2011-01-20 Bloomberg discloses FBI Contractor admits to Spying on Swedish [UPDATE]

In a report on Wikileaks, Bloomberg disclosed on January 20 that U.S. authorities may now be using contractors to spy on Swedish servers looking for creative ways to prosecute Wikileaks and Julian Assange.

Bloomberg reports that Robert Boback, Chief Executive Officer of Tiversa, Inc., a spying and surveillance firm that contracts with the FBI, declined to say who his company's client was when his firm surveilled four unidentified Swedish servers.

According to Boback, during a 60 minute period on February 7, 2009:

"Tiversa’s monitors detected four Swedish computers engaged in searching and downloading information on peer-to-peer networks. The four computers issued 413 searches, crafted to find Microsoft Excel spreadsheets and other information-rich documents among some of the 18 million users the company estimates are on such file-sharing networks at any given moment."

Tiversa also claims that:

"Those searches led to a computer in Hawaii that held a survey of the Pentagon’s Pacific Missile Range Facility

The company also claims that it "captured the download of the PDF file by one of the Swedish computers."

Tiversa's Sam Hopkins, identified by ZDNet as the company's CEO in 2009, says that events like these are "hardly unusual", when discussing how details about Marine One, the president’s helicopter, were found on a computer in Tehran in March of 2009. Hopkins remarks:

Everybody uses (P2P). Everybody. We see classified information leaking all the time. When the Iraq war got started, we knew what U.S. troops were doing because G.I.’s who wanted to listen to music would install software on secure computers and it got compromised. -- We see information flying out there to Iran, China, Syria, Qatar–you name it. There’s so much out there that sometimes we can’t keep up with it.

The reporter for Bloomberg, Michael Riley, did not indicate whether he had asked Mr. Boback or U.S. government authorities if there had been any use of P2P disruption and entrapment strategies by either party, in like manner to the Entertainment Industry's attempts to stop illegal downloads of copyrighted music.

Dubious Evidence

Riley's article betrays a credulity that could only come from a lack of acquaintance with the technologies involved. He goes on to report that Tiversa concluded that the searches came from Wikileaks because Wikileaks has servers in Sweden. Boback states:

“It would be highly unlikely that someone else from Sweden is issuing those same types of searches resulting in that same type of information.”

Beyond the location of the servers, however, little more is offered to support Tiversa's claims about the identity of the Swedish computers. Apparently, Tiversa also claims that the same document that the company asserts was downloaded by a Swedish server, "was renamed and posted on the WikiLeaks website two months later, on April 29, 2009." Riley confirms this, "according to a mirror image of the site."

He does not, however, link to the identified document or the site. Instead the article links to a list of Wikileaks mirrors located at http://bluetouff.com/2010/12/03/acceder-a-wikileaks/.

Boback also claims his company estimates that "as much as half of the postings by the group [Wikileaks] could originate from information siphoned from peer-to-peer users." But no further methodology or analysis is offered to substantiate this allegation.

Undermining Wikileaks as a Media Organization

Tiversa claims that the company has turned over its evidence to the U.S. government in order to "aid what Boback called the early stages of an investigation into the matter." Congressional committees, "are pursuing a separate inquiry to undermine WikiLeaks’ claim that it’s a legitimate media organization with protections under the First Amendment," according to Boback.

Again, a naivety about the technology involved is in evidence. Riley reports that the tracking methodology employed by Tiversa was "using so-called Internet protocol addresses that every computer, server or similar equipment has." The use of the adjective "so-called" to qualify "Internet protocol [sic] address" is not elucidated by Riley.

