safeguards the intangible rights of indigenous nations and peoples…

Article 304. Indigenous autonomies have the following competences: … safeguard and register collective intellectual rights related to knowledge on genetic resources, traditional medicine and germplasm …[73]

[29]     The Bolivian Constitution is relatively new, having been approved only in 2009; and, it is a result of the 2005 election of Evo Morales, an Aymara coca peasant who fought for the rights of indigenous peoples.[74] Given its origins in a political movement focused on indigenous peoples, it can be viewed as a model for national protection of TK IP rights. While Bolivia and Ecuador are unique in having these protections at the constitutional level, their Constitutions may have value as persuasive legal authority for other Andean Community countries like Peru, and for any country that seeks to protect the TK and TMK of its indigenous peoples.

               b. Sui Generis Protections in Peru: Law No. 27811

[30]     While Peru does not protect TMK at the constitutional level, it does protect TK and TMK in its national legislation.[75] In particular, Peru passed Law No. 27811 in 2002, introducing a Protective Regime for the Collective Knowledge of Indigenous People Derived from Natural Resources. The objectives of Law No. 27811 are stated in Article 5:

(a) To promote respect for and the protection, preservation, wider application and development of the collective knowledge of indigenous peoples;

(b) To promote the fair and equitable distribution of the benefits derived from the use of that collective knowledge;

(c) To promote the use of the knowledge for the benefit of the indigenous peoples and mankind in general;

(d) To ensure that the use of the knowledge takes place with the prior informed consent of the indigenous peoples;

(e) To promote the strengthening and development of the potential of the indigenous peoples and of the machinery traditionally used by them to share and distribute collectively generated benefits under the terms of this regime;

(f) To avoid situations where patents are granted for inventions made or developed on the basis of collective knowledge of the indigenous peoples of Peru without any account being taken of that knowledge as prior art in the examination of the novelty and inventiveness of the said inventions.[76]

[31]     Noteworthy is the emphasis on informed consent and equitable sharing of benefits, along with specific protections for patents and other protections.[77]

[32]     The “Protective Regime for the Collective Knowledge of Indigenous People Derived from Natural Resources” (Law No. 27811) goes beyond the general objectives outlined in Article 5, to describe in detail how TK (and TMK) is to be protected. It explains the key considerations when intellectual property is to be licensed from indigenous peoples. In particular, if a third party is going to commercialize traditional knowledge (Article 7) it requires outside parties to sign license agreements to “ensure due reward for said access and … equitable distribution of the benefits … .”[78] A percentage of benefits (at least 10%) must go to the Fund for the Development of Indigenous Peoples (Article 8).[79] Thus, it ensures that the indigenous owners of TMK are duly rewarded, and benefits obtained in any drug co-development efforts are shared equitably. Furthermore, it explicitly points out that protected knowledge does not belong to individuals, but rather to groups of indigenous peoples.[80] That is, knowledge and discovery is “collective” (Article 10), in contrast to the individualistic approach that underlies U.S. patent law and, more generally, U.S. culture.[81]

[33]     The law goes on to describe how national registers of TK and TMK are to be created. Title VI describes the formation of registers of collective knowledge, with Article 15 explicitly creating three types of registers: (a) Local Registers of Collective Knowledge of Indigenous Peoples, (b) Private National Registers of Collective Knowledge of Indigenous Peoples, and (c) Public National Registers of Collective Knowledge of Indigenous Peoples.[82] Article 20 describes what type of information must be included in the registration of the TK and TMK into these registers.[83]

[34]     These three registers each serve unique and important purposes. The first, The Local Registers, are managed by indigenous peoples with assistance of the National Institute for the Protection of Competition and Intellectual Property (INDECOPI).[84] They serve the local needs of indigenous peoples, to enable sharing of their TMK with each other, and to provide a high level of access to and control of information by the local community. The second, the Private National Registers, are kept confidential, and contain what could be viewed as trade secrets.[85] These trade secrets could be licensed to third parties, if desired. The third, the Public National Registers, could serve the alternative purpose of providing prior art that will prevent the patenting of TMK by other countries (e.g. via 35 U.S.C. §102 in the U.S.).[86] Indeed, Article 23 specifically states that “INDECOPI shall send the information entered in the Public National Register to the main patent offices of the world in order that it may be treated as prior art in the examination of the novelty and inventiveness of patent applications.”[87] Thus, Peru has made a very explicit defensive move to prevent the patenting of its TK and TMK; this was a valuable lesson from the ayahuasca case above (section II), and is now institutionalized in national policy.[88] Interestingly, the recent passage of the U.S. AIA has obviated some of the need for this defensive strategy, since prior use (even if no printed publication exists) is now considered a bar in considering novelty or non-obviousness (inventiveness).[89] This is discussed in greater detail in section III(E).


[35]     The Private National Register contains TK and TMK trade secrets which could be of significant value to the world as a source of new medicines. To enable dissemination of this TMK, if desired, indigenous peoples can license their TMK to third parties, such as pharmaceutical companies. But, they must register the license according to the Article 26 “Compulsory written form for license contracts” requirements.[90] The contents of this contract are designed to protect the intellectual property rights (IPRs) of the indigenous owner, and are specified in Article 27:

(c) A statement of the compensation that the indigenous peoples receive for the use of their collective knowledge; such compensation shall include an initial monetary or other equivalent payment for its sustainable development, and a percentage … of the gross sales resulting from the marketing of the goods developed …;

(d) The provision of sufficient information on the purposes, risks and implications of the said activity … ;

(e) The obligation on the licensee to inform the licensor periodically … of progress in the research on and industrialization and marketing of the goods developed …;

(f) The obligation on the licensee to contribute to the improvement of the ability of the indigenous peoples to make use of the collective knowledge …[91]

[36]     A “toolkit” to assist in compliance with this licensing process is available from WIPO.[92] The required elements of a TMK license contract are designed to protect the interests and rights of the indigenous owners, and should be considered in the preparation of any drug co-development research agreements between Peruvian researchers and their U.S. or other foreign collaborators.[93]

          B.  U.S.-Peru Trade Promotion Agreement (TPA)

[37]     Beyond the scope of TRIPS (Trade Related Aspect of Intellectual Property) standards, the U.S.–with WTO (World Trade Organization) enforcement (as described in Section III(D))[94]–has also pursued bi-lateral trade agreements with individual countries, typically seeking higher IPR standards.[95] Such bi-lateral agreements often lead to less protection for TK, so are often conceded to by developing countries only because of the other benefits they receive. While the end result may provide broader benefits to the government that signs, such bi-lateral agreements – and the associated concessions that are made – can anger indigenous groups and their representatives. This appears to have been the case in Peru as well.

[38]     The U.S. and Peru signed the Trade Promotion Agreement (TPA) in 2006.[96] Within the TPA is a benefit to the so-called Andean Community countries (Bolivia, Peru, Ecuador, Columbia)[97], via the Andean Trade Protection Act (ATPA). This benefit to the Andean Community countries required that IPRs be protected adequately under WTO, as specified by TRIPS standards. Peru signed various amendments on Dec. 21st, 2008, to permit compliance with the TPA with the U.S. These changes generally strengthened IP, and weakened protections of TK, TMK and biodiversity, against patenting and bioprospecting.[98] At about this same time (Dec. 31st, 2008), likely in reaction to signing of the TPA, the local government in Cusco released an executive order to “protect traditional knowledge, practices and innovations of local communities.”[99] This protection included a requirement to use “informed consent, compulsory benefit sharing and the right of communities to say no to bioprospecting.” [100] Furthermore, any bioprospecting requires a permit, and the government will monitor such activities to protect the interests of local communities.[101] These protections of TK and TMK are in keeping with the Article 5 priorities outlined in Peru’s sui generis protection (described above, in section III(A)(b)), and are consistent with the Constitutional IPR protections provided in Bolivia (described in section III(A)(a)).[102]


[39]     Importantly, the TPA with the U.S. included an “Understanding Regarding Biodiversity and Traditional Knowledge,” in an effort to provide some protection of TK and TMK.[103]   The Understanding stated:

