How Solid IP Security Policy Could Have Prevented The Waymo vs. Uber Legal Debacle

Waymo likely could have avoided a lawsuit against Uber over driverless car technology if it had an effective policy to prevent trade theft by its employees, legal and security experts say.

In this way, Waymo is seen as having neglected to protect its intellectual property from insider threats before its former engineer Anthony Levandowski allegedly gave stolen files to Uber. The court documents are available here [pdf].

“Waymo lacked policies to know what a former employee might offer a competitor,” Thomas Hoeren, a professor at the Fraunhofer Institute for Information technology (FIT) in Münster, Germany, told Intellectual Property Watch.

Indeed, Waymo has also admitted it has struggled to show which files Levandowski allegedly stole that harboured trade secrets during a recent court hearing. This was after Uber, under court order, released its due diligence document on Levandowski’s driverless commercial truck start-up Ottomotto before purchasing the company, called the Stroz report. Waymo lawyers then said they needed more time to determine exactly what trade secrets Levandowski allegedly stole that are documented in the Stroz report.

While Waymo lawyers claimed during the pre-trial hearing that the files in the due diligence report were “confidential to Waymo,” they also admitted they had yet to determine what exactly Levandowski accessed after he left what was then Google before Waymo was spun off from the company last year.

“We need the time to actually connect the dots because they’re not connected in the Stroz report themselves,” Waymo’s lawyers said.

The judge during the pre-trial hearing also admonished Waymo for its struggle to show how Ottomotto or Otto Trucking, benefited from any trade secrets Uber subsequently obtained.

“Help me understand what that evidence is,” the judge said. “Give me just one item of evidence that Otto Trucking, as opposed to Levandowski, but Otto Trucking ever acquired any of these trade secrets.”

The court proceedings clearly show Waymo was unable to provide documents to make its case against Uber, Hoeren said. “Waymo should have been able to allow the court to see that there was a clear policy in place that was applicable to what happened,” Hoeren said. “Waymo should also be able to clearly prove in a court of law and provide written documents that show they have a policy in place with sanctions if their policy is violated. But this was not done in this case.”

Policy Matters

Waymo, the driverless vehicle arm of Google before it was spun off, is seen as a technology leader in an industry that is expected to have a socio-economic impact comparable to that of the industrial revolution. Uber, the troubled ride-hailing company that is also testing driverless car fleets, has emerged a direct competitor that Waymo and obviously stands to benefit from its trade secrets.

As Waymo prepares to describe what trade secrets Levandowski allegedly stole after stepping down as one of the chief engineers behind Waymo’s driverless car initiative to eventually head Uber’s self-driving car project, it has already entered into evidence that Levandowski downloaded more than 14,000 “highly confidential and proprietary files.”

Waymo claims he copied the files to an external hard drive and then sought to remove his electronic tracks showing he had copied the files from his company-issued laptop and Google server.

Levandowski’s alleged data theft was facilitated by how Waymo, before it was spun off from Google, lacked the capability to monitor and track trade secret data its employees accessed, Clive Longbottom, an analyst for Quocirca, told Intellectual Property Watch.

“Data monitoring is particularly important for intellectual property, such as source code and other high-value information that needs to be fully traceable through the use of adequate source code-management tools,” Longbottom said.

In Waymo v. Uber, Levandowski had a laptop with thousands of company-related emails on it after having left the firm, Longbottom said. “This shows a lack of procedural stringency from Waymo, that should have ensured that all access to the company’s systems was blocked,” Longbottom said.

Waymo should have also ensured all company equipment was returned and that Levandowski had agreed in writing that he no longer held any company information in any form, Longbottom said.

“A good company would also have had tools in place to monitor any access attempts and block them; to disable or blitz any device that had tried to make such attempts; and should have been using DRM [digital rights management] systems to time out any data that could have been held by the employee and encrypt or securely delete it after the time limit had been reached,” Longbottom said. “This would not have stopped the memory, copying or photographing possibilities, but makes such mass data leakage far harder to happen – and far easier to prove as being malicious and against the law.”

More specifically, Waymo failed to implement specific systems such as identity and access management (IAM) and user behaviour analytics (UBA) that provide policies, procedures, and guidelines to help regulate employee behaviour, system access privileges, and data retention, such as when an employee might attempt to steal valuable intellectual property before leaving a company, Scott said.

“As in the case of Waymo and Uber, when potential instances of insider threats occur, the records provided by UBA and IAM systems along with policy adherence records, can significantly bolster a case by acting as a definitive and granular account of the insider’s action,” he said.

An International Scope

Waymo also lacked a policy to prevent trade theft that would have been applicable internationally, Hoeren said. An employee contract, for example, can protect a company’s intellectual property in jurisdictions around the world. “You must ensure [by contract] that employees will be sanctioned if they copy materials after they leave the company,” Hoeren said. “These clauses should be applicable in the US, Europe, and elsewhere.”

Thanks to a new European Union directive, for example, it will be easier for companies to protect their trade secrets in European Union member jurisdictions, Hoeren noted. Previously, applicable statutes for illegal use of trade secrets were determined separately among the different EU states. Now, the EU member have until March 2018 to adopt the EU-wide trademark laws.

“This will provide a whole new way to protect trade secrets across the EU member states,” Hoeren said.

Nevertheless, company policy should emphasise threat prevention, Scott said. Indeed, ironclad contracts for trade secret protection with terms applicable in international courts of law are important, but having to seek court remedies when trade theft occurs should be a last resort due to the cost and time involved.

“International patent law can resolve insider theft conflicts,” said Scott, “but the cases can be costly and disputes with insiders can draw negative attention to both companies, as may be the case with Waymo and Uber.”