Michael in Print

28 Oct LabMD in THE NEW YORKER

A Cybersecurity Firm’s Sharp Rise and Stunning Collapse

Tiversa dominated an emerging online market—before it was accused of fraud, extortion, and manipulating the federal government.

 

Originally published by Raffi Khatchadourian in The New Yorker

Listen to the audio version

THE FOOTBALL

Before Robert Boback got into the field of cybersecurity, he was a practicing chiropractor in the town of Sewickley, Pennsylvania, twelve miles northwest of Pittsburgh. He was also selling used cars on eBay and flipping houses purchased at police auctions. The decision to branch out into computers came in 2003, after he watched a “60 Minutes” report by Lesley Stahl about pirated movies. For years, while digital piracy was devastating the music industry, Hollywood had largely been spared; limitations on bandwidth curtailed the online trade in movies. But this was changing, Stahl noted: “The people running America’s movie studios know that if they don’t do something, fast, they could be in the same boat as the record companies.”

Boback was thirty-two years old, with a Norman Rockwell haircut and a quick, smooth, entrepreneurial manner. Growing up amid the collapsing steel industry, he had dreamed of making it big, hanging posters of high-priced cars—a Lamborghini, a Porsche—on his bedroom wall and telling himself that they would one day be his. After high school, he trained to be a commercial pilot, imagining a secure, even glamorous, life style—but then the airline industry began laying off pilots, and he switched to chiropractic, inspired by a well-off practitioner his family knew.

Watching “60 Minutes,” Boback saw a remarkable new business angle. Here was a multibillion-dollar industry with a near-existential problem and no clear solution. He did not know it then, but, as he turned the opportunity over in his mind, he was setting in motion a sequence of events that would earn him millions of dollars, friendships with business élites, prime-time media attention, and respect in Congress. It would also place him at the center of one of the strangest stories in the brief history of cybersecurity; he would be mired in lawsuits, countersuits, and counter-countersuits, which would gather into a vortex of litigation so ominous that one friend compared it to the Bermuda Triangle. He would be accused of fraud, of extortion, and of manipulating the federal government into harming companies that did not do business with him. Congress would investigate him. So would the F.B.I.

But as Boback was watching “60 Minutes” all he saw was a horizon of possibility. Stahl pointed out that pirated music and movies were spreading primarily on peer-to-peer networks—an obscure precinct of the Internet that was sometimes called the Deep Web. The networks were made up of hundreds of thousands of decentralized connections, in which one computer was linked to no more than five others, and then through those five computers to many more, expanding exponentially like the branches of a large tree. These connections were invisible to search engines like Google. Even the software that allowed users to browse them had only a limited field of vision—glimpsing just random fragments of the tree at a time. Boback wondered if it was possible to design a system that could scan the whole tree at once, then block people from sharing files on it. Certainly, this capability would be worth a lot.

Boback had no idea how to build such a thing, but he knew someone who might: a patient of his, Sam Hopkins, whose girlfriend had persuaded him to pursue chiropractic treatment after a car crash. Hopkins was in his thirties, too. He was soft-spoken, with a childlike disposition, a wispy physique, and a goatee. He had grown up in inner-city Pittsburgh, in a home where money was scarce. As a boy, he had taught himself how to program on a Commodore 64 that was on display at Sears. Bored with school, he dropped out, and built an Internet-service provider, which was sold to a local telecom company. By the time of his car accident, he was designing high-speed computer networks for Marconi Communications.

When Hopkins came in for treatment, Boback explained his idea, and after some thought Hopkins said that it could be done. At that time, the most popular peer-to-peer software was a free application called LimeWire. When a user searched for a file—say, an MP3 of “Hey Ya!”—LimeWire sent a query to other users asking for it. If the file turned up, this meant that someone had designated it for sharing. The main peer-to-peer network limited the number of computers a person could search. But Hopkins told Boback that the limitation could be overcome with a system that scattered virtual users, or “nodes,” throughout the network—in effect emulating many, many copies of LimeWire running simultaneously. With enough nodes, the whole network could be seen.

That Christmas holiday, Hopkins locked himself in a room to program, and in a couple of weeks built a rough prototype. Even though it could maintain only a small number of nodes, data flowed through it in a torrent. The system could track the search terms that thousands of users were entering—offering unique insight into what was in demand, half clandestinely, on the Deep Web. The terms filled the screen so rapidly that Hopkins had to program a “decelerator” to slow them down. Watching the words race by, the two men began to suspect that they had genuinely struck it big.

By the end of the year, Boback and Hopkins were sitting in the well-appointed offices of a Pittsburgh law firm that specialized in intellectual property. The attorneys were optimistic. Rather than charge billable hours, they offered to work for ten per cent of the proceeds when the system sold. One said that the deal could be worth fifty million dollars. With the firm’s help, Boback and Hopkins formed a corporation. Hopkins came up with its name, Tiversa, a portmanteau of “time” and “universe.” It was also an anagram of veritas: Latin for “truth,” but scrambled.

Boback is a storyteller. Words pour out of him in cascades that, depending on the listener, can register as beguiling, slick, questionable, or bullshit. One colleague described him as “very confident, sometimes bordering on cocky.” Another told me, “He was a master manipulator. Watching him was like watching van Gogh use oils.”

As Boback began marketing his system, he landed a big meeting with lawyers representing the Recording Industry Association of America, but the lawyers said they already had a strategy to combat file sharing: sue the problem into oblivion. Undeterred, he and Hopkins flew to Los Angeles, where they met with Darcy Antonellis, the head of anti-piracy efforts at Warner Bros. The studio was gearing up to release a summer blockbuster, “Troy,” an epic in the mold of “Ben Hur,” rumored to have cost almost two hundred million dollars. A screener had already leaked, and, during the meeting, Boback strove to convey how much money Warner Bros. was losing: in his hotel room beforehand, Hopkins had added to the software a digital counter that appeared to track downloads of “Troy,” tabulating a fifteen-dollar loss with each one. Boback explained that the system, which he was calling Media Spy, could be designed to jam the activity. Antonellis listened patiently, and then said that it seemed too good to be true. She meant it literally. Such an intrusion would require Warner Bros. to block people from posting files at the point of their computers, which she suspected was legally impossible.

After the meeting, Boback’s lawyer mentioned that a partner in his firm knew Orrin Hatch, the chairman of the Senate Judiciary Committee, who had spoken out against pirated music and movies. Perhaps, if Hatch gave his imprimatur to the system, the concern about its legality could be overcome. That May, Boback and Hopkins drove to Washington with another lawyer in the firm, to meet with Hatch in a conference room in the Hart Senate Office Building. They brought a laptop and made their pitch, as Hatch listened with polite interest. While wrapping up, they explained that their system could track not only music and movies (the vast bulk of the content on peer-to-peer networks) but anything else that people were sharing: documents, spreadsheets, PowerPoint decks. Some of those items appeared to have national-security implications, so Hopkins had created a second user interface for the software, called Patriot Spy. Boback shared a few examples of what the system had found, including files belonging to a person in Australia who had jihadi literature and bomb-making manuals.

“Stop what you’re doing,” Hatch said. He led his guests to his office, seated them in faux-leather chairs, and commanded an assistant, “Get me George Tenet.” Within a few minutes, the director of the C.I.A. was on speakerphone, and Hatch was telling him that, if the agency did not have the capability he had just witnessed, then it should. Boback and his colleagues looked at one another in disbelief. By the end of the call, Tenet had invited them to visit the C.I.A.’s headquarters, in Langley, Virginia, first thing the next morning.

Unprepared to spend the night, Boback and the others bought clean underwear and toothbrushes, then tried to find a hotel in D.C. They were laughed out of a downtown Marriott, and eventually landed in a tumbledown joint on the city’s outskirts. Still, they were giddy. If the C.I.A. wanted to buy their system, then Hollywood could wait.

In the morning, they pulled up at the front gate of Langley and explained that they had an appointment with the head of the Directorate of Science and Technology. They were sent to the Original Headquarters Building, but Boback made a wrong turn and the car was soon surrounded by security personnel, their weapons drawn. A guard warned them to leave immediately. “Do you understand?” he screamed. Boback, unsure whether the guard meant the road they were on or the entire property, rolled down the window. “No,” he said. “Can you explain it to us?” The other passengers were terrified, but Boback was unfazed. As he turned the car around, he said, “We got to get in here. It’s the meeting of a lifetime! ”

Inside, the head of the Directorate of Science and Technology was joined by an official representing In-Q-Tel, a corporation that the C.I.A. had set up to fund new technologies. (The “Q” refers to the technician in James Bond films.) A follow-up call from one of the participants led to more trips to D.C., and suddenly Boback and Hopkins were journeying through the shadow world of the post-9/11 national-security establishment.

There were visits with the F.B.I. and the military. They returned to Langley, to meet with another enthusiastic official, who introduced himself only as Bad Bob. The agency also instructed them to go to a Starbucks in Reston, Virginia, from which a C.I.A. officer would convey them to a secret facility. The officer drove them for several minutes before arriving at a large building, where they gave a presentation in a packed room. One audience member asked if they were prepared to sell, and, as they headed back to the car, the officer pressed them to name a price. Hopkins said, “I’m thinking two billion dollars,” which prompted laughter, and some advice: sell your technology to a large contractor, like Raytheon; don’t deal with the government yourself.

On the drive back to the Starbucks, Boback asked what prevented the C.I.A. from simply stealing their technology. The officer told them, “If you weren’t an American citizen, I would have already stolen it—and, oh, you have a connection to Senator Hatch.” The offhand comment sent a jolt of paranoia through Boback and Hopkins, who began to refer to their laptop as “the football”—the White House term for the briefcase that allows the President to access the nuclear codes. They decided to secure the software. At the time, Hopkins lived on thirty-eight acres that he had converted into a makeshift wildlife sanctuary. He burned the code to a DVD, and then walked out and buried it.

The more that intelligence operatives expressed an interest in the technology, the more Boback sought to prove its value. He and Hopkins renamed the system EagleVision X1—a reference to the “X1” markings on some classified files. When Boback saw an apparent spike in searches containing “Chechnya” and “jihad,” he let Bad Bob know. When he saw a file suggesting that an attack might be imminent in Egypt, he told a congressman.

EagleVision X1 had been designed to comb the peer-to-peer networks using search terms that Hopkins set for it. But, as Boback tried to market the software, Hopkins worked to improve the system, so that if it had a hit on a search term then it would automatically pull down everything else that was being shared on that computer. New material flooded in. EagleVision X1 found a document in China belonging to the F-35 Joint Strike Fighter program. It also pinpointed a man, about an hour from President George W. Bush’s Texas ranch, who was sharing files about sniper rifles and photos of the President’s daughter. Boback notified the Secret Service, and early the next morning agents turned up at Boback’s home.

At first, Boback assumed that anyone who willingly shared this kind of information must be engaged in some kind of illicit trade. But, as Tiversa’s system vacuumed up more examples, he learned that there was a surprisingly benign reason. LimeWire and its competitors were confusingly designed, causing people hunting for music to open up their hard drives—inadvertently designating sensitive files for sharing on peer-to-peer. In pursuit of a free MP3, jihadis and federal contractors, soldiers and diplomats, executives and celebrities were doxxing themselves. Because the people who used LimeWire were looking almost exclusively for music, this mass exposure had gone largely unnoticed.

Despite Boback’s hustle—or perhaps because of it—he struggled to sell EagleVision X1 to the C.I.A. With the chance of a big payout receding, Boback thought that perhaps the technology would be easier to sell if he built a business around it. So, in 2005, he met with a Pittsburgh financier, who agreed to invest seed money to elevate Tiversa from some lines of code into a startup. The investor recommended that Tiversa focus on corporate clients; they could bring in agencies like the C.I.A. later.

