
TFA makes it sound as if the entirety of the blame can be placed on one employee. Sure, his actions do seem to support that view, but then again, Nvidia did hire him precisely for his previous experience at this rival company, on the very same project that the two companies were partnered on, which is the same project that Nvidia hired him for.

There is no argument to be made that Nvidia wasn't aware he'd be coming with secrets. The argument that that's precisely why he was hired, OTOH, is looking very strong.




> Nvidia did hire him precisely for his previous experience at this rival company, on the very same project that the two companies were partnered on, which is the same project that Nvidia hired him for.

Yes, this happens all the time.

> There is no argument to be made that Nvidia wasn't aware he'd be coming with secrets.

This is not a logical conclusion from the above. Hiring for the experience is fine. Hiring for the trade secrets obviously is not. No serious company would do the latter, especially a company the size of Nvidia.



This proves individual employees routinely steal trade secrets; yes, they do. It does not prove that the companies they join (US public companies in the United States anyway) willfully use it.

Think about the large scale conspiracy required to keep something like that secret from an entire company.


There's no need to rope conspiracies into this. The structure of incentives in corporate environments has people in the company not looking for something they don't want to find. Managers would rather not know about violations and be able to tell their boss that their team are pros who got the job done fast, than investigate their reports for violations and quite possibly find a big mess that needs to be cleaned up.

Point is, shit that shouldn't happen routinely does happen anyway. "That wouldn't happen because it would be illegal" is generally bullshit.


Companies of this size have routine code audits that would find copyright infringements of this sort. If the employee literally brought in source code files and didn't even change the name of the directory, as was highlighted here, it'd have been caught. The audit is also not conducted by the manager, but by a third party. There is no possible way this would fly unless the individual intentionally stripped the source of copyright notices (the individual's fault), or the source code was just sitting on their laptop and never acted upon, etc.

So I think the question (and I'm not a lawyer...) is whether Nvidia conducted such an audit and to what extent (if any) the other company's source code was merged into theirs (versus just sitting on the laptop).
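The two signals this comment relies on (third-party copyright notices left in headers, and a directory still named after the previous employer, which the thread notes the article mentions) are exactly what a simple provenance scan over a repository can flag. The following is an added example, not code from the original thread or from any scanning vendor; the organisation name, the watchlist of partner and competitor names, and the sample files are constructed placeholders.

```python
import re
from pathlib import Path

# Constructed placeholders: the copyright holder(s) allowed in this repository,
# and names of partners/competitors whose code must never appear here.
ALLOWED_HOLDERS = ("Example Corp",)
WATCHLIST = ("acme_partner", "rivalco")

# A line that looks like a copyright notice: the word "copyright" or "(c) <year>".
COPYRIGHT_LINE = re.compile(r"copyright|\(c\)\s*\d{4}", re.IGNORECASE)


def scan_text(relpath, text, allowed=ALLOWED_HOLDERS, watchlist=WATCHLIST):
    """Return findings for one file as (kind, path, line_no, detail) tuples.

    kind == "path":   a path component matches a watchlisted organisation name
    kind == "notice": a copyright line names a holder not on the allowed list
    """
    findings = []

    # 1. Directory or file names that still carry a third party's name.
    parts = [p.lower() for p in Path(relpath).parts]
    for name in watchlist:
        if name.lower() in parts:
            findings.append(("path", relpath, 0, name))

    # 2. Copyright notices whose holder is not one of ours.
    for line_no, line in enumerate(text.splitlines(), 1):
        if COPYRIGHT_LINE.search(line) and not any(
            holder.lower() in line.lower() for holder in allowed
        ):
            findings.append(("notice", relpath, line_no, line.strip()))
    return findings


def scan_tree(root, exts=(".c", ".h", ".cpp", ".py", ".js")):
    """Walk a real checkout on disk and scan every source file under it."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        if path.is_file() and path.suffix in exts:
            try:
                text = path.read_text(errors="replace")
            except OSError:
                continue  # unreadable file: skip rather than abort the audit
            findings.extend(scan_text(str(path.relative_to(root)), text))
    return findings


# Constructed sample repository: one clean file, one file that keeps both the
# competitor's directory name and its copyright header, one file with no header.
SAMPLE_FILES = {
    "src/main.c": "/* Copyright (c) 2023 Example Corp */\nint main(void) { return 0; }\n",
    "src/rivalco/perception/track.c": (
        "/* Copyright 2021 RivalCo GmbH. All rights reserved. */\n"
        "static int track(void) { return 1; }\n"
    ),
    "src/util.py": "# no header at all\ndef f():\n    return 1\n",
}


def scan_sample():
    """Run the scanner over the constructed sample instead of a disk checkout."""
    findings = []
    for relpath, text in SAMPLE_FILES.items():
        findings.extend(scan_text(relpath, text))
    return findings


if __name__ == "__main__":
    for kind, path, line_no, detail in scan_sample():
        print(f"{kind:6} {path}:{line_no}  {detail}")
```

A scan like this is a cheap first pass for the "got sloppy" case discussed in the thread; it says nothing about code that was rewritten or had its notices stripped, which is the limitation later comments raise.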


Seems hard to catch at an audit. Surely he just used the stolen code as reference and didn't re-use entire files containing "Copyright by Valeo".

If he had been any smarter, he would have kept the stolen files on a private computer and he would have gotten away with it.


The article mentions the directory containing the files was still named as it was in Valeo. If he didn't bother renaming the path, I'm not sure he bothered removing the copyright.


> "This proves individual employees routinely steal trade secrets; yes, they do. It does not prove that the companies they join (US public companies in the United States anyway) willfully use it."

Why do you think that either the ethics or the willingness to risk breaking the law would be different between people being hired by a company vs. people working at a company?

A company's decisions are the decisions made by people who work there, and who once were being hired there. For a company to be complicit in encouraging a new hire bringing illegal IP with them requires one or more people at the company to make the same ethical/risk decision as the person joining. It doesn't require an announcement at an all-hands followed by a long slack conversation with the legal department, it doesn't need to be a huge scale conspiracy.

And it's no harder for a person who said "hey come bring your old employer's IP to my team" to keep it a secret from the entire company than it is for the person who joined doing that to do so.

In fact it's a bit easier, as long as they weren't stupid enough to discuss in a way that gets logged, the person or people encouraging it from inside the company are less likely to get caught, as a comparison of IP may be enough to prove wrongdoing on the part of the person who brought it, while anyone in the company who encouraged it couldn't be caught unless somebody ratted them out.


A thought that came to me recently in the shower: Isn't all knowledge effectively based on previous knowledge, and by extension, experience?

i.e.: A programmer knows how to do X, leaves a company to do Y, where Y is in the same field of work as X. Doesn't X still affect the programmer on a subconscious level and hence their thoughts indirectly?


This is the "inevitable disclosure" argument - AKA the idea that the experience is the secret, and thus nobody should ever be allowed to switch employers ever again.

For various reasons (notably, the fact that slavery is illegal), we don't accept this in general. You have to show that secrets were copied in full. Employees cannot memorize millions of lines of source, they can only memorize vague architectural details that would be easily reverse engineered by competitors. If you want to own those vague details, get a patent, or shut up.


> nobody should ever be allowed to switch employers ever again

Venetian glassmakers were banned from leaving Venice with their technical know-how. The Venetian government employed assassins to take them down if they tried to defect.


In theory, one can memorize a great deal... I do agree with you, though.


Memorizing a sizable fraction of Windows source code so you can take it to Apple sounds like the most pointless and difficult heist imaginable!


This sounds like the plot to a Netflix movie...


https://wiki.winehq.org/Developer_FAQ#Who_can.27t_contribute...

Wine does not allow people who have worked on Windows to contribute precisely for this reason, with some nuances as noted in the link above.


"Windowed Gardens: The Source Code Heist" featuring Rainman


You can bring your expertise in X without the source code that does X. The former is legal, the latter is not.


Bringing knowledge is one thing, which is legal, but stealing source code and design files from your employer to copy it to the systems of their competitor where you now work is a completely different thing which is illegal.

Companies want your knowledge, not you bringing proprietary IP from their competitor to work, as they know that's a very expensive lawsuit waiting to happen.


But what if I have an eidetic memory?


Eidetic or "photographic" memory as depicted in popular culture does not exist. Most of the people who can remember a lot of information very quickly are actually on some level deliberately using mnemonic methods, such as nursery rhyming (like that one released soldier in Vietnam) or graph traversal. It's preposterous to assume that anyone could recite fragmented data such as source code simply by being exposed to it (i.e. not by purposefully memorizing it).


Then you'd be able to draw and type out everything from scratch directly on your employer's PC and not have to download it via USB drives or email, like this guy did.


So what if you obtained an eidetic memory via installing a camera, flash drive and I/O ports into your brain?

How or why is the mere transport method of information the distinction between infringement of IP vs not?


Probably because very few people have an eidetic memory to store 6GB of data in their brains with the utmost fidelity, and unless you can also install a printer in your brain, it would take you a long time to reproduce 6GB of data by hand from your brain.

It's the transport method because it means there's hard proof and a paper trail of the IP theft that you can prove in court. Memorizing something has no paper trail and also leads to a clean room design. That's why companies want to hire people or entire teams, to do clean room design, without any of the original data.

If I go watch a movie and then tell people what I saw it's fine. If I record the movie with a camera and show it on screen that's the IP theft.


Then copyright comes into play. You should have been taught how to avoid plagiarism in school. Use those techniques to reimplement. These techniques involve more than just using synonyms and rephrasing.


Then it's fine in the United States at least - all the laws are about copying data/files/assets not about using your mind.


Then congratulations, you're able to ~~excel~~ exfil more data.

We live in an imperfect world and solve problems as best we can.


This is why companies want employees to sign noncompete agreements (in jurisdictions where they are not illegal).


And nobody at NVDA noticed when the employee pushed several GB of code into NVDA's repos?


Where is the proof that the source code was merged? The article only mentions that former employees caught sight of the source on the individual's computer; it does not mean the source code was merged or acted upon.




Agreed.

NVIDIA has always been a no holds barred competitor willing to push the boundaries of both truth and legality.




Risk is always balanced against reward. I doubt Nvidia is culpable here not because I have some strong belief in their morality but because I trust they would not take stupid tradeoffs.


IMO this is more of a "don't ask don't tell" thing. I'm sure there was never an explicit agreement that the employee would bring trade secrets, but they can promise to be able to build for Nvidia what was built at the last company, and Nvidia could say "yes I want that", and not audit the new employee's dev environment.


>IMO this is more of a "don't ask don't tell" thing.

I assure you it isn't. If your company (in the law-abiding west) has any suspicion you're using another company's illegally obtained proprietary IP, they won't see you as some hero doing God's work and put you on the promotion track while turning a blind eye to what you're doing; they will immediately ask you to delete everything and every trace related to that.

Foreign IP is radioactive and they don't want to get sued because you're bringing some source code and PDFs from their competitor, which might not even be that useful for them anyway.

There were even cases of companies ratting out employees they found using IP they had stolen from their previous employers and getting them arrested, because if you stole IP from their competitor, what's stopping you from also stealing from them?

>not audit the new employee's dev environment

Audit how? Against what? Stolen foreign source code you don't have? It's just not realistically possible to audit every employee's work and accurately determine whether or not they are reusing source code they stole from a competitor, especially if the employee doing this is careful to change or redact what he's checking in.

The only thing you can audit against is FOSS code that is public, but not stolen proprietary code where the employee made sure to not check in anything giving away the origin of the original IP holder. They didn't catch this guy until he got sloppy and made this huge blunder.

You can never secure everything and audit everyone, especially if you want people to get any work done and not feel violated, so everything boils down to trusting that employees won't steal from you, and trusting that the legal framework and law enforcement will do their job when needed, so you just have everyone sign NDAs and hope for the best.


The exposure was unexpected so the risk was likely perceived as low.

That said, the discovery process could clear NVIDIA.


That puts a lot of faith in a lot of employees.


I don't have direct knowledge of this company or the parties involved, but I would be highly doubtful that Nvidia would want to have an employee steal the secrets of a competitor/partner. In my experience, companies of this size would aggressively not want tainted IP inside their companies. He would need to be bringing across something as valuable as AGI, a cure for cancer, etc. for it to be even worth considering. There are numerous examples of companies being offered trade secrets of their competitors and reporting it to the FBI just so they can avoid even the suspicion of stealing corporate secrets.

If you think about it for a second, it is kind of obvious. Pretty much every technology is reproducible with the right amount of talent, funding and time. Why commit a crime when you can simply throw money (of which you have a lot) at the problem? Responsible corporate officers know this and act accordingly.


The company I worked for was paranoid as hell about IP in the code. They hired some source scanning firm, for a lot of money, to continually scan our codebase.

They were mostly looking for GPL (nasty, naasssssty GPL!) code, but they also scanned for code that couldn't be accounted for in our "clean" repos. Not exactly sure how that worked (or even, if it worked at all. I think they brought smoke[0]).

[0] https://www.tell-a-tale.com/nasreddin-hodja-story-smoke-sell...


> nasty, naasssssty GPL!

What does that mean? Why would scanning for GPL code be looked at badly? It presumably means a company is proactively abiding by GPL licensing. The only thing better would be to use GPL and share their source as well. But of course it's a legit choice to just not use any GPL'd code.

It's probably more common to just turn a blind eye to GPL code, so it's good to see companies making sure they're on the right side of it.


It was a joke.

I'm not a fan of "viral" licenses, and agree that, if a company doesn't want to abide by the license, they should not include them, but I am also not a fan of trying to force others to force others, to force others, etc., ad nauseam.

I tend to use MIT, which isn't always everyone's cup of tea, but means that you can use my code, and it would be nice to be credited, but I won't cry myself to sleep, if you don't.


The MIT license requires giving credit. The difference between MIT and GPL is that GPL requires sharing the modified source code and licensing it the same.


Yeaaahhh... I'm not going to argue about this. It's basically "Religion and politics," in this crowd, and discussions don't end well.

I apologize for my joke.


Huh, I wasn't trying to argue one license is better than the other. I was just trying to clarify what the licenses require. I didn't want someone to see your comment and think that it would be ok to use someone else's MIT-licensed code in a product without giving credit.


I take the MIT license and excise the credit clause for publishing my least important personal projects. I feel it gives me just enough cover (no warranty etc.) and avoids requiring people to stick my name into whichever unaffiliated project.

For work, I’ve definitely had to bury the fineprint MIT credits on some random help screen. It’s easy enough to do.

Re TFA: it’s kind of nice doing a bit of open source work on the job when you can reference or use random utility code later. There’s only so many times I want to write code for walking a dictionary in JavaScript or whatever.

As with anything, there are shades of gray and certainly more or less scrupulous ways to behave. Stealing GB’s of code is a bit much.


Funny, I too worked for a company that did exactly this. The scanner was called "Black Duck" or some such.


I don’t remember the name of the company, but it was a single word that began with “P,” (I think).


Would Nvidia the company want to engage in this? No. Would some middle manager involved in poaching this guy from the competitor want to do it? I have my suspicions. It takes two to tango and Nvidia didn't catch this themselves which raises some red flags. How was he hired? What kind of compensation was he able to negotiate? Was it well above the compensation Nvidia would ordinarily pay for an engineer of his level? How did he introduce the code into Nvidia's version control? Were there obvious red flags about the "development" pace that should have raised eyebrows during peer review?

I work at a big tech company and if I tried something similar, I'm pretty sure it would be caught internally. Even if I managed to pull it off, all it could realistically give me is a foot in the door. Some sketchy hiring manager isn't going to be able to just sweep some $500,000 signing bonus under the rug, and $100k isn't unheard of for regular engineers here anyway. As far as compensation and promotion opportunities afterwards, it stands little chance of mattering for that either. For the first few months nothing I did was even used in performance reviews, and it's a peer-driven process to rate/promote engineers.

Combined that means that even if I wanted to do this, and I found a corrupt hiring manager that wanted to play ball, I'd have to sit on that IP for a few months after being hired, slowly introduce it into the codebase, alter it in response to peer review and to fit the new code base's coding styles, etc. In the end, that would prove useful for a grand total of one peer review cycle and then it's sink or swim on my own merits from that point forward.

All that to say, yes Nvidia doesn't want this kind of thing as a company, but there are still individuals who potentially stand to benefit and there's a lot of opportunities for Nvidia to catch this before it's accidentally shown on screen to the competitor it was stolen from this far down the line. I don't know much about Nvidia's corporate structure but it kinda seems like they're trying to avoid finding out about it rather than trying to actually prevent it.


>Would some middle manager involved in poaching this guy from the competitor want to do it? I have my suspicions.

No company or manager I ever worked for, at both good and bad companies, would even think you'd be bringing stolen proprietary IP from your old job, let alone allow something like this to happen under their nose with their knowledge.

They're far too afraid of IP lawsuits, as knowledge of the use of stolen IP can easily leak, and you then ratting out that manager makes them an accomplice, for anyone to allow something like this to happen with their blessing. And plus, you never want to hire IP thieves: if they stole source code from their old job they'll steal from you as well.

>How was he hired?

Most likely Nvidia poached the guy on the premise he's gonna build for them something very similar to what he was working on at Valeo. The guy probably sold himself well to get the senior job at Nvidia but most likely knew he had overpromised and would underdeliver, so to make his life easy at his new job, he took all the source code and documents from his old job to use at his next job.

>How did he introduce the code into Nvidia's version control?

Well, it's not like he was dumb enough to just dump all the stolen source code from Valeo into git with all the headers, variable names and copyright notices and nobody would notice. Most likely he kept the code on the laptop as an offline copy and only used it as inspiration for the code he wrote for Nvidia, or maybe he even bluntly took Valeo's source code, then pruned, redacted or renamed any and all references to Valeo and checked it in as Nvidia's project so nobody was the wiser that the code was not originally written by him.


> Why commit a crime when you can simply throw money (of which you have a lot) at the problem?

Indeed. But the stupidity of committing a crime does not actually stop companies from doing so. Mainly because the penalties for it are never harsh enough.


Stupidity in this case probably means low level employees cheating for benefits and career

Nvidia can get out of this fairly low cost then

Who knows


>Stupidity in this case probably means low level employees cheating for benefits and career

That's most likely the case here. FFS, the guy stole 6GB of proprietary data and police found the stolen design files pinned on his wall at home, so the guy was fully committed to his scammer role, and not just an accidental "oopsie I walked out with some proprietary IP by mistake, better discard it and keep this low key so nobody finds out".

By the looks of it, this guy, most likely a Blue Card holder (German equivalent of H1B), was just cheating and stealing his way up the career chain through the revolving door of the blue-chip automotive sector, until he got caught.

Companies, both big and small, never ever encourage you to bring to work proprietary files and data from your previous workplaces, since that's a guaranteed lawsuit as these things always get out eventually.


Why do you deem the guy most likely a Blue Card holder, and how is it relevant?


A problem here is that while companies will generally make very clear that they don't want you to have any single line of code, any schematic, any drawing, anything at all from your previous company, they may also expect you to bring "experience" from the previous company, thereby pressuring more junior employees into doing exactly that (bringing some docs from the previous company) but not telling about it. Through my career I have been to several meetings where everyone was, notebook in hand, expecting to hear the "experience" from the new guy. That is obviously as legal as it gets, but the pressure for the junior employee to have kept a couple of notes is there, and you'd never know.

i.e. I suppose no one was aware that he had this code, and it's unlikely it went into Nvidia's codebases or that Nvidia wanted it; but it also doesn't mean Nvidia did not pressure the guy into doing that.


That sounds wrong in so many ways. Do you live in China or something where this is expected?

I've worked at about 10 or so companies in 3 countries and it was never expected for the juniors to ever "bring documents from previous workplaces as knowledge and not tell about it".

Bringing your "experience" means only the experience and problem-solving skills that are in your head, as we're in the knowledge work business. Bringing documents to regurgitate just means IP theft, not knowledge work, and is no guarantee of making you a productive employee, and no company would ever touch you for doing that.


> Bringing your "experience" means only the experience and problem solving skills that are in your head

It's hard to differentiate experience from IP. For example, there might be a tricky problem (say, in manufacturing), and the solution is a trade secret. The "experience" from said employee is really just relaying that trade secret.


Some people have very, very good memories and can bring all of that in their brain. Does that make it legal or not, just because it's in someone's brain and can be easily regurgitated at will? It's a subtle question.


So... noncompetes, except for the hiring company?



