If you run a company that owns a product, or have put your mind and soul into writing a product that you believe will make you or your organization big bucks and success in the long run, you’re probably worried about protecting your intellectual property.
Lately, I’ve been hearing a lot about intellectual property and what organizations should do to protect it. Multiple discussions have taken place, with multiple people from different organizations. Just to give an idea of the crowd I’ve been discussing this with, let me introduce an acquaintance who works as a developer at a 400+ person Indian solution provider.
Another individual is a lawyer in a 100+ employee organization with offices in the US and multiple offshore countries, including the UK and Europe. Just to bring a slightly different perspective to the discussion, I’ve also included comments from a very old client that I worked with, who had a no-work-from-home policy. And then there are guys from the IT / administration world, from back in my MCSE days, whom I am still in touch with and who work with some medium-to-small-sized development shops.
Before I go any further, however, let me take my ‘I-know-everything-about-this’ hat off and hide it somewhere. Because this is my blog, which runs on a server I pay for, it goes without saying that I will present my opinions. However, this is also a good time to bring to everyone’s notice that my opinions here are (by their very nature) highly opinionated and may be as far from correct as anything can be. But after hearing so much about this topic, I really feel that I have to post about it. If nothing else, this post is an attempt to take a look at one problem from multiple perspectives, including mine. :)
"They are not allowed to carry USB drives to work. No Floppies, no CDs, they code on desktops with 512 Megs of RAM, unless of course, someone can justify that he needs a Gig of RAM for his project. 90% of Internet is blocked from them including Yahoo mail, Hotmail, Messengers or anything that can potentially be used as file transfers."
This is how an acquaintance from back in my IT days describes it. He works at an Indian IT consultancy firm which is small enough for every employee to know every other employee on a first-name basis. By “They” he is referring to the developers. There’s a particular advantage to having worked in various departments in the early part of my professional life: I associate with both IT and development folks equally well, and completely “get it” when the folks in one camp refer to the folks in the other camp as “They” :)
"In fact, our IT takes a pessimistic approach to security. They start by blocking everything. Employees over years have requested specific sites to be unblocked, which has resulted in a fairly large database of safe sites which have been unblocked. Once a request is filed, it is analyzed to see if the site offers any mechanisms to transmit confidential data. Analysis is also done on why this site should be opened up. There are cases where we’ve asked for a specific site to be opened up because we wanted to read an article and have received an email in reply with the content of the article attached and our request to open up the site denied, mainly because the site provided free mailing services. The concern is that we would email code to ourselves."
These are the measures a 400+ employee consultancy firm takes to protect its intellectual property. This comes from a developer, and here “they” of course refers to the IT folks :). The third perspective is slightly non-technical, coming from a lawyer who works for a relatively smaller development firm.
"The key to this is making employees sign non-disclosure agreements (NDAs) and non-compete agreements, and copyrighting your code. Once these measures are in place, the real work needs to begin: the technical departments, like IT, need to move in and enforce measures so that code theft cannot happen even if an employee wants to commit a theft, e.g. disabling their USB drives, not giving them CD/DVD writers, etc. Making the employees sign is the easy part. Setting up systems so that you don’t have to be at the mercy of mutual trust with your employees is the difficult part."
Another person, at a fairly small US-based organization, cites an example of an employee running away with a laptop and some code, and the team being worried for a couple of weeks until the employee was tracked down and they had confirmed that he hadn't released the source code to anyone.
After listening to these discussions, something deep down kept telling me that there’s something wrong somewhere, as if one side of the story is being ignored. One thing that seems to resonate through all these comments and remarks is: "It's difficult to trust your Employees. Doing that will always mean big trouble". In an attempt to discover the other side, I decided to cling on to Google and go on a search for other opinions.
My ideas on this topic are very different from the ones that had been brought to the table so far, and Google seemed like an excellent tool to find out whether there are others who had similar thoughts, and whether my thoughts are working out for them too.
The first result is an interesting instance of stealth and sleuthing. What’s most interesting about this article is that it sticks to the side of the story that’s been presented by all the other quotes in this post so far, but ends with lines that come very close to the other side of the story, thereby striking a really nice balance. The article includes an interesting and (in my opinion) very true remark:
"It is impossible to provide for a completely foolproof system... To devise a foolproof system, you would need a set of people working on it...This set could have a thief in its midst too. In the ultimate analysis, everything works on trust. After all, software employees are capable of anything."
Why I particularly like this remark is that it addresses the problem from a realistic perspective and considers the fact that, when dealing with developers, companies are dealing with smart individuals who are capable of writing highly secure and scalable systems. It goes without saying that any developer worth his salt who is capable of writing these systems is also capable of stealing code, or in fact anything, if he really wanted to, especially if he's a little lucky. There is no such thing as a fully secured process or system! And that’s one thing we tend to forget when talking about systems that we claim will replace (or enforce) human trust and dignity through security.
There are tons of articles out there which tell you that you cannot trust your employees, not even your administrators – but ones which tell you that it’s OK to place a little bit of trust in sensible programmers who you hired in the first place, are few and difficult to find!
