Wednesday, April 04, 2007


Wall Street Journal

Inside Wal-Mart's 'Threat Research' Operation
April 4, 2007; Page B1

The Wal-Mart Stores Inc. worker fired last month for intercepting a reporter's phone calls says he was part of a larger, sophisticated surveillance operation that included snooping not only on employees, but also on critics, stockholders and the consulting firm McKinsey & Co.

As part of the surveillance, the retailer last year had a long-haired employee infiltrate an anti-Wal-Mart group to determine if it planned protests at the company's annual meeting, according to Bruce Gabbard, the fired security worker, who worked in Wal-Mart's Threat Research and Analysis Group. The company also deployed cutting-edge monitoring systems made by a supplier to the Defense Department that allowed it to capture and record the actions of anyone connected to its global computer network. The systems' high-tech wizardry could detect the degree of flesh-tone on a viewed Internet image, and alerted monitors that a vendor sharing Wal-Mart networks was viewing pornography.

Wal-Mart has since disconnected some systems amid an internal investigation of the group's activities earlier this year, according to an executive in the security-information industry.

The revelations by Mr. Gabbard, many of which were confirmed by other former Wal-Mart employees and security-industry professionals, provide a rare window into the retail giant's internal operations and mindset. The company fired Mr. Gabbard, a 19-year employee, last month for unauthorized recording of calls to and from a New York Times reporter and for intercepting pager messages. Wal-Mart conducted an internal investigation of Mr. Gabbard and his group's activities, fired his supervisor and demoted a vice president over the group as well.

Mr. Gabbard says he recorded the calls on his own because he felt pressured to stop embarrassing leaks. But he says most of his spying activities were sanctioned by superiors. "I used to joke that Wal-Mart paid me to be paranoid and they got their money's worth," Mr. Gabbard says.

Wal-Mart says it permitted recording employee calls "only in compelling circumstances and with written permission from the legal department." But because pager messages were sent over a frequency that was not secure, Mr. Gabbard inadvertently intercepted pages from non-Wal-Mart employees as well. A U.S. attorney is investigating whether any laws were violated as a result of the phone and pager intercepts.

Aside from that possible infraction, Wal-Mart's surveillance activity appears to be legal. U.S. courts have long held that companies can read employee emails, and Wal-Mart employees are informed they have "no expectation of privacy" when using company-supplied computers or phones. The surveillance of people in public places is also legal.

Wal-Mart has always placed tight limits on what its employees can do while at work. For instance, it bars store employees from using personal cellphones on the job. Managers receive a list of email addresses and phone numbers their employees have communicated with, and a list of Web sites visited, according to current and former employees. And the company limits Internet access, blocking social-networking and video sites.

But Wal-Mart appeared to go beyond most companies in its sleuthing. It didn't just scan emails written on the corporate email system. Technology it was helping develop allowed it to view emails that employees sent to or received from private accounts such as Hotmail or Gmail whenever the employees were hooked into the Wal-Mart computer network, according to Mr. Gabbard and others with knowledge of the system.

The security operation and its surveillance technology "seems Orwellian," says Robert K. West, founder and chief executive of Echelon One, a security research and consulting firm composed largely of former corporate chief information officers. Other activities, like infiltrating critics' groups, went "beyond the scope of the typical information security organization," he says.

Wal-Mart declined to give details about its surveillance activities. A company spokeswoman, Sarah Clark, characterized its security operations as normal: "Like most major corporations, it is our corporate responsibility to have systems in place, including software systems, to monitor threats to our network and our intellectual property so we can protect our sensitive business information," she said. "It is also standard practice to provide physical and information security for our corporate events and for our board of directors and senior executives."

According to several former Wal-Mart employees, the company's roughly 20-person Threat Research and Analysis Group hunts computer hackers through cyberspace, trolls colleagues' emails looking for misbehavior or proprietary-data theft and tries to plug damaging information leaks. Members work on the third floor of the Wal-Mart's Bentonville, Ark., technology offices. They enter a separate glass-enclosed structure by holding the palm of their hand to a biometric reader that grants them access to a dimly lit work area. Colleagues call it the "Bat Cave."

The group "is no longer operating in the same manner that it did prior to the discovery of the unauthorized recording of telephone conversations," said Wal-Mart's Ms. Clark. "...We have strengthened our practices and protocols."

