Trade Secrets and Theft by Steganography: When a Picture Contains a Thousand Words

sunrise-in-golden-gate-bridge-san-francisco-california-usa-picture-id1059094760-300x300In November 2018, the U.S. Department of Justice rolled out the China Initiative. This new policy includes plans to “identify priority Chinese trade theft cases, ensure we have enough resources dedicated to them, and … bring them to an appropriate conclusion quickly and effectively.” The new Attorney General, who has a master’s degree in Chinese Studies, supports the Initiative and intends to continue to advance it.

A number of defendants have been indicted under this new policy in quick succession. The indictments have come under a range of criminal statutes, including trade secret theft and economic espionage laws. Officials have acknowledged that similar previous efforts have sometimes failed, and it is unclear whether the recent indictments will actually result in guilty pleas or criminal convictions. Regardless, certain allegations are notable not only for the China Initiative policy driving them, but also for the steganography allegedly utilized to steal the trade secrets.

Typically, accusations are based on allegations of relatively simple methods of theft. For example, several recent cases involve accusations that an employee took photos of a computer screen displaying trade secret information. This act was alleged in a China Initiative trade secret theft case brought in February regarding a formulation for a coating for the inside of beverage cans, and in another one brought in January regarding Apple’s self-driving car project. Other China Initiative trade secret theft cases involve accusations of removing part of a robotic phone testing system from the owner’s laboratory in a computer bag, or copying files onto thumb drives.

But an indictment unsealed just a couple of weeks ago is more intriguing. United States v. Xiaoqing Zheng, Case 1:18-mj-00434-CFH (N.D. NY Aug. 1, 2018) includes charges of economic espionage and conspiracy to steal trade secrets regarding turbine technologies from General Electric Corporation. GE apparently became suspicious of its employee after it was discovered that files on his work computer had been encrypted using a program that the company does not provide to its employees. GE installed monitoring software on the computer to determine what information was being encrypted and what was being done with it.

The indictment states that the software captured the employee plugging an iPhone into his work computer, copying a photo of a sunrise onto the computer, adding text to the photo stating “Happy Fourth of July,” and saving the photo file in a temp folder. The employee then allegedly inserted a read-only copy of 40 encrypted files containing GE’s proprietary information into the binary code of the sunrise image file. He allegedly attached the file to an email message, typed “Nice view to keep” into the subject line of the e-mail, and sent the message from his work e-mail account to his personal e-mail address. The indictment explains that a person tasked with routine e-mail monitoring by GE “would have seen the digital photograph in Zheng’s GE e-mail, but unless they knew where to look within the binary code of the digital photograph, they would only have seen a photograph of a sunset.”

Image steganography is not new, and in fact criminals have utilized steganography to spread malware for some time. DOJ has even indicted others for attempted trade secret theft using these techniques before. But the affiant in the Zheng indictment states that these techniques are “uncommon even among trained computer experts, and both GE Digital analysts and FBI agents specializing in cyber crimes have told me that they were aware of these measures in theory, but that they had never actually seen a subject employ them.” What does this case mean for employers and employees concerned about protecting their trade secrets?

Whether or not the case signals a new trend in employee trade secret theft, companies may want to check their policies to determine whether and how this situation could have been addressed if it had happened to them. At minimum, specific prohibitions on the use of non-company-issued encryption software on work computers make sense. In certain circumstances, prohibitions on transferring files between personal phones and work computers, and/or prohibitions against attaching files to personal emails issuing from a work computer, may also be reasonable given the potential use of steganographic techniques. Of course, companies must also comply with labor and privacy laws regarding any monitoring of computers.


Can a Reporter’s Twitter Account Be a Newspaper’s Trade Secret?

Artificial Intelligence and Money Laundering: Would AI Catch Marty Byrde?

The Tricky Art of Assessing Damages for Infringement of Software-Related Patents