The Parties recognize the importance of traditional knowledge … to cultural, economic, and social development. The Parties recognize the importance of the following: (1) obtaining informed consent from the appropriate authority prior to accessing genetic resources under the control of such authority; (2) equitably sharing the benefits arising from the use of traditional knowledge and genetic resources; and (3) promoting quality patent examination to ensure the conditions of patentability are satisfied …

Each Party shall endeavor to seek ways to share information that may have a bearing on the patentability of inventions based on traditional knowledge or genetic resources by providing:

(a) publicly accessible databases that contain relevant information; and

(b) an opportunity to cite, in writing, to the appropriate examining authority prior art that may have a bearing on patentability. [104]

[40]     While the Understanding does not oblige each country or its nationals to undertake specific actions in relationship to TMK, the Understanding’s basic recognition of TMK sets an important precedent. Previously, the U.S. had felt that TK and TMK protections should be secured through the WIPO; but, the Andean Community countries – operating as a regional group with enhanced political bargaining power – were successful in getting this Understanding added to the TPA.[105] This Understanding can hopefully serve as a starting point and model for how the IPRs of indigenous peoples can and should be protected in trade agreements, as well as in other contexts. Noteworthy is its emphasis on informed consent, sharing of benefits, assistance in obtaining patents, and use of TK databases.[106] These are also key elements in regional regulations for the Andean Community, described in the next section.


          C.  Regional Protections: The Andean Community Intellectual Property Regime

[41]     The Andean Community is an agreement that was signed in 1969, and currently includes Peru, Bolivia, Ecuador and Columbia (Venezuela withdrew in 2006 when Peru signed the Free Trade Agreement (FTA) with the U.S.).[107] The Andean Community has generated a number of supranational institutions, including the “Commission of national executives, a General Secretariat of regional administrators, and a Tribunal of Justice (the ATJ or the Andean Tribunal).”[108]

[42]     This Andean Community has had its most significant successes in the realm of protecting intellectual property (96% of rulings relate to IP), developing supranational laws called “Decisions” to regulate patents, trademarks and copyrights.[109] Andean IP Decisions are adopted at the national level by member states. Then they are interpreted in national courts, administrative agencies in member states, or by the ATJ.[110]

[43]     The Andean governments have used the political clout afforded to them, via participation in the Andean Community, to facilitate incorporation of normally optional TRIPS “flexibilities” as obligatory features of Andean law.[111] To this end, “member states made a collective decision to capitalize on TRIPS’ flexibilities as a way to promote public health,” and to resist pressure from stronger international forces, like pharmaceutical companies from the United States.[112] In effect, membership in the Andean Community gives strength to individual countries, by virtue of their banding together, to enforce what are sometimes optional and yet advantageous TRIPS features. This enhanced bargaining power plays a central role in securing TK and TMK protections for indigenous peoples, as in the U.S.-Peru TPA agreement discussed above.

[44]     As a complement to regional treaties, local laws can provide additional protections – as Cusco had pursued in parallel with Peru’s signing of the U.S.-Peru TPA.[113] As discussed above, the signing of this international agreement (the TPA) by Peru was closely linked to complementary and compensatory initiatives at the local (Cusco) and regional (Andean Community) levels, which ultimately led to stronger TK and TMK protections. Accordingly, any drug co-development initiative with Peru must recognize the complementary TMK protections that have been created at the local, national, regional, and international levels.

          D.  International Treaties: Role of UN, TRIPS, WTO and WIPO

[45]     International protections for indigenous IPRs go beyond bi-lateral agreements like the TPA. Although they are not a focus of this paper, since regional and bi-lateral agreements are usually compliant with and more specific than the international treaties. Nonetheless, a brief overview of key international treaties and agreements will be presented. One such agreement is the United Nations (UN) Convention on Biological Diversity.[114] This agreement protects TK, which is related to biological diversity, and encourages sharing of the benefits of that knowledge. Article 8(j) of the Convention provides that each Party shall:

[s]ubject to its national legislation, respect, preserve and maintain knowledge, innovations and practices of indigenous and local communities embodying traditional lifestyles relevant for the conservation and sustainable use of biological diversity and promote their wider application with the approval and involvement of the holders of such knowledge, innovations and practices and encourage the equitable sharing of the benefits arising from the utilization of such knowledge, innovations and practices.[115]

[46]     The emphasis on preservation of TK is noteworthy, promoting the wider application of the TK and the sharing of benefits obtained through the use of the TK. More broadly, the Convention on Biological Diversity focuses on protecting biological diversity in the context of other goals such as the need for medicines.[116] The treaty has importance for bioprospecting, as well as collaborative research between countries involving natural products and TMK.

[47]     The Trade Related Aspects of IP (TRIPS) agreement is an international treaty that seeks to harmonize IP laws between member countries while still honoring and respecting national laws and sovereignty.[117] TRIPS is the most extensive multinational agreement on IP and covers patents, trademarks, copyrights, and trade secrets.[118] But TRIPS has not provided significant protections for TMK (beyond certain “flexibilities”), since the interests of developing nations must often yield to those of more powerful developed countries (and opt-out of the “flexibilities”).[119] The World Trade Organization (WTO) requires TRIPS ratification for membership. So it is not uncommon for developing countries to make undesired concessions regarding IP rights (defined in TRIPS), in order to secure the trade benefits they desire.[120] Counteracting this pressure is the strength that regional alliances, like the Andean Community, provide so that TMK protections can be obtained (e.g. making TRIPS “flexibilities” mandatory in member countries).[121]

[48]     Both Peru and the United States are members of TRIPS. Membership in TRIPS requires compliance with earlier IP treaties and conventions, including WIPO, the Paris Convention for the Protection of Industrial Property (Paris Convention),[122] and the Berne Convention for the Protection of Literary and Artistic Works (Berne Convention).[123] While TRIPS provides the underlying IP principals, enforcement typically occurs within member states and disputes are handled by the World Trade Organization (WTO).[124] Since any IPR agreement or treaty developed by or between Peru and the U.S. must be compliant with TRIPS, the agreements and treaties with greatest impact on drug co-development between researchers in Peru and the U.S. are the bi-lateral, regional and national agreements discussed in sections III A-C.


          E.  Changes in U.S. Patent Law: the America Invents Act (AIA)

[49]     What effect do the America Invents Act (AIA) changes to U.S. patent law have on protections of indigenous IPR?[125] Under the old 35 U.S.C. §102, if TMK was “in use” for hundreds of years by shamans in Peru but never recorded in a printed publication, then there would be no prior art bar to patenting in the U.S. This would seem to enable biopiracy of TMK in an undesirable way. Prior to March 16th, 2013 (when the AIA went into effect), U.S. patent law did not recognize TK and TMK as prior art if it was only “in use” in a foreign country.[126] Indeed, the Patent Act of 1952 would have permitted patenting of an invention based on long-held TMK (as long as it was undocumented) based on the previous version of 35 U.S.C. §102 (key elements underlined):

A person shall be entitled to a patent unless –

(a) the invention was known or used by others in this country, or patented or described in a printed publication in this or a foreign country, before the invention thereof by the applicant for patent, or

(b) the invention was patented or described in a printed publication in this or a foreign country or in public use or on sale in this country, more than one year prior to the date of the application for patent in the United States.[127]

[50]     According to the plain language of the statute, while an invention may have been used in the country of origin (e.g. Peru), 35 U.S.C. §102 will only prevent patenting of inventions that were in use in the U.S. or described in a printed publication anywhere.[128] Thus, when the University of Mississippi Medical Center tried to patent turmeric for healing wounds, they were not prevented from patenting simply because turmeric was widely used for that purpose in India.[129] Rather, what led to the patent being revoked was the appearance of this use of turmeric in printed publications.[130] Likewise, even though ayahuasca had been used for centuries by Amazonian shamans (i.e. been “in use”), this did not produce a 35 U.S.C. §102 prior art rejection (see section II). Rather, the rejection of the Miller patent on ayahuasca was based on the presence of herbarium sheets that described the ayahuasca plant.[131] Indeed, this is a significant reason why countries like Peru are documenting the plants associated with their TMK in registries and using herbarium sheets. One of the objectives of Peru’s sui generis protections (section III(A)(b)) is to ensuring that foreign bioprospectors are barred from patenting due to the existence of this prior art.[132] But the situation has changed under AIA, where the new language of 35 U.S.C. §102 is:

(a) A person shall be entitled to a patent unless:

(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention;[133]

[51]     Notably, now 35 U.S.C. §102 considers “public use … or otherwise available” anywhere (in foreign countries and in the U.S.) as creating a prior art bar to patenting.[134] Thus, under the AIA, the need for countries to maintain registries and herbarium sheets of plants used in TMK is lessened, as long as they have other means to establish that the plant and/or TMK had been “in use … or otherwise available.”[135]   This is a significant step forward in the prevention of biopiracy, and the protection of TK and TMK.


