WHEN THE SPIES ARE OUT OF CONTROL
Corporate snooping is big business. But where do snoops draw the line?
IN 2002, DELL COMPUTER, the reigning king of the personal technology market, was looking to put the coup de grâce on its biggest rival, Hewlett Packard. Dell had already crushed rivals with its cheap, direct-to-consumer computers and it vowed to do the same in the printer business, which HP dominated. Not content to sit by and watch its core business eroded, HP officials dispatched the company’s competitive intelligence unit to uncover their rival’s plans. A few months later HP had what it needed—incredibly precise details about Dell’s upcoming line of printers. In the end, Dell’s printer business turned out to be less of a threat than some had feared, and the details of HP’s covert snooping operation stayed buried until late last month, when they came to light in documents related to a messy lawsuit with a former executive. But coming on the heels of HP’s espionage scandal last year, in which the company’s investigators spied on its board of directors and journalists, the episode served as yet another reminder of just how extensive, and sophisticated, and sometimes ruthless, such snooping operations have become among major corporations.
HP is far from alone. The company is just one of many willing to go to extraordinary lengths to protect itself and, some say, to throw a spanner into the spokes of opponents. Details have emerged that Wal-Mart operates a massive employee surveillance program, sends out undercover operatives to infiltrate activist groups, and has a threat analysis team that regularly sifts through customer records. Steve Jobs, the CEO of Apple, is believed to have planted evidence of a fake product in order to ferret out a mole operating within the company. And at least
two Canadian companies, Air Canada and drug maker Biovail, have paid private investigators to rifle through others’ garbage for evidence of wrongdoing. Last fall, lawyers for Toronto-based insurer Fairfax Financial reportedly tailed employees of a New York hedge fund that Fairfax accuses of trying to do it harm.
All these cases have raised a furor in the press, but the courts give companies plenty of leeway to snoop. And for good reason. In the post 9/ll environment, the world is focused on security intelligence. But the world of protecting corporate and trade secrets is just as big, and the stakes, arguably, just as high—especially if you believe that the health of a national economy is fundamental to a nation’s ability to defend itself. Companies are duty bound to their shareholders to do everything legally possible to protect their assets, especially with corporate espionage on the rise. As a result, a huge private security industry, drawing from the ranks of retired police and intelligence officers, is growing
to serve the needs of suspicious executives.
The question is, just where is the line between competitive intelligence and espionage? At what point does vigilance against spies and leakers—even practising aggressive defence against rivals in the name of cementing market share—become a threat in itself? The law is proving to be of little help in the matter, since technological advances have fast outpaced the courts. As recent history shows, corporate codes of ethics represent constantly shifting ground, where principles and guidelines are easily lost in the heat of battle, and where the line between smart business and malfeasance is defined by whether or not you get caught. “Some overzealous people are getting into areas that are unethical, and when the legal system catches up, will be illegal,” says Williamjohnson, founder of the Business Espionage Controls & Countermeasures Association. “For the moment, there are a lot of grey areas out there.” As technology gets more sophisticated, and with billions of dollars on the line,
the temptations and ethical questions are only going to get more troubling.
Of course, for a company that has seen its secrets stolen all too often, such issues may appear black and white. Wal-Mart, for instance, has been leaking insider information like a sieve for years. In 2005, a confidential memo raced across the Internet that detailed some of the options the company was considering in order to cut its health care insurance costs, such as hiring only healthy workers. The memo sparked a firestorm of criticism from union activists. In March, an internal PowerPoint presentation that detailed the results of a customer survey showed up on a blog and is now widely available for download. Then, in April, an employee Wal-Mart fired blabbed sensitive information about a plan called “Project Red” that could entail spinning off the Sam’s Club division as a separ ate company.
To put the importance of that information into perspective, consider that WalMart, with US$350 billion in sales, rivals the economic output of Sweden and Taiwan, while employing 1.9 million people worldwide. To a company like that, losing control of its sensitive financial information is potentially worth millions. Those who leak it are effectively stealing money from the pockets of untold thousands of shareholders.
To deal with its chronic leaks and other security threats, Wal-Mart has joined the ranks of the world’s most vigilant corporations. At the heart of the company’s efforts are men like Kenneth Senser—someone who knows a thing or two about keeping secrets. Senser was a career spook for Uncle Sam, logging nearly two decades as a field agent with the Central Intelligence Agency until he was appointed to tighten security at the Federal Bureau of Investigation. Now he is head of global security for Wal-Mart.
