Because I used to work in Wal-Mart's IT Security department, news of the phone-taping/eavesdropping scandal reached me just minutes before the story broke. I remember thinking, "this simply can't be happening."
Let me back up for a minute. I worked in Wal-Mart's IT Security team for a number of years and am familiar with the people at the center of this story. To me, Wal-Mart is not a faceless behemoth company. Rather, it is all about faces and relationships. You know -- good people just trying to do their jobs. I think that in many ways, Wal-Mart gets a bum rap and that the public assumes that Wal-Mart is run by a horde of evil drones seeking world domination. This eavesdropping situation will, no doubt, be used to set forth or reinforce such ideas.
So, this is my attempt to make sense of what may have happened. You should note, however, that I have not spoken to anyone at Wal-Mart regarding this. The ideas set forth here are purely based on my perspective as someone who used to work in Wal-Mart's security group and with the people involved.
Human nature run amuck?
As I said earlier, I am reasonably sure that there is no Dr. Evil at work here. Instead, I believe that this incident is a case of human nature running amuck -- a legitimate investigation that got out of hand.
Based on the stories I read, this seems to have two components: 1) monitoring and recording of phone calls between Wal-Mart's PR department and a New York Times reporter; and 2) intercepting message traffic from portable devices.
In my estimation, the initial monitoring of PR calls seems very targeted -- so that may have very well been part of an official internal investigation (though it may or may not have been authorized appropriately). Indiscriminate monitoring of wireless traffic for both employees and non-employees, however, seems to be clearly out-of-bounds. This is probably the result of the "systems technician" being over-zealous.
I believe that what we are seeing here is symptomatic of a larger issue facing the security and privacy community. Let's face it, the cloak-and-dagger aspect of penetration testing and investigation has a certain appeal to it. These jobs attract naturally curious and creative individuals who enjoy the thrill of the hunt and the challenges associated with solving complex problems -- the very essence of the original use of the word 'hacker.' But without proper and strict oversight, the employees engaged in these activities can easily give in to natural human curiosity and step over the line of acceptable and authorized behavior.
How could this have been prevented?
The old axiom "who will watch the watchers?" is valid and applicable here. What seems to have been missing is a system of checks and balances; in short, oversight.
The news reports I read indicated that Wal-Mart's legal team had not signed off on the telephone monitoring. If so, this is an error in process which led to inappropriate monitoring of conversations. Note, however, that Wal-Mart notifies employees in no uncertain terms that it has the ability to monitor telephone and computer traffic. In my opinion, employees should expect it. But in this case, it is apparent that the process for authorizing telephone monitoring may not have been followed.
The second issue is related to the monitoring of wireless traffic. Again, this seems to be related to issues in process/oversight. The reports speak of the monitoring of pages and text messages; I believe that these are most likely blanket terms being used to refer to 802.1x and Bluetooth protocols. If the "systems technician" also engages in penetration testing for the company, he/she would have the tools to intercept this type of traffic.
Just because the tools can be used appropriately in one context does not automatically mean that they should be used in other contexts (i.e. corporate investigations). In this case, it appears that non-employee traffic was intercepted as a result of using these tools. Frankly, in an open area, this would be difficult (if not impossible) to prevent. There should have been processes and procedures in place to address this scenario (for example, purging the data immediately; ceasing the monitoring activity immediately; etc.).
This incident is a good illustration of why some companies conduct routine background checks and audits of their security personnel. "Old school" security concepts such as separation of duties and job rotation are proven and effective ways of helping to prevent these types of situations. Further, security professionals should receive copious training (formal or informal) related to ethical and legal issues which may arise in the course of one's employment.
(Please note: by raising the issue of specific preventative measures, I am not implying that Wal-Mart did not have preventative measures in place. They may have. Another reality that we have to face here is that situations such as these can spin out of control very quickly. There is no substitute for sound judgment and good decision making skills.)
And now?
The world is in a security and privacy renaissance; ethical questions related to government and employer surveillance are being raised and re-raised. Security and privacy advocates exist on both sides of the debate -- such is our post-September 11 society. My prediction is that the Wal-Mart eavesdropping story will be in 2007 what the HP 'pretexting' story was in 2006. The ensuing investigation will likely play out on a grand stage involving governmental agencies, privacy rights advocates, and legislative action.
Perry Carpenter, a Computerworld.com blogger, is an information security and privacy manager with a background in application development, identity management, marketing analytics, and data privacy.