Category: Corporate governance

Shhh… Lessons Learnt From Investigating the Due Diligence of FTX

You may have read varied analyses and opinions on the recent FTX debacle including the due diligence failures and impacts highlighted in the Intelligence Online snippet captured in the picture below.

The flip side of the coin is the wake-up call that pre-transaction due diligence must be more exhaustive and deep-dive, leaving no stone unturned, and no longer a stroll-in-the-park, check-the-boxes exercise.

Whether confidence has taken a nosedive or demands (on due diligence) have been boosted depends on who’s talking, but to borrow an old adage, if I may: it takes two to tango. And in this case, the dancers are the investigator/consultant and the client.

The investigator/due diligence specialist brought on board has a professional duty and obligation to give the best advice to the client. And as much as he/she wants the client to go “all out”, the reality is that the client has constraints like budget, time, resources, etc., compliance and regulatory requirements aside. Hence the burden on the investigator is to work closely with the client and find the most cost-effective approach, i.e. “according to budget”.

The client simply wants the best solution for what’s on the table, i.e. the pivotal findings on which to decide whether to proceed with or kill the (pending) transaction. The last thing the client wants is to be on the front page of the newspapers for all the wrong reasons.

Which brings me back to the case of Temasek, the state holding company owned by the Government of Singapore.

I wrote in a previous post how the global investment company with a portfolio of over S$400 billion defended in a statement its “extensive due diligence process on FTX” spanning around 8 months – how it reviewed FTX financials, the regulatory risks, etc, and the “qualitative feedback on the company and management team based on interviews with people familiar with the company, including employees, industry participants, and other investors”.

The statement added:

We recognise that while our due diligence processes may mitigate certain risks, it is not practicable to eliminate all risks.

Reports have since surfaced that customer assets were mishandled and misused in FTX. If these statements are true, then this amounts to serious misconduct or fraud at FTX. All of this is currently being investigated by the regulators.

It is apparent from this investment that perhaps our belief in the actions, judgment and leadership of Sam Bankman-Fried, formed from our interactions with him and views expressed in our discussions with others, would appear to have been misplaced.

The last paragraph above highlights something interesting.

Yes, due diligence comes in many flavors, and the statement suggests Temasek focused heavily on financial, legal and regulatory due diligence, and also gathered “qualitative feedback” on the company and management team.

But that paragraph reads more like a defense that pushes the blame onto FTX founder Sam Bankman-Fried, and it suggests two things: Temasek and their investigators overlooked Key Man Risk and had the Wrong Focus in their due diligence.

It’s fair to say everyone benefits from hindsight, but I elaborated in a previous post on the Key Man Risk involved in a case like FTX.

Yes, it takes two to tango. The investigator and client should have recognized (with experience) from the outset that there was a potential Key Man Risk, based on the background materials and knowledge of the FTX setup. That’s not to say financial (and other) due diligence is irrelevant – you may be familiar with the perils of auditing from a “second or third” set of accounts?

If the due diligence had paid due attention to Key Man Risk, the public records and open source intelligence (OSINT) research and the human intelligence (HUMINT) gathering (what Temasek referred to as “qualitative feedback”) would have smoked out at least some of the staggering FTX failings that have now emerged – missing funds through “back doors”, imprecise accounting of the value of FTX’s crypto assets, unacceptable management practices, using corporate funds to buy homes in the personal names of employees, etc.

Temasek seemingly missed leads and glaring red flags it could have obtained from a due diligence focused on the Key Man Risk with FTX.

Yes, the FTX collapse has delivered a blow to the corporate intelligence world. An extensive and expensive due diligence over eight months is a luxury many investors cannot afford. Corporate investigators may be happily billing clients for a cookie-cutter approach that serves no purpose if the due diligence has the wrong focus. In the Temasek case, the due diligence approach as they have explained it could run well beyond eight months, to a year or two, and they would still not find any red flags with FTX if they had the wrong focus – for example, what’s the point of exhaustive financial due diligence if it is examining cooked accounts?

The FTX collapse is a wake-up call for all parties involved.

Source: Intelligence Online

Shhh… (FTX) High Returns With No Risk?

Source: Business Times, 16 November 2022

“High Returns With No Risk”. That was allegedly a selling point in the late 2018 – early 2019 promotional materials of Alameda Research, the small hedge fund founded by Sam Bankman-Fried, whose cryptocurrency exchange FTX hit global headlines for all the wrong reasons over the past fortnight before filing for bankruptcy last week.

And yet this outright eyebrow-raising, preposterous promise was bought by many professional investors, including major global financial institutions like Singapore’s flagship state holding company Temasek Holdings, which is known to have participated in all three rounds of FTX fundraising and is now reportedly writing off its entire US$275 million investment (see pic above).

While the loss is a pittance and would not cause a noticeable dent in its net portfolio of S$403 billion, many questions are being asked over its leadership and also whether Temasek conducted proper due diligence.

Temasek in its Statement on FTX on 17 Nov defended its “extensive due diligence process on FTX” spanning around 8 months:

During this time, we reviewed FTX’s audited financial statement, which showed it to be profitable. In addition, our due diligence efforts focused on the associated regulatory risk with crypto financial market service providers, particularly licensing and regulatory compliance (i.e. financial regulations, licensing, anti-money laundering (AML)/ Know Your Customer (KYC), sanctions) and cybersecurity. Advice from external legal and cybersecurity specialists in key jurisdictions was sought, with legal and regulatory review done for the investments.

Separately, we also gathered qualitative feedback on the company and management team.

A thorough and proper due diligence? Or yes, but with the wrong focus, or an oversight, considering what was missed but has now emerged: missing funds through “back doors”, imprecise accounting of the value of FTX’s crypto assets, unacceptable management practices, using corporate funds to buy homes in the personal names of employees, etc.

Never in my career have I seen such a complete failure of corporate controls and such a complete absence of trustworthy financial information as occurred here

So wrote the new FTX CEO John Ray III in court documents. Ray is the administrator brought on board with some 40 years of legal and restructuring experience, including the infamous 2001 collapse of Enron.

Shhh… FTX Crypto Crash and the Perils of Key Man Risk

FTX founder Sam Bankman-Fried

Key Man Risk rings out loud as the world grapples this week with the sudden, rapid collapse of FTX, one of the world’s largest cryptocurrency exchanges.

One may argue no amount of in-depth due diligence would have mitigated the risks of investors losing their money in this crypto equivalent of a classic bank run, at least not until after digital currencies news portal CoinDesk raised the red flags, based on leaked financial documents, that the bulk of the assets of Alameda Research were held in FTT, a digital token minted by the former’s sister firm FTX. While FTT and FTX appeared unrelated on paper, Alameda Research is the hedge fund founded by FTX founder Sam Bankman-Fried.

“Today, I filed FTX, FTX US, and Alameda for voluntary Chapter 11 proceedings in the US”, Bankman-Fried tweeted 11 November following his “I *ucked Up” Twitter announcement the day before.

The investors in FTX include institutional investors like major sovereign funds, pension funds, hedge funds, etc. These are major financial institutions that conduct various types of pre-transaction due diligence as part of compliance and regulatory requirements. Oftentimes, especially when things turn dire, the key question is not whether they did but what and how much they covered in the risk mitigation process – a mere cursory check-the-box due diligence exercise, or one that leaves no stone unturned?

To illustrate, I once assisted a major hedge fund in investigating a red chip in which the client was contemplating a position, long or short. Much like FTX, the outperforming company was founded by an individual whose background resembles the many rags-to-riches stories one may doubt but which are well primed for a Hollywood script. The client’s research team unearthed some, but very limited, insights with their focus on analysts’ notes and stock exchange disclosures, i.e. window-dressing materials.

With in-depth investigative due diligence through open source intelligence research plus exhaustive cloak-and-dagger-like intelligence gathering with well-placed sources, our findings highlighted various serious red flags with roots traced to the founder, including behind-the-curtain transactions between what initially seemed like unaffiliated entities – much like the CoinDesk revelations about FTX and FTT.

Key Man Risk, that’s the takeaway for the client. The pivotal findings helped them manage what could otherwise have resembled FTX’s journey from crypto white knight to pariah in a matter of days.

The World of Corporate Sleuths

This article was recently printed in CSuite Magazine published by Asia CEO COMMUNITY and CSuite Xchange.


By Vanson Soo

A corporate investigations specialist and Asia CEO Community member explains how business leaders can benefit from probing into the uncharted through intelligence gathering, investigations and due diligence.

It is not every day that one comes across someone from my industry. “Not unless one is in deep trouble”, many would tend to wrongly conclude. This is a common and fundamentally flawed misconception. Our services go beyond getting clients out of trouble. Smart and savvy business leaders regularly use us for strategic and pivotal decisions, to formulate business plans and negotiations, and to get to the truth and mitigate risks. This is why I was told it would be intriguing to pen this article to introduce my profession to the Asia CEO Community.

A friend who is a seasoned business reporter introduced me to an industry peer several years ago after she learned we were in the same trade. “You guys are so weird” was how she ended the introductory email. Those five words have always left me wondering: if a journalist in the top echelon of global business news gives such a sweeping remark, how can one expect the man in the street to comprehend what intelligence, investigations and due diligence are in the business world?

