Posts Archive
Technical and litigation notes
Trade Secret vs Patent — The Strategic Choice for AI Systems
A patent gives exclusive rights for 20 years in exchange for full public disclosure. A trade secret protects indefinitely but falls the moment an adversary independently discovers or reverse-engineers the system. For behavioral AI, the right answer is a deliberately constructed hybrid.
IP Law for AI Builders
Can You Patent a Behavioral AI Architecture?
The Alice/Mayo framework, the EU's technical character requirement, and India's CRI Guidelines 2016 each determine whether a behavioral AI orchestration architecture is patentable. The answer is yes — with the right claim drafting strategy.
AI Governance & Regulation
WhatsApp Media API — Platform Terms and Developer Obligations
Developers using the WhatsApp Media API agree to Meta's platform policies as a condition of API access. Those policies constrain how media can be processed, stored, and shared — with immediate revocation as the enforcement mechanism. Understanding these constraints is part of responsible API use.
Data Privacy & GDPR
Media Storage and the Right to Erasure
The WhatsApp AI agent downloads WhatsApp voice notes, stores them temporarily as files, transcribes them, and then stores the transcripts in the database. GDPR gives users the right to erasure of their data. Cascading deletion from the database record through to backup systems is harder than it looks.
AI Governance & Regulation
AI-Generated Audio — Disclosure, Consent, and Deepfakes
Kokoro TTS generates voice audio that sounds human. The legal status of that audio — whether it requires disclosure, whether consent is required to receive it, and whether it can be regulated as a deepfake — is actively being determined across multiple jurisdictions.
Data Privacy & GDPR
Database Schema Design and Data Protection by Design
GDPR Article 25 requires data protection by design and by default. Database schema design is a data protection design decision. Whether you use soft or hard deletes, how you structure audit tables, and whether you store personal data in JSON columns all have GDPR implications.
Security & Compliance
Webhook Security — HMAC, Rate Limiting, Replay Attacks
Webhook HMAC verification is widely implemented and widely misunderstood. It proves the payload was signed by someone with the app secret — not that the payload is fresh, not that it hasn't been seen before, and not that the app secret hasn't been compromised. Understanding what HMAC proves is as important as implementing it.
Security & Compliance
XSS, JSON Injection, and Output Encoding
Cross-site scripting (XSS) via JSON injection in HTML attributes is consistently underestimated because it requires an unusual combination of conditions: JSON output inside an HTML attribute, combined with content that contains HTML-special characters. When these conditions coincide — as they do in legal case data that contains names like "O'Brien" — the vulnerability is real.
Data Privacy & GDPR
Logging Personal Data — GDPR and Application Logs
Application logs capture request URIs, query parameters, and response bodies. In a legal SaaS, these often contain personal data: client names in URL slugs, phone numbers in query strings, case details in response bodies. GDPR requires a lawful basis and a retention policy for every category of personal data — including what ends up in log files.