
Picture: PC Pro Issue 372
Some AI companies are using the complexity of law as excuse for their actions, but fundamentally theft is theft – and that applies to SMEs, too
I ’m not a techie. I don’t code. I like my tools to come with clear, concise instructions. I don’t want to spend hours configuring a system, and if your product requires me to purchase a second product to function, it’s going straight into the bulging tech drawer of obsolescence.
My role – as someone with three law degrees and a business-first mindset – is to cut through the noise. I translate the techno-babble, clarify the legal position, and give business leaders plainspoken, practical insight into the state of play. No fluff. No jargon. Just the law, as it stands, applied to the facts that matter to their business.
Being sufficiently equipped in the legal arena, I’m well positioned to make sense of the intersection between law and technology. I’m not pretending to be a genius. However advanced or opaque the technologies may be, determining whether an act falls foul of the law is rarely so complicated as to justify the creation of new grey areas or for anyone to deliberately muddy the waters.
While some issues may be complex, that doesn’t make them ambiguous.
So why am I setting out my stall quite so clearly?
For a number of reasons. First, small and medium-sized enterprises (SMEs) account for 99.8% of the business population. From a pool of 5.5 million private-sector businesses, 8,000 are large (250 employees or more), 38,000 are medium (50-249) and 5.45 million are small (0-49), with micro-businesses (0-9) making up the largest portion. If our nation is to prosper, it’s critical that our businesses – and particularly our SMEs – are able to innovate, produce and protect their assets.
This isn’t about sowing fear, uncertainty and doubt (FUD). It’s about encouraging fearlessness, understanding and knowledge, though I admit that the acronym “FUK” is unlikely to catch on.
Second, we need to reach SMEs with a single, coherent message – one that’s accurate, accessible and authoritative. It must come from a credible source, not a personality platform.
When podcasters and pundits cosplay as lawyers, waxing lyrical on legal matters without bothering to get the law right, it falls to us to step in. We must provide clarity in the face of the fire hose of misinformation, because for many businesses, the cost of confusion isn’t just wasted time: it’s operational risk, reputational harm and potential legal exposure.
Beyond the need for certainty, there is a deeper issue of trust. Trust is essential in any society. It enables us to reduce friction and lower the cost of doing business. When we rely on a trusted network – whether that’s institutions, advisors or legal frameworks – we not only gain efficiency but also resilience.
We are grappling with a profound crisis of mis- and disinformation. In uncertain times, clarity and accuracy aren’t luxuries, but obligations. Without them, trust falters.
Businesses in the UK are currently facing stark and escalating realities. They’re exposed to criminals who operate beyond organisational perimeters and often beyond our jurisdiction, and those criminals are infiltrating systems and networks with increasing ease.
But perhaps more dangerously, businesses face threats from insiders: staff, contractors, even interns. The insider threat is uniquely insidious. Unlike external attackers, insiders often require no technical breach to harm the business. They already have access. Without strong, role-based access controls and monitoring, they may effectively hold the keys to the kingdom.
So it is we turn to the issue of theft and misuse of information. There’s been much in the press lately on these matters: in particular, theft and the misuse of information by insiders in the matters of Rippling v Deel and R v Hasaan Arshad. And Getty v Stability AI provides us with an example of an external threat actor.
Corporate espionage as a service
Earlier this year, Rippling, a company headquartered in California, discovered that its global head of payroll, Keith O’Brien, based in Dublin, had spied for and harvested substantial volumes of sensitive and commercially valuable information for a direct competitor (Deel). He did this by browsing the firm’s Slack workspace, navigating to the Sales channel, and using his phone to screenshot insights from the business development stream.
The fact that O’Brien used his phone is not relevant. He could just as well have transcribed the information onto wax tablets. What matters is that the information was taken by someone with access, acting against the interests of his employer. That is material.
Nor does it lessen the offence that Rippling retained the original data. Theft is not dependent on exclusivity of possession.
To simplify the point: recall the piracy warning at the start of DVDs and cinema screenings in the 2000s: “You wouldn’t steal a car… a handbag, a TV, a movie. Downloading pirated films is stealing.”
There was never a suggestion that by downloading the film, the infringer had deprived the studio of the only copy. That was never the point. The point was — and still is — that by taking what isn’t yours, you deprive the rightful owner of its value, of control, and of the proceeds of lawful use.
Cambridge 5, Manchester 1
As if to underscore the point, consider the recent criminal prosecution of Hasaan Arshad, a graduate of Manchester University, who removed copies of secret material from GCHQ while on an internship. The material was classified under the Government Protective Marking Scheme as “TOP SECRET” — a level reserved for information where compromise could lead to the widespread loss of life, threaten the internal stability of the UK and its allies, or cause exceptionally grave damage to the UK’s military, intelligence, diplomatic or economic interests.
