Saturday, April 11, 2015

Open question to Prof. Brandon L. Garrett

Brandon L. Garrett
Roy L. and Rosamond Woodruff Morgan Professor of Law
University of Virginia School of Law
Charlottesville, VA

Re: Too Big To Jail

Dear Professor Garrett:

You have done an immense service with your research and the writing of your 2014 book Too Big To Jail: How Prosecutors Compromise With Corporations.

Your book jacket provides this synopsis:
American courts routinely hand down harsh sentences to individual convicts, but a very different standard of justice applies to corporations. Too Big to Jail takes readers into a complex, compromised world of backroom deals, for an unprecedented look at what happens when criminal charges are brought against a major company in the United States.

Federal prosecutors benefit from expansive statutes that allow an entire firm to be held liable for a crime by a single employee. But when prosecutors target the Goliaths of the corporate world, they find themselves at a huge disadvantage. The government that bailed out corporations considered too economically important to fail also negotiates settlements permitting giant firms to avoid the consequences of criminal convictions. 
Presenting detailed data from more than a decade of federal cases, Brandon Garrett reveals a pattern of negotiation and settlement in which prosecutors demand admissions of wrongdoing, impose penalties, and require structural reforms. However, those reforms are usually vaguely defined. Many companies pay no criminal fine, and even the biggest blockbuster payments are often greatly reduced. While companies must cooperate in the investigations, high-level employees tend to get off scot-free.

The practical reality is that when prosecutors face Hydra-headed corporate defendants prepared to spend hundreds of millions on lawyers, such agreements may be the only way to get any result at all. Too Big to Jail describes concrete ways to improve corporate law enforcement by insisting on more stringent prosecution agreements, ongoing judicial review, and greater transparency.

The problem of corporate wrongdoing looms large for the American people. It spills into the political arena, where there is increasing noise about a "rigged economy," "corruption of government," and "why aren't corporate officer and director malefactors going to jail?"

I think your book is superlative in laying out the great complexity of the corporate wrongdoing problem and the great difficulties encountered by society in lessening the same.

The law, developed in simpler times, has principles that liability or criminality should attach if and when members of society commit wrongful or criminal acts that harm other members of society. The law sometimes ascribes relevance to degrees of culpability (e.g., willful, gross negligence, negligence, no fault, etc.), and to the perpetrator of the acts benefitting from the acts that have harmed others. The law, developed in simpler times, carries out two objectives: (i) deterrence through punishment and (ii) justice, in that those who have been harmed should be compensated by those whose acts caused the harm, which second objective also supports the first objective.

The principles, developed in simpler times, become horrendously muddled in our extremely complex times of corporations.

We sort of know that acts of corporations are done as a result of acts of human beings, that deterrence can operate only if those human beings are deterred from doing the acts, and that any relevance of perpetrators benefitting from wrongful acts should properly be traced to the human beings who are benefitted.

I think it is a great understatement to say society is having immense difficulty in figuring this out.

Let's say, however, that your prescription for "concrete ways to improve corporate law enforcement by insisting on more stringent prosecution agreements, ongoing judicial review, and greater transparency" is the way our country should go regarding this exceedingly difficult problem.

My question for you is, "From whence will come the needed will and motivation for the country to carry out your recommendations?"

First, you are likely to have great difficulty in developing a great consensus of your fellow academics that such is the way our country "should go" on the exceedingly difficult problem at hand. I think that is probably not going to happen, and I am going to jump over what might happen if all of academia agreed with you.

Jumping over that, I wish to turn to consideration of the important actors in our country who have significant powers and influence to act on your prescriptions. These actors include lawmakers, judges, regulators, state attorneys general, criminal prosecutors, corporate management, ethics and compliance officers, corporation lawyers, plaintiffs' lawyers, defense lawyers, tort reform organizations, and consumer protection organizations.

My experience in dealing with these actors is that they are impaired in their will and motivation for carrying out steps to advance the public interest, because they have private interests relative to the subject matter which prevent them from acting solely with consideration of the public interest.

I learned this, in part, through my efforts at a project which I denominated as Project to investigate diverse perspectives on entity vs. individual liability.

I made an attempt to summarize what I learned at Interim project report (draft).

Relative to those private interests, here is what I said:
While many interested parties have declined to comment or take a position on the issue, I don't think anyone has taken the position that entity level liability is sufficient by itself for trying to deter corporate wrongdoing and that officer and employee individual liability should be dispensed with as a tool.
There is a constituency in the ethics community that would prefer no intrusion of the law and regulators into corporate affairs and that would like self-policing alone to suffice. Some of this constituency may have such a strong preference and belief that they would advocate relying entirely on self-policing. Currently, it seems clear that lawmakers, regulators, prosecutors, judges and others are not going to go along with that.
While no interested party seems to be prepared to take the position that entity level liability is adequate by itself, there are reputable commentators who are clear in a belief that entity level liability alone is not sufficient and are open advocates of individual liability. For example, see the March 21, 2009 email here in response to this email inquiry I made regarding the Vioxx litigation of several years ago.
Gretchen Morgenson, the author of Reckless Endangerment: How Outsized Ambition, Greed and Corruption Led to Economic Armageddon, has been very vociferous in complaining about officers, directors and employees not being held accountable for things that went on during the financial crisis. See this entry.
Last May I started raising the question whether the Obama administration was shifting to targeting individuals. See this entry. Three Wall Street Journal articles at the time were suggestive that this was the case. See this, this, and this.
The Ethics Resource Center endeavored in 2010 to engage with federal enforcement officials related to the ERC's white paper Too Big To Regulate: Preventing Misconduct in the Private Sector. This white paper was predicated on a view that recent events had raised "significant" questions about the effectiveness of government regulation and the ability of regulators to prevent misconduct. The paper listed eight such questions, the last of which was one of possible resignation, to wit: "Have we simply reached the point where regulating corporate conduct is an impossible job?"
The paper did a lot of circling around the government's enforcement approach and the corporation's self-regulatory approach. The paper covered numerous points and issues, variously supportive of and questioning of the two sides. The paper acknowledged that differences persisted and called on the two sides to continue to try to bridge the gap.
I wrote this email to the Ethics Resource Center and this email to the government officials that urged consideration of the issue of entity level versus officer and employee liability as means to try to deter corporate wrongdoing. These emails produced no response.
Generally, I have encountered widespread disinterest.
In some cases, it seems clear that parties who should have an interest in my project are not interested in responding to me, because it does not entirely suit their interest to respond or because they have other, more important interests.
For example, in the case of state attorneys general, entity level liability has important publicity value to them, and I believe that reduces their interest in determining their position on the issue of entity level liability versus officer and employee individual liability as a means to deter corporate wrongdoing. State attorneys general also have significant "turf" issues vis-a-vis the United States Justice Department that are of much greater priority for them. See this link and this link (no response received to the email in the latter link).
Corporate management I am quite sure has little interest in responding to a project like mine that asks questions that may lead to suggestions for altering the legal machinery to increase officer and employee individual liability in connection with corporate wrongdoing.
Plaintiffs' lawyers have a huge financial interest in entity level liability, so much so that, thus far, I have made little effort to contact them regarding my project. Defense lawyers rake in millions of dollars defending against the plaintiffs' lawyers, and it is not in the interest of the defense lawyers to scrutinize the deterrence value of entity level liability.
I think corporate ethics officers, including the Ethics & Compliance Officer Association, are not able to respond very well, because they cannot diverge publicly from views of their corporate management bosses who, as mentioned above, want to stay away from anything that might lead to increasing officer and employee liability.
Consultants in the business ethics field have been non-responsive to my project. This is probably due to there being little revenue potential for them from my project and follow up that might grow out of my project, such as efforts to educate and persuade lawmakers, judges, and state attorneys general regarding the subject matter.
Back to my question to you:

Lawmakers, regulators, and prosecutors are a chief source of power to implement your prescriptions.

I think they, however, are bought, compromised, or otherwise impaired, and they will not have the will to exercise their power to implement your prescriptions.

What do you think?

Tuesday, March 4, 2014

Birmingham Business Journal

From: RDShatt@aol.com
To: acole@bizjournals.com
CC: jwelker@bizjournals.com, ccrawford@bizjournals.com, constitutentaffairs@ago.state.al.us, jlcarrol@samford.edu, krandall@law.ua.edu, dnabers@samford.edu, tim.mazur@theecoa.org, pat@ethics.org, roy.snell@corporatecompliance.org
Sent: 3/4/2014 6:57:55 P.M. Central Standard Time
Subj: "Experts say more law firm shakeups to come"

Dear Ms. Cole,

Your above news article appearing on page 4 of the February 21, 2014 issue of the Birmingham Business Journal has "offshoots" and "inputs" regarding things going on, which I would like to discuss for your information.

Obviously, as your article suggests, the legal profession is under pressures from an economy struggling to recover from the financial crisis. Professor Strickland refers to "less legal work to go around." Recent law school graduates are having a tough time in the job market.

Lawyers are hardly the only workers struggling in the United States economy. Millions of Americans are up against the effects of "globalism" playing out in the economy, including job creation and wage levels. Changes in the health care field are causing many doctors to leave their profession early, notwithstanding projected future shortages.

When significant economic dislocations are happening, those who are in good positions under the status quo work to shore themselves up and resist changes that may adversely affect their good positions.

This is going on in the legal field.

An area of law practice I have been interested in as a commentator and critic for more than a decade is that of plaintiffs' lawyers.

That group seems to have well fortified itself, and it seems there is no stopping them.

If that sounds as if I am anti-plaintiffs' lawyers, I am, and I have had a blog called How To Combat Plaintiffs' Lawyers to show for it.

My involvement with the subject has led me down a path for several years in which I have been arguing that plaintiffs' lawyers undermine business ethics and are counterproductive to lessening corporate wrongdoing.

If that sounds as if it cannot be right, and you want to understand why I am saying it, you may start by reading my article Does the Civil Liability System Undermine Business Ethics?

But I don't want to bog you down, so let me connect up with the aforesaid "offshoots" and "inputs" regarding things that are going on.

I have initiated a proposal that state attorneys general offices should expand and hire more lawyers on a salaried basis to take over legal work being done by plaintiffs' lawyers. The basis for this proposal is that I think society's interest in curbing corporate wrongdoing would be better served if my proposal was followed. I have been making this proposal to the Alabama Attorney General's office for a couple of years. You can see this here.

Notwithstanding numerous communications by me to the Alabama Attorney General's office, I have not received any response from his office about my idea.

An object of the proposal would be to switch excessive riches going into the pockets of a small number of plaintiffs' lawyers, to instead being used by state attorneys general offices to hire and pay salaries to a much larger number of lawyers to carry out society's mission of trying to lessen corporate wrongdoing.

Law schools are struggling, as well as their recent graduates. Law schools should be receptive to ideas that could both employ more of their recent graduates, and also better serve societal interests in lessening corporate wrongdoing. I have written to the dean of the Cumberland Law School (who is quoted in your article) and the dean of the University of Alabama law school (see these emails), but I have not received a response.

The path I have gone down has included trying to enlist the aid of corporate ethics and compliance officers to exert themselves regarding my contentions, but this has had little avail.

Locally, I sent an email to The Honorable Drayton Nabers, former Alabama Supreme Court Chief Justice, who is the newly appointed Director of the Frances Marlin Mann Center for Ethics at Samford University. I asked Justice Nabers how I could more effectively promote my advocacy in Alabama. I haven't received a response.

I can appreciate that my above idea is long range. It entails persuading legislative bodies and judges about my contentions that plaintiffs' lawyers undermine business ethics and are counterproductive to society's mission of lessening corporate wrongdoing, and that legal work of plaintiffs' lawyers should be shifted to salaried lawyers at state attorneys general offices (and the offices of other regulators and prosecutors). Such persuading would need advocates, such as corporate ethics and compliance officers. If persuaded, legislative bodies and judges would then need to act in ways that would work towards effectuating the idea.

Given how daunting the foregoing is, I can understand the lack of response I have encountered, including locally the lack of response from the Alabama Attorney General, the deans of the Cumberland and University of Alabama law schools, and former Chief Justice Nabers.

I doubt that the Birmingham Business Journal can make much of this as a news story, but I don't see any harm in sending you this email, with copies to parties who should be active on this, in order to keep this matter in front of those parties.

By the way, have you noticed an increased number of TV ads soliciting medical patients in umpteen different categories of bad drug reactions and medical treatments and procedures that had adverse ramifications? That's the plaintiffs' lawyers hard at work to shore up their privileged position in the status quo. I have leveled my critique at this as strenuously as I can. When the Alabama Attorney General, and the Alabama legislature, and law schools, and corporate ethics and compliance officers will delve more vigorously into what is going on related to society's effort to lessen corporate wrongdoing (and compensate victims) is something they will face up to when and as they decide to do so.

Thank you very much if you got through this overly long email.

Sincerely,
Rob Shattuck
3812 Spring Valley Circle
Mountain Brook, AL 35223
(205) 967-5586

Sunday, January 19, 2014

Another appeal to State Attorneys General

From: RDShatt@aol.com
To: jmcpherson@naag.org
CC: constitutentaffairs@ago.state.al.us, KDarcy@theecoa.org, pat@ethics.org, roy.snell@corporatecompliance.org, inboardroom@nacdonline.org, fja@federaljudgesassoc.org, peter.koelling@americanbar.org, aja@ncsc.dni.us, feedback@naag.org
Sent: 1/19/2014 9:27:00 A.M. Central Standard Time
Subj: Another appeal to State Attorneys General

Dear Honorable State Attorneys General (c/o Mr. Jim McPherson, NAAG Executive Director)

I am sending this email in a continuation of my efforts to influence those who play significant roles in society's efforts to lessen corporate wrongdoing. Those who are copied on this email include the Alabama Attorney General's office, the Ethics & Compliance Officer Association, the Ethics Resource Center, the Society of Corporate Compliance and Ethics, and the National Association of Corporate Directors (which is conducting this Leading The Way national initiative to restore public and investor confidence).

From my perspective, notwithstanding that there is a common goal to lessen corporate wrongdoing, it appears there is a lot of stovepiping that goes on and a slowness to consolidate a moral force.

As an example, the corporate ethics and compliance community has been importuning Federal regulators in a way that I believe is narrowly focused on pet ideas of the former. For elaboration of this, see this entry in my blog.

The corporate ethics and compliance community could make a similar importuning of State Attorneys General. Perhaps that has happened. I think it would be instructive to my point if State Attorneys General considered what they would think about such an importuning by the corporate ethics and compliance community.

Last November I contacted the National Association of Corporate Directors, related to their Leading The Way initiative, and tried to point out the foregoing believed deficiency in how the ethics and compliance community was carrying out its mission. This was intended, among other things, to instigate interchange between the National Association of Corporate Directors and the corporate ethics and compliance community (which serves under corporate directors). I am not aware that any interchange has taken place.

State attorneys general have their own limitations in consolidating a moral force. These include the ongoing turf battle that state attorneys general have with the Federal enforcement and regulatory community, and also the political needs of state attorneys general to have big, publicized cases against corporations (which I contend do not have the best effect for deterring corporate wrongdoing).

Judges are hard to communicate with about lessening corporate wrongdoing, but I try. See, e.g., blog entries that are collected here and efforts I have made to intervene in legal cases such as two large class actions cases against Citigroup and Bank of America a year ago (relevant blog entries collected here).

If all else fails, it is up to Congress and state legislatures to address how society should best try to deter corporate wrongdoing.

I am a mere citizen in trying to persuade those parties with the power and position to respond to my contentions, and I have only my blog and email for doing this. I hope I will be successful eventually.

Thank you.

Sincerely,
Robert Shattuck
Birmingham, AL

Saturday, December 21, 2013

More data re ethics and compliance mission program

Business news keeps coming that points out the failure of the mainstream ethics and compliance community to face up to significant questions about the mission program it has been propagating for twenty years. [Numerous entries in this blog explain and document that failure. Quick access to these entries may be initiated by starting with this entry and by following the links. More in-depth access may be achieved by further links in this entry below or navigating through the blog using the labels on the left hand side.]

This entry is prompted by several recent Wall Street Journal articles. I have posted these articles on the blog, and I will make links to the articles in this entry.

No amount of prodding (as best I can tell) has been able to budge the mainstream ethics and compliance community to do critical thinking about entity level liability versus individual officer and employee liability for trying to deter corporate wrongdoing. The nonresponsiveness of the Ethics & Compliance Officer Association, the Ethics Resource Center, and the Society of Corporate Compliance and Ethics, and of many others in the field, is well documented in this blog. See, e.g., these entries collected under Label F1.

The recent business news of Ex-Banker Gets Prison Term and JPMorgan's huge corporate fines begs again for ethics and compliance professionals to delve into the subject of entity level liability versus individual officer and employee liability to try to deter corporate wrongdoing, and to wrestle with very difficult questions that are presented. As indicated, thus far there has been virtually no willingness to do that.

As reported in the article, JPMorgan's top lawyer Stephen Cutler has spoken out publicly criticizing what has gone on in the levying of these fines. One can well ask whether the thoughts of JPMorgan's ethics and compliance officers were sought by Mr. Cutler in formulating and taking his public stance. Or are they on the sidelines regarding this important JPMorgan corporate matter? (See my blog entry Are Ethics & Compliance sidelined?)

The article says that Mr. Cutler was chief of enforcement for the Securities and Exchange Commission from 2001 to 2005. For at least a couple of years, the ethics and compliance community has been importuning federal enforcement officials to pay more attention to corporate ethics and compliance programs. In February, the Ethics Resource Center had a summit in Washington DC about this, entitled "Improving Corporate Conduct Through Pro-Compliance Enforcement Practices." I believe the ERC was too narrowly focused on its own agenda and lacked appreciation that the federal enforcement officials had other more important considerations on their mind. (See this email I sent to the ERC.)

Relating this back to JPMorgan, I don't see from the article that Mr. Cutler was much occupied with whether JPMorgan's corporate ethics and compliance program was or was not adequately considered by the Justice Department, and I conclude that was very minor, or a nullity, in Mr. Cutler's mind, and he had bigger other issues in his head about the way the Justice Department was trying to deal with corporate wrongdoing.

Note further that the article talks about how Mr. Cutler, when he was with the SEC, went after JPMorgan for helping Enron commit fraud. Up again pops the question about the efficacy and appropriateness of entity level liability to deter corporate wrongdoing. See my own writing Enron's smartest guys, crooks, victims and other saps.

The Caterpillar news story about possible dumping of train parts in the ocean as part of defrauding railroad owners and operators begs for information about whether there will be "discipline" of culpable officers and employees under Sec. 8B2.1(b)(6) of the Federal Sentencing Guidelines for Organizations. I have tried to inquire in the ethics and compliance community about whether any surveying has been done about the utilization of discipline under Sec. 8B2.1(b)(6), in order to try to evaluate its efficacy, but I could not find any interest in the ethics and compliance community about this. See, e.g., the April 24, 2012, email to Dr. Harned of the ERC that is reproduced in this blog entry.

An interesting contrast is provided by Microsoft deploying corporate assets to combat real criminals and real wrongdoing, as reported in the "Web Fraud 'Botnets'" article, contrasted with this editorial (concerning Facebook), which illustrates how the plaintiffs' lawyers harass corporations with abusive lawsuits that are ultimately counterproductive to the deterrence of corporate wrongdoing, including that they waste and divert corporate assets (either to fight real criminals on the outside or to improve corporate ethics and compliance programs internally). For almost ten years I have been trying to purvey to the ethics and compliance community my article Does the Civil Liability System Undermine Business Ethics?, but there has been no meaningful response from that community.

I posted the editorial about Mississippi Attorney General Hood because, on the one hand, I believe state attorneys general are a better societal tool for deterring corporate wrongdoing than plaintiffs' lawyers, and, on the other hand, state attorneys general may get conflicted by their own personal interests and fail to fill their role properly in helping society deter corporate wrongdoing.

Friday, December 20, 2013

Health care ethics and compliance officers

From: RDShatt@aol.com
To: rdshatt@aol.com
BCC:
Sent: 12/18/2013 8:24:09 A.M. Central Standard Time
Subj: J&J $2.2B fine; ethics and compliance 20 year mission program

To: Ethics and compliance officers in health care industry

This email is being sent to the health care industry ethics and compliance officers who are listed in this online document.

I think the recent $2.2 billion fine that the Justice Department imposed on Johnson & Johnson is an example that is supportive of my contention that there is a serious shortcoming in how the mainstream corporate ethics and compliance community has been pursuing and implementing its mission program for the past twenty years.

If you are interested in what I have to say, please read this letter I have sent to Ms. Kris Curry, Vice President, Health Care Compliance, of the Johnson & Johnson Pharmaceuticals Group, and follow the links to other entries in my blog.

If you would like to discuss this subject with me, please write me back.

Thank you.

Sincerely,
Robert Shattuck
Birmingham, AL

Thursday, December 19, 2013

How Lawsuits Fund Lobbyists

The Wall Street Journal

INFORMATION AGE

How Lawsuits Fund Lobbyists
Facebook pays millions in class actions to privacy groups. Facebook users may get nothing.

Nov. 10, 2013 6:39 p.m. ET


The Supreme Court last week set a record for the gap between innovative technology and hidebound regulation. The justices upheld a settlement against Facebook based on a legal concept created by ecclesiastical courts in the Middle Ages to ensure that promises of charitable gifts made to secure entry into heaven would be carried out.
The good news is that the court said it would look for a new case to get Silicon Valley out of the purgatory of having to pay legal settlements to the very lawyers and advocacy groups whose mission is to regulate high-tech firms.
The case of Marek v. Lane arose after Facebook launched its Beacon program in 2007. Beacon automatically posted announcements when Facebook users bought a new product. It turned out that many users preferred confidentiality for surprise gifts and potentially embarrassing purchases. User complaints led Facebook to end Beacon after just a month.
That would have ended the matter except for the inevitable class-action lawsuit. Facebook eventually agreed to pay $9.5 million, but not to its hundreds of millions of users. The lawyers who brought the case got $3 million, and Facebook agreed to donate $6.5 million to create a new nonprofit group focused on privacy issues.
The legal basis of the settlement was a doctrine borrowed from trust law called "cy près," a French term that means a close enough use of funds. That makes sense when a charitable gift can't be carried out as intended, but not in a case that is supposed to compensate people who've suffered harm.
In an opinion accompanying the denial of review, Chief Justice John Roberts wrote that the court will look for a "suitable case" to "clarify the limits" on funding nonprofits instead of compensating victims. "This court has not previously addressed any of these issues," he wrote, "including when, if ever, such relief should be considered; how to assess its fairness as a general matter; whether new legal entities may be established as part of such relief; if not, how existing entities should be selected; what the respective roles of the judge and parties are in shaping a cy pres remedy; how closely the goals of any enlisted organization must correspond to the interests of the class and so on."
Privacy lobbying groups such as the Electronic Frontier Foundation and the Center for Democracy and Technology get significant funding from class-action settlements. No wonder they advocate for more lawsuits. In 2011, the Electronic Privacy Information Center even went to court complaining when it wasn't among the advocacy groups sharing in a $10 million settlement from Google.
The GigaOM technology news site discovered that one of the groups selected to share in another Facebook settlement—for $20 million relating to Facebook publicizing user "likes" in ads—had no idea why it was included and rejected its allotted $500,000. Representatives of the MacArthur Foundation said they "did not ask to participate" and don't work in online privacy.
"Under the current model, the legal process serves to stoke privacy panic while also failing to explain to consumers the basic nature of the contract they undertake when they sign on with Facebook or Google," reported GigaOM. "Consumers receive an incredibly useful product for no money, but pay instead with personal information which the companies collect for advertising."
The law is a clumsy tool to regulate fast-changing technology. Indeed, under the Beacon settlement, Facebook could relaunch the program under another name even though, as Chief Justice Roberts noted, the settlement by Facebook "insulated itself from all class claims." Ted Frank, a critic of the class-action system, has written that "a lawsuit where the cost of litigation is greater than the benefit to the class suggests the social costs are greater than the social benefits."
These kinds of lawsuits create the illusion that judges determine appropriate uses of technology. But people are still learning how much information they want to share online. It's becoming increasingly clear that users are the "product" being sold; the paying customers are the advertisers who want information allowing them to deliver personalized advertising.
A new novel ridicules companies like Facebook and Google for promoting openness without making clear why this is so basic to their advertising business. "The Circle" by Dave Eggers features an imaginary Silicon Valley company that takes these ideas to an extreme with rallying cries such as "Secrets are lies. Sharing is caring. Privacy is theft."
People should be free to choose the online services they want to use and how much personal information they will share. Markets, not lawsuits or lobbyists funded by lawsuits, are the most efficient way to monitor business practices affecting privacy. If companies such as Facebook and Google go too far, competitors will step in promising to be more user friendly.

Web Fraud 'Botnets'

The Wall Street Journal

TECHNOLOGY

Inside the Effort to Kill a Web Fraud 'Botnet'

Working With Law Enforcement, Team Cuts Off Servers for Zombie Computers

By CHRISTOPHER S. STEWART and MERISSA MARR

Updated Dec. 5, 2013 8:55 p.m. ET

For months, investigators at Microsoft Corp. hunkered down in front of their computer monitors, patiently stalking the shadowy figures behind what the company says is a major Web ad-fraud machine.
Then, on Thursday, they pounced. Armed with a court order and law enforcement help overseas, the team took steps to cut off communication links to European-based servers considered the mega-brain for an army of zombie computers known as ZeroAccess.
Criminals for years had used the ZeroAccess "botnet," which combines the power of more than 2 million hijacked computers—or bots—around the world, to fraudulently bill some $2.7 million a month from online advertisers, company investigators say.
Microsoft doesn't know precisely who is behind ZeroAccess, nicknamed after code in the malware, but suspects the operators are based in Eastern Europe. Last week the company filed a civil suit in federal court in Texas, where there is a high concentration of bots. It got authorization to knock out connections between infected computers in the U.S. and the European-based servers linked to a core of 18 IP addresses. The unit said it also worked with the European law enforcement agency Europol to seize the computer servers, located in Latvia, Germany, Switzerland, Luxembourg, and the Netherlands.
The coordinated attack reflects increasingly aggressive efforts by businesses to police a largely unpoliced world, where hackers are scheming to grab some of the money flowing into digital ads.
Microsoft has good reason to finance its own digital detectives. It owns multiple targets for infection, including the Bing search engine; the Bing Ads exchange; and the Windows operating system, which runs on many of the Web-enabled computers around the world. Going after ZeroAccess helps defend its brand and reputation, the company said.
Microsoft's Digital Crimes Unit recently moved into a new 16,800 square-foot headquarters in Redmond, Wash., to wage its war. Touch-screen monitors detailing the workings of suspected cybercriminals blink on the walls. The team, which numbers more than 100, juggles around five malware cases at a time, among other digital crimes.
This year, digital-ad spending in the U.S. is expected to rise 14.9% to $42.3 billion, according to eMarketer. Security company Solve Media Inc. estimates that digital losses world-wide for display advertising alone could run as high as $10 billion this year.
As the industry has ballooned online, so has its complexity, creating a labyrinth of openings for criminals. The growing automation of stock-market-like advertising exchanges, where fast-paced trading in ad space between multiple parties is hard to track, has opened up a particular vulnerability in the ecosystem, security firms say. An explosion in websites and many layers of new middlemen has made it easy for fraudsters to hide out, the firms say.
At its most basic, digital ad fraud involves generating fake traffic. It works because marketers pay websites for advertising space, with the payments typically determined by the number of people who are supposedly clicking on the site and able to see the spot.
A popular scam involves gaming that basic business model. Hackers build websites and direct hijacked computers to them, to give the appearance of real Web traffic. Advertisers' pitches, drawn by the traffic, then appear on the fake sites where there is no real audience. Sometimes the advertisers pay directly and other times through middlemen.
ZeroAccess specialized in "click fraud," where it directed each of its almost two million bots to click on as many as 48 ads an hour—all day long, according to investigators. Another of its schemes was "search hijacking," where a user's search results from, say, Google or Bing, were redirected to websites connected to the alleged criminals, according to the Microsoft civil complaint.
In one case, Microsoft investigators said ZeroAccess directed a hijacked computer through six suspicious-looking websites, with little useful content, before landing on something called search.lookcastle.com. There, an ad was delivered for the credit company creditrate.com—which the zombie computer clicked on. This all happened in the blink of an eye, unbeknown to the computer owner. Had Microsoft not caught it, creditrate.com would have been billed.
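The click-fraud mechanics described in the preceding paragraphs (hijacked machines clicking dozens of ads an hour after bouncing through a chain of near-empty sites) suggest the kind of triage check an ad exchange can run over its own click logs. The following is an added example, not code from the article, from Microsoft's Digital Crimes Unit, or from any exchange: the log format, field names (including the `hops` field) and the sample entries are constructed for this illustration, and the 48-clicks-per-hour figure is taken from the article only as a reference rate, not as a tuned threshold.

```python
"""Click-fraud triage over constructed ad-click log lines (added example)."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Constructed log format (hypothetical, not any real exchange's format):
#   <ISO-8601 UTC timestamp> <client id> <ad id> hops=<redirect hops before the click>
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<ad>\S+)\s+hops=(?P<hops>\d+)$"
)

# Constructed sample data: a few plausible human clicks from two clients ...
HUMAN_LINES = [
    "2013-12-05T10:00:01Z client-A ad-17 hops=1",
    "2013-12-05T10:03:40Z client-A ad-22 hops=1",
    "2013-12-05T10:41:12Z client-A ad-05 hops=2",
    "2013-12-05T11:02:09Z client-C ad-17 hops=1",
]
# ... and one client that clicks an ad every minute for an hour (60/hr, above the
# 48/hr the article attributes to ZeroAccess bots) after six redirect hops,
# mirroring the six-site chain described for the creditrate.com click.
BOT_LINES = [
    f"2013-12-05T10:{m:02d}:00Z client-B ad-{m % 7:02d} hops=6" for m in range(60)
]
SAMPLE_LOG = "\n".join(HUMAN_LINES + BOT_LINES) + "\n"


def parse_line(line):
    """Parse one log line into a record; malformed lines yield None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "client": m["client"], "ad": m["ad"], "hops": int(m["hops"])}


def parse_log(text):
    """Parse a whole log, silently dropping lines that do not match the format."""
    return [r for r in (parse_line(line) for line in text.splitlines()) if r]


def flag_clients(records, max_clicks_per_hour=48, max_hops=4):
    """Return {client: set(reasons)} for clients whose behaviour looks automated.

    Two independent signals are combined:
      * "click-rate":      more than max_clicks_per_hour clicks in any clock hour
      * "redirect-chain":  any click reached the ad through more than max_hops
                           redirects (long chains of empty sites are a fraud tell)
    Thresholds are assumptions for this example, not published exchange policy.
    """
    per_hour = Counter(
        (r["client"], r["ts"].replace(minute=0, second=0, microsecond=0))
        for r in records
    )
    flags = defaultdict(set)
    for (client, _hour), n in per_hour.items():
        if n > max_clicks_per_hour:
            flags[client].add("click-rate")
    for r in records:
        if r["hops"] > max_hops:
            flags[r["client"]].add("redirect-chain")
    return dict(flags)


def filter_suspect_clicks(records, flags):
    """Drop clicks from flagged clients; return (kept records, fraction dropped).

    The fraction is the figure an exchange would watch day to day (the article
    quotes DoubleClick dropping up to 10% of traffic on some days).
    """
    kept = [r for r in records if r["client"] not in flags]
    dropped = (len(records) - len(kept)) / len(records) if records else 0.0
    return kept, dropped


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    flagged = flag_clients(recs)
    kept, dropped = filter_suspect_clicks(recs, flagged)
    print(f"{len(recs)} clicks, flagged clients: {flagged}")
    print(f"kept {len(kept)} clicks, dropped {dropped:.1%} as suspect")
```

The two signals are kept separate so that an analyst can see why a client was flagged; a single combined score hides whether the tell was volume (a bot clicking all day) or provenance (a chain of content-free redirect sites), and the two call for different follow-up. Real exchanges add many more features, but the per-client hourly bucket and the redirect-depth check are the minimum a defender would want before billing an advertiser for a click.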
"These aren't just kids operating in their parent's basement," said Steve Sullivan, vice president of advertising technology at the Interactive Advertising Bureau, or IAB, an industry group, speaking about digital ad fraud. "What we have here are organized crime groups in foreign countries targeting the ad world."
With fraud becoming more sophisticated, the ad industry has started to fight back. While some companies hire outside security experts, many of the major players in the industry have their own security forces. The ad exchange AppNexus more than doubled its investigations unit in the past year. Google Inc.'s DoubleClick, one of the industry's largest exchanges, employs a geek squad of more than 100 quants, engineers, and Ph.D.s just for security purposes.
Scott Spencer, DoubleClick's product management director, said some days his team kills off as much as 10% of the exchange's traffic, using filtering techniques. Last year, they rejected about a million suspicious websites from the exchange. "It's as if you have thousands of people pick-pocketing, all orchestrated by one mastermind," Mr. Spencer said of each fraud operation.
The IAB trade group this week published a playbook for the industry, giving advertisers and websites tips on how to avoid fraud. An IAB-backed initiative is meanwhile working on a system for buyers and sellers to share intelligence on alleged fraudsters by flagging them in real-time on the exchanges.
Authorities and Internet-security companies estimate that there are perhaps thousands of botnets. The more sophisticated bots act like humans, clicking on ads, playing videos and moving products into shopping carts.
Taking out a botnet isn't easy. Hackers build them with encryption and passwords and many times control them from far-flung locations, where law enforcement is more lax.
Microsoft said it has taken action against seven other botnets in the past three years. Over the summer, Microsoft teamed up with the FBI to attack the "Citadel" botnet that allegedly stole bank account information. It isn't clear who is behind the operations of Citadel, which is being investigated by law enforcement.
Throughout its investigation, the Microsoft unit examined ZeroAccess in its lab, setting up its own infected computers to study how the botnet worked. It kept the operation secret, said Richard Boscovich, assistant general counsel of the Microsoft investigative unit. "If the bad guys sense us monitoring them, they will change," he said, or "start cleaning" their digital trails.
Unlike many botnets, ZeroAccess didn't have a single central server controlling it. Instead, the operators had the ability to use any infected computer in the botnet to distribute commands to commit crimes, making it hard to kill off, Microsoft said.
In its civil suit, the company alleges ZeroAccess "profited unjustly." Notices of the suit were sent to the hosting companies where the 18 IP addresses are located, as well as to the registered owners of 49 domains, which are thought to be part of a backup mechanism for the botnet, and were also taken offline. Microsoft demanded they respond, or risk a default judgment.
The big question is whether Microsoft's assault on ZeroAccess will have enduring impact. ZeroAccess came back to life once before after an attack on it. Earlier in the summer, the software company Symantec Corp. disrupted the botnet, but it persisted, enlisting new computers into its zombie web of crime.
Eight hours into the operation on Thursday, Microsoft investigators said there were no signs that the operators behind ZeroAccess were responding to the shutdown action, and that they had seen a "dramatic" drop in the click fraud committed by the infected computers.
Having blocked ZeroAccess' servers, Microsoft wants to begin answering some of the mysteries behind the crime machine, including the identities of its backers. Details of the operation have been passed over to the FBI, Mr. Boscovich said.
"If we can't put the bad guys in jail," said Craig Schmidt, senior manager of investigations at the Microsoft unit, "at least we can take away some of their money."
Write to Christopher S. Stewart at christopher.stewart@wsj.com and Merissa Marr at merissa.marr@wsj.com