CIA Corporate Spying

They’re leaving “the Company” to snoop on your company. How C.I.A. agents are pushing corporate espionage to ominous new extremes.

Douglas Frantz


In early September 2006, a vice president of Wal-Mart sent a highly personal email to his boss through what he thought was a safe email account. “My Gmail is secure,” Sean Womack assured Julie Ann Roehm, the company’s senior vice president for marketing communications. “Write to me. Tell me something, anything…. I feel the need to be inside your head if I cannot be near you.”

Roehm had persuaded the company to hire Womack only three months before. “I hate not being able to call you or write you,” she replied. “I think about us together all of the time. Little moments like watching your face when you kiss me. I loved your voicemail last night and love the idea of memory and kept thinking/wishing that it would have been you and I there last night.” Then she signed off, saying she had to take her two children to the park.

Unfortunately for Roehm and Womack, who were both married to other people, their intimate email exchanges would become public in a legal dispute between Roehm and their employer. Wal-Mart learned about the relationship while investigating Roehm for accepting gifts from an ad agency that received a huge contract with the retailer. Ultimately, Wal-Mart fired both execs for violating company policy and later accused them of carrying out a love affair on company time.

Largely overlooked in the furor was the role that Wal-Mart’s internal security department had played in digging up the salacious details. This department, a global operation, was headed by a former senior security officer for the Central Intelligence Agency and staffed by former agents from the C.I.A., the Federal Bureau of Investigation, and other government agencies. (See our Spy Slang guide) A person familiar with the episode said in an interview that an ex-C.I.A. computer specialist was involved in piecing together the email evidence–which included copies of Womack’s private Gmail messages, provided by his estranged wife–and that another former government agent had supervised the overall investigation.

Ex-government agents appear to be Wal-Mart’s investigators of choice. The retailer has emailed job listings to members of the Association for Intelligence Officers as well as posted ads on its site seeking to hire “global threat analysts” with backgrounds in intelligence. The job description for the analysts, who would have reported to a former Army intelligence officer, entailed collecting information from “professional contacts” to gauge threats from “suspect individuals and groups.” In practice, their responsibilities would have extended to gathering information about Wal-Mart employees, suppliers, and customers; Wal-Mart monitors shoppers for suspicious or potentially criminal activity. A Wal-Mart spokesman said the company does not comment on security matters.

Roehm sued the retailer for breach of contract over her firing but dropped her case in November. She has denied all wrongdoing, including the affair.

Sam Morgan, Roehm’s lawyer, declined to discuss the suit. But corporate espionage is becoming almost as sophisticated as government spying. Morgan said, “There is no right to privacy in the private-sector workplace.”

Roehm and Womack were unwittingly drawn into a new world of intrigue in which rivalries between superpowers have been replaced by global competition among the titans of capitalism, where companies use the most advanced techniques available to scrutinize competitors and employees alike. From New York and London to Moscow and Beijing, today’s corporations are venturing into a netherworld populated by former agents who have been schooled in the arts of detection and deception by the C.I.A., the F.B.I., Britain’s secret services, and the former Soviet Union’s K.G.B.  Instead of probing for state secrets or recruiting government ministers as double agents, these latter-day George Smileys are selling their old skills and contacts to multinationals, hedge funds, and oligarchs. They’re digging up dirt on competitors, ferreting out internal corruption, and uncovering secrets buried in the pasts of job applicants, boardroom rivals, and investment targets.

The best estimate is that several hundred former intelligence agents now work in corporate espionage, including some who left the C.I.A. during the agency turmoil that followed 9/11. They quickly joined private-investigation firms whose U.S. corporate clients were planning to expand into Russia, China, and other countries with opaque business practices and few public records, and who needed the skinny on international partners or rivals.

These ex-spies apply a higher level of expertise, honed by government service, to the cruder tactics already practiced by private investigators. One such ploy is pretexting–obtaining information by pretending to be somebody else. While private detectives have long posed as freelance reporters or job recruiters to get people to talk, former agents have elevated pretexting to an art.

