Generative Artificial Intelligence & Attribution

by Dan Minutillo, Partner

  • International Trade Law

This blog addresses legal exposure using “Generative Artificial Intelligence” (AI) without attribution. For context, commercial law issues are discussed, leading to international trade law issues related to AI and attribution.

AI has helped create automobiles without human drivers, commercial airplanes without human pilots,  AI-generated robot mates, and outstanding, award-winning doctoral theses by average postgraduate candidates. AI has also created immense legal uncertainty and related litigation regarding international trade law and commercial law when AI-generated source code is used in a product without attribution.


Source code is deposited by its creators in open, free, and publically available (OSS) digital repositories with global access to that source code via the internet. On deposit, the creator of this source code receives a license that usually requires attribution on the release of the code by the repository.

The use of OSS repositories radically speeds up the creation of new digital technologies. Code is constantly deposited, used, and improved on the platform. Source code is obtained from the repository, and integrated into a product or service, to make that product or service better at no cost (for the code) to the user. The creator/depositor by license usually has the right to attribution as a creator.


AI digital searches can suggest specific source code or combinations of code as a solution to a technical problem without attribution. That source code may already be in a repository requiring author attribution by license. Considering this, is AI the creator of that solution? Is the person or entity who initiated the search the creator of that solution? Who or what is liable if part of the solution includes OSS code protected by a license requiring attribution if no attribution is given?

At first blush, the answer seems obvious. Whoever created and deposited the source code in an open repository should receive author attribution, and whoever initiated the AI search and used the code should be responsible for accomplishing author attribution and be liable if attribution is not given.


  1. Suppose software came from an OSS repository and that software was used as part of a solution by an AI generator. Is the repository liable if the depositor is not given attribution in violation of the OSS repository/depositor contact?
  2. Without attribution, do the source code author and the repository have standing to sue whoever accomplished the AI search and used the code?
  3. How is “knowledge of violation” and “knowledge of use” (scienter) satisfied if the AI-generated software solution is used to advance a product, service, or technology but not attributed to the source code author?
  4. What if the AI solution replicates but does not use code from the OSS repository?


From an international trade perspective, does the US have the authority to regulate the movement of an AI-generated product containing source code from unattributable sources from countries unknown to the exporter?

Assume a software engineer based in the US creates a new product concept in the US using AI-generated code and procedures. The product contains source code from various global open-source repositories without attribution.

The code is compiled in Canada. The finished commercial product will be exported from servers in Canada into the global marketplace. The US claims that this is a product of US origin, thereby tripping US export jurisdiction and control over the product because it was created in the US, thereby assuming this technology is of US origin.

But is it? AI-generated code is the result of search parameters, but often, that result does not include attribution making it impossible to determine the code country of origin. Can the US assert export control over a software product created in the US, compiled in and exported from Canada, for which the components (code) were AI generated without attribution? What is the country of origin of the technology?

This is one of many problems created by AI-generated code. Companies must manage legal risks when using AI to improve products, services, or foundational technology. To help mitigate risks:

  1. In case of an audit by US export authorities, have procedures in place to prove AI-generated code has no attribution, blurring country of origin; and
  2. Obtain contractual indemnification from the subcontractor or other entity providing the AI-generated unattributed code to minimize liability for a claim of copyright infringement or unfair use.

Address these issues before using AI-generated unattributed source code to avoid becoming a defendant in this newborn litigation or the target of a US Department of Commerce, Bureau of Industry and Security investigation for violation of US export controls.