6

Firstly, a disclaimer. This question is not because I'm a disgruntled employee planning to hide some malicious code which I can later blackmail my employer with. I actually quite like the people I work with - just simply curious.

So if an old employer needed a password for some resource that only I had. Would I be obliged to give it to them or could I (probably unwisely) stick it to them and either refuse or charge an outrageous "consulting" fee for providing that password?

Or what if I designed some component for them like some sort of underlying encrypted security layer that required some a hash key that only I had, would I be obliged to give it to them?

These two scenarios are generally the fault of the employer, but what if in the third scenario, I built this component in stealth, without them actually knowing? I don't necessarily mean the component was built with the sole intention of locking the employer out in the future, it may have actually served a good purpose - it just never got documented how it functioned because company had poor documentation processes or developers were too busy etc.

In that scenario, when they finally need this hash key, would I be obliged to provide it?

gnat
  • 21,213
  • 29
  • 113
  • 291
RoboShop
  • 2,780
  • 6
  • 30
  • 38
  • 7
    I think this comes pretty close to not being a real question because the answer depends entirely on the facts of the case and the jurisdiction. As stated it's a nebulous hypothetical. In the California at least things like this can get very ugly and even escalate into criminal charges. Consider the case of Terry Childs: http://www.networkworld.com/slideshows/2008/071708-report-it-admin-locks-up.html – Charles E. Grant Apr 27 '11 at 04:01
  • 2
    If you stick it to them, what do you suppose the old employer will say when future potential employers call asking about your work there? – Kyralessa Apr 27 '11 at 05:03
  • 1
    @kyralessa : no one is saying it's a good idea. The question is about professional courtesy and legal obligation. – RoboShop Apr 27 '11 at 05:08
  • 1
    Your question doesn't say "legal" anywhere; you just said "obliged." You could have easily meant "moral" obligation or "professional" obligation or something else. – Kyralessa Apr 27 '11 at 05:18
  • The question does shine a bad light on an employer that doesn't think to obtain any of that kind of information when an employee leaves their company. Seems to me that when someone leaves a job, either willingly or unwillingly, it should be the first objective of their manager to find out everything they have access to currently and gather all relevant IDs, passwords and serial numbers and schedule their removal of access to said systems and resources. – BBlake Apr 27 '11 at 12:19
  • 5
    Best thing to do is come clean with all passwords and such before you leave. If they call you afterwards, chances are you've forgotten that info anyway and can honestly say you gave all such info when you left. – Mayo Apr 27 '11 at 16:01
  • @Charles: Terry Childs didn't reveal passwords and such when required to while employed, and kept vital information on his own laptop encrypted with a key only he knew. He did that while employed. Anybody setting up a time bomb or similar would likely be hit with criminal charges, but it may be worth considering accidental situations. – David Thornley Apr 27 '11 at 19:34
  • @RoboShop, I just love the question – DisEngaged Apr 28 '11 at 05:49

8 Answers8

29

When I was let go from a recent place of employment, I took the approach of telling them straight up which systems I had access to, and demanded they deny me access immediately. I had them change passwords, told them locations of all secret keys, deactivate my door entry codes, etc, and preemptively prevented the problem from happening. I then and had them write a letter saying they did so.

I thought that was the best way to get myself off any potential hook. If they had problems after that, it was pretty clear it was their problem and not mine.

whatsisname
  • 27,703
13

To not provide keys in the situations you described would be:

  1. Unethical
  2. Unprofessional
  3. Immature
  4. ..I am not a lawyer, so I won't say "illegal", but I will say that your former employer probably has more lawyers at his disposal than you do, and there's a good chance you'll find yourself snarled up in a lawsuit.

You're right to say that it would be "unwise" to try to stick it to a former employer by taking advantage of their poor documentation to hold them to ransom.

Carson63000
  • 10,500
  • 1
    I believe there was a case in San Francisco a few years back where a disgruntled sys admin got into legal trouble for withholding a password. – Mayo Apr 27 '11 at 16:00
  • +1 remember more lawyers ,lol assuming you need many to fight your supposedly good one. I think it would be right to state more finances to tackle legal hassles. – Aditya P Apr 27 '11 at 16:02
  • 1
    @Mayo: Childs did considerably more than withhold a password after being fired. Had he followed procedure while an employee, that password would have been unnecessary. – David Thornley Apr 27 '11 at 19:36
10

If they are a previous employer, meaning the work you did for them belongs to them, then yes, you should give it to them. In fact, you might be legally obliged to. Ideally you should have given them everything before you left. Even more ideally, before you left you should have given them everything and not kept a copy of it.

When it comes to such things as algorithms they cannot understand or your successor cannot figure out... that is not your problem. Help them or do not help them as your conscience and wallet require.

Martin Maat
  • 18,435
GrandmasterB
  • 39,224
  • 3
    In a "don't burn your bridges" kind of vein, I have been happy to help former employers with queries via phone/email for a couple of weeks/months after leaving. There's no real reason not to (unless the requests start getting outrageous or they don't start to trickle away after a reasonable amount of time...) – Dean Harding Apr 27 '11 at 04:54
  • 1
    @Dean Harding: Agree entirely, I look at is as an obligation in the sense that you rightfully owe them this level of respect. – Chris Apr 27 '11 at 16:42
3

You are absolutely obliged to make sure they have copies of stuff like this. And understand why. That's what being a professional means. Legally it probably depends on who's paying the lawyer, but in practice... leave a positive impression.

Not keeping a copy is important too. But more important is making it really, really clear that they need to have a copy of whatever it is and why. I've left one place I contracted at with two copies of a CD with the code, key and executable as well as instructions for making more and a USB key with the critical private key on it. Why? It was the key to their billing system that let them decrypt (and hence bill) customers credit card details. Without that key they'd have to contact every customer and get their credit card details again. I was in there partly to fix the problem of the CC details being in the database in clear (and visible to CSRs).