Two years ago, the company set up an intelligence gathering centre and hired David Harrison, a veteran military intelligence officer, to deal with a dizzying array of potential threats. Last year Harrison explained to a gathering of security professionals some of what the company is up against: “A bombing in China, an armed robbery in Brazil, an armed robbery in Las Vegas, another bomb threat, and that was just yesterday.” To help safeguard itself, Harrison said, Wal-Mart keeps a vast storehouse of personal data on its current and former employees, Sam’s Club
members and even customers. For instance, it specifically tracks those who buy propane tanks and make bulk purchases of prepaid cellphones. “If you try to buy more than three cellphones at one time,” he reportedly told the audience, “it will be tracked.”
To the average consumer, it all might seem like overkill, but companies are under increasing pressure to take security of all kinds seriously. Almost monthly there are reports of yet another case of corporate espionage, and the stakes are getting higher.
Back in 1965 Time magazine, in a story titled “Corporate Spies” that could have been ripped from today’s headlines, described how companies regularly hired professional sleuths, tapped telephones and sorted through rubbish to steal rivals’ trade secrets. The difference today is a matter of scale. Because of globalization and outsourcing, corporations are now just as likely to be operating in Tianjin and Tamil Nadu as they are in Toronto and Toledo, exposing
them to a wider range of threats.
In February it was revealed that chemical giant DuPont had foiled an attempt by a former employee to steal US$400 million worth of proprietary information in 2005 and hand it over to his new employer, a company in China. The following month, software maker Oracle sued German rival SAP, alleging “corporate theft on a grand scale.” And those are just the cases we know about. “You hear about one or two good ones a year,” says David Carpe, founder of Clew, a competitive intelligence firm based in Boston, Mass. “For each one of them, there are hundreds and thousands of others.” Each year, the FBI estimates, U.S. companies lose US$100 billion as a result of the theft of trade secrets.
Figures for Canada are hard to come by, but earlier this month Chen Yonglin, a former Chinese diplomat, claimed his country operates a network of1,000 informants here, with orders to, among other things, steal commercial and scientific secrets. Last month Jim Judd, director of the Canadian Security Intelligence Service, warned senators that half of all foreign spies in Canada are from China. Indeed, prior to 9/11, CSIS was well
on its way to becoming an agency focused on corporate espionage as much as national security.
Thanks to the complexities of securing vast online networks accessed by thousands of employees, companies are more vulnerable than ever. It was through Air Canada’s website that rival Westjet accessed detailed information about the airline’s routes and traffic. (Last year, Westjet agreed to pay out a total of $15 million for its actions.) “Security used to mean having fences, cameras and guards,” says Ray O’Hara, a senior vice-president of corporate security firm Vance International, a division of Montreal-based Garda. “We still have that, but all the information that used to be behind those walls is now sitting on the Internet.”
The problem is, for those companies that do suspect they’re being robbed or spied upon, there is often nowhere to turn for immediate help. The legal system is already stretched to the limit and getting a prosecutor’s attention is often impossible until the
secrets are already out the door. In April, Montreal aerospace giant Bombardier succeeded in getting a court in Quebec to issue a special pre-emptive order when it suspected a former senior executive had stolen sensitive documents and intended to give them to his new employer. But such cases are the exception. “In most cases, governments and the courts can’t really help companies because prosecutors are already overwhelmed,” says Ed Roche, a director with Barraclough Ltd., a corporate intelligence research firm in New York. “That’s the weakness in the system.” As a result, companies are increasingly taking matters into their own hands. And that has presented substantial risks—both legal, moral, and to precious corporate reputations. Take last year’s HP spy scandal. Outside private investigators impersonated individuals in order to obtain cellphone records of board members and journalists, a practice known as “pretexting.” But what started out as an internal investigation of boardroom leaks spiralled into a full-fledged cloak-and-dagger misadventure that resulted in high-profile resignations, huge embarrassment, and even a criminal indictment against chairwoman
Patricia Dunn. A California judge recently threw out the charges, but the damage was already done.
Wal-Mart, too, has come under severe criticism for the extent of its counter-intelligence efforts. In March, the company fired a technician, Bruce Gabbard, who had intercepted text messages and recorded phone calls involving, among others, a reporter from the New York Times. Wal-Mart stressed that while Gabbard hadn’t broken any laws, his actions weren’t authorized. But pink slip in hand, Gabbard did what any double agent would do. He sang like a canary. The former
employee told the Wall Street Journal that Senser had pressured him to uncover the source of several embarrassing leaks. And Gabbard claimed the company not only tracks employee phone calls, but keeps tabs on workers, vendors and consultants through advanced technology capable of tracking every keystroke on computers connected to its vast network. And in one truly bizarre episode, Gabbard said the corporate gumshoes dispatched a long-haired employee, fitted with a wireless microphone, to infiltrate Up Against the Wal, an anti-Wal-Mart activist group suspected of planning a protest at last year’s annual general shareholders meeting.