Boback rented office space in a Pittsburgh suburb, and took on his first full-time employee, a Wharton graduate, who started trying to bring order to his vision. The two clashed. In 2005, no one at Tiversa was taking a salary, and, to stay afloat, Boback spent much of his time at his chiropractic practice. (In addition to seeing patients, he had to fight to keep his license: the Pennsylvania Board of Chiropractic briefly suspended it, because he was unable to prove that he had completed an education requirement.) When Boback was in the office, his freewheeling style was often at odds with normal business practice. He admitted to me that, early on, Tiversa installed phony computer towers—plastic shells with blue lights “that literally did nothing”—to give visitors the impression that his software required more powerful hardware than it did. Sometimes he inflated the number of his employees, by having friends occupy desks in the office. Tiversa’s early literature referred to its Pennsylvania office as its “World Headquarters.” (The company had no other facilities.) “We had no credibility in the space,” Boback told me. “We wanted to make it look as good as we could.”

In 2006, a more significant investor signed on: Adams Capital Management, named for its founder Joel Adams, a Pittsburgh venture capitalist. Several years earlier, Adams had put his money into a scrappy startup that marketed laser technology, and later it sold for more than a billion dollars—a “unicorn,” in investor parlance.

Adams Capital invested more than four million in Tiversa, and helped secure an all-star board of advisers. Maynard Webb, the former eBay executive and chairman of Yahoo!, joined, and he brought on other executives from Silicon Valley. Howard Schmidt became an adviser, and soon afterward was appointed the cybersecurity czar for the Obama Administration. General Wesley Clark, the former Supreme Allied Commander of NATO, came on, and developed a good rapport with Boback, who sold his practice to devote himself to Tiversa full time.

Tiversa’s prominent supporters quickly helped Boback assemble an impressive client list: Capital One, Lehman Brothers, Goldman Sachs, American Express. The companies were paying for a monthly monitoring service, in which Tiversa scanned for breached corporate information, or the personal data of top executives. By this time, EagleVision X1 could access more than a million users, and its capabilities were expanding. Because peer-to-peer networks were constantly in flux, as people turned their computers on and off, Hopkins had designed a stable repository for the system, which became known as the Data Store. EagleVision X1, programmed with search terms that were set for clients (for instance, “Lloyd Blankfein,” for Goldman Sachs), would scour the networks, then deposit what it found in the Data Store. Each file was labelled to indicate when it was downloaded and what I.P. address it came from, so that its behavior could be tracked—if it remained in the same location, or if it was being shared, or if it suddenly vanished.

As the company matured, Boback created an “ops room,” where Tiversa analysts probed the Data Store for files related to clients. Over time, the room evolved to resemble a set from “The Bourne Identity”—a darkened space with electric-blue lighting, a window that could be triggered to go opaque, and a retinal scanner at the entrance. Tiversa’s analysts took special care to see if any files appeared to be “spreading”—passing from user to user, out of the company’s control.

American Express had the largest contract, paying a monthly fee of about seventy-five thousand dollars. Once the money began to flow, Adams Capital valued Tiversa at seventy million dollars. Along with the revenue, the company began to gain attention. In 2007, the House Committee on Oversight and Government Reform scheduled a hearing on inadvertent file sharing; it invited Boback to testify, and he asked Wesley Clark to join him.

To prepare, Clark asked if there were classified documents on the Deep Web. Boback pulled up two hundred marked “SECRET,” including information about lifesaving technology to neutralize radio-controlled bombs. Clark notified an intelligence official in the White House, who noted, with alarm, “They’re in full color!” A week before the hearing, Boback contacted Clark to report that Tiversa had located records pertaining to the Defense Department’s network for handling classified material. They were on the home computer of a contractor who was using LimeWire.

At the congressional hearing, Clark brought up the tranche of records, calling it “sort of a hacker’s dream,” though no one, of course, had hacked them; they were just sitting there in public view. He also emphasized that potential victims often had trouble understanding the issue. EagleVision X1 had found a contractor’s threat assessment of American cities—a catalogue of weak points that an enemy might attack. “We immediately contacted the contractor, and the city,” he said. “They denied the problem. They don’t understand what has been leaked.”

Seated beside Clark, Boback gave an expansive list of what a motivated searcher might find: “Federal and state identification, including passports, driver’s licenses, Social Security cards, dispute letters with banks, credit-card companies, insurance companies, copies of credit reports.” The documents, he alleged, had been harvested in Pakistan, Africa, and Eastern Europe, from foreigners who were “grabbing this information.” Only a few years earlier, he was fixing lumbar problems and selling cars on eBay. Now he was explaining to the country’s top lawmakers, “This is the new threat to information security.”

II. WALDO

At about the time that Boback and Hopkins realized that governments and businesses were hemorrhaging information on the Deep Web, so had another man, living thousands of miles away. Richard Wallace grew up in rural Idaho, among family members who struggled with addiction. His mother’s life was consumed by pills, and two siblings would eventually die from overdoses. In a chaotic home, he developed the habit of helping people around him. After high school, he moved to Spokane, to train as a firefighter. There, he met Amy Speelmon, an R.O.T.C. student at Gonzaga University, and they were soon married. After 9/11, Amy deployed to a garrison in Germany. Wallace put firefighting on hold and joined her.

In Germany, Wallace strove to find his place. He was too independent-minded, too odd, to thrive as a military employee. But he was inclined to serve, and when his skills were acknowledged—particularly by people with authority—he was eager to please. Wallace volunteered to oversee the personal effects of soldiers killed in Iraq and Afghanistan. It was grim work that no one else was enthusiastic about doing, and he was commended for it.

To relax, Wallace often turned to his computer. Before moving, he and Amy had been watching “The Sopranos,” and at the garrison he began to hunt for pirated episodes. Exploring the Deep Web, he found that many members of the armed forces had downloaded peer-to-peer file-sharing programs, and were inadvertently exposing files: records of troop movements, accounts of I.E.D. attacks, and intelligence summaries. He helped the military identify which computers were leaking.

In 2004, the Wallaces relocated to western Illinois, where Amy worked as an R.O.T.C. instructor. Rick stayed home with their children (they eventually had five), and farmed, a little. He also kept his head in his computer. He had exploited a loophole in LimeWire that allowed him to crawl across the network, a solitary digital explorer. He sent the military more tips, and began to warn civilians about breached files, too. A neighbor suggested that he channel his expertise into a business, but entrepreneurship wasn’t in his nature; he was a volunteer. When Hurricane Katrina hit Louisiana, he drove down to assist FEMA and spent weeks helping to sort out the wreckage.

Wallace never asked for payment from the people he warned, and, perhaps as a result, they were often suspicious of his motives. To give his efforts legitimacy, he created a Web site, seewhatyoushare.com, where he blogged about his work. He sent some items to Matt Drudge and Michelle Malkin, conservative pundits he admired, and he says that they responded gratefully. Eventually, he caught the attention of Thomas Sydnor II, a former Senate staffer who had sat in on Boback’s meeting with Hatch. Sydnor had gone on to work at the Patent and Trademark Office, but he remained interested in inadvertent file sharing, and began checking in with Wallace, whom he considered one of the few people who understood the dangers.

Peer-to-peer networks were awash in child pornography, and Wallace had been issuing warnings on his Web site. Sydnor told him to stop trying to track such images, because possessing them is a crime, no matter what the reason. Sensing that Wallace could use a more structured outlet for his work, he mentioned him to Boback. Annoyed, Boback told Hopkins, “He is ruining our credibility by just being out there winging it with these calls.” The two men considered hiring Wallace, merely to eliminate competition, but on reflection wondered whether he might also have something productive to add. Tiversa had only one full-time analyst, and though he had conventional skills—he had worked at Microsoft—he lacked deep experience with peer-to-peer networks. Boback flew Wallace in for an interview, and was struck by his offbeat manner, but he reasoned that this was common in cybersecurity. Two weeks before the congressional hearing, Wallace moved his family to Pennsylvania and started work, racing to dig up material that Boback could use in his testimony.

Tiversa’s office culture, Wallace quickly discovered, was anything but formal. Early on, Boback had instituted a rule: new hires were bestowed a sword representing their character. Tiversa’s chief technology officer was given a samurai’s katana. Another employee got Gandalf’s sword, from “The Lord of the Rings.” Boback planned outings to a shooting range and sometimes came in with a pistol. Once, he displayed his gun to an executive who had challenged him. As the executive later recalled, Boback “sat at a desk in front of me and reached into his sock holster and pulled out a revolver and showed me its features.”

Wallace quickly adapted to the unconstrained atmosphere. Hired as an analyst, he helped comb the Data Store for client information, but he also commandeered an independent DSL line to run manual searches in his old way. He was often able to find files that EagleVision X1 could not, and the company’s software developers began studying his methods to improve the system’s code.

Soon after the congressional hearing, Wallace made a discovery that captivated Boback’s imagination: someone was sharing suspicious financial documents, along with images of gold bars and passports. The I.P. address belonged to a lawyer in California, who was touting investments that could return forty per cent a week. Boback, who suspected that the investments were a fraud, had the files printed; then he and Wallace, like detectives, spread the pages out on a table to study them. They spent weeks on the project, hoping to somehow earn money from the discovery.

Ultimately, there was no way to gain from it, but for Wallace the episode demonstrated the value of his idiosyncratic skills. For Boback, the puzzle was thrilling. He was an avid gambler. Often, he would stride past Wallace’s desk and summon him to leave, saying, “Waldo, you’re with me.” Wallace typically didn’t know where they were headed, but often the destination involved bets. An employee who worked closely with Boback later told the F.B.I. that she thought he was a gambling addict. (Boback denies this.)

A strange intimacy grew between the two men. There were flurries of texts at all hours, games of Halo past midnight. To others, they seemed to inhabit an atmosphere of semi-continuous scheming. The office had a window overlooking a parking lot near a Red Roof Inn. Wallace noticed a woman who often turned up to wait for a man—another puzzle that became the topic of speculation, jokes, even a mock stakeout.

At times, Boback had conflicts with peers. As a former Tiversa employee told me, “The Bob that he presents to people he just meets—that Bob is very charming, very likable, very engaging. Then, there is the person behind the mask, who is a little bit paranoid, angry, untrustworthy, greedy, generally not a nice person. If you got on his bad side, you stayed on his bad side.” Wallace began supporting Boback in conflicts. After an employee argued with him, colleagues say, Wallace designed a simulated F.B.I. arrest report, indicating that he had groped someone on a flight, and circulated it within the company. (Wallace denies this.) “Rick became Bob’s puppet,” another former employee told me. “Bob completely controlled him.”

Boback also clashed with Hopkins’s wife; she had helped start the company, but then became openly distrustful of Boback. Wallace found a clip of a porn actress who resembled her and joked with Boback about adding her name and phone number and sharing it on peer-to-peer.

Wallace says that he and Boback also purchased a G.P.S. tracker to surveil her. “We snuck over to her car, stuck it on, and watched her go to a place in Indiana,” he recalls. “She had a boyfriend there. So then Bob pulled Sam into the office, and goes, ‘Well, I hired this private investigator to see what’s going on. I just wanted to let you know.’ Of course, Sam reacts terribly, goes home, has a big fight. Sure enough, they get a divorce. Bob takes credit for it.”

Boback now tends to claim that any bad behavior at Tiversa was caused by Wallace going rogue. He told me that he ordered the G.P.S. device because he suspected that members of his sales team were defrauding Tiversa. “They were charging mileage on everything, and I was, like, come on, you’re getting paid a commission!” he said. “So I was, like, I’m going to get a G.P.S. I want to see how far these people are driving. I ordered it, got it. Wallace saw the G.P.S. sitting there, and then, without any knowledge of mine, when Sam was going through his divorce, Wallace put it on her vehicle. Now, I did know that he put it on that vehicle—after—because he had told me, and I was, like, ‘You shouldn’t be doing this, get it off.’ Which he did.”

Within a year at Tiversa, Wallace had taken on a new title, director of special operations. He continued to work as an analyst, but also spent hours on the DSL line searching for government files, or for documents with criminal implications. This work had no immediate business value, but Boback hoped that it could serve as a proof of concept, to help secure a federal contract.