One thing I leave with employers when I go is a list of all the usernames and passwords I've generated while I worked there. If I think it's necessary I'll generate a new OpenID to get a set of SO accounts just for that employer. More often it's support forums for software they've bought. But whatever it is, they paid for it, they own it. This also helps the next guy to sit in my seat - they have an idea of what exactly I did from the forum posts, and they're not scratching round trying to work out how to access the development Db server or something, because they're all in the list.

  • 1
    Whilst I agree that doing all the above is a good idea and professional. I believe it is the companies responsibility to ensure they have this data in the first place, or at least ensure they have it before your departure. What if an employee was to die suddenly? It is not the employees responsibility in most cases to protect against loss of this nature. – Orbling Apr 27 '11 at 04:43
  • 2
    To me it's part of the service they're paying for - the whole point is that they don't need to know how to do my job, I'm there to do things that they can't do for themselves. Part of that might be pointing out that certain information is critical. –  Apr 27 '11 at 05:08
  • 1
    Aye, pointing it out, yes - you could be deemed remiss if you did not. But the point is, a single employee with delicate or essential information is a disaster waiting to happen, so the company must plan against it. Once you are no longer an employee, by whatever route, your obligations to the company usually cease - depending on certain contractual clauses, but they are usually of the "refrain from" type. – Orbling Apr 27 '11 at 11:27
  • 1
    @Orbling: yes. Very much yes, about the single point of failure especially. But also the "once you're gone that's it". I see that as a reason to make them panic if that's the only way to get the scale of the problem to sink in. "only I know the password to renew your domain. I'm cycle touring in South America for the next year. See ya". –  Apr 27 '11 at 21:22
  • 1
    Aye, when I left my last company they had really caused me grief and there was a mass exodus (85% of staff within one week). I'm still voluntarily helping out one or two of my subordinates who stayed. – Orbling Apr 27 '11 at 21:52
3

When it comes to company property maybe we need to avoid:

a resource that only I had

Sort of the 'hit by bus' or 'won the lottery' scenario. Nothing is perfect, but based on a lot of the answers it is something to consider.

JeffO
  • 36,816
2

So if an old employer needed a password for some resource that only I had. I'd provide all keys and etc when I left. If I'd forgot anything I'd email it. I agree with the other comments and Carson63000, its a safer option. However outside that, you aren't required to offer any support or give them any help. Although if you built your own third-party API outside work and was selling this API to other third-parties or you built it prior to working at your previous job. Well I'm no lawyer I don't believe they have a right to the source. Being Professional is always the best way, for your own future in the industry.

Nickz
  • 1,430
  • Be careful with "you aren't required to offer any support" as it really comes down to what you signed when you started employment there. I would guess most contracts do not have a after you leave support clause but you never know. – Chris Apr 27 '11 at 16:43
  • 2
    @Chris: Consultant or employee contracts typically cover the time of employment. I'm not sure what the legalities would be if a contract did specify continuing support without payment, but I really doubt it'd hold up in court. Support after leaving is a matter of professional courtesy. – David Thornley Apr 27 '11 at 19:38
  • @Chris: Typically I can't imagine a contract of continuing support after leaving employment as @David thornley stated. Any employer who thought otherwise would be fool. Service equal pay and pay equals service. Unless they your contract specified warranty for a give project. Still for an individual to be held accountable for a warranty period. – Nickz Apr 27 '11 at 23:23
2

I won't touch the legal - I'm not a lawyer. All three options sound sketchy enough to me that in a real world scenario, my advice would be "do not pass go, go directly to lawyer".

In the hypothetical, I think you have to ask, what game are you trying to win? I think, ethically, you are obliged to give passwords, keys, and information about anything you developed (overtly or covertly) within the system - even if the employer doesn't ask. I'm sure the lawyers can have a great, expensive fight about it, but I'd have problems respecting an engineer who didn't do some sort of hand off of this nature.

I think it also runs counter to enlightened self-interest. In the long run, do you want:

  • a 1 time big bag of cash - probably not enough to retire on.
  • a reputation for being ethical, helpful and decent?

In the long run, I think the latter is going to make you more money.

I know that if I was in the position of being your coworker, I would be inclined to recommend you for jobs in the future, if I could count on you sparing a few minutes to get me information that you were paid to provide once upon a time way back when - even if you are long gone, even if you weren't asked in your exit interview, even if you gave the company the info and they lost it. Generally, my expectation is that engineers help each other out.

If I know I can count one on someone, even after they've left the group/project/company - then I will go out of my way to work for them or do them a good turn in the future. If I think that I and my company will get hosed when we ask for a piece of information that takes 5 minutes to provide, then I will go out of my way to avoid working with the person in the future. I will, however, buy free lunches for the right to pick former coworker's brains.

NOTE: This is my assumption - it takes a few seconds to 10 minute to dig up the info and provide it. If we're talking hours or days, then it is, IMO, OK to ask for some cash to cover time... 10 minutes is professional courtesy, 2 hours is a support contract. That said, make the fee reasonable, not the "I've got you over a barrel" rate.

bethlakshmi
  • 7,625
1

I won't touch the legal aspects of this, but I will say that I would act as I would want some one else to act if I was the boss. IE Don't be a jerk.

If nothing else the high tech world is small enough that getting a reputation and a jerk is a good way to kill future jobs. Really If you leave make sure passwords are changed and access is revoked. It will protect you from headaches later.

Zachary K
  • 10,413
  • 2
  • 38
  • 55