Leaked recording: Inside Apple’s global war on leakers

Leaked recording: Inside Apple’s global war on leakers

Former NSA agents, secrecy members on product teams, and a screening apparatus bigger than the TSA.

By William Turton JUN—20—2017 09:00AM EST

 

A recording of an internal briefing at Apple earlier this month obtained by The Outline sheds new light on how far the most valuable company in the world will go to prevent leaks about new products.

The briefing, titled “Stopping Leakers - Keeping Confidential at Apple,” was led by Director of Global Security David Rice, Director of Worldwide Investigations Lee Freedman, and Jenny Hubbert, who works on the Global Security communications and training team.

According to the hour-long presentation, Apple’s Global Security team employs an undisclosed number of investigators around the world to prevent information from reaching competitors, counterfeiters, and the press, as well as hunt down the source when leaks do occur. Some of these investigators have previously worked at U.S. intelligence agencies like the National Security Agency (NSA), law enforcement agencies like the FBI and the U.S. Secret Service, and in the U.S. military.

The briefing, which offers a revealing window into the company’s obsession with secrecy, was the first of many Apple is planning to host for employees. In it, Rice and Freedman speak candidly about Apple’s efforts to prevent leaks, discuss how previous leakers got caught, and take questions from the approximately 100 attendees.

The presentation starts and ends with videos, spliced with shots of Tim Cook presenting a new product at one of Apple’s keynotes, that stress the primacy of secrecy at Apple. “When I see a leak in the press, for me, it’s gut-wrenching,” an Apple employee says in the first video. “It really makes me sick to my stomach.” Another employee adds, “When you leak this information, you’re letting all of us down. It’s our company, the reputation of the company, the hard work of the different teams that work on this stuff.”

Steve Jobs ran a notoriously secretive ship during his tenure as Apple’s CEO, and in 2004 the company even unsuccessfully tried to subpoena a group of tech bloggers to unmask their sources. Cook first publicly mentioned doubling down on secrecy at a 2012 tech conference, and this presentation seems intended to reveal the results of that effort.

“This has become a big deal for Tim,” Greg Joswiak, Apple’s Vice President of iPod, iPhone and iOS product marketing, says in one of the videos. “Matter of fact, it should be important to literally everybody at Apple that we can't tolerate this any longer.” Later, Joswiak adds that “I have faith deep in my soul that if we hire smart people they’re gonna think about this, they’re gonna understand this, and ultimately they’re gonna do the right thing, and that’s to keep their mouth shut.”

To make sure of it, Apple has built an infrastructure and a team “to come after these leakers,” Joswiak says, and “they're being quite effective.”

After the first video concludes, Hubbert addresses the room. “So you heard Tim say, ‘We have one more thing.’ So what is that one more thing?” she asks. “Surprise and delight. Surprise and delight when we announce a product to the world that hasn’t leaked. It’s incredibly impactful, in a really positive way. It’s our DNA. It’s our brand. But when leaks get out, that’s even more impactful. It’s a direct hit to all of us.”

“So today we’re going to share with you some of the behind the scenes of leaks that have happened on the supply chain, but also, right here in Cupertino,” she says. “So let’s paint a picture as to this team that Tim said we’d put in place.”

She then introduces David Rice to talk about the “New Product Security” team, a part of the larger Global Security team that Rice says “is really a secrecy group, we’re a little bit misnamed.” Rice worked at the NSA as a Global Network Vulnerability Analyst for four years, and before that was a Special Duty Cryptologist in the U.S. Navy. He’s directed the Global Security team at Apple for more than six years, according to his LinkedIn page. Hubbert also introduces Lee Freedman, who previously worked as the Chief of Computer Hacking Crimes at the U.S. Attorney’s Office and as an Assistant U.S. Attorney in Brooklyn, according to LinkedIn. He joined Apple to lead Worldwide Investigations in 2011.

The New Product Security team is “very heavily on supply chain,” Hubbert says, and that’s the focus of the first part of the presentation.

Historically, Apple’s biggest leaks happened when parts were stolen from factories in China. Those parts get shared with the press, like when photos of the iPhone 5 leaked in 2012, or sold on the black market.

However, Rice says, Apple has cracked down on leaks from its factories so successfully that more breaches are now happening on Apple’s campuses in California than its factories abroad. “Last year was the first year that Apple [campuses] leaked more than the supply chain,” Rice tells the room. “More stuff came out of Apple [campuses] last year than all of our supply chain combined.”