“Sounds like serious spook stuff” is one common reaction.

Our industry may sound exotic or unusual to some, but it has been around for a long time and is more common than many would think. And it does not always have anything to do with trouble. On the contrary, it is very relevant and prevalent in the business world. Consider the following scenarios.

– The Asia CEO of a listed conglomerate has been in lengthy discussions with the founder of a competitor about a potential acquisition but is left with nagging suspicions he was not dealing with a decision maker. If the founder is controlled by someone behind the scenes, who is his “puppet master”?

– A global investment bank working on a potential public listing has found social media claims that the listco is running a “ghost factory”, a potentially damaging red flag that the real business activities do not match the rosy financial figures submitted to meet the stock exchange listing requirements.

– A hedge fund portfolio manager is contemplating short-selling opportunities on a listed entity after hearing some market rumors, but he needs to verify the grapevine before placing his bets.

There is no trouble in the scenarios above, all business as usual, but there is potential deep trouble if these parties do not do their homework thoroughly and get to the truth. What the Asia CEO, investment bank and hedge fund manager above need is to mitigate counterparty risks, as oftentimes one tends to paint only the bright picture and hide the skeletons in the cupboard.

These situations call for pre-transaction due diligence, i.e. two parties considering a pending transaction, where one would want to verify the facts put on the table in case the counterparty was not forthcoming.

The above are just some examples of real and typical cases in need of pre-transaction due diligence, which comes in different flavors such as financial, legal, environmental, human resources, IT, and intellectual property due diligence. The type of pre-transaction due diligence for the examples above is investigative due diligence, i.e. examining the counterparties involved in the pending transaction and looking for red flags that could translate into material risks before one signs on the dotted line. The counterparties may not always have dirt, but if there is any, it is better to uncover it before committing to the transaction.

Thanks to global headlines of mega corporate failures such as Enron, WorldCom and the like, which subsequently led to increasingly demanding corporate governance and related regulations, pre-transaction due diligence has been growing ever more rapidly since the turn of the century, further spurred on by the more stringent financial crime compliance environment. So corporates and financial institutions are compelled by regulations to conduct due diligence exercises before signing off on a pending transaction like a merger and acquisition, joint venture, public listing, greenfield operations, etc.

The C-suite executives, general counsel and key decision-makers of a corporation, investment, private or commercial bank, private equity fund, hedge fund, and family office, as well as high-net-worth individuals, are the typical parties that demand pre-transaction due diligence services. That is why I was disturbed by that passing remark from my journalist friend.

Now onto the more “sexy stuff”, as one would say.

By that, I am referring to post-transaction cases, as per our industry speak. Typically they are undesirable situations stemming from multiparty business transactions/agreements, leading to allegations that warrant the hire of investigators to provide pivotal smoking-gun evidence for the lawyers to prevail in or out of court. The investigators deploy various means of investigation as appropriate, including public records and open source intelligence research, forensic investigations, intelligence gathering, gumshoe legwork like site visits and surveillance, etc.

In the blink of an eye, many people would associate my profession with the cloak-and-dagger cases involving or characteristic of mystery, intrigue or espionage, i.e. spycraft, that most people know from movies and novels. Indeed, post-transaction investigations are often full of twists and turns, involving a lot of hard work in the field, sans the James Bond or Hollywood-type glamorization.

There are many different types of post-transaction matters. The following are some of the common ones.

– A company received a whistle-blower letter alleging that its factory in Southeast Asia is rife with fraud and embezzlement involving many of its current and former employees, contractors, suppliers, distributors and vendors, some of them with ties to the local government and supervisory authorities, running parallel and competing businesses and siphoning clients and resources away from the company. The company hired investigators to examine these allegations with the aim of finding smoking-gun evidence to help the lawyers press criminal charges against the alleged parties.

– The stock exchange suspended trading of a listed company after market rumors sent its share price into a tailspin, which eventually led the company into liquidation and endless lawsuits from shareholders alleging fraud and various wrongdoings by management. One institutional investor hired a law firm to file suit against the board, but the lawyers found some of the executives may have fled the country, leaving an array of footprints and assets for investigators to trace globally.

– A high-net-worth individual found that some of his business associates may have abused their appointments as directors and business nominees to secretly strip and divert his companies’ interests into the hands of offshore entities through fancy paperwork he was never aware of. The business tycoon hired investigators to assist his in-house counsel in a global forensic trail to trace the documents and map out the complex manipulations and misrepresentations responsible for his dire situation and financial losses.

Now it should be obvious that in both pre- and post-transaction situations, the sky is the limit with risks, and the losses can be bottomless. The resources spent on investigative services are often minor relative to what is at stake.

The corporate slogan of my practice sums up nicely what a business leader requires for every business situation:

More truth less risk
Take a closer look.

——–

Vanson Soo is the founder of Vanuscript Consulting, a Hong Kong-based independent practice in intelligence, investigations and due diligence covering the Asia Pacific region with a special focus on Greater China.

Whistleblowing and Internal Monitoring/Investigations

Many thanks again to the Faculty of Law at the University of Hong Kong for hosting my presentation on “Whistleblowing & Internal Monitoring/Investigations” yesterday. It was a really interactive and responsive class. The scheduled three hours were barely enough to cover what I estimated to be an hour-plus presentation, thanks to all the interesting questions, and my sincere apologies to the class for rushing through the latter parts of the slides.

One question at the end of the session: what is the takeaway on the topic?

With or without a poison-pen letter from a whistleblower, a pre-transaction reputation/investigative due diligence should always be conducted ahead of all other types of due diligence. This is not a biased opinion but one proven by real-life experience from many past cases, whereby serious and damaging red flags on reputation issues/risks could potentially kill a transaction no matter how well the counterparties emerged from the legal, financial and other due diligence – although in some situations clients took advantage of the negative findings to re-negotiate terms for the pending transaction. Information is power!

In a post-transaction external/internal investigation, especially one potentially heading to the courts, with or without a poison-pen letter, it is critical to conduct public records research first, as the findings can be documented evidence legally admissible in court that helps the lawyers and clients win the case. If the public records search turns out futile (a likely scenario in non-transparent and opaque jurisdictions), the findings from intelligence gathering become pivotal.

I shared with the class an example of a typical court case whereby the client wins if we can prove two people A & B collaborated on a fraud scheme. No surprise, they denied even knowing each other. A barrister once told me how he often receives surveillance photos of A & B, say, having coffee together as evidence – and how he can easily lose the case with such weak evidence. The best evidence is to prove the two have a long history together – they attended the same school (public records), they were past business partners (public records), their companies were sued (public records), they commented on each other’s Facebook (could be public records), etc. In the absence of any/sufficient public records evidence, findings from intelligence gathering can potentially turn into public records and important evidence. Consider:

– They not only attended the same school but the same class, the same computer club and even went on a school camping trip to Nepal when they were 10. The latter are findings from intelligence gathering, as they may be difficult to find in public records, but the sources could provide photos as proof.

– They were in the same WhatsApp & WeChat groups? A source from the group could provide a screenshot of group members as proof.

– They were neighbors when they were young? This could be difficult to prove in public records because they didn’t own the properties then, but if there’s a lead that they were neighbors, a search on their parents’ names could lead to documented proof.

Hence the importance of intelligence gathering, and of thinking out of the box.

Shhh… Crafty Hackers Into Insider Trading

The whole purpose of getting inside is to…?

Well, hackers have figured that out: use their hacking skills to grab hold of corporate press releases before they become public and exploit the information for insider trading. Why didn’t anyone think of that earlier?

Find out more about this case from the following New York Times article.

Shhh… The Chinese Version of All the President's Men

(Above) Photo credit: Max Whittaker for The New York Times.

Below is a New York Times article on a China matter widely quoted by the Chinese media.

And here is some additional background coverage on the case:

China Seeks Businessman Said to Have Fled to U.S., Further Straining Ties
By Michael Forsythe and Mark Mazzetti, Aug. 3, 2015

LOOMIS, Calif. — China is demanding that the Obama administration return a wealthy and politically connected businessman who fled to the United States, according to several American officials familiar with the case. Should he seek political asylum, he could become one of the most damaging defectors in the history of the People’s Republic.

The case of the businessman, Ling Wancheng, has strained relations between two nations already at odds over numerous issues before President Xi Jinping’s first state visit to the United States in September, including an extensive cybertheft of American government data and China’s aggressive territorial claims.

Mr. Ling is the youngest brother of Ling Jihua, who for years held a post equivalent to that of the White House chief of staff, overseeing the Communist Party’s inner sanctum as director of its General Office. Ling Jihua is one of the highest-profile casualties of an anticorruption campaign that Mr. Xi has made a centerpiece of his government.

The Obama administration has thus far refused to accede to Beijing’s demands for Ling Wancheng, and his possible defection could be an intelligence coup at China’s expense after it was revealed last month that computer hackers had stolen the personnel files of millions of American government workers and contractors. American officials have said that they are nearly certain the Chinese government carried out the data theft.

Mr. Ling’s wealth and his family’s status have allowed him to move freely in elite circles in China, and he may be in possession of embarrassing information about current and former officials loyal to Mr. Xi.

