The Insider Threat: Work, Deception, Theft, Founding, Funding and Sale in the Valley
A new case filed by Alphabet accusing Uber of intellectual property theft could be a watershed event in bringing attention to the threat of industrial espionage by insiders.
Last week I became aware of a case which I believe will be referenced in the future as a landmark example of how the insider threat can, and often is, tied directly to industrial espionage. It’s a case that will no doubt be cited and referenced in books, periodicals, classrooms, VC meetings, and M&A meetings for years to come. This is the story of Google (specifically its parent company, Alphabet), Waymo (formerly the Google self-driving car project), Otto (a self-driving car startup acquired by Uber last year for $680M), and Uber. It’s also the story of a gentleman by the name of Anthony Levandowski and the allegations which Waymo are bringing against him within the courts and in the public domain.
Before I continue writing, I feel the need to state clearly that to date, Mr. Levandowski has not been found guilty of any crime(s) and as such ought to be treated as though he is innocent until proven guilty beyond a reasonable doubt in the court system. It is neither my intent nor is it my desire to attack, malign, libel Mr. Levandowski but rather to examine what has been publicly divulged by Waymo and other sources to date and to explore what this looks like from a data protection perspective. Having said all that, let’s begin first by examining what has been divulged in the public record.
Last week, on February 23, 2017, Waymo posted a blog regarding the legal action that they decided to take against Otto and its parent company, Uber, for “…misappropriating Waymo trade secrets and infringing our patents.” The team at Waymo go on to provide context with respect to their suit against Otto and Uber, citing Waymo’s establishment in 2009, the success that they have had in the in-house development of software and hardware, their exhaustive process of perfecting their solutions’ performance, and their accumulation of millions of miles in pursuit of perfecting the world’s first truly autonomous ride.
Waymo goes on to describe one of the most important elements of their self-driving technology, LiDAR. LiDAR stands for Light Detection and Ranging and according to Waymo works through bouncing millions of laser beams off of objects and then measuring the time it takes for the light to reflect. In doing so, a visualization of world around the LiDAR-enabled vehicle comes to life. This, according to Waymo, is crucial in that it enables the vehicle to detect and measure the shape, speed, and movement of objects around it including other vehicles, cyclists and pedestrians. Waymo rightly points out the time, effort, and energy associated with developing their LiDAR technology and equate misappropriation of that R&D data to stealing the secret recipe of a soft drink manufacturer.
Here’s where things get interesting. In 2016 Uber acquired Otto, a freshly minted provider of self-driving automobiles founded by a veritable who’s who of engineers and developers from companies such as Tesla, Apple, and Google. However, here’s where things get complicated: one of the founders of Otto had spent somewhere between 7 and 8 years working at Google on the team which became Waymo. Waymo goes on to say that, 6 weeks prior to his resignation from Waymo and subsequent founding of Otto, the party in question gained access (seemingly without authorization) to a Waymo server containing sensitive R&D data, downloaded ~14,000 confidential, sensitive, and proprietary files, exfiltrated them to an external hard drive, and finally wiped and reformatted his computer. The Waymo suit goes to state that the co-founder of Otto, along with several other former Google employees who left to join the fledgling startup, downloaded additional trade secrets before departing, including supply chain information (providers), manufacturing/production details, and other non-specific technical information – all the while sharing their plans to start another self-driving car company with Waymo coworkers.
The claims made by Waymo suggest that they have sufficient and detailed information related to the actions of the employees in question (the Otto co-founder and those who later left Google to join him) which can be corroborated through forensic investigation and timelines. However, it seems that this information was only discovered in the forensics process – by then the accused ex-employee had enough time to leave Waymo, launch a competing startup, and get acquired by a tech giant for $680 million – a deal that allegedly netted Otto’s founders around $500 million. The real kicker here is that seemingly none of this activity was discovered until a supplier of LiDAR technology that was working with both Waymo and Uber mistakenly sent an email to Waymo containing Uber’s LiDAR design documents – documents that bore a striking resemblance to Waymo’s own, the company claims.
Our question is simply this: if true, and given the hyper-competitive nature of the work being conducted and the importance of protecting and securing the information pertaining to this project (not to mention its value to Google and Alphabet shareholders), how were the accused employees able to carry out their actions in the first place? It’s important to understand that this is not a criticism of Alphabet or Google’s operational security, its programs, or its personnel. But rather this is a sincere question asked in order to understand how intellectual property theft and misappropriation leading to industrial espionage and the capitalization of said stolen intellectual property could happen within an organization which has devoted so much time and energy to doing good in so many areas of specialization – including information security.
From our vantage point, this case serves to highlight not only the inherent value that sensitive information – particularly IP – holds for a technology company or manufacturer, but also the impact on a company’s competitive advantage that results when that information falls into the wrong hands. It’s also a clear reminder of the importance of those organizations having technologies, people, and processes in place that detect and mitigate these behaviors before the damage is done. We will continue to monitor this story as unfolds. Stay tuned!