It is relatively common knowledge that 'IP address' is a term widely used to identify the numerical label assigned to devices - for example, a computer - that participate in a computer network using the Internet Protocol as a means of communication. (Source: Wikipedia.org)

Tangled Web

Bloomberg reports Tiversa has "done investigative searches on behalf of U.S. agencies including the FBI," and that "Howard Schmidt, a former Tiversa adviser, is cybersecurity coordinator and special assistant to U.S. President Barack Obama." However, the U.S. Department of Justice spokesman, Dean Boyde, declined to comment as to whether the agency was officially investigating the downloads Tiversa asserts were done by Wikileaks. Furthermore, as we learn, Tiversa also declined to say who its client was when the company observed the Swedish downloads, leaving some questions as to Tiversa's interests in the matter.

Mark Stephens, Wikileaks' London attorney, wrote in an email to Bloomberg that Tiversa’s claim is "completely false in every regard."

(Source: Bloomberg | "WikiLeaks May Have Exploited Music, Photo Networks to Get Classified Data")

[UPDATED February 4, 2011]

See also 2011-02-04 UPDATE on Bloomberg reports about FBI contractor and Wikileaks

Yesterday, Bloomberg reporter Michael Riley 're-drafts' his flawed article as a magazine story in Bloomberg Business Week.

On the day the original Bloomberg article appeared, Andy Greenberg of Forbes reported that he interviewed Robert Boback of Tiversa about the original Bloomberg article's claims:

Boback sounded distinctly less sure of his firm’s deductions than he did in the Bloomberg piece. 'What we saw were people who were searching [computers connected to filesharing networks] for .xls, .doc, .pdf, and searching for those generic terms over and over again,' says Boback. 'They had multiple Swedish IPs. Can I say that those are WikiLeaks? I can’t. But we can track the downloads of people doing that, and a short time after those files were downloaded, they’re listed on WikiLeaks.' (Source: Forbes)

Greenberg also writes that:

Boback...says that he saw downloads of documents that later were posted to WikiLeaks from other countries too, both 'in the U.S. and across Europe.' 'Many of the searches are in Sweden, many are outside,' adds Boback. 'It’s hard for us to say that any IP address was WikiLeaks.' (Source: Forbes)

Even Paul Ohm, the "expert in cyber crime at the University of Colorado in Boulder," whom Riley quotes in the original Bloomberg piece, posts his own response to the quality of Riley's reportage.

On his blog, Freedom to Tinker, Ohm writes:

I have no idea whether these accusations are true, but I am interested to learn from the story that if they are true they might provide 'an alternate path for prosecuting WikiLeaks,' most importantly because the reporter [Michael Riley] attributes this claim to me. Although I wasn't misquoted in the article, I think what I said to the reporter is a few shades away from what he reported, so I wanted to clarify what I think about this. The question presented by the reporter to me (though not in these words) was: is it a violation of the CFAA to systematically crawl a p2p network like Limewire searching for and downloading files that might be mistakenly shared, like spreadsheets or word processing documents full of secrets?

I don't think so. With everything I know about the text of this statute, the legislative history surrounding its enactment, and the cases that have interpreted it, this kind of searching and downloading won't "exceed the authorized access" of the p2p network. This simply isn't a crime under the CFAA.

But although I don't think this is a viable theory, I can't unequivocally dismiss it for a few reasons, all of which I tried to convey in the interview. First, some courts have interpreted 'exceeds authorized access' broadly, especially in civil lawsuits arising under the CFAA. For example, back in 2001, one court declared it a CFAA violation to utilize a spider capable of collecting prices from a travel website by a competitor, if the defendant built the spider by taking advantage of 'proprietary information' from a former employee of the plaintiff.

Second, it seems self-evident that these confidential files are being shared on accident. The users 'leaking' these files are either misunderstanding or misconfiguring their p2p clients in ways that would horrify them, if only they knew the truth. While this doesn't translate directly into 'exceeds authorized access,' it might weigh heavily in court, especially if the government can show that a reasonable searcher/downloader would immediately and unambiguously understand that the files were shared on accident.

Third, let's be realistic: there may be judges who are so troubled by what they see as the harm caused by Wikileaks that they might be willing to read the open-textured and mostly undefined terms of the CFAA broadly if it might help throw a hurdle in Wikileaks' way. I'm not saying that judges will bend the law to the facts, but I think that with a law as vague as the CFAA, multiple interpretations are defensible.

