Preventing trade secret and IP theft

Trade Secret Theft In the Spotlight Over Stolen Google IP

The indictment of Anthony Levandowski on 33 charges related to trade secret theft and the subsequent outcome of the criminal proceedings could have big ramifications for technology and other industries. Most in Silicon Valley are watching intently to find out if moving to a new job at a competitor will become that much harder as a result of this case. Despite California law preventing non-compete clauses, will large tech companies’ “use” of new federal trade secret laws mark the beginning of the end of what was started by the Traitorous Eight? Regardless of the outcome for Anthony Levandowski, it’s clear that the need to better protect trade secrets and intellectual property (IP) while also protecting employees is going to be a hot topic over the coming weeks.

What Crime Did Levandowski Allegedly Commit?

While there are conflicting details on the value of the information that Levandowski downloaded from company servers prior to resigning from Google, one fact is undisputed: He removed some 14,000 files relating to work on Google’s autonomous vehicle program that he was part of. It’s also not completely clear how much of the allegedly stolen trade secret data was then used by his startup company Otto or by Uber following the subsequent acquisition of Levandowski’s company.

Last year Waymo (Google) sued Uber for trade secret theft alleging their stolen IP was used by Levandowski to develop self-driving tech for Uber. The case was settled at a much lower value than the original claim for damages with both sides claiming a level of victory. In response to the 33 charges Levandowski’s lawyers cite the previous civil action as proof that their client committed no crime. “The downloads at issue occurred while Anthony was still working at Google—when he and his team were authorized to use the information. None of these supposedly secret files ever went to Uber or to any other company.”

The challenge for the prosecution will be to show that the downloaded documents were directly used in the work that Levandowski carried out while at Uber; for the defendant, it will be to prove the opposite. Determining what information within the 14,000 files constitutes a trade secret is itself going to be part of the case.

Why Data-centric Protection Can Shield Employers and Employees Alike

IP is the crown jewel of any tech company and is at risk from not just outsiders but trusted insiders, as this case clearly shows. Better data-centric protection of Google’s intellectual property could have prevented the whole scenario from occurring in the first place.

If data-centric protection is a new concept, then I suggest looking at some of our previous blogs on the subject. In cases like Levandowski’s there are a few areas where it could have helped protect both the company and employee.

First, it’s important to note that when the download of the files took place Levandowski was employed by Google and had legitimate access to the files as part of his employment. There was no stereotypical “hacking” and stealing of files that he was not authorized to use. This very much falls into the category of an ‘Insider Threat’; someone who has legitimate access to files and leaks or exfiltrates them either accidentally or maliciously. Part of this case hinges around the latter – whether the download was part of a process that resulted in deliberately sharing or using those files at the competitor – in this case at Uber.

There are two capabilities of data-centric protection that immediately spring to mind that could have helped in this scenario.

  1. Preventing download of sensitive files
  2. Expiring access to downloaded files

Regardless of Levandowski’s authorized access to the files, did he really need to be able to download them from the secure Google server in order to carry out his duties? If the files do contain key trade secrets as Google claimed, then would it have been better to limit what Levandowski could have done with those files to ensure that they remained on the server? For example, some of the files apparently contain schematic drawings of the LIDAR system, a key component for Google’s autonomous driving capabilities that enables the vehicles to see the road and environment around them. Was there only a need to view the schematics for reference purposes? If so, disabling the ability to download the file would significantly reduce the chances of it leaving the Google servers.

Even if he was authorized to download the files during his employment, it would have been possible, using another data-centric feature, to prevent him from accessing those files after he left the company. The download of the files took place nine months before Levandowski tendered his resignation from Google. If files contained key intellectual property, how long would employees need to be able to retain their own local copies of those files? Nine months sounds like a long time for what was supposed to be a fast-moving project. Data-centric protection allows organizations to expire content after a designated time, which means that users must renew their access to the file in order to be able to open it. Let’s say we want to ensure our highly sensitive information is expired after a week. For users who still have access to the original data location, the access renewal process can be seamless and the user continues to work as normal. For users who no longer have access, the authentication will fail and the file is locked with encryption, therefore protecting the contents from unauthorized use. Although Levandowski is apparently a workaholic, how likely would it have been that he would have been able to open all 14,000 files within a short window in order to maintain access long enough to use the data after leaving Google?
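The renewal flow described above can be modelled as a lease on each downloaded copy. The following is an added example, not code from any product or from the original post; the PolicyServer and LocalCopy classes, the file name and the dates are hypothetical, and encryption is represented only by the "locked" outcome.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

LEASE = timedelta(days=7)  # the one-week expiry suggested in the text


@dataclass
class PolicyServer:
    """Hypothetical policy service: knows who is currently entitled to each file."""
    entitled: dict = field(default_factory=dict)   # file_id -> set of users
    audit: list = field(default_factory=list)      # (time, user, file_id, outcome)

    def renew(self, user, file_id, now):
        """Return a new lease expiry, or None if the user is no longer entitled."""
        ok = user in self.entitled.get(file_id, set())
        self.audit.append((now.isoformat(), user, file_id, "renewed" if ok else "denied"))
        return now + LEASE if ok else None


@dataclass
class LocalCopy:
    """A downloaded copy: encrypted at rest, openable only under a live lease."""
    file_id: str
    owner: str
    lease_expiry: datetime

    def open(self, server, now):
        if now < self.lease_expiry:
            return "opened"                  # lease still valid, no renewal needed
        new_expiry = server.renew(self.owner, self.file_id, now)
        if new_expiry is None:
            return "locked"                  # no key released; content stays encrypted
        self.lease_expiry = new_expiry
        return "opened-after-renewal"


def demo():
    """Constructed timeline: download, continued work, then loss of entitlement."""
    server = PolicyServer(entitled={"lidar-schematic": {"engineer"}})
    t0 = datetime(2020, 1, 6, 9, 0)          # constructed download time
    copy = LocalCopy("lidar-schematic", "engineer", t0 + LEASE)
    day = lambda n: t0 + timedelta(days=n)
    results = [copy.open(server, day(3)),    # inside the first lease
               copy.open(server, day(10))]   # lease lapsed, still entitled: renewed
    server.entitled["lidar-schematic"].discard("engineer")  # entitlement removed
    results.append(copy.open(server, day(12)))  # lease from day 10 is still live
    results.append(copy.open(server, day(18)))  # lease lapsed, renewal denied
    return results, server.audit
```

The day-12 result shows that removing an entitlement only takes effect when the current lease runs out, so the lease length bounds how long a local copy stays usable after access is withdrawn.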

What if Levandowski is telling the truth? Could data-centric protection help him?

Prior to now we’ve looked at this incident from the angle of an organization looking to protect its trade secrets. What about employees who want to ensure that they are protected from wrongful accusations or legal action? How can they show that they were using sensitive information as part of their job and not for other purposes? Organizations also have a responsibility to ensure that employees are provided with a level of protection and reassurance when carrying out their duties.

In the examples above you can turn the perspective to the employee and show how data-centric technologies also offer protection to them. Controls can be put in place that give an employee the level of access and usage rights needed to carry out their job but prevent them from doing things with the information that are not needed to fulfill their job. For example, if there is no need for a user to download sensitive files to their desktop to work on them and this can be enforced from a technical perspective, then the user can’t be accused of downloading and stealing trade secrets, or actually do so.

Preventing download and/or expiring access to files after a period of time also protects employees from accidentally removing trade secrets and inadvertently landing themselves in trouble. I’m sure that we’ve all forgotten about internal presentations and reports that we’ve downloaded to review at home prior to a meeting the next day. How many of them are left on our own machine or in our own cloud storage account after we can no longer claim that we have a legitimate reason for having a copy of those files? Worse, how many remain when we move on to another project or company?

Discouraging Trade Secret Theft

It’s very likely that determining what constitutes a trade secret within the cache of 14,000 documents will be a key factor in the outcome of the Levandowski indictments. In the civil case an engineer gave evidence that the files only contained low-value information. Google/Waymo obviously claimed otherwise. It’s clear from Levandowski’s lawyer’s use of “supposedly secret files” in his statement that this point will once again be part of the case for the defense. Again, data-centric protection could have played a key role to protect both parties.

Data-centric protection technologies can automatically place a watermark in files when they are classified as confidential. In some cases, it’s possible to use dynamic watermarks where the file is stamped with attributes of the file and those of the user opening or downloading the file. In the Levandowski case, if any of the downloaded files were regarded as trade secrets by Google, then a watermark indicating that could have been placed with the files. Not only that, Levandowski’s name, email address and the date and time of download could also have been placed in the watermark. If dynamic watermarks had been used there would have been little doubt where the accusers and defendants stood for those files. The company or the user would have been protected depending on who is in the right.

As well as providing a definitive answer in this case, use of dynamic watermarks also helps to remind users of their responsibilities when handling sensitive company trade secrets. Most organizations rely heavily on user education when it comes to their data handling policies. Using a dynamic watermark that clearly identifies data as sensitive or proprietary to the end user accessing it, including that user’s name and time of access, shows that user that the system is aware of their activity and helps remind them to take their information handling responsibilities very seriously. It also discourages trade secret theft by clearly documenting chain of custody that can be used as part of an incident investigation process.
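A dynamic watermark of the kind described above can be built as a per-download record that an investigator can later check. This is an added example, not code from any product or from the original post; the function names, the key and the sample identity are constructed, and the HMAC tag that makes the stamp verifiable is an assumption that goes beyond what the text describes.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

SERVER_KEY = b"constructed-demo-key"  # assumption: secret held only by the protection service


def make_watermark(content: bytes, classification: str, name: str,
                   email: str, when: datetime) -> dict:
    """Build the per-download stamp: file attributes plus the downloader's identity."""
    record = {
        "classification": classification,
        "sha256": hashlib.sha256(content).hexdigest(),
        "user": name,
        "email": email,
        "downloaded_at": when.isoformat(),
    }
    payload = json.dumps(record, sort_keys=True).encode()
    record["tag"] = hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()
    return record


def visible_text(record: dict) -> str:
    """The line a viewer would overlay on each page of the document."""
    return (f"{record['classification']} | {record['user']} <{record['email']}> | "
            f"{record['downloaded_at']}")


def verify_watermark(record: dict, content: bytes) -> bool:
    """Investigation-side check: the stamp is authentic and belongs to this content."""
    claimed = dict(record)
    tag = claimed.pop("tag", "")
    payload = json.dumps(claimed, sort_keys=True).encode()
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()
    return (hmac.compare_digest(tag, expected)
            and claimed.get("sha256") == hashlib.sha256(content).hexdigest())
```

A stamp whose user, time or classification has been edited, or that has been moved onto different content, fails verification, which is what lets the record stand as chain-of-custody evidence for either party.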

Balancing Protection for Organizations and Employees

The Anthony Levandowski case includes a mix of behaviors and actions by the defendant that could bring about his own downfall. During his tenure at Google, Levandowski operated in some murky ethical areas by starting up sideline companies that then sold technology back to Google. He also used those sideline ventures to solicit and court competitive autonomous driving companies, which effectively forced Google into buying his loyalty by purchasing his extracurricular work. The perceived attitude is one of someone who thought that the end justified the means and the end was possibly to line the pockets of Levandowski with as much money as possible.

Despite what employment contracts typically state, it could be that Levandowski thought he had some claim to the intellectual property due to its origination regardless of actual legal ownership. While most Silicon Valley employees don’t exhibit these behaviors, there is concern that tech companies, who will have the resources to fund trade secret litigation, will hold all the cards when it comes to employees departing to take a new job at potentially competitive companies.

Companies need to protect against trade secret theft, while users working on IP need protection too. This case underscores the importance of getting the right balance for protecting intellectual property and trade secrets that takes into account both the needs of the organization and the employees.