Mr. Ling appears to have evaded the Chinese authorities. He is now in the United States, according to several American officials and his next-door neighbor here in the foothills of the Sierra Nevada, where property records show Mr. Ling owns a 7,800-square-foot home, which he bought from a professional basketball player for $2.5 million.

The Chinese government in recent months has been raising pressure on the Obama administration to return Mr. Ling, according to the American officials. The officials spoke on the condition of anonymity in order to discuss a delicate diplomatic matter that has already complicated an arrangement made in April between the Department of Homeland Security and China’s Ministry of Public Security.

Under that arrangement, signed during a visit to Beijing by Jeh Johnson, the secretary of Homeland Security, the United States would be able to repatriate many of the tens of thousands of Chinese currently in the United States awaiting deportation, some in American detention facilities. In return, the United States would help the Chinese track down wealthy fugitives from China living in the United States who might also be breaking American laws.

Several American officials confirmed that Mr. Ling is in the United States, but they would not say publicly whether Mr. Ling had applied for asylum or give information about his whereabouts. The Department of Homeland Security, which handles asylum cases, does not comment about specific cases because of privacy laws.

China’s Foreign Ministry did not comment after being sent a faxed request for information on Mr. Ling’s case. Press officers for the White House, State Department and Department of Homeland Security declined to comment.

Three telephone numbers that people in California used to contact Mr. Ling all had Dallas area codes. Mr. Ling, whose English is said to be poor, did not respond to text messages in Chinese requesting an interview. Two of the three numbers are no longer in service, and no one answered the third number.

Christopher K. Johnson, a former C.I.A. analyst focusing on China, said the Chinese leadership might want Mr. Ling’s assistance in prosecuting his older brother. And, Mr. Johnson said, it would want to prevent the “treasure trove” of knowledge he has about Chinese politics from passing to United States officials.

“The leadership would want this guy badly,” Mr. Johnson, now at the Center for Strategic and International Studies in Washington, said in a telephone interview. “There’s no question that he would have access to a lot of interesting things.”

While it is unclear how much Ling Wancheng knows, the Communist Party itself has revealed some tantalizing clues about his brother Ling Jihua’s behavior, claiming that his corruption was a family affair. Last month, the party announced that Ling Jihua — a loyalist to the previous president, Hu Jintao — had been expelled from the party and would be tried, saying that he had “accepted huge bribes personally and through his family.”

Ling Jihua, 58, rose through the Communist Party’s Youth League under Mr. Hu in the 1980s and eventually served as either deputy or chief of the Central Committee’s General Office from 1999 to 2012. He was Mr. Hu’s personal secretary and closest protégé, and his position came with great powers: the ability to control the guards who protected the senior leadership, a significant voice in top personnel appointments and a central role in carrying out policy.

“It’s really the nerve center for the entire system,” Joseph Fewsmith, a professor at the Pardee School of Global Studies at Boston University who focuses on Chinese politics, said of Ling Jihua’s former position. “This is the essence of power politics.”

Ling Jihua was expected to advance to the elite Politburo, as every person who previously held that position since 1942 had done, including former Prime Minister Wen Jiabao.

But on March 18, 2012, Ling Jihua’s son was killed when the black Ferrari he was driving crashed in Beijing. One of two women with him in the car later died.

Ling Jihua’s botched cover-up of the episode helped lead to his political downfall. He was denied a spot on the Politburo, demoted to a less important post and, in December 2014, officially put under a corruption investigation.

But the corruption inquiry into Ling Jihua goes far beyond the Ferrari crash, and his younger brother, Ling Wancheng, may have played an important role.

As a senior official, Ling Jihua had his moves monitored. But his brother, as a private citizen, was far less constrained. He built a fortune as the chief of a Beijing-based investment company, which bought well-timed stakes in companies that went on to hold successful initial public offerings, earning the firm $225 million, according to a report in Caixin, a respected Chinese news media company. A company using the same California address that he used to buy his home in Loomis also bought at least two golf courses, one near Loomis, the other in Carson City, Nev., property records show.

Ling Wancheng is one of several Chinese citizens in the United States whom Beijing has requested be returned to China. A forum has been established to discuss these cases, called the U.S.-China Joint Liaison Group on Law Enforcement Cooperation, where the Chinese regularly press their case to Obama administration officials.

However, Ling Wancheng, who is believed to be in his mid-50s and goes by the name Wang Cheng or Jason Wang, was not on the publicly disclosed list of 40 fugitives believed to be in the United States that was released by the Chinese government this year, indicating how delicate the case may be to the senior leadership.

Marc Raimondi, a spokesman for the Department of Justice, said the department “has repeatedly shown that it will vigorously pursue prosecutions in the United States where there is alleged money laundering or other criminal activity in this country by fugitives sought by China.”

But, he added, “it is not sufficient to simply provide a list of names.” The department has urged China to provide evidence, Mr. Raimondi said.

In late 2013, Mr. Ling, using the name Wang Cheng, and a person using the name Li Ping, the same name as a former presenter on state television whom the Chinese news media have identified as Mr. Ling’s wife, bought a house in a gated community in Loomis from a National Basketball Association player, Beno Udrih, real estate records show.

Ray Matteson, Mr. Ling’s neighbor in Loomis, and his wife soon became friends with the couple next door, who introduced themselves as Jason and Jane Wang. The Mattesons invited them over for dinner or drinks at least three times. Mr. Ling offered gifts, once giving them a bottle of liquor from the family’s home province, Shanxi, and on another occasion two magnums of California wine.

The Mattesons said their neighbor had given no hints about his family’s high-level political struggle, the arrest of Ling Jihua and another older brother or the death of his nephew.

“In my mind, there’s no question he was a gentleman,” said Mr. Matteson, who, along with another person who met him in Loomis, confirmed that Jason Wang was the man identified in the Chinese news media as Mr. Ling. Neither person, however, could match the woman introduced as Jane Wang with pictures of Li Ping, the former Chinese television presenter.

Mr. Ling would send text messages to his next-door neighbors. His English was poor, so he often used emoji, like a thumbs up or a happy face. He would send links to videos he found funny, and he asked for advice on where to find people to clean his windows.

Mr. Matteson said he had not seen Mr. Ling since October, when the two couples had dinner at Mr. Matteson’s home. But if Mr. Ling was in hiding in the United States, the prosaic details of maintaining a California estate kept him tethered to Loomis: There were homeowners association fees to pay, and a gardener had to keep the bushes trimmed and the lawn mowed.

Mr. Matteson’s last contact with Mr. Ling was in May, when the alarm system in Mr. Ling’s house was activated and the security company asked Mr. Matteson to contact Mr. Ling to obtain the code to enter the gate to his home.

The Mattesons said they had never seen any unusual activity in the neighborhood, except for one visit several months ago by officers from the Department of Homeland Security, who said they were trying to contact Mr. Ling.

Ling Wancheng’s visa status is unclear. Christopher Bentley, a spokesman for the United States Citizenship and Immigration Services, a division of Homeland Security, said that it usually took one to three years for an asylum case to be settled. During that period, he said, the asylum seeker is allowed to stay legally in the country.

Michael Forsythe reported from Loomis, and Mark Mazzetti from Washington.

Shhh… US Government Hacks at OPM Exposed More Than 21Million People

It was much worse than previously reported: more than 21 million people were “swept up in a colossal breach of government computer systems that was far more damaging than initially thought”. Find out more from the New York Times.

Shhh… Snowden Supports Apple’s Public Stance On Privacy

Edward Snowden Supports Apple’s Public Stance On Privacy

by Josh Constine (@joshconstine)

Edward Snowden says we should support Apple’s newly emphasized commitment to privacy rather than a business model driven by personal data collection, whether or not Tim Cook is being genuine. Snowden spoke over video conference during the Challenge.rs conference in Barcelona today.

I asked Snowden his thoughts on Cook’s recent acceptance speech for an Electronic Privacy Information Center award, saying:

CEO Tim Cook recently took a stand on privacy and Apple’s business, saying “some of the most prominent and successful companies have built their businesses by lulling their customers into complacency about their personal information. They’re gobbling up everything they can learn about you and trying to monetize it. We think that’s wrong. And it’s not the kind of company that Apple wants to be.”

Do you think Cook’s perspective is genuine and honest, and how do you think it will play out long-term with regards to it hurting or helping Apple’s business, or whether Apple will keep this promise to privacy?

Snowden responded:

I think in the current situation, it doesn’t matter if he’s being honest or dishonest. What really matters is that he’s obviously got a commercial incentive to differentiate himself from competitors like Google. But if he does that, if he directs Apple’s business model to be different, to say “we’re not in the business of collecting and selling information. We’re in the business of creating and selling devices that are superior”, then that’s a good thing for privacy. That’s a good thing for customers.

And we should support vendors who are willing to innovate. Who are willing to take positions like that, and go “You know, just because it’s popular to collect everybody’s information and resell it… to advertisers and whatever, it’s going to serve our reputation, it’s going to serve our relationship with our customers, and it’s going to serve society better. If instead we just align ourselves with our customers and what they really want, if we can outcompete people on the value of our products without needing to subsidize that by information that we’ve basically stolen from our customers, that’s absolutely something that should be supported. And regardless of whether it’s honest or dishonest, for the moment, now, that’s something we should support, that’s something we should incentivize, and it’s actually something we should emulate.

