A now-former Google employee has been charged with stealing the ad giant’s AI trade secrets while quietly working for two Chinese companies – after easily defeating whatever security controls Big G had in place.
On Wednesday, the US Dept of Justice revealed an indictment that names Linwei Ding, aka Leon Ding, and states that during his time at Google his job involved the “development of software that allowed GPUs to function efficiently for machine learning, AI applications, or other purposes required by Google or Google Cloud clients.”
Ding, a Chinese citizen, was authorized to access confidential Google blueprints related to its datacenters, including hardware infrastructure, the software platform, and the AI models and applications they supported.
Prosecutors allege [PDF] Ding copied the contents of Google source files into the Apple Notes application on his Google-issued MacBook laptop, then converted the Notes files into PDFs that he uploaded into a Google Cloud account he operated.
Google’s data-loss prevention systems did not immediately detect that method, we’re told, and Ding is alleged to have exfiltrated over 500 documents between May 2022 and the same month in 2023.
The documents “detailed information about the architecture and functionality of GPU and TPU chips and systems, the software that allows the chips to communicate and execute tasks, and the software that orchestrates thousands of chips into a supercomputer capable of executing at the cutting edge of machine learning and AI technology,” according to the Justice Dept.
In June 2022 Ding was approached by a Chinese AI startup called Beijing Rongshu Lianzhi Technology Co Ltd and offered a job as its Chief Technology Officer, Uncle Sam says. In October 2022, while still working for Google, Ding traveled to China and participated in investor meetings to raise capital for Rongshu, which by April 2023 was telling investors he had taken the CTO gig, we’re told.
The next month, Ding founded his own AI company in China, called Shanghai Zhisuan Technology Co. Ltd and touted it as capable of accelerating machine learning workloads, including training large AI models powered by supercomputing chips.
Google was not aware of Ding’s work at Rongshu nor Zhisuan, nor that he was in China – the accused allegedly allowed another Googler to use his employee badge at office entrances to create the appearance he was still in the USA.
Ding left China in March 2023, then returned in November of the same year. On that trip he pitched his startup to Middle Kingdom investors by touting his expertise on and knowledge of Google’s AI infrastructure, which he said Zhisuan would replicate and improve, we’re told.
In December 2023, while Ding was in China and still employed by the American web giant, Google spotted him uploading more stolen documents to a Google Drive account, it is claimed. Ding told Google’s investigators he was just keeping evidence of his work – the sort of thing anyone would apparently do to back up their employment history.
He told Google he wasn’t planning to leave, agreed to delete the docs, and signed an affidavit affirming he had done so, according to prosecutors.
But, we’re told, he didn’t disclose the other files he had uploaded, nor his affiliation with Rongshu or Zhisuan.
Then on December 26, he resigned.
Three days later, Google reviewed surveillance footage and saw Ding’s employee ID badge being used by another staffer, it is said. The search giant also learned of Ding’s investor pitches in his role as Zhisuan CEO.
On January 4, Ding’s laptop was frozen and his access to Google networks revoked.
The FBI soon investigated and used a warrant to find the 500 files Ding uploaded to the G-Cloud.
And on Wednesday, March 6, this year, Ding was arrested in Newark, California, the Bay Area city where he lived. The 38-year-old now faces four charges of theft of trade secrets.
The DoJ’s announcement is full of angry proclamations about the USA’s resolve to protect itself from IP theft.
“The Justice Department will not tolerate the theft of artificial intelligence and other advanced technologies that could put our national security at risk,” reads Attorney General Merrick Garland’s canned quote. “We will fiercely protect sensitive technologies developed in America from falling into the hands of those who should not have them.”
The Register is struck by Google’s own protections being not very fierce, given Ding was able to exfiltrate without detection for a year, and work from China without being detected for six months.
We asked the web titan if it has changed its infosec practices since it detected Ding’s alleged doings. A spokesperson told us: “We have strict safeguards to prevent the theft of our confidential commercial information and trade secrets.
“After an investigation, we found that this employee stole numerous documents, and we quickly referred the case to law enforcement. We are grateful to the FBI for helping protect our information and will continue cooperating with them closely.”
Might want to double check how strict those safeguards are. ®