ThousandtyOne! - .NET, Life and Logical Thoughts By Rajiv Popat - Protecting Intellectual Property Vs. Trusting Employees

Saturday, January 20, 2007

Protecting Intellectual Property Vs. Trusting Employees

If you run a company that owns a product, or have put your mind and soul into writing a product that you believe will make you or your organization big bucks and success in the long run, you’re probably worried about protecting your intellectual property.

Lately, I’ve been hearing a Lot about Intellectual Property and what Organizations should do to protect their intellectual property. Multiple discussions have taken place, with multiple people from different Organizations. Just to give an idea of the crowd I’ve been discussing this with, let me introduce an acquaintance who works in a 400+ person, Indian solution provider as a developer.

Another individual is a Lawyer in a 100+ employee Organization having offices in US and multiple offshore countries including UK and Europe. Just to bring a slightly different perspective to discussion I’ve also included comments from a very old client that I worked with – who had a no-work-from-home policy. And then there are guys from IT / Administration world back from MCSE days, that I am still in touch with and who work with some really medium-to-small-sized development shops.

Before I go any further however, let me take of my ‘I-know-everything-about-this’ hat off and hide it somewhere. Because, this is my blog which runs on a server I pay for, it goes without saying that I will present my opinions. However, this is also a good time to bring to everyone’s notice that my opinions (by their very nature) here are highly opinionated and may be as far from correct as anything can be. But after hearing so much about this topic I really feel that I have to post about this. If nothing else, this post is an attempt to take a look at one problem from multiple perspectives, including mine. :)

"They are not allowed to carry USB drives to work. No Floppies, no CDs, they code on desktops with 512 Megs of RAM, unless of course, someone can justify that he needs a Gig of RAM for his project. 90% of Internet is blocked from them including Yahoo mail, Hotmail, Messengers or anything that can potentially be used as file transfers."

An acquaintance back from my IT Days describes. He works at an Indian IT consultancy firms which is small enough for every employee to know every other employee on a first name basis. By “They” he is referring to the developers. There’s a particular advantage of having worked in various departments in my early part of professional life. I associate with both IT and Development folks equally well, and completely “get-it” when the folks in one camp refer to the folks in other came as “They” :)

"In fact, our IT takes a Pessimistic approach to security. They start by blocking everything. Employees over years have requested specific site to be unblocked which has resulted in a fairly large database of safe sites which have been unblocked. Once a request is filed, it is analyzed to see if the site offers any mechanisms to transmit confidential data. Analysis is also done on why this site should be opened up. There are cases, where we’ve asked for a specific site to be opened up because we wanted to read an article and have received an email attachment in reply with the content on the article attached and our request to open-up the site denied, mainly because the site provided free mailing services. The concern is that we would email code to ourselves."

These are measures a 400+ employee consultancy firm takes to protect its Intellectual Property. This comes from a Developer and here “they” of course refers to the IT folks :). The third perspective is slightly Non-Technical coming from a lawyer who works for a relatively smaller development firm.

"The key to this is Making employees sign Non-Disclosure-Agreements (NDA’s), Non-Compete agreements and copyrighting your code. Once these measures are in place, the real work needs to begin - the technical departments, like the IT needs to move in and enforce measures that code-theft cannot happen even if an employee wants to commit a theft e.g. disabling their USB drives, not giving them CD/DVD-Writers etc. Making the employees sign is the easy part. Setting up systems so that you don’t have to be at the mercy of mutual trust with your employees is the difficult part"

Another person at fairly small US based organization, sites an example of an employee running away with a laptop and some code and the team being worried for a couple of weeks till the employee was tracked down and they had confirmed that he hadn't released the source code to anyone.

After I listening to these discussions, some-thing deep down somewhere kept telling me that there’s something wrong, somewhere. As if one side of the story is being ignored. One thing that seems to resonate through all these comments and remarks is – "It's difficult to trust your Employees. Doing that will always mean big trouble". In an attempt to discover the other side I decided to cling on to Google and go on a search for other opinions.

My Ideas on this topic are very different from the ones that had been brought to the plate so far, and Google seemed like an excellent tool to figure out if there are others who had similar thoughts and to figure out if my thoughts are working out for them too.

The first result is an interesting instance of stealth and sleuthing – what’s most interesting about this article is that it sticks to the side of story that’s been presented by all other quotes in this post so far, but ends with lines that come very close to the other-side of the story, therefore striking a really nice balance. The article includes an interesting and (in my opinion) a very true remark:

"It is impossible to provide for a completely foolproof system... To devise a foolproof system, you would need a set of people working on it...This set could have a thief in its midst too. In the ultimate analysis, everything works on trust. After all, software employees are capable of anything."

Why I particularly like this remark is because it addresses the problem from a real perspective and considers the fact, that when dealing with developers companies are dealing with smart individuals who are capable of writing highly secured and scalable systems. It goes without saying that any developer worth his salt, who is capable of writing these systems, is also capable to stealing code or in fact, anything, if he really wanted to do it, specially if he's a little lucky. There is no such thing as a fully secured process or system! And that’s one thing we tend to forget when talking about Systems that we claim will replace (or enforce) human trust and dignity through security.

