Blowing the whistle on wrongdoing is harder than ever for tech workers
A weak whistleblowing regime is in nobody’s interest
Most tales of sleaze, malpractice and fraud within the tech industry are only able to hit the front pages once an internal employee speaks out. In pursuit of public safety, employees who blow the whistle put their career, finances, health and sometimes life at the mercy of their former employers. It is rarely easy for someone to disclose wrongdoing or illegality at work, but harder still when your employer is a trillion-dollar company stacked with resources to fight back. Regulation of ‘Big Tech’ exists in a patchwork, unlike the blanket regulation that exists for sectors like financial services, pharmaceuticals or aviation, and the feeble protection offered by the Public Interest Disclosure Act doesn’t exactly make the prospect of speaking out enticing. Whistleblowers perform an important service in exposing both criminal behaviour and risks to public safety; a robust legal and regulatory whistleblower protection regime acts both as an instrument of social justice and as an incentive for organisations to behave in an accountable way.
In January, I started researching how AI workers might use whistleblowing as a mechanism to unveil and prevent the development of unsafe AI products. But the more I researched, the more I realised the reporting problems that AI developers face are not unique to their profession, but stem from the deeply structural barriers that workers in the tech industry more broadly and whistleblowers across the UK face from the outset. The aims of this piece are to outline how the whistleblowing regime in the UK falls short, what risks are particularly pervasive for tech workers, and what measures the UK government could take to reform the system. The information and conclusions I present below are based on conversations and interviews with technology regulation experts, legal and policy experts from whistleblowing charities, whistleblowing solicitors and barristers, and tech workers who work in startups and AI labs.
Different Types of Tech Whistleblowing Cases
Exposing illegal practices
Cambridge Analytica -
The Cambridge Analytica-Facebook scandal is a key case of a whistleblower exposing breaches of existing data protection regulations. In 2018, former employee Christopher Wylie revealed that the firm had harvested data from millions of Facebook users without their consent. This data was used to create detailed voter profiles and influence key political events, including the 2016 US presidential election and the Brexit referendum. Wylie's disclosures brought to light the misuse of personal data by Cambridge Analytica, which was found to already be illegal under UK and EU law - both the Data Protection Act 1998 and the Privacy and Electronic Communications Regulations 2003 (GDPR was not yet fully in force). Given the US did not have the same level of privacy regulation, the US Federal Trade Commission more tenuously found that Cambridge Analytica had acted illegally by using deceptive tactics to harvest data.
The Post Office-Fujitsu -
The Post Office scandal involved over 700 sub-postmasters being wrongly accused of stealing money between 1995 and 2015 due to accounting errors in Fujitsu’s Horizon IT system. Despite repeated warnings about system faults, the Post Office dismissed concerns, insisting the system was not to blame. Many sub-postmasters were given fines in the tens of thousands, sometimes above a hundred thousand pounds; others did jail time. In 2015, Richard Roll, a former software engineer at Fujitsu, spoke to Panorama about how some Fujitsu employees had remote access to terminals on the Horizon software, something both Fujitsu and the Post Office had furiously denied. Roll’s disclosure played a key role in a High Court hearing which ruled that the accounting imbalances were ultimately down to bugs in the Horizon software and not theft by sub-postmasters.
Exposing unethical behaviour
The Uber Files -
In 2022, former Uber executive Mark MacGann leaked 124,000 internal documents to the Guardian. The files revealed Uber’s aggressive and unethical approach to global expansion between 2013 and 2017. Revelations included the use of a ‘killswitch’ to prevent police and regulators accessing information during raids, the use of a fake app, ‘greyball’, to dupe specific individuals (e.g. policemen) with fake cabs, and an aggressive and ethically dubious lobbying strategy which implicated Emmanuel Macron, George Osborne, and Neelie Kroes (former EU Digital Chief). The latter secretly acted as a lobbyist on behalf of Uber, despite her request for permission to work for Uber directly after leaving her EU post being denied. Though there is little doubt that Uber acted illegally in several countries, MacGann’s disclosure unveiled a culture of promoting unethical and illicit behaviour to aid Uber’s expansion, including risking passenger and employee safety.
The Facebook Files -
In 2021, former Facebook employee Frances Haugen leaked thousands of internal documents, ‘the Facebook Files’, to the Wall Street Journal. The files revealed that Facebook's algorithms amplified divisive content to increase engagement, and that the company often ignored its own research on the platform's harmful impact on users, particularly teenagers, as well as its amplification of content related to self-harm and its weakness in blocking violent content outside English-speaking countries. Haugen filed eight separate disclosures to the SEC and testified before Congress in November of that year, as well as appearing before the British and European Parliaments to comment on social media regulation.
