Government-funded P2P surveillance fallout: Tell-all book, lawsuit, FTC complaint

Unsecured medical billing files obtained by government-funded P2P surveillance leads to an upcoming ‘true political thriller novel’ about ‘abusive government shakedowns,’ alleged cyberextortion and psychological warfare, a lawsuit and FTC complaint.

Lawsuits are about a penny a dozen, but this one snagged my attention. In fact, the more I looked into it, the more intriguing it seemed because it deals with peer-to-peer network security breaches, data security standards, the privacy of medical records, identity theft, government-funded surveillance by a cyber-intelligence company, alleged cyberextortion, and an upcoming "true political thriller" novel whose author is being sued "for falsely claiming 'abusive government shakedowns through government-funded data mining and surveillance'." Toss in alleged Homeland Security funding and a newly filed FTC complaint for failing to protect consumers' privacy and I was hooked. Hopefully this won't be tl;dr.

LabMD, unsecured medical billing file, and 'true' political thriller novel

Let's start with Michael J. Daugherty, CEO of LabMD in Atlanta, Georgia, and author of the upcoming "true political thriller" titled The Devil Inside the Beltway. The trailer for the book is embedded below, but kicks off with the phrases "government funded data mining and surveillance, psychological warfare, and abusive government shakedown." The book allegedly "details an extraordinary government surveillance story that compromised national security and invaded the privacy of tens of millions of online users worldwide."

The Devil Inside the Beltway is a compelling true story that begins when an aggressive security surveillance company, with retired General Wesley Clark on its advisory board, magically acquires the private health information of thousands of LabMD's patients. This company, Tiversa, campaigns for a "fee" from LabMD to "remedy" the problem. When Michael J. Daugherty refuses to pay, Tiversa follows up by handing the file over to the FTC. Daugherty reveals that the company was already working with Dartmouth, having received a significant portion of a $24,000,000 grant from Homeland Security, to surveil for files. The reason for the investigation was this: Peer to peer software companies have back doors built into their technology that allows for illicit and unapproved file sharing. When individual work stations are accessed, as in the case of LabMD, proprietary information can be taken. Tiversa, as part of their assignment, acquired over 14 million files, financial, medical and military data during their search.

During an Accuracy in Media (AIM) video interview, when asked if Daugherty sees a parallel with his case to all the controversy surrounding Edward Snowden, he replied, "I see an inverse parallel" because he is "broadcasting their behavior, not broadcasting any of their property—they took mine. It's not about national security, these are medical files." He asked, "What right does the government have to surveil on our property and our information?"

P2P surveillance by cyber-intelligence company & Tiversa's lawsuit

Now that you've glimpsed the book marketing hype and Daugherty's side, let's look at Tiversa. The company overview states, "Tiversa provides P2P Intelligence services to corporations, government agencies and individuals based on patented technologies that can monitor over 550 million users issuing 1.8 billion searches a day. Requiring no software or hardware, Tiversa can locate exposed files, provide copies, determine file sources and assist in remediation and risk mitigation."

For a bit of background into the company, in 2011 Tiversa claimed, "WikiLeaks may be exploiting a feature in peer-to-peer file-sharing applications to search for classified data." The company "is hired by governments and corporations to use the same loophole to find exposed documents and figure out who might be accessing them."

Tiversa is seeking, among other things, a permanent injunction to stop the publication of The Devil Inside the Beltway, according to Courthouse News. Tiversa co-founder and CEO Robert Boback's lawsuit alleges that Daugherty's book defames Tiversa and points at claims in the book's video trailer. "Daugherty's marketing to promote his book includes the statement: "[w]hat began with the unauthorized but government-funded procurement of medical data for 9000+ patients from his medical laboratory turned into a government supported, financially draining, extortion attempt."

There seems to be no dispute that Tiversa found a huge patients' medical billing file over P2P, but the company said it told LabMD about finding the file and offered "remediation services to LabMD to assist it in securing the file and ensuring that no other breaches of confidentiality took place. LabMD requested, and Tiversa provided, a contract regarding the cost of remediation. LabMD did not retain Tiversa's services, and communications between the parties stopped."

Furthermore, the complaint alleges that when the FTC "'learned of the extent and magnitude of security breaches that could occur via P2P,' it sent investigators to Tiversa to look for all such files that contained more than 100 Social Security numbers, Boback says. He says Tiversa provided the federal government those files, '(u)nder threat of federal subpoena,' and that Tiversa never received any payment, in any form, for this."

Tiversa wants the publication of the book, due to launch on Sept 17, to be stopped; plus, according to Courthouse News, "attorneys' fees, disgorgement of profits and punitive damages for defamation, slander, trade libel, abuse of government authority, commercial disparagement, tortious interference with contractual relations, and intentional infliction of emotional distress."

FTC files complaint against LabMD for failing to protect consumers's privacy

Now toss in the FTC filing a complaint against LabMD on August 29 "for failing to protect consumers' privacy based on two separate incidents that allegedly exposed the personal information of about 10,000 people." The FTC says it has a copy of a 1,718-page LabMD billing spreadsheet that contains "billing information for over 9,000 consumers that was found on a found on a peer-to-peer (P2P) file-sharing network."  

Then in 2012, the FTC adds that the Sacramento police found "LabMD documents containing sensitive personal information of at least 500 consumers were found in the hands of identity thieves."  The "documents contained personal information, including names, Social Security numbers, and in some instances, bank account information, of at least 500 consumers." Some of those "Social Security numbers are being or have been used by more than one person with different names."

The FTC complaint "includes a proposed order against LabMD that would prevent future violations of law by requiring the company to implement a comprehensive information security program, and have that program evaluated every two years by an independent, certified security professional for the next 20 years. The order would also require the company to provide notice to consumers whose information LabMD has reason to believe was or could have been accessible to unauthorized persons and to consumers' health insurance companies."

No clue who is right and who is wrong, as the entire situation seems to dwell in shades of gray. It is not right to have unprotected medical records that endanger the privacy and security of consumers, and equally foolish to allow P2P access to everything on a computer, but is it right for a government-funded company to troll millions of PCs via P2P and siphon that unprotected data?

"Inside the Beltway is an American idiom used to characterize matters that are, or seem to be, important primarily to officials of the U.S. federal government, to its contractors and lobbyists, and to the corporate media who cover them-as opposed to the interests and priorities of the general U.S. population." Is this a whistleblower against the Beltway? Or is it a case of two wrongs and no rights?

As Mark Twain once said, "Truth is stranger than fiction," but at least in fiction you can strike out at your "enemies" by basterdizing them. If you do it right, then no one sues you.

Like this? Here's more posts:

Follow me on Twitter @PrivacyFanatic

Copyright © 2013 IDG Communications, Inc.

Make your voice heard. Share your experience in CSO's Security Priorities Study.