V. WAR
Tiversa’s undoing began in the summer of 2013, with a YouTube video. Michael Daugherty, the owner of a cancer-screening lab in Atlanta, had posted it to publicize his memoir, “The Devil Inside the Beltway”—a reference to the F.T.C., which Daugherty believed was destroying his company, in a conspiracy that included Tiversa. The video had an urban-doom aesthetic, reminiscent of “Batman.” Over a soundtrack of percussion and agitato strings, it opened with three title cards: “Government Funded Data Mining and Surveillance,” “Psychological Warfare,” and “Abusive Government Shakedown.” The sequence ended with an explosion and a pair of eyes glaring through a draped American flag—the book’s cover art.
In the video, Daugherty appeared beside a mural-size painting of George Washington, wearing a white oxford shirt and a dark blazer. In a flat Michigan accent, he asked, “What am I doing here?” Then he put a red plastic whistle in his mouth and blew. He explained that he had built his company, LabMD, into a successful business, until “suddenly one day the phone rings, and it’s a guy named Robert Boback.”
The call came in 2008, after a computer in Daugherty’s billing department exposed documents through LimeWire. Rick Wallace downloaded one of them—a file containing the private information of more than nine thousand patients—and a Tiversa sales executive made an initial pitch. Then Boback took over, pursuing a FUD-centered strategy. He declined to provide details about the source of the breach unless Tiversa was hired, while suggesting that the risk was growing because people were “searching precisely for the exact file name.” This struck Daugherty as preposterous: the file’s name was “insuranceaging_6.05.071.pdf.” Offended by Boback’s manipulations, he told Tiversa to direct all further communications to his lawyer, and put the matter out of his mind.
Then, in January, 2010, an attorney with the F.T.C. sent a letter, announcing that LabMD was under investigation for breaching federal data-security law. “The letter’s immensity shocked me,” Daugherty wrote in his memoir. In eleven pages of legalistic prose, the F.T.C. demanded proof of compliance. Daugherty sent over thousands of pages of records, noting that he had obeyed medical-privacy laws and had closed the breach the moment he learned of it. “The F.T.C. was on my mind at all hours of the day,” he wrote. “If I was up in the middle of the night to use the restroom, I thought of the F.T.C. If I drove down the road to work, I thought of the F.T.C.”
Almost as soon as the investigation began, Daugherty wondered if Tiversa had been involved: the LabMD file at the center of the inquiry was the same one that Boback had obtained. Haunted by the idea of a connection, Daugherty began researching. Both of his parents had been police officers, and, he told me, “my whole life was marinated in investigators and prosecutors and lawyers.” He found that Tiversa had provided LabMD’s breached documents to an academic at Dartmouth, and that Boback had cited them in congressional testimony, in 2009. The idea that Boback was publicizing his misfortune ate at him. He told himself, “This means war.”
Daugherty’s lawyer sent Tiversa a list of questions, which Boback ignored. Getting answers from the F.T.C. was no easier, and Daugherty began to vent his frustration. He claimed, publicly, that Tiversa had engaged in “property theft” when it took the file. Tiversa’s lawyers responded with a cease-and-desist letter, which argued that the file had spread on peer-to-peer and was available for anyone to take. “Tiversa is not a ‘thief,’ ” they insisted, adding, “The F.T.C. investigation is a direct result of LabMD’s security failings, and nothing more.”
The legal warning did not deter Daugherty from writing his book, which accused Boback of being a con artist and his company of “mental abuse.” Boback, irritated, wrote to an associate, “The problem is that he needs a face to his ‘villain’ and unfortunately (and incorrectly) chose me.” Soon after Daugherty posted the promotional video, Tiversa sued him for defamation. At almost the same time, the F.T.C.—nearly four years after it launched its inquiry—sued Daugherty’s company for failing to safeguard its data. Tiversa became involved in both cases, maintaining that it had originally downloaded the LabMD file from a computer, in San Diego, that appeared to belong to an identity thief.
At Tiversa, a former employee told me, Boback seemed intent on pursuing Daugherty, even though it brought no obvious benefit to the company: “It got very cultish. We had this very charismatic leader, who would call these meetings for the entire company and start rambling about how he was being persecuted, how he was going to win, how crazy Daugherty was.”
