Apple’s OpenAI lawsuit: The lunacy of trying to limit what ex-employees can tell future employers

5gDedicated

When Apple sued OpenAI last week, the argument it made was that former employees had stolen Apple data and then used it to benefit OpenAI. 

The technical details — an employee used “a rare, previously unknown authentication bug to access Apple’s shared network folders” — are interesting. But the larger story is Apple’s ridiculous attempt to stop its people from using anything they learned at Apple in other jobs.

“Hiring managers don’t mind some files being brought into the org during onboarding, but suddenly take umbrage when that same employee exits with some files later on,” said Mike Wilkes, enterprise CISO at Aikido Security. “Legal should be equally concerned about both events.”

The lawsuit focused on Chang Liu, an employee who had been recruited to work at OpenAI after working at Apple for eight years as a Senior System Electrical Engineer. The full text of the filing depicts a comedy of errors by Apple, offering the perfect “do not do” list of handling employee resignations — especially when they’re going to a direct competitor. 

“When Apple contacted Mr. Liu to sign Apple’s confidentiality reminder, schedule an exit interview, and confirm that he had returned his devices and complied with other exit procedures, Mr. Liu did not respond.” And “after leaving Apple, Mr. Liu failed to return an Apple-issued work laptop that he had previously authenticated to Apple’s network.”

First, typical procedure for handling departures is to tie the return of all equipment and the signing of documents to any final payments. With Apple, that is likely to be a large amount of money. The lawsuit does not say whether Apple exerted any financial pressure on their employee for compliance. 

But in terms of equipment with high-level access, why weren’t all privileges revoked, both for the employee and any and all company-issued devices? Did they not maintain a remote-wipe capability for these devices? Although remote-wipe is usually used when devices are missing or stolen, it should work as well when a departing employee refuses to return company equipment. 

According to Apple, Liu apparently had help at Apple from Tang Yew Tan, who was supposedly also interviewing with OpenAI. “While employed by OpenAI, [Liu] accessed and used his former colleague’s Apple-issued work computer that was authenticated to Apple’s network, without Apple’s authorization.”

Apple tried to make much of this Liu’s fault. Legally, yes, there might be liability there; still, Apple made itself look as if it couldn’t protect its own data. “Upon discovering that he had this unauthorized access to Apple’s systems, [the former employee] did not report it, return his stolen Apple-issued work laptop or delete the program that allowed the access.” 

Really, Apple? Your data-protection plan relies on ex-employees to “delete the program that allowed the access”? I’m not so sure you didn’t bring some of this data-leakage on yourselves. 

This gets worse: “Over several weeks, while developing hardware for OpenAI, Mr. Liu surreptitiously accessed and downloaded dozens of Apple’s confidential hardware-related files, including voluminous, detailed information about unreleased products, engineering presentations, technical specifications, and proprietary project data.”

Setting aside the issue of privileges, access, and unreturned equipment that apparently had its own privileges, that statement points to massive data exfiltration from Apple systems. Even if it is coming from a current employee, why didn’t that raise any red flags? 

Let’s get back to the broader implications. When professionals move from one company to another, they — of course — are bringing their experience and knowledge with them. Can Apple reasonably tell them that they can’t do so? Isn’t that experience and knowledge exactly why another company would want to hire them?

Now, to be sure, stealing diagrams and product spec sheets is a clear violation. Let’s say Apple spent a lot of money on some hardware research projects. A member of that technical team would learn an awful lot, all on Apple’s dime. 

But is it fair and reasonable for Apple to say that the former employee can’t leverage that knowledge at his or her next job? 

This brings us back to the point Wilkes made: If Apple is going to try to prevent any former employee from leveraging on-the-job experience, then it should instruct all new employees not to use anything they learned in a previous job. 

That would be ridiculous. Companies pay for experienced talent because of that experience. Why pay for expertise if you insist employees not leverage any of it?

Then there’s the amorphous nature of knowledge. So, it’s wrong to take detailed diagrams and spec details and hand them over to a new employer. But what if that worker heading out the door memorizes the documents (photographic memory) a day before resigning? Is a person prohibited from using something from memory?

There’s also the fruit-of-the-poisonous tree legal argument. Even if a former employee doesn’t directly use stolen data, what if their knowledge leads to other money-saving insights for the new employer? 

Given that Apple hires as many specialists as it loses to rivals, wouldn’t it make sense to leverage everything your workforce knows and then let new employers do the same? But before you do that, Apple, tighten your exiting employee tech controls. 

Then maybe you wont’t have to file lawsuits like this down the road.ComputerworldRead More