IV.  Model For U.S.-Peru Collaborative Drug Development

          A.  Building on Current IPR Protections for TMK in Peru

               a.  Key Elements of TMK Protections to Include in Research Agreements Involving Indigenous Communities

[52]     Constitutional protections of TMK in Peru are limited to “conservation of biological diversity,” which includes plant-based medicines.[136] Bolivia, a member of the Andean Community along with Peru, has constitutional protections (see section III(A)(a)) that go further to explicitly ensure “promotion of traditional medicine” by mandating a “registry of natural medicines and of their curative properties … as well as the protection of their knowledge as intellectual … property … of nations and indigenous peoples.”[137] This theme of protecting TMK in registries and protecting it as the IP of indigenous peoples, is also manifested in Peru’s sui generis protections (see section III(A(b))).

[53]     Peruvian sui generis protections emphasize creation of databases of TMK, both public (as a defense against foreign patents) and private (as a source of licensable trade secrets). Other elements of the sui generis protections include: (a) promotion of respect, preservation, and wider application of TMK, (b) promotion of the use of TMK to benefit the “indigenous peoples and mankind in general,” (c) freedom to license TMK (with state oversight; to be registered using the WIPO “toolkit”), (d) release of TMK only with informed consent of the indigenous owners, based on full disclosure of risks and benefits, (e) equitable sharing of benefits derived from the use of TMK (including >10% for the Fund for Development of Indigenous People), and (f) a desire to prevent patenting of indigenous peoples’ TMK by others.[138] These elements and priorities should be addressed in any collaborative research agreement between research scientists in Peru and foreign collaborators seeking to co-develop drugs derived from TMK. Significantly, all of these elements fall under the broader umbrella of the U.S.-Peru TPA (e.g. informed consent; equitable sharing of benefits). So, there is a strong foundation for including them in collaborative agreements between U.S. and Peruvian researchers.[139]

               b.  Defensive Strategy to Protect TMK – Creation of Public Databases of TMK as Prior Art

[54]     One of the key elements in the Bolivian Constitutional protections and the Peruvian sui generis protections is the creation of public databases of TMK. The stated purpose of these databases is, in part, to create prior art that prevents others from patenting – without permission – the TMK that belongs to indigenous peoples.[140] The need for and value of such databases is illustrated within the ayahuasca patent dispute described in section II. While post AIA changes in U.S. patent law lessened the need for such databases, they still provide a clear demonstration of what TMK was “in use or otherwise available.” This serves the stated goal of providing a strong defense against uninvited and undesired foreign patents, like the Miller “Da Vine” patent. Such patents could exploit the TMK of indigenous peoples, without equitable sharing of the benefits derived from that TMK and without informed consent.

[55]    It is important to point out that this defensive use of databases as prior art can have undesired consequences if the indigenous peoples ever want to patent their own TMK. A key element of the indigenous peoples’ TMK protections (sections III(A)(b) and IV(A)(a)) was a desire to benefit “indigenous peoples and mankind in general” and to permit – with informed consent – licensing of TMK-based discoveries in a co-development initiative.[141] But, pharmaceutical companies will not develop a drug if they cannot obtain composition of matter patent protection. Therefore, the inability to patent TMK-derived medicines – or active substances derived from them – prevents any co-development of drugs.

[56]     The most likely patentable subject matter in a drug co-development collaboration, since the plant cannot be patented (i.e. as TMK, it has already been “in use”), are the extracted chemical substances – or combinations thereof. For example, the ayahuasca plant could not have been patented under AIA, even if there were no “printed documents” describing it, since it was already “in use” by shamans. But, the active ingredients shown in Fig. 2, mixing in the ratios needed to obtain clinical effect, might have been patentable as composition of matter (ignoring for now any potential § 101 issues because they are “products of nature”).[142] In this regard, the registry suggested in the Bolivian Constitution seems to anticipate the patenting of active substances (like those in Fig. 2) since it suggests adding “active substances” to the registry.[143] This would enlarge the prior art shield beyond plants, to include the active components contained in the plants.

[57]     While the inclusion of active chemical substances in national registries might prevent undesirable patenting by foreign bioprospectors, it would also prevent desired patenting by Amazonian researchers seeking to develop or co-develop drugs derived from TMK. This is unfortunate, since there may be situations where an Amazonian research scientist may want to co-develop a drug derived from TMK, but now will not be able to do so. The irony of pharmaceutical development is that no matter how noble one’s intentions are (e.g. to “benefit mankind”), a strong patent position is needed so that a company financing the drug development can at least recoup its significant investment, often estimated to be in excess of $1 billion.[144] How can the stated goal of using TMK to benefit mankind be achieved, if there is no way to finance the clinical trials that are required as part of drug co-development? This should be considered when Andean countries decide to pursue registries as a source of prior art; and, it is a reason to consider keeping chemical structures of active substances in private rather than public registries.

               c.  Trade Secrets – Private Databases of Licensable TMK

[58]     The above dilemma is largely solved by using private rather than public databases of TMK, so that the ability to patent is not lost. For this reason, and in light of the recent passage of AIA, the private database should be considered the preferred strategy for protecting the IPR of indigenous peoples. It is preferred because it leaves open the option to license their TMK-based IP if and when it is desired, as part of a license agreement. Such an agreement would of course only be executed with informed consent and the promise of equitable sharing of benefits. Although, given that TMK is typically already “in use,” it is questionable whether – under AIA – it will ever be possible to patent TMK-based treatments again. But, combinations of active chemical substances, like those in Fig. 2, may still be patentable; so, that type of information should be kept private, if indigenous peoples may ever want to patent and/or license this valuable TMK-derived knowledge.[145] It is these active chemical substances, and strategic combinations thereof, that may be the only patentable subject matter based on TMK. It is this IP that is most likely to be the topic of drug co-development projects. And, it is in enabling these drug co-development projects, eventually involving a pharmaceutical company that demands composition of matter patent protection, that the lofty goal of benefiting mankind with TMK can be best achieved.

               d.  Strategies to Obtain Composition of Matter Patent Protection for TMK-derived Drugs

[59]     Given the stated desire to benefit the world with TMK, and to – in some cases – license TMK, there may be times when indigenous peoples, in collaboration with academic researchers in Peru and abroad, would want to patent TMK-related inventions, including active substances.[146] Is it possible that the active chemical substances extracted from these plants – the “drugs” – may be patented as composition of matter (e.g. see Fig. 2)? Naturally occurring chemicals (aka “natural products”) are not patentable subject matter under 35 U.S.C § 101 if those chemicals are considered “products of nature.”[147] Thus, the answer to this question is, or was, thought to be no. In general natural products are not thought to be patentable, unless there is some unique manmade combination of natural products that is useful in an unanticipated way; and, that combination may be patentable as composition of matter.[148]

[60]     But, the definition of a “product of nature” may be changing in a way that could open the door to patenting natural products. While an early case decided by Justice Learned Hand allowed patenting of adrenalin[149], a purified natural product with clinical value, there has not been subsequent case law to support patenting of natural products simply because they have been purified.[150] This may change, as the U.S. Supreme Court recently clarified what molecules fall under the “product of nature” exclusion, in Ass’n for Molecular Biology v. Myriad.[151] In this case, Myriad identified mutated genes (BRCA1 and BRCA2) associated with breast cancer, and sought to patent this for use as a breast cancer diagnostic.[152] The issue is whether purified naturally occurring deoxyribonucleic acid (DNA) segments are patentable subject matter, or whether they are excluded as a product of nature under 35 U.S.C. § 101. Justice Thomas, speaking for the majority, held that purified DNA was naturally occurring, and therefore could not become “patent eligible under § 101 simply because they have been isolated.”[153] In contrast, complementary DNA (cDNA) that was synthesized in the laboratory based on that same DNA sequence was not considered naturally occurring, so was not excluded as patentable subject matter; and, therefore, was not considered a product of nature.[154] This is because cDNA is prepared synthetically in the laboratory, and because it differs from naturally occurring genomic DNA (gDNA) in that it has noncoding DNA segments (called “introns”) removed, making it distinct from gDNA.[155]