And if that position comes to be reversed in the future, I think that should be a much bigger hammer that comes against Apple because then that’s a betrayal of trust, that’s a betrayal of a promise to its customers. But I would like to think that based on the leadership that Tim Cook has shown on this position so far, he’s spoken very passionately about private issues, that we’re going to see that continue and he’ll keep those promises.

It’s reasonable to wonder how much of Cook’s chest-beating on privacy is philosophy and how much is marketing. Since the iCloud celebrity photo hack last year, we’ve written about how Apple needs to be more transparent about security and privacy. Snowden seems to agree it could benefit the company as well as society.

Apple’s steps in that direction through press releases and public appearances by Cook have been positively received. They resonate especially well with the public in contrast to other tech giants like Google and Facebook that are aggressively collecting private personal data, and the widespread security breaches of big brands.

Yet while people frequently say privacy is important to them, their unwillingness to stray from products that rely on mining their data seems to suggest otherwise. We’re just at the start of the age of personalized computing, and those that embrace it may get an advantage in the market.

Apple is experimenting with ways to personalize with privacy in mind. Its new Proactive update to Siri scans your email to remind you about events, but only does this on your device rather than copying your data to its servers for processing. To keep up while remaining true to its ideals, Apple will need more creative solutions like this to deliver convenience without being creepy.

Shhh… French Ultimatum Clicking on Google Over "Right to be Forgotten" Ruling

Please check out my two previous columns on this topic – and the latest on the situation from the Bloomberg article below:

Google Faces French Ultimatum Over Right to Be Forgotten

by Stephanie Bodoni
June 12, 2015 — 5:22 PM HKT
Updated on June 12, 2015 — 11:24 PM HKT

Google Inc. risks French fines after being handed a 15-day ultimatum to extend the so-called right to be forgotten to all its websites, including those outside the European Union.

France’s data protection regulator, CNIL, ordered the world’s most-used search engine to proceed with delistings of links across its network, irrespective of the domain name, according to a statement on Friday. CNIL said it received “hundreds of complaints following Google’s refusals.”

The order comes more than a year after a ruling by the EU’s highest court created a right to be forgotten, allowing people to seek the deletion of links on search engines if the information was outdated or irrelevant. The ruling created a furor, with Mountain View, California-based Google appointing a special panel to advise it on implementing the law. The panel opposed applying the ruling beyond EU domains.

If Google “doesn’t comply with the formal notice within the 15 days,” Isabelle Falque-Pierrotin, the president of CNIL “will be in position to nominate a rapporteur to draft a report recommending to the CNIL Select Committee to impose a sanction to the company,” the watchdog said.

“We’ve been working hard to strike the right balance in implementing the European court’s ruling, cooperating closely with data protection authorities,” Al Verney, a spokesman for Google in Brussels, said in an e-mailed statement. “The ruling focused on services directed to European users, and that’s the approach we are taking in complying with it.”

Links Removal

EU data protection chiefs, currently headed by Falque-Pierrotin, last year already urged Google to also remove links, when needed, from .com sites.

Google Chairman Eric Schmidt has argued that the EU court’s ruling in May 2014 — in which it ordered search links tied to individuals cut when those people contend the material is irrelevant or outdated — didn’t need to be extended to the U.S. site.

“It is easy circumventing the right to be forgotten by using the domain Google.com,” said Johannes Caspar, the Hamburg data protection commissioner. “Google should be compliant with the decision and fill the protection gap quickly.”

Google has removed 342,161, or 41.3 percent, of links that it has “fully processed,” according to a report on its website.

‘Right Balance’

The U.K.’s Information Commissioner’s Office said in a statement that its experience with removal requests “suggests that, for the most part, Google are getting the balance right between the protection of the individual’s privacy and the interest of internet users.”

The right-to-be-forgotten rules add to separate demands for curbs on Google’s market power being considered by lawmakers this week. EU antitrust regulators in April escalated their four-year-old probe into Google, sending the company a statement of objections accusing the Internet giant of abusing its dominance of the search-engine market.

The same day, the EU also started a new investigation into Google’s Android mobile-phone software.

Shhh… Fraudulent Practices at Fake Cancer Charities

This is really sick…


Fake Cancer Charities Gave Sick Kids Expired Meds and Little Debbie Cakes

Michael Daly
Only in America | 05.19.15 | 9:39 PM ET

The family behind four so-called cancer charities enriched themselves on donations while giving junk food and bad drugs to sufferers, the feds say—but they’re not facing jail time.

If you think the worst of us are behind bars, consider what you can be accused of doing and not face so much as a minute in jail:

You and your family can run four cancer charities that raise $187 million on false pretenses in the name of kids with cancer and women with breast cancer and the terminally ill of all ages—but spend less than 3 percent of that money on cancer victims.

Meanwhile, you can pay yourself and your relatives big salaries and over-generous bonuses while using donated funds to pay for cars, Disney World trips, jet ski outings, luxury travel, and college tuitions.

And you can use company credit cards for personal expenses, including meals at Hooters, gas, car washes, cellphone apps and games, iTunes songs, and dating website subscriptions, as well as tickets to concerts, sporting events, and movies.

“This is about as bad as it can get: taking money away from cancer victims,” Jessica Rich, chief of the Federal Trade Commission Bureau of Consumer Protection, told reporters as her agency and the attorneys general of all 50 states brought a complaint against Cancer Fund of America, Cancer Support Services, the Breast Cancer Society, and the Children’s Cancer Fund of America.

To make matters even worse, one of the charities allegedly used some of what little it did spend on cancer victims to furnish sick kids with expired antibiotics that are in fact contraindicated for children.

Another of the charities provided breast cancer victims with drugs that, in the words of a federal complaint, “are not typically used for the treatment of breast cancer and, in some instances, are not recommended for use by persons who have had cancer.”

“Some have even been associated with an increased risk of cancer,” notes the complaint filed this week by the Federal Trade Commission.

The charities are said to have passed along as “direct patient aid” such donated items as adult diapers, sample-size toiletries, and Little Debbie snack cakes.

“They make people happy,” James Reynolds Sr., patriarch of the extended Tennessee family that runs the four charities, is quoted as saying by the complaint.

Reynolds then switched to Moon Pies.

“They make you happier,” Reynolds supposedly said.

And, even though the clan managed to get the Little Debbie snack cakes, the Moon Pies, the adult diapers, and the rest for next to nothing, the charities are said to have claimed the retail amount in financial filings. The idea, apparently, was to make it look like they devoted more of the donations to cancer patients than what little they did.

All the while, the charities are said to have raised ever more money with false and misleading claims, passing themselves off as being “on the forefront for the fight against cancer” and “on the forefront of actually helping needy children with cancer.”

In an alleged effort to squeeze more money out of unsuspecting donors, the charities scripted such telemarketing pitches as, “I understand [your hesitation to give]; however, we never want to have to tell a family that is stretching their finances to the breaking point that, ‘We’re sorry, but the CANCER FUND has fallen short of its fundraising goal, so we won’t be able to provide you with a wig for your child to cover the hair loss due to chemotherapy.’”

Never mind that these charities did not have a program to provide wigs to sick children.

The charities also claimed: “We help cancer patients anywhere in the United States. Men, women, and children with over 240 types of cancer.”

And although they seem not to provide hospice care of any kind, they still claimed: “We also do the hospice care for the terminally ill… We’re the ones that do the hospice care for the cancer patients afflicted with cancer from infants to adults… One hundred percent of our proceeds go to hospice care.”

The complaint notes that in fact “100% of the donations do not go to hospice care.”

On top of all this, the companies allegedly claimed millions of dollars in tax deductions for items delivered to cancer patients—even though the charities purchased nothing but rather served only as a conduit, if the goods existed at all.

And James Reynolds Sr. awarded plum jobs not only to his son, wife, sister-in-law, and mother-in-law, but also to his ex-wife, his stepson, and even a step-nephew.

One of the supposed charities, the Breast Cancer Society, was run by Reynolds’s son, James Jr.; the Children’s Cancer Fund of America was run by Reynolds’s ex-wife, Rose Perkins. Both have agreed not to contest the complaint and to shut those two charities down.

Under the deal they cut with the feds, the son officially faces a judgment of $65 million, but that will be suspended after he pays just $75,000. Perkins is hit with a $30 million judgment, but that will be suspended without her paying a penny due to her supposed lack of funds.

In the meantime, the son is insisting on the Breast Cancer Society’s website that he has not admitted guilt to anything:

“While the organization, its officers and directors have not been found guilty of any allegations of wrongdoing, and the government has not proven otherwise, our Board of Directors has decided that it does not help those who we seek to serve, and those who remain in need, for us to engage in a highly publicized, expensive, and distracting legal battle around our fundraising practices.”

And the patriarch, James Reynolds Sr., is promising to fight the allegations against himself and the other two charities, Cancer Fund of America and Cancer Support Services.

The feds and the combined attorneys general are resolved to press their civil case against him.

