Ask HN: How do you hire remotely when you have to turn over the crown jewels?

7 points by loopdoend ↗ HN
How are people managing having remote workers who have full access to their codebase?

What happens when they turn around and steal your code and launch a competing service?

How do you sue some digital nomad?

20 comments

[ 3.3 ms ] story [ 47.7 ms ] thread
If its that much of a concern don't hire "some digital nomad" and instead hire someone in a country (or state) that has to follow your laws, non-compete, and NDA agreements.
is this a resolved problem outside of remote work?

as far as I have ever been able to tell 'trust' is a commodity that has to be managed no matter how the work is being done.

to put it another way : does a lawsuit actually prevent an employee from stealing the code and launching a competing service?

Not sure whether their 'remote' attribute is the biggest concern if they're liable to behave in that way.

"Hire the right people" might be the best advice; remote or otherwise.

Pretty much everyone takes a copy of the codebase they've been working on with them when they leave, unless it's too huge to copy without being noticed. For reference purposes more than anything.

I know people with private copies of some decent chunks of FAANG source code, for example. They'd never leak it, it's tucked away just in case they want to refer back to it, for whatever reason.

Just don't worry about it, it's not a big deal.

This has never, not once crossed my mind. I've worked at two FAANG companies and I'm fairly certain that at least at Google they'd be able to tell you've exfiltrated some code, and even if they couldn't it's morally questionable to be doing that in the first place.

High risk, very low reward

I haven't worked at a FAANG but I don't delete my local copies of codebases that I largely wrote myself.

Yes, it's probably illegal and ethically questionable.

I don't show or sell the codebase to anyone else. It's more for me to refer to when I encounter a similar problem that I recognize I already tackled years ago. I'm not going to copy verbatim, but if it can save me time to refer to a working implementation of a solution I need to repeat, I'm going to do it.

And this happens pretty rarely, but I'm competing in this job market with people who are doing the same, or, if they're not, probably have much better memories than myself. If I can keep up with competition by referencing things, it improves my own ability to do the work I do.

I'm in my late 30s btw, so already at the point in my life where I need to do whatever I can to keep a competitive edge against 20-somethings in the industry... I'm very concerned about my memory continuing to get worse and the implications it may have on my employability, despite not having much money saved up.

If we're ever in some weird sci-fi future where people who leave jobs have their memories erased, I'll gladly delete my copies of code I wrote. That way, at least my age will only work against me in the context of my current job.

Until then, I don't see why someone with perfect recall should be able to refer to things they worked on in the past, and I shouldn't.

That’s one of the tricks at google. There are no local copies. Your laptop never actually has the repo checked out into the file system.
"I'm in my late 30s btw, so already at the point in my life where I need to do whatever I can to keep a competitive edge against 20-somethings in the industry"

I am interested to explore this recurring theme, in that how does 10 years difference at that age make such a big difference?

When you think a world class sprinter is not regarded to coming into their own until their 30's at best, it can't be physical condition.

Then you think, is it mental condition, the ability to absorb and adapt to new things, and sharpness of memory? But I wonder if not, when I think back to my 20's and of my friends and collegues, any sharpness was well overwhelmed in a wholistic sense by inexperience and often excessive hubris.

I would have said 30's is about when an individual may have accumulated enough balance and skills to really start considering to eb able to deliver, unless being managed exceptionally well earlier in life.

So that leaves possible other factors

1) Many manegers are quite young these days and don't like to manage people older than them, for a wide variety of reasons.

2) Tech is cashing in on a bunch of unpaid work when they acquire fresh young talent who have worked hard in their own time for many years previous, to be up to date with the latest languagse/stacks etc. After ten years unless they have really kept up, they are stale.

3) Once you hit 30, you might be a little sick of living to work and want to spend more spare time with family and friends, so therefore maybe not doing the extra (unpaid) work to do more and/or keep up.

4) Once you hit 30, tried your guts out, been unlucky with hitting the fuck off money and still really need to work, maybe the hunger is gone. (or that is the perception)

5) It's a cult and there is no reason, but once the club has formed that's how it runs.

By now I am getting more and more out there, but all of the above have some premise of plausability, but I am interested to know what everyone's experiences/thoughts are from SV/tech.