[61]     Myriad teaches that naturally occurring molecules like gDNA (and by analogy, the ayahuasca active substances in Fig. 2) cannot be patented, because they are simply purified products of nature. But, if the chemical substance that is a product of nature is synthesized in a laboratory, and modified in a routine manner that makes it distinct from its naturally occurring form, then the molecule is no longer excluded as patentable subject matter.[156] By analogy, one would only need to synthesize and make routine modifications to the molecules shown in Fig. 2, to be able avoid the product of nature exclusion. This is a significant change in IP law surrounding natural products, and may increase the interest of pharmaceutical companies in the pursuit of such molecules as drugs.

[62]     It remains to be seen whether the post-Myriad broadened definition of “product of nature” will extend to natural products, like the active chemical substances from ayahuasca (Fig. 2); and, if it does, what will be the nature of the routine modifications (if any) that are needed. It is possible that copies of plant-derived molecules, which are synthesized in the laboratory by chemists, will be considered patentable as composition of matter under 35 U.S.C. § 101, just as the manmade cDNA copy of gDNA was found to be patentable in Myriad. It might be argued that the cDNA molecule is more than simply a manmade copy of the naturally occurring gDNA molecule, because it has been modified by removal of introns.[157] But, intron removal is a trivial and routine change that is inspired by what nature does anyhow (introns are removed in making mRNA).[158] It cannot be considered a novel or inventive modification to the naturally occurring gDNA molecule; although, admittedly, novelty and inventiveness do not have direct bearing on this § 101 question. Myriad seems to indicate that one can patent a synthetic copy of a naturally occurring molecule, if a routine modification is made.[159] The key point is that the molecule does not occur in nature.[160] Applying this new test to other natural products, like the active substances in Fig. 2, there are a number of foreseeable routine chemical changes that would make the molecule chemically distinct. A non-exclusive list of possibilities is provided here:


  1. Synthesize chemical variants that have isotopic substitutions, such as replacing hydrogen atoms with deuterium atoms. This is a commonly used chemical substitution in drug design.[161]
  2. Convert the basic amine to HCl or other salts. This is also a routine change to the naturally occurring molecules, and often has utility for increasing drug bioavailability.[162]
  3. Make a simple chemical modification, such as acetylation of amines or alcohols (g. with acetic anhydride).[163] This type of modification is what led to drugs like aspirin (acetylated salicylic acid, from willow tree bark) and heroin (acetylated morphine, from opium).[164]

[63]     All of the above chemical modifications are routinely used in drug development, so do not represent novel techniques or changes. But, they are analogous to and at least as novel as the changes made and techniques used in going from gDNA or mRNA to cDNA.[165] The latter techniques are performed so routinely that scientists can purchase kits to perform the production of cDNA from mRNA.[166] Thus, it seems that Myriad has opened the door to patenting natural products, after small and even routine chemical structure changes are made.

[64]     If natural products (after routine chemical alteration) can be patented as composition of matter, this would increase the pharmaceutical industry’s interest in pursuing natural products as drugs. This would open the door to more patenting of drugs derived from TMK in co-development initiatives. This could lead to significant revenue generation (to be shared equitably with indigenous peoples) and to medical benefits for the rest of the world.

[65]     Even if individual plant-derived molecules (after modification) cannot be patented as easily as just described, combinations like those shown in Fig. 2 could be patentable.[167] Indeed, combinations of active substances are central to how many traditional medicines, like ayahuasca, work (see section II). This is a distinguishing feature of traditional medicines relative to western medicine.[168] Only the shaman, based on TMK, knows which combinations of plants will produce the desired therapeutic effect. Then, the chemist can build on this TMK to identify which combinations of purified active chemical substances extracted from those plants are needed to reproduce these clinical effects. This combination, discoverable only through a collaborative co-development effort between indigenous peoples and scientific researchers, could then be patented.[169]

[66]     In summary, indigenous peoples should consider the value of composition of matter patent protection, if they hope to reap the full benefit of their TMK for themselves and the world. Recent developments in U.S. patent law suggest new strategies to obtain composition of matter protection to increase the value of indigenous peoples’ TMK to a potential drug co-development partner from the pharmaceutical industry.


          e.  Proposed Structure for a Drug Co-Development Research Agreement

[67]     In the interest of transparency and ensuring that the interests of all parties are considered, it is advisable that drug co-development projects between Peruvian and U.S. researchers execute a research agreement when working with indigenous peoples. Such an agreement should build upon the above legal protections for TMK (section IV(A)(a)), and be consistent with regional and international laws. A sample agreement is provided below:[170]


(Sample) TMK-Based Drug Co-Development Research Agreement

[68]     This research and drug co-development agreement (“Agreement”) is made by and among the following collaborating parties (“Parties”): Indigenous Peoples Representative (“Party 1”), Peruvian Research Team Representative (“Party 2”), and U.S. Research Team Representative (“Party 3”).


[69]     “TMK” means traditional medical knowledge: “knowledge, know-how, skills and practices that are developed, sustained and passed on from generation to generation within a community, often forming part of its cultural or spiritual identity.”[171]

[70]     INDECOPI” means National Institute for the Protection of Competition and Intellectual Property: an organization that manages the Local, National and Public Registers of Collective Knowledge of Indigenous Peoples.[172]

[71]     “TPA” means The U.S.-Peru Trade Promotion Agreement, the agreement between the U.S. and Peru that governs trade, but also includes the “Understanding Regarding Biodiversity and Traditional Knowledge.”[173]

[72]     “Indigenous Peoples” means “aboriginal peoples holding rights that existed prior to the formation of the Peruvian State, maintaining a culture of their own, occupying a specific territorial area and recognizing themselves as such. These include peoples in voluntary isolation or with which contact has not been made, and also rural and native communities.”[174]

[73]     “Informed Consent” means authorization given under this protection regime, by the representative organization of the indigenous peoples possessing collective knowledge and in accordance with provisions recognized by them, for the conduct of a particular activity that entails access to and use of the said collective knowledge, subject to the provision of sufficient information on the purposes, risks or implications of the said activity, including any uses that might be made of the knowledge, and where applicable on its value.[175]

[74]     “CDA” means confidential disclosure agreement.


[75]     WHEREAS, the Parties share a common interest in developing drugs derived from TMK;

[76]     WHEREAS, the Parties share a desire to see TMK and associated intellectual property rights (IPRs) protected, yet also benefiting the world;

[77]     WHEREAS, the Parties agree to equitably share financial and other benefits that could result from this collaboration;

[78]     WHEREAS, the Parties agree to show mutual respect for each other’s governing laws, customs and values;

[79]     WHEREAS, the Parties agree that TMK is owned by Indigenous Peoples, and any development and patenting of drugs derived from TMK will only occur with permission that is be granted by Party 1, after being fully informed of all relevant risks and benefits via Informed Consent;

[80]     WHEREAS, Parties 1 and 2 agree to collaboratively pursue studies directed to identifying the active chemical component(s) derived from TMK-based plants, which are responsible for desirable medical effects;

[81]     WHEREAS, the Parties agree to negotiate in good faith any license agreements for TMK and TMK-derived patents, including composition of matter patents on active chemical substances;

[82]     NOW, IT IS THEREFORE RESOLVED, in consideration of the forgoing, that the parties hereby agree to the following:

[83]     1. Purpose and Scope

The Parties recognize that Amazonian TMK is a rich source of useful medical treatments that have been collectively developed over many years, and is owned by the Indigenous Peoples which Party 1 represents. Parties are mutually committed to the promotion of respect, preservation and wider application of TMK, as well as the use of TMK to benefit Indigenous Peoples, and mankind in general. Such benefits include the development and dissemination of new and better medical treatments. Benefits may also be financial, based on revenue generated from sales drugs and/or licensing of IP based on development of TMK-based medicines. Such development is only to be pursued according to the other sections of this agreement, which emphasis equitable sharing of benefits, and Informed Consent (Appendix A) from Party 1, before developing TMK-derived drugs.