After spending some time on Google searches, I finally landed on some sound advice that came close to the kind of answer I was really looking for. A very wise comment on this forum states:
"It seems you've learned firsthand that you can't *really* protect your IP. That said, you could talk to a lawyer and get some more specific advice. Certainly requiring your hires to sign a non-disclosure agreement is nothing onerous. But I think the best thing to do is hire people with integrity and all. Be so successful that nobody in their right mind would think about splitting, and that none of your customers would think about switching"
These are not my words, but if I were to say something on this topic, this is exactly what I would say, and then I would add a few more numbered points (read on).
- You cannot prevent your employees from stealing your code unless you’re planning on frisking people: In each of the remarks people made in their discussions with me, as they were describing their security measures to protect their intellectual property, I could instantly think of more than one way by which a developer could easily steal code if he really wanted to. The comment in this forum, that you cannot prevent employees from stealing code unless you’re planning on frisking people, seems quite true, and I, at least, agree with it.
- What is your intellectual property, by the way? As a developer I spend countless hours throwing away code that I’ve written in the past and writing better code. Those of us who believe in TDD refactor ruthlessly and make that a way of life. A lot of the projects I’ve been involved with are rewrites of existing systems. So, if we as developers throw away so much code, is code what you really want to protect? Is it even wise to consider just your code your real (and only) form of intellectual property?
I, for one, want to believe that an organization's real intellectual property is the knowledge that was gathered in writing that code and the individuals who retain that knowledge. That’s what I would be really interested in protecting.
In a discussion, one of my managers once asked me how long my team would take if I were to scrap every single line of code I’ve written for a product and start fresh. My reply was that it would take half the time and I would come up with a product that would be faster and much more feature-rich.
As developers, we grow with each project, module and problem that we solve. I personally feel that it’s this growth that organizations and individuals should be striving to protect. Not just Code!
- A lot of code isn’t complete or loses meaning out of context: Some years ago, a part of the Windows NT code base and a part of the Windows 2000 code base were leaked. Everyone in the community talked about it. People discussed it. Some of us even downloaded it and took a peek at it. People analyzed it, more out of curiosity than anything else. But that was it. People couldn’t build the code. Of course they couldn’t compile Windows NT / Windows 2000 out of it. The code was incomplete and it was out of context.
There was a particular client that I worked with in an early part of my life who wouldn’t let any consultants work from home, because the DBA was particularly concerned about a table in the new system which sucked in legacy data and had an Item-Id column containing millions of item IDs. While I completely understood and respected the DBA’s passion to protect data from leaking out, the fact remains that 2 million random numbers (which happen to be a list of item IDs) are utterly useless to me, because they are out of context. There is nothing I could have done with a huge list of their item IDs even if I wanted to. It took quite a bit of convincing to get permission to work from home so that I could fix bugs I was really concerned about during late nights and weekends, and in the end it worked out really well. We delivered a couple of weeks before the planned date and there was no loss of any intellectual property.
- Shouldn’t you focus on what’s coming in rather than on what’s going out? In all the arguments for strict systems to protect intellectual property, the focus seems to be on “what is going out of the organization”, either an employee or code. Why not spend more time focusing on the employees that are coming into the organization, and create processes for hiring people with dignity and maturity? Something makes me feel that if some of these organizations, which spend huge amounts of time building these extreme measures, spent as much time thinking about the quality of the employees they're hiring, they wouldn't have to worry about protecting intellectual property.
- I respect NDAs and, honestly, I don't mind signing them: I don't think any developer does. As one of the quotes above mentions, "Making the employees sign is the easy part". It really is. And important too. I thought I should clarify that before I start getting emails from people I know and don’t know telling me that I am a moron who doesn’t care about protecting intellectual property and respecting NDAs. I completely understand a client's concern to protect their data and intellectual property. I also understand policies of not letting people carry parts of projects or data on laptops in some cases, or on projects where the sensitivity is high.
However, I would find it a little awkward if I ever had to work in an organization that implemented policies and had systems which kept telling me, every day, that I am a potential threat to the business. In my personal opinion, some of the comments I heard during these conversations sounded a little extreme, which is what got me thinking.
I find the measures mentioned by some of my friends in this post a little extreme. It's probably because I've changed organizations very few times in my professional life and have been lucky to work at organizations (including clients and project teams) which have very difficult interview processes but place a tremendous amount of trust, freedom and liberty in the hands of their employees once they are a part of the team.
A sarcastic answer to “extreme measures and systems to protect your intellectual property” posted at this forum seems like a good way to end this post. A person with a sense of humor comments –
"I want to work for you people! A boss who considers me a significant threat to his business and acts as if I'm a thief waiting for the opportunity to strike would make me feel like such an appreciated member of the team."
Do you feel that you work at a place that considers you a significant threat to their business? Wondering what you can do about it? If you answered "Yes" to these questions, remember - you can either change your company, or you can change your company. :)