Google executives are clamping down on what information can and cannot be shared among employees, amid a wave of employee activism that has caused the tech giant to sideline numerous projects, including some that had the potential to be highly lucrative.
According to an internal email sent to employees last week and obtained by Business Insider, Google’s Chief Legal Officer Kent Walker re-enforced the company’s restrictions for sharing “need-to-know” information with colleagues and re-iterated that the consequences for misclassifying and mishandling such information could result in termination.
“It’s a violation of our policies to improperly access, copy, or share confidential or need-to-know information, whether or not it is explicitly marked,” Walker wrote in the email. “Doing so could subject you to disciplinary action. We have fired people who violated our data policies.”
According to Walker, the “need-to-know” definition extends to any information that is specific to an individual’s or team’s job, like notes and emails from a brainstorming session, project evaluations, and details of an organization’s financial or strategic plan. That would suggest that sharing — or even having access to — any information outside of an employee’s immediate role could be a fire able offense. News of Walker’s email was first reported by BuzzFeed on Tuesday.
Fears of retaliation
Two current employees who spoke to Business Insider said that some now feared that the company could arbitrarily retaliate against Googlers for something as simple as improper access to a document or potentially, reporting an ethically questionable project. Fears over retaliation are especially high at the tech giant as of late, after two women who helped spearhead the November Walkouts — Meredith Whittaker and Claire Stapleton — said the company tried to demote and dramatically change their roles in response to their organizing efforts.
Although Walker characterized his email as a reminder of Google’s “longstanding data security policies,” both employees Business Insider spoke with said there appeared to be updates to the policy which tightened the tech giant’s control over information being spread internally.
Specifically, one employee pointed to the sharing of technical design documents — which are widely used by engineers to explain the concepts, motivations, and implementations of features they’ve created. Given the policy laid out in Walker’s email regarding “need-to-know” information, the employee said that sharing those design documents — which can be critical to navigating Google’s massive code base — could now be considered off limits.
A Google spokesperson told Business Insider that the overall intent of policies are not meant to limit conversation amongst employees, and internal docs like post mortems and design docs would still shareable across teams.
The employee said the limitations laid out in the email far exceeded how information is shared in actuality at the tech giant today, where a culture of openness and transparency has long been its mantra. New hires as recent as 2014, for example, were encouraged in orientation trainings to look up the company’s holy grail — its Search algorithm source code — which is almost entirely accessible to anyone capable of finding it.
However, after Walker’s email, employees are left to question whether a document they’ve shared in the past or one that has been shared with them, could now get them in trouble.
On Tuesday, the company sent a follow-up note to clarify its policy, though both employees we spoke to both said it did not provide reassurance regarding fears of retaliation.
Preventing the next ‘Dragonfly’
The memo comes at a time when Google’s expanding technological capabilities and business ambitions have pushed it into markets long considered off-limits or controversial within the company. The backlash Google faced when details of some projects became public has rocked the company.
Already over the past year, Google decided not to renew its artificial intelligence contract with the Pentagon — known as Project Maven —after thousands of employees signed a petition (and dozens quit) in protest. Similar pressure was applied when employees discovered the company was working on a censored search engine for China — known as “Dragonfly.”
Although employee petitions slowed down Google’s ambitions for its censored search, the secretive nature of the project left a chilling effect on employees and brought into question the level of transparency that would be offered by executives moving forward, according to the employee who spoke to Business Insider.
“They [leadership] were determined to prevent leaks about Dragonfly from spreading through the company,” a source told The Intercept back in November. “Their biggest fear was that internal opposition would slow our operations.”
Below is the email from Google’s’ SVP for Global Affairs and Chief Legal Officer, Kent Walker. (Note: This email was dictated over the phone and transcribed by Business Insider, so formatting may differ from the original message sent.)
Subject: An important reminder on data classification
Many of the tools we use every day are designed to foster a collaborative, problem solving culture. People who join Google are often surprised by the access they have to tools like Buganizer and to information resources like other teams post-mortems. As you saw at I/O, we use information to build some incredibly helpful tools, sharing knowledge to build better and smarter without reinventing the wheel.
And more than ever, we need to take care of good information we hold. User data has long been subject to very tight security restrictions. Across our PAs and business teams we increasingly partner with a growing range of companies in various industries, many of which are highly regulated. The data we work with — content like customer health care records, payment information, product plans, device specs, or financial projections or our own internal material — is often governed by strict contractual requirements and national laws. Failing to comply with our obligations exposes Google and each of us to signification risk.
In addition to controls and information access and processing, we have longstanding data security policies that classify the types of information we work with and that make clear when its appropriate to access and share and when it is not. So I wanted to take moment to remind everyone of those policies which apply to Google’s internal information as well as to information relating to our work with partners.
As a reminder, our data security policy established three categories of information.
“Public” covers any information that Google has explicitly and intentionally made available to the public, like Keyword blog posts.
“Confidential” covers any non-public business or company financial information that is appropriate to share broadly with other Googlers. Think daily insider emails, product dog foods, or physical site information about our offices published on Moma, or this email…
“Need-to-know” covers sensitive information that should not be shared beyond certain people, typically the individuals or teams working directly on a specific project who are authorized to have the information to do their jobs. Examples of need-to-know information could include notes or emails from a product teams’ brainstorming, candid project evaluations, details of an organization’s budget or strategic plan.
Some things to bear in mind and some steps you can take
It’s a violation of our policies to improperly access, copy, or share confidential or need-to-know information, whether or not it is explicitly marked. Doing so could subject you to disciplinary action. We have fired people who violated our data policies.
If you see information marked or shared inappropriately, please flag it to the data owner or report misdirected data. If you’re not sure whether something is confidential or need-to-know, ask the owner. If you’re not sure who has access to your data or whether it had been inadvertently shared too widely in the past, use this handy drive visibility tool to quickly scan your drive account. It will show you the levels of access on each of your files. E.g. Which ones are available to any Googler with the link and let you change any incorrect settings.
If you’re creating emails or other documents containing Google confidential or need-to-know information, make sure to label them appropriately to minimize the risk of unintended exposures. We’ll be rolling out additional training as we extend communications on our policies throughout the year. There are also some helpful links at the bottom of this email.
Thanks for re-familiarizing yourself with these policies, checking the status of your files, and for taking this as seriously as we do.
Do you work at Google? Got a tip? Contact this reporter via Signal or WhatsApp at +1 (209) 730-3387 using a non-work phone, email at firstname.lastname@example.org, Telegram at nickbastone, or Twitter DM at @nickbastone.