Governments Sanction Hacking When It's In Their Favor

By Larry Walsh  |  Posted Wednesday, February 20, 2008 18:02 PM

Jerome Kerviel's scheme that cost France's Societe Generale more than $3.5 billion has drawn the world's attention to the threat of insider hacking, but it's the case of Heinrich Kieber that should get people's attention.

Kieber, a former employee of LGT Group, the largest bank in Liechtenstein, is suspected of leaking financial and banking data of people using the tiny country as a tax shelter. Worse, governments around the world may be paying this hacker for the information that could net tax evaders.

Germany reportedly paid Kieber for the data, which sparked a rapidly expanding tax scandal that has already caught several high-profile corporate and governmental officials suspected of evading the country's high taxes.

Several other governments, including the United States, are reported to be in possession of the data. It's unclear if any paid Kieber for it.

Liechtenstein, the tiny principality wedged between Switzerland and Austria, is one of the few remaining tax havens in the world for the rich and famous. Along with Monaco and Switzerland, Liechtenstein is a "non-cooperative" country when it comes to foreign tax investigations. In other words, if you park your money there, they won't tell anybody.

Kieber was accused of real estate fraud several years ago. At the time, he claimed to have sensitive banking records and threatened to release them if the charges weren't dropped. Prosecutors reportedly agreed to drop the charges if he returned the information. According to published reports, authorities now suspect that Kieber retained copies of the records.

This is yet another example of the insider threat. Trusted employees who require access to sensitive information always hold the potential of a serious--if not grave--compromise. However, how does this jibe when it comes to whistle-blowing?

In 2002, an employee at a government data center in New Mexico tipped off the plaintiffs in a multibillion-dollar lawsuit against the Department of the Interior that sensitive Native American data was being insecurely transferred to a new facility in Virginia. Lawyers for the plaintiff, Eloise Cobell, sought and received an injunction against the government, which resulted in the Bureau of Indian Affairs being disconnected from the Internet for several years until the government could prove its data was secure. The data center worker was protected against retribution under government whistle-blowing laws.

If governments like Germany are willing to pay hackers such as Kieber for information that leads to criminal prosecutions, what's to stop others from tapping valuable data for potential rewards? Are they whistleblowers?

Jonathan Zittrain, co-founder and co-director of the Berkman Center for Internet and Society at Harvard Law School, says confidentiality and contractual agreements may expose those who leak sensitive data to criminal and civil penalties. "I imagine that someone whose data has been leaked by a private party may still find him or herself in legal trouble even if the data establishes wrongdoing," he said.

In other words, the ends don't justify the means or provide a shield against retribution.

If Kieber manages to stay free and unscathed by selling financial data to sovereign governments, there will undoubtedly be more who follow in his footsteps. And, I suspect, they'll mount a vigorous whistleblower defense if they're prosecuted for hacking. How do you think a jury will rule on that?