When Apple Notes Become a National Security Threat

How a Google Engineer Spent His Lunch Breaks

Google employs thousands of security engineers. Spends billions protecting its infrastructure. Designs data loss prevention systems considered among the best in the industry. Linwei Ding bypassed them all with a note-taking app.

On January 29, 2026, he heard the verdict: guilty on fourteen counts of economic espionage and trade secret theft.

The Sophisticated Attack Vector: Copy, Paste, Upload

Ding didn’t breach firewalls or deploy zero-day exploits. His penetration technique would embarrass a teenager: copy confidential documents into Apple Notes, convert to PDF, upload to personal Google Drive. That’s it. Google’s data loss prevention systems, presumably designed by some of the world’s finest engineers, watched this happen 1,255 times over twelve months. Approximately 14,000 pages of TPU chip architectures, GPU configurations, and cluster management software—the infrastructure powering Google’s AI dominance—walked out through a note-taking app.

• Share your thoughts in the comments on LinkedIn.

The Art of Work-Life Balance

Three weeks into his uploading hobby, Ding received a CTO offer from Beijing Rongshu at 100,000 RMB monthly. By 2023, he’d founded his own venture, Shanghai Zhisuan. The business pitch, shared via WeChat with the operational security of a college group chat: “we have experience with Google’s ten-thousand-card computational power platform; we just need to replicate and upgrade it.”

Meanwhile, a helpful colleague badged into the California office on Ding’s behalf while he attended investor meetings in Beijing. Google, tracking neither the five-month China trip nor the competing employment nor the systematic document harvesting, noticed nothing.

The Talent Program Application

Ding’s paperwork included an application to a Shanghai government talent program—those state-sponsored initiatives that U.S. counterintelligence has warned about for years. His stated goal: helping China achieve “computing power infrastructure capabilities on par with the international level.” Prosecutors generally appreciate when defendants document their intent this clearly.

The Inevitable Geometry Problem

An “Impossible Location Signal” finally triggered: Ding’s account accessed from a Chinese IP while his badge swiped in California. Confronted on December 8, 2023, he signed an affidavit certifying he’d deleted all confidential materials. Six days later, he booked a one-way Beijing ticket. The FBI arrived January 6—one day before departure.

The jury found intent sufficient. No actual transfer required.

I. Why It Worked: A Brief History of Simple Methods

Ding fits comfortably into a tradition where trivial vulnerabilities produce catastrophic consequences.

Dropbox, 2012: An employee reused the same password for corporate and personal accounts. One of those services got breached. Attackers tried stolen credentials on Dropbox—and they worked. Sixty-eight million user records leaked. The entire “breach” consisted of typing someone else’s password into a login form.

Target, 2013: Someone sent a phishing email to an employee at Fazio Mechanical Services—a small HVAC company servicing Target stores. The employee opened it. Malware stole credentials to Target’s vendor portal. Attackers moved laterally, installed card-skimming software. A hundred and ten million customer records leaked. Entry point: one email to an air-conditioning company.

Booz Allen Hamilton, 2017: Someone configured an Amazon S3 bucket—essentially a cloud folder—and forgot to set a password. The folder contained tens of thousands of files with data on contractors holding Top Secret clearances. Anyone with the URL could download everything. No hacking required.

KNP Logistics, 2023: A 158-year-old British logistics firm—500 trucks, 700 employees—went bankrupt because someone guessed an employee’s password. The Akira ransomware group encrypted all systems. The company had no usable backups. After 158 years, it closed because one password was too simple.

The pattern holds: initial entry is banal; consequences are not.

II. The Interrogation: How the FBI Nearly Lost the Case

January 6, 2024. Saturday, 6 AM. Eighteen officers and FBI agents knock on Ding’s door. No answer. They use a battering ram.

Ding comes down the stairs as they enter. Multiple weapons drawn, targeting lasers visible on his body. He’s handcuffed, placed in a patrol car. Wife and five-year-old son brought outside but not restrained.