There was no suggestion that Arshad deprived the government of its only copy of the material. But that is not the point. Possession does not equal protection. While additional legal duties applied in this case, the fact that the owner (HMG) still retained the “original manuscript” does nothing to reduce the seriousness of the offence.
Arshad didn’t sell, disclose or ransom the material. He made a copy, took it out of the building and uploaded it to his computer. This was enough to render all the material taken and anything linked to it as “valueless at best and positively dangerous at worst”, to quote the judge’s sentencing remarks.
Arshad abused his position of trust and was prosecuted under section 3ZA of the Computer Misuse Act 1990: unauthorised acts causing, or creating risk of, serious damage. He was convicted. In sentencing, the judge observed that, given the potential risk to life, the maximum sentence available under s.3ZA is life imprisonment. Arshad received a custodial sentence of six years for this offence. Fortunately for young Hasaan, I’m not on the bench. I’d have thrown the book at him.
Getty v Stability AI
Getty Images is a global visual media company and a major supplier of stock photography. Stability AI, a UK-based artificial intelligence company best known for its text-to-image model Stable Diffusion, is alleged to have used Getty’s content without permission — specifically, to train and develop its AI models. Getty argues that this amounts to a clear breach of copyright, involving the reproduction of substantial parts of its protected archive.
In response, Stability AI has acknowledged using some Getty images, but advances the rather unusual argument that because the training and development of Stable Diffusion occurred outside the UK, no acts restricted by Getty’s IP rights were committed within the jurisdiction.
This is a curious — and troubling — position. Stability AI is a UK company. It cannot sidestep its legal obligations by offshoring infringing conduct to a jurisdiction with weaker protections and then reimporting the resulting product into the UK market as though no infringement occurred.
To illustrate the absurdity:“Did your client take the blueprints?”
“He did, m’lud. But in his defence, he built the prototype overseas. He only wants to sell the product in the UK.”
Another spurious argument floated is the claim that enforcing Getty’s IP rights would cause economic harm to Stability AI. Every business would flourish if no-one had to pay their suppliers. Until you’re the supplier. But we all know that’s not how business works.
And one doubts very much that Stability AI would look kindly on another company cannibalising its codebase or platform content to train a competing system. Perhaps it would be willing to release its models, training data and codebase freely to the public. But I suspect not.
AI innovation can flourish, but not if we allow parasitic businesses to undermine healthy ones – to asset[1]strip the productive and then market the spoils as “progress”. The law provides protections for a reason, and assuming the law is correctly applied, it should protect legitimate innovators, not shield those who build off the backs of others.
This isn’t about innovation versus regulation. It’s about regulation protecting innovation, whether that’s Rippling, Getty or, as in R v Arshad, His Majesty’s Government.
Concluding remarks
Trust enables progress. When we have trust, we move further, faster. And in each of these cases — Rippling, GCHQ and Getty — trust was central.
Rippling built a global business on trust: trust in its people, its processes, its product. That trust was exploited and the business paid the price. GCHQ placed trust in a highly educated intern, granting access to matters of national security. That trust was also violated, with serious and far-reaching consequences.
In the case of Getty, trust underpins the basic expectation that others will respect intellectual property and engage in lawful, commercial negotiations. They won’t simply scrape or extract what they have no right to.
In each instance, the breach of trust caused harm. Not just to the immediate victims, but to broader systems of cooperation, commerce and national interest. That is why it’s imperative that the business sector has absolute clarity on the situation: it must protect itself, its investors and stakeholders who invest their time, toil and talent in building businesses and developing original work.
None of these cases is nuanced or ambiguous. Though the claimants sought redress using different legal levers, the core issue was the same. The defendants — Deel, Arshad and Stability AI — could have avoided legal trouble entirely by doing one simple thing: not taking property that did not belong to them.
The law is clear. Don’t steal a car. Don’t steal a handbag. And you certainly shouldn’t be stealing information, images or content.
Article by: Dr Rois Ni Thuama
First printed: PC Pro Magazine, Issue 360, Dated 1st September 2025, Pages 116-117, ISSN 1466-3821, issue available from https://www.pressreader.com/magazines/m/pc-pro/20250901, Subscribe to PC Pro Magazine: https://www.magazinesdirect.com/uk/pc-pro-subscription/dp/8ce631dc
Reproduced here with kind permission from PC Pro Magazine.