At Diligence, a New York private-investigation firm founded by former C.I.A. and British agents, ex-intelligence officers have taught newcomers how to construct false identities by using fake business cards, creating phony websites, and directing incoming calls to cell phones reserved for each separate identity. “You are establishing a cover, like in the C.I.A.,” said a former Diligence employee, adding that there are people who know investigators only by their phony identities.

Similarly, ex-agents have helped popularize the use of G.P.S.-based monitoring devices and long-range cameras for following people around. One corporate-espionage technique comes straight from the C.I.A. playbook. In the constant search for the slightest edge, some hedge funds and investment companies have turned to a handful of private-investigation firms for a tactic that seems to fall between science and voodoo. Called tactical behavior assessment, it relies on dozens of verbal and nonverbal cues to determine whether someone is lying. Signs of potential deception include meandering off topic rather than sticking to the facts and excessive personal grooming, such as nervously picking lint off a jacket. This method was developed by former lie-detector experts from the C.I.A.’s Office of Security, which administers polygraph tests to keep agents honest and verify the stories of would-be defectors.

Don Carlson is the former chief executive of a Boston research-and-analysis firm, Business Intelligence Advisors, where ex-C.I.A. agents have turned the human-lie-detector technique into a business tool. Carlson said hedge fund managers have hired ex-C.I.A. polygraphers from B.I.A. to sit beside them as a company executive delivered a rosy business forecast. The former agents were supposed to signal the manager if they sensed that the executive was dissembling. Carlson said he is convinced that human lie detectors work, though others scoff at the notion.

B.I.A. did not return calls. But I was told that Cascade Investment, the vehicle set up by Microsoft founder Bill Gates to handle his wealth, was among the B.I.A. clients resorting to the human lie detector. Gates relied on B.I.A. investigators to analyze security risks in foreign countries that he and his wife, Melinda, plan to visit. Gates also employs a former C.I.A. agent as head of his personal security team.

Most of the ex-agents’ activities, from surveillance to lie detection, are perfectly legal. In the wake of the 2006 Hewlett-Packard scandal, detectives used pretexting to obtain the private telephone records of company directors, employees, and journalists. In an effort to track leaks to the media, federal law was tightened to prohibit using fraudulent means to obtain telephone records. Financial records were already off-limits. But federal law doesn’t forbid assuming a false identity to get other information–an area that ex-spies exploit.

Still, a few techniques favored by the spies-for-hire do appear to violate privacy statutes. One of these involves using “data haunts,” extreme methods of electronic monitoring such as tracking cell-phone calls and gathering emails by relying on secretly installed software to record computer keystrokes. An ex-C.I.A. agent described a group of his former colleagues who set up shop offshore so that they could tap into telephone calls–a practice prohibited by federal law–outside U.S. jurisdiction. “They call themselves the bad boys in the Bahamas,” he said.

Even some of the legal methods are controversial within the industry. Certain old-school firms won’t stoop to dumpster diving or stealing garbage–which is usually legal as long as the trash is on a curb or other public property–because they consider it unethical. They say that the prevalence of former intelligence agents in the field and the rise of unscrupulous tactics have tarnished a business that often struggles with its reputation. One longtime investigator complained that he recently lost business to some ex-C.I.A. officers who promised a potential client that they could obtain the phone and bank records of a target–something that is illegal in most cases.

The investigator told me that nearly every major security firm employs ex-agents, though most don’t break the law.
“But plenty of people are worried about the potential damage to all of us when someone gets caught,” the investigator says.

Penetrating the secret world of corporate espionage has never been easy, and spies are trained to leave no tracks. Still, when disputes like the Wal-Mart case become public, it’s increasingly likely that former intelligence officers are lurking in the background. For instance, in March 2007, Oracle, the software company, filed suit in San Francisco federal court against German rival SAP, accusing it of systematically and illegally downloading thousands of pieces of proprietary software. According to a source involved in the case, Oracle’s documentation featured an analysis by forensic computer experts who used to do top-secret work for the federal government. SAP’s chief executive, Henning Kagermann, acknowledged in July that “inappropriate downloads” had occurred, although he maintained that Oracle was not seriously harmed. The suit is pending.