Blog: Protecting Your Machine Learning Investment

Article by: Wil Michiels

How machine learning models can be protected by intellectual property laws now and in the future (Part 1 of 2)

Manufacturers and suppliers commonly offer maintenance contracts to companies who purchase operation-critical equipment. A preventative maintenance application based on a machine learning (ML) model can be used to help avoid failures that could impact business. To build the model, the manufacturer or supplier must spend time, money, and effort. However, to eliminate the costs of a maintenance contract, the customer could duplicate the model and manage the maintenance without the supplier’s assistance.

To build a machine learning (ML) model for maintenance, an appropriate training set must be collected and labeled; the architecture and training parameters must be chosen for optimal accuracy–speed trade-offs for the algorithm; and computing time is required to train it.

ML models can be considerable investments and valuable assets for any company. Although ML-driven applications are gaining more and more traction, some companies are reluctant to make the required investment for data collection and model building simply because they have concerns about other individuals and companies, including competitors, potentially exploiting and profiting from their work. For example, if the intellectual property (IP) of an ML model for maintenance is not properly protected, a competitor can copy and steal the ML model with very little time and effort, lightly tweak the model to avoid detection, and deploy the model in their own products.

Traditional IP rights such as patents or copyrights are available to protect investments in the creation of nonphysical assets. However, across the legal community the question remains about the protection of ML through IP rights: how much — and what — is covered?

Machine learning terminology

Before we dive further into the IP aspects of ML, it is important to understand the terminology. Broadly, machine learning is the scientific study of algorithms and statistical models that computer systems use to effectively perform a specific task without using manually programmed instructions, relying instead on patterns and inference.

Typically in ML, a set of training data is used to derive weights for the statistical models. These weights are then applied to new situations to obtain an answer from the model that is applicable to the new situation. One popular type of ML model is the neural network. To clarify the process of employing neural networks, we refer to the picture below:

(Source: NXP)


In the neural network type of ML, there are two steps. First, in the training phase, parameters for the architecture are derived to give the model a specific functionality. We call this training the model. The quality of the trained model is measured by using test data. Second, in the inference phase, the trained model is used to make predictions, for example, to perform classification on new data. Although terminology for all these concepts varies in the literature, in this white paper, we use the following:

Neural network architecture: The collection of neurons in the neural network, the connections between them, and the activation functions used. This architecture can be visualized as a directed graph.

Training set: A set of data which is used to train the architecture, allowing it to determine the right weights.

Test set: A second set of data, used to test and validate that the model is providing the expected result.

Machine learning system: The software and hardware that implements machine learning (training and/or inference).

Model: For neural networks, the model is the collection of weights associated with the connections of the neural network architecture. These weights are collected during training.

Training parameters: Parameters used to steer the training algorithm (e.g., how many times should we repeat the training set? How many data items do we process before we update the weights? How large are the changes we apply to the weights per update? What cost function do we use for optimization?).

ML is used today for a wide variety of tasks. A popular application is classification; examples include recognizing certain objects in images or videos, classifying texts into particular categories, and detecting fraud or anomalous measurements (which includes our previous example for predictive maintenance).

Other applications include forecasting and object detection, which are used in autonomous vehicles. For many companies deploying ML, the training set and the model used for an ML application are valuable pieces of information that competitors should not access. This issue has led to the question of how to protect these and other ML elements through legal means, or IP rights.

Intellectual property rights: IP rights (IPR) are legal rights that protect non-tangible business assets against various types of misuse by third parties. Such misuse can be stopped by a legal injunction issued by a court, often combined with claims of financial damages and/or seizure of infringing products. However, each type of IPR has its own particular requirements and limitations. In this white paper, we discuss copyrights, patents, database rights, and trade secrets.

Copyright: Copyright is the most well-known type of IPR. A copyright is the right to forbid copying and dissemination of a protected work. Traditionally this right has predominantly been used in the creative arts (e.g., music, books, and photographs). However, copyright applies just as much to business works including software, manuals, white papers (even this one!), company videos, and so on.

The law on this type of right is greatly standardized around the world. A work is automatically protected upon creation, with no application or registration needed. Not even a copyright notice is required, although this is often done in an effort to scare off would-be copyists. The only real requirement is that some form of creativity is present in the work. A mere list of dates, for example, is not copyrighted, but a cleverly formulated sentence could be.

A limitation of copyright is that it only protects against actual copying. An independent recreation of the same work is not an infringement of copyright. The independence of the re-creation can be demonstrated through documentation or logs of the process of the creation.

Patents: Patents are the heavy lifters of the IPR world. When an innovation is protected by a patent, no one may make, use, or sell any device incorporating that innovation. Unlike a copyright, a patent protects against any independent re-creation. The patent holder can demand royalties or simply put an end to someone’s commercial use of their innovation.

The major drawback with patents is the application process, which involves costly fees and a multiyear examination process with uncertain outcome.

A complication with software is the strict case law on “software patents,” which are perceived negatively around the world. It is hard to enforce a patent on an innovation that heavily draws on software or automation.

In general, to be awarded a software patent, the invention must provide a real-world improvement — not just better working software. For example, today a compression algorithm is typically considered patentable, as would be a more memory-efficient matrix multiplication technique. An algorithm to accurately predict the next soccer world cup winner would not be patentable.

Database rights: A relative newcomer in the IPR world is the database right. Introduced in Europe in the late 1990s, the database right protects a collection of information against copying and reuse. The main requirement to qualify for a database right is that substantial investment was made in the creation or maintenance of the data in the database. As with copyright, no formal registration or application is required.

Examples of protected databases include online dictionaries, labeled image collections, and source data for cartographical maps. In all cases, the data must be organized for search and browsing.

Outside of the European Union, however, the database right is not recognized, which further complicates IPR. The U.S. has a long-standing legal tradition that collections of data are not protectable by IPR — only creative works can be protected under copyright.

Trade secrets: The status of trade secrets in the IPR world differs around the world, but in general, misappropriation of well-protected information is actionable by law. In this instance, the owner of the information would be required to show how it applied adequate security measures against unauthorized access. A would-be trade secret thief could then counter by proving that the information was already available in the public domain.

Typically, companies guard their trade secrets by signing nondisclosure agreements (NDAs) with customers or other third parties. Strict contractual obligations then prohibit copying or reuse — strengthened, in some jurisdictions, by contractual fines or other legal measures. NDA provisions may also be present in other agreements. However, someone who learns the confidential data from a legitimate purchase of a product is not bound by such provisions — even when using special techniques such as reverse engineering — which limits the strength of trade secret law.

A competitor or other entity with less than noble intentions has various options to profit from the work or investments made by the creator of an ML system. Given the unique nature of ML, the question then arises: How can IP law be applied to protect the various aspects of this novel technology? In the second part of this white paper, we’ll cover intellectual protection options for machine learning.

About the Author

Prof. Dr. Wil Michiels is a Security Architect at NXP Semiconductors who focuses on security innovations to enhance the security and trust of machine learning. Topics of interest include model confidentiality, adversarial examples, privacy, and interpretability. Michiels is also a Professor who specializes in security for machine learning at the Eindhoven University of Technology (TU/e), where he obtained his PhD in computer science. To learn more about NXP’s innovative solutions for Security and Machine Learning, visit

This material has been created in consultation with IT lawyer Arnoud Engelfriet, ICTRecht BV.
