DISCOVERY ORDER

Re: Dkt. No. 110

THOMAS S. HIXSON, Magistrate Judge.

The parties have filed a joint discovery statement concerning whether Plaintiffs Lawrence Olin, et al., may disclose Defendant Facebook, Inc.'s source code to their proposed experts, Dr. Istvan Jonyer and Dr. Jae young Bang. ECF No. 110. The Court continued the hearing on this dispute pending a ruling on Facebook's motion to dismiss. On October 31, 2019, the parties filed a status report concerning this dispute, ECF No. 144, and the Court heard oral argument today.

By way of background, Plaintiffs are suing Facebook for its alleged exploitation of a vulnerability in the permission setting for the Facebook Messenger1 smartphone application that existed in prior versions of the Android operating system. Sec. Am. Compl. ¶ 1, ECF No. 88. When users install the app, they are prompted to grant Facebook access to their contacts and then are given the choice to allow or deny. But when they made that choice, the app scraped users' call and text logs, which Facebook then monetized for advertising purposes. Id. Or at least that's the allegation. Plaintiffs say this conduct ended in October 2017, when the Android OS fully deprecated this vulnerability in all versions of the Android SDK. Id. ¶ 22. They now purport to sue on behalf of a nationwide class for violations of the California Computer Data Access and Fraud Act, violations of the California right to privacy, and for intrusion upon seclusion, unjust enrichment and fraud. Id. ¶¶ 36-65.

On April 3, 2019, Plaintiffs provided Facebook with a list of their proposed experts to whom they intend to show Facebook's source code. Facebook objected to two of them, Jonyer and Bang. As to Jonyer, Facebook objected that he "worked for Facebook competitor Google from August 2010 to February 2012." ECF No. 110-1, Ex. A. In addition, Facebook objected that Jonyer has an "active consulting business working with a variety of technology companies, including NearMe, NimbleVR, and startups coming out of Stanford and in the `ex-Google network.'" Id. As to Bang, Facebook objected that he "worked for Kakao Corporation for three-and-a-half years until just two months ago when he left to work for Quandry Peak Research. As Dr. Bang's resume discloses, he designed and implemented the user identity platform used by over 100 million people who use Kakao services, including KakaoTalk, which is a messaging app available on Android devices." Id.

The Protective Order in this action, ECF No. 91, states that "the Party opposing disclosure to the Expert shall bear the burden of proving that the risk of harm that the disclosure would entail (under the safeguards proposed) outweighs the Receiving Party's need to disclose the Protected Material to its Expert." Id. ¶ 7.5 (unnumbered subparagraph). But it also defines an expert as "a person with specialized knowledge or experience in a matter pertinent to the litigation who (1) has been retained by a Party or its counsel to serve as an expert witness or as a consultant in this action, (2) is not a past or current employee of a Party or of a Party's competitor, and (3) at the time of retention, is not anticipated to become an employee of a Party or of a Party's competitor." Id. ¶ 2.6 (emphasis added). Facebook argues that Jonyer and Bang do not come within the definition of an "expert" and therefore are per se disqualified under the Protective Order, and thus Facebook has no burden to prove risk of harm under paragraph 7.5. In other words, as Facebook reads the Protective Order, the definition of an "expert" screens out certain groups of people who are categorically unqualified from being an expert, and then leaves a subset of people who are presumptively qualified, and the burden under paragraph 7.5 only applies to people in that subset. In the alternative, Facebook argues that it has shown risk of harm. Plaintiffs disagree with Facebook's interpretation of the Protective Order and additionally argue that no showing of risk of harm has been made here.

As an initial matter, it is factually true that both Jonyer and Bang are past employees of a competitor of Facebook's. Jonyer worked for Google in 2010-12. ECF No. 110-1, Ex. B. Google competes with Facebook for advertising revenue, as Plaintiffs themselves allege. Sec. Am. Compl. ¶ 17 ("the online advertising industry has formed into a duopoly between Facebook and Google"). Also, Gmail and Google's messaging applications are services that compete with Facebook Messenger. Jonyer's work at Google focused on Google TV, the predecessor to Chromecast, ECF No. 110-1, Ex. B, and no one contends that product was or is in competition with Facebook.2 Bang worked for Kako from 2015-2019. ECF No. 110-1, Ex. C. Kakao makes a messaging app that competes with Facebook Messenger. Plaintiffs assert that Bang's work was limited to the app's user authentication platform and that he did not participate in the development of KakaoTalk (the messaging app).

The Protective Order in this action is based on the District's model order. As Facebook observes, at least one court in this district has rejected an attempt to modify the model order in a way that would have allowed the plaintiffs to hire former employees of a defendant's competitors as experts, noting the "unnecessary risk of competitive harm if the court permitted Plaintiffs to hire the former employees of [Defendant's] competitors as experts." Corley v. Google, Inc., 2016 WL 3421402, at *2 (N.D. Cal. June 22, 2016). In TVIIM, LLC v. McAfee, Inc., 2014 WL 2768641 (N.D. Cal. June 18, 2014), the Court explained that "[t]his district clearly requires that an `expert' under the Protective Order may not be `a past or current employee of a Party or of a Party's competitor,'" id. at *2. In that case, the plaintiff's proposed expert was then-currently employed by ImmuneSoft, which defendant McAfee claimed was a competitor. Id. When the plaintiff failed to address that issue head on, the Court took that as a concession and found that the proposed expert "is not an `expert' as defined by the Protective Order." That section of the Court's order did not go on to assess the risk of harm in determining whether to allow that person to serve as an expert. In isolation, that section of the order therefore seems to support Facebook's view that paragraph 2.6 of the protective order categorically excludes certain people from the definition of an expert, so no further analysis of risk of harm is needed. On the other hand, the proposed expert in TVIIM was also a named inventor of the patent at issue, and in the next section of the order the Court held that this was an additional reason not to allow him to have access the defendant's confidential information, and the Court included an analysis of risk of harm in that section of the order. Accordingly, this case does not cleanly support Facebook's argument that being outside of the definition of "expert" is the end of the matter, since the Court did end up doing an analysis of risk of harm, albeit in the next section of the order.