Most people in the office knew little about how Wallace spent his time, but he was quietly achieving something remarkable. He passed on tips to the C.I.A., the Secret Service, the Treasury Department, the military, and the F.B.I.’s Pittsburgh field office, which began sending a special agent to Tiversa almost weekly to coördinate with him on child-pornography research. Wallace also sent the Bureau evidence of online identity theft: I.P. addresses that seemed to be harvesting Social Security numbers or credit-card information.

Sometimes, frustrated by the slow pace of federal law enforcement, Wallace fed his tips directly to police departments. In 2013, the Law Enforcement Executive Development Association, a national training organization, presented him with an award for assisting in hundreds of cases. (The F.B.I. recognized his efforts, too, in a ceremony conducted by Robert Mueller, near the end of his term as director.) Steven Pickett, who worked a dozen cases with Wallace as a deputy sheriff in Mississippi, told me, “He is a real unsung hero from another world.”

Wallace’s research opened doors into law enforcement for Boback, but it became clear that the men had different ideas about it. Once, Wallace discovered child pornography on a computer at a Catholic seminary, and told the F.B.I. Boback, he says, saw a business opportunity, and called the seminary’s director to pitch Tiversa. (Boback disputed this, saying, “I reached out and told him the problem, and he immediately said, ‘Oh, my gosh, we are going to address it immediately.’ There was never a ‘Here’s how much it’s going to cost.’ No contract discussed!”) The director notified the F.B.I., too, and Wallace soon got a call from the special agent he worked with in Pittsburgh, angrily warning him that Tiversa should never pull a stunt like that again.

III. FUD

For most of us, computers are effectively magic. When they work, we don’t know how. When they break, we don’t know why. For all but the most rarefied experts, sitting at a keyboard is an act of trust.

A human-to-machine relationship defined by estrangement offers a unique sales opportunity: fomenting anxiety turns out to be an excellent way to draw in clients. One of the first people to identify the tactic was the director of I.B.M.’s Advanced Computing Systems Laboratory, Gene Amdahl, who left his job in 1970 to build machines that could run I.B.M. software more cheaply. As Amdahl went to market, he learned that his former employer was warning potential customers that any hardware not made by I.B.M. was fraught with risk. The feeling that I.B.M. was hoping to inspire, Amdahl noted wryly, was “FUD”—fear, uncertainty, and doubt. The name stuck. In the nineties, Microsoft pursued a canonical FUD strategy, creating phony error messages to make consumers wary of using Windows on a competitor’s operating system—a tactic that resulted in a legal settlement exceeding two hundred million dollars.

In cybersecurity, where ordinary digital anxiety is compounded by esoteric threats, the use of FUD to generate business is especially notable. Misleading tactics—dubious assessments and glossy graphics supported by underwhelming data—have become so common that one researcher recently went online to chide colleagues to “cut the FUD.” The practice thrives because a small system failure can carry tremendous financial risk, and the immediate customers of cybersecurity services are often corporate executives, not technical experts. Given that a publicized breach can damage both a corporate brand and a career, it is safer to pay a security firm and tell no one outside the company.

“If you’re told that cyber security attacks are purported by winged ninja cyber monkeys who sit in a foreign country who can compromise your machine just by thinking about it you’re going to have a fear response,” the technical director of the British National Cyber Security Center recently noted. “The security companies are incentivized to make it sound as scary as possible because they want you to buy their magic amulets.” Among firms that occupy the gray zone between outright hacking and responsible behavior, FUD can drift into criminality: threats by innuendo, extortion.

Boback quickly intuited the possibilities that FUD could offer a skilled sales force. He pushed his staff to emphasize to potential clients that their businesses were inextricably linked to venders and customers, which meant there was no way they could close all their points of exposure. He encouraged dire warnings of “file spread,” even though it was rare for users to pass around anything but music. At Tiversa, file spread was sometimes called “digital wind,” as if it were a natural phenomenon that could not be controlled. Key to Boback’s pitch was that Tiversa had a singular ability to track the wind across millions of computers. That was true—but this unique capability meant that almost no one outside his company could verify his claims.

In early 2008, Boback called Wallace into his office, shut the door, and told him that the American Express account was in jeopardy. With Tiversa’s help, Amex had eliminated the significant data breaches on its network, and now it wanted to drastically reduce its fee. If this happened, Boback might not be able to make payroll.

Wallace later told the F.B.I. that the two men devised a strategy to convince Amex that the threat remained urgent: they would make it seem as though Tiversa had detected Amex files involving hundreds of invitation-only credit cards being shared overseas and among suspected criminals. To make this believable, Wallace secretly altered the Data Store, to give the appearance that the files had spread. In some cases, he used “burnt” I.P. addresses, from computers shut down by law enforcement because they had been involved in scams or in child pornography. Once they were taken offline, there was no way to confirm what was attributed to them. Amex ended up replacing the cards, at the cost of a million dollars, but it did not renew its contract.

Boback denies conspiring with Wallace, and claims that there was never any fraud at Tiversa. But Wallace says that in 2008 he began to systematically plant false spread in the Data Store to inspire FUD among prospective clients and to promote Tiversa’s technology. That summer, Wallace was given a performance review, praising his work: “Rick always seems to be able to find a hard hitting file or P2P situation to accelerate our client acquisition.”

Around that time, Wallace stumbled on an I.P. address in Virginia that was sharing a file with hundreds of Social Security numbers belonging to prominent people around Washington, D.C., including Stephen Breyer, the Supreme Court Justice. Immediately, Wallace pulled down everything that the address was sharing. The tranche included documents on letterhead from the Wagner Resource Group, an investment firm in McLean—clearly the source of the breach. “Bob was standing right behind me,” he recalled. “He said, ‘Don’t tell anyone.’ ” Boback’s plan, Wallace told the F.B.I., was to call the Wagner clients whose information had leaked, pretending to be investigating the breach. After angry clients began putting pressure on the firm, Tiversa could make a sales pitch.

Midway through the effort, the company’s founder, Phylyp Wagner, phoned the Tiversa offices, eager to talk, but Boback refused to take his call until more of his clients were reached. (Boback told me that he was earnestly trying to locate the source of the leaked files.) When the two men eventually spoke, Wagner later recalled, Boback told him that his files had spread to Asia, suggesting that criminals there were using them to manufacture credit cards. After the call, Wallace manipulated the Data Store to support the story, and the fraudulent data were written up in a report. The following day, Wagner, desperate to protect his clients, agreed to engage Tiversa. “These are people I’ve known for years,” he told me. “So exchanging money for their well-being—I’m willing to do that.”

For Tiversa, this was an extraordinary promotional opportunity: a Supreme Court Justice had just had his Social Security number exposed by the very problem that Boback’s business was set up to fight. But Tiversa had signed confidentiality agreements with Wagner, and so there was little it could reveal openly. Wallace says that he and Boback concocted a new plan, to use a false persona to tip off the press. Wallace had just the thing: an alias, Glen Breakwater, that he had briefly used on his old Web site. (Later, he created a Facebook profile for Breakwater, casting him as an African-American fan of Michael Jackson and Tyler Perry. The profile was a barely coherent pastiche of stereotypes, but it attracted friends, some of whom still send birthday greetings.)

Wallace, using a burner phone and masquerading as Breakwater, called the Washington Post to leak the story. The resulting article, which ran under the headline “Justice Breyer Is Among Victims in Data Breach Caused by File Sharing,” noted that the files were downloaded as far away as Colombia and Sri Lanka. Wagner told the Post that this news was “devastating.” The story pointed out that Tiversa had been brought in to remediate, and quoted Boback, saying that Wagner’s clients had been “at a very high risk, almost imminent, of identity theft.”

Wagner’s files were like a briefcase forgotten on a train but recovered moments later. The company had failed to secure its clients’ data, but there was no apparent harm: no one outside of Tiversa seemed to have noticed the slip. Later, a Tiversa employee on the Wagner account conceded, “I don’t think we ever saw the files reappear” on the Deep Web. But, by signalling that the files had spread, Boback had concocted a potent marketing parable: inadvertent file sharing could have dire consequences.

After the Post story ran, Boback and Wallace drove to Fairfax, Virginia, to meet Wagner at a bar. Wallace later recalled that he was so preoccupied by the lie he had helped engineer that, as he crossed the street from their parking spot, “I damn near got hit by a bus.” While the men talked at the bar, he said, he fantasized about what might happen if Boback were called away for a moment: “I would have slid right over to Phylyp, and said, ‘This is the biggest sham ever.’ But I never got the opportunity. Then I thought that I was glad I didn’t do that. I would have been fired on the spot.” Boback denies any wrongdoing concerning the account. Wallace told the F.B.I. that, on the drive back to Pittsburgh, Boback joked about how Wagner had been “fucked.”

With Amex withdrawing, Tiversa scrambled to sign up new customers. But, Boback told me, “we were exhausting the contacts who were helping us get to clients, the economy was starting to get a little dicey, and budgets were tightening up.” He was convinced that the problem was communication. Boback’s sales technique often involved hinting at an ominous data breach, then withholding details until potential clients paid, and on a number of occasions the approach had backfired. G.E.’s information-security team felt it was being extorted. PNC Bank contacted the authorities. Boback believed that these reactions were misdirected animus: companies were blaming Tiversa for their own security failings. He began to wonder, “How do you deliver a message without having a shoot-the-messenger-type response?” That February, a Tiversa analyst unwittingly provided an answer—a clandestine way to publicize data breaches. In an e-mail, he told Boback about a Web site called WikiLeaks, which had launched two years earlier and was attracting attention. “It claims that postings are untraceable,” the analyst explained.

Several weeks later, Wallace says, Boback told him on short notice to prepare for an overnight trip: they would fly to Atlanta and pick up a Mercedes. He added, incongruously, that Wallace should make sure to bring his computer. They retrieved the car, and on the drive back to Pennsylvania Boback asked if it was possible to use a Wi-Fi router that someone had left unprotected to submit files culled from peer-to-peer to WikiLeaks; if it was, then Tiversa could use the uploads to illustrate the need for its protection.

In Charleston, Wallace later told federal investigators, Boback pulled off the highway to look for an open router, and found one near a suburban development that was under construction. Both men were spooked and exhilarated. Boback told Wallace that he needed to use a nearby Port-a-Potty, while Wallace started his laptop and began the transfer. When a police car drove by, Wallace threw a blanket over the laptop and continued working beneath it.

Wallace uploaded to WikiLeaks an Airbus business agreement; a spreadsheet of Chevron’s assets in Canada; Dyncorp schematics for a military camp in Afghanistan; a Defense Department manual on data protection; and other documents from a folder he had named “Files for the bus”—indicating that any company with records inside could get thrown under one. On a later trip, Wallace uploaded more files to WikiLeaks, from a Starbucks in Indianapolis.

Among the most sensitive files that Wallace says he submitted were two classified technical studies of a jammer that the Army had used in Iraq to disrupt radio-controlled bombs—evidently drawn from the same tranche of documents that had alarmed Wesley Clark. Their publication triggered some of the first real criticism of WikiLeaks. Even though the jammers had largely been replaced by a newer model, there was no obvious point to revealing the way they worked, no wrongdoing exposed. As the Washington editor for Ars Technica wrote, “The decision to run with this one is just utterly baffling.”

Wallace later said that submitting documents to WikiLeaks was a low point in his life. Boback spoke about the uploads in the same gleeful way that he had spoken about other escapades. “I remember him talking about how they were going to be rich after all this broke,” one person recalled. As WikiLeaks began publishing the documents, Boback sent an e-mail to Tiversa executives, urging them to pitch the affected companies, “before some IT goon in the organization tries to convince them that they have it covered.”

Boback disputes just about everything in Wallace’s account of the trip. The first time that I discussed WikiLeaks with him, he told me, “We had no interaction with them.” Then he paused, and added, “Directly.” After another pause, he said, “That we know of.” Later, when I pressed him about the uploads, he offered a confused set of denials, saying flatly that they did not happen, but also that Wallace may have performed them without his knowledge. I told him that I intended to gather more information, and his voice sharpened. “Check it!” he demanded. “You will see it was not from a Tiversa I.P. address.”

IV. MARINE ONE

In the summer of 2008, Boback got an unexpected break, when an intermediary connected Tiversa with LifeLock, the identity-theft-protection service. The match was logical. Tiversa had patented technology but limited sales. LifeLock was adept at marketing but had no intellectual property.

Boback flew to LifeLock’s headquarters, in Arizona, and the executives he met were so enthusiastic that they called in the C.E.O., Todd Davis. Boback’s pitch, Davis told me, had “great sizzle.” Soon, a trial arrangement was negotiated. LifeLock turned over private information belonging to thirty thousand clients, so that Boback’s team could demonstrate how Tiversa would protect them. Wallace later told the F.B.I. that, on Boback’s instructions, he created about a hundred cases of false spread for those clients—manufacturing threats for people who had apparently experienced no data breaches whatsoever. According to Wallace, Boback used the LifeLock information to fill out passport applications and other official documents, which were uploaded to the Data Store, to give the impression that criminals had been circling Davis’s customers. (Boback denies doing this.)

In January, 2009, Davis flew Boback to a desert resort in Phoenix, where he indicated over a long breakfast that he was ready to work together more closely. Boback returned home energized, and in the coming months he urged Davis to buy Tiversa. He proposed a price of more than a hundred million dollars, and then worked to demonstrate his company’s value. “Every time we talked to him, he mentioned this unbelievable discovery that they had made,” Davis recalled. “He was basically saving the world every few weeks.”

A month after Boback’s breakfast with Davis, an NBC affiliate in Pittsburgh aired an explosive story: it reported that Tiversa, surveilling a computer in Iran, had discovered records involving one of the President’s helicopters—part of a squadron known as Marine One. The origins of the story went back two years, to when Wallace joined the company. During one of his open-ended searches, he discovered files belonging to Vyalex Management Solutions, an avionics firm in Maryland, which served as a contractor for Naval Air Systems Command. Concerned that the breach might harm the military, he notified an Army officer who specialized in computer crime.

In February, 2008, the officer reached out to Vyalex’s founder, an engineer named Al Leandre, to say that his company was exposing more than two hundred files. Leandre was horrified. When he was a boy, his family had fled Haiti’s dictatorship for the U.S. As a young man, he had joined the Army, out of gratitude to his adopted home, and had worked on the electronic-warfare systems of the F-18. Although Vyalex was a private company, he regarded it as an extension of his service.

Leandre quickly discovered the source of the leak: a disused Vyalex laptop that his daughter had borrowed and used to run LimeWire. None of the files were classified, but he made a risk assessment of each one, and his team tried to determine whether the files had spread. Based on information that the officer provided, they found that three inconsequential business records, including one with “Amex” in its name, had ended up at an I.P. address in Tehran. But the address had no history of espionage; it apparently belonged to a civilian trawling for financial data.

Leandre purged the old laptop and provided the military with two detailed reports. He believed that the matter was resolved. But, several months later, Boback reached out, claiming that Tiversa was still detecting “very sensitive information from Vyalex.” Rather than specify what kind of information, Boback directed Leandre to the Post story about Stephen Breyer, and warned that the reporter was “actively scouring the file-sharing networks to find any information relevant to ‘DC-area businesses.’ ” He added, “For clarity, we would never provide any information or files to any reporter whether you decided to work with our firm or not, however he will probably find them.”

Leandre politely told Boback that he had taken care of the breach, and could not afford the service. The next day, Boback wrote again, claiming that malicious people were scouring peer-to-peer networks explicitly for Vyalex records. “A great cause for concern,” he said—adding that Tiversa could reduce its fee. “We can begin right away,” he said. “Timing is critical to avoid the additional spread of the files.”

Leandre told himself, “It sounds like blackmail.” Again, he declined.

Half a year passed. Then, shortly after Boback had breakfast with Todd Davis, Tiversa began to advertise the Vyalex leak—in particular, a cost assessment that the Navy had given contractors, seeking bids to upgrade the electronic defenses of one of the President’s helicopters. In a presentation to a firm that conducts business research, Tiversa noted that the file had been downloaded in Tehran. Wallace says that the claim sent him racing to the Data Store, where he appended the file about the helicopter to the same Iranian I.P. address that had downloaded the inconsequential Vyalex files.

Boback had assured Leandre that he would never publicize his misfortune, but two days later he gave an interview to NBC, noting that a defense contractor in Bethesda had exposed “highly sensitive blueprints for Marine One” that were later downloaded in Iran. (There were no blueprints.) Wesley Clark also spoke to NBC about the file. Trusting Boback’s information—he says he knew of no impropriety at the company—he declared, “We know where it came from, and we know where it went.”

Rachel Maddow and Wolf Blitzer quickly followed with their own segments. On CNN, an analyst speculated that Iranian cyber warriors were waiting for the file, ready to pounce. (Why? “We have no idea.”) Lawmakers clamored for action. As Leandre watched the story on CNN, he began to understand that the media storm was about him. “I was scratching my head, and I was, like, Wow, Tiversa is making up this story,” he told me.

Within days, his office was packed with federal agents. “There was F.B.I., Secret Service, Naval Criminal Investigative Service, and they were all interviewing me, so stern,” he told me. “They were saying, ‘Do you have any reason to harm the President?’ And I’m, like, ‘What are you talking about?’ They thought this could have been some kind of espionage!” The investigation lasted for weeks, before the military exonerated Leandre. “I lost weight, I vomited for so many days,” he said. “I mean, I thought I was getting shipped to Guantánamo.”

After his NBC interview, Boback and several Tiversa employees had dinner at a family restaurant north of Pittsburgh. An attendee later told the F.B.I. that Boback laughed about how he had got away with the story, while one of his tablemates plugged his ears and said that he didn’t want to hear it.

When I pressed Boback about his media blitz, he told me, “I have often wondered if Wallace did, in fact, find the file in Iran. To this day, I have no idea.” N.C.I.S. never verified that the file was in Iran, either. But, in the course of the inquiry, two agents paid a call on Tiversa. They interviewed Wallace, who, fearful of losing his job—Boback had just dramatically fired an executive—confirmed Tiversa’s account of the file. Boback, meanwhile, found a way to turn the inquiry to his advantage. That March, a LifeLock executive wrote, asking, “Did you get a ride on the President’s copter for saving the day on that one?” Boback replied, “No ride on the helo yet but I have had meetings with NCIS on Thursday. I already met with DoD, USSS, FBI, and Defense Security Service over the breach. I am trying to set up a broader deal with military on ID theft as well using our access now. Do you see what we bring to the table????? :-)”

The following month, LifeLock agreed to incorporate Tiversa into its premium service. That summer, Todd Davis invited Boback to a Nascar event that LifeLock was sponsoring at the Chicagoland Raceway. “I remember walking in with Todd, and there were these pictures of him there that were fifty feet tall—tons of them in the grandstand,” Boback told me. Davis let him ride in the pace car with the event’s grand marshal, Jimmy Fallon. Later in the trip, Boback impulsively bought a Lamborghini, his boyhood dream car, and shipped it home to Pittsburgh.

The headquarters of the Federal Trade Commission occupy a monumental building on Pennsylvania Avenue, in Washington. When the structure was erected, during the Great Depression, Franklin Delano Roosevelt heralded the commission’s mandate to apply “the golden rule” to the conduct of business. Originally founded to protect consumers from monopolistic behavior, the F.T.C. was by then working to guard against false advertising and other unfair practices. At the headquarters, a granite sculpture—a man taming a wild horse—acknowledges the difficulty of that task.

As the F.T.C. began to explore its role in the digital marketplace, it had no technologists on staff, and no court had affirmed its authority in cybersecurity. But it was clear that the reason for concern was growing. Among the problems were peer-to-peer networks. By 2004, consumers had downloaded file-sharing programs more than six hundred and forty million times. When Boback testified before Congress in 2007, he framed the concern in a way that fit with the F.T.C.’s mission of protecting consumers: file-sharing programs could cause corporations to expose clients’ private data. If such a security failure amounted to an “unfair act” against consumers, the commission reasoned, then it could intervene.

After Boback’s testimony, lawyers with the F.T.C. reached out to him, requesting that Tiversa turn over information on companies that had exposed private customer information, so that it could investigate. The lawyers explained that they were prepared to issue Tiversa a legal demand for the information. (Companies often turn over privileged customer data only if compelled.) Tiversa asked that it be sent instead to a shell company that would serve as a conduit—the Privacy Institute, which listed an address at Boback’s uncle’s house, in New Jersey. This would neuter the demand, but the F.T.C. agreed. Tiversa’s Data Store by then contained more than five million breached documents, and the lawyers wanted access.

When the demand arrived, Boback asked his staff to draw up a list of companies that fit the criteria. (He claims that this was the extent of his involvement.) The job fell to Wallace, who says that Boback helped him compile a kind of roster of retribution. In August, the Privacy Institute sent the F.T.C. a spreadsheet of eighty-four companies that had suffered security failures. None were Tiversa clients; eleven had worked with Tiversa for a time and then stopped.

Boback understood that he could exploit this information. As the list was being drafted, he sent a note to Todd Davis, marked “keep this confidential.” In it, he boasted that he had an inside tip: the F.T.C. was investigating about a hundred companies that had exposed private consumer data. (He neglected to mention Tiversa’s role in the inquiry.) That autumn, Boback plotted with LifeLock to pitch the affected businesses. He claimed that the companies collectively had exposed information for as many as seven hundred thousand people, each one a potential customer, and he promised Davis “a huge upswing in members.”

One of the companies on the list was an AIDS clinic in Illinois, the Open Door Clinic, which had declined to hire Tiversa to fix a data breach. Three days after Boback promised Davis a surge in membership, he and Wallace began calling Open Door patients whose information had been exposed. “One guy I talked to said, ‘How did you know I was H.I.V.-positive? I haven’t even told my family yet!’ ” Wallace recalled. “And it was, like, ‘Sorry, bud, you probably should talk to Open Door.’ ” (Boback told me that Tiversa never made the calls. When I noted that phone records unearthed by Congress indicated otherwise, he said that they were likely faked.) Tiversa’s lawyer also reached out to the patients, and filed a class-action suit against the clinic, which was eventually settled.

After the F.T.C. made its investigation public, in February, 2010, Boback triumphantly declared that fourteen of the companies on the list had contacted him for help. Davis told me that his own company didn’t sign up any clients. But by then Tiversa’s deal with LifeLock was bringing in so much business that Boback mounted an L.E.D. ticker on a wall to track the gains. Joel Adams decided to buy five million dollars’ worth of shares. Although none of the money went into the company, Boback assured his employees they were millionaires who just didn’t know it yet.

Despite this windfall, Tiversa was facing a growing problem. The F.T.C., in its effort to protect consumer privacy, had been pressuring the designers of peer-to-peer applications to make their software less confusing. Newer iterations of LimeWire effectively shut down the mechanisms causing accidental breaches; then, in 2010, LimeWire itself was shut down by a court injunction, for mass copyright infringement. At the same time, Spotify and other streaming services were causing people to stop sharing files entirely. EagleVision X1 was pulling in less and less. By the end of 2010, Todd Davis was noticing. Eventually, after paying Tiversa about forty million dollars, LifeLock cut all its ties.

To compensate for the diminishing flow of files, Tiversa’s developers recalibrated the software to pull down virtually everything it encountered. Meanwhile, Boback tried to devise malware that would trick people into exposing files; he told his reluctant developers that it was for the intelligence community. Wallace, according to his F.B.I. testimony, hunted for material in hacked records from Sony, Stratfor, and Adobe and uploaded it to the Data Store.

Sam Hopkins cashed out and left. Increasingly, Boback told people that he had little interest in running the company. Amid the crisis, his behavior seemed scattershot. In 2012, Tiversa bought a seven-story landmark building in downtown Pittsburgh: a grand headquarters, plus extra floors that could be rented out for income. Boback created a spinoff, Tiversa Media, hoping to somehow monetize pirated MP3s that the system pulled in. In an upbeat note to Wesley Clark, he wrote, “We have now acquired the largest music repository in the world. We have roughly 4x the music content of Apple’s iTunes.” Clark remembers telling him, “What are you going to do with that? Is it legal?”

Boback was also working with MetLife on an I.D.-protection deal, resembling the one with LifeLock. For the pitch, he had devised a dramatic flourish. He purchased the Social Security numbers of several MetLife executives, from a service that private investigators use, then flashed them on a slide during a presentation, implying that Tiversa had found them on peer-to-peer. Bill Wheeler, who was MetLife’s president of the Americas, saw through the stunt, but decided to sign on anyway. Once under contract, Boback began urging MetLife executives to buy his company.

V. WAR

Tiversa’s undoing began in the summer of 2013, with a YouTube video. Michael Daugherty, the owner of a cancer-screening lab in Atlanta, had posted it to publicize his memoir, “The Devil Inside the Beltway”—a reference to the F.T.C., which Daugherty believed was destroying his company, in a conspiracy that included Tiversa. The video had an urban-doom aesthetic, reminiscent of “Batman.” Over a soundtrack of percussion and agitato strings, it opened with three title cards: “Government Funded Data Mining and Surveillance,” “Psychological Warfare,” and “Abusive Government Shakedown.” The sequence ended with an explosion and a pair of eyes glaring through a draped American flag—the book’s cover art.

In the video, Daugherty appeared beside a mural-size painting of George Washington, wearing a white oxford shirt and a dark blazer. In a flat Michigan accent, he asked, “What am I doing here?” Then he put a red plastic whistle in his mouth and blew. He explained that he had built his company, LabMD, into a successful business, until “suddenly one day the phone rings, and it’s a guy named Robert Boback.”

The call came in 2008, after a computer in Daugherty’s billing department exposed documents through LimeWire. Rick Wallace downloaded one of them—​a file containing the private information of more than nine thousand patients—and a Tiversa sales executive made an initial pitch. Then Boback took over, pursuing a FUD-centered strategy. He declined to provide details about the source of the breach unless Tiversa was hired, while suggesting that the risk was growing because people were “searching precisely for the exact file name.” This struck Daugherty as preposterous: the file’s name was “insuranceaging_6.05.071.pdf.” Offended by Boback’s manipulations, he told Tiversa to direct all further communications to his lawyer, and put the matter out of his mind.

Then, in January, 2010, an attorney with the F.T.C. sent a letter, announcing that LabMD was under investigation for breaching federal data-security law. “The letter’s immensity shocked me,” Daugherty wrote in his memoir. In eleven pages of legalistic prose, the F.T.C. demanded proof of compliance. Daugherty sent over thousands of pages of records, noting that he had obeyed medical-privacy laws and had closed the breach the moment he learned of it. “The F.T.C. was on my mind at all hours of the day,” he wrote. “If I was up in the middle of the night to use the restroom, I thought of the F.T.C. If I drove down the road to work, I thought of the F.T.C.”

Almost as soon as the investigation began, Daugherty wondered if Tiversa had been involved: the LabMD file at the center of the inquiry was the same one that Boback had obtained. Haunted by the idea of a connection, Daugherty began researching. Both of his parents had been police officers, and, he told me, “my whole life was marinated in investigators and prosecutors and lawyers.” He found that Tiversa had provided LabMD’s breached documents to an academic at Dartmouth, and that Boback had cited them in congressional testimony, in 2009. The idea that Boback was publicizing his misfortune ate at him. He told himself, “This means war.”

Daugherty’s lawyer sent Tiversa a list of questions, which Boback ignored. Getting answers from the F.T.C. was no easier, and Daugherty began to vent his frustration. He claimed, publicly, that Tiversa had engaged in “property theft” when it took the file. Tiversa’s lawyers responded with a cease-and-desist letter, which argued that the file had spread on peer-to-peer and was available for anyone to take. “Tiversa is not a ‘thief,’ ” they insisted, adding, “The F.T.C. investigation is a direct result of LabMD’s security failings, and nothing more.”

The legal warning did not deter Daugherty from writing his book, which accused Boback of being a con artist and his company of “mental abuse.” Boback, irritated, wrote to an associate, “The problem is that he needs a face to his ‘villain’ and unfortunately (and incorrectly) chose me.” Soon after Daugherty posted the promotional video, Tiversa sued him for defamation. At almost the same time, the F.T.C.—nearly four years after it launched its inquiry—sued Daugherty’s company for failing to safeguard its data. Tiversa became involved in both cases, maintaining that it had originally downloaded the LabMD file from a computer, in San Diego, that appeared to belong to an identity thief.

At Tiversa, a former employee told me, Boback seemed intent on pursuing Daugherty, even though it brought no obvious benefit to the company: “It got very cultish. We had this very charismatic leader, who would call these meetings for the entire company and start rambling about how he was being persecuted, how he was going to win, how crazy Daugherty was.”

As the fight intensified, Rick Wallace was spending less and less time in the ops room. Once Tiversa signed up companies like LifeLock and MetLife, his skills at uncovering eye-catching records were less relevant. Boback, instead, pushed him into the role of part-time superintendent—dealing with elevator breakdowns, burst pipes, and broken light bulbs. Eventually, Boback hired Wallace and his wife, Amy, to clean up a house that he was flipping: a ramshackle place occupied by feral cats, which had left it in a toxic, stomach-turning condition. They called it Catmandoo.

Wallace began drinking heavily and talking less to Boback. Nonetheless, he says, Boback called him in just before Tiversa issued Daugherty the cease-and-desist letter, asking him to make it appear as if the LabMD file had spread across the peer-to-peer network. Wallace was reluctant: he was conscious that he had pulled down the file from Daugherty’s company, and had noted his findings in writing. Still, he complied, linking the file in the Data Store to several burnt I.P. addresses. In 2013, as Tiversa pressed Daugherty to settle, he did so again, making it appear as if the file had spread to six locations, including a computer in San Diego.

Recognizing that his fabrications were becoming legally significant, Wallace began to come apart. “I was already stressed,” he recalls—suffering, he says, from P.T.S.D., caused by his online research into child exploitation. On New Year’s Eve, 2013, he got drunk and ended up in a physical altercation with his wife and daughter, and the police arrested him—the first of several arrests tied to drinking. “No one was even trying to understand what was happening to me,” he told me. “I drank too much alcohol—always beer—and got in trouble.”

In January, 2014, Wallace received a subpoena from Daugherty’s lawyers, who were seeking to understand how the LabMD file had been exposed. He worried that he would have to either lie under oath or implicate himself and risk retaliation. After he expressed his fears to Boback, he says, Boback summoned him to his office, where he was toying with a pistol: “He’s, like, ‘Well, Waldo, if you fuck with the bull, you get the horn.’ ” (Boback says that he had no weapon, and that he simply directed Wallace to tell the truth—which, he maintains, is that he never ordered anyone to create false spread.)

On February 4th, Tiversa’s lawyers agreed to have Wallace deposed. Soon afterward, Wallace says, he got a prescription for Ambien, which he took after drinking, then got into his car and totalled it. The following day, he drove the family’s other car to Tiversa, where he and Boback had another standoff over the deposition. (Boback says they never met at the office.) As Wallace left, he says, Boback followed him into the elevator. “We were on the seventh floor, and he pushed the sixth-floor button, and as soon as the elevator doors closed he slammed me against the wall,” Wallace recalled. Boback commanded him, again, to lie in order to corroborate the company’s version of events. When the elevator arrived at the sixth floor, he got off.

Afterward, Wallace sat in his car and drank beer for a while, trying to calm down. Finally, he started the engine. “I just went around the corner from Tiversa and sped as fast as I could into a light pole,” he says. “I just wanted to end it.”

He was arrested. Boback picked him up and drove him home, warning that if he didn’t get treatment for his drinking he would be fired. Days later, Wallace checked himself into a facility, which Boback had chosen. Whatever the benefits of rehab, it would also serve to isolate Wallace—perhaps even make his deposition impossible. (Boback told his executive assistant to avoid contact, explaining, “He needs treatment, not friends right now.”) When Daugherty’s lawyers tried to contact him, they were told that he was inaccessible for medical reasons.

Almost as soon as Wallace started rehab, Boback fired him. He then hired a private-investigation company, Inpax GPS, to dig into the Wallaces’ background, and brought security professionals to Tiversa to conduct “self-defense training.” Inpax GPS produced a threat assessment that blended verifiable facts with assertions that seemed to originate from Boback, for instance that Wallace exhibited “extreme jealousy and threatening behavior directed toward Tiversa’s CEO.” It described Wallace’s run-ins with the law, including one from 2013. The previous summer, the Wallaces had hosted an eight-year-old girl from New York, through the Fresh Air Fund, and the girl’s mother complained that Wallace had behaved inappropriately. Wallace strenuously denied the accusation. Following an investigation, the authorities declined to pursue a case, and an administrative judge who reviewed the evidence recommended that the complaint be expunged. But Boback knew of the inquiry, and details about it turned up in the Inpax GPS assessment. He then cited the report to associates, giving the impression that Wallace was a molester.

When Wallace came home from rehab, some of his law-enforcement contacts would no longer return his calls. He had no obvious way to turn his career around, and felt increasingly isolated. On the evening of April 2, 2014, he was sitting in front of his computer at home. On impulse, he began searching for Mike Daugherty’s number. A few months earlier, Daugherty had announced that he could no longer stay in business; in a melancholy note to employees, he had written, “Our futures are full of unknown waters.” Suddenly, Wallace felt compelled to confess.

That evening, Daugherty was at a Thai restaurant in Atlanta. He had arrived early, and was waiting for some friends, when his phone rang. He answered, and a man’s voice he didn’t recognize said, “Is this Mike Daugherty?”

“Yeah,” Daugherty said.

“Do you know the name Tiversa?”

“Yeah,” Daugherty said.

“Well, I know a guy who would be willing to talk to you about what really happened. Can you talk to him? Would you retaliate?”

“Can you tell me who the guy is?”

“It’s Rick Wallace,” the man said.

Daugherty said that he wanted to get his lawyer’s advice, and hung up. The lawyer told him to call back immediately, but Daugherty didn’t have the number: the caller’s I.D. was masked. Twenty minutes later, the man phoned again. Daugherty ran to the parking lot to take the call. “O.K., yes,” he said, hurriedly. “I can talk to him.”

There was a pause. “Well,” the man said, “I’m Rick.” Wallace almost immediately started to cry. “I destroyed your company,” he told Daugherty. “I did terrible things.” He spoke a little about what he had done at Tiversa; LabMD, he explained, had been on the list that went to the F.T.C. Then he passed the phone to his wife, and to one of their daughters. “Everyone was wanting to apologize,” Daugherty recalled. He assured Wallace that redemption was possible. He said, “Let’s focus on fixing this.”

Daugherty strove to help Wallace obtain legal immunity to testify in his F.T.C. hearing, and he put Wallace in touch with the House Committee on Oversight and Government Reform. Darrell Issa, the committee’s chairman, believed that LabMD’s case raised questions about the scope of the F.T.C.’s authority. Moreover, Boback had twice testified before his committee. If he had not been truthful, Issa wanted to know. The committee launched an investigation.

Wallace was suddenly poised to be a star witness in two significant Washington inquiries. But he was drinking again, and still terrified of retaliation. In April, a congressional staffer reached out, to inform him that his testimony was required. Days later, he walked into the local police department in a panic, fearing that a scheduled call with Congress was a ruse orchestrated by Boback to intimidate him, or to find out what he planned to say. Wallace told the police that he had been receiving threatening phone calls and death threats posted on his car. His preoccupation with being harassed often interfered with his ability to testify. He later told congressional investigators that he found a Tiversa envelope in a shed behind his house, with a note scrawled on it: “I.C.U.” He took a photo—evidence, he said, that Boback was monitoring him and his family.