There are tons of articles out there which tell you that you cannot trust your employees, not even your administrators – but ones which tell you that it’s OK to place a little bit of trust in sensible programmers who you hired in the first place, are few and difficult to find!

After spending some time on Google searches I finally landed on some sound-advice that came close the kind of answer I was really looking for. A very wise comment on this forum states:

"It seems you've learned firsthand that you can't *really* protect your IP. That said, you could talk to a lawyer and get some more specific advice. Certainly requiring your hires to sign a non-disclosure agreement is nothing onerous. But I think the best thing to do is hire people with integrity and all. Be so successful that nobody in their right mind would think about splitting, and that none of your customers would think about switching"

These are not my words, but if I was to say something on this topic this is exactly what I would say and then I would add a few more numbered points (read on).

You cannot prevent your employees stealing your code unless you’re planning on frisking people: In each of the remarks people made in their discussions with me, and as they were describing their security-measures to protect their Intellectual Property, I could instantly think of more than one ways by which a developer could easily steal code if he really wanted to. The comment in this forum, that you cannot prevent employees from stealing code unless you’re planning on frisking people, seems quite true and at-least I agree to it.
What is your Intellectual Property, by the way? As a developer I spend countless hours, throwing away code that I’ve written in the past and writing better code. Those of us, who believe in TDD, refactor ruthlessly and make that a way of life. A lot of the projects I’ve been involved with are re-writes of existing systems. So, as developers, if throw away so much code, is code what you really want to protect? Is it even wise to consider just your code your real (and only) form of intellectual property?

I for once want to, believe that an Organization's Real Intellectual Property is the knowledge that was gathered in writing that code and the individuals who retain that knowledge. That’s what I would be really interested in protecting.

In a discussion one of my Managers once asked me how long my team would take if I was to scrap every single line of code I’ve written for a product and start fresh. My reply was that it would take half the time and I would come up with a product that would be faster and much more feature rich.

As developers, we grow with each project, module and problem that we solve. I personally feel that it’s this growth that organizations and individuals should be striving to protect. Not just Code!
A Lot of code isn’t complete or looses meaning out of context: some years ago; a part of Windows NT code base and a part of Windows 2000 code base was leaked out. Everyone in the community talked about it. People discussed it. Some of us even downloaded it and took a peek at it. People analyzed it, more out of curiosity than anything anything else. But that was it. People couldn’t build the code. Of-course they couldn’t compile Windows NT / Windows 2000 out of it. The code was incomplete and it was out of context.

There was a particular client that I worked with at an early part of my life, who wouldn’t let any consultants work from home because the DBA was particularly concerned about a Table in the new system which sucked legacy data and had an Item-Id column containing millions of items Ids. While, I completely understood and respected the DBA’s passion to protect data from leaking out, the fact remains that 2 million random numbers (which happen to be a list of item ID) are utterly useless for me, because they are out of context. There is nothing I could have done with a huge list of their Item IDs even if I wanted to. It took quite a bit of convincing to get the permission to be able to work from home so that I could fix bugs I was really concerned about during late nights and weekends and in the end it worked out really well. We delivered a couple of weeks before the planned date and there was no loss of any intellectual property.
Shouldn’t you focus on what’s coming in rather than focusing what’s going out? In all the arguments for strict systems to protect intellectual property the focus seems to be on “what is going out of the organization” - either an employee or code. Why not spend more time on focusing on employees that are coming in the organization and create processes for hiring people with Dignity and Maturity. Something makes me feel that if some of these Organizations, that spend huge amounts of time in building these extreme measures, spent as much time in thinking about the quality of employees they're hiring, they wouldn't have to worry about Protecting Intellectual Property.
I respect NDA’s and honestly, I don't mind signing them: I don't think any developer does. As one of the quotes above mentions "Making the employees sign is the easy part". It really is. And Important too. Thought I should clarify that before I start getting emails from people I know and don’t know telling me that I am a moron who doesn’t care about protecting intellectual property and respecting NDAs. I completely understand a client's concern to protect their Data and Intellectual Property. I also understand policies of not letting people carry parts of projects or Data on laptops in some cases or projects where the sensitivity is high.

However, I would find it a little awkward, if I ever had to work in an organization that implementing policies and had systems which constantly keep telling me every-day, that I am a potential threat to the business. In my personal opinion, some of the comments I heard during these conversations sounded a little extreme which is what got me thinking.

I find the measures, mentioned by some of my friends, in this post, a little extreme. It's probably because of the fact that I've changed very few organizations in my professional life and have been lucky to work at Organizations (including clients and project-teams) which have very difficult interview processes but provide tremendous amount trust, freedom and liberty in the hands of their employees once they are a part of the team.

