Former Bungie, Pokémon Lawyer Explains How They Caught Leakers

Hi everyone. Today we’re talking to one of the video-game industry’s veteran leak investigators, but first...

This week’s top gaming news:

• Xbox Game Pass is getting a price hike
• Shift Up Corp., the maker of Stellar Blade, went public in South Korea

Plugging the leaks

A few weeks ago, this newsletter delved into the culture of video-game rumors and insiders, and how they’ve faced a reckoning in recent months. But I was curious to learn more about what it’s like to chase down leaks from a video-game company’s perspective.

So I spoke to Don McGowan, the former general counsel at Sony Group Corp.’s Bungie, the maker of Destiny 2. Before that, he spent more than a decade as the chief legal officer at The Pokémon Company and also worked at Xbox.

In other words, McGowan has had to plug a lot of leaks. When screenshots or details of upcoming content for games such as Bungie’s Marathon pop up before they’re supposed to, he’s been charged with investigating what happened.

We talked about tracking down these leaks, the differences between content leaks and misconduct leaks and how people get caught. (The following conversation has been edited for brevity and clarity.)

So when you’re general counsel at Bungie, what leads to you starting to investigate a leak?

I had a regular sync with our PR team. A lot of stuff came to me through them or the community team, which is usually the best way to find out about leaks, because they are plugged in. Bungie is fairly internally free with information, which led to certain challenges. Everybody had access to everything.

If you hire fans, fans are interested and are getting clout inside their clans by talking about stuff. The problem is, our information is their currency.

Can you give me a specific example of a situation where you had to track someone down and figure out who they were and why they did it?

We had a little stuff come out about Marathon. I did some internal digging. We figured out who it was, and they became what I refer to as ‘a future ex-employee of Bungie.’

Do you know why they did it?

Because they wanted to be cool with their clan.

So a Bungie employee just shared information with their clan?

Then it got out from there, because the clan members have the information, and so they can be cool by telling it to other people.

How’d you track down who did it?

There is an interesting phenomenon, which is that a lot of people use the same online identity over and over again. My Bluesky handle is the same as my Twitter handle. It’s often also their email address, and they’ve registered an email address with us, and so we can figure out who the clan member is.

And then it becomes a question of looking at server logs. Who is in the clan with this person? Do we know who the people are in that clan? That results in an internal person. That’s very likely to be our guy.

How do you feel personally about the fact that doing this work will lead to someone losing their job?

The way I always said it to myself, and the way I still think about it now, is: You knew how to not lose your job. Come on, buddy. You should have known better than this. Just because our information is your currency — this wasn’t your currency to spend.

I think people will have less sympathy for someone who's leaking information about Marathon than someone who's leaking about, say, workplace misconduct.

When it’s somebody complaining about workplace issues, I don’t really necessarily want to know who it is, unless what they’re complaining about is, ‘My boss is sexually harassing me.’ Then I want to know who it is, because I want to know who their boss is. I’m investigating, not to try to out the person, but to try to assess the truth of what they’re saying.

Is it your job to get them fired, report them to the proper channels?

Let’s say someone’s hypothetically talking to our friend Jason Schreier about the content of an upcoming release of a game. That’s a very different conversation to me than if someone’s talking to my friend Jason Schreier about a boss who’s sexually harassing them. I care a lot more about the second one, and I care about the second one not because I’m going to get the person fired, but because I want to find out if what they’re saying is true.

So you find out David is talking to me. What happens to David next?

Washington has fairly strong whistleblower protections. Even if I was disposed toward taking retaliation against somebody in that situation, and I’m not, I’d be very remiss to do that in the state of Washington.

I might have a talk with David. I might say, ‘Listen, I’ve figured out it was you. Do I not seem approachable? Why are you and I not having a conversation about this?’ Obviously, my job is to protect the organization, but ‘protect the organization’ takes on different meanings to different people. To me, ‘protect the organization’ has always meant: protect your people from bad things.

I think people go to journalists as a last resort, when they have no other options.

I did my best to make myself as approachable as I could. I know the title screams louder than anything I could do. That would be the conversation I would have with them: ‘What was the reason you felt you couldn’t come tell me about this?’ Because I need to get better.

What’s the wildest story of a leaker you dealt with?

Back when I was at Pokémon, some kid figured out how to extract the images from the card game. He found an icon from the developer and said ‘Holy s----, I found a new Pokémon.’ This kid included his email, and because of the way Pokémon did account creation, when we got the child’s account, we got the parent information, which included a phone number.

So I called his mom and said, ‘Listen, I wanted to tell you some things that Andrew is doing on the computer.’ She says, ‘So you’re saying he hacked your game.’ And I hear in the background: ‘I didn’t hack anything!’ I start describing it more technically. She says, ‘Is this a problem?’ I say, ‘Hacking software, that’s a federal crime, but I don’t want that to be the conversation. Why don’t we make it a conversation about the good and bad things he can do with a computer?’

The kid was live-tweeting it. The tweets were this:

1. Pokémon just called my house.
2. What the hell is a general counsel?
3. I now know what I did was wrong, and I’ll never do it again.

Which was fantastic. Absolutely baked my legend in at Pokémon for like five years.

Can you walk me through your exact process for finding leaks? Are you looking at emails, badge logs?

Bungie is a fully remote company. So there, badge logs were no use to me. Confluence logs were very useful. My first thought is that I have to authenticate if it’s real. Because a lot of the leaks were educated guesswork. My next thought would be: Who had access to it?

We had a situation with a content creator. We’d done a community day where we’d brought in a bunch of community content creators and opened up a stream. One of them took photos of his computer and released those, for clout. Not on his own name, just leaked them out, so he could get clout with the websites he was leaking them to.

We figured it out. Who were the streamers on that call? There were 12 of them. Let’s start looking at these streamers. One of them had two computers, and one day he streamed from his other PC. We saw the icons on the bottom of his screen were exactly the same ones as in one of the photographs. Alright, that’s our guy. So we set up a call with him.

He started trying to say, ‘It must have been my roommate who walked in and took a photo of my screen.’ One, we don’t care. Secondly, and more important my friend, no it wasn’t. Because if you look at the angle of the camera, you can tell the camera was being held in the photographer’s right hand. We can see the room you’re in right now. Your door is to your left. So either your roommate came in, walked behind you to your right and took a photograph, and you didn’t notice it — or you took the photograph yourself.

Do you pursue legal action or just ban them?

No, we just ban them from future content. And we banned his account from the game for good measure.

That probably pissed him off even more.

He’s a streamer. He found out he was banned when he went to stream.

Sad. Well, tragic, I should say.

Sad as in: ‘Why did you shoot yourself in the face?’

What to play this weekend

I’ve been diving back into Final Fantasy XIV, the beloved online roleplaying game that recently got a new expansion, Dawntrail. Although Square Enix Holdings Co.’s multiplayer online role-playing game can be intimidating — and pricy, thanks to the monthly subscription — the vibes are just so good. Between the clever writing and delightful music, it’s a fun place to spend a few hundred hours.

You can reach Jason at jschreier10@bloomberg.net or confidentially at jasonschreier@protonmail.com.

More from Bloomberg

Get Tech Daily and more Bloomberg Tech weeklies in your inbox:

• Cyber Bulletin for coverage of the shadow world of hackers and cyber-espionage
• Power On for Apple scoops, consumer tech news and more
• Screentime for a front-row seat to the collision of Hollywood and Silicon Valley
• Soundbite for reporting on podcasting, the music industry and audio trends
• Q&AI for answers to all your questions about AI