Who’s bugging you? What You Need To Know About Workplace Electronic Eavesdropping.
By Frank Faulk IV, CPP
Manager of Technical Services at Diversified Risk Management, Inc.
It’s especially daunting when the private communication was with those you trust unconditionally. You must then wonder whether your communication was bugged.
We all watch movies and television; bugging seems commonplace in many crime and detective shows. They always make it seem much easier on TV. The plot of a show such as CSI Miami might include a forensic test or run a bug sweep in one or two minutes that, in reality, would have taken hours or even days to complete.
We frequently perform Technical Surveillance Counter Measure (TSCM) sweeps to detect electronic eavesdropping devices, or “bugs” for our clients around the world.
A host of covert technologies now provide corporate spies many ways to initiate illegal eavesdropping. Many years ago, the “phone bug” was literally one of two such technologies. Eavesdroppers were once limited to (1) either a miniature transmitter installed in a telephone, powered by the telephone itself and monitored by a receiver somewhere in relatively close proximity, or (2) a traditional “wire tap” which used a direct connection or inductance loop to monitor the actual phone wire that connected your telephone to the phone utility provider, usually outside your building. The latter could be installed at the phone company, on a telephone pole, on the exterior of a building where phone lines enter your facility (aka “Demark”), or anywhere within the building where your phone lines are routed.
Recent advances in illegal eavesdropping devices make their detection much more challenging.
When we conduct TSCM sweeps, we have a list of basic questions and procedures with which to start the process. We initially discuss with our client all aspects of their concerns, to narrow the search to the most likely places where leaks of information may have occurred. These could have been from a particular office or group of offices or a certain room. They also could have been caused by someone accessing email. We first focus on, and attempt to eliminate or illuminate, the most probable technologies that could be violating the security of your company.
Next, we cover the basics of wire taps, radio frequency (RF) transmitters, inductance modules, microphones and even, sometimes, covert cameras. (While covert cameras are easy to hide, they don’t often provide the echelon of confidential information normally the target of eavesdroppers.)
Because of the Internet and all its capabilities, we evaluate your Local Area Network (LAN) and Internet access to identify any potential vulnerabilities; this is a multi-level process. When we first begin electronic counter-surveillance, we monitor RF signals from various points around the perimeter of your building. Depending on line-of-sight from the structure, this could be immediately in the street and rear alley adjacent to your building or from hundreds of feet away. This is done so we can first identify and make a record of any radio frequency traffic being transmitted as we arrive, to obtain a picture of your normal, existing ambient radio-wave traffic and RF signal strengths from outside your building. Therefore, if we later detect a matching radio frequency from within, at higher signal strength, we have quickly identified a “hot” transmitter.
When we meet with clients, we try to assess the potential sophistication of those suspected of eavesdropping. Sometimes, very simple devices are used; any number of eavesdropping and recording devices can be purchased online or in electronic stores. Legal to buy, these are usually illegal to use unless done so with openly displayed disclaimers giving informed implied consent to all those in their proximity. Many states have laws similar to the following:
California Penal Code §§ 631, 632: It is a crime in California to intercept or eavesdrop upon any confidential communication, including a telephone call or wire communication, without the consent of all parties.
It is also a crime to disclose information obtained from illegal eavesdropping. However, an individual can be convicted without disclosing any information, whatsoever. The simple act of intercepting or recording private information meets the standard for prosecution. Two appellate courts have held there is neither a disclosure nor publication requirement for violation of the Privacy Act (in California) by recording confidential communications without consent.
Coulter v. Bank of America, 28 Cal. App. 4th 923 (Cal. Ct. App. 1994).
Marich v. MGM/UA Telecommunications, Inc., 113 Cal. App. 4th 415 (Cal. Ct. App. 2003).
The more professional the breach, obviously, the harder it is to locate the devices.
The more sophisticated planters of bugs usually place multiple bugs. First, they want to ensure they will get every bit of any conversation and, secondly, they expect someone to “find a bug” and then quit further searching Therefore they install one that is relatively easy to locate, then one much better hidden, and then one that is extremely hard to find; a rule of thumb is that the amateur eavesdropper plants one or two, and professionals, three or more.
With all of the technologies available today, illegal bugging has a host of options that make eavesdropping relatively simple for determined perpetrators.
What should do you do if you believe your company is being bugged? Start with what you know, and analyze why you have such suspicions. Try to identify if the information leak could have been a simple “slip of the tongue” or if too much confidential information has, indeed, made its way to the wrong people. Next, try to remember where the information (conversation or data) was when it may have been intercepted. If you can narrow the breach to a particular office or group of offices, look for anything that is new, recently repaired, or out of place.
If you do not find anything in your initial cursory search of the area, and you believe you are being bugged, you should leave the building, borrow someone else’s cell phone and call a competent, professional firm with the capability to immediately ferret out your problem. At the risk of verbalizing the obvious, we ask that you never discuss your suspicions of eavesdropping in any of the suspected areas, on any of the telephones in your company’s buildings or on your own cellular telephone, and do not use your home phone.
What happens when we do locate a bugging device on your property?
For one thing, we can become creative. If we identify specific bugs, we can then determine how they are being monitored: live, recorded, locally, or remotely; at that point, we will be prepared to discuss options with you (and, to provide the important shields of “attorney work product” and “attorney client privilege”, we recommend involving in this discussion your labor and employment attorney). Sometimes the best course of action may be to immediately involve the police; other times, we may wish to continue the investigation ourselves with your attorney at the controls; we could input specific and erroneous information in a way that would possibly illuminate the user. All your options, all your potential remedies should be carefully considered. A successful case often involves prosecution of the perpetrator.
Remember, if you or your associates are discussing confidential information, remind them that the conversations are indeed confidential and proprietary business information, and make every attempt treat it carefully. Make sure your email is kept secure; log-off your computer when you leave your office space (it only takes a few seconds to read your email) and keep close track of who is, and who is not, privy to any confidential or proprietary information. Make sure trusted associates understand the sensitivity of the information and that they too, are charged with the responsibility of making every effort to kept it privileged and secure.
It is our sincere hope that your firm never has an electronic eavesdropping event, but if you suspect this may be the case, don’t hesitate to call professionals with the equipment, know-how and ingenuity to solve your problem by not only finding the object, but also apprehending the criminal who put your firm’s assets and security at risk.
About the Author:
Frank R. Faulk, IV, CPP is board certified in Security Management; as Certified Protection Professional (CPP) by ASIS International (formerly the American Society of Industrial Security) and is a Computer Forensics Expert. As Manager of Technical Services at Diversified Risk Management, Inc. Mr. Faulk is responsible for conducting comprehensive forensic computer investigations, and performs physical security surveys. He is a longstanding member of the Security Analysis & Risk Management Association and is currently a Board member of the San Fernando Valley ASIS Chapter. Mr. Faulk can be reached at 800.810.9508 or by e-mail.