An emerging issue in cyber law is the role of data security firms and the methods they use to demonstrate value in trying to land clients.
- What do we think about firms that try to win clients by hacking the potential client, telling the potential client about it and attempting to sell data security services or information?
- Are these tactics bona fide sales efforts that serve the public good by effectively incentivizing apathetic businesses to invest in data security for the benefit of their customers?
- Or do these tactics cross the line of business ethics, and require legal boundaries and oversight?
In the very near future, we will get some very important insight into the matter, courtesy of a public-private partnership between one of these firms, Tiversa, and the Federal Trade Commission, the U.S. competition and consumer protection enforcement agency that has been aggressively carving out its niche in data security enforcement.
For some time, Tiversa informed the FTC about those prospective clients whose data it had obtained but who refused to purchase the data security services that Tiversa marketed as necessary to cure the vulnerabilities. The FTC then sent warning letters to several dozen of those companies and launched a number of investigations. This partnership allowed Tiversa to demonstrate value based not on the acumen of its data security practices but on mitigating the threat of potentially crippling government enforcement. The partnership has allowed the FTC to generate a library of consent orders, thereby establishing itself as a data security enforcer without substantially investing in internal technical expertise.
Most of the targeted companies settled with the FTC, but one of them fought back, perhaps at the expense of its own existence. The fighter, now-defunct medical testing laboratory LabMD, won decisively within the FTC’s own unique and controversial administrative justice system, in which the agency plays the roles of prosecutor, judge and jury and has the ability (and tendency) to keep defendants in prolonged litigation before they have any right of appeal to the judicial branch.
As a result, the FTC’s relationship with Tiversa has come under the scrutiny of a Congressional oversight committee and prompted a Federal Bureau of Investigation raid on Tiversa’s headquarters.
The FTC Commissioners are now in the final seconds, and perhaps overtime, of their allotted time to rule on the FTC staff’s appeal of the FTC Administrative Law Judge’s dismissal of the LabMD case. Based on history, the Commissioners would be a virtual lock to side with the FTC staff. But it is difficult to envision how they do so here without effectively endorsing the very acts and practices that the agency may later be called on, or itself seek, to pronounce “unfair” or “deceptive.”
What is bug poaching?
“Bug poaching” is a term recently used by an IBM Security blogger to describe the following process undertaken by a cyber-attacker:
- find and exploit vulnerabilities on a target company’s website;
- locate and store any sensitive data or personally identifiable information (PII);
- place the data on a cloud storage service;
- send the target company an email that links to the data as proof of network penetration; and
- ask for a payment via wire transfer in exchange for disclosure of how the data was stolen.
Importantly, the attacker does not explicitly threaten to release the data or attack the organization again. In fact, “bug poachers” may go so far as to assure the target that the data is safe and was extracted only as proof of the vulnerability.
Is bug poaching criminal conduct?
The IBM Security blogger certainly thinks so, labeling it a “malicious tactic” and “pure extortion on the black hat scale.” By contrast, the bug poachers claim to be good guys, providing a service to businesses by helping them identify security issues of which they might not otherwise be aware.
As it turns out, the conduct does not clearly rise to the level of “extortion,” provided that there is no threat of economic harm. Under DC Code § 22-3251, for example, the crime of extortion involves acquiring the property of another person with that other person’s consent either “by wrongful use of actual or threatened force or violence[;] . . . by wrongful threat of economic injury; or under color or pretense of official right.”
Nor does this conduct clearly violate the Computer Fraud and Abuse Act, at least under the provisions that require one of the following:
- the attacked organization is the United States government;
- the accessed information is a financial record;
- the attacker intends to commit fraud; or
- the attacker causes or threatens to cause damage.
One caveat: the Act also reaches intentionally accessing a protected computer without authorization and thereby obtaining information (18 U.S.C. § 1030(a)(2)(C)), so the question is less clear-cut than this list alone suggests.
The FTC’s upcoming decision in LabMD.
As mentioned above, the three-Commissioner panel of the FTC is currently deciding whether to stand behind the FTC v. LabMD case that the FTC staff initiated, effectively in partnership with “bug poacher” or “cyber-security firm” (depending on who you ask) Tiversa. FTC staff lost the case before the FTC ALJ because the judge found that Tiversa’s involvement raised significant credibility issues for the staff’s arguments.
The LabMD case started in 2012 when Tiversa “located” a LabMD spreadsheet—containing “sensitive personal information for more than 9,000 consumers, including names, Social Security numbers, dates of birth, health insurance provider information, and standardized medical treatment codes”—through a peer-to-peer (“P2P”) file sharing network. Tiversa reported finding the records to LabMD and sought to be hired by LabMD to perform data security work. LabMD investigated the data breach internally and discovered that the document had become accessible when an employee installed the P2P program LimeWire on a company computer. LabMD simply removed the LimeWire application and decided against hiring Tiversa. In turn, Tiversa reported LabMD’s data security incident to the FTC, which proceeded to investigate LabMD’s data security practices and then filed its enforcement action.
LabMD, a medical testing laboratory sued by the government for failing to protect its customers’ sensitive health records, has since gone out of business. But the company’s former CEO continues the fight in the FTC administrative courts, in separate judicial proceedings, before Congress and in the court of public opinion. The United States House of Representatives Committee on Oversight and Government Reform investigated and published a 99-page report about Tiversa and its relationship with the FTC. Among other things, the committee found that:
- Tiversa “often acted unethically and sometimes unlawfully in its use of documents unintentionally exposed on peer-to-peer networks”;
- Tiversa submitted 88 companies to the FTC. The FTC sent warning letters to 63 of those companies, and opened investigations into 9 of them; and
- Tiversa appeared to have provided intentionally false information to numerous federal departments and agencies.
The FTC staff lost its case against LabMD before the FTC’s ALJ in November 2015. In reaching his decision to dismiss the case, the judge cited and echoed the sentiments of the late Commissioner J. Thomas Rosch, who in a 2012 statement about the investigation expressed concern that “Tiversa is more than an ordinary witness, informant, or ‘whistle-blower.’” Rosch described Tiversa as “a commercial entity that has a financial interest in intentionally exposing and capturing sensitive files on computer networks, and a business model of offering its services to help organizations protect against similar infiltrations.” Effectively, the business model described by Rosch in 2012 is the same model that is now referred to as “bug poaching.”
The FTC Commissioners heard oral arguments on the FTC staff’s appeal of the FTC ALJ’s decision on March 8, 2016. Under 16 CFR § 3.52(b)(2), the Commissioners appear to be required to issue their decision within 100 days of the oral arguments, a window which, by our calculation, expired today, June 16, 2016. As far as we know, that has not happened.
The FBI raided Tiversa’s headquarters in early March 2016 to investigate whether Tiversa in fact provided the FTC “falsified information about data breaches at companies that declined to purchase its data protection services.” Whether that investigation has caused, or excused, the FTC’s delay in issuing its final decision remains unclear.