The research and drug co-development team shall engage in activities that include biological demonstration of safety and efficacy of TMK-derived treatments, including plant extracts that are prepared by Party 1. Activities performed by Parties 2 and 3 may also include purification and chemical characterization of the active chemical components present in TMK-derived treatments. This may be followed by chemical synthesis of these active chemical components, and demonstration of their biological safety and efficacy, alone and in combinations. Parties 2 and 3 agree to keep Party1 informed of significant developments in these studies, and to seek the Informed Consent (Appendix A) of Party 1 before filing patent applications on composition of matter identified in these studies. Likewise, Parties 2 and 3 agree to enter these chemical structures into Peru’s National Registries for TK. If a decision is made to patent the composition of matter, submission will only be made to the private registry (until the patent publishes). If Party 1 decides to keep the chemical structure information as a trade secret, Parties 2 and 3 agree to honor this request, subject to §2 of this agreement.


[84]     2. Decision-making

Party 1 agrees to develop governance procedures that ensure they are representing the broader interests of the Indigenous Peoples that own the TMK which is the topic of this research and drug co-development collaboration. Party 1 has the sole power to decide if chemical structures of active substances, derived from plant extracts, are to be: (a) kept as trade secrets, (b) the subject of a patent application, or (c) entered in the National Public Registry of Collective Knowledge of Indigenous Peoples. Party 1 agrees to not unreasonably withhold permission to patent; and, if both Parties 2 and 3 wish to file a patent application, but Party 1 refuses, Parties 2 and 3 may appeal the decision to an appellate body that has previously been chosen by the Indigenous People who Party 1 represents. Other project decisions, which do not directly relate to IPRs, will be made by majority vote of the three representatives.


[85]     3. Confidential Information

Parties agree to sign a CDA (Appendix B) to protect all confidential information that is shared or developed in this collaboration. Such information may include TMK-related trade secrets of Party 1, including those that are kept in the National Private Register of Collective Knowledge of Indigenous Peoples. Parties agree to not publicly disclose chemical structures that are identified during this collaborative co-development initiative, without unanimous agreement by all three representatives. Likewise, Parties 2 and 3 agree to not publicly disclose trade secrets that have been revealed to them by Party 1, unless Party 1 grants permission to do so.

[86]     4. Intellectual Property (IP)

Parties 2 and 3 agree that all TMK-related trade secrets that pre-date this agreement, including those that were previously entered into the National Private Registry of Collective Knowledge of Indigenous Peoples, are property of Party 1. Such trade secrets will be revealed and/or licensed at the discretion of Part 1. Parties 2 and 3 will not patent any TMK-derived invention without first obtaining permission from Party 1, and this permission is to be granted only after Party 1 has signed the Informed Consent document in Appendix A that outlines all significant risks and benefits.

The IP that is most likely to result from this collaborative co-development initiative includes chemical structures of active substances that are purified from plant extracts of TMK-based therapies. These chemical structures will be protected via composition of matter patents or trade secrets or, at the discretion of Party 1, publicly released via the Public National Register of Collective Knowledge of Indigenous Peoples, in order to create prior art that prevents patenting by other parties (subject to § 3 of this agreement). Parties will work with INDECOPI to enter TMK-derived information into the National Registers of Collective Knowledge of Indigenous Peoples, including chemical structures.


[87]     5. Licensing of TMK and TMK-derived Intellectual Property

Since Parties share an interest in benefiting the world based on TMK-derived therapies, and associated discoveries, and since drug development is extremely expensive, it may become necessary to license IP to an external partner. Such an external partner would typically be a pharmaceutical or biotechnology company that has the resources and experience needed to develop drugs that result from this collaboration. Such arrangements typically require that the composition of matter patent protecting the drug lead molecule be licensed to them; and, it is expected that the pharmaceutical partner and Parties would negotiate a revenue sharing arrangement that could include upfront financial payments, payments upon achievement of certain milestone events (e.g. completion of different phases of clinical trials), and royalties on net or gross profits from drug sales, once the drug is approved by appropriate regulatory agencies, such as the Food and Drug Administration in the U.S.

Parties agree to negotiate in good faith an agreement that equitably shares benefits between all three groups, and will be defined in detail in the license agreement (Appendix C). Such an agreement might include an equal sharing of revenues between all three groups, although other arrangements could be negotiated. In negotiating terms, Parties agree to consider and honor existing legal structures, such as those associated with the TPA, the Andean Community, and the sui generis protections in Peru (esp. Law No. 27811).[176] Accordingly, Parties agree that the license agreement will be prepared, executed and properly recorded using the WIPO “toolkit”[177]. Any license agreement will ensure equitable sharing of benefits derived from the use of TMK, including >10% of revenues provided to the Fund for Development of Indigenous People, before distribution to the three groups that comprise the Parties.[178] Such an agreement will only be executed after Party 1 has been made aware, via Informed Consent (Appendix A), of all the risks and benefits associated with pursuit of the license agreement (Appendix C). Any license agreement that is executed, even those which are categorized as “exclusive,” will provide an exception for the Indigenous People that Party 1 represents, to ensure that they will be able to continue to use their TMK as they had before the license agreement was executed.


[88]     Appendices: (A) Informed consent form, (B) Confidential disclosure agreement (CDA), (C) Draft license agreement.

V.  Conclusion

[89]     The TMK underlying medical treatments used by indigenous peoples has great value to their communities and may also have great untapped value for the rest of the world. The goal of the collaborative drug development projects described herein, involving researchers in the U.S. and Peru, is to extend the benefits of TMK to the rest of the world, while respecting the IPR of the indigenous peoples from whom TMK-based discoveries may be derived. Of particular importance is ensuring equitable sharing of any future benefits of drug co-development successes with the indigenous peoples, and making sure all decisions are made based on informed consent that fully discloses all material risks and benefits.

[90]     A model example of a TMK-based medicine is ayahuasca (Fig. 1).[179] For ayahuasca to work effectively, the shaman mixes two or more plants and prepares a tea – a type of plant extraction. Subsequent scientific research has established why it is necessary to mix these plants, based on chemical substances that have been extracted and identified from each (Fig. 2).[180] While the researchers who identified these active chemical substances did not pursue a composition of matter patent on them, such a strategy could have been taken. If it had, it should only have been pursued with the informed consent of the indigenous peoples who owned this TMK-based IP; and, there should be equitable sharing of future benefits. The example of the Miller patent on the ayahuasca plant (Fig. 3) illustrates an unsavory effort to bypass this process, which led to public outcry and the subsequent creation of laws and procedures to ensure protection of Peru’s IPRs.[181]


[91]     Future drug co-development initiatives should build on these lessons from ayahuasca, to ensure protection of IPR via compliance with national, regional and international laws and treaties, including those embodied in Peru’s sui generis protections (Law No. 27811), the Andean Community, and the U.S.-Peru TPA. With these constraints and guidelines, research collaborations between U.S. researchers, Peruvian researchers, and indigenous communities can proceed to co-develop TMK-derived drugs. To guide this process, a draft drug co-development agreement has been provided in this paper (section IV). Central to this agreement is a focus on identifying active chemical components from plant extracts and patenting them as composition of matter. This focus is a pragmatic requirement, since pharmaceutical companies who may license these patents for further co-development will only make a significant financial investment if they have the strong protection that composition of matter (not method of use) patents provide. This co-development process has the potential to extend the benefits of TMK to the rest of the world, which is a shared goal of all parties involved.









* The author is Dean and Professor of Business, and Professor of Pharmaceutical Sciences, at Concordia University Wisconsin. He would like to thank Dean Arneson, Pharm.D, Ph.D. (Professor and Dean of the CUW School of Pharmacy) for providing the pictures from his trips to Peru, and Professor Kali Murray at Marquette University for many helpful comments and guidance. This research was supported, in part, by National Institutes of Health (NIH) grants AI101975, GM118304 and HL112639.