Plaintiffs cite to Codexis, Inc v. EnzymeWorks, Inc., 2017 WL 5992130 (N.D. Cal. Dec. 4, 2017).3 In that case the protective order had a different definition of an expert, stating in relevant part that an expert is someone who "does not have a current business relationship with a Party or Party's competitor," and it defined a business relationship to mean "being a current employee, being a current consultant pursuant to a consulting agreement, and/or being a current member of the Board of Directors or Scientific Advisory Board of a Party or of a Party's competitor. Id. at *6 n.11. The plaintiff Codexis moved to disclose confidential information to its expert witness, David Dodds. The defendants objected "on the basis that he consults for three biological companies." Id. at *6. The Court concluded that "defendants have failed to meet their burden to establish that the companies with which Dr. Dodds has an ongoing relationship directly compete with them." But it also went on to say that "even if the companies were found to be competitors, the technology at issue here is clearly different than the subjects of `competition' identified by defendants, and, as a result, none of their disclosures pertain to those potentially problematic areas." Id. at *8 (emphasis added). Thus, this passage in Codexis, while dicta, does stand for the proposition that falling technically outside the definition of an "expert" because of work for a competitor (there, a current consulting relationship; here, a past employment relationship) does not moot the inquiry into risk of harm.

To the same effect is Verigy US, Inc. v. Mayder, 2008 WL 4183493 (N.D. Cal. Sept. 8, 2008). In that case the defendants objected to two proposed plaintiff experts stating that they previously were employed by a competitor of the defendants. The Court did not make a finding regarding competitor status but instead noted that the two proposed experts had retired from the other company and neither had an ongoing relationship with it and therefore there was no risk of harm. Id. at *1. Thus, this case also shows that falling outside the definition of an expert because of an affiliation with a competitor is not categorically disqualifying in the way that Facebook asserts. Accordingly, in line with Codexis and Verigy, the Court finds that even for a proposed expert who used to be an employee for a competitor of the defendant's, the Court must still conduct the risk of harm analysis referred to in the last sentence of paragraph 7.5 of the Protective Order.

Performing this analysis, the Court finds that disclosure of Facebook's source code to Jonyer does not pose a risk of harm. Jonyer ceased working for Google seven years ago, and his prior work for that company was wholly unrelated to the technology at issue in this case. If he signs the acknowledgment and agreement to be bound that is attached as Exhibit A to the Protective Order, there is no reason to think there is a risk of harm from disclosure. See Verigy, 2008 WL 4183493, at *1.

But Bang is a different situation. Until nine months ago, he worked at Kakao in South Korea. ECF No. 110-1, Ex. C. KakaoTalk is a messaging app that allows users to send messages, photos, videos, voice notes and their location for free. ECF No. 110-2 ¶ 10. It's available in the United States for Android and Apple devices. Id. It is the largest competitor to Facebook's Messenger app in South Korea. Id. ¶ 11. Although Plaintiffs state in the discovery statement that Bang's work was limited to the user authentication program, Bang's resume states that his "[r]esponsible systems include[ed]" — in addition to "user authentication system for all Kakao services" — "[t]he anti-abuser and anti-spammer system" and "[t]he personal information protection system." ECF No. 110-1, Ex. C (emphasis added). Indeed, in the October 31, 2019 status report, Plaintiffs argue that it is important for them to be able to use Bang as an expert in this case because he "has several years of experience in software development practice focused on security and privacy-protection systems." ECF No. 144 at 2-3. Looking at his resume, this must be a reference, at least in part, to his time at Kakao — a fact Plaintiffs acknowledged at the hearing. This experience at Kakao working on privacy protection is concerning, rather than reassuring, because this lawsuit is about Facebook Messenger's access to users' personal information. In short, Bang was employed very recently at a company whose services include the biggest competitor in South Korea to Facebook Messenger, he worked on that competing service, and it appears that some of his work there concerned a subject matter that is at the heart of this lawsuit. Bang is not today employed by Kakao, but he did work there for almost four years, could go back there, and certainly still knows people there. The fact that this work was in a foreign country means that enforcement of the acknowledgment and agreement to be bound by the Protective Order would be impracticable if Bang did go back to work at Kakao, armed with knowledge of Facebook's source code.

Plaintiffs argue that they would be prejudiced if they were unable to use Bang as an expert. He has a Ph.D. in computer science from University of Southern California, and his areas of expertise include software design and architecture of Android apps and software version control technology, which they say are essential in analyzing how a software system has evolved and was developed over time. They assert, as noted above, that he also has several years of experience in software development practice focused on security and privacy-protection systems. Bang does sound highly qualified, but given the technology industry in the Bay Area and Silicon Valley, there are a multitude of people nearby who have similar qualifications. Plaintiffs have articulated no reason why they need Bang in particular.

Facebook's objection under paragraph 7.5 of the Protective Order to Plaintiffs' disclosure of its source code to Bang is SUSTAINED and as to Jonyer is OVERRULED.

IT IS SO ORDERED.