As the fight intensified, Rick Wallace was spending less and less time in the ops room. Once Tiversa signed up companies like LifeLock and MetLife, his skills at uncovering eye-catching records were less relevant. Boback, instead, pushed him into the role of part-time superintendent—dealing with elevator breakdowns, burst pipes, and broken light bulbs. Eventually, Boback hired Wallace and his wife, Amy, to clean up a house that he was flipping: a ramshackle place occupied by feral cats, which had left it in a toxic, stomach-turning condition. They called it Catmandoo.
Wallace began drinking heavily and talking less to Boback. Nonetheless, he says, Boback called him in just before Tiversa issued Daugherty the cease-and-desist letter, asking him to make it appear as if the LabMD file had spread across the peer-to-peer network. Wallace was reluctant: he was conscious that he had pulled down the file from Daugherty’s company, and had noted his findings in writing. Still, he complied, linking the file in the Data Store to several burnt I.P. addresses. In 2013, as Tiversa pressed Daugherty to settle, he did so again, making it appear as if the file had spread to six locations, including a computer in San Diego.
Recognizing that his fabrications were becoming legally significant, Wallace began to come apart. “I was already stressed,” he recalls—suffering, he says, from P.T.S.D., caused by his online research into child exploitation. On New Year’s Eve, 2013, he got drunk and ended up in a physical altercation with his wife and daughter, and the police arrested him—the first of several arrests tied to drinking. “No one was even trying to understand what was happening to me,” he told me. “I drank too much alcohol—always beer—and got in trouble.”
In January, 2014, Wallace received a subpoena from Daugherty’s lawyers, who were seeking to understand how the LabMD file had been exposed. He worried that he would have to either lie under oath or implicate himself and risk retaliation. After he expressed his fears to Boback, he says, Boback summoned him to his office, where he was toying with a pistol: “He’s, like, ‘Well, Waldo, if you fuck with the bull, you get the horn.’ ” (Boback says that he had no weapon, and that he simply directed Wallace to tell the truth—which, he maintains, is that he never ordered anyone to create false spread.)
On February 4th, Tiversa’s lawyers agreed to have Wallace deposed. Soon afterward, Wallace says, he got a prescription for Ambien, which he took after drinking, then got into his car and totalled it. The following day, he drove the family’s other car to Tiversa, where he and Boback had another standoff over the deposition. (Boback says they never met at the office.) As Wallace left, he says, Boback followed him into the elevator. “We were on the seventh floor, and he pushed the sixth-floor button, and as soon as the elevator doors closed he slammed me against the wall,” Wallace recalled. Boback commanded him, again, to lie in order to corroborate the company’s version of events. When the elevator arrived at the sixth floor, he got off.
Afterward, Wallace sat in his car and drank beer for a while, trying to calm down. Finally, he started the engine. “I just went around the corner from Tiversa and sped as fast as I could into a light pole,” he says. “I just wanted to end it.”
He was arrested. Boback picked him up and drove him home, warning that if he didn’t get treatment for his drinking he would be fired. Days later, Wallace checked himself into a facility, which Boback had chosen. Whatever the benefits of rehab, it would also serve to isolate Wallace—perhaps even make his deposition impossible. (Boback told his executive assistant to avoid contact, explaining, “He needs treatment, not friends right now.”) When Daugherty’s lawyers tried to contact him, they were told that he was inaccessible for medical reasons.
Almost as soon as Wallace started rehab, Boback fired him. He then hired a private-investigation company, Inpax GPS, to dig into the Wallaces’ background, and brought security professionals to Tiversa to conduct “self-defense training.” Inpax GPS produced a threat assessment that blended verifiable facts with assertions that seemed to originate from Boback, for instance that Wallace exhibited “extreme jealousy and threatening behavior directed toward Tiversa’s CEO.” It described Wallace’s run-ins with the law, including one from 2013. The previous summer, the Wallaces had hosted an eight-year-old girl from New York, through the Fresh Air Fund, and the girl’s mother complained that Wallace had behaved inappropriately. Wallace strenuously denied the accusation. Following an investigation, the authorities declined to pursue a case, and an administrative judge who reviewed the evidence recommended that the complaint be expunged. But Boback knew of the inquiry, and details about it turned up in the Inpax GPS assessment. He then cited the report to associates, giving the impression that Wallace was a molester.
When Wallace came home from rehab, some of his law-enforcement contacts would no longer return his calls. He had no obvious way to turn his career around, and felt increasingly isolated. On the evening of April 2, 2014, he was sitting in front of his computer at home. On impulse, he began searching for Mike Daugherty’s number. A few months earlier, Daugherty had announced that he could no longer stay in business; in a melancholy note to employees, he had written, “Our futures are full of unknown waters.” Suddenly, Wallace felt compelled to confess.
That evening, Daugherty was at a Thai restaurant in Atlanta. He had arrived early, and was waiting for some friends, when his phone rang. He answered, and a man’s voice he didn’t recognize said, “Is this Mike Daugherty?”
“Yeah,” Daugherty said.
“Do you know the name Tiversa?”
“Yeah,” Daugherty said.
“Well, I know a guy who would be willing to talk to you about what really happened. Can you talk to him? Would you retaliate?”
“Can you tell me who the guy is?”
“It’s Rick Wallace,” the man said.
Daugherty said that he wanted to get his lawyer’s advice, and hung up. The lawyer told him to call back immediately, but Daugherty didn’t have the number: the caller’s I.D. was masked. Twenty minutes later, the man phoned again. Daugherty ran to the parking lot to take the call. “O.K., yes,” he said, hurriedly. “I can talk to him.”
There was a pause. “Well,” the man said, “I’m Rick.” Wallace almost immediately started to cry. “I destroyed your company,” he told Daugherty. “I did terrible things.” He spoke a little about what he had done at Tiversa; LabMD, he explained, had been on the list that went to the F.T.C. Then he passed the phone to his wife, and to one of their daughters. “Everyone was wanting to apologize,” Daugherty recalled. He assured Wallace that redemption was possible. He said, “Let’s focus on fixing this.”
Daugherty strove to help Wallace obtain legal immunity to testify in his F.T.C. hearing, and he put Wallace in touch with the House Committee on Oversight and Government Reform. Darrell Issa, the committee’s chairman, believed that LabMD’s case raised questions about the scope of the F.T.C.’s authority. Moreover, Boback had twice testified before his committee. If he had not been truthful, Issa wanted to know. The committee launched an investigation.
Wallace was suddenly poised to be a star witness in two significant Washington inquiries. But he was drinking again, and still terrified of retaliation. In April, a congressional staffer reached out, to inform him that his testimony was required. Days later, he walked into the local police department in a panic, fearing that a scheduled call with Congress was a ruse orchestrated by Boback to intimidate him, or to find out what he planned to say. Wallace told the police that he had been receiving threatening phone calls and death threats posted on his car. His preoccupation with being harassed often interfered with his ability to testify. He later told congressional investigators that he found a Tiversa envelope in a shed behind his house, with a note scrawled on it: “I.C.U.” He took a photo—evidence, he said, that Boback was monitoring him and his family.
That spring, Boback travelled with his family to the Yemeni island of Socotra, and in the summer they went to Namibia. At home, though, he resembled a man at war. He hired the former White House press secretary Ari Fleischer to advise him in Washington, and he worked to assail Wallace’s credibility with Congress and the F.T.C. Tiversa also passed the Inpax GPS threat assessment to David Sitler, the police chief in Wallace’s community, who initiated a “force protection” measure. As summer gave way to fall, Wallace says, Sitler became a near-constant presence at his home. (Sitler, who was later fired for police brutality, denies this, saying, “We only monitored him if we came into contact with him.”)
Inpax GPS also increased its efforts, assigning two investigators to track Wallace’s movements. Under Boback’s direct guidance, they coördinated with the police to place a hidden camera in a traffic cone outside Wallace’s home. The footage was unremarkable—the mailman, Wallace’s children—and after three days the investigators suggested that the surveillance be discontinued. An employee at Tiversa learned about the camera and secretly sent word to Wallace to be careful.
