6

If I were to bring a freelancer onto my team, there is the concern of technological theft. There are plenty of platforms that allow for hiring freelancers, but with our company's profit margins being razor thin, a freelancer stealing proprietary information would be devastating. This is an international company and we have been having issues with our technology being stolen by China and sold back to people in the US. What would be the correct course of action to bring in a freelancer but also protect the company's interests?

1
  • 1
    Optimize on your business profit model to be not razor thin.
    – ina
    Commented Jul 7, 2022 at 8:16

4 Answers

5

This is not just a freelancer problem. You have the same problem with employees.

There are two parts to solving this problem - people and process.

On the people side, it is important to hire reputable people, people who will sign an agreement and honor it. Background and reference checks can help here. Once hired, it is important to continue to educate about how loss of technology would hurt everyone and how to prevent such losses. Generally speaking, most technology "leakage" happens when an individual makes a security mistake.

On the process side, it is important to manage critical information and critical technology. That can mean limiting the knowledge to certain people, monitoring how they use that information, and checking for any leakage. The technology protection process requires constant upgrading as new risks appear. You also need to consider how to recover from disasters and ransomware attacks.

For an example of managing critical information, the encryption keys at a bank are kept broken into pieces and several people have to work together to put the keys together to load them into PIN pads or decryption boxes. No one person has all the knowledge.

Finally, if your company's profit margin is that small, I would recommend bringing in people who can help your company develop products or services that can command higher profit margins. Leave the low margin areas for the Chinese and have a better life.
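The split-knowledge idea from the bank example above, as an added sketch that is not part of the original answer: the key is XOR-split into one component per custodian, so any group smaller than all of them holds only random bytes. The XOR scheme, the function names and the HMAC-based check value are assumptions chosen for illustration; the answer does not say how banks implement the split.

```python
import hashlib
import hmac
import secrets
from functools import reduce


def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("components must all have the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def check_value(key: bytes) -> str:
    # Assumption: a truncated HMAC-SHA-256 stands in for the cipher-based
    # key check value that payment devices show after a key is loaded.
    return hmac.new(key, b"key-check", hashlib.sha256).hexdigest()[:16]


def split_key(key: bytes, custodians: int) -> list[bytes]:
    """Return one component per custodian; every one is needed to rebuild."""
    if custodians < 2:
        raise ValueError("split knowledge needs at least two custodians")
    # The first n-1 components are pure randomness ...
    components = [secrets.token_bytes(len(key)) for _ in range(custodians - 1)]
    # ... and the last is the key XORed with all of them.
    components.append(reduce(xor_bytes, components, key))
    return components


def combine(components: list[bytes], expected_check: str) -> bytes:
    """Reassemble the key and refuse it unless the check value matches."""
    if not components:
        raise ValueError("no components supplied")
    key = reduce(xor_bytes, components)
    if not hmac.compare_digest(check_value(key), expected_check):
        raise ValueError("components do not assemble to the expected key")
    return key


if __name__ == "__main__":
    master = secrets.token_bytes(16)  # constructed sample key
    parts = split_key(master, custodians=3)
    kcv = check_value(master)
    print("all three present:", combine(parts, kcv) == master)
    try:
        combine(parts[:2], kcv)  # one custodian absent
    except ValueError as err:
        print("two of three:", err)
```

The check value lets the custodians confirm that the assembled key is the right one without any of them seeing it in the clear.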

4

Typically, one seeks to address these concerns from a judicial standpoint with non-disclosure agreements. However, in many/most jurisdictions if need be, this must be followed up by actual will and ability to enforce any transgressions. Having said that, making external contributors sign lawyer-speak documents seems worthwhile, although it probably will not deter people where the primary objective always was theft.

From a technical standpoint - if possible, one could ensure that no (external) contributor ever has the full picture, but only works on isolated modules that don’t have significant stand-alone value.

This is easier said than done, as most software tends to be an entangled mess where knowledge of other modules is essential to even run what should be isolated tests.

De-coupling one’s application into separate modules is not always simple and to non-technical staff (project managers, some business owners) it can seem a largely academic waste of resources. But perhaps framing the reasoning behind improving the architecture as a business concern addressing IP-theft will gain more traction.

2

Is this software or other?

If software, for the most part there's no way to prevent theft unless you have something rather unique, or under patent. General application software is reused all over the world without the original source really knowing it. In international settings, all but the big players have no IP rights leverage due to the cost/level-of-effort taking legal action.

Software contractors almost always keep copies of the applications they're working on, whether they have IP rights or not. You can have them sign they'll delete any copies of it upon termination, but good luck with that.

A better way is to factor your application into components and assemble it with trusted hands only. Contractors would get small parts only, never the entire application or enough of it to matter much should they reuse it elsewhere.

0

Interesting question. As another answer suggests, dealing with trust issues is a basic problem faced in all kinds of vocations, not just with freelance programmers or technologists.

Employees naturally have an edge when it comes to betraying your trade secrets compared to freelancers, just because they happen to be fully in on them in the first place. With freelancers, you already start with a position of cautioned trust since they're a third party. Besides, the same thing applies to all professions. Imagine what kind of havoc your accountant or CA can bring with the kind of information he has! Or even your surgeon or doctor.

Having said that, below are a few pointers which you may want to follow before hiring freelancers in order to satisfy your tinfoil hats:

  1. Invest some time in doing a thorough check of the freelancer. Visit their LinkedIn, website, GitHub, etc. See what kinds of projects they've built and whether they pertain to the skills they're claiming to possess. Do they have sufficient skill endorsements or recommendations on LinkedIn? What kinds of things do they say on Twitter? You can make a good judgment from all of this.
  2. Make sure there isn't any conflict of interest by checking what kinds of projects they've taken in your industry. Did they work for any of your competitors? Usually, this is never a problem as freelancers seldom have enough organizational or business management skills sufficient enough to start a competing business like yours. Common sense should suggest that they wouldn't be doing freelance programming if that were the case. But there is a chance that they might approach your competitor to sell the same software as they developed for you - the infamous Google vs. Uber lawsuit comes to mind, in which an employee infringed on IP relating to self-driving cars when he switched from Google to Uber. But remember, he was an employee, not a freelancer! Such concerns can only be mitigated legally (like signing an NDA for the project).
  3. Don't give them actual production data. Even when you provide them samples for testing, alter it slightly as you see fit. Ask yourself whether that data or information is needed for building the software, only then do it. This will not only protect your privacy but compartmentalization will make it harder for the freelancer to reuse your business information in any meaningful manner by themselves.
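One way to prepare test data along the lines of point 3, as an added example that is not part of the original answer: fields the contractor does not need are dropped, identifiers are replaced with keyed pseudonyms of the same shape, and amounts are shifted by a repeatable few percent. The field names, the masking key and the sample rows are constructed for illustration.

```python
import hashlib
import hmac

# Assumption: the masking key stays in-house and is never given to the contractor.
MASK_KEY = b"constructed-demo-key"
# Only the fields needed to build the feature; everything else is dropped.
NEEDED_FIELDS = ("id", "name", "email", "account", "amount")


def _digest(field: str, value: str) -> bytes:
    return hmac.new(MASK_KEY, f"{field}:{value}".encode(), hashlib.sha256).digest()


def mask_digits(field: str, value: str) -> str:
    """Replace a numeric identifier with other digits of the same length."""
    number = int.from_bytes(_digest(field, value), "big")
    return str(number % 10 ** len(value)).zfill(len(value))


def mask_record(record: dict) -> dict:
    """Return a test-safe copy: same shape, no real identities or exact amounts."""
    masked = {k: record[k] for k in NEEDED_FIELDS if k in record}
    if "name" in masked:
        masked["name"] = "Customer-" + _digest("name", masked["name"]).hex()[:8]
    if "email" in masked:
        # The same input always maps to the same output, so joins still work.
        tag = _digest("email", masked["email"].lower()).hex()[:10]
        masked["email"] = f"user-{tag}@example.test"
    if "account" in masked:
        masked["account"] = mask_digits("account", masked["account"])
    if "amount" in masked:
        # Shift each amount by a repeatable factor between -5% and +5%.
        factor = 0.95 + _digest("amount", str(masked.get("id")))[0] / 255 * 0.10
        masked["amount"] = round(masked["amount"] * factor, 2)
    return masked


# Constructed sample rows, not real data.
PRODUCTION_ROWS = [
    {"id": 1, "name": "Alice Example", "email": "alice@corp.example",
     "account": "4000123412", "amount": 1250.00, "notes": "VIP, call first"},
    {"id": 2, "name": "Alice Example", "email": "Alice@corp.example",
     "account": "4000123412", "amount": 80.50, "notes": "pricing tier B"},
]

if __name__ == "__main__":
    for row in PRODUCTION_ROWS:
        print(mask_record(row))
```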
