Former Tiversa employee at center of House probe of Pittsburgh firm
A Pittsburgh cybersecurity company that collects millions of files shared on global networks has become embroiled in a congressional investigation supported by a former employee-turned-whistleblower.
Richard Wallace, 41, of Harmony, Butler County, said he never wanted to speak out against Downtown-based Tiversa Inc., but he was in danger of contempt charges if he refused to cooperate with congressional investigators. He is represented by Mary Beth Buchanan, the former U.S. Attorney for Western Pennsylvania who works for the Bryan Cave law firm in New York.
“I didn't go looking for a fight,” Wallace told the Tribune-Review in his only interview since testifying last month before the Federal Trade Commission. “I only responded to subpoenas, and I had not said anything to anyone outside of my counsel. I didn't want to say anything, but I didn't have any choice.”
The House Oversight and Government Reform Committee is investigating claims by Georgia-based cancer screening company LabMD that Tiversa accessed confidential information from its computers through an employee's inadvertent file-sharing and sought to provide cybersecurity protection for LabMD to stop the data from being dispersed. LabMD sued Tiversa in 2011.
“Rather than the cyber ‘white knight’ Tiversa purports to be, the company often acted unethically and sometimes unlawfully in its use of documents unintentionally exposed on peer-to-peer networks,” the Oversight Committee reported.
Tiversa denies the allegations and has filed a civil suit against LabMD, Wallace and others in Allegheny County Common Pleas Court.
“Tiversa is an innovative and successful Pittsburgh-based company that protects individuals and organizations from cyber threats,” the company said in a statement to the Trib. “The charges in the (House Oversight) staff report are 100 percent false.”
Tiversa said Wallace's statements cannot be trusted, citing among other things multiple arrests for driving under the influence. In the last case, Wallace pleaded guilty in February, court records show, and he confirmed it to the Tribune-Review.
People typically use peer-to-peer networks to share music, movies, software and other large files. Occasionally, they end up sharing personal data and other secrets by accident.
Touted as the Google search engine of file-sharing, Tiversa collects almost all of that data — connecting to millions of computers per second across 2,800 global networks, the Trib reported as part of its ongoing, award-winning CyberRattling investigative series. The company searches for information about its clients to protect their data and prevent personal identity theft.
The Oversight Committee report cites information from Wallace and raises concerns about how Tiversa uses the information it finds about companies that are not its clients. The committee withheld its report from the public until Wallace testified before the FTC.
Wallace worked at Tiversa from 2007 to early 2014.
When Tiversa found information on HIV/AIDS patients at a Chicago clinic, the report says, the company called the patients to try to get the clinic to hire Tiversa. When the clinic refused, Tiversa gave the information to a lawyer who filed a class action lawsuit, Congress reported.
In the LabMD case, the committee report says, Tiversa found information on 9,000 patients and reported the findings to the FTC. Tiversa also had information about a breach at the House Ethics Committee on investigations into members of Congress, the report says, adding that Tiversa sought media publicity for the leak.
“In order to protect clients from cyber risks, security companies like ours search the Web to be sure none of our client information has leaked,” Tiversa told the Trib. “While searching, it's not uncommon to find sensitive or confidential information that belongs to people who don't even realize their information has leaked.”
There's nothing legally or ethically wrong with anyone using publicly available information to identify a computer breach or vulnerability and then to ask for money to fix it, said Michael Shamos, a lawyer and professor at Carnegie Mellon University's School of Computer Science. Such so-called “white-hat hackers” make a living by finding software problems and then contacting companies for a fee to fix them, he said.
“It's difficult for me to see what the wrong thing is here,” Shamos said. “It's not a shakedown. It's an offer of a service. That's possibly unwanted, but because there's not a threat there, I don't see anything wrongful in it.”
It might be a valuable function to discover that a company's secret information has been disclosed, but it's harder to make a case for what to do with that information, said Brian Nussbaum, a cybersecurity professor at the University of Albany in New York.
“There is clearly often a difference between what is legal and what is ethical,” he said, “and between what is profitable and what is ethical.”
Andrew Conte is a staff writer for Trib Total Media. He can be reached at 412-320-7835 or andrewconte@tribweb.com.
