For $12.98 (or best offer) you can buy live adult hissing Madagascar cockroaches on eBay. For 15.95 you can buy a bloody pig mask. Forty bucks gets you a funeral wreath. $38 bucks gets you a preserved fetal pig.
Or you can save the money, and just write negative articles about the San Jose online marketplace.
If you do that, eBay’s employees, including its Senior Director of Safety & Security, Director of Global Resiliency, its Senior Manager of Global Intelligence; manager of Global Intelligence Center (GIC); Senior Manager of Special Operations for eBay’s Global Security Team and contractor who worked as an intelligence analyst in the GIC will send these all to you for free! But wait, there’s more. There’s doxing. And stalking. And lying to investigators. And impersonating police. And creating phony police reports. In essence, eBay engaged in a reign of terror against a Natick, Massachusetts couple who had the temerity to write articles critical of eBay.
The United States Attorney for the District of Massachusetts has criminally charged seven people, six of whom were eBay employees and managers, with engaging in a three part campaign of harassment against the Natick couple.
Phase one was for the eBay employees to send the above mentioned items to the Natick couple, or to their neighbors. In addition to the roaches and pig, they sent a book on surviving the loss of a spouse, and they sent pornography – addressed to the Natick couple, but sent to the neighbors’ house.
In phase two the eBay employees sent private Twitter messages and public tweets criticizing the newsletter’s content and threatened to visit the victims in Natick, with the messages becoming increasingly threatening and disturbing, and with plans to publish the couple’s home address in an effort to enlist online supporters to harass and intimidate the couple.
In phase three, the eBay employees and contractor travelled to Boston under the guise of a software development conference and drove to the victims’ home in Natick several times intending to break into the couple’s home and install a GPS tracking device on their car. They were also going to falsely tell the police that the couple had threatened eBay executives, and that the couple were “persons of interest” in a criminal investigation. When the couple thwarted these efforts by reporting the eBay employees to the Natick police (who tracked the rental car to the eBay employees), they told the cops that they were there to prevent the harassment, and tried to divert attention to some other fabricated “person of interest.” They also lied to eBay’s lawyers. They deleted digital information showing their involvement and otherwise obstructed the Natick police investigation.
What stands out in this case is both who was criminally charged, and equally important, who was not. This was not some low-level prank by some systems engineer. These were high level eBay employees whose jobs it was to protect the company and to protect the company’s reputation. These were allegedly security professionals, including former law enforcement officers. These were senior directors, senior managers, and other security professionals. This was a well-organized, tightly controlled effort to reign terror on the couple, and to induce them to stop writing articles critical of the company. While eBay’s counsel may have been lied to about the case after the fact, someone took it upon themselves to engage in this activity. And someone decided, if not that this course of action was “proper,” at least that it would be tolerated.
Which brings me to my next point. Information security professionals often work with other security professionals within a company — whether these are security directors, physical security professionals, risk loss people, or even counsel. Everyone in the chain of command needs to have clearly defined rules of engagement about what kinds of activities are legal, illegal, proper, improper, ethical, moral, and the like. Certain activities, like “pretexting” — pretending to be someone other than who you are – while common, actually present moral, ethical and legal concerns. “Undercover” operations, penetration testing and probing of threat actors, intelligence gathering and dissemination, “hacking back” and other activities all present legal, reputational and moral risks. Even activities like anonymously or pseudonymously replying on social media presents legal, ethical and reputational risks. Not only should every one of these practices (not to mention sending pig fetuses) be approved by counsel, but strict guidelines and rules of engagement should be promulgated and a culture of, if not compliance, at least inquiring, needs to be established and rewarded. Otherwise, you end up with live cockroaches in mailboxes.
Which raises the next question. Why was eBay, as a corporation not charged with a crime?
There is little question that the corporation COULD be criminally charged. The test is whether the corporation’s agents (the employees and contractors) were acting (1) within the scope of their employment; and (2) generally for the benefit of the company when they committed the criminal offense. Just as a company is civilly liable when its truck driver strikes a pedestrian on a delivery, the company is criminally liable for the crimes the employees commit in the name of the company. It should be noted that eBay’s criminal liability does not arise because it failed to supervise or give direction to the security employees, but rather because the employees themselves were committing crimes with the intent to benefit eBay. The prosecutor would not have to show that eBay was negligent, or that senior officials knew or should have known about the pig mask people – just that it happened.
For some reason, the U.S. Department of Justice has decided not to charge eBay with a crime, but only to charge the (now former) employees. Perhaps eBay’s counsel convinced the prosecutor that the employees were not acting within the scope of their employment. Perhaps it was a policy decision based on the fact that eBay might fight back. It represents a trend under the Barr Justice Department not to prosecute perceived white collar crimes, and not to prosecute companies for criminal activities. Companies as corporate entities are simply not being prosecuted. Therefore they have little incentive to reign in the activities of their employees. If the employee’s actions are successful (the doxing works and the annoying articles stop) the company benefits. If the actions are not successful, the company just cuts the offending employees off, fires them, and the corporate Secretary disavows any knowledge of their actions. The actions of the security professionals (and that term is used loosely) are reprehensible. I’m not sure that the actions of their employer are much better.
Mark Rasch is an attorney and author of computer security, Internet law, and electronic privacy-related articles. He created the Computer Crime Unit at the United States Department of Justice, where he led efforts aimed at investigating and prosecuting cyber, high-technology, and white-collar crime.