[1] See, Manuel Ruiz, Isabel Lapeña, and Susanna E. Clark, The Protection of Traditional Knowledge in Peru: A Comparative Perspective, 3 Wash. U. Glob. Stud. L. Rev. 755, 760 (2004).


[2]See Ley N° 27811 [Law No. 27811], art. 5, Aug. 10, 2002, El Peruano,, archived at (trans. at, archived at (Peru) (Law Introducing a Protection Regime for the Collective Knowledge of Indigenous Peoples derived from Biological Resources).


[3]See generally, Howard Mann, Intellectual Property Rights, Biodiversity and Indigenous Knowledge: A Critical Analysis in the Canadian Context, Report Submitted to the Canadian Working Group on Articles 8(j) of the Convention on Biological Diversity (Ottawa, 1997) (Analyzing intellectual property rights of Aboriginal people in Canada with regard to today’s laws, and addressing the correlating barriers and opportunities for the use of intellectual property rights in relation to indigenous knowledge and resources).


[4] See, e.g., Heather A. Sapp, Monopolizing Medicinal Methods: The Debate Over Patent Rights for Indigenous Peoples, 25 Temp. J. Sci. Tech. & Envtl. L. 191, 196 (2006) (“…[W]estern patent systems appropriately exclude [Traditional Knowledge] from patent protection.”).


[5] See Gene Quinn, The Impact of the America Invents Act on the Definition of Prior Art, IP Watchdog (Oct. 3, 2012),, archived at

[6] See Ish Khanna, Drug Discovery in the Pharmaceutical Industry: Productivity Challenges and Trends, 17 Drug Discovery Today 1055, 1088 (2012),, archived at


[7] Id. at 1095-96.


[8] See e.g., Carolyn Gregoire, Scientists Put Shamanic Medicine Under the Microscope, Huffington Post (Oct. 16, 2015),, archived at


[9] See id.


[10] World Intellectual Prop. Org. (WIPO), Traditional Knowledge,, archived at (last visited Sept. 21, 2016).


[11] Joe McCarter & Michael C. Gavin, Perceptions of the Value of Traditional Ecological Knowledge to Formal School Curricula: Opportunities and Challenges From Malekula Island, Vanuatu, 7 J. Ethnobiology & Ethnomedicine, no. 38, 2011,, archived at

[12] See Martha Johnson, Research on Traditional Environmental Knowledge: Its Development and Its Role, in Lore: Capturing Traditional Environmental Knowledge 3, 4 (Martha Johnson ed., 1992).

[13] See Fulvio Mazzocchi, Western Science and Traditional Knowledge: Despite Their Variations, Different Forms of Knowledge Can Learn From Each Other, 7 European Molecular Biology Organization Reports 463, 463–466 (2006).

[14] See Graham Dutfield, TRIPS-Related Aspects of Traditional Knowledge, 33 Case W. Res. J. Int’l L. 233, 242 (2001).


[15] See Ryan Abbott, Documenting Traditional Medical Knowledge, WIPO, 3 (Mar. 2014), archived at citing Fact Sheet No. 134: Traditional Medicine World Health Org. (WHO), archived at

[16] See World Health Org. (WHO), General Guidelines for Methodologies on Research and Evaluation of Traditional Medicine (2000),, archived at


[17] See Norman R. Farnsworth, Screening Plants for New Medicines, in Biodiversity 83, 95 (E. O. Wilson ed., 1988).


[18] See Peter Principe, Economics and Medicinal Plants, in Medicinal Plants: Their Role in Health and Biodiversity 42, 44 (Timothy R. Tomlinson & Olayiwola Akerele eds., 1998).


[19] See Rainer W. Bussmann & Douglas Sharon, Traditional Medicinal Plant Use in Northern Peru: Tracking Two Thousand Years of Healing Culture, 2 J. Ethnobiology & Ethnomedicine, no. 47, 2006,, archived at


[20] See id.

[21] See infra Figure 1.


[22] See Richard E. Schultes, The Botanical and Chemical Distribution of Hallucinogens, 9 J. Psychedelic Drugs 247, 251 (1977).


[23] See Kenneth W. Tupper, The Globalization of Ayahuasca: Harm Reduction or Benefit Maximization?, 19 Int’l J. Drug Pol’y 297, 297–303 (2006).


[24] See Marlene Dobkin De Ríos, Banisteriopsis in Witchcraft and Healing Activities in Iquitos, Peru, 24 Econ. Botany 296, 296 (1970).


[25] See id.


[26] E-mail attachment from Dr. Dean Arneson, Pharm.D, Ph.D., Dean of School of Pharmacy, Concordia University Wisconsin, to author (2013) (on file with author).


[27] See supra Figure 1.


[28] See De Ríos, supra note 24, at 296.


[29] See id. (stating that the boiled ayahusca infusion is sometimes mixed with additives like chacruna, a Quechua word describing the plant otherwise known as Psychotria viridis).


[30] See infra Figure 2.


[31] See J.C. Callaway et al., Pharmacokinetics of Hoasca Alkaloids in Healthy Humans, 65 J. Ethnopharmacology 243, 244 (1999).

[32] See id.; see also Dennis J. McKenna, J.C. Callaway & Charles S. Grob, The Scientific Investigation of Ayahuasca: A Review of Past and Current Research, 1 Heffter Rev. Of Psychedelic Research 65, 67 (1998); see infra Figure 2.


[33] See Callaway et al., supra note 31, at 245.


[34] See, e.g., Andrea Rinaldi & Pryia Shetty, Traditional Medicine for Modern Times: Facts and Figures, SciDev.Net (June 6, 2015),, archived at


[35] See generally Bussman & Sharon, supra note 19 (discussing Chiappe and Millones as the first scientists to study the Shaman’s use of ayahuasca).


[36] See Richard Seth Gipstein, Note, The Isolation and Purification Exception to the General Unpatentability of Products of Nature, 4 Colum. Sci. & Tech. L. Rev. 2 (2003).


[37] See Leanne M. Fecteau, Note, The Ayahuasca Patent Revocation Questions About Current U.S. Patent System, 21 B.C. Third World L.J. 69, 70 (2001).


[38] See U.S. Patent No. Plant 5,751 (filed Nov. 7, 1984); see infra Figure 3.


[39] Id.


[40] See David R. Downes & Glenn M. Wiser, Center for Int’l Envtl. Law, Comments on Improving Identification of Prior Art: Recommendations on Traditional Knowledge Relating to Biological Diversity Submitted to the United States Patent and Trademark Office, Aug. 2, 1999, at 15,‎, archived at [hereinafter Comments on Improving Identifications of Prior Art]; see also David R. Downes & Glenn M. Wiser, The Legal Elements of the “Ayahuasca” Patent Case, Center For International Environmental Law (Mar. 30, 1999),, archived at [hereinafter Legal Elements].


[41] See Downes & Wiser, Legal Elements, supra note 40.


[42] U.S. Patent No. Plant 5,751 (filed Nov. 7, 1984).


[43] David R. Downes, et al., Request for Reexamination of U.S. Patent No. Plant 5,751 (Mar. 30, 1999), at 1,, archived at;

Downes & Wiser, Comments on Improving Identifications of Prior Art, supra note 40, at 15.
[44] See generally Downes & Wiser, Comments on Improving Identifications of Prior Art, supra note 40, at 13–16 (discussing arguments against the validity of Miller’s patent).


[45] See id. at 4.



[47] See Downes, et al., supra note 43, at 1–2.


[48] Downes & Wiser, Comments on Improving Identifications of Prior Art, supra note 40, at 13 n. 39.


[49] See id. at 13; see also, supra note 35.


[50] See Downes & Wiser, Comments on Improving Identifications of Prior Art, supra note 40, at 14–15.


[51] See id. at 15.


[52] See E-mail from author, to Dr. Dean Arneson, Pharm.D, Ph.D., Dean of School of Pharmacy, Concordia University Wisconsin (2013) (on file with author).


[53] See Downes & Wiser, Comments on Improving Identifications of Prior Art, supra note 40, at 15.