According to Mr. Gabbard, Wal-Mart began beefing up its electronic call surveillance after the Sept. 11, 2001, terrorist attacks in response to government requests to employers in general to help find terrorist cells. Mr. Gabbard says he was directed by two former FBI agents working for Wal-Mart to set up a system that could track any calls to and from Syria, Yemen and Iran, among other countries. The search was unsuccessful, only flagging an apparent call from Iran that turned out instead to be from an Indian jeweler, according to Mr. Gabbard.

Later, he says, he used the same equipment to intercept and record calls from the New York Times.

The electronic surveillance accelerated in October 2005 when confidential company memos began appearing on the Web site of a union-backed anti-Wal-Mart group, Wal-Mart Watch, according to Mr. Gabbard. One such memo suggested that because of rising costs and criticisms of its worker health insurance, the retailer should revise its policies by hiring healthier workers and requiring all jobs to perform physical activity, such as retrieving shopping carts.

Concerned about the leaks, Wal-Mart began working with Oakley Networks Inc., a developer of "insider threat management" gear to track employee and suppliers computer usage over its network, according to Mr. Gabbard and an industry source. One Oakley system is able to record an employee's computer keystrokes and deliver a TiVo-like replay of his or her computer activities, according to Tom Bennett, Oakley's vice president of marketing.

Oakley Networks confirmed the advanced capabilities of the system but says it doesn't identify customers apart from the U.S. Defense Department. The system goes beyond keystroke capture products and email filtering packages by "providing a view of content moving over your network," says Oakley's Mr. Bennett.

Protesters blasting Wal-Mart's health-care policies during the company's annual meeting last year.

Suspecting that the leaks of confidential memos might have come from McKinsey employees who had been working on a health-care project at Wal-Mart's Bentonville, Ark., headquarters at the time of the leaked memo, Wal-Mart's security experts used an Oakley device to monitor the McKinsey Internet activities, according to Mr. Gabbard and others.

Wal-Mart ultimately took no action. "We continue to work closely with McKinsey, and we have no evidence that anyone there ever inappropriately shared confidential information," Wal-Mart's Ms. Clark said Monday. McKinsey declined to comment.

Wal-Mart also used an Oakley product to monitor suppliers' use of the Wal-Mart network. Mr. Gabbard says that using the program that can monitor flesh tones on a computer screen, his team found a vendor downloading pornography and reported it to Wal-Mart and the vendor's executives. He doesn't know the outcome. Wal-Mart declined to comment on the incident.

Mr. Gabbard says he also used his computer skills to find information on Wal-Mart critics. In March 2006, he searched a South Carolina Democratic Party Web site for information on Nu Wexler, the spokesman for the anti-Wal-Mart group Wal-Mart Watch. Wal-Mart knew that Mr. Wexler planned to be in Northwest Arkansas during an annual company conference. Mr. Gabbard said he found personal photos of Mr. Wexler stored on a publicly available folder on the party's computer, which allowed Wal-Mart security to identify Mr. Wexler.

"Wal-Mart has far bigger concerns than my vacation photos," said Mr. Wexler, after being informed of the surveillance. "Someone would have had to dig for quite a while to find that link."

In late spring 2006, Wal-Mart learned that several anti-Wal-Mart groups might protest at the annual shareholders meeting in June. Company executives were concerned the civil-rights group Acorn (the Association of Community Organizations for Reform Now) and local Up Against the Wal members would disrupt its meeting. Wal-Mart sent a long-haired employee wearing a wireless microphone to Up Against the Wal's Fayetteville, Ark., gathering, and eavesdropped from nearby, says Mr. Gabbard. "We followed around the perimeter with a surveillance van," he says.

"It is not the company's policy to infiltrate organizations or events, and we would not condone any associate engaging in such activity," said Wal-Mart's Ms. Clark.

Wal-Mart also directed its surveillance operations at critical shareholders. According to a January 2007 memo reviewed by The Wall Street Journal, security units were asked to "do some preliminary background work on the potential threat assessment" of those submitting proposals to its June shareholder meeting, particularly those whose resolutions the company was trying to block. The list included proposals from a Boerne, Texas, religious group; the New York City Controller's office; and Sydney Kay, an 85-year-old, retired science teacher who submitted a resolution requiring that board nominees own at least $5 million in Wal-Mart stock, and his 93-year-old sister Hilda Kaplis.

"It is standard business practice to do an overall assessment for potential disruptions at a major event like our shareholders' meeting involving 20,000-plus people," said Ms. Clark.

Reached at his Dallas home, Mr. Kay scoffed at the notion he posed a threat to Wal-Mart's annual meeting. "I am a nobody," he said.

No comments: