Published by The Lawfare Institute
in Cooperation With
In 2021, former Facebook product manager Frances Haugen disclosed tens of thousands of pages of internal Facebook documents to the Securities and Exchange Commission, Congress, and the Wall Street Journal. The so-called Facebook Files exposed the inner workings of a company struggling to address the many kinds of harms its product caused. For critics of Facebook and of social media platforms more generally, the Facebook Files provided a welcome glimpse into the company’s internal policies and dynamics, many of which up until then had been largely inaccessible to outsiders. In revealing Facebook’s inner workings, Haugen received a hero’s welcome: She was interviewed by 60 Minutes, profiled in Time magazine, and invited to testify before Congress.
Beyond the substantive and systemic problems that the Facebook Files revealed, Haugen’s disclosures also were notable for how they came about: not through a corporate press release or a letter from Sen. Ron Wyden (D-Ore.), but through an individual who worked at the company and became disillusioned with its progress. At the time, breathless news coverage heralded the “new era of tech whistleblowing” that Haugen apparently augured. Amid growing consensus that the tech sector ought to be more transparent, whistleblowing and leaking offered a sudden and significant pathway to exposing the industry’s secrets.
In a forthcoming article, from which this piece is adapted, I argue that whistleblowing occupies a central but often overlooked position in technology law and policy. Because the technology industry is largely secretive, whistleblowing and leaking play an essential part in informing regulators, lawmakers, and the public about critical issues of public concern. Despite their intuitive appeal, however, leaking and whistleblowing are deeply imperfect ways of steering public debate and policymaking. Lawmakers can embrace tech whistleblowing as an important contribution to transparency and use the law to more productively shape and channel disclosures.
Tech Whistleblowing as Information Flow
Tech law and policy are afflicted with serious information asymmetries. Lawmakers, regulators, and the public often struggle to understand the technological developments, internal policies, and other factors that shape the regulatory environment and the public sphere. This lack of information contributes to the “pacing problem”: the apparent gap between technological innovation and effective regulatory oversight. In the context of debates about how to effectively regulate digital platforms, artificial intelligence, self-driving cars, and other emerging technologies, a critical consideration is how to get the information necessary to understand even the basics of these developments.
The tech industry’s proclivity toward secrecy amplifies this problem. Tech firms often aggressively leverage trade secrecy and corporate confidentiality to shield corporate information from public view. While some firms use transparency reporting to disclose information about privacy, content governance, and other issues, these voluntary disclosures are often incomplete. Many tech companies use broad nondisclosure agreements to prevent employees from speaking about a wide range of issues and topics and often bar workers from speaking to journalists via other means. To control corporate information, companies use complex policies on internal and external communications (like requiring workers to vet social media posts with public relations), technical restrictions on access (like prohibiting workers from accessing colleagues’ calendar items), and extensive workplace surveillance (like tracking workers’ keystrokes, mouse movements, and even their personal electronic devices).
Against this background of broad-scale secrecy, unauthorized leaks of information from tech company insiders play an essential role in oversight and accountability efforts. They provide valuable sources of insight into problematic dynamics that are otherwise largely invisible to lawmakers and regulators. And they serve to challenge the broad assertions of secrecy so common in the technology industry.
The Law of Whistleblowing
In light of the significance of whistleblower disclosures, one might expect that the law would protect or even incentivize workers who decide to come forward about their company’s wrongdoings. After all, a key rationale for whistleblower protections rests on the importance of regulatory and law enforcement access to insider information. Technical and organizational complexity makes it easy for firms to do wrong and to get away with it. Regulators, therefore, rely on insiders to come forward with evidence of illegal activity. From financial regulation to workplace safety and beyond, whistleblowing plays a critical role in ensuring that regulators and oversight bodies can monitor organizations’ compliance with their legal obligations. In recognition of that role, many statutes incorporate provisions that protect whistleblowing workers from retaliation by their employers.
But the United States lacks general whistleblower protections that would protect workers who disclose wrongdoing. Instead, U.S. workers are protected by a patchwork of state and federal statutes and judicially created exceptions to the general rule of at-will employment. Unlike in Europe—where the European Union’s whistleblower directive requires member states to adopt at least minimum standards to protect whistleblowers across domains who report legal violations—American whistleblower protections are typically specific to subject matters, industries, or legal domains.
The structure of whistleblower law has therefore led tech workers to unexpected legal sources of protection that have, at first glance, little to do with technology itself. Broad protections for whistleblowers under the nation’s securities laws make them a particularly appealing and powerful source of protection for workers. Under the Dodd-Frank Wall Street Reform and Protection Act, individuals who disclose information about violations of the securities laws to the Securities and Exchange Commission (SEC) are not only protected from employer retaliation; they also stand to reap significant financial rewards. The nation’s securities laws prohibit people from making false or misleading statements of fact in connection with the sale of securities—for example, in quarterly or annual reports. So if firms make statements in their public disclosures and filings that might mislead investors about the risks of their products or the steps they are taking to address identified risks, the SEC may investigate. The Dodd-Frank whistleblower protections recognize that it is workers who are most likely to have access to information that undermines or calls into question many of the generalized and carefully worded commitments that firms make in their disclosure documents. Importantly, Dodd-Frank also shelters workers who disclose information about potential violations, not just established violations. Additionally, even if the SEC never investigates or takes action based on a whistleblower’s disclosures, the individual is shielded by the anti-retaliation provisions of Dodd-Frank. Collectively, these features make Dodd-Frank a broad and appealing source of protection for workers who see their employers’ promises as at odds with reality.
