Monday, May 30, 2011

PayPal v Google: Big Brother May Not Be Watching, But He’s Probably Recording

On Thursday, Google announced a new mobile payments initiative.  On Friday, PayPal sued Google and two of its executives, Osama Bedier and Stephanie Tilenius (formerly PayPal/eBay executives), alleging that they’re using PayPal’s trade secrets and violated fiduciary duties and contractual agreements not to poach PayPal employees.  Here’s a link to the complaint.

The trade secret allegations are mostly standard stuff.  Bedier, in particular, knew just about everything there was to know about PayPal’s mobile strategy and the argument is basically inevitable disclosure:  He can’t help but be using PayPal’s trade secrets in his new job and Google can’t help but benefit from that.  California is a tough jurisdiction for claims like this, but Bedier was a particularly delicate hire for Google.  It seems likely that Google was fully aware of the problem and has been taking well-documented measures to insulate itself and Bedier from charges of misappropriation.  If the parties go through discovery and file for summary judgment, it will be interesting to see what comes out.

For now, the more interesting point is the surprising detail of some of PayPal’s allegations and what it reveals about digital communications by corporate employees.  PayPal’s complaint quotes from Facebook messages, e-mails to "Bedier's non-PayPal account," and text messages Tilenius sent to Bedier.  They cite the specific date of Bedier’s “culminating” job interview at Google, with Jonathan Rosenberg and Larry Page.  PayPal just filed the complaint, so they haven’t done any discovery yet.  So where did they get that detail?

I’m speculating, of course, but it seems obvious that Bedier was accessing Facebook from inside the PayPal firewall, exchanging texts with Bedier on a phone owned by PayPal and recording his job interviews either on a corporate calendar or one that he was accessing with corporate technology (e.g. on his phone or via his corporate web access).  It would be interesting to know the technical details of how PayPal recorded these messages and later reconstructed them.  The text messages are obvious.  The others might have to do with temporary files Bedier inadvertently stored on a company computer, a key logger (remember that PayPal is a financial company, so they have a pretty good excuse to take extreme surveillance measures), or something else.  But that’s subsidiary to the main point:  Employers now almost universally have the means to record and store vast amounts of information about their employees’ use of employer-provided technology.  And they also have the means to retrieve and reconstruct the information if it turns out to be important.

From an employer’s perspective, PayPal’s use of its technology is instructive.  Presumably (at least I hope), PayPal didn’t have an internal Stasi, constantly monitoring its executives’ Facebook messages and texts in real time.  Not only would that be creepy (and thus piss off and alienate lots of valuable employees when it inevitably came out), it would be almost as inefficient as the real Stasi was or the current Chinese internet police are.  No.  PayPal just asked Bedier to consent to a broadly worded policy subjecting everything he did on company technology to company surveillance.  Some combination of Bedier’s carelessness and (possibly) cleverly programmed surveillance systems did the rest.  When PayPal realized that things had gone wrong, it had the information it needed to reconstruct what had happened in great detail.  That also has the potential to creep out employees.  But if you only use the capability when you really have something to investigate, it might be worth it.  That said, it’s worth thinking a bit before leaping into some kind of corporate Total Information Awareness program.  At some point, having information, or the capacity to gather it, can tempt people into doing things they later wish they hadn’t.  At very least, you need to set up as a gatekeeper some very responsible adult who has the personality and institutional position to say no to powerful people when they come asking for things they’ll later wish they hadn’t.  The press hasn’t yet focused on this aspect of the case, but that may only be because the defense lawyers are still coming up with their public strategy (only “people” take off Memorial Day weekend, not lawyers).  If they choose to make a public issue of it, it could easily boomerang on PayPal.

From an employee’s perspective, I would just say what I said to a friend of mine who once called me from jail (long story, but he hadn’t done anything).  The first thing I said to him was “Do you see the sign next to the telephone warning you that conversations can be overheard?  Do you know why it’s there?  BECAUSE THEY’RE LISTENING TO OUR CONVERSATION, SO DON’T SAY ANYTHING ABOUT THE ACCUSATIONS, JUST LISTEN TO ME!”  Substitute “Acceptable Use Policy” or whatever your employer calls it and you get the idea.  If they warn you that uses of their technology belong to them and that they can intercept your communications, TAKE IT SERIOUSLY (or in good humor).  Communications are so cheap these days, that it baffles me why people continue to ignore the problem in high risk situations like interviewing with a competitor.  Bedier was presumably very well compensated even before he went to could easily have afforded a personal smartphone, including, if he really wanted it, tethering service that would have let him access the internet from a personal laptop or tablet.

All of that leads to another lesson for employers and their counsel:  It’s not enough to force new employees to sign a stack of paper that, somewhere in small type, asks them to represent and warrant that they aren’t under any undisclosed obligations to their former employers and that they won’t violate any of those obligations.  People (and by “people,” I deliberately mean to exclude lawyers) sign things like that all of the time and then ignore them, if they ever read them to begin with.  You need to force new employees to show you the agreements by which they’re bound and then counsel them about what they plan to do and what you expect them to do in order to comply.  And don’t just start the process on their first day at work.  If someone is coming over from a competitor, the coaching should ideally start before the recruiting does.  It should certainly start no later than the day you make an offer (among other things, PayPal is alleging that Bedier sent sensitive documents to his personal computer days before he announced he was leaving).  Yes, it’s their responsibility.  But if they don’t understand or they’re just clueless or irresponsible, it’ll be your headache.