That spring, Boback travelled with his family to the Yemeni island of Socotra, and in the summer they went to Namibia. At home, though, he resembled a man at war. He hired the former White House press secretary Ari Fleischer to advise him in Washington, and he worked to assail Wallace’s credibility with Congress and the F.T.C. Tiversa also passed the Inpax GPS threat assessment to David Sitler, the police chief in Wallace’s community, who initiated a “force protection” measure. As summer gave way to fall, Wallace says, Sitler became a near-constant presence at his home. (Sitler, who was later fired for police brutality, denies this, saying, “We only monitored him if we came into contact with him.”)

Inpax GPS also increased its efforts, assigning two investigators to track Wallace’s movements. Under Boback’s direct guidance, they coördinated with the police to place a hidden camera in a traffic cone outside Wallace’s home. The footage was unremarkable—the mailman, Wallace’s children—and after three days the investigators suggested that the surveillance be discontinued. An employee at Tiversa learned about the camera and secretly sent word to Wallace to be careful.

In November, 2014, the Department of Justice finally granted Wallace immunity to testify. Boback passed the news to one of his private investigators, striking a cool tone. “It will work out for the best,” he told him. “Even though he will say ridiculous lies about Tiversa, he will get exposed.” But, at the office, he seemed far from calm. Two former employees say that they witnessed Boback trying to manipulate Daugherty’s file in the Data Store—making further changes to metadata that might figure in Wallace’s testimony. In April, 2015, a month before the F.T.C. hearing, Wallace says, he found a warning chalked on his driveway: “U R DEAD.”

Wallace was a quiet presence in court. Sitting before an administrative-law judge, he described systematically creating fraudulent file spread in the Data Store at Boback’s direction. When asked how many Tiversa clients had been given false information, he said, “Probably every company that we’ve ever done business with.” During testimony about Daugherty’s company, the judge asked, “Did Mr. Boback have any reaction to LabMD’s decision not to do business with Tiversa?”

“Yes,” Wallace said.

“And what was that reaction?”

Wallace glanced at his lawyer, who instructed him to answer. “He basically said, Fuck him,” he said. “Make sure he’s at the top of the list.”

The hearing triggered a storm of coverage—as Ari Fleischer informed Boback, “one story after another with similar bad headlines.” CNN went with “Whistleblower accuses cybersecurity company of extorting clients.” The bad press worsened after Darrell Issa’s committee released a long report that asked whether Tiversa was a “hi-tech protection racket.”

Joel Adams wrote to Boback, “F these guys Bob. We are the winners here.” Boback responded, “They’ll get theirs.” With Fleischer, he drafted a letter to the Wall Street Journal saying that his company was a “good Samaritan.” He argued that if Tiversa had never contacted LabMD its internal records would still be online, exposing the private information of thousands of patients. And he asserted that “the suggestion that Tiversa provided information on exposed files to the Federal Trade Commission as a means of retribution because LabMD didn’t hire Tiversa is 100% false.” Wallace, Boback said, “is an individual with a history of not telling the truth, and the information he testified about is demonstrably false.” But he refrained from demonstrating how any of the allegations were false.

By this time, the Department of Justice had launched a criminal probe into Tiversa, and on March 1, 2016, a convoy of black vehicles filled with armed federal agents pulled up to the company’s headquarters. They stormed the building and also interviewed employees at their homes, including one executive who was so nervous that he kept trying to drink from an empty water glass; eventually, he confessed to knowing that Wallace had added false metadata to the Data Store. The agents also commandeered records and seized the Data Store. The archive—a room filled with servers, stacked in racks seven feet tall—by then contained an estimated billion files, a trove measurable in petabytes. The federal agents sought to copy just a fraction of it; the process took so long that they needed a second search warrant.

Law-enforcement officers strive to keep such investigations secret. But, during the raid, a mysterious Twitter account made this impossible. By then, Tiversa’s employees were in open revolt. (Several had left the company, while others had written to Adams, begging him to take action against Boback: “He risks everything for his own personal gain, and will lie to anyone to maintain his status.”) The Twitter account posted a dramatic photo of the F.B.I. convoy, copying it to the Pittsburgh Post-Gazette, with a note indicating that Tiversa was being raided. The news was a deathblow. The board, driven by Adams, installed a new C.E.O., but there was very little that he could do. The company’s brand was demolished. Tiversa would soon have to be sold.

The judge in Daugherty’s case found Wallace credible, and he ruled against the F.T.C. (Based on a videotaped deposition, he deemed Boback evasive and untrustworthy.) His ruling was validated last year by an appellate-court judge, who noted, with unusual indignation, that the “aroma that comes out of the investigation of this case is that Tiversa was shaking down private industry with the help of the F.T.C.” The commission’s lawyer conceded, “Tiversa engaged in serious, serious misconduct.” Before he could argue that the F.T.C. was untouched by that conduct, the judge cut him off, insisting that the commission should have let the matter go “after the evidence collapsed.”

By then, Tiversa had been dismantled. It had too many liabilities to be sold outright, so the board had decided to carve out its assets. Still, no sale could be undertaken without ethical complications. The Data Store was the cybersecurity equivalent of nuclear waste—a vast repository of personal, financial, and corporate information, sensitive government records, and whatever else had been exposed on the Deep Web. Was it moral to put a price tag on it—to profit from, say, Justice Breyer’s Social Security number? Was it even legal? Would there be an audit to insure that the deal contained none of the hacked content that Wallace had uploaded, none of the pirated music, no child pornography? The sale included health-care information protected by strict privacy laws. Was that a crime?

In February, 2017, Tiversa’s primary shareholders began negotiations with Kroll, the corporate-intelligence firm, to sell off the company’s core assets for several million dollars. The deal, closed within four months, was kept quiet. Earlier this year, a spokesperson for Kroll agreed to make an executive available to discuss the acquisition, if I provided a list of questions in advance. After I sent the list, the discussion was abruptly cancelled. Kroll instead offered a brief statement. It said that Tiversa’s technology strengthens its “existing business offerings,” and that Kroll is not pursuing the company’s former “business operations.” One person involved told me that Kroll wanted the assets for corporate-intelligence purposes. It hired a handful of Tiversa employees to maintain the system. This January, someone in England detected it working and wrote on Twitter, “Care to tell me why you are snooping my I.P. address?”

After the raid on Tiversa, Boback moved his family to a waterfront compound in Florida, with a tennis court, a pool, a pier. He bought a construction company in Tampa Bay. Its Facebook page posted a photo of him, standing on a yellow Komatsu truck, wearing jeans and a safety vest and grinning.

At the time of the photo, Boback was still under federal criminal investigation. A year after the raid, though, the Department of Justice decided to drop its inquiry. Prosecutors typically do not comment on such matters, but it is possible to speculate on the reasoning. For one thing, the Data Store was a forensic hall of mirrors. For another, not all forms of FUD are criminal. Tiversa’s actions never seemed to achieve the sharp edges of extortion. As for fraud, while some potential clients appear to have been fed entirely fabricated information, the tactic, as Wallace described it, was more often to exaggerate real breaches. It wouldn’t be easy for a jury to delineate where Tiversa profited from fiction and where from fact. And, even though there were at least three other witnesses to the creation of false spread, the prosecution would have to build its case around the testimony of a man with a drinking problem and a record of arrests.

In March, 2017, two weeks before the Department of Justice closed its Tiversa case, Wallace fell from a tree while helping a neighbor do some pruning. He smashed his spine, and, paralyzed from the waist down, was unlikely to be able to testify for many months. Confined to a wheelchair, he now works as a security consultant. Daugherty is trying to return to health care. In the meantime, he promotes himself as an expert in “cybersecurity response,” and focusses on litigation. He recently sent me a pie chart demonstrating the many cases he had initiated.

Boback, despite his efforts to project the image of a carefree construction magnate, remains mired in the legal fights over Tiversa, and is still sensitive to accusations about how he ran the company. Shortly after Joel Adams forced him out, he wrote a post on LinkedIn promoting a memoir. When I asked about the book, Boback told me that it existed only in his mind—a fiction to communicate to business associates that he had a story to tell. In any case, he said, an imaginary memoir is the best kind to have when you can still be deposed.

The LinkedIn post described the book as the tale of a heroic businessman, fighting to overcome small-minded enemies—particularly Adams, whom Boback now likes to depict as the cause of Tiversa’s problems. Titled “Politics of Greed,” it would contain supportive forewords by Wesley Clark and Ari Fleischer. Although the book was still unwritten, Boback offered a sample of the advance buzz: a blurb from a reader who called his story a “travesty of justice,” and one from another who asked, presumably of Adams, “Is this Pittsburgh’s Bernie Madoff?” The description suggested that Boback was a whistle-blower, sacrificing everything to expose wrongdoing. “The entrepreneur was terminated, investigated, and ‘scape-goated’ in his effort to bring this information,” it read. “However, he overcame these attacks to build a new multi-million dollar firm to provide the resources to bring this forward.” Boback assured readers that he would ultimately triumph over his foes: “You’ll be cheering in the end!”

Article reposted with permission

Read More
LabMD and the FTC: Guilty until proven innocent in the court of public (and customer) opinion

03 Jan Guilty Until Proven Innocent

The Conflict between LabMD and the FTC

The FTC charged LabMD with a failure to maintain proper cyber security for our patient records. In the final FTC order, the FTC stated that LabMD “did not employ basic risk management techniques and safeguards such as automated intrusion detection systems, file integrity monitoring software or penetration testing, and failed to monitor traffic coming across its firewalls. We knew these charges were false. We had our networks monitored electronically, rather than the FTC’s definition of “monitored”, which they believe should be a person watching files and data move across the network.

We had our log files on auto delete after 10 days, so there was no proof of whether we did or did not have any of these things, but this is where the regulators made things up. They didn’t think we had the proper precautions in place, so they charged us with not having them in place. We never got our day in court to rebut these charges, because we were always in their court answering their many inquiries.

It is very difficult to fight back when you’re always only on defense answering to the power of the Federal Government. And you’re all alone.

If It Bleeds, It Leads. But If Not…

When you’re not famous or you’re not a Fortune 500 company, the media simply ignores you, and they don’t do any investigative work. If it’s not a front page story, you won’t get any media coverage. This lack of reporting was a constant problem because when you say “we didn’t do it”, they might report it, but they don’t believe you and neither does anyone else.

Your name is tarnished based on allegations made by the Federal Government, rather than proof that you did anything wrong. You are, by definition in the court of public opinion, guilty until proven innocent.

The Final Word in Our Favor: Too Late

After 8 years, the 11th circuit came out with their written ruling, but who reads court rulings except for those directly impacted? Furthermore, who reads the most important part of the ruling when it is in the Footnotes of the ruling? Below are the two footnotes from our victorious ruling over the FTC:

  1. LabMD’s program included a compliance program, training, firewalls, network monitoring, password controls, access controls, antivirus and security related inspection.
  2. The record is not clear but we assume the billing manager installed the peer to peer sharing app on her workstation computer.

Nobody Challenges the Federal Government

The truth was finally printed, ten years after the FTC began its systematic destruction of the company called LabMD. Federal regulators had lied and exploited our company. It was in the record – pictures of everything as proof of our actual policies and practices – but nobody reads the record. Nobody doubts the government. They just report what the government says, and the government agencies know this.

So, when the FTC judge says we had the proper systems, policies, and procedures in place, the FTC commissioners overturned it, and said the opposite, when it was all there all the time, in black and white, on the record.

It took years to get the court to say it. Meanwhile LabMD’s reputation is trashed and market doubt is created, while the lawyers make money off of the conflict. Nobody is paying attention any longer because it’s been 10 years, but we were right: we had all the policies, practices, and procedures that the government said we did not have.

LabMD was destroyed based on the false accusations of a Federal Government Agency.

 

Read More

08 Apr Don’t Be Fooled by Its Spin: Facebook Plans to Remain a Data Company

Don’t Be Fooled by Its Spin: Facebook Plans to Remain a Data Company - Facebook on Privacy

Mark Zuckerberg’s apologies notwithstanding, his social media creation is first and foremost a tool for gathering information about everybody

It has been a tough few months for Facebook CEO Mark Zuckerberg. He has gone from tipping his toe in the presidential waters to being hauled before Congress to defend his company’s privacy policy.