But the most Reynolds Sr. presently risks is a monetary judgment that he may escape paying the way his son and his ex-wife did.

He faces not a minute behind bars, where the very worst of us supposedly reside.

One should never wish anybody to fall terminally ill, but if Reynolds Sr. does, let him eat Little Debbie snack cakes.

Or, better yet, Moon Pies.

Shhh… New Google Security Chief – In Search of Balance with Privacy

Here’s an insight to one man at Google to keep tab on – see the article below.

New Google security chief looks for balance with privacy
By GLENN CHAPMAN, AFP April 19, 2015 4:55am

MOUNTAIN VIEW, United States – Google has a new sheriff keeping watch over the wilds of the Internet.

Austrian-born Gerhard Eschelbeck has ranged the British city of Oxford, cavorted at notorious Def Con hacker conclaves, wrangled a herd of startups, and camped out in Silicon Valley.

He now holds the reins of security and privacy for all-things Google.

In an exclusive interview with AFP, Eschelbeck spoke of using Google’s massive scope to protect users from cyber villains such as spammers and state-sponsored spies.

“The size of our computing infrastructure allows us to process, analyze, and research the changing threat landscape and look ahead to predict what is coming,” Eschelbeck said during his first one-on-one press interview in his new post.

“Security is obviously a constant race; the key is how far can you look ahead.”

Eschelbeck took charge of Google’s 500-strong security and privacy team early this year, returning to Silicon Valley after running engineering for a computer security company in Oxford for two years.

“It was a very natural move for me to join Google,” Eschelbeck said. “What really excited me was doing security at large scale.”

Google’s range of global services and products means there are many fronts for a security expert to defend. Google’s size also means there are arsenals of powerful computer servers for defenders to employ and large-scale data from which to discern cyber dangers.

Eschelbeck’s career in security stretches back two decades to a startup he built while a university student in Austria that was acquired by security company McAfee.

What started out as a six-month work stint in California where McAfee is based turned into a 15-year stay by Eschelbeck.

He created and advised an array of computer security startups before heading off to Oxford. Eschelbeck has worked at computer technology titans such as Sophos and Qualys, and holds patents for network security technologies.

Constant attack

He was confident his team was up to the challenge of fending off cyber attacks, even from onslaughts of sophisticated operations run by the likes of the US National Security Agency or the Chinese military.

Eschelbeck vowed that he would “absolutely” find any hacker that came after his network.

“As a security guy, I am never comfortable,” he said. “But, I do have a very strong team…I have confidence we have the right reactive and proactive defense mechanisms as well.”

State-sponsored cyber attacks making news in the past year come on top of well-known trends of hacking expressly for fun or profit.

The sheer number of attack “vectors” has rocketed exponentially over time, with weapons targeting smartphones, applications, datacenters, operating systems and more.

“You can safely assume that every property on the Internet is continuously under attack,” Eschelbeck said.

“I feel really strong about our ability to identify them before they become a threat and the ability to block and prevent them from entering our environment.”

Scrambling data

Eschelbeck is a backer of encrypting data, whether it be an email to a friend or photos stored in the cloud.

“I hope for a time when all the traffic on the Internet is encrypted,” he said.

“You’re not sending a letter to your friend in a transparent envelope, and that is why encryption in transport is so critical.”

He believes that within five years, accessing accounts with no more than passwords will be a thing of the past.

Google lets people require that code numbers sent to their phones be used along with passwords to access accounts, in what is referred to as “two-factor” authentication.

The Internet titan also provides “safe browsing” technology that warns people when they are heading to websites rigged to attack visitors.

Google identifies about 50,000 malicious websites monthly, and another 90,000 phishing websites designed to trick people into giving up their passwords or other valuable personal information, Eschelbeck said.

“We have some really great visibility into the Web, as you can imagine,” he said.

“The time for us to recognize a bad site is incredibly short.”

Doubling-down on privacy

Eschelbeck saw the world of online security as fairly black and white, while the privacy side of his job required subjective interpretations.

Google works closely with data protection authorities in Europe and elsewhere to try and harmonize privacy protections with the standards in various countries.

“I really believe that with security and privacy, there is more overlap than there are differences,” he said.

“We have made a tremendous effort to focus and double-down on privacy issues.”

Like other large Internet companies, Google routinely makes public the requests it receives from government agencies for information about users.

Requests are carefully reviewed, and only about 65 percent of them satisfied, according to Google.

“Privacy, to me, is protecting and securing my activities; that they are personal to myself and not visible to the whole wide world,” Eschelbeck said. — Agence France-Presse

Shhh… Spy On Spies – A New Breed of Spies

Here’s an interesting story:


Meet the privacy activists who spy on the surveillance industry

by Daniel Rivero | April 6, 2015

LONDON– On the second floor of a narrow brick building in the London Borough of Islington, Edin Omanovic is busy creating a fake company. He is playing with the invented company’s business cards in a graphic design program, darkening the reds, bolding the blacks, and testing fonts to strike the right tone: informational, ambiguous, no bells and whistles. In a separate window, a barren website is starting to take shape. Omanovic, a tall, slender Bosnian-born, Scottish-raised Londonite gives the company a fake address that forwards to his real office, and plops in a red and black company logo he just created. The privacy activist doesn’t plan to scam anyone out of money, though he does want to learn their secrets. Ultimately, he hopes that the business cards combined with a suit and a close-cropped haircut will grant him access to a surveillance industry trade show, a privilege usually restricted to government officials and law enforcement agencies.

Once he’s infiltrated the trade show, he’ll pose as an industry insider, chatting up company representatives, swapping business cards, and picking up shiny brochures that advertise the invasive capabilities of bleeding-edge surveillance technology. Few of the features are ever marketed or revealed openly to the general public, and if the group didn’t go through the pains of going undercover, it wouldn’t know the lengths to which law enforcement and the intelligence community are going to keep tabs on their citizens.

“I don’t know when we’ll get to use this [company], but we need a lot of these to do our research,” Omanovic tells me. (He asked Fusion not to reveal the name of the company in order to not blow its cover.)

The strange tactic– hacking into an expo in order to come into close proximity with government hackers and monitors– is a regular part of operations at Privacy International, a London-based anti-surveillance advocacy group founded 25 years ago. Omanovic is one of a few activists for the group who goes undercover to collect the surveillance promotional documents.

“At last count we had about 1,400 files,” Matt Rice, PI’s Scottish-born advocacy officer says while sifting through a file cabinet full of the brochures. “[The files] help us understand what these companies are capable of, and what’s being sold around the world,” he says. The brochures vary in scope and claims. Some showcase cell site simulators, commonly called Stingrays, which allow police to intercept cell phone activity within a certain area. Others provide details about Finfisher– surveillance software that is marketed exclusively to governments, which allows officials to put spyware on a target’s home computer or mobile device to watch their Skype calls, Facebook and email activity.

The technology buyers at these conferences are the usual suspects — the Federal Bureau of Investigation (FBI), the UK’s Government Communications Headquarters (GCHQ), and the Australian Secret Intelligence Service– but also representatives of repressive regimes —Bahrain, Sudan, pre-revolutionary Libya– as the group has revealed in attendees lists it has surfaced.

At times, companies’ claims can raise eyebrows. One brochure shows a soldier, draped in fatigues, holding a portable device up to the faces of a somber group of Arabs. “Innocent civilian or insurgent?,” the pamphlet asks.

“Not certain?”

“Our systems are.”

The treasure trove of compiled documents was available as an online database, but PI recently took it offline, saying the website had security vulnerabilities that could have compromised information of anyone who wanted to donate to the organization online. They are building a new one. The group hopes that the exposure of what Western companies are selling to foreign governments will help the organization achieve its larger goal: ending the sale of hardware and software to governments that use it to monitor their populations in ways that violate basic privacy rights.

The group acknowledges that it might seem they are taking an extremist position when it comes to privacy, but “we’re not against surveillance,” Michael Rispoli, head of PI’s communications, tells me. “Governments need to keep people safe, whether it’s from criminals or terrorists or what it may be, but surveillance needs to be done in accordance with human rights, and in accordance with the rule of law.”

The group is waging its fight in courtrooms. In February of last year, it filed a criminal complaint with the UK’s National Cyber Crime Unit of the National Crime Agency, asking it to investigate British technology allegedly used repeatedly by the Ethiopian government to intercept the communications of an Ethiopian national. Even after Tadesse Kersmo applied for– and was granted– asylum in the UK on the basis of being a political refugee, the Ethiopian government kept electronically spying on him, the group says, using technology from British firm Gamma International. The group currently has six lawsuits in action, mostly taking on large, yet opaque surveillance companies and the British government. Gamma International did not respond to Fusion’s request for comment on the lawsuit, which alleges that exporting the software to Ethiopian authorities means the company assisted in illegal electronic spying.

“The irony that he was given refugee status here, while a British company is facilitating intrusions into his basic right to privacy isn’t just ironic, it’s wrong,” Rispoli says. “It’s so obvious that there should be laws in place to prevent it.”

