Waymo v. Uber: The Legal Implications of Sharing Sensitive Data

In recent years, In the past few years, intellectual law has come under intense scrutiny, especially due to a lack of consensus on the issue, especially in Silicon Valley. the rapid development of technology and the horizontal expansion of companies into multiple industries has greatly complicated the field of intellectual lawcomplicated the matter. As companies like Apple, Google, and Facebook are increasingly pursuing similar ventures, there is a growing risk for illicit sharing of trade secrets.[if !supportFootnotes][1][endif] Specifically, there are cases in which employees at one company bring ideas from their previous workplace to another company, in the hopes of gaining a competitive advantage in their new job. Thus, what are the legal implications when these stolen ideas involve sensitive data? US v. Nosal establishes a legal precedent regarding the illegitimate access of secure documents. By applying this precedent to the pending Waymo v. Uber case, where a former Employee of Waymo is accused of bringing trade secrets to revamp Uber’s self-driving division, it is clear that only legitimate accessors should have authorization to handle and utilize sensitive data.


The United States v. Nosal case scrutinizes David Nosal’s activity at the company Korn/Ferry International, an “executive search firm.”[if !supportFootnotes][2][endif] He left the company in 2004, and secretly decided to create a rival search firm. Nosal decided to include some of his former coworkers on the plans, in order to use their log-in credentials to “download source lists, names, and contact information from a confidential database.” The company Korn/Ferry discovered the actions, and immediately pursued legal recourse. After investigating the company and Nosal’s actions, the 9th Circuit Court of Appeals based its findings on a strict interpretation of the Computer Fraud and Abuse Act (CFAA). The CFAA incriminates anyone who “accesses a protected computer without authorization, or exceeds authorized access.”


The District Court found that the phrase “without authorization” was a distinctly “unambiguous” phrase that meant only the system administrator could approve access to the computer system. Their strict interpretation evidently established that Nosal’s actions were in clear violation of the CFAA and justified pursuance of legal action for stealing confidential company data. Yet. a recent Harvard Law Review article recommends another approach that avoids the risk of over-criminalization—which may be promoted in the 9th Circuit’s approach. Rather than deeming access without approval from the one system administrator as illicit, Harvard Law Review proposes placing outsiders into categories of those who haven’t been denied access and those who have been explicitly banned access to the documents.[if !supportFootnotes][3][endif] This would allow for proper oversight to prevent stealing of data by unauthorized users, while at the same allowing outsiders with legitimate request to have access to the data. The categorical approach allows for the courts to properly prosecute unfair use of data, while also taking into account the motivations of the data accessor.


This should be the approach when dealing with the mishandling of trade secrets and can be applied to the upcoming Waymo v. Uber case, which will be tried in December. Anthony Levandowski, the former head of Google’s Waymo self-driving division, was found to have downloaded over 14,000 documents from Waymo about six weeks before his own resignation.1 He then allegedly used the data from those documents to create his own self-driving startup, Otto, which was later sold to Uber for $680 million. Waymo further believes that Uber’s self-driving program is primarily based on work at Waymo and presented leaked conceptual maps as evidence.


Though the court has yet to rule, it is logical to first scrutinize how the documents were being accessed and whether or not Levandowski constitutes a legitimate accessor. Current analyses of Waymo v. Uber immediately assumes that since he was head of the self-driving project, he should be allowed to download all documents regarding his company division and manage them with his best interests. This jumps to the conclusion that Uber used the data in its own self-driving project, rather than first looking into the legitimacy of the data-handling. As head of the self-driving project, Levandowski should be allowed to use company data for endeavors within Waymo. However, when he downloaded the files to an offsite hard drive to storage, that would constitute an illegitimate handling of data. Therefore, since Levandowski did not receive permission from a system administrator to download the documents to a private device (since it would have instantly raised suspicion), he is not a legitimate accessor.


In the last few weeks, there have been case developments that make predicting a clear winner very difficult. Most notably, the current district judge assigned to the case “threw out” one of Waymo’s nine trade secrets under review and also absolved Lewandowski’s individual company from any legal scrutiny.[if !supportFootnotes][4][endif] While the case will be tried in the end of December, these actions show how much influence the presiding district judge has over case materials. Because there is little precedence in how data-handling cases should be tried, district judges are afforded increased flexibility and freedom. In essence, the results of this case are partially dependent on what the district judge determines to be admissible evidence, which complicates the matter even further.


In the nascent field of self-driving technology, it is clear that fair competition is crucial for continuing innovation in the industry. Still, it is inevitable that illegitimate data handling and distribution will occur between companies or among coworkers. United States v. Nosal provides a precedent for handling cases of surreptitious data acquisition for only the system administrator can allow someone access to classified documents, as all other access would be deemed unacceptable. However, a more nuanced approach is a stronger solution to handling the legal ambiguity pertaining to data access, especially when the person’s status as a legitimate accessor is considered. This approach can be applied to Uber v. Waymo which will be tried in December, as well as to all future cases involving data breaches. Data can certainly be used for company projects, since those have assumed permission from an administrator. Regardless, in both of these aforementioned cases, data was handled offsite. In this case, explicit system administrator approval should be necessary to promote fair practices in the industry.

[if !supportFootnotes]

[if !supportFootnotes][1][endif] Hawkins, Andrew J. "Alphabet's Waymo sues Uber for allegedly stealing self-driving car secrets." The Verge. February 23, 2017. Accessed December 05, 2017. https://www.theverge.com/2017/2/23/14719906/google-waymo-uber-self-driving-lawsuit-stolen-technology.

[if !supportFootnotes][2][endif] United States v. Nosal (US Court of Appeals, 9th Circuit April 28, 2011).

[if !supportFootnotes][3][endif] "United States v. Nosal (Nosal II) ." Harvard Law Review 130, no. 4 (February 2017).

[if !supportFootnotes][4][endif] Mullin, Joe. "In new Waymo v. Uber order, judge pounds on Waymo." Ars Technica. November 03, 2017. Accessed December 05, 2017. https://arstechnica.com/tech-policy/2017/11/in-new-waymo-v-uber-order-judge-pounds-on-waymo/.