Such seemingly extreme measures worry privacy advocates who say the line between public law enforcement and private security is vanishing. “Wal-Mart appears to be trying to match some of the capabilities of government intelligence agencies,” says Steven Aftergood, head of the government secrecy project at the Federation of American Scientists in Washington, “but without any of the oversight.”
In case after case, the way corporations are choosing to defend themselves is being put to the legal and ethical test. At one point,
People for the Ethical Treatment of Animals sued Kenneth Feld, the CEO of Feld Entertainment, which manages Ringling Bros, and Barnum & Bailey Circus, accusing him of hiring a former CIA agent to infiltrate the organization. But legally they were on shaky ground. Last year, a jury in Virginia dismissed the case because, as long as nothing is stolen, there’s nothing in the law against sending an employee into a group to eavesdrop, say security experts. Police regularly go undercover to fight crime. Journalists and activists, including PETA, do it in the name of social justice. But when corporations spy, many people inherently feel there is an ulterior motive— and the whole affair undoubtedly hurt Feld more than PETA ever did.
That’s been a concern in the cases of Biovail and Fairfax. Both companies have accused hedge funds and analysts of manipulating their shares. But observers complain the companies are using hardball tactics to stifle critical analysis. For example, Biovail claims Jerry Treppel, a former Banc of America
analyst who had been critical of the company, worked with hedge funds to drive down the stock. In late 2005, Treppel caught two private investigators, who worked for Biovail, stealing garbage from outside his home. Another research firm, Arizona-based Gradient Analytics, has accused Biovail and online retailer Overstock.com of waging “a campaign of intimidation and baseless litigation” by hiring investigators to harass employees and their relatives.
Meanwhile, Fairfax last year launched a US$5-billion lawsuit against a number of hedge funds and analysts, alleging they “engaged in an organized effort to destroy”
the company. Fairfax claims one forensic accountant, Spyro Contogouris, misrepresented himself to get into the company’s offices. In turn Institutional Credit Partners, a New York investment firm that last year raised questions about Fairfax’s accounting, claimed the company’s lawyers hired investigators to follow its employees. The question, as Fortune magazine asked in a March story on Fairfax: “Is it a quest for justice or an attempt to silence critics?” Those questions are often as much about ethics as the law, says Ira Winkler, author of a new book called Zen and the Art of Information Security.
Experts warn that when companies hire ex-police officers and former G-men, they often get more than they bargained for. Indeed, many companies continue to flirt with the line between intelligence and espionage. Wal-Mart recently posted job openings for former military and government intelligence officers to assess threats stemming from “world events, regional/national security climates, and suspect individuals and groups.” There’s no shortage of retired agents to chose from. “I get a lot of resumés from former military guys,” says Clew’s Carpe. “My main issue is about 99.9 per cent of the time, they know so little about how industry and business works and what you can and can’t do.”
Advances in technology make that distinction even blurrier. Corporate crooks and those out to stop them have a growing array of tools to draw from, making it hard to know where to draw the line. Some security experts argue the law should be the ultimate guide. “I’m in control of the investigation, and I don’t step outside the law,” says Mark Northwood, director ofToronto-based Northwood/MJM, a firm that does investigative work for corporate clients. “We’re there to protect our clients’ interests and we therefore have a duty to protect their reputation.” But others say it’s not that simple. Stephen Martin, a business ethics professor at the Daniels College of Business at the University of Denver, encourages companies to draft strict ethical guidelines for their security departments. “I don’t like to see companies guided solely by the basement standard of what the law states,” he says. “I like to see them work off a higher ethical plane.”
That’s easy for an academic to say. But the reality is, companies are increasingly faced with a lose-lose proposition when it comes to defending themselves: fail to effectively counter spies and thieves, and they risk the loss of invaluable trade secrets. But employ excessive tactics, and they risk their spy games appearing in the headlines, and landing executives in court. Judging by the steady flow of corporate spy cases, companies are having a hard time striking that balance. M
'I CONTROL THE INVESTIGATION, AND I DON'T STEP OUTSIDE THE LAW'