Michael Daugherty has been a fly in the Federal Trade Commission’s ointment ever since his cancer diagnostics company, LabMD, fell into the FTC’s crosshairs in 2008. The case was based on false evidence, he claimed, but his opportunity for recourse was held up until June 2019, when discovery information, including formal depositions related to the case, was filed in the Southern District of New York.
Now, Daugherty has in his possession the depositions and other evidence he needs to take on the FTC, FBI, DOJ, and DHS. On September 4, 2020, Daugherty filed damage claims against all of these agencies on behalf of LabMD and himself, in what he says is the first step of formally filing suit against them.
In their totality, his claims charge that the FBI and DOJ gave a powerful hacking tool to Tiversa (an unreliable source that wasn’t vetted) and covered it up, while the FTC falsified evidence. He claims also that the DHS failed to verify facts and evidence related to the case, and worked with a researcher at Dartmouth College to conceal evidence of wrongdoing.
“I know people didn’t believe me, but this stuff is happening,” says Daugherty. “I myself didn’t truly believe it until I saw the evidence gathered in discovery.”
Daugherty’s claims against these agencies are the culmination of a long and sordid story that goes back to 2007, and is best described in a lengthy and well-researched article in New Yorker Magazine.
Sharing Tools
What’s missing in the New Yorker story is that the FBI gave a powerful spying tool to questionable and sketchy people working at Tiversa, where the founders had no security or technology background, and which itself is now under investigation.
The FBI’s tool, called EP2P, was a modified peer-to-peer networking tool that permitted agents to download a file from a single source, learn the general location of the source, and facilitate the identification of child pornography through hash comparisons and other techniques.
In the discovery files that were produced in 2019, Bob Boback, the Tiversa CEO at the time, said in recorded testimony that FBI agent Gregg Frankhouser in Pennsylvania gave EP2P to Tiversa’s CTO on a USB stick in 2007 to use in child porn investigations. Evidence also shows that Tiversa employees used EP2P to reach into the LabMD computer and take sensitive patient data out of the company. This is the sensitive data used in the FTC case that ultimately put LabMD out of business.
Untrustworthy
Daugherty’s claims say that Tiversa was not vetted to be a trustworthy agent of the tool. Tiversa was ultimately raided by the FBI in 2016 after Rick Wallace, Tiversa’s director of special operations, testified that he was ordered by Tiversa’s CEO to falsify records on how the data was collected, changed and stored.
In the testimony recorded in 2019, Tiversa executives hedged and dodged questions but ultimately, their answers reveal that:
- Records were taken off of hundreds of private servers using the FBI hacking tool and keywords specific to the tool.
- Mary Beth Buchanan, attorney for the Western District of Pennsylvania at the time, paid Tiversa’s Richard Wallace to use the FBI’s EP2P tool in search of kiddie porn.
- The agents provided no direction, follow-up or supervision on how the tool was being used by Tiversa.
- Some of Tiversa’s cover-up efforts were directed by the FTC, such as setting up a shell company, The Privacy Institute, to park the illegally obtained data without identifying Tiversa as the source.
Cover Up
By the time Richard Wallace blew the whistle on Tiversa’s malpractice in 2015, Mary Beth Buchanan, U.S. attorney for the Western District of PA, had left the government and gone into private practice. As a private attorney working for a respected law firm, she talked LabMD’s Daugherty into letting her provide legal counsel in a re-direct examination of the whistleblower, Richard Wallace.
Daugherty says he and his lawyers believed her when she told them that she’d open the kimono and allow Wallace to reveal all evidence during his protected testimony. However, in her redirect, it is plain to read that she omitted questions about the EP2P tools issued by the FBI; and she neglected to bring up Tiversa’s shell company, The Privacy Institute, thus protecting the FTC.
Instead, Wallace was directed to say they were “using a standard, off-the-shelf peer-to-peer client, such as LimeWire or BearShare or Kazaa or Morpheus ...”
“This was a clear case of gaslighting. We trusted that Mary Beth Buchanan would do the right thing, and yet we see that she physically went to the Federal Trade Commission, made a deal, and hushed things up,” Daugherty says.
Impact
In June 2018, Daugherty won his first case against the FTC, which was also a win for businesses. In that case, the judge ruled that the FTC or any other government agency cannot dictate private sector security. As a result, however, the FTC this month announced it has recently tightened up its breach and security requirements so that it can dictate security follow-up in the case of a breach, something Daugherty says organizations should be wary of.
“This is bad news for CSOs, especially when you consider the criminal case the FTC and FBI are mounting against Joe Sullivan, Uber CSO,” he warns. “You don’t want government agencies dictating the security of your systems when they don’t even know how to secure their own.”
He also cautions that CSOs should not roll over to aggressive federal actions, especially if the actions are based on faulty evidence. Complacency in cases like these, he says, sets an example to any abusers in these agencies that they can get away with this type of activity against other businesses.
For now, the agencies have six months to respond to Daugherty’s complaints before he files formal suits against them. Meanwhile, Tiversa has disbanded but its employees and founder are still under investigation. And Tiversa executives will still have to answer to Daugherty, who plans to file civil suits against them in the 11th Circuit, which has jurisdiction where LabMD was based.