[54] In re Hall, 781 F.2d 897, 900 (Fed. Cir. 1986) (“…we reject appellant’s legal argument that a single cataloged thesis in one university library does not constitute sufficient accessibility to those interested in the art exercising reasonable diligence.”).


[55] See supra Figure 4.


[56] See generally Downes & Wiser, Comments on Improving Identifications of Prior Art, supra note 40, at 3, 5–6, 16 (discussing the social implications on the traditional knowledge of indigenous communities).
[57] See id.; see also Glenn Wiser, Center for Int’l Envtl. Law, U.S. Patent and Trademark Office Reinstates Ayahuasca Patent: Flawed Decision Declares Open Season on Resources of Indigenous Peoples, (June 25, 2001) at 1,, archived at


[58] See infra Section III (E).


[59] Use of Turmeric in Wound Healing, U.S. Patent No. 5,401,504 (filed Dec. 28, 1993).


[60] Sanjay Kumar, India Wins Battle with USA Over Turmeric Patent, 350 The Lancet 675, 724 (1997); Use of Turmeric in Wound Healing, U.S. Patent and Trade Office Reexamination Certificate B1 5,401,504 (Apr. 21, 1998).


[61] Detailed Statement in Support of Request for Reexamination of U.S. Plant Patent No. 5,751 from David R. Downs & Glenn Wiser to the Commissioner of Patents and Trademarks (filed Nov. 7, 1984),, archived at [hereinafter Detailed Statement].


[62] Id. at 4.

[63] See generally Press Release 98-6, USPTO, Facts on Patenting Life Forms Having a Relationship to Humans, (April 1, 1998) (on file with author),, archived at


[64] Tol-O-Matic, Inc. v. Proma Produkt-Und Marketing Gesellschaft m.b.H., 945 F.2d 1546, 1553 (Fed. Cir. 1991) (citing Lowell v. Lewis , Fed. Case No. 8568 (C.C. Mass. 1817)).


[65] Downes & Wiser, Detailed Statement, supra note 61, at 24.


[66] See infra Section III (E).


[67] See Glen M. Wiser, U.S. Patent and Trademark Office Reinstates Ayahuasca Patent, Flawed Decision Declares Open Season on Resources of Indigenous Peoples CIEL 2 (June 25, 2001).


[68] See Ex parte Nehls, No. 2007-1823 (B.P.A.I. Jan. 28, 2008).


[69] Downes & Wiser, Detailed Statement, supra note 61, at 1.


[70] See generally Glen M. Wiser & David R. Downes, Center for Intn’l Envtl. Law, Comments on Improving Identification of Prior Art: Recommendations on Traditional Knowledge Relating to Biological Diversity Submitted to the United States Patent and Trademark Office, (Aug. 2, 1999),, archived at


[71] See Press Release 98-6, USPTO, supra note 63.


[72] Constitución Política Del Perú [C.P.] art. 68.


[73] See GRAIN, The Struggle Against IPR in the Andes, Seedling, July 12, 2009, at 21.


[74] Id. at 20.


[75] See Ley N° 27811 [Law N° 27811], Ley que Establece el Régimen de Protección de los Conocimientos Colectivos de los Pueblos Indígenas Vinculados a los Recursos Biológicos [Law Introducing a Protection Regime for the Collective Knowledge of Indigenous Peoples Derived from Biological Resources], Aug. 10, 2002, El Peruano, at 227953–54 (Peru).


[76] Id. at art. 5.


[77] See id at art. 5(d),(e).


[78] Id. at art. 7.


[79] See Ley N° 27811 [Law N° 27811], supra note 75 at art. 8.


[80] See id. at art. 10


[81] Id.


[82] Id. at art. 15.


[83] See id. at art. 20.


[84] See Ley N° 27811 [Law No. 27811], supra note 75 at art. 24.


[85] See id. at art. 18.


[86] See id. at art. 23.


[87] Id.


[88] See discussion supra Section II.


[89] See infra Section III(E).


[90] See Ley N° 27811 [Law No. 27811], supra note 75 at art. 26.

[91] Id. at art. 27.


[92] See World Intellectual Prop. Org. (WIPO), Traditional Knowledge Documentation Toolkit (2012),, archived at (last visited Nov. 11, 2013).


[93] See id. at 22.


[94] See infra Section III(D).


[95] See Free Trade Agreements, Off. of the U.S. Trade Representative,, archived at (last visited Sept. 9, 2016).


[96] See Final Text United States – Peru Trade Promotion Agreement, Off. of the U.S. Trade Representative, (Apr. 12, 2006),, archived at


[97] See Communidad Andina,, archived at (last visited Sept. 9, 2016) (describing the countries benefitting).


[98] See GRAIN, The Struggle Against IPR in the Andes, supra note 73 at 18.


[99] Id.


[100] Id. (emphasis added).


[101] Id.


[102] See supra Sections III(A)(a)-(b); see Grain, The Struggle Against IPR in the Andes, supra note 73, at 17.


[103] U.S.-Peru Trade Promotion Agreement: Potential Economy-wide and Selected Sectoral Effects. Inv. No. TA-2104-20, USITC Pub. 3855 at 6-12 (June 1, 2006).

[104] Understanding Regarding Biodiversity and Traditional Knowledge, U.S.-Peru, (April 12, 2006),, archived at


[105] Id.


[106] See id.


[107] See GRAIN, The Struggle Against IPR in the Andes, supra note 73 at 17,19.


[108] Laurence R. Helfer & Karen J. Alter, The Influence of the Andean Intellectual Property Regime on Access to Medicines in Latin America, in Balancing Wealth and Health: Global Administrative Law and the Battle Over Intellectual Property and Access to Medicines in Latin America 1 (Rochelle Dreyfuss & César Rodríguez-Garavito, eds., 2013).


[109] See id. at 2.


[110] See id. at 1.


[111] See id. at 4.


[112] Id.


[113] See GRAIN, The Struggle Against IPR in the Andes, supra note 73 at 17,18.


[114] See Convention on Biological Diversity, June 5, 1992, 1760 U.N.T.S. 79, 31 I.L.M. 818 (1992),, archived at


[115] Id. at 6.

[116] See id. at 24.


[117] See generally, Agreement on Trade-Related Aspects of Intellectual Property Rights, Annex 1C, Apr. 15, 1994, Legal Instruments-Results Of The Uruguay Round, 1869 U.N.T.S. 299, 33 I.L.M. 81 (1994) (supporting need for multilateral framework between member countries).


[118] See Overview: The TRIPS Agreement, World Trade Org.,, archived at (last visited Sept. 9, 2016).


[119] See J.H. Reichman, The TRIPS Agreement Comes of Age: Conflict or Cooperation with the Developing Countries?, 32 Case W. Res. J. Int’l. L. 441, 452 (2000).


[120] See id.


[121] See World Intellectual Prop. Org. (WIPO), Advice on Flexibilities under the TRIPS Agreement,, archived at (last visited Aug. 30, 2016).


[122] See Paris Convention for the Protection of Industrial Property, Mar. 20, 1883, as last revised July 14, 1967, 21 U.S.T. 1583, 828 U.N.T.S. 311 (applying international treaty to industrial intellectual property).


[123] See Berne Convention for the Protection of Literary and Artistic Works, Sept. 9, 1886, as last revised July 24, 1971, 25 U.S.T. 1341, 828 U.N.T.S. 221 (international agreement governing copyright law).


[124] See e.g.,Overview: the TRIPS Agreement, supra note 118.


[125] See generally Leahy-Smith America Invents Act, Pub. L. No. 112-29, 125 Stat. 284 (2011) (modernizing the United States Patent Law system).


[126] See 35 U.S.C. § 102(a), (b) (2006) (emphasis added).


[127] Id. (emphasis added).


[128] See id. (emphasis added).


[129] See supra note 59.


[130] See supra note 60.


[131] See Leanne M. Fecteau, The Ayahuasca Patent Revocation: Raising Questions About Current U.S. Patent Policy, 21 B.C. Third World L. J. 69, 86 (2001).


[132] See id. at 73-74.


[133] 35 U.S.C. §102(a)(1).