Note of Context:

I work in another country, in a tech based field being industrial engineering of electrical and control systems, but any ageisim doesn't seem to really kick in until after 50, if at all.

But it is a bit more conservative, and uptake of new tech is much slower compared to SV because the risks are far more tangible (long lead very big money projects, possible harm to human life) and the conservative position is to do what is known to work. Breaking things is not in the normal acceptable range of outcomes.

The slower rate of new tech adoption is especially because Final Investment Decision (FID) may not occur until 10-20% of potential budget has been expended doing front end studies and tightly defining the path forward to completion.

I thought it was pretty clear from my post... my memory is much worse than it was in my 20s (and I have <10 years of professional experience). A 20-something with 10 years of experience is going to remember the things they solved in those 10 years (or they are much more likely to anyway). I might remember that I solved it once, but the details of how are entirely elusive.
OK, I just don't remember anything like that at 30, if anything I was just coming into my own

Is it actual capacity of memory, or amount of information required on tap so much higher?

At age 35 there was not quite mobile phones as common items, and I could rememebr 200+ landline numbers off the top of my head, people used to call out to me for them across the room.

I have to document the shit out of everything I work on so that if I come back to it 3 days later I can remember what the hell this component/module/api is supposed to do.

In my mid-to-late 20s when I started programming professionally I didn't have the experience to know how important thorough documentation was, but it didn't cause problems for me because I could generally just remember all the things I had worked on.

Definitely not everyone. Referring back to stolen code would be high risk and minimal return. Instant dismissal with chance of lawsuit style risk.

I periodically have to reimplement things from scratch and that is indeed irritating. Fortunately version N is usually better than N-1.

The solution to that annoyance is open source.

I've had about a dozen different jobs over my career and not once have I even thought about squirreling away an employers code base. I'd say this is a far from common practice.

I think it would be a big deal (worth worrying about) to have physical/digital proprietary information in your possession after you left the company.

This is an outlier rather than a norm.
How is this any different from having full access in an office?
This problem is much worse if you have an unmotivated untrustworthy person sitting in the office, meaning they have access to your internal LAN, too.

But in any case, you handle it the same way you'd handle this problem with regular employees. Get their personal data written down as part of the employment contract. Verify that it seems plausible. If legal issues occur, sue them at that address.

You have some good points, but digital nomads carry some challenging risks. They may be in unfriendly legal environments, and if they choose to move during the conflict, it can be very difficult to shift legal proceedings. Local employees are in a known legal environment, which the company is more familiar with, and locals are less likely to move than 'nomads'.
Require the nomads to set up a permanent company presence in a country that works for both of you and then hire them as consultants with a draconian NDA. That way, you can always sue the company and the government will surely keep in contact with the person that is legally liable for paying taxes.
1. Don't hire someone without knowing who they are. 2. Be prepared to sue if it came to that.

If you're US based and hiring US employees, you'll already have plenty of personal info available to be able to pay them, so you're unlikely to not know who they are.

If you're hiring out contract workers via 1099s, this is part of the risk.

Ways to lower this risk: - Meet in person before hiring. - Check references. - Check past work.

Also, if what you're actually worried about is someone launching a competing service, unless they have resources to Marketing, Sales, and Operations, it's unlikely to be so trivial as to just stand up your source code and have a viable business. And if it is that easy, you're probably not making any money now anyway.

I don't hire, but work for a 100% remote company. All of our code is open source, so I don't have any more access to take it than random person on the Internet. Don't make secrecy the key to your company's value.

For what it's worth, though, clearly a company needs some secrets even if the code isn't. I've only worked on government contracts and they handle this in a pretty simple way. You're required to use a CaC to access anything. That means you need to be a US person and go in person to an ID card office to have your identity and location verified. While your company doesn't have the means to set up remote offices all over the country to verify identities and issue smart cards to your employees, you can at least have them go to IdentiGO or something to get fingerprinted, which has the same effect of verifying they're in a locality where you can sue them and they won't easily disappear if they steal something from you. Remote workforce doesn't mean all of your employees are digital nomads. They can have a nice, stable, law-abiding existence in a US city that just happens to not be the same one you're in, and that is easy enough to verify.