A sarcastic answer to “extreme measures and systems to protect your intellectual property” posted at this forum seems like a good way to end this post. A person with a sense of humor comments –

"I want to work for you people! A boss who considers me a significant threat to his business and acts as if I'm a thief waiting for the opportunity to strike would make me feel like such an appreciated member of the team."

Do you feel that you work at a place that considers you a significant threat to their business? Wondering what you can do about it? If you answered "Yes" to these questions, remember - you can either change your company, or you can change your company. :)

Personal Thoughts on Software Development

posted on Saturday, January 20, 2007 7:53:30 PM UTC

Comments [2] Trackback
Related posts:
Detailed Planning And Project Plans Are Highly Overrated.
Have You Thrown Away Your Gantt Charts Out Of Window Yet?
That's Not An Office. Software Shops Around The World Just Want You To Think It Is.
The Secret Sauce Of Successful Software Development Teams - Do You Really Like Them? Or Are They Just Colleagues?
Resume Driven Development, The Hammer And The Nail.
Two Golden Rules For Software Development - Don't Police, Don't Panic.
Tracked by:
"15 Percent Rule Manifesto - Just A Glamorized CYA Document?" (ThousandtyOne! - ... [Trackback]
"15 Percent Rule Manifesto Is Just A Glamorized CYA Document!" (ThousandtyOne! -... [Trackback]
"The 15 Percent Rule Manifesto Is Just A Glamorized CYA Document!" (ThousandtyOn... [Trackback]
"CMM, RUP and Gant charts don't build Successful Software. Kick Ass Programmers ... [Trackback]
"You Don't Ask Why, You Don't Get Innovation." (ThousandtyOne! - .NET, Life and ... [Trackback]
"You Don't Ask Why, You Don't Get Innovation (Comment Reply)" (ThousandtyOne! - ... [Trackback]
"CMM, RUP and Gantt Charts Don't Build Successful Software. Kick Ass Programmers... [Trackback]
"Deadlines Driven Development For Dummies" (ThousandtyOne! - .NET, Life and Logi... [Trackback]
"Deadlines Driven Development Is For Dummies" (ThousandtyOne! - .NET, Life and L... [Trackback]

Friday, February 09, 2007 10:27:13 AM UTC

A really nice article and I completeley support your point of veiw. I myself faced such an instance in on of my previus companies where many sites and other emails except the official email were blocked. The primary reason of blocking the mails was not only theft of intellctual property , more because the management feared that employees would apply to other copmanies using their personal emails during office hours. The funny part of the whole thing is many employees left the company and I bet all of them used their personal emails (not from office , but from a cybercafe located exactly opposite to this office :)) . Isn't that stupid from the management's part to block personal emails, without thinking these.

Dheeman | dheeman_duttaAT NOSPAMyahoo dot com

Friday, February 09, 2007 11:12:15 PM UTC

Use of office bandwidth for personal uses – Hmmm… Now that’s a complicated question, I would rather not answer - But coming from an IT world myself I’ll give you both perspectives using a very lengthy comment :)

Two Examples:

Example 1: Mr. X. trying to say a Hi to his X-colleague and is getting an access denied. (Now that’s really stupid of the Management, Isn’t it? Ok, now here’s a different perspective – read on.)

Example 2: Mr. X is downloading his Baby Boy’s 2-Gig Birthday video and is choking the bandwidth of everyone else trying to download their email. (Now that doesn’t sound like Mr. X is doing the right thing, does it? :)).

It really depends on how / what different people define as “Personal email” and “Personal Use of internet” - This is one place where I would rather not take any stand what-so-ever mainly because it’s way too relative :)

Two reasons why policies which prevent official internet for personal reasons are often placed in small to medium sized companies:

Reason 1: Mr. Y who is an Administrator woke up one fine morning and figured out that it will be “cool” to block all sites, except a set of approved sites. You say, “Stupid”. I Say, “I Agree”. (But then again, that’s just my personal opinion) :)

Reason 2: Mr. Y. who is an Administrator was analyzing the Bandwidth usage and discovered 30% of the bandwidth was used in downloading files with DivX extensions and decides to block personal sites – (A very “wise decision" indeed, wouldn’t you say?)

It’s relative and it depends on a lot of different things – organization size, existing culture and so many other things.

This post was more focused on the fact that taking extreme measures to protect IP (so much so that it impacts developer productivity) is not a “full proof solution” to protecting IP. But the whole debate on, “use of office bandwidth and resources for personal uses” is a topic that’s mostly an Age-Old-Can-Of-Worms and I didn’t want to open it in this post. :)

As far as I am concerned, having seen both the IT / Administration and Development side of the story and having worked as both; an IT Administrator and a Developer, I would think that striking a correct balance which by providing freedom and at the same time ensuring people aren’t grossly misusing office bandwidth is always a tricky affair. I’ve seen so many organizations struggle to strike this balance and personally, I haven’t figured out the golden 100% correct answer to that yet. :)

rajiv | rajivpopatAT NOSPAMgmail dot com

Name
E-mail
Home page

	Remember Me
Comment (HTML not allowed)

Live Comment Preview