Concerns about safety or potential product harms
Google’s AI models (Timnit Gebru) -
In December 2020, Dr. Timnit Gebru, co-lead of Google’s Ethical AI team, was controversially made to leave the company. The conflict arose when Gebru co-authored a paper highlighting the risks of large language models, including environmental impact, inscrutability of the models, and bias reinforcement. Google demanded she retract the paper, and when Gebru refused to, she was fired, although Google claimed she resigned. Gebru’s concerns were not that Google had behaved explicitly illegally but were about the risks related to products it was developing. Her method of disclosure - co-authoring a paper commissioned by her employer - is atypical of a tech whistleblower, but her case is also remarkable because of her seniority at Google before she was forced to leave.
Google’s AI models (Blake Lemoine) -
In 2022, Blake Lemoine, another Google engineer, gained attention when he publicly claimed that LaMDA, an AI chatbot developed by Google, had become sentient. He argued that the AI exhibited human-like emotions and consciousness, and shared conversations with LaMDA to support his claims, including conversations where the chatbot expressed fears of being turned off and a desire for recognition of its rights. Google, and most AI experts and psychologists, dismissed Lemoine's concerns, and he was eventually fired. Lemoine’s case highlights how, when dealing with disclosures based on perceived safety threats as opposed to clear-cut fraud, the line between a reasonable disclosure and a frivolous one can quickly blur.
Tesla (Cristina Balan) -
Cristina Balan, a former engineer at Tesla, became a whistleblower after raising concerns about safety and quality issues within the company. Balan, who worked on the design of Tesla’s Model S, reported defects related to battery safety and the manufacturing process. When she brought these issues to the attention of Tesla’s management, she faced significant pushback. According to Balan, instead of addressing her concerns, Tesla's management retaliated by sidelining her and eventually forcing her out of the company in 2014. After her departure, Tesla portrayed her as a disgruntled former employee in a hit-piece in the Huffington Post, which Balan claimed damaged her reputation and career. She is still engaged in a defamation lawsuit against Tesla.
Tesla (Lukasz Krupski) -
More recently, a former employee of Tesla in Norway, Lukasz Krupski, was fired for raising concerns about safety at Tesla. He then leaked confidential - and personal - company data to Handelsblatt, which revealed safety flaws in the company’s autopilot system.
The Status Quo of Whistleblowing in the UK
Most whistleblowers in the UK are covered by the Public Interest Disclosure Act (PIDA), which was passed in 1998. Despite its limits, PIDA was a landmark piece of legislation when it was passed. It is fairly comprehensive, covering virtually all employees in the UK - unlike in the US, for example, where only workers for public companies are given protections. PIDA’s scope is wide, covering disclosures about a risk to someone’s health and safety, a miscarriage of justice, risk or actual damage to the environment, criminal offences, and cover-ups. On paper, the legislation protects whistleblowers from being fired, blacklisted, or in any way victimised. However, PIDA has demonstrably fallen short on multiple fronts over the last 26 years.
# Standards for Employers
Unlike the more recent EU Whistleblowing Directive, PIDA puts employers under no compulsion to investigate the claims made, no matter the gravity of the claim. Employers are also not mandated to have an internal reporting system, although sectoral regulators like the Financial Conduct Authority (FCA) and Prudential Regulation Authority (PRA) do individually go further in their requirements for employers. Unless the claims are about explicitly illegal behaviour or fraud, there is no way for whistleblowers to legally force their employer to look into the harms outlined in the disclosure.
# Making a Qualifying Disclosure
In order to be protected under PIDA, whistleblowers must have a ‘reasonable belief’ that their claim is true and have made a disclosure in ‘the public interest’ (i.e. not an individual employment issue). Although this doesn’t pose a particular problem for most whistleblowers, it also matters to whom the disclosure was made. Under PIDA, the whistleblower should have made the disclosure internally or to a prescribed regulator, ombudsman or an MP. Disclosing to the media only guarantees protection if the wrongdoing is particularly egregious or if there is an imminent threat. Most regulators are already overburdened with workload and don’t see whistleblowing disclosures as a priority, with the exception of a few, including HMRC. Equally, most MPs won’t know exactly what their role as a prescribed authority under PIDA entails or how far their duty of confidentiality extends.
# Retaliation and Career-consequences
Despite retaliation against whistleblowers in any form being illegal under PIDA - including firing, bullying, ostracisation or even being moved to a different department - backlash from managers is not uncommon. Employees who complain or ‘snitch’ are viewed as troublemakers. If retaliation does happen, how is the victim supposed to prove that it was in response to their disclosure? Blacklisting is virtually impossible to prove, whilst arguing that a demotion or change in role is performance-related is easy for corporate legal teams. Most PIDA cases take 1-2 years to reach the final hearing, and the risk of unemployment and becoming unemployable deters whistleblowers from making a disclosure.