His company has hit troubled waters, some of which stem from a lack of understanding of how the company really operates — and others of which are completely of Zuckerberg’s own making.

Let’s be honest. If you put material on Facebook, you have lost control of it. The company vacuums users’ personal information and traffics it into the marketplace. Data have become currency, and America’s tech industry, led by Google and Facebook, are the Vanderbilts and Rockefellers of data information sales.

It should come as little surprise that the company, as Bloomberg reports, goes so far as to scan links and personal photos people send by Facebook’s messenger app.

Your information is what fuels its bottom line and the company is one of the largest and most powerful corporations in human history.

Zuckerberg’s initial response to the “crisis” is typical of the company and an example of what Rahm Emanuel said: “Never let a good crisis go to waste.” In response to congressional concerns about privacy, the company announced it would sever relationships with third-party data providers.

Facebook claims its action will tamp down on the information, but the truth is that it will monopolize the data the company has collected. If Congress allows this sleight of hand to happen, Facebook will emerge stronger and more powerful than ever before.

For conservatives, Facebook has become a chokehold on information. From Rare, a libertarian-leaning news and information platform, to RightWingNews.com, a long-standing place for conservative-leaning stories, a tweak of the Facebook’s algorithm was enough to limit traffic to their sites, which ultimately led to their demise.

The fear that the progressives who dominate the tech industry will use their platforms to punish conservatives is not conspiracy. It is a fact. Google tips the scales on search results by using the race-baiting and vehemently anti-GOP Southern Poverty Law Center.

Facebook has partnered with Snopes, the liberal “fact-checker,” to determine what is fake news. Twitter has banned conservatives with large followings while ignoring liberals who often call for President Donald Trump’s demise.

Recently, Zuckerberg added gasoline to the fire by telling Vox.com that his vision for the platform is not free speech but the creation of an independent “supreme court” that would determine what is acceptable speech.

“[O]ver the long-term, what I’d really like to get to is an independent appeal,” Zuckerberg said. “So maybe folks at Facebook make the first decision based on the community standards that are outlined, and then people can get a second opinion.

“You can imagine some sort of structure, almost like a supreme court, that is made up of independent folks who don’t work for Facebook, who ultimately make the final judgment call on what should be acceptable speech in a community that reflects the social norms and values of people all around the world.”

Over the last few days, Facebook has been rolling out some positive-sounding policies to provide Zuckerberg with some ammo before Congress, including giving users greater control over what information third-party apps can gather and bulk-delete capabilities for such apps.

Congress would be foolish to allow Zuckerberg to use the privacy issue to gain even greater control of the marketplace.

But the company isn’t changing much about the info it collects and use. Make no mistake about it: Facebook remains a data company. It can make rhetorical claims about protecting user privacy, but it profits, and profits mightily, from consumers’ information.

Congress would be foolish to allow Zuckerberg to use the privacy issue to gain even greater control of the marketplace, while allowing him to walk away from the upcoming hearing without addressing the elephant in the room. That’s the tech industry’s willingness to limit speech and information in a manner that discriminates against conservatives.

 

(photo credit, homepage image: Mark Zuckerberg, Cut Out, CC BY 2.0, by Anthony Quintano; photo credit, article images: Mark Zuckerberg, Cut Out, CC BY 2.0, by Anthony Quintano)

Originally posted on LifeZette

Read More

19 Dec LabMD Appeal Has Privacy World Waiting

Reblogged from JDSupra

It is the case that could define the scope of the U.S. Federal Trade Commission’s authority in data security.

The U.S. Court of Appeals for the Eleventh Circuit heard argument six months ago in LabMD, Inc. v. Federal Trade Commission. As readers of this blog know, the case turns on what kind of consumer harm is required for the agency to maintain a data security enforcement action.

Yet, for a case with such potentially broad implications, it doesn’t involve a high-profile data breach with millions of protected healthcare records roaming freely in the digital ether. Nor does it involve a single instance of identity theft or untoward use of patient information.

In fact, it’s doubtful that there was even a data breach.

The FTC’s enforcement action against LabMD focuses on two incidents dating back a decade. In the first instance, the FTC complaint charged that a report with the names, birth dates and Social Security numbers for 9,000 patients was compromised. But the back story is more complicated. A cybersecurity firm soliciting LabMD’s business allegedly “discovered” the report on a peer-to-peer file sharing program installed on one computer in LabMD’s accounting department. The cybersecurity firm allegedly shared the report with the FTC. There’s no evidence, however, that the report was shared with anyone else.

The second instance – the FTC charged – was a document with sensitive patient information that ended up in the hands of identity thieves in California. Again, there’s no evidence that this second document was used for illicit purposes, nor it is clear how the report found its way to California.

At the heart of the appeal is the scope and reach of the FTC’s enforcement powers under Section 5 of the FTC Act and the trigger for an enforcement action, all hotly debated issues since the case started in 2010 and a powerful test of the Commission’s authority. Section 5 prohibits “unfair” acts or practices that “cause[] or is likely to cause substantial injury to consumers….”

After a three-year investigation, the agency filed an Administrative Complaint in 2013 alleging that LabMD failed to adequately protect patient medical data, and demanded that, as part of a settlement, it institute a comprehensive data security program and submit to third-party security audits for the next 20 years. LabMD rejected the settlement.

Round One: LabMD Wins Administrative FTC Trial

In a stinging 91-page ruling, the agency’s own chief administrative law judge, J. Michael Chappell, dismissed the case against LabMD on the grounds that the Commission failed to demonstrate that it was “likely” consumers had been substantially injured – as required by Section 5 – by the two alleged data security incidents. ALJ Chappell concluded that the FTC failed to show any proof whatsoever of actual consumer injury. He flatly rejected the FTC’s theory that a statistical or hypothetical risk of future harm was enough to find LabMD liable for unfair conduct under Section 5 of the FTC Act.

“To impose liability for unfair conduct under Section 5(a) of the FTC Act, where there is no proof of actual injury to any consumer, based only on an unspecified and theoretical ‘risk’ of a future data breach and identity theft, would require unacceptable speculation and would vitiate the statutory requirements of ‘likely’ substantial consumer injury.”

Round Two: Commission Reverses ALJ

In its Opinion and Final Order, the Commission reversed the ALJ’s ruling and held that the “wrong” legal standard was applied and that the pertinent inquiry is whether the act or practice at issue posed a “significant risk” of injury to consumers.

“[C]ontrary to the ALJ’s holding that ‘likely to cause’ necessarily means that the injury was ‘probable,’” the Commission wrote, “a practice may be unfair if the magnitude of the potential injury is large, even if the likelihood of the injury occurring is low.” The Commission concluded that Congress had entrusted it with protecting a broad range of consumer harms and “need not wait for consumers to suffer known harm at the hands of identity thieves” before taking action.

Round Three: Stay Tuned

In a 20-minute spirited oral argument on June 21, 2017, the Eleventh Circuit asked why the Commission didn’t simply use rulemaking instead of an enforcement action if its concern is the prevention of future incidents. As one member of the court observed during the hearing: “A tree fell and nobody heard it, that’s the case we have here.” To listen to the oral argument, click here.

Even before oral argument, the Eleventh Circuit signaled its discomfort with the FTC’s position that actual or likely consumer injury wasn’t required under Section 5. In a pre-appeal motion, the court noted that LabMD had “made a strong showing” that the agency’s legal interpretation of Section 5 may not be reasonable.

The Eleventh Circuit’s ruling – whenever and however decided – will have far-reaching implications. If the FTC prevails, the agency will likely have more discretion in defining the threshold for consumer harm under a Section 5 enforcement action; and, the agency’s consent decrees will be viewed a body of precedents indicating what data security practices are considered “unfair” by the Commission. But if LabMD wins, the enforcement bar will be raised – requiring more than just speculative or hypothetical consumer injury – to sustain an enforcement action.

Read More

20 Jun Oral Argument in LabMD Case to Test FTC’s Enforcement Authority

Reblogged from BloombergBNA

The Federal Trade Commission will have an opportunity to justify its data security enforcement authority when oral argument in LabMD Inc. v. FTC starts June 21 before the U.S. Court of Appeals for the Eleventh Circuit, attorneys told Bloomberg BNA.

One of the critical issues likely to emerge in the case is what level of harm is required for the FTC—the nation’s main data security and privacy enforcement agency—to act, attorneys said.

The issue of harm will be “front and center,” Phyllis H. Marcus, counsel in the global competition team at Hunton & Williams LLP in Washington, told Bloomberg BNA.

Oral argument “presents an opportunity for the FTC to explain its current view of ‘harm,’ and how it should be applied in the LabMD case,” Kurt Wimmer, Washington-based partner and chair of Covington & Burling LLP’s data privacy and cybersecurity practice, told Bloomberg BNA.

The FTC has no direct statutory or regulatory authority for enforcing the nation’s data security rules. In the absence of that authority, it relies on Federal Trade Commission Act Section 5—a catch-all prohibition against unfair and deceptive trade practices—to carry out data security compliance actions.

Companies under the FTC’s jurisdiction, from internet giants Amazon.com Inc. and Facebook Inc. to smaller businesses such as LabMD, have struggled with what level of data security they must provide to convince the agency that their efforts to protect personal data are reasonable.

Of those companies whose data security and privacy practices have been targeted by the FTC, very few have challenged its enforcement authority. Very few FTC data security actions are litigated, Marcus told Bloomberg BNA. Mostly, targeted companies have entered into no-fault consent orders with the FTC.

To date, there have been more than 50 data security settlements, according to the commission. LifeLock Inc., Oracle Corp., and Snapchat Inc. are among the companies that have settled with the agency.

A Question of Harm

The long-running dispute between the FTC and LabMD started when the agency alleged in 2013 that the Atlanta-based medical testing laboratory was storing patient information insecurely, on a peer-to-peer network. The now-defunct company countered that the agency hadn’t issued a rule or statement specifically describing the data-security practices permitted for patient information, and therefore lacked authority to bring the action.

LabMD objected to the FTC’s use of FTC Act Section 5 to take data privacy and data security enforcement actions. But in November 2015, FTC Chief Administrative Law Judge D. Michael Chappell ruled that the FTC had failed to show that LabMD’s data security practices either caused or were likely to cause substantial injury to consumers.

The FTC reversed Chappell’s ruling, holding that the disclosure of sensitive personal and health information was itself sufficient to establish consumer harm under Section 5. The commission also disagreed with the ruling that “likely to cause” necessarily means that injury was “probable.” Instead, it concluded that “a practice may be unfair if the magnitude of the potential injury is large, even if the likelihood of the injury occurring is low.”

However, the Eleventh Circuit stayed the effective date of the FTC’s enforcement action until the appeal is resolved. Granting the motion for a stay, the appeals court said that it isn’t clear whether reasonable interpretation of Section 5 includes “intangible harms like those that the FTC found in this case.”

The court also questioned the commission’s interpretation that “likely to cause” doesn’t mean “probable” but “significant risk.” The appeals court said it doesn’t read “the word ‘likely’ to include something that has a low likelihood,” and found that the FTC’s interpretation isn’t reasonable.

Although the outcome of the case can’t be predicted, the appellate court seems to have put LabMD in a strong position heading into oral argument.

LabMD has “momentum from the appellate court’s decision to stay the commission order,” said Marcus, while the FTC is coming from a defensive position. Moreover, the Eleventh Circuit’s stay order adopted LabMD’s argument and tone, and the court publicly expressed skepticism about the commission’s authority, she said.

LabMD is represented by Ropes & Gray LLP. Counsel for LabMD and the FTC declined to comment.

To contact the reporter on this story: Jimmy H. Koo in Washington atjkoo@bna.com

To contact the editor responsible for this story: Donald Aplin atdaplin@bna.com

Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.

