OwnershIP Of Machine-Generated Cybersecurity Threat-Pattern Maps Used By Omani Banks.
1. Nature of Threat-Pattern Maps
These maps are:
- Data-driven outputs (based on logs, transactions, threat feeds)
- Often autonomously generated by AI systems
- Used for security decision-making, not expressive creativity
π This distinction is critical because functional outputs receive weaker IP protection.
2. Key Legal Issues
(A) Copyright Ownership
- Requires human authorship and originality
- AI-generated maps may lack:
- Human creativity
- Expressive authorship
(B) Database Rights
- Banks compile:
- Transaction logs
- Threat intelligence feeds
- Protection may arise from investment in data collection
(C) Trade Secrets (Most Important in Practice)
Threat maps are typically:
- Confidential
- Security-sensitive
- Competitively valuable
π Thus, they are often protected as trade secrets rather than copyrighted works
(D) Banking & Data Sovereignty (Oman Context)
Although Oman does not yet have AI-specific IP laws:
- Central Bank regulations emphasize:
- Data confidentiality
- Cyber resilience
- Ownership is often tied to:
- The bank controlling the infrastructure
- Not the AI vendor
3. Detailed Case Laws (More than Five)
1. Feist Publications, Inc. v. Rural Telephone Service Co.
Facts:
A telephone directory listing names and numbers was copied.
Judgment:
- Facts are not protected
- Only original arrangement is protectable
Application:
Cybersecurity threat maps:
- Built from raw threat data (facts)
- AI arrangement may not qualify unless:
- Human judgment shapes output
π Pure machine-generated threat clustering may lack copyright protection
2. SAS Institute Inc. v. World Programming Ltd
Facts:
A competitor replicated software functionality.
Judgment:
- Functionality and logic are not protected
- Only expression is protected
Application:
Threat-pattern maps:
- Represent functional cybersecurity logic
- Example:
- βIP cluster β high fraud riskβ
π Such logic is not copyrightable, even if AI-generated
3. Eastern Book Company v. D.B. Modak
Facts:
Copyright claimed over edited legal judgments.
Judgment:
- Requires modicum of creativity
Application:
If Omani banks:
- Customize threat maps
- Add human interpretation
π Then protection may arise
But:
- Fully automated outputs β fail creativity threshold
4. Infopaq International A/S v. Danske Dagblades Forening
Facts:
Extraction of short text snippets.
Judgment:
- Protected if it reflects authorβs intellectual creation
Application:
Threat maps:
- If shaped by:
- Human-defined risk models
- Strategic visualization
π Could qualify as protected works
Otherwise:
- Pure AI output β not protected
5. University of London Press Ltd v. University Tutorial Press Ltd
Judgment:
Originality requires skill, labour, and judgment
Application:
- Human cybersecurity analysts:
- Curating threat signals
- Designing classification rules
π Can claim ownership
But:
- Autonomous AI β lacks βjudgmentβ
6. Naruto v. Slater
Facts:
A monkey took a photograph.
Judgment:
- Non-humans cannot own copyright
Application:
AI-generated threat maps:
- AI cannot be author
- Ownership must vest in:
- Bank
- Developer
- Or none (if no human input)
7. Thaler v. Commissioner of Patents
Facts:
AI system claimed as inventor.
Judgment (final position):
- Inventorship requires human identity
Application:
- AI cannot own:
- Threat models
- Pattern maps
π Ownership defaults to human or corporate entities
8. Waymo LLC v. Uber Technologies Inc.
Facts:
Trade secrets relating to autonomous driving were allegedly stolen.
Judgment:
- Recognized high value of algorithmic trade secrets
Application:
Cybersecurity threat maps:
- Similar to:
- Proprietary detection systems
- Fraud models
π Strongly supports:
- Trade secret protection over copyright
4. Ownership Scenarios in Omani Banking Context
Scenario 1: In-House AI System (Bank-Owned)
- Bank develops AI internally
- Uses internal data
π Ownership:
- Bank owns:
- Data
- Models
- Outputs
Protected via:
- Trade secrets
- Banking confidentiality laws
Scenario 2: Vendor-Provided AI (SaaS Model)
- External cybersecurity firm provides AI
π Ownership depends on:
- Contract terms:
- Vendor may own:
- Algorithms
- Bank may own:
- Data
- Derived insights
- Vendor may own:
β οΈ Disputes arise if contracts are unclear
Scenario 3: Fully Autonomous AI Output
- No human intervention
π Likely outcome:
- No copyright
- Controlled via:
- Contracts
- Access rights
- Confidentiality
Scenario 4: Human-AI Hybrid System
- Analysts:
- Tune models
- Interpret results
π Ownership:
- Bank (as employer)
- Protected under:
- Copyright (limited)
- Trade secrets (strong)
5. Regulatory Overlay (Oman-Specific Insight)
Although case law is mostly international, in Oman:
- Central Bank cybersecurity frameworks emphasize:
- Confidentiality
- Operational control
- Data protection principles imply:
- Banks must retain control over:
- Sensitive cybersecurity outputs
- Banks must retain control over:
π This indirectly supports bank ownership of threat maps
6. Key Legal Principles Emerging
- AI cannot be an owner
(Naruto, Thaler) - Functional outputs are weakly protected
(SAS Institute) - Raw data is not protected
(Feist) - Creativity threshold is essential
(D.B. Modak, Infopaq) - Trade secrets dominate cybersecurity assets
(Waymo v. Uber)
7. Practical Conclusion
For Omani banks:
Ownership Reality:
- β
Bank usually owns:
- Data
- Threat insights
- β AI does not own anything
- β οΈ Copyright may be weak or absent
Strongest Protection:
- Trade secrets
- Confidentiality regimes
- Contractual control
8. Final Insight
Cybersecurity threat-pattern maps are less like creative works and more like strategic intelligence assets. Courts across jurisdictions consistently show that:
- IP law alone is insufficient
- Control + secrecy + contracts = real ownership
RELATED Blog
comments