# Access to Justice
Only 4% of claims made under PIDA are successful, or in other words, employers are all but guaranteed a win against former employees. When a whistleblower makes a claim under PIDA, the burden of proof lies with them to prove that their dismissal or retaliation was related to their disclosure. Overwhelmingly, they end up having to represent themselves in court or rely on charity support against former employers who can afford to rack up six-figure legal fees. There is no legal aid available to whistleblowers and the employment tribunal being cost-neutral (i.e. neither side pays the other’s legal fees if they lose) means the potential damages a whistleblower receives in the unlikely event that they win the trial might not be enough to cover their fees, particularly for lower-paid workers in factories or retail. The damages are almost never enough to make the emotionally strenuous and career-damaging ordeal of a 2-year employment tribunal worth it. In rare cases, judges can even order whistleblowers to pay a portion of their employers’ fees.
Whistleblowing is Uniquely Difficult for Tech Workers
# No Overarching ‘Technology’ Regulator
In the UK, regulation of ‘tech’ tends to focus on regulating products and not sectors as a whole, as opposed to finance, aviation, or pharmaceuticals which are all fairly comprehensively regulated by the FCA/PRA, CAA or MHRA respectively. Though Ofcom, the CMA, and ICO have come together to form the Digital Regulation Cooperation Forum, regulation of the sector remains patchworky and claims about certain forms of wrongdoing within a technology firm can fall through the cracks. It might be obvious for an employee that data privacy breaches should be reported to the ICO, but to whom should an engineer worried about harms in a foundation model they’re working on report? Wrongdoing in tech can often be a whole lot more complex than a tax fraud case in HMRC because perceived ‘big picture’ harms are not always explicitly illegal, as was the case for Timnit Gebru and Frances Haugen’s disclosures.
Regulation of tech products is also much harder, as specialist expertise is needed in a way that it is not for complaints about tax fraud, for example. Existing regulators are overstretched with responsibility and limited resources, leaving them unable to prioritise or even fully process whistleblower disclosures.
# Culture in Big Tech & Startups
Employees blowing the whistle on a Big Tech employer face a huge inequality of arms when it comes to the courts. Large tech firms can bankrupt their employees and use this as a means to discourage legal action in response to retaliation by threatening to come armed with a legal team that costs millions. Whistleblowing legal advisers I’ve spoken to confirm that whistleblowers they support have directly been threatened by Big Tech employers, scaring them into avoiding the courtroom. Additionally, they can be very liberal with their use of NDAs to go after individuals. In general, tech has a higher proportion of whistleblowers who settle, especially when compared to other employers like the NHS, because both the financial and mental strain of taking a Silicon Valley giant to court is colossal.
Whereas the FCA and PRA’s strict whistleblowing procedure rulebook ensures most employees in large financial institutions are well aware of both internal and external disclosure routes, this is not the case for most tech workers. Research engineers I’ve spoken to, including in both startups and in Big Tech AI labs, have not been made aware of what whistleblowing or reporting procedure exists within their firms. For them, the obvious route seemed to be escalating to their line manager and there were no obvious anonymous reporting systems. In large firms with hundreds of teams, it can be difficult to know where to escalate concerns if your line manager ignores them. Particularly in startups, independent reporting systems are low down the priority list. Whilst it would be shortsighted to assume data engineers in large firms are incapable of searching up their employer’s procedure - a quick search reveals Google employees can make an anonymous report to their Audit Committee - this is not nearly as clearly signposted to all employees as it is in large financial institutions.
Culturally, tech as an industry tends to operate with a ‘move fast, break things’ ethos and is more resistant to regulation that it feels stifles innovation, particularly employment regulation. The sector’s resistance to regulation and transparency has inadvertently encouraged workers to leak information or disclose wrongdoing to the media or public.
# Worker Demographics and Close-Knit Industry
Tech firms employ a high proportion of migrant workers on skilled visas, who depend on their employer to be sponsored to remain in the UK. If these workers complain or make a disclosure that gets them sacked, they would have to go to an employment tribunal, which they are already unlikely to win and which can take up to 2 years to conclude. Unless they can find another employer soon after being fired, they would not be able to remain in the UK. Employers have almost no incentive to even offer a settlement in these cases, and so migrant workers are hugely disincentivised from putting their livelihood and resident status at risk to report wrongdoing.
Finding a job after being fired for making a disclosure is hugely difficult because of how small the UK tech sector is. High-profile whistleblowers will almost certainly never be able to work in the same industry with the same level of executive power again. For lower-ranking workers who don’t make a public disclosure, it is easier to find a job, but informal blacklisting of former employees is not uncommon. It is fairly easy for hiring managers to share details of ‘troublemaker’ employees with teams in other firms without consequence - how would someone prove or even know that they aren’t able to secure another job because they’ve been blacklisted? This problem is far worse for people working in AI development - there are only so many places ML engineers can work - and so the risk of being blacklisted is far higher.