[134] Id.


[135] Id.


[136] See Ley N° 27811 [Law No. 27811], supra note 75 at art. 2(e) (explaining the protections created by the Peruvian government for collective knowledge of indigenous peoples in regard to biological resources).


[137] Plurinational State Of Bolivia [Constitution] 2009, Ch. V, art. 43 (Bol.),, archived at

[138] See World Intellectual Prop. Org. (WIPO), Comparative Summary of Existing National SUI GENERIS Measures and Laws for the Protection of Traditional Knowledge, Intergovernmental Committee on Intellectual Property and Genetic Resources, Traditional Knowledge and Folklore, Fifth Session, WIPO Doc. WIPO/GRTKF/IC/5/INF/4, archived at (June 20, 2003).

[139] See Peru Trade Promotion Agreement, Office Of The U.S. Trade Representative, archived at (last visited Sep. 9, 2016).


[140] See Ley N° 27811 [Law No. 27811], supra note 75 at art 42.


[141] See supra note 138.


[142] See supra Figure 2.


[143] See id.


[144] Drug Developers Are Aggressively Changing the Way They Do R&D, Tufts Center For the Study of Drug Dev. (Jan. 5, 2011),, archived at


[145] See supra Figure 2.


[146] This is an example situation.


[147] See Ass’n for Molecular Pathology v. Myriad Genetics, Inc., 133 S. Ct. 2107, 2116 (2013).


[148] See e.g., U.S. Patent No. 7,915,265 B2 (filed Feb. 15, 2006); see also U.S. Patent No. 8,067,433 B2 (filed Nov. 8, 2006); Alice Yuen-Ting Wong & Albert Wai-Kit Chan, Myriad and Its Implications for Patent Protection of Isolated Natural Products in the United States, Chinese Medicine,, archived at (last visited Sep. 7, 2016).


[149] See Parke-Davis & Co. v. H. K. Mulford & Co., 189 F. 95., 114 (S.D.N.Y. 1911); see also Michael D. Davis, The Patenting of Products of Nature, 21 Rutgers Computer & Tech. L. J. 293, 326 (1995).


[150] See id. at 324.


[151] See supra note 147 at 2111.


[152] See id at 2113.


[153] Id. at 2120.


[154] See id.

[155] Id. at 2119.


[156] See supra note 147 at 2111.


[157] See Jason Rantanen, Myriad: Isolated DNA out, cDNA in, patentlyo (June 13, 2013),, archived at (discussing the outcome of Ass’n for Molecular Pathology v. Myriad, 133 S. Ct. 2107, 2118 (2013)).


[158] See Z. Peter Sawicki et al., Patenting Biologicals: Myriad Issues and Options in the Wake of Myriad, Bench & Bar (Sept. 9, 2013),, archived at


[159] See supra note 147 at 2112, 2117 (indicating that a small modification to naturally occurring DNA would likely qualify as a patentable product).


[160] Id. at 2116.


[161] See, e.g., Kristin C. Buteau, Deuterated Drugs: Unexpectedly Nonobvious?, 10 J. High Tech. L. 22, 26̀–27 (2009); Amanda Yarnel, Heavy-Hydrogen Drugs Turn Heads, Again: Firms Seek to Improve Drug Candidates by Selective Deuterium Substitution, Chem. & Eng’g News (June 22, 2009),, archived at


[162] See, e.g., Patrick Makary, Principles of Salt Formation, 2 U.K. J. Pharmaceutical & Biosciences 4, 1, 3 (2014),, archived at .


[163] See C.R.A. Wright, On the Action of Organic Acids and their Anhydrides on the Natural Alkaloids, 27 J. Chem. Soc’y. 1031, 1032 (1874),, archived at


[164] See id; see also U.N. Office on Drugs & Crime, History of Heroin, 5 Bull. on Narcotics 3, 3 (1953),, archived at; Bayer, Felix Hoffmann,, archived at (last visited Sep. 8, 2016).


[165] See cDNA Production, Davidson Coll. Dept. of Biology,, archived at (last visited Sep. 8, 2016).


[166]See e.g., Thermo Fisher Scientific,, archived at (last visited Sep. 8, 2016).


[167] See supra Figure 2.


[168] E. Chan, M. Tan, J. Xin, S. Sudarsanam & D.E. Johnson, Interactions Between Traditional Chinese Medicines and Western Therapeutics, 13 Current Opinion Drug Discovery & Devel. 50, 52 (2010); see supra Section II.


[169] Id. at 63.


[170] This sample agreement was created for purposes of this article.


[171] See supra note 16.


[172] See Ley N° 27811 [Law No. 27811], supra note 75 at art. 20.


[173] See supra note 96.


[174] See Ley N° 27811 [Law No. 27811], supra note 75 at art. 2(a).


[175] Id. at art. 2(c).

[176] See id.


[177] See WIPO Toolkit, supra note 92 .


[178] See Ley N° 27811 [Law No. 27811], supra note 75 at art. 8.


[179] See supra Figure 1.


[180] See supra Figure 2.


[181] See supra Figure 3.

The Federal Government Has Just Granted You Permission to Hack Your Own Devices


By: Joe Strafaci,

Hacking a device, including one that you rightfully own, has been illegal under the Section 1201 of the Digital Millennium Copyright Act (DMCA) since 1998.[1] In effect, it prevents anyone from reverse-engineering hardware or software on any product they obtain in the marketplace.[2] While this might seem odd at first, companies have routinely cited its importance for maintaining the security of their products. This application ranges from protecting the copyright behind everything from a PlayStation to an automobile.[3]

But advocacy groups have long argued that certain types of hacking based on goodwill actually serves to help these companies and the general public. Recent research-oriented hackers have risked prosecution to show vulnerabilities in certain products.[4] Some examples of this research that includes showing how insulin pumps can be hacked to induce an overdose and how a Jeep could be hacked to affect the brakes and transmission.[5] As a result of this advocacy, an exemption finally kicked in on October 28, 2016 which will now permit what may be viewed as “good faith” hacking. While it permits the hacking of devices, the exemption will not provide a full bar from prosecution under Section 1201 of the DMCA.[6]

Several limitations have been placed on the exemption to permit hacking of commercial hardware and software products. The exemption only applies to what the DMCA refers to as “good faith” testing. This means that individuals will only be able to avoid the threat of prosecution if they are conducting their testing for the purpose of public safety or some similar reasoning. Additionally, any hacking or testing must be performed in a controlled environment in an effort to prevent potential harm to individuals involved or the public in general. Lastly, it is important to note that this exemption will only be active for two years, although it could potentially be extended.[7]

As a result of these limitations, the ability to hack into an individual’s own device will likely be severely limited. Different exemptions still exist for conducting specific activities, such as jail-breaking an iPhone.[8] However, most of the testing and hacking that the DMCA protects will be unavailable to the common individual. Due to these limitations, any individual that is not part of some type of research group is likely to risk prosecution under Section 1201.[9]

Despite these limitations, the general public will likely benefit greatly from this new exemption. It will allow sophisticated researchers to point out vulnerabilities in hardware and software that is now utilized in almost every industry. Furthermore, it will enable research groups to enact a degree of corporate oversight. For example, the recent Volkswagen scandal was initially brought to the attention of the public because researchers had reverse-engineered a Volkswagen automobile to show how Volkswagen had rigged its software to cheat emissions testing.[10] The limitations referenced above are likely a small price to pay for the general good that can come by providing an exemption to Section 1201 of the DMCA.



[1] See Digital Millennium Copyright Act, 17 U.S.C. § 1201 (1998).

[2] See id.

[3] See Understanding the Section 1201 Rulemaking, U.S. Copyright Office (Oct. 28, 2015).

[4] See Andy Greenberg, It’s Finally Legal to Hack Your Own Devices, Wired, (Oct. 31, 2016),

[5] See id.

[6] See id.

[7] See id.

[8] See Thomas Fox-Brewster, DMCA Ruling Ensures You Can’t Be Sued for Hacking Your Car, Your Games Or Your iPhone, Forbes, (Oct. 27, 2015),

[9] See id.

[10] See id.

Photo Source:

Powered by WordPress & Theme by Anders Norén