Tech workers who have spoken out about unjust workplace matters have also turned to labor law for protection. Sections 7 and 8 of the National Labor Relations Act (NLRA), which protects workers who engage in “concerted activities for the purpose of … mutual aid or protection” from retaliation or interference, have become particularly salient. The NLRA’s “concerted activity” provisions have encouraged tech workers to organize to improve their material working conditions while also advocating on “political” issues such as cooperation with immigration enforcement or climate change. Tech worker organizing explicitly mingles concerns about the workplace with broader concerns about the ethics and politics of the products that tech firms are building, selling, and deploying. In a growing number of cases before the National Labor Relations Board, tech workers who have been engaged in organizing and later fired are successfully claiming that their employers terminated them in violation of labor law.
But in many domains, tech workers who “blow the whistle” on corporate malfeasance are totally unprotected. Consider, for example, Christopher Wylie, the former Cambridge Analytica employee who violated his nondisclosure agreement (NDA) with the company to go public to the Guardian. Wylie’s revelations prompted a significant backlash against both Cambridge Analytica and Facebook for their use of user data in political campaigns’ psychological targeting of voters. Wylie was willing to come forward even though he was subject to an NDA that prohibited him from sharing corporate information. Despite the legal and political salience of Wylie’s disclosures, no statutory provisions would have protected him if Cambridge Analytica had chosen to try to enforce its NDA in court.
Informational Effects of Whistleblowing
Whistleblowing highlights wrongdoing that might otherwise escape scrutiny and produces important information relevant to lawmaking, policy, and public discourse. As an informational source, whistleblowing is both critical and undervalued. But whistleblowing is also an imperfect mechanism to ensure that crucial information reaches an appropriate audience.
For one thing, whistleblower disclosures are often uneven. Whistleblower protections encourage disclosures in domains where Congress has spoken and implicitly discourage disclosures in other areas. If a statute shields someone who blows the whistle on financial fraud, but not someone who blows the whistle on data breaches, a plausible result is that the public learns more about fraud than about breaches. Relatedly, the high potential costs of whistleblowing might foster inequity. The likelihood that a worker will brave the consequences of violating an NDA to share important information depends on what they might have to lose. In the absence of clear statutory protections, workers face reputational, financial, and legal risks that affect how, whether, and when or if they decide to go public with their concerns. The possibility of a lengthy, costly battle against a well-resourced former employer (not to mention the professional cost of appearing disloyal) undoubtedly deters many people from coming forward. Further, empirical research suggests that women are more likely to blow the whistle on wrongdoing but also are more likely to be the victims of retaliation.
Whistleblowing also functions to stimulate what scholars have called “fire alarm” oversight in Congress. The “fire alarm” model of congressional oversight—developed initially to explain how Congress oversees executive branch agencies—relies on private individuals and groups to alert lawmakers to issues of concern and to prompt scrutiny. The “police patrol” model, in contrast, relies on Congress itself to systematically and regularly examine a representative sample of agency conduct, whether through regular oversight hearings, reports, or sunset reviews. By acutely highlighting wrongdoing, whistleblowers contribute to congressional oversight. But to the extent lawmakers are engaged in purely reactive lawmaking in response to the scandal du jour, they may also miss important dynamics that ought to be addressed. Indeed, whistleblowing related to content moderation or platform governance might amplify lawmakers’ focus on these issues at the expense of, say, a comprehensive privacy law.
All of this is to suggest not that whistleblowers ought to be discouraged but, rather, that they ought to be encouraged—and that policymakers should seek avenues to incentivize and systematize this crucial source of information. An obvious first step is for lawmakers interested in regulating platform transparency, algorithmic transparency, and other tech transparency issues to incorporate whistleblower protections into legislative text. Indeed, as lawmakers contemplate ever-more complex mechanisms for extracting information from tech companies, it is all the more important for regulators to ensure that they have access, if need be, to insider information to assess and verify compliance.
Congress should also consider amending the Federal Trade Commission Act to incorporate whistleblower protections. Although the Federal Trade Commission (FTC) is the primary regulator of emerging technology, it lacks the authority and the practical resources to systematically monitor compliance with its orders. Whistleblowers can serve as an early warning system to alert the FTC to potential noncompliance and to broader consumer harms. With the FTC’s announcement earlier this spring that it intends to launch an Office of Technology (OT), in part to assist in law enforcement investigations, the time is also right for the agency to consider how it might encourage whistleblowers to come forward. As FTC Chief Technologist Stephanie Nguyen put it in her announcement of the OT’s creation, “We need to strengthen our in-house capacity to develop new skills and methods to investigate and mitigate widespread consumer and market harms.”
Expert agencies such as the National Institute of Standards and Technology, the FTC, and the Office of Science and Technology Policy might also consider establishing whistleblower “hotlines” to receive complaints about legal and ethical violations. These agencies have substantial expertise in a variety of highly tech-specific domains and are uniquely capable of assessing complaints. Whistleblower hotlines are in widespread use in the private sector and at many agencies—including the SEC; the Commodity Futures Trading Commission; and offices of inspectors general in the departments of Justice, Commerce, Health and Human Services, and others.
Crucially, these suggestions would not just lead to better law enforcement. They would also play a vital role in ensuring that the nation’s lawmakers and regulators can make informed decisions about how to tackle evolving, emerging risks. Whistleblowing isn’t a panacea for all issues in the technology sector—but it is a vital component of oversight, regulation, and lawmaking.