Measures to Reform the UK’s whistleblowing regime
# Updating the Legislation
A fairly easy and cheap way of improving whistleblower protections is to include journalists as prescribed bodies (which, though controversial, mandates journalists to keep the identity of the whistleblower anonymous and protects both parties from being hit with SLAPPs) and to expand the definition of ‘worker’ protected by PIDA to include non-executive directors, trustees, volunteers and unpaid workers, contractors, shareholders, and job applicants. Mandating firms and organisations over a certain size to have clearly signposted internal and external disclosure channels (as is required in the EU Whistleblowing Directive) and compelling them to have an internal procedure to investigate the claims is also a fairly simple way to eliminate some of the barriers and disincentives to making a disclosure. For those more interested in the details of PIDA and where it falls short, I highly encourage you to read Protect’s 2022 ‘Draft Whistleblowing Bill’.
# A Dedicated Government Whistleblowing ‘Entity’
Opinions on whether this should take the form of a government office for whistleblowers, an Ombudsman or a Commissioner vary, but it is generally agreed upon by people who work with whistleblowers that there should be some public entity dedicated to supporting whistleblowers and filling regulatory gaps. There has been a headstrong campaign by WhistleblowersUK for the government to establish an Office of the Whistleblower, but there is no reliable evidence that it would be the most effective or efficient way of supporting whistleblowers. If an Office of the Whistleblower were there to process claims, there would likely be overlap between its role and that of other regulators, leading to duplication and inefficient processing. A similar entity in the Netherlands, the Dutch House of Whistleblowers, was both investigating claims and advising whistleblowers, which led to conflicts of interest; the aims of a regulator do not always align with what is best for a whistleblower. Given how overstretched existing regulators are, an Office of the Whistleblower is likely to be the same and there is a risk that the office becomes a blocker to quick processing of information. However, if the office’s powers lay not in investigating cases but enforcing efficient processing of whistleblowing claims in existing regulatory agencies, preventing information leakage or retaliation by regulators, the office would play a more helpful role.
Separately, there are still gaps in where whistleblowers can go to make a disclosure. For AI workers, especially those working in frontier labs, there is virtually no regulator to make a disclosure to. However, the AI Safety Institute could fairly easily fill the gap by opening a reporting channel for AI workers and having a small team dedicated to investigating claims.
# Improving Access to the Courts
PIDA was originally a private members’ bill, and so though it was supported by the government, there was no money allocated towards it, meaning no legal aid is available to claimants. Whistleblowers overwhelmingly have to rely on overstretched charities like Protect or Signals Network for legal advice or represent themselves. State-funded legal representation for whistleblowers would likely improve the 4% PIDA success rate by a significant margin. In lieu of any real plans to instate legal aid for employment tribunals, state funding of civil society groups that provide pastoral and legal advice to whistleblowers could be a cheaper and less controversial way to improve access to justice for whistleblowers. There is a strong principled argument for some level of state support, given how many whistleblowers put their livelihoods and wellbeing at risk to bring information about public safety to light.
I can’t imagine there is Treasury appetite for another legal aid funding battle but there are other legislative changes that can be made to remove some of the barriers to justice. Reversing the burden of proof so it falls on the employer to prove that the employee’s dismissal or treatment was unrelated to their disclosure is one way. In theory, if the employee has been fired or demoted for a separate and valid reason, it should be easy to prove so.
Another way is to introduce qualified one-way cost-shifting (QOCS), where, like in personal injury cases, the respondent (employer) can be forced to pay the whistleblower’s legal fees if they lose but not vice versa, meaning the claimant (whistleblower) doesn’t risk having to pay their employer’s legal fees if they lose their claim. This both makes it more likely that the whistleblower will win damages worth their time and makes it easier for private lawyers to offer to represent whistleblowers on a no-win-no-fee basis if they believe the case can be won. Of course, this by no means will make it easier for a minimum-wage retail worker to make a claim against a supermarket giant, but it goes some way to re-centring the balance of power between whistleblowers and employers.
# Financial Incentives
Whistleblowers in the US who have tips about a public company can disclose information through the SEC’s whistleblower programme, which, if it leads to successful prosecution and fine, rewards the whistleblower with 10%-30% of the value of the fine. Some whistleblowers do quite well out of it. It is lucrative enough that US law firms sometimes recruit whistleblowers from the UK if they believe they have a serious chance of winning from the rewards programme. In the UK, only HMRC offers a similar, though far less lucrative, rewards programme. Though it might feel un-British to commercialise doing the right thing (unlike the Americans who even pay people to donate blood?!), offering financial incentives for information leading to prosecutable offences is an effective way for regulators to both get better information about illegal activity and make back a lot of their costs in fines. It is, however, still important to remember that rewards aren’t an alternative to serious damages or compensation, as successful tips are few and far between.