PI says it has uncovered other questionable business relationships between oppressive regimes and technology companies based in other Western countries. An investigative report the group put out a few months ago on surveillance in Central Asia said that British and Swiss companies, along with Israeli and Israeli-American companies with close ties to the Israeli military, are providing surveillance infrastructure and technical support to countries like Turkmenistan and Uzbekistan– some of the worst-ranking countries in the world when it comes to freedom of speech, according to Freedom House. Only North Korea ranks lower than them.

PI says it used confidential sources, whose accounts have been corroborated, to reach those conclusions.

Not only are these companies complicit in human rights violations, the Central Asia report alleges, but they know they are. Fusion reached out to the companies named in the report, NICE Systems (Israel), Verint Israel (U.S./Israel), Gamma (UK), and Dreamlab (Switzerland), and none have responded to repeated requests for comment.

The report is a “blueprint” for the future of the organization’s output, says Rice, the advocacy officer. “It’s the first time we’ve done something that really looks at the infrastructure, the laws, and putting it all together to get a view on how the system actually works in a country, or even a whole region,” says Rice.

“What we can do is take that [report], and have specific findings and testimonials to present to companies, to different bodies and parliamentarians, and say this is why we need these things addressed,” adds Omanovic, the researcher and fake company designer.

The tactic is starting to show signs of progress, he says. One afternoon, Omanovic was huddled over a table in the back room, taking part in what looked like an intense conference call. “European Commission,” he says afterwards. The Commission has been looking at surveillance exports since it was revealed that Egypt, Tunisia, and Bahrain were using European tech to crack down on protesters during the Arab Spring, he added. Now, PI is consulting with some members, and together they “hope to bring in a regulation specifically on this subject by year’s end.”

***

Privacy International has come a long way from the “sterile bar of an anonymous business hotel in Luxembourg,” where founder Simon Davies, then a lone wolf privacy campaigner, hosted its first meeting with a handful of people 25 years ago. In a blog post commemorating that anniversary, Davies (who left the organization about five years ago) described the general state of privacy advocacy when that first meeting was held:

“Those were strange times. Privacy was an arcane subject that was on very few radar screens. The Internet had barely emerged, digital telephony was just beginning, the NSA was just a conspiracy theory and email was almost non-existent (we called it electronic mail back then). We communicated by fax machines, snail mail – and through actual real face to face meetings that you travelled thousands of miles to attend.”

Immediately, there were disagreements about the scope of issues the organization should focus on, as detailed in the group’s first report, filed in 1991. Some of the group’s 120-odd loosely affiliated members and advisors wanted the organization to focus on small privacy flare-ups; others wanted it to take on huge, international privacy policies, from “transborder data flows” to medical research. Disputes arose as to what “privacy” actually meant at the time. It took years for the group to narrow down the scope of its mandate to something manageable and coherent.

Gus Hosein, current executive director, describes the 90’s as a time when the organization “just knew that it was fighting against something.” He became part of the loose collective in 1996, three days after moving to the UK from New Haven, Connecticut, thanks to a chance encounter with Davies at the London Economics School. For the first thirteen years he worked with PI, he says, the group’s headquarters was the school pub.

They were then fighting some of the same battles that are back in the news cycle today, such as the U.S. government wanting to ban encryption, calling it a tool for criminals to hide their communications from law enforcement. “[We were] fighting against the Clinton Administration and its cryptography policy, fighting against new intersections of law, or proposals in countries X, Y and Z, and almost every day you would find something to fight around,” he says.

Just as privacy issues stemming from the dot com boom were starting to stabilize, 9/11 happened. That’s when Hosein says “the shit hit the fan.”

In the immediate wake of that tragedy, Washington pushed through the Patriot Act and the Aviation and Transportation Security Act, setting an international precedent of invasive pat-downs and extensive monitoring in the name of anti-terrorism. Hosein, being an American, followed the laws closely, and the group started issuing criticism of what it considered unreasonable searches. In the UK, a public debate about issuing national identification cards sprung up. PI fought it vehemently.

“All of a sudden we’re being called upon to respond to core policy-making in Western governments, so whereas policy and surveillance were often left to some tech expert within the Department of Justice or whatever, now it had gone to mainstream policy,” he says. “We were overwhelmed because we were still just a ragtag bunch of people trying to fight fights without funding, and we were taking on the might of the executive arm of government.”

The era was marked by a collective struggle to catch up. “I don’t think anyone had any real successes in that era,” Hosein says.

But around 2008, the group’s advocacy work in India, Thailand and the Philippines started to gain the attention of donors, and the team decided it was time to organize. The three staff members then started the formal process of becoming a charity, after being registered as a corporation for ten years. By the time it got its first office in 2011 (around the time its founder, Davies, walked away to pursue other ventures) the Arab Spring was dominating international headlines.

“With the Arab Spring and the rise of attention to human rights and technology, that’s when PI actually started to realize our vision, and become an organization that could grow,” Hosein says. “Four years ago we had three employees, and now we have 16 people,” he says with a hint of pride.

***

“This is a real vindication for [Edward] Snowden,” Eric King, PI’s deputy director, says about one of the organization’s recent legal victories over the UK’s foremost digital spy agency, known as the Government Communications Headquarters or GCHQ.

PI used the documents made public by Snowden to get the British court that oversees GCHQ to determine that all intelligence sharing between GCHQ and the National Security Administration (NSA) was illegal up until December 2014. Ironically, the court went on to say that the sharing was only illegal because of lack of public disclosure of the program. Now that details of the program were made public thanks to the lawsuit, the court said, the operation is now legal and GCHQ can keep doing what it was doing.

“It’s like they’re creating the law on the fly,” King says. “[The UK government] is knowingly breaking the law and then retroactively justifying themselves. Even though we got the court to admit this whole program was illegal, the things they’re saying now are wholly inadequate to protect our privacy in this country.”

Nevertheless, it was a “highly significant ruling,” says Elizabeth Knight, Legal Director of fellow UK-based civil liberties organization Open Rights Group. “It was the first time the [courts have] found the UK’s intelligence services to be in breach of human rights law,” she says. “The ruling is a welcome first step towards demonstrating that the UK government’s surveillance practices breach human rights law.”

In an email, a GCHQ spokesperson downplayed the significance of the ruling, saying that PI only won the case in one respect: on a “transparency issue,” rather than on the substance of the data sharing program. “The rulings re-affirm that the processes and safeguards within these regimes were fully adequate at all times, so we have not therefore needed to make any changes to policy or practice as a result of the judgement,” the spokesperson says.

Before coming on board four years ago, King, a 25-year old Wales native, worked at Reprieve, a non-profit that provides legal support to prisoners. Some of its clients are at Guantanamo Bay and other off-the-grid prisons, something that made him mindful of security concerns when the group was communicating with clients. King worried that every time he made a call to his clients, they were being monitored. “No one could answer those questions, and that’s what got me going on this,” says King.

Right now, he tells me, most of the group’s legal actions have to do with fighting the “Five Eyes”– the nickname given to the intertwined intelligence networks of the UK, Canada, the US, Australia and New Zealand. One of the campaigns, stemming from the lawsuit against GCHQ that established a need for transparency, is asking GCHQ to confirm if the agency illegally collected information about the people who signed a “Did the GCHQ Illegally Spy On You?” petition. So far, 10,000 people have signed up to be told whether their communications or online activity were collected by the UK spy agency when it conducted mass surveillance of the Internet. If a court actually forces GCHQ to confirm whether those individuals were spied on, PI will then ask that all retrieved data be deleted from the database.

“It’s such an important campaign not only because people have the right to know, but it’s going to bring it home to people and politicians that regular, everyday people are caught up in this international scandal,” King says. “You don’t even have to be British to be caught up in it. People all over the world are being tracked in that program.”

Eerke Boiten, a senior lecturer at the interdisciplinary Cyber Security Centre at the University of Kent, says that considering recent legal victories, he can’t write off the effort, even if he would have dismissed it just a year ago.

“We have now finally seen some breakthroughs in transparency in response to Snowden, and the sense that intelligence oversight needs an overhaul is increasing,” he wrote in an email to me. “So although the [British government] will do its best to shore up the GCHQ legal position to ensure it doesn’t need to respond to this, their job will be harder than before.”

“Privacy International have a recent record of pushing the right legal buttons,” he says. “They may win again.”

A GCHQ spokesperson says that the agency will “of course comply with any direction or order” a court might give it, stemming from the campaign.

King is also the head of PI’s research arm– organizing in-depth investigations into national surveillance ecosystems, in tandem with partner groups in countries around the world. The partners hail from places as disparate as Kenya and Mexico. One recently released report features testimonials from people who reported being heavily surveilled in Morocco. Another coming out of Colombia will be more of an “exposé,” with previously unreported details on surveillance in that country, he says.

And then there’s the stuff that King pioneered: the method of sneaking into industry conferences by using a shadow company. He developed the technique Omanovic is using. King can’t go to the conferences undercover anymore because his face is now too well known. When asked why he started sneaking into the shows, he says: “Law enforcement doesn’t like talking about [surveillance]. Governments don’t talk about it. And for the most part our engagement with companies is limited to when we sue them,” he laughs.

When it comes to the surveillance field, you would be hard pressed to find a company that does exactly what it says it does, King tells me. So when he or someone else at PI sets up a fake company, they expect to get about as much scrutiny as the next ambiguous, potentially official organization that lines up behind them.