Fifteen minutes later, the house is “cleared.” Family returns inside. Ding stays in the car.

The “Friendly Chat” Tactic

FBI Special Agents Gregory Toole and Sam Chen approach. They remove his handcuffs. They tell him he’s not under arrest—they simply “needed to detain him while they initiated the search there for everyone’s safety.” They suggest moving to an unmarked car so neighbors won’t think he’s under arrest.

They say the conversation is “completely voluntary.” That Ding is “free.”

Free to do what, they don’t specify.

This is a classic interrogation technique taught in police training manuals: use phrases like “we just want to hear your side,” “help us understand what happened.” The objective: lower defensive barriers, get the suspect talking before he understands he’s being interrogated.

The legal problem: under Miranda v. Arizona (1966), police must advise suspects in custody of their rights before questioning. Without this advisement, statements are inadmissible.

The key question: when is someone “in custody”? The test is objective—would a reasonable person feel free to terminate the conversation and leave?

The agents told Ding he was “free.” But context said otherwise.

Ding asks if they can go to the police station, “where it’s safe.” The agents say it’s far away. Ding asks to use the bathroom. The agents say the search is ongoing but they can go inside. Ding asks if they can stay in the house. The agents initially agree, then suggest it won’t work because “it would take a little time to process the house.”

Ding says he “can hold for maybe five to ten minutes.” The agents begin questioning.

The interrogation lasts three hours and fifteen minutes. Ding gets an eight-minute bathroom break after two hours. Under escort.

Judge Chhabria’s Ruling

In an order dated June 24, 2025, Judge Vince Chhabria partially granted the defense motion. Ding’s statements were excluded as obtained in violation of Miranda.

The government argued the analysis should begin when Ding was offered the unmarked car—suggesting he “chose” it. The court rejected this: “In reality, any reasonable person would have understood that the only choice was staying in a marked car or moving to an unmarked car, not moving to an unmarked car or leaving.”

The government also argued Ding was told he was “free” and “not under arrest.” The court: “The mere recitation of the statement that the suspect is free to leave or terminate the interview . . . does not render an interrogation non-custodial per se.” And further: “It almost seems as if officers believe that they need only utter the magic words ‘not under arrest’ or ‘free to leave’ to inoculate themselves from a claim that their otherwise-highly-coercive detention and interrogation triggered the Miranda obligation.”

One especially revealing moment: when discussing travel plans, agents told Ding he was “not under arrest” and “free to travel”—while simultaneously taking his passport. Agent Toole: “We can’t restrict you from leaving, you can . . . still go, the only issue for you though is that we’re taking your passport.” And a moment later: “Yeah but legally like you’re . . . free.”

Free to travel. Without a passport.

The court’s analysis, applying Ninth Circuit factors:

• Circumstances of summons: “At the initiation of the government’s interaction with Ding, he had firearms pointed at him and was ordered into a marked car. . . . This was not a situation where Ding chose to speak with the officers over another viable option that did not involve speaking with them.”
• Duration: “The duration of this interrogation, around three hours and fifteen minutes, was beyond the outer bounds of the higher end identified by the Ninth Circuit”—which had previously held that two-and-a-half-hour interrogations were “at the high end.”
• Degree of pressure: “Not only were there 18 officers involved in ramming down Ding’s door with guns drawn, but he also knew that there were guns pointed at him because he had lasers on his body.”

The conclusion: “Considering the totality of the circumstances, then, a reasonable person in Ding’s shoes would have understood his situation to be equivalent to the restriction of movement associated with a formal arrest.”

What Was Not Excluded

The court declined to exclude evidence from Ding’s devices. The passwords he provided were not testimonial within the Fifth Amendment meaning. Unlike cases where knowledge of a password proves control over incriminating files, here “there is nothing inherently incriminating about the fact that Ding has the passwords for his own personal cellphone and personal computers.”