But I restate my conclusion: I think a prosecution under the CFAA against someone for searching a p2p network should fail. The text and caselaw of the CFAA don't support such a prosecution. Maybe it's 'not a slam dunk either way,' as I am quoted saying in the story, but for the lawyers defending against such a theory, it's at worst an easy layup. (Source: Freedom To Tinker)

In the newer Bloomberg version, Riley does not add anything of substance to his original draft. He merely adds a stylistic flourish more suitable to magazine reportage. He recounts, for example, how a Tiversa analyst, "taps a few keys, and up pops the cell phone number of actress Lucy Liu along with the pseudonym she uses to check into hotels—attached to a production company document clearly labeled 'not to be made public.'"

The article then jumps into a spin cycle of logic saying, "Assange has told interviewers that his group has damaging information on pharmaceutical, energy, and financial companies, Boback confirms that confidential corporate documents are readily accessible [on file-sharing platforms]." Indeed, Tiversa told Riley that it hacks into other people's computers, and then demonstrates this fact. WL Central confirms that Riley is a 'sloppy' reporter.

Traditional media industries operate in what economists refer to as a 'dual product market'. They produce two commodities: content and audiences. Audiences are attracted to content, and those audiences are then sold to advertisers.

Media firms, like Bloomberg, fall under the traditional research and development business model - with its characteristic high production and low replication costs. Since creativity and intellectual property are both expensive and time consuming - what economists refer to as Baumol's effect - media firms, like Bloomberg L.P., have an economic imperative to control the entire supply chain and their downstream access to audiences.

What that means is that while most industries today are under pressure to flatten their business models, media firms, like Bloomberg L.P., are compelled to grow both horizontally and vertically. A natural by-product of this growth is that they have the ability to exploit their vertical and horizontal economies of scale by repurposing flawed and provocative content across multiple platforms.

The power of the press lies not merely in its capacity to express ideas. Media firms, like Bloomberg L.P., have the capacity to actually set the agenda for 'what' and 'how' the public in the United States discuss anything at all - simply by virtue of the fact that these firms can replicate, and thereby amplify, their messages across a multitude of communication platforms, which they control.

The print media landscape in the United States, for example, is dominated by 14 corporations, which own a myriad of vertically and horizontally integrated communication organs for print, TV, and film. (Source: freepress.net) Considering this reality, it would appear that Bloomberg L.P., 85% of which is owned by one man, is an example of the alternative press in the United States.

Riley ends his second draft of the Bloomberg article with a thesis set in stark relief:

The bottom line: WikiLeaks, which says it's a passive drop box for whistle-blowers, is accused of searching hard drives for classified documents.

In a like manner, we have our own thesis, set in equally sharp relief:

The bottom line: Bloomberg, which states on its ethics page that it adheres to:

  • 1. Accuracy.

    For the reader to believe our interpretations, we must start with accurate information, honestly and professionally gathered. Moreover, our interpretation must flow from the facts and be reasonable.

    Inaccurate or sloppy reporting of material that appears anywhere under the BusinessWeek name violates the spirit of this Code. The responsibility for accuracy lies with everyone who touches the editorial product. (Source: Bloomberg Business Week | Ethics)

is accused of violating its own journalistic standards.

Another take...


...from Andy Greenberg's blog, The Firewall:

No Smoking Gun In Hints That WikiLeaks Actively Stole Data

A point of interest...

Wired (unsurprisingly) has covered this story also. A reader comment states that:

"Wikileaks primary server was based in France in 2009, then Switzerland, and only in Sweden in late 2010."

Does anyone have a Wikileaks article link handy to corroborate this? From my recollections of the endless news cycle, WL did not set up its primary servers in Sweden until 2010, so the above comment sounds correct. If this is indeed accurate, then it highlights another gaping hole in Bloomberg's story, which is already journalistic Swiss cheese.
