Over the past couple of years, Google employees have helped expose a steady stream of information about the company’s operations. Less well known is how Google tries to staunch this flow with confidentiality agreements and programs like Stop Leaks, a web portal where employees can report suspected leakers. Offenders can be subjected to digital forensic investigations and terminated.
Details about the Stop Leaks program came to light as part of a lawsuit—filed in December 2016 by an unidentified Google employee—claiming the company’s confidentiality policies amounted to an internal “spying program” that illegally infringed on employees’ rights to discuss working conditions, report illegal conduct or product defects to authorities, or talk to other employers about job opportunities.
The employee first made Google aware of his intent to sue in June 2016. Between spring of 2016 and March 2017, Google relaxed a number of its complex confidentiality policies, including easing rules governing when employees can talk to the press, clarifying that some data is not confidential by default, and softening training programs like You Said What? that discouraged employees from writing in email about topics that could invite antitrust scrutiny or product liability lawsuits. The changes clarified that employees could discuss pay, wages, and working conditions.
Now, documents filed in April argue that Google has not investigated recent high-profile leaks with the same tenacity as in the past. Those included an internal memo written by former Google engineer James Damore critiquing Google’s diversity efforts; Project Dragonfly, Google’s stalled plan to launch a censored search engine in China; and details about multimillion-dollar exit packages paid to executives accused of sexual harassment. The new documents include depositions of Google’s head of human resources and a member of the Stop Leaks team.
The absence of probes in those cases contrasts with Google’s allegedly more aggressive stance against the employees involved in the 2016 lawsuit, which now has three plaintiffs. The first employee claims he was investigated and fired for leaking memes critical of Nest founder Tony Fadell, although he was later reinstated. The second plaintiff, a contractor and a former two-time Google intern, was investigated and terminated after she gave college students advice about applying to Google through a job site called Purple Squirrel. The third plaintiff claims he was compelled to sign allegedly illegal confidentiality agreements.
The new documents arrive as Google’s workforce is closely watching management’s response to employee activism, to see whether increased public scrutiny will change the company’s famously open culture. Historically, Google employees have viewed all leaks as bad. Employee activists say that the conflation between whistle-blowing, disclosing proprietary product information, and discussing workplace conditions, which is protected by federal law, has worked to Google’s advantage. Workers also have little visibility into investigations, which contributes to the sense that the company’s enforcement can be selective.
In response to questions from WIRED, Google said it continues to investigate leaks with the same tenacity and considers leaks to be disclosure of confidential proprietary information. In 2018, the number of internal investigations involving mishandling of confidential information increased 40 percent, compared with 2017, the company said. Google also says employees can still report leaks through the “Stop Leaks” tool, which the company’s security team investigates. In court documents, Google has acknowledged the written policy changes, but said they were in response to a National Labor Relations Board charge filed in February 2016 alleging that the policies infringed on an employee’s right to protected concerted activity. That charge did not focus on confidentiality requirements.
In April, WIRED reported that two organizers of the Google Walkout, a massive protest against the company’s mishandling of sexual harassment claims against Rubin and others, claimed they had been demoted, given less responsibility, and asked to abandon longtime projects after the protest. On Tuesday, BuzzFeed News reported that Kent Walker, Google’s top legal executive, sent a company-wide email last week telling employees that they could be terminated for accessing documents classified as “need to know.” That was followed by an update in the company newsletter clarifying that employees “were typically only terminated when intentional violations resulted in data leaks, risks to user privacy, or harm to coworkers,” BuzzFeed reported.
Google said Walker’s email was not a new policy and that Google periodically sends company-wide reminder emails. In this case, the policy had been in place since 2007 and periodically updated, including adding examples of things the company has always considered “need to know” information, such as customer data. Google has said it prohibits retaliation against employees who raise concerns.
As part of the 2016 lawsuit, the plaintiffs last fall deposed Eileen Naughton, Google’s vice president of people operations, and Brad Fuller, an investigator with the Stop Leaks team. Fuller testified that he was not aware of any investigation into the leak of the Damore’s memo about Google’s diversity programs, which was published by Gizmodo in August 2017; Naughton testified that no one was fired for leaking the memo. Fuller said he was unaware of any Stop Leaks investigation into a video of a company-wide meeting where Google executives discussed President Trump’s election, which was published by Breitbart in September 2018. Naughton said, to her knowledge, Google would not terminate anyone for exposing information about Project Dragonfly, first reported by The Intercept in September 2018.
Got a Tip?
If you’d like to tip WIRED anonymously, we have a couple ways for you to do that here.
The depositions took place the same day as the Google Walkout, where 20,000 employees briefly walked away from their desks to protest the company’s mishandling of sexual harassment claims, a week after The New York Times disclosed the payout to Rubin. The plaintiffs’ lawyer, Chris Baker, asked if Google had investigated the sources of the information in the Times article. Naughton said she was not aware of any intent to investigate, nor was she aware of any employee being terminated for speaking to the Times for the Rubin article.
In his deposition, Fuller offered one of the most detailed public descriptions of Stop Leaks, which describes itself on an internal FAQ as a team of “super sleuths” that “investigates every leak,” interviewing victims and witnesses, as well as the subject of the investigation. Fuller said that Stop Leaks includes between eight and 13 investigators, managers, and analysts, who meet either monthly or biweekly to discuss investigations. Investigators sometimes use digital forensics to review an employee’s search history, as well as their activity in Google Drive, downloads, emails to personal accounts, whether they have connected a USB drive to their computer, searches within Google’s intranet, and click-throughs.
Google has pioneered a uniquely open company culture, which encourages transparent conversations between executives and employees at weekly meetings or on internal company mailings lists, and the ability to access the company documents and code. To ensure that crucial information still stays secret, Google, much like Facebook, relies on social norms around employee loyalty, as well as aggressive investigations teams.
In his 2015 book Work Rules! Insights from Inside Google That Will Transform How You Live and Lead, Laszlo Bock, then senior vice president of Google, wrote, “We suffer about one major leak each year. Each time, there’s an investigation, and each time, whether it was deliberate or accidental, well intentioned or not, the person is fired. We don’t name the person, but we let everyone in the company know what was leaked and what the consequence was. Lots of people seeing lots of information inevitably means a few people screwing up.”
In the deposition, Naughton said Google did plan to investigate the disclosure of employee information to right-wing sites as a way to instigate harassment, which she said took place between October 2017 and February 2018, allegations previously covered by WIRED.
In the deposition, Naughton says, “I recall one specific occasion in which a group of employees stood up and expressed their fear and unsafety around their personally identifiable information being leaked in a form of doxing to mostly extreme right-wing sites, and they, as a result being hounded and receiving threats on their lives.” Naughton said she told the employees that it violated Google’s code of conduct to leak personal information, adding, “And if we find who leaked such information with the intend [sic] to do harm, we will take full disciplinary action against them.” Naughton added that she remembered the question because “it was a very raw moment.”
Baker then asked whether it violated Google’s policy to disclose communication that an employee believed demonstrated discrimination without personally identifiable information. “In the way you phrased that question, counselor,” Naughton responded, “I would think that, if there were no personally identifiable information, but rather content attendant to the workplace culture, that would be within their right.”
Update, 5-16-19, 9:35pm ET: This story has been updated with additional comment from Google.