The FBI nearly lost key evidence through an elementary procedural error. It didn’t—because the court determined that providing a password is not testimony.

III. The Legal Construction: Is Intent Enough?

Ding filed a motion to dismiss the economic espionage charges. His argument: 18 U.S.C. § 1831 requires a connection to a foreign government. He didn’t start a company on Beijing’s orders. He didn’t receive instructions from Chinese intelligence. Simply operating a business in China, in an industry the Chinese government promotes, doesn’t make someone a spy.

The Order of June 9, 2025

Judge Chhabria denied the motion, but his reasoning showed notable caution.

The court confirmed that Section 1831 does not require the foreign government to have coordinated or sponsored the theft. It cited United States v. Chung (9th Cir. 2011): a conviction under Section 1831 does not “require evidence of a foreign government’s direction or control” but “can rest solely on the defendant’s intent to benefit a foreign government.”

The court also confirmed that “benefit” need not mean actual disclosure. Legislative history indicates a benefit can be “reputational, strategic, or tactical.”

The prosecution presented three theories:

1. A PowerPoint presentation citing Chinese state policies encouraging domestic AI development
2. An application to a talent program sponsored by the Shanghai government
3. An internal Zhisuan memo indicating intent to offer services to universities and local governments controlled by the PRC

The Court’s Skepticism

Judge Chhabria wrote plainly:

“The Court is somewhat skeptical of the government’s first two theories. The idea, apparently, is that Ding knew about the PRC’s AI initiatives and intended to benefit the PRC by filling the gap identified by the PRC and so help the PRC achieve its domestic AI goals. The idea that Ding actually intended to benefit the PRC, as opposed to benefiting himself through an opportunity PRC was providing, seems dubious.“

And further:

“At times, it seems as if the government is reading out of section 1831 the word ‘government’ and is asking the Court to apply the statute to anyone who intends or knows that the trade secret theft will benefit a foreign country.”

The motion was denied solely because of the third theory—the memo documenting intent to provide services directly to government entities.

But the warning was clear: “The first two theories will only work if the government proves that Ding intended or knew that his trade secret theft would benefit the PRC—not solely China as a country or Ding’s own economic interests.”

What the Prosecution Proved at Trial

The jury found Ding guilty on all fourteen counts. The prosecution convinced them that:

1. The documents constituted trade secrets
2. Ding copied them without authorization, knowing he was harming Google
3. He intended economic benefit for someone other than Google (counts 1–7)
4. He intended or knew his actions would benefit a foreign government (counts 8–14)

For point four, the memo dated December 14, 2023 was critical—a list of government entities to which Zhisuan intended to offer services. As was the talent program application, stating his product would “help China to have computing power infrastructure capabilities that are on par with the international level.”

The judge was skeptical of the “awareness of state policies” theory. The jury apparently wasn’t—or was convinced by the third theory.

IV. The Seven Categories: What Was Actually Stolen

The superseding indictment defines seven categories of trade secrets. Each category forms the basis for one theft count and one espionage count.

Category 1: TPU Chip Architecture

Instruction sets, protocols, internal specifications, and implementation details for Google’s custom TPU chip components:

• TensorCore—the main processing component
• BarnaCore/SparseCore—sparse computation acceleration
• HBM access interface (High Bandwidth Memory)
• ICI (Inter-Chip Interconnect)—Google’s proprietary chip communication technology

Categories 2–3: TPU Systems and Software

Design documents, performance parameters, software managing hardware and allocating resources within TPUs, facilitating communication between TPUs, and orchestrating collections of interconnected TPUs for different workloads.

Categories 4–5: GPU Systems and Software

Analogous documents for Google’s GPU infrastructure—custom machines holding multiple GPUs, systems connecting thousands of GPUs, and software managing their allocation.

Categories 6–7: SmartNIC

Hardware specifications and software for Google’s custom-designed network interface card, enabling low-latency, high-bandwidth data transfers across large-scale networks powering AI supercomputers and cloud networking products.

