Corporate Spying

This is a good article on a new trend in corporate spying: companies like Wal-Mart and Sears have resorted to covert surveillance of employees, partners, journalists, and even Internet users to protect themselves from "global threats."

"Like most major corporations, it is our corporate responsibility to have systems in place, including software systems, to monitor threats to our network, intellectual property and our people," Wal-Mart spokeswoman Sarah Clark said in a statement in April. Following the Gabbard firing, Wal-Mart said it conducted a review of its monitoring activities. "There have been changes in leadership, and we have strengthened our practices and protocols in this area," Clark said.

[...]

At a gathering of security specialists in New York City in January of 2006, David Harrison, the former Army military intelligence officer who was hired by Senser to head Wal-Mart's analytical security research center, provided a rare glimpse into the company's monitoring operations. Harrison told the gathering Wal-Mart faces a wide range of threats: "A bombing in China, an armed robbery in Brazil, an armed robbery in Las Vegas, another bomb threat, and that was just yesterday," Harrison said.

To safeguard its employees and operations Wal-Mart has tapped its massive data warehouse of information, now believed to be larger than 4 petabytes (4,000 terabytes), to look for potential threats. It tracks customers who buy propane tanks, for example, or anyone who has fraudulently cashed a check, or anyone making bulk purchases of pre-paid cell phones, which could be tied to criminal activities. "If you try to buy more than three cell phones at one time, it will be tracked," he reportedly told the audience.

[...]

Gabbard, the Wal-Mart employee fired for recording reporters' phone calls, said in his interview with The Wall Street Journal that Wal-Mart uses software from Raytheon Oakley Networks to monitor activity on its network. The Oakley product was originally developed for the U.S. Department of Defense.

The Oakley software is so sophisticated it can allow administrators to visually see what types of information are moving across the network, from Excel spreadsheets to job searches on Monster.com, or photos with flesh tones that might indicate a user is viewing pornography.

And this article talks about ex-CIA agents working for corporations:

The best estimate is that several hundred former intelligence agents now work in corporate espionage, including some who left the C.I.A. during the agency turmoil that followed 9/11. They quickly joined private-investigation firms whose U.S. corporate clients were planning to expand into Russia, China, and other countries with opaque business practices and few public records, and who needed the skinny on international partners or rivals.

These ex-spies apply a higher level of expertise, honed by government service, to the cruder tactics already practiced by private investigators. One such ploy is pretexting -- obtaining information by pretending to be somebody else. While private detectives have long posed as freelance reporters or job recruiters to get people to talk, former agents have elevated pretexting to an art.

[...]

Similarly, ex-agents have helped popularize the use of G.P.S.-based monitoring devices and long-range cameras for following people around. One corporate-espionage technique comes straight from the C.I.A. playbook. In the constant search for the slightest edge, some hedge funds and investment companies have turned to a handful of private-investigation firms for a tactic that seems to fall between science and voodoo. Called tactical behavior assessment, it relies on dozens of verbal and nonverbal cues to determine whether someone is lying. Signs of potential deception include meandering off topic rather than sticking to the facts and excessive personal grooming, such as nervously picking lint off a jacket. This method was developed by former lie-detector experts from the C.I.A.'s Office of Security, which administers polygraph tests to keep agents honest and verify the stories of would-be defectors.

[...]

Most of the ex-agents' activities, from surveillance to lie detection, are perfectly legal. In the wake of the 2006 Hewlett-Packard scandal, in which detectives used pretexting to obtain the private telephone records of company directors, employees, and journalists in an effort to track leaks to the media, federal law was tightened to prohibit using fraudulent means to obtain telephone records. Financial records were already off-limits. But federal law doesn't forbid assuming a false identity to get other information -- an area that ex-spies exploit.

Still, a few techniques favored by the spies-for-hire do appear to violate privacy statutes. One of these involves using "data haunts," extreme methods of electronic monitoring such as tracking cell-phone calls and gathering emails by relying on secretly installed software to record computer keystrokes. An ex-C.I.A. agent described a group of his former colleagues who set up shop offshore so that they could tap into telephone calls -- a practice prohibited by federal law -- outside U.S. jurisdiction. "They call themselves the bad boys in the Bahamas," he said.

Even some of the legal methods are controversial within the industry. Certain old-school firms won't stoop to dumpster diving or stealing garbage -- which is usually legal as long as the trash is on a curb or other public property -- because they consider it unethical. They say that the prevalence of former intelligence agents in the field and the rise of unscrupulous tactics have tarnished a business that often struggles with its reputation. One longtime investigator complained that he recently lost business to some ex-C.I.A. officers who promised a potential client that they could obtain the phone and bank records of a target -- something that is illegal in most cases.

[...]

Current and former employees said Diligence's ex-spies also held classes in using false identities to obtain confidential information. Ex-employees said it wasn't unusual for an investigator to have five or six cell phones, each representing a different identity, on his or her desk. And while ex-C.I.A. and former MI5 agents were old hands at such deception, the new initiates sometimes got confused and answered a phone with the wrong name.

All interesting. It seems that corporate espionage has gone mainstream, and the debate is more about how and when.

On a related note, this paragraph disturbed me:

On occasion, Diligence investigators were dispatched to collect garbage from a target's home or office. In some cases, two former employees said, Diligence hired off-duty or retired police officers to take trash so that they could wave their badges and fend off any awkward questions.

It's public authority being used for private interests. We see it a lot -- off-duty police officers guarding private businesses, for example -- and it erodes public trust of authority. In the case above, I'm not even sure it's legal.

Posted on January 16, 2008 at 12:21 PM • 37 Comments

Comments

Good Old Boys Network • January 16, 2008 12:42 PM

@Bruce Schneier

"It's public authority being used for private interests."

Can you name any public authority that isn't used, at least occasionally, for private interests?

Tangerine Blue • January 16, 2008 12:51 PM

> public authority being used for
> private interests

That reeks.

But at least in the US cops supplement their income with second jobs, instead of taking bribes (one hopes).

Carlo Graziani • January 16, 2008 1:31 PM

"...This method was developed by former lie-detector experts from the C.I.A.'s Office of Security, which administers polygraph tests to keep agents honest and verify the stories of would-be defectors."

I'm glad that private industry is seeing a "peace dividend" from the Government's "research" on lie detection. To get the level of assurance normally associated with polygraphing, corporations might otherwise have to resort to ouija boards. That would be embarrassing.

Good Old Boys Network • January 16, 2008 2:00 PM

@Dewey

Trusted by whom? Those it "serves" ? The 'still' implies it was trusted to begin with.

Phil • January 16, 2008 2:10 PM

>> public authority being used for
>> private interests

> That reeks.

> But at least in the US cops supplement their income with second jobs, instead of taking bribes (one hopes).

Flashing one's badge in exchange for money is a bribe.

Anonymous • January 16, 2008 2:26 PM

There's an old and mostly foolproof technique for defeating dumpster diving, but it requires a cat. Shred your sensitive stuff and mix it with used cat litter. Anyone willing to pick through used cat litter for information probably deserves it. :)

Carlo Graziani • January 16, 2008 2:52 PM

@Anonymous:

I wouldn't count on the yuck factor for deterrence.

During the Cold War, there existed in East Germany teams of Western military observers, created by the postwar settlement. These functioned as legal military espionage units -- they tracked Warsaw Pact military activity, and were a fairly productive source of information.

One source that they mined had to do with the unsanitary habits of Soviet troops. As it turns out, Soviet Army ground forces on maneuver in East Germany were not issued with a reliable source of toilet paper. Soldiers consequently substituted whatever paper was at hand, including maps, orders, plans, etc.

While the Western military observers were excluded from training areas during exercises, they would scour the ground after the troops had left, looking for latrines, dumps, or even just stinky paper blowing about in the wind. Apparently the intelligence take could be considerable, certainly enough to justify this otherwise dismal form of collection. As an added bonus, Western analysts would occasionally forward to allied colleagues particularly fetid samples "for further analysis".

Source: Richard Aldrich, "The Hidden Hand: Britain, America, and Cold War Secret Intelligence"

Rich Wilson • January 16, 2008 3:10 PM

According to the TimesOnline:

Microsoft submitted a patent application in the US for a "unique monitoring system" that could link workers to their computers. Wireless sensors could read "heart rate, galvanic skin response, EMG, brain signals, respiration rate, body temperature, movement, facial movements, facial expressions and blood pressure", the application states.

http://technology.timesonline.co.uk/tol/news/tech_and_web/article3193480.ece

Jilara • January 16, 2008 4:33 PM

If excess personal grooming is a sign of lying, etc. I wonder what it says that I often do this when I'm stuck in overlong meetings. I guess I'm lying in my heart, trying to pretend I really want to be there...

Vicki • January 16, 2008 6:22 PM

Anonymous -- If mixing trashed records with used cat litter became common, it would create a niche business and/or job market for people with no sense of smell, and a willingness to wear rubber gloves. For such an anosmic person, the task might be less unpleasant than creating the mess would be for you.

(If you're that concerned, shredding your records and burning the shreds might be prudent.)

Sofa • January 16, 2008 6:45 PM

Once trash hits the street, it's perfectly legal for the government to search it warrant-free as defined by Greenwood vs. California. It was my assigned case from Crim 13, Constitutional Interpretation back in college. You can find out more here:
http://www.fightidentitytheft.com/shred_supreme_court.html

Syllabus
Acting on information indicating that respondent Greenwood might be engaged in narcotics trafficking, police twice obtained from his regular trash collector garbage bags left on the curb in front of his house. On the basis of items in the bags which were indicative of narcotics use, the police obtained warrants to search the house, discovered controlled substances during the searches, and arrested respondents on felony narcotics charges. Finding that probable cause to search the house would not have existed without the evidence obtained from the trash searches, the State Superior Court dismissed the charges under People v. Krivda, 5 Cal.3d 357, 486 P.2d 1262, which held that warrantless trash searches violate the Fourth Amendment and the California Constitution. Although noting a post-Krivda state constitutional amendment eliminating the exclusionary rule for evidence seized in violation of state, but not federal, law, the State Court of Appeal affirmed on the ground that Krivda was based on federal, as well as state, law.

Held:

1. The Fourth Amendment does not prohibit the warrantless search and seizure of garbage left for collection outside the curtilage of a home. Pp. 39-44

FNORD • January 16, 2008 6:49 PM

Security, as you say, is a trade-off.

It admits that stores were evacuated for bomb threats, but it doesn't mention if real bombs were found. An evacuated store still means reduced profits, and so a victory for Wal-Mart's opponents.

Now, bomb threats are illegal. But if their institutional paranoia leads to them responding to false positives, especially intentional false positives, they're only hurting themselves.

If an anti wal-mart extremist can shut down a store by purchasing a dozen pre-paid cellphones and 4 propane tanks, that could be a useful strategy.

JKB • January 17, 2008 12:36 AM

Well it isn't like Walmart doesn't track their customers. If the police investigate a purchase, they can not only produce the receipt but also backtrack the person throughout the store and possibly into the parking lot. Given that kind of tracking info on Joe Sixpack, it might be good that they are also tracking their employees and suppliers.

Of course, security can be a vulnerability as well. With all the tracking, it is hard to hide your own bad deeds. It doesn't look good when you have complete coverage except for that one period when the "good guys" are alleged to have done wrong. That kind of "gap" brought down a President and makes juries suspicious.

Zane Selvans • January 17, 2008 1:13 AM

Interestingly, it seems that that paragraph about the off-duty cops is no longer in the article.

John • January 17, 2008 2:26 AM

If it is possible to gather information in some way then somewhere a private corporation is paying someone to do it.
This has been done for centuries.

As new ways of collecting information are found then, of course, they will be used by governments and corporations.

The new thing is the ability to deal with very large amounts of data in a reasonable period of time.

Corporations have always done whatever they can get away with to maximize profit and protect their revenue. This is just new ways to do the same old thing.

wsinda • January 17, 2008 5:44 AM

Bruce's criticism on blanket surveillance against terrorism also applies to corporate security:

1. To justify the surveillance, the advocates mention the big crimes (bombing, espionage). To "prove" its effectiveness, they give the number of small crimes (downloading adult material) that were detected.

2. There is a tendency to gather all information that is technically available, whether it's useful or not. (Even more so in corporations, where employees have less legal protection than citizens.) And when the data has been stored, it is subject to "scope creep".

3. It's questionable whether the surveillance will catch a professional criminal. (If you were an insider who copied confidential material, would you send it off in an unencrypted email using your own account? If you were planning to bomb Wal-Mart, would you buy propane tanks in the same store?) It's usually the stupid crooks and the petty thieves that get caught.

Mr.Bear • January 17, 2008 5:59 AM

@Jilara

>>If excess personal grooming is a sign of lying, etc. I wonder what it says that I often do this
>>when I'm stuck in overlong meetings.

It says you are thinking of something you'd rather not share. Picking imaginary lint is a particularly obvious example of "withholding information."

Of course, the INTERPRETATION depends on the situation, in this case you'd probably prefer not to tell your boss to "shut the f**k up,already."

You could look at it this way. Picking imaginary lint enables you to remove yourself from the situation (avoiding eye contact, concentrating on something else, expressing negative feelings in a less transparent way [lowered head, coupled with other indicators, is often used as a sign of negativity]), all the while just "picking lint."

It's a transfer. To avoid looking like you feel you start doing something that (you'd think) MASKS it thus "transferring" the signals.

Hope this helps.

averros • January 17, 2008 6:14 AM

@Good Old Boys:

"Can you name any public authority that isn't used, at least occassionally, for private interests?"

Can you name any public authority that isn't used, at all times, for private interests?

That'd be usually interests of the bosses in these authorities, and interests of their political patrons and interests of their family & friends business pals.

"Public authority" is newspeak used to conceal the glaringly obvious fact that any "public" institution consists of private persons, with their own private interests.

Sofa • January 17, 2008 11:07 AM

Interestingly, it seems that that paragraph about the off-duty cops is no longer in the article.

Posted by: Zane Selvans at January 17, 2008 01:13 AM

Bruce linked two articles, the off duty cops are in the second one linked further down the post, not the first one. The paragraph can be found in this article:
http://www.portfolio.com/news-markets/international-news/portfolio/2007/12/17/Ex-Spies-Corporate-Work

On occasion, Diligence investigators were dispatched to collect garbage from a target's home or office. In some cases, two former employees said, Diligence hired off-duty or retired police officers to take trash so that they could wave their badges and fend off any awkward questions.

beads • January 17, 2008 12:02 PM

Two things about shredding. First, since you're shredding things already, do yourself a favor and don't throw all the shredding into one bag. Mix it up and withhold half the bag for the next pickup. For that matter, wait for the garbage truck and transfer the material manually if you have to. This way anyone willing to go through kitty's material as well gets approximately 1/2 of the needed information. A well mixed pile is better than a complete pile. Adds a constant complication: show up every trash day to collect what they hope will be a "good" sample. Like using very basic encryption. Not terribly effective but enough to dissuade the more casual operator.

Second. If you have the luxury of composting your newspapers, bills, kitchen scraps on your property - do so! No curb, no public access but trespassing does come to mind as long as the compost pile is clearly intended for personal use. Takes a while to compost even shredded scraps (depending on your method) but 100% recycled. Okay. Maybe the local neighborhood raccoon might stop by for a sniff or two but I can live with the occasional critter or two in my compost pile. Usually there isn't enough of anything they want but some worms, anyway.

Good Old Boys Network • January 17, 2008 2:01 PM

@averros

"That'd be usually interests of the bosses in these authorities, and interests of their political patrons and interests of their family & friends business pals.

"Public authority" is newspeak used to conceal the glaringly obvious fact that any "public" institution consists of private persons, with their own private interests."

I couldn't agree more.

Andrew • January 17, 2008 4:12 PM

>> If you were an insider who copied confidential material, would you send it off in an unencrypted email using your own account? If you were planning to bomb Wal-Mart, would you buy propane tanks in the same store?

Um, yes, people do these dumb things.

Mark • January 18, 2008 7:46 AM

@FNORD
Now, bomb threats are illegal.

So, in many cases, are bombs. The difference is that it takes a skilled person to build an effective bomb, i.e. one which will only explode when it should.

Whereas making a telephone call, sending a note/fax/email, etc. doesn't require anyone anywhere near so skilled.

walterzuey • January 18, 2008 10:09 AM

"There used to be an argument over whether we should be doing this at all," says Alan Paller, director of research at the SANS Institute, an industry-sponsored research group and computer security training body. "It rarely comes up as an issue any more."

This is the leitmotif of every verse on the march to a totalitarian society.

Anonymous • January 18, 2008 11:09 PM

To me, there is a difference between legitimate practices to protect business assets and invading the privacy of the general populace. And only a fool would not question whether or not Walmart and its "former" (sic) CIA agents are not still working for / with our government in some manner to circumvent the laws restricting public officials to spy on American citizens.

Roger • January 19, 2008 2:23 AM

Mixing in cat litter is not going to defeat any but the most faint-hearted data thief. Here is some advice for shredding:

First, if shredding is your method of choice for destroying confidential documents, make sure you get a cross-cut shredder. All else being equal, the difficulty of extracting information from shreddies rises as the square of the number of shreddies (chads), and even the cheapest, coarsest cross-cutters typically produce about 4 times as many shreddies as even a high quality strip cut shredder. At one time, cross-cut shredders were only used in high security applications and so cost a lot of money, but nowadays the cheapest models only cost about USD $40. (If you want to spend more, for about USD $400, you can get a medium security "confetti cut" shredder that increases the number of shreddies by a factor of about 12 times, and for several thousand bucks you can get a high security micro-cut shredder that increases it by about 64 times, turning an 8 x 11 page into roughly 17,000 pieces.)

Secondly, regardless of your shredder type, make sure you insert the paper so that the longest direction of the chads cuts across the lines of text. This means that if you printed in "landscape mode", you need to turn the paper sideways when you shred. And unless you have a shredder with a very wide inlet, that will require folding, tearing, or cutting the page in half. If you don't do this a lot of text will still be legible after shredding. (As a corollary to this, I notice that a lot of corporate bills and suchlike now come with a long serial number and bar code printed in the margin at right angles to the text. I have no idea how sensitive this data is, but it is often still quite legible after shredding, so I rip these bits off and turn them around before putting in the shredder.)

Thirdly, if you dispose of the shreddies by putting them in municipal waste or recycling collection, then base your disposal frequency on the security of your shredder. As a rule of thumb, for typical domestic (low security) purposes you want to accumulate about 5,000 or more thoroughly mixed chads before disposal. That means that with a high security micro-cut shredder you could just shred one page and discard immediately, but for most other types you will need to accumulate some minimum number of shredded pages before disposal. For a typical cheap cross-cut shredder, this is about 20 pages; it will suffice to simply wait until the basket is full, periodically stirring the shreddies to mix them up. However for the coarsest grade strip cut shredders (~0.38 in), it will be around 240 pages, and you will need a moderate security area to store the shreddies before disposal, or else dispose of them other than in municipal waste.

We don't dispose of our shreddies in municipal waste. In winter, document disposal makes for good kindling paper for the wood fire, while in summer we shred and the shreddies go in the compost bin whenever the compost is turned over. (The volumes we dispose of are small enough that this doesn't exceed the "brown" fraction for the compost.)
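
Roger's rules of thumb above (pieces per page, the 5,000-chad batch, and feeding the page so the long axis of each chad crosses the lines of text) can be turned into a small geometry model. The Python below is an added example and is not part of Roger's comment or of the original post. The page size, the character and line pitch, and the three cutter sizes are assumptions chosen to stand in for the shredder classes he describes; they are not measurements of any product. It goes slightly beyond the comment by also reporting how many characters of one line survive on a single chad in each feed orientation, which is the quantity that decides whether shredded text is still legible.

```python
import math
from dataclasses import dataclass
from typing import Optional

# Assumed page and typography parameters: US letter fed short edge first,
# roughly 10 characters per inch of monospaced text, 6 lines per inch.
PAGE_W_IN = 8.5          # short edge, across the feed
PAGE_H_IN = 11.0         # long edge, along the feed direction
CHAR_W_IN = 0.10         # assumed width of one printed character
LINE_H_IN = 1.0 / 6.0    # assumed height of one printed line
MIN_CHADS = 5000         # batch size rule of thumb from the comment above


@dataclass(frozen=True)
class Shredder:
    """Cutter geometry. strip_w_in is the width of each strip (measured
    across the feed); cross_len_in is the length of each cross-cut segment
    along the feed, or None for a strip-cut machine."""
    name: str
    strip_w_in: float
    cross_len_in: Optional[float] = None


# Illustrative cutter sizes for the classes named in the comment.
# These are assumptions, not any vendor's published specification.
CHEAP_STRIP = Shredder("coarse strip-cut, 3/8 in", 0.38)
CHEAP_CROSS = Shredder("cheap cross-cut, 1/4 x 1-1/2 in", 0.25, 1.5)
MICRO_CUT = Shredder("micro-cut, 1/32 x 5/32 in", 1.0 / 32.0, 5.0 / 32.0)


def chads_per_page(s: Shredder) -> int:
    """Pieces produced from one page fed short edge first."""
    strips = math.ceil(PAGE_W_IN / s.strip_w_in)
    segments = 1 if s.cross_len_in is None else math.ceil(PAGE_H_IN / s.cross_len_in)
    return strips * segments


def pages_to_accumulate(s: Shredder, min_chads: int = MIN_CHADS) -> int:
    """Pages to shred and mix before one batch reaches the minimum chad count."""
    return math.ceil(min_chads / chads_per_page(s))


def chad_length_in(s: Shredder) -> float:
    """Long dimension of a chad: the whole page for strip cut, else the cross-cut length."""
    return PAGE_H_IN if s.cross_len_in is None else s.cross_len_in


def chars_per_line_on_chad(s: Shredder, text_parallel_to_strips: bool) -> int:
    """Longest run of one text line that survives intact on a single chad.

    text_parallel_to_strips=True models a landscape-printed page fed the same
    way as a portrait one, so the text runs along the strips: the orientation
    the comment warns against. False is the recommended orientation, where each
    chad crosses the lines of text and keeps only strip_w_in worth of each."""
    run_in = chad_length_in(s) if text_parallel_to_strips else s.strip_w_in
    return max(1, int(run_in / CHAR_W_IN))


def lines_per_chad(s: Shredder, text_parallel_to_strips: bool) -> int:
    """Distinct text lines that touch one chad (more lines means fewer characters of each)."""
    span_in = s.strip_w_in if text_parallel_to_strips else chad_length_in(s)
    return max(1, int(span_in / LINE_H_IN))


def report(s: Shredder) -> str:
    """One-line summary for a shredder, used when the script is run directly."""
    return (f"{s.name}: {chads_per_page(s)} chads/page, accumulate "
            f"{pages_to_accumulate(s)} page(s) per batch; intact run per line "
            f"{chars_per_line_on_chad(s, False)} chars fed correctly vs "
            f"{chars_per_line_on_chad(s, True)} chars with text along the strips")


if __name__ == "__main__":
    for shredder in (CHEAP_STRIP, CHEAP_CROSS, MICRO_CUT):
        print(report(shredder))
```

With these assumed sizes the coarse strip cutter leaves a full 110-character line of text on one strip if a landscape page is fed the wrong way, against about 3 characters per line when fed correctly, which is the whole of Roger's second point in numbers. The batch figures come out near his (roughly 220 pages for the coarse strip cutter, about 20 for the cheap cross-cut, a single page for micro-cut); the remaining gap is down to the cutter sizes assumed here.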

Dale • January 19, 2008 6:09 PM

Anyone who counts on a shredder you can buy at your local office super store or Wal-Mart is nuts. It is quite easy to restore at least part of that information.

When I was in the service many years ago, the shredders we used sliced paper into about 1/16th of an inch - and even the output of those shredders went into burn bags.

I watched an episode of one of those real-life cop shows where they pieced together the remains of a shredded floppy diskette and recovered data off of it!

You would be surprised how much data can be gleaned from even burned ashes when carefully retrieved.

The value in shredding is that the remnants make better fire starter and smaller ashes. That's it.

Moz • January 19, 2008 9:10 PM

The correct place to put shredder output is in your worm farm. It only takes a few days for it to be transformed from wet, dirty shreds into lovely worm casts that are only really useful to plants (the botanical kind, not the spy kind).

lisa ray • January 28, 2008 2:02 AM

The single most important thing with lists is that they have to be simple to use. Anything that takes more than three seconds to use will be great for about a week. After that only half the items get put in, worse than nothing.
Text file on the desktop is the one, so long as you can avoid spending half an hour making it look nice every time you open it. Ten minutes every morning organising it then the rest of the day getting things crossed off.

lisa ray • January 28, 2008 2:07 AM

It's indeed important that we dispose of all the confidential documentation so that it doesn't get into the wrong hands. Paper shredders these days have become important office equipment.
I'm loving the above personal shredder.

Q • December 31, 2009 12:39 PM

If you're a smart spy with a big budget you could have a paper shredder scanner built with a built in hard drive and WIFI.
Here's the scenario:
Re-engineer a duplex scanner to capture both sides of the document and install it in custom made shredder. As the mark feeds the documents into the "shredder" it scans and stores the documents to a hard drive which will later be collected via wifi internet connection.

happy shredding

Leonidas • July 30, 2010 12:37 AM

Why say ex-CIA agents now working for corporations? I would bet even money that companies like HP especially are infiltrated heavily and actually paid by and run by the current active CIA, who use their systems and have been in bed together so long the two are scarcely distinguishable. I suspect they want me to send in my hard drive that "crashed" and buy a new one after ONE year because they want to probe the contents of it. The CIA IS HP. HP is the CIA. The two are indistinguishable.