Rice compares Apple’s work of screening factory employees to that of the TSA. “Their peak volume is 1.8 million a day. Ours, for just 40 factories in China, is 2.7 million a day.” That number surges to 3 million when Apple ramps up production, he adds, and all of these people need to be checked every time they enter and exit the factory.

“In aggregate, we do about 221 million transits a year. For comparison, 223 million is the top level volume for the top 25 theme parks in the world,” Rice says. “So this is just one big theme park. People coming in, coming out, there's billions of parts flying around at any given instance. So you marry up a bunch of parts moving around plus a lot of people moving around and it's no wonder that we don't leak even more.”

The Global Security team in China has been “busting their ass” to solve the problem of leaks stemming from Apple’s factories, Rice says, describing the efforts as “trench warfare non-stop.”

“We deal with very talented adversaries,” he says. “They're very creative and so as good as we get on our security controls, they get just as clever.” Black market sellers solicit factory workers by posting signs at bus stops and factory dormitories, he says, offering “top dollar” for Apple parts.

Apple’s Chinese workers have plenty of incentive to leak or smuggle parts. “A lot, like 99.9 percent, of these folks are good people who are coming to a place that has a job, they're gonna make money, and they're gonna go back and start a business in their province or they're gonna do something else with it, support their family,” Rice says. “But there’s a whole slew of folks that can be tempted because what happens if I offer you, say, three months’ salary?’ In some cases we’ve seen up to a year’s worth of salary being rewarded for stealing product out of the factory.” Apple workers on the production line make approximately $350 a month, not including overtime, according to a 2016 report from China Labor Watch.

The most valuable part for a thief is the housing or enclosure, which is basically the metal back of an iPhone or MacBook. “If you have a housing, you pretty much know what we're going to ship,” Rice says.

Workers will stash parts in bathrooms, clench them between their toes, throw them over fences, and flush them down the toilet for retrieval in the sewer, Rice says. “We had 8,000 enclosures stolen a long time ago by women putting it in the underwire of their bra,” he says. “They're going to great lengths to steal this stuff. But it's not just enclosures. It's also anything that reveals product prior to announce.”

The stolen parts often end up in Huaqiangbei, one of the biggest electronics markets in the world, located in Shenzhen, Southern China. This market employs about a half million people and does about $20 billion a year in revenue, Rice says. One “particularly painful year” was 2013, when Apple had to buy back about 19,000 enclosures before the iPhone 5C announcement, he recalls, and then an additional 11,000 before the phones were shipped to customers. “So we're buying as fast as we possibly can to try to keep it out of every blog on Earth,” Rice says.

William Turton and Adrianne Jeffries discussed this story, with additional details, on our daily podcast, The Outline World Dispatch.

In the years since Tim Cook pledged to double down on secrecy, Rice’s team has gotten better at safeguarding enclosures. “In 2014 we had 387 enclosures stolen,” he says. “In 2015 we had 57 enclosures stolen, 50 of which were stolen on the night of announce, which was so painful.” In 2016, Rice says the company produced 65 million housings, and only four were stolen. “So it's about a one in 16 million loss ratio, which is unheard of in the industry.”

Later, during the employee Q&A, Rice gleefully recounts a blog post written by longtime Apple watcher John Gruber, in which Gruber criticized Apple scoop machine Mark Gurman, who now works at Bloomberg, for not having juicy details on Apple’s new HomePod speaker before it was released. “Even [Gruber] was like ‘Yeah, you got nothing.’ So he was actually throwing some shade out, which, like, ‘all riiight,’” Rice says, to the laughter of employees.

The presentation shifts away from China to focus on leaks coming from Apple’s campuses in the U.S. In the past, Apple’s U.S. employees have griped about draconian security measures, Rice says, because of the leakiness of the supply chain. “You always get this battle ... like, ‘Well, why do we have to do all this security stuff when our supply chain leaks so much?’” Rice says. “I think the noise has always been high here and once the supply chain noise dropped down suddenly we realized, ‘Oh crap. We have a problem here.’”

Apple embeds members of a team within Global Security, called Secrecy Program Management, on some product teams to help employees keep secrets, he explains. But when sensitive information does get out, Lee Freedman’s investigations team steps in to figure out what happened and who is responsible.

“These investigations go on a long time,” Freedman tells the employees. For example, one investigation that led to a leaker on an Apple campus took three years. “We don't take a defeatist mentality and say, ‘Oh well, it's going to leak anyways.’ For us, it's not, ‘Oh well, it just keeps showing up in the blogs and we have to live with it.’”

Hubbert prompts him to talk about two major leakers who were caught the previous year, one who worked at Apple’s online store “for a couple years” and one who worked on iTunes for “about six years.”