The Strategic Significance

TPUs are Google’s answer to the computational demands of training large AI models. Unlike Nvidia’s GPUs—commercial products available on the market (though subject to export restrictions)—TPUs are technology Google has developed internally since 2013.

ICI—Inter-Chip Interconnect—allows thousands of chips to function as a single supercomputer. AI scalability depends not just on individual processor performance but on connecting them efficiently.

Ding copied a complete technology stack—from silicon to orchestration software. Material sufficient, as he wrote to investors, to “replicate and upgrade” Google’s infrastructure.

V. The Defense That Didn’t Work

The Authorization Argument

Ding had authorized access to every file he copied. The defense could have argued that viewing rights implied copying rights.

The problem: Google’s employment agreement explicitly required Ding not to use confidential information “for any purpose other than for the benefit of Google in the scope of employment” and not to retain documents after termination.

The No-Actual-Transfer Argument

The prosecution didn’t prove Ding actually transferred documents to Chinese entities.

The problem: 18 U.S.C. § 1832(a)(3) penalizes mere possession of trade secrets with knowledge of their unlawful origin. Transfer need not occur—intent and possession suffice.

The False Affidavit

On December 8, 2023, when Google detected uploads to Ding Account 2, Ding signed a “Self-Deletion Affidavit”—a sworn statement certifying he had searched all devices and deleted all Google materials.

He didn’t mention the more than a thousand files previously uploaded to Ding Account 1.

Six days later, he booked a one-way ticket to Beijing.

VI. Sentencing: What Comes Next

Ding is scheduled to appear February 3, 2026 for a status conference. Maximum sentence: 175 years—theoretically.

In practice, federal courts apply sentencing guidelines considering the value of stolen secrets, degree of planning, defendant’s role, and acceptance of responsibility.

Ding did not plead guilty. Documentation proves systematic activity over a year. His role: CEO of his own startup, CTO offer from another company. A false affidavit under oath.

The indictment includes a forfeiture demand under 18 U.S.C. § 1834—all property used to commit the offense or constituting proceeds from it.

Judge Chhabria ruled that Ding could remain free pending sentencing, finding him neither a flight risk nor a public danger. Given the one-way ticket to Beijing discovered in December 2023, this may raise some eyebrows.

VII. Lessons

The Ding case will appear in information security trainings for the next decade. Not because it represents a sophisticated threat—but because it is exceptionally simple.

Copy to Notes. Convert to PDF. Upload to the cloud. A thousand times. For a year.

The FBI nearly lost key evidence through a procedural error during interrogation. It didn’t—because providing a password falls outside the Fifth Amendment.

The prosecution presented intent theories the judge publicly questioned. The jury found them sufficient.

Ding documented his own intent—in investor presentations, in the talent program application, in WeChat messages.

On January 29, 2026, after an eleven-day trial, the jury deliberated approximately three hours before finding him guilty on all fourteen counts.

Some cases are difficult.

This one was not.

Robert Nogacki

Founder and Managing Partner of Skarbiec Law Firm, recognized by Dziennik Gazeta Prawna as one of the best tax advisory firms in Poland (2023, 2024). Legal advisor with 19 years of experience, serving Forbes-listed entrepreneurs and innovative start-ups. One of the most frequently quoted experts on commercial and tax law in the Polish media, regularly publishing in Rzeczpospolita, Gazeta Wyborcza, and Dziennik Gazeta Prawna. Author of the publication “AI Decoding Satoshi Nakamoto. Artificial Intelligence on the Trail of Bitcoin’s Creator” and co-author of the award-winning book “Bezpieczeństwo współczesnej firmy” (Security of a Modern Company). LinkedIn profile: 18 500 followers, 4 million views per year. Awards: 4-time winner of the European Medal, Golden Statuette of the Polish Business Leader, title of “International Tax Planning Law Firm of the Year in Poland.” He specializes in strategic legal consulting, tax planning, and crisis management for business.