Collectively, PI has been blacklisted and been led out of a few conferences over the past four years they have been doing this, he estimates.

“If we have to navigate some spooky places to get what we need, then that’s what we’ll do,” he says. Sometimes you have to walk through a dark room to turn on a light. Privacy International sees a world with a lot of dark rooms.

“Being shadowy is acceptable in this world.”

Edward Snowden & Hervé Falciani Knew Each Other Before Their Respective Exposé?

As it so happened, everything started and ended in Geneva…

It was a cold morning in mid-December 2008. Hervé Falciani had just finished packing his favorite black Rimowa luggage and a small handy leather bag with his five precious CDs safely tucked at the bottom.

“Mate I’m getting ready to leave for Nice for a few days, to do you know what,” he wrote on his encrypted email.

“Good luck mate. That’s the spirit. Am actually planning to get myself out of Geneva and home for good shortly after the New Year. Keep those stuff safe,” the reply promptly appeared on the computer screen.

“Will do. Thanks so much for all the guidance. Take care!” Falciani penned off, half-wishing his pal Snowden was not serious about leaving Geneva.

Well, that was probably how John le Carré approached his next best-selling spy novel but this opening scene may not be too far from the truth.

Falciani was widely dubbed the Snowden of the banking world when the HSBC exposé stole global headlines early this week. According to his profile, the then-36-year-old dual French-Italian national joined the British banking giant HSBC in 2000, in Monaco where he grew up, and was transferred to HSBC Private Bank (Suisse) in Geneva, Switzerland in 2006.

That was the same year Edward Snowden joined the CIA and the now famous whistleblower behind the NSA revelations was posted to Geneva the following year under diplomatic cover, where he admitted having grown disillusioned with American spy craft. He left Geneva and the agency in 2009.

And as an undercover CIA operative based in Geneva, Snowden probably knew some bankers as The Guardian once reported:

He described as formative an incident in which he claimed CIA operatives were attempting to recruit a Swiss banker to obtain secret banking information. Snowden said they achieved this by purposely getting the banker drunk and encouraging him to drive home in his car. When the banker was arrested for drunk driving, the undercover agent seeking to befriend him offered to help, and a bond was formed that led to successful recruitment.

The possibility that Snowden and Falciani knew each other may be a novelist’s creation, and trivial even if true. But nevertheless, it would open up many possibilities.

Consider, for example, that both claimed to have reported to their superiors, who ignored their respective complaints and warnings. Both became whistleblowers and were accused for their actions. The two IT experts stole and released troves of internal data to the media – Falciani, the systems specialist of HSBC Private Bank in Geneva now under the global spotlight, reportedly met French tax investigators at a cafe in Nice airport before Christmas of 2008 and handed them five CDs’ worth of confidential data pertaining to some 130,000 clients and 300,000 private accounts from 200 countries – which eventually reached then Finance Minister of France Christine Lagarde, who subsequently shared it with other countries.

And the rest is history as we know it today.

Snowden is scheduled to speak via video-conference this Friday to the International Students For Liberty Conference in downtown Washington, D.C. Would be interesting to hear what he has to say about the HSBC exposé and… his friend Falciani.

The Rafael Hui Case Amplifies Flaws in Hong Kong's Background Checks & Vetting System

Photo above: Rafael Hui (right) and Donald Tsang (left)

My last post of the year below and also in AsiaSentinel.

Photo above: Rafael Hui

Why Didn’t the HK Vetting System Find Rafael Hui?

Former chief secretary, on his way to jail for 7-1/2 years, should have been spotted by background checks

Written by Vanson Soo
Wed, 24 December 2014

The Hong Kong High Court delivered a landmark ruling Tuesday that brought an end to a chapter of one of the highest-level corruption trials in the city’s history with the conviction of former Chief Secretary Rafael Hui for bribery, along with the two executives who bribed him. But one serious question lingers.

Hui was handpicked by then Hong Kong chief executive Donald Tsang to return to the civil service as chief secretary. Why didn’t the background checks turn up what was obviously a grotesquely opulent lifestyle?

The 131-day high-profile trial involving Hui, effectively the number two in the Hong Kong government hierarchy, and two tycoons of Sun Hung Kai, the world’s second-most valuable real estate company according to Bloomberg, drew effective closure with Hui receiving seven and a half years behind bars for five charges including taking HK$8.5 million (US$1.1 million) in bribes from Sun Hung Kai co-chairman Thomas Kwok, who was given a five-year sentence and fined HK$500,000 for conspiring to corrupt the former chief secretary.

But who would have dared to oppose Hui’s appointment during the vetting process if Tsang wanted him? Apparently nobody. And shouldn’t Tsang be held responsible for overlooking Hui’s (known) vices? Shouldn’t the system have counted on the chief executive as the last line of defense to be absolutely clean?

If pre-employment background checks found an opulent lifestyle and a high-spending propensity that were well known among Hui’s peers, who cast aside the potential red flag as merely a private and personal matter? Wasn’t it a colossal mistake that nobody asked the very simple question: if he was spending well beyond his means, where was he getting the money? Who then should be responsible for the gross oversight?

Details of Hui’s high life, including the showering of expensive gifts on his high-maintenance young mistress, came to light during the trial but it also emerged that his tilt towards the material world was no secret among his associates.

In light of Hui’s case, the government has defended its system of background checks, insisting there were adequate checks in place prior to slotting civil servants into their appointments. That defense highlights one gross, systemic problem with pre-employment background checks in the civil and commercial sectors alike: a check-the-box mentality instead of a serious investigation.

Pre-employment background checks are an exercise to ensure someone is properly, thoroughly and systematically vetted before an official undertaking, such as employment or appointment, to the extent that the person doesn’t become a potential liability and cause embarrassment sometime down the road.

These checks have both quantitative and qualitative elements. On the quantitative side, the checks rely on paper trails to confirm (thus the tag “check-the-box”) personal details, educational background and career history, and to highlight any potential conflicts and red flags found – for example, any record of bankruptcy, insolvency, sanctions, political affiliations, criminal history, etc.

In the civil service, all those checks extend to the subject’s next-of-kin. In commercial background checks (for example, banks in some jurisdictions are required to conduct these checks on all new hires), any personal stake and interest in other companies would also be material information.

The qualitative checks refer to efforts to find, as the wording suggests, any non-quantitative (i.e. non-documented) facts that could potentially cause trouble. In some commercial checks I have done for my clients, for example, someone found to have a high gambling propensity, or another with a history of sexual harassment in the workplace, were duly noted and accounted for in the process. In the political sphere, for example, anyone found to have employed undocumented immigrants would be promptly flagged in the United States and has been, ending the careers of several high-level appointees.

The check-the-box exercise underscores the very bureaucracy of the civil service as these background checks are designed to be “on the safe side,” documenting only those facts that are “traceable and reliable,” according to a source, a former senior Hong Kong government official familiar with the background checks and vetting processes within the civil service.

Beyond these quantifiable facts, the source told me any adverse comments – such as reports of one’s character, much like Hui’s high life – would rarely be passed on in the reports because they would be easily challenged. In several instances, troubles emerged later precisely because these omitted qualitative red flags came back to haunt both the employers and the newly employed.

The point then is, so what if Hui is known to have those vices? The government can boast all they want about their rigorous system of checks, including having two referees to evaluate the candidate but what use is it when the referees were appointed by the candidates themselves?

In Hui’s case, he was handpicked by Tsang to return to the civil service as chief secretary. But it has been widely reported that Tsang himself could face criminal prosecution on charges of improper conduct in office although the city’s anti-graft body – the Independent Commission Against Corruption (ICAC) – only says its investigation is still underway.

So, was it not a colossal mistake by the civil service to assume poor Hui and company wouldn’t be singing Christmas carols behind bars, this Christmas and several more ahead?

Shhh… WikiLeaks' Cousin AfriLeaks – A New Anonymous Whistleblowing & Open Data Platform for Africa

AfriLeaks, a brand new anonymous whistleblowing platform, will be launched end November but unlike the renowned and established WikiLeaks, this African cousin will not be releasing secret information directly to the public.

“[AfriLeaks will] provide a secure tool for connectivity between the whistleblowers and the media who then investigate the substance and character of the leak,” according to Khadija Sharife of the African Network of Centers for Investigative Reporting (ANCIR) – the organization that will host the platform – in a Deutsche Welle report earlier this week.

According to Deutsche Welle, unlike WikiLeaks’ aim to publish and disclose information, “AfriLeaks will be there to provide leads for stories to media and research organizations. The new platform will allow whistleblowers to choose the media or research organization to which they want to send the information”.

WikiLeaks founder Julian Assange may be smiling. According to a biography, Assange described “going to Africa and testing my ground” in the early days of WikiLeaks, where one of the very first stories his whistleblowing platform broke was on Kenya – which was then fed to The Guardian, which ran “The Looting of Kenya” as a front-page story. The article was subsequently picked up by the Kenyan media.

“From our point of view, the leak supported the idea that oppressed media organizations could suddenly be freed when a story that mattered to them – and which they couldn’t reveal on their own – was given legitimacy and the oxygen of international exposure first,” according to the book.

