Last summer, members of eBay’s private security team sent live roaches and a bloody pig mask to the home of a suburban Boston couple who published a niche e-commerce newsletter.
The harassment campaign — which also included physical surveillance, sending pornographic videos to the couple’s neighbors, posting ads inviting sexual partners to the couple’s home and an attempt to attach a tracking device to their car — was detailed earlier this month in a federal indictment against six former eBay employees.
The lurid 51-page indictment describing how the employees of a multibillion-dollar company were loosed in what authorities described as an unhinged and illegal effort to intimidate critics drew national attention to the stunning lengths to which some tech companies will go when responding to their critics.
Silicon Valley companies have stacked what they often call their “trust and safety” teams with former police officers and national intelligence analysts. More often than not, their work is well within the law: protecting executives and intellectual property, fending off blackmail attempts and spotting theft. They conduct background checks on companies that could be acquisition targets, and they ensure employees aren’t doing anything illegal.
But the industry’s intense focus on reputation can lead its security units astray. Those perils were laid bare when federal authorities revealed the charges against the eBay employees.
“Most companies, especially established high-tech companies, have units within them that do this kind of work, respond in as close to real time as they can to online criticism of the company, to take steps to protect the brand,” Andrew Lelling, U.S. attorney for the District of Massachusetts, said. But, he added, “I can tell you that at least internally, we have never seen a company that did something like this before.”
Prosecutors charged the six eBay employees with conspiracy to commit cyberstalking and witness tampering but noted that eBay’s campaign against the husband-and-wife publishing duo was ordered up by senior executives.
“I want her DONE,” Steven Wymer, eBay’s former communications chief, told James Baugh, the company’s former senior director of safety and security. “She is a biased troll who needs to get BURNED DOWN.”
In case there was any confusion, Wymer added, “I want to see ashes.”
Contacted this past week, Wymer, who was not one of the employees charged in the indictment, said, “I would never condone or participate in any such activity.” He added that he was constrained in what he could say beyond that. EBay said in a statement that “neither the company nor any current eBay employee was indicted.”
Private security teams have long been part of corporate America, among them insurers’ fraud investigators and the “seed police,” as farmers call investigators for the agricultural giant Monsanto who secretly videotape farmers, infiltrate community meetings and recruit informants in their hunt for patent infringement.
These private detective teams, which typically operate under fraud divisions, are projected to grow into a $23.3 billion global industry this year from a $17.3 billion industry in 2018, according to Grand View Research.
Few industries have embraced the notion of private security as much as tech. One Silicon Valley investigator, who spoke on the condition of anonymity because of nondisclosure agreements, said a startup executive had paid his firm $50,000 over one weekend to root out employees he believed were plotting his ouster. (They were.) The total tab for the work was as much as half a million dollars.
But as with the eBay team, these private security groups are sometimes accused of crossing legal lines.
In 2006, for example, investigators hired by Hewlett-Packard were caught rifling through reporters’ trash cans and phone records. About a year ago, Tesla made headlines for its aggressive efforts to root out and punish an employee, Martin Tripp, who had tipped reporters off to waste at the carmaker’s Nevada factory.
According to police reports and whistleblower complaints filed by two Tesla security operators with the Securities and Exchange Commission, Tesla was accused of hacking into Tripp’s phone, having him followed by private investigators and passing along an anonymous, false tip to local authorities that Tripp planned to shoot up Tesla’s factory.
“Tesla’s investigators were tailing him, showing up at weird places, and completely spooked him,” Robert Mitchell, Tripp’s lawyer, said in an interview. Tripp has since moved to Hungary out of fears for his family’s safety.
Tesla did not respond to requests for comment, but the company has sued Tripp for $167 million for what it has said was data theft. Tripp has filed a countersuit for defamation and unspecified damages. Both suits are ongoing.
When working for tech companies, private investigators have advantages over traditional law enforcement: They have access to more data, deal with far less red tape, and have the ability to quickly cross jurisdictions and borders.
Justin Zeefe, a former intelligence officer who is now president of Nisos, a security firm in Virginia, said his company has worked for tech companies on a wide range of cases. On one occasion, they learned that a company’s overseas suppliers had ties to foreign intelligence agencies.
Another client asked his firm to determine whether an acquisition target had been infiltrated by foreign hackers. Yet another hired Nisos to determine the source of multiple cyberattacks. It turned out to be the work of a competitor that had intercepted the company’s Wi-Fi from an apartment rented across the street.
Joe Sullivan, chief information security officer at the internet company Cloudflare, still remembers the frantic call he received from a colleague while working as a security executive at Facebook several years ago.
She had met a man on Match.com who claimed to work in construction in San Jose, California, and he had convinced her to send him a topless photo. He was threatening to email the photo to the entire company if she did not pay him $10,000.
With her permission, Sullivan’s team took over her account and redirected her extortionist to a payment scheme that they knew would reveal his identity. They determined he was a former Google intern living in Nigeria.
Sullivan’s team hired Nigerian contractors to confront him. He confessed and surrendered access to his computer and online accounts, which showed he was extorting female executives across Silicon Valley. Investigators were able to destroy the nude photos and warned his victims not to pay.
It could have taken years, Sullivan said, for law enforcement to identify the extortionist and even longer for Nigerian authorities to do something about it.
Sullivan learned that lesson as a security executive at eBay in 2006. Romanian fraudsters were running rampant on eBay, and Romanian authorities refused to address the problem. It was only after Sullivan’s team shut off eBay access to all of Romania — with a message blaming eBay’s shuttering on Romanian law enforcement’s refusal to pursue online criminals — that Romanian police took action.
But Sullivan’s experience shows how easily tech’s aggressive security tactics can run into trouble. In 2016, two hackers approached Uber with security flaws that allowed them to obtain login credentials for more than 57 million riders and drivers, and the pair demanded a $100,000 payout in return.
Sullivan, who had recently joined Uber from Facebook, ran the same playbook he used in the Nigerian extortion case, pushing the hackers into a payment scheme to deduce their identities. Uber’s security team eventually confronted the men at their homes with nondisclosure agreements and asked them to destroy the data.
The plan, which was approved by Uber’s chief executive at the time, Travis Kalanick, was initially celebrated. But after Uber hired a new chief executive, Sullivan was fired and accused of covering up a data breach.
Uber later settled an investigation of the breach and the company’s behavior surrounding the incident for $148 million. The two hackers pleaded guilty last October to charges of computer hacking and extortion.