In November, 2014, the Department of Justice finally granted Wallace immunity to testify. Boback passed the news to one of his private investigators, striking a cool tone. “It will work out for the best,” he told him. “Even though he will say ridiculous lies about Tiversa, he will get exposed.” But, at the office, he seemed far from calm. Two former employees say that they witnessed Boback trying to manipulate Daugherty’s file in the Data Store—making further changes to metadata that might figure in Wallace’s testimony. In April, 2015, a month before the F.T.C. hearing, Wallace says, he found a warning chalked on his driveway: “U R DEAD.”
Wallace was a quiet presence in court. Sitting before an administrative-law judge, he described systematically creating fraudulent file spread in the Data Store at Boback’s direction. When asked how many Tiversa clients had been given false information, he said, “Probably every company that we’ve ever done business with.” During testimony about Daugherty’s company, the judge asked, “Did Mr. Boback have any reaction to LabMD’s decision not to do business with Tiversa?”
“Yes,” Wallace said.
“And what was that reaction?”
Wallace glanced at his lawyer, who instructed him to answer. “He basically said, Fuck him,” he said. “Make sure he’s at the top of the list.”
The hearing triggered a storm of coverage—as Ari Fleischer informed Boback, “one story after another with similar bad headlines.” CNN went with “Whistleblower accuses cybersecurity company of extorting clients.” The bad press worsened after Darrell Issa’s committee released a long report that asked whether Tiversa was a “hi-tech protection racket.”
Joel Adams wrote to Boback, “F these guys Bob. We are the winners here.” Boback responded, “They’ll get theirs.” With Fleischer, he drafted a letter to the Wall Street Journal saying that his company was a “good Samaritan.” He argued that if Tiversa had never contacted LabMD its internal records would still be online, exposing the private information of thousands of patients. And he asserted that “the suggestion that Tiversa provided information on exposed files to the Federal Trade Commission as a means of retribution because LabMD didn’t hire Tiversa is 100% false.” Wallace, Boback said, “is an individual with a history of not telling the truth, and the information he testified about is demonstrably false.” But he refrained from demonstrating how any of the allegations were false.
By this time, the Department of Justice had launched a criminal probe into Tiversa, and on March 1, 2016, a convoy of black vehicles filled with armed federal agents pulled up to the company’s headquarters. They stormed the building and also interviewed employees at their homes, including one executive who was so nervous that he kept trying to drink from an empty water glass; eventually, he confessed to knowing that Wallace had added false metadata to the Data Store. The agents also commandeered records and seized the Data Store. The archive—a room filled with servers, stacked in racks seven feet tall—by then contained an estimated billion files, a trove measurable in petabytes. The federal agents sought to copy just a fraction of it; the process took so long that they needed a second search warrant.
Law-enforcement officers strive to keep such investigations secret. But, during the raid, a mysterious Twitter account made this impossible. By then, Tiversa’s employees were in open revolt. (Several had left the company, while others had written to Adams, begging him to take action against Boback: “He risks everything for his own personal gain, and will lie to anyone to maintain his status.”) The Twitter account posted a dramatic photo of the F.B.I. convoy, copying it to the Pittsburgh Post-Gazette, with a note indicating that Tiversa was being raided. The news was a deathblow. The board, driven by Adams, installed a new C.E.O., but there was very little that he could do. The company’s brand was demolished. Tiversa would soon have to be sold.
The judge in Daugherty’s case found Wallace credible, and he ruled against the F.T.C. (Based on a videotaped deposition, he deemed Boback evasive and untrustworthy.) His ruling was validated last year by an appellate-court judge, who noted, with unusual indignation, that the “aroma that comes out of the investigation of this case is that Tiversa was shaking down private industry with the help of the F.T.C.” The commission’s lawyer conceded, “Tiversa engaged in serious, serious misconduct.” Before he could argue that the F.T.C. was untouched by that conduct, the judge cut him off, insisting that the commission should have let the matter go “after the evidence collapsed.”