Read More

13 Mar FTC vs LabMD: FTC tells experts what to find, ignores evidence, and changes their arguments to 11th Circuit Court of Appeals

image1

LabMD Says FTC Shifting Args On Data Security Lapses

By Allison Grande

Law360, New York (March 10, 2017, 10:12 PM EST) — LabMD on Thursday stepped up its opposition to a ruling by the heads of the Federal Trade Commission that declared the company’s data security practices were inadequate to protect against unauthorized disclosures, telling the Eleventh Circuit the agency keeps shifting its arguments to fit a conclusion it reached long ago.

In a reply brief, LabMD Inc. shot back at a brief filed by the FTC last month, which urged the appellate court to uphold a July ruling in which the heads of the agency overturned their own administrative law judge and concluded that the company’s failure to employ “basic” security precautions led to an unauthorized disclosure of sensitive medical data that caused “substantial” harm to consumers, in violation of the unfairness prong of Section 5 of the FTC Act.The FTC had argued in its February brief that the company’s failure to take standard precautions like training staff about data security and using inexpensive monitoring tools caused actual harm in the form of invasion of patient privacy. But LabMD countered Thursday that not only was the conclusion incorrect, it was a predetermined judgment that none of the lab’s arguments could alter.

“The FTC’s response brief confirms that this is a paradigmatic case where ‘the Commission clearly made its decision before it considered any contrary conclusion,'” the lab said. “Just as in the proceedings below where the Commission ignored evidence favorable to LabMD and shifted its theory of injury once its ‘evidence’ of harm was shown to be fabricated, the Commission’s response now ignores many of LabMD’s arguments demonstrating the opinion’s flaws and instead … resorts to new theories that are not in the opinion.”

LabMD added that the commission in its response brief also “repeatedly mischaracterizes” both the commissioners’ opinion and “the flimsy record upon which it was based” in order to “falsely paint LabMD in a bad light.”

Specifically, the lab contended that the FTC claimed the leaked patient data file at the heart of the case was exposed to “millions” of Limewire users who had “unfettered access to it” when “in truth only a small fraction of users could have searched for it and their access was quite ‘fettered'”; that the commission had falsely asserted that the file contained patients’ diagnoses; and that the agency misrepresented that the lab affirmatively “disclosed” the file to cybersecurity firm Tiversa.

Tiversa, which is currently embroiled in separate litigation with the lab over the data exposure and is under investigation by the FBI for its dealings with federal regulators, claims that it discovered the file on Limewire, while LabMD has countered that Tiversa stole the file and gave it to the FTC after the lab had refused to purchase its security services.

However, LabMD noted in its recent motion that even if these points were presented accurately, they still wouldn’t be enough to justify upholding the commissioners’ decision, which the lab argued went far beyond the authority that Congress had bestowed upon the commissioners to police unfair practices under Section 5(n) of the FTC Act.

“Each interpretation of Section 5(n) that the FTC now asserts is directly at odds with Congress’ clear intent and is, in any event, unreasonable,” the lab argued.

LabMD pointed out that in its response brief, the commission “walked away” from the commissoners’ assertion in their July ruling that the exposure of the patient data file could have caused the nearly 10,000 consumers whose information was contained in the document embarrassment or reputational harm, and instead for the first time contended that “the wholly conceptual ‘privacy harm’ referenced in the opinion constitutes ‘substantial injury’ under Section 5(n) because it is ‘concrete.'”

“Even if the court could consider it, this newfound position is no more reasonable than the FTC’s original theory,” the lab argued, adding that both the plain meaning and legislative history of the unfairness prong foreclose the finding of a “substantial injury” based on intangible harms such as privacy invasion.

In a statement provided to Law360 Friday, LabMD CEO Michael Daugherty urged the examination of two points: “that all commissioners, including Acting Chairwoman [Maureen] Ohlhausen, participated in willful blindness by ignoring very contrary evidence that proves LabMD had data security practices the FTC bellows we did not” and “that FTC expert witnesses themselves state they were told by the FTC to assume as a given that LabMD’s data security practices were unreasonable.”

“When and where is the outrage and fury directed toward these bureaucrats who stacked the deck with lies and willful blilndness against a cancer facility. Have they no shame?” Daugherty added. “Why are they still working in the Trump administration? Health care will never recover with regulators like this knocking on our door as Congress looks the other way.”

LabMD is represented by Doug Meal, David Cohen, Michelle Visser and Douglas Hallward-Driemeier of Ropes & Gray LLP.

The FTC is represented by staff attorneys Joel Marcus, Theodore Metzler and Michael Hoffman.

The case is LabMD Inc. v. Federal Trade Commission, case number 16-16270, in the U.S. Court of Appeals for the Eleventh Circuit.

–Editing by Philip Shea

Read More

19 Feb Privacy Profs. Get Behind FTC In LabMD Fight At 11th Circ

image1

By Steven Trader Law360 Click here for a downloadable copy

A group of eight privacy and security law professors on Thursday threw their support behind the Federal Trade Commission in its Eleventh Circuit battle with LabMD to keep intact a ruling that an alleged data leak harmed consumers, saying the agency’s approach to regulating privacy spurs better protection practices.

In an amicus brief, the group of academics, who hail from the University of California Berkeley and George Washington University, among others, lent their support to the FTC’s July ruling that overturned its own administrative law judge and concluded the lab’s failure to employ “basic” security precautions led to an unauthorized disclosure of sensitive medical data that caused “substantial” harm to consumers, in violation of the unfairness prong of Section 5 of the Federal Trade Commission Act.

While LabMD and its own amici supporters have contended that the FTC stretched its own unfairness authority too far, the academics on Thursday wrote that the agency’s use of its unfairness authority in the data privacy context actually encourages corporations to develop “progressive and dynamic approaches to privacy policies.”

“Its enforcement actions, in particular, have encouraged responsible companies to invest in internal privacy and security professionals and increased the power and resources these professionals have to evolve and strengthen firm privacy practices,” the group wrote.

Though the medical lab and its supporters have criticized the agency’s enforcement action as a “circumventing of the legislative process,” which harms businesses by subjecting them to vague and constantly changing data security measures,” the professors said Thursday the FTC’s governance style has been “open and collaborative,” and that its actions against LabMD were nothing out of the ordinary.

“The FTC has frequently used its Section 5 authority to curb or prevent disclosure of consumers’ confidential medical information in prior health-related enforcement actions,” the academics wrote. “Its finding of injury and substantial risk of injury stemming from LabMD’s disclosure of patient medical records here is thoroughly consistent with the FTC precedent.”

Thursday’s amicus filing comes on the heels of a Feb. 10 reply brief the FTC filed in the Eleventh Circuit defending its July decision and striking back against LabMD’s opening brief claims it overstepped its authority and in the process destroyed the small medical testing company’s business, which shuttered in 2014 due to the expense of fighting the enforcement action.

LabMD in particular has taken issue with the commissioners’ conclusion that the purported leak of a file containing personal data belonging to approximately 9,300 patients in 2008 constituted the type of “substantial” injury necessary to support a Section 5 claim, especially since there was no evidence that any of the compromised data had ever been misused or that the affected consumers had suffered any tangible harm.

A group of amici from the business, tech and medical communities, including the U.S. Chamber of Commerce, TechFreedom and the National Technology Security Coalition, backed up the lab in early January, contending that the power that Congress bestowed upon the commission when enacting Section 5 do not include the ability to set and enforce general data security policy.

In a response to the professors’ brief in support of the FTC, LabMD CEO Michael Daugherty told Law360 it was “quite telling that the FTC could only muster up academic lawyers.

“Where are all the technologists, chief information security officers, physicians and business leaders supporting the FTC? They’re not,” Daugherty said. Only academics and bureaucrats who make their living off regulation and government can look the court in the face and believe concrete harm comes from any situation where no victims can be found.”

The eight amici professors include Kenneth Bamberger, Woodrow Hartzog, Chris Hoofnagle, William McGeveran, Deirdre Mulligan, Paul Ohm, Daniel Solove and Peter Swire. The academics are represented by Michael W. Sobol, Nicholas R. Diamand and Laura B. Heiman of Lieff Cabraser Heimann & Bernstein LLP.

LabMD is represented by Doug Meal, David Cohen, Michelle Visser and Douglas HallwardDriemeier of Ropes & Gray LLP.

The FTC is represented by staff attorneys Theodore Metzler and Michael Hoffman.

The case is LabMD Inc. v. Federal Trade Commission, case number 16-16270, in the U.S. Court of Appeals for the Eleventh Circuit. –Editing by Kelly Duncan

~~~~~

Privacy Profs. Get Behind FTC in LabMD Fight at 11th Circ. by Mike Daugherty on Scribd

Read More

06 Jan Leaders from medical, business, tech rally around LabMD appeal of FTC ruling

image1

Reblogged from SC Media written by Teri Robinson

Six amicus briefs filed by business, tech and medical interests in a federal court Tuesday and on Dec. 28 support LabMD’s argument that the Federal Trade Commission (FTC) operated outside its authority when it found the now defunct cancer testing firm to in violation of Section 5 of the FTC Act following what the commission has characterized as a data breach.

“I am heartened that leaders from business, healthcare and technology are so supportive of LabMD,” company founder, President and CEO Michael J. Daugherty said in comments to SC Media. “They understand how this case will impact their own compliance efforts.”

He added that since “the FTC has tried everything to vilify LabMD, having our own physician clients eager to sign on and file their own brief was the cherry on top.” In addition to a group of doctors, cybersecurity pro Gary Miliefsky, TechFreedom, the International Center for Law and Economics, the National Federation of Independent Business Small Business Legal Center, and the National Technology Security Coalition filed in favor of the company’s efforts to challenge the FTC.

LabMD launched its appeal in December in the Eleventh Circuit court after the same court granted a temporary stay of the FTC’s order against the company. The case against LabMD has stretched from 2013 when the commission pursued enforcement action against the facility for leaving information on patients vulnerable to exposure through a file-sharing program. It has taken a number of twists and turns, some of them ugly and even sparked a congressional committee probe.

FTC Chief Administrative Law Judge Michael Chappell, dismissed the case on November 16, 2015, ruling that the FTC “failed to carry its burden of proving its theory that Respondent’s alleged failure to employ reasonable data security constitutes an unfair trade practice because Complaint Counsel has failed to prove the first prong of the three-part test – that this alleged unreasonable conduct caused or is likely to cause substantial injury to consumers.”

But the commission challenged Chappell’s ruling and found LabMD to be in violation of Section 5 because it did not reasonably secure the data in its custody. The Eleventh Circuit gave the Atlanta-based company an opening for appeal in the fall with the temporary stay and the company filed the appeal in late December.

Arguing that medical data is governed and protected by HIPAA and noting the potential conflicts between that law and Section 5, a group of doctors in one brief said they and others “have a strong interest in ensuring that the FTC cannot abuse its “unfairness” authority to regulate the practice of medicine by imposing new, confusing, and burdensome patient-information data-security obligations inconsistent with federal healthcare law.”

Read More

05 Jan ‘Inconsistent’ Federal Regulations Put Innovative Cancer Lab Out Of Business

mike-jan-4th

Reblogged from The Daily Caller News Foundation

Federal Trade Commission (FTC) officials issued “new, confusing and burdensome” data security requirements that are “inconsistent with established federal healthcare law,” according to the non-profit government watchdog Cause of Action Institute.

The group’s comments came in a statement Wednesday after it filed an Amicus Curiae brief on behalf of 10 doctors in a federal court case. The FTC’s regulatory overreach has harmed medical patients’ welfare and put a cancer-detection laboratory out of business, the doctors claimed in their brief.

Cause of Action said the FTC put LabMD – a cancer detection lab – out of business, even though the company complied with HHS’s requirements. (RELATED: Obama Publishes $7.4 BILLION Worth Of Regulations In One Night)

“In its disregard for the rule of law and due process, the FTC destroyed a small cancer detection laboratory whose primary mission was to serve its physician-clients and save lives,” said Cause of Action Institute Assistant Vice President Patrick Massari in the statement.

Read more: http://dailycaller.com/2017/01/04/inconsistent-federal-regulations-put-innovative-cancer-lab-out-of-business/#ixzz4UqjlnRTz

Read More