Both these leakers were “providing information to bloggers,” Rice says. One of the leakers started talking to a journalist over Twitter, Freedman says, while the other had a preexisting friendship with a reporter.

“So can you paint a picture of the characteristic[s] of the leakers?” Hubbert asks. “I mean, is there a common thread to what they do?”

“The common thread is they look just like you guys,” Freedman says to the assembled employees. “They come to work, they don't appear any different, and they start off with the exact same motivation about ‘I love Apple, I think this is a cool place to work, I

wanna make it better.’”

In the past, Apple has seen disgruntled employees leak after a bad performance review, he says. “But that's oftentime not what happens. We oftentimes get people who are really excited about our products and they end up finding something to share and they will go out and say, ‘Hey, guess what we did,’” he says. “Or somebody will ask them a question and instead of just saying, ‘I can't talk about it,’ they will say too much.”

Rice says that Apple’s focus on secrecy has not translated to a culture of fear. “I think what is unique at Apple is that we don’t have a Big Brother culture,” Rice says. “There’s nobody on my team reading emails, sitting behind you on the bus, we don’t do that.”

But the presentation makes working for Apple sound like working for the CIA. (At one point, Rice even refers to “blowing cover.”) There are repeated references to employees drawing boundaries in their personal lives, for example. “I go through a lot of trouble not to talk about what I work on with my wife, with my teenage kids… with my friends, my family,” an employee in one of the videos says. “I’m not telling you that you give up all relationships,” Rice says, “but that you have a built-in relationship monitor that you’re constantly using.”

“Active solicitation” is just one part of secrecy at Apple, Rice says; there is also the risk of passively mentioning something. Apple employees are expected to be discreet in their own office. The hallway and the Apple lobby are referred to as “red zones,” which “aren’t places to talk,” Rice says. The fear of accidentally “breaking secrecy” may be why some newly hired Apple employees tend to delete their Twitter accounts. Jonathan Zdziarski, a high profile security researcher, locked down his Twitter account after being hired by Apple.

“The sense we get when we talk to Apple engineers across the board is like, ‘Well gosh, what if I say something in a park? Did I just break secrecy?’” Rice clarifies that the internal myth that anything not on Apple.com is confidential isn’t true. Employees are free to share some things with outsiders, he says, like how “crappy [their] boss is” or their salary information, and they’re free to talk to law enforcement “if the company is doing something illegal.” The hard lines, he says, are around unreleased products, unreleased services, or availability of products, which Apple expects employees not to talk about with anyone who hasn’t been “disclosed.”

Rice urges employees to come forward if they are worried about having “broken secrecy.” Nine times out of 10, when people get in trouble at Apple, he says, it’s because they tried to cover up a mistake.

“Our role at NPS was created because someone spent three weeks not telling us a prototype was in a bar somewhere,” Rice says in the briefing, referring to the prototype iPhone 4 left in a bar by an Apple employee that made its way to Gizmodo in 2010. That leak was so devastating to Apple that Steve Jobs personally called the editor of Gizmodo to ask for the phone back. “The crime was in the coverup.”

Other tech companies have begun to follow Apple’s lead on instilling a culture of secrecy. According to a 2016 report from Business Insider, Snapchat CEO Evan Spiegel has a portrait of Steve Jobs hanging in his office, and the company has cultivated an obsession with leaks similar to Apple’s. Facebook is currently hiring a “Global Threat Investigations Manager,” and Google is facing a lawsuit in San Francisco alleging that the company operates an internal “spying program.”

Some of the hypothetical and real leaks discussed in the briefing seem inconsequential: the release of watch bands, or the fact that a new iPad will be “bigger,” for example. But Cook believes leaks directly hurt Apple’s bottom line. During the company’s most recent earnings call, Cook blamed flagging iPhone sales on “earlier and much more frequent reports about future iPhones.” Indeed, there have been a slew of leaks about the iPhone 8, scheduled to be announced in the fall. “Apple has a major iPhone redesign planned for 2017, with a glass body and edge-to-edge OLED display that includes an integrated Touch ID fingerprint sensor and front-facing camera,” according to MacRumors.

Such leaks may be why Apple is now hosting these internal secrecy briefings. Rice says he expects all employees to live and work within the “Adult Zone,” which essentially means to use discretion. “When I call it the Adult Zone, I really mean that,” he says. “One thing you have to recognize — I hope you recognize — is that Apple gives you an extraordinary amount of power.”

https://theoutline.com/post/1766/leaked-recording-inside-apple-s-global-war-on-leakers