“We kept at it, kept publishing stuff that the African papers were too frightened to publish…”

Shhh… The BBC "Forgotten" List (& Forgotten Company Directors?)

The BBC plans to publish a regularly updated list of articles removed from the search engine Google following the controversial “right to be forgotten rule”.

Google has so far received some 153,000 requests which have involved about half a million different links, and 40 percent of these links have been removed. However, according to associate professor David Glance, director of the Center for Software Practice at the University of Western Australia:

“… there is a great deal of concern about the sorts of things that are being removed. So, for example, information about former company directors has been removed. So various people are now asking for that type of information to be restored because it’s part of the public record and important information when you are considering the effectiveness or the background of a company or the directors.”

Shhh… The Secret Tapes of Goldman Sachs by Carmen Segarra

In what could be the equivalent of a nuclear bomb on Wall Street, former New York Federal Reserve Examiner Carmen Segarra has released some 46 hours’ worth of voice recordings, secretly taped with a small recorder on her keychain in 2012, that purportedly show bank regulators going soft and cozy with banking giant Goldman Sachs at a time when the New York Fed was expected to become a stronger regulator after the financial crisis of 2008.

To demonstrate a case in point from the recordings: “We’re looking at a transaction that’s legal but shady,” according to a New York Fed staffer in reference to a proposed Goldman Sachs financial transaction.

The secret recordings – released to both a reporter for ProPublica and radio program This American Life – show an unwillingness among some Fed supervisors to both demand specific information from Goldman about a transaction with Banco Santander and to strongly criticize what Segarra concluded was the lack of an appropriate conflict-of-interest policy at Goldman.

Segarra, who later sued the New York Fed for wrongful termination after her refusal to alter a critical examination of Goldman’s legal and compliance units, said her colleagues were too soft on those kinds of transactions and the banking industry in general.

The Perilous Job of Auditing China

Sometimes Auditors Have to Flee for Their Lives

Who should be most afraid of auditing in China – a US examiner, the Chinese regulators or the companies being audited? Pick those doing the examining. For all of the accounting profession’s image as a dull and boring occupation, in China it isn’t. Sometimes it can be downright dangerous.

You can find the entire column here.

Tinker Data Bankers Spies

Hong Kong Tightens Rules on IPOs – The Territory Gets Tough on Regulating Domestic and International New Listings

Starting Oct. 1, in a worst-case scenario, bankers and listing professionals could be put behind bars for their role in public listings in Hong Kong, up till recently a top capital-raising center and magnet for initial public offerings from Chinese companies. To top it off, the current clampdown on data and corporate investigations in mainland China further complicates the situation.

The controversy stems from measures announced by the Hong Kong Securities and Futures Commission in December 2012 to step up the regulatory regime for listing sponsors, including clarifications of their liabilities – up to civil and criminal liabilities – to be put into effect Oct. 1 this year, and will apply to all public listings filed from that date. These measures supplement the new listing rules previously announced by The Stock Exchange of Hong Kong to promote more extensive and thorough due diligence of listing candidates.

You can find the entire column here and there.

For Whom the Whistle Blows

That Whistle Could Have You Behind Bars

For Whom the Bell Tolls was a 1940 novel by Ernest Hemingway about an American in the International Brigades who blows up a bridge during the Spanish Civil War with death the ultimate sacrifice.

But what about For Whom The Whistle Blows? That informs the current debate about Bradley Manning and Edward Snowden, two Americans who risked their lives by leaking documents on US foreign policy and covert cyber-snooping activities during the US war on terrorism. Are they prisoners – one in a US army stockade and the other in exile in Moscow – of conscience?

In contrast to the contemptuous labels and espionage charges the US government slapped on the two, one a US Army private first class and the other a former government intelligence contractor, both claimed their motive was to spark public debate and promote greater transparency in US government conduct. Whistle-blowers in general have all along been quite rightly championed and heralded by the authorities, media and the general public – at least by those whose oxen are not being gored from the revelations. Such are the dichotomies of modern history.

You can find the entire column here and there.

The Importance of Being Eliot

The Former Sheriff of Wall Street is Back

Wall Street – and some of Asia’s markets as well – should really panic if New York’s voters give Eliot Spitzer the chance (again) to troll through corporate records looking for wrongdoing – and if the name Jesse M. Unruh rings a bell.

Spitzer, the disgraced former New York governor and attorney general best remembered for his forced resignation five years ago after being revealed as “client #9” in the wake of a prostitution scandal, announced last week his return to the political spotlight by running for office – as the New York City Comptroller.

One would be forgiven for thinking the Harvard-trained lawyer – once considered in some quarters to be on his way to the White House – has gone low and cheap to run for a backwater auditing office best associated with pallid career politicians. But no, Spitzer the corporate scourge has other ideas.

You can find the entire column here.

The State of Cyber-War

In Spies We Trust

The two-day private talks between the US and Chinese Presidents Barack Obama and Xi Jinping this weekend in Rancho Mirage, CA are expected to include, among other thorny issues, the dwindling trust between the two countries following the recent spate of cyber intrusions the US has repeatedly alleged to have originated from China.

In the first diplomatic efforts to defuse chronic tensions, the two have also agreed to launch regular, high-level talks next month on how to set standards of behavior for cyber security and commercial espionage. But don’t expect anything concrete from these meetings. The state of cyberspace diplomacy is heading only south.

Please read the full column here.

The Spying Game

Spies in the newsroom? Or spying on newsrooms? There’s far too much of both

(The Inside Story of the Bloomberg Spying Scandal – and Snooping on the Associated Press – and Some Remedies.)

I often get strange, tough questions from the clients of my business intelligence and commercial investigation firm, but the recent bombardments highlight a new trend: bloated or irrational paranoia, depending on your take.

Should I stop using emails? Would you recommend a personal VPN? Is it safer to discuss in person than over an electronic device?

Just last week, one client pondered whether he should be using the Bloomberg terminal and another questioned if his phone, video and Skype calls were safe. I can’t blame them. Just look at the headline news the past week alone…

Please read the full column here.

The Genesis of Hong Kong´s Company Law Fuss

The Companies Ordinance review has been years in the making

A recent hotly debated topic in Hong Kong relates to the government’s attempt to rewrite the Companies Ordinance, spurred largely by the sudden public realization that the resulting new Companies Bill was already passed in the local legislature without much media attention and the rude awakening to the subsequent impacts.

Much of the current media focus and public debates have been placed on only one aspect of the many proposed changes: to withhold from the public parts of the identification numbers and details of the residential addresses of company directors found in the Hong Kong company registration records.

The lightning rod for public concern has struck many a wrong chord, including outcries about the suppression of transparency and apprehension over possible government submission to China’s will.

This column looks at the roots of the situation and puts the fuss in perspective.

Please read full article here.

Hong Kong Considers Freedom of Information Act

While Attempting to Suppress Transparency

Paradoxically, even as the Hong Kong government is proposing far-reaching changes to the Companies Ordinance that would bring due diligence and investigations to a stop, officials are also quietly studying the possibility of introducing a Freedom of Information Act.

If that seems a contradiction, that’s because it is.

The Companies Ordinance amendments, either missed or ignored by the mainstream media when they were passed through the legislature earlier last year, will result in withholding from the public parts of the identification numbers and details of the residential addresses of company directors found in the Hong Kong company registration records – the very thing a freedom of information act is designed to facilitate.

Please read the full column here.

Shhh… How to Beat the CIA and Protect Your Data

Business travel is a nightmare these days, especially when one visits a country known for high espionage/ corporate espionage activities or active government eavesdropping and wiretapping.

So what if you need to transmit confidential data, sensitive business information and trade secrets via emails or the cloud? Or simply access your online banking account?

Public wifi poses significant risks. The Internet connection in your hotel room is not any better. And you can forget the Internet cafe.

No worries, there’s a solution and I will soon be posting a column on this matter. Watch this space.

When the Boss is Always Right

No fingerprints in rigging the Libor rate?

Let me start with a familiar scene. Suppose the boss says “I don’t like his face.” His sidekicks exchange quick looks and leave the room without a word. They clearly understand what their boss means and promptly kill the guy in cool mafia fashion.

You probably relate this scene to classic Hollywood mafia movies, in which the sidekicks usually flee the scene right after the murder. When the police show up to find whodunit, nobody, including the boss, remembers what happened. Unconventional corporate governance combined with plausible deniability.

That is exactly what seems to have happened at the British banking giant Barclays.

(Read the entire column here.)

Terrorists and Rogue Traders

Banks haven’t learned anything about risk management

Who would have thought that someone would actually be crying “terrorist attack” from of all places, Switzerland? Well, hardly. In Asia, we know about these “terrorist attacks.” The first one occurred in Singapore in 1995 when a 27-year-old former derivatives broker named Nick Leeson caused the collapse of Barings, the United Kingdom’s oldest investment bank.

What Leeson did to Barings bears considerable resemblance to what a senior UBS management executive called, with considerable hyperbole, the “terrorist attack” that sank the bank’s former CEO Oswald Grubel in early September after the discovery of a US$2.3 billion trading scandal (Read the entire column here and there).