By then, Tiversa had been dismantled. It had too many liabilities to be sold outright, so the board had decided to carve out its assets. Still, no sale could be undertaken without ethical complications. The Data Store was the cybersecurity equivalent of nuclear waste—a vast repository of personal, financial, and corporate information, sensitive government records, and whatever else had been exposed on the Deep Web. Was it moral to put a price tag on it—to profit from, say, Justice Breyer’s Social Security number? Was it even legal? Would there be an audit to insure that the deal contained none of the hacked content that Wallace had uploaded, none of the pirated music, no child pornography? The sale included health-care information protected by strict privacy laws. Was that a crime?
In February, 2017, Tiversa’s primary shareholders began negotiations with Kroll, the corporate-intelligence firm, to sell off the company’s core assets for several million dollars. The deal, closed within four months, was kept quiet. Earlier this year, a spokesperson for Kroll agreed to make an executive available to discuss the acquisition, if I provided a list of questions in advance. After I sent the list, the discussion was abruptly cancelled. Kroll instead offered a brief statement. It said that Tiversa’s technology strengthens its “existing business offerings,” and that Kroll is not pursuing the company’s former “business operations.” One person involved told me that Kroll wanted the assets for corporate-intelligence purposes. It hired a handful of Tiversa employees to maintain the system. This January, someone in England detected it working and wrote on Twitter, “Care to tell me why you are snooping my I.P. address?”
After the raid on Tiversa, Boback moved his family to a waterfront compound in Florida, with a tennis court, a pool, a pier. He bought a construction company in Tampa Bay. Its Facebook page posted a photo of him, standing on a yellow Komatsu truck, wearing jeans and a safety vest and grinning.
At the time of the photo, Boback was still under federal criminal investigation. A year after the raid, though, the Department of Justice decided to drop its inquiry. Prosecutors typically do not comment on such matters, but it is possible to speculate on the reasoning. For one thing, the Data Store was a forensic hall of mirrors. For another, not all forms of FUD are criminal. Tiversa’s actions never seemed to achieve the sharp edges of extortion. As for fraud, while some potential clients appear to have been fed entirely fabricated information, the tactic, as Wallace described it, was more often to exaggerate real breaches. It wouldn’t be easy for a jury to delineate where Tiversa profited from fiction and where from fact. And, even though there were at least three other witnesses to the creation of false spread, the prosecution would have to build its case around the testimony of a man with a drinking problem and a record of arrests.
In March, 2017, two weeks before the Department of Justice closed its Tiversa case, Wallace fell from a tree while helping a neighbor do some pruning. He smashed his spine, and, paralyzed from the waist down, was unlikely to be able to testify for many months. Confined to a wheelchair, he now works as a security consultant. Daugherty is trying to return to health care. In the meantime, he promotes himself as an expert in “cybersecurity response,” and focusses on litigation. He recently sent me a pie chart demonstrating the many cases he had initiated.
Boback, despite his efforts to project the image of a carefree construction magnate, remains mired in the legal fights over Tiversa, and is still sensitive to accusations about how he ran the company. Shortly after Joel Adams forced him out, he wrote a post on LinkedIn promoting a memoir. When I asked about the book, Boback told me that it existed only in his mind—a fiction to communicate to business associates that he had a story to tell. In any case, he said, an imaginary memoir is the best kind to have when you can still be deposed.
The LinkedIn post described the book as the tale of a heroic businessman, fighting to overcome small-minded enemies—particularly Adams, whom Boback now likes to depict as the cause of Tiversa’s problems. Titled “Politics of Greed,” it would contain supportive forewords by Wesley Clark and Ari Fleischer. Although the book was still unwritten, Boback offered a sample of the advance buzz: a blurb from a reader who called his story a “travesty of justice,” and one from another who asked, presumably of Adams, “Is this Pittsburgh’s Bernie Madoff?” The description suggested that Boback was a whistle-blower, sacrificing everything to expose wrongdoing. “The entrepreneur was terminated, investigated, and ‘scape-goated’ in his effort to bring this information,” it read. “However, he overcame these attacks to build a new multi-million dollar firm to provide the resources to bring this forward.” Boback assured readers that he would ultimately triumph over his foes: “You’ll be cheering in the end!” ♦
Article reposted with permission