An enhanced vantage
By James Wilson, Richard Milne and Gerrit Wiesmann
Published: August 16 2009 19:21 | Last updated: August 16 2009 19:21
One day this summer, Michael Bohndorf, a 69-year-old Deutsche Bank shareholder, travelled from his home on the Spanish island of Ibiza for a meeting in Frankfurt with one of the bank’s lawyers. There, he recalls, he received a “white gloves” welcome.
“I was treated like the prince of Peru,” he says. “It was all ‘How would you like your tea, Mr Bohndorf?’”
If Mr Bohndorf, a German lawyer, found the deference exaggerated, it was not surprising. As both he and the bank’s own lawyer knew, the meeting was the consequence of much more unpleasant conduct by the bank: the use of private detectives to investigate him. In an operation that could have come from a spy novel, detectives allegedly arranged a holiday rental of the shareholder’s house to try to unearth information. He also claims a woman was sent as a “honey trap” to glean material about him.
Under scrutiny at the time, from the bank’s point of view, had been Mr Bohndorf’s criticism of Deutsche Bank and his potential links to Leo Kirch, a businessman who is one of its most dogged courtroom opponents. The tables are now turned. Germany’s largest bank has had to apologise to Mr Bohndorf (pictured below) – and give some humbling explanations about how it came to be involved in other possible violations of privacy that involved members of its own management and supervisory boards. It is also under investigation from financial and data protection watchdogs, while state prosecutors are considering whether there are grounds for a criminal probe. The bank says it has found four isolated incidents raising concerns but adds that senior executives did not know about the activities.
The bank is far from the only big company to have admitted overzealous surveillance. Deutsche Telekom used an independent security company to comb the phone logs of supervisory board members. Deutsche Bahn’s chief executive quit after the state-owned rail company admitted monitoring contacts between thousands of employees and suppliers. Lidl, a discount supermarket chain, spied on staff at work and logged information about their health.
Germany is not alone in its corporate spying scandals. In the US, Hewlett-Packard used private investigators who obtained the phone records of journalists . Recent UK revelations of methods used by detectives employed by the News of the World, the tabloid newspaper – hacking into voicemail messages – have highlighted ethical lapses in journalism.
But the quantity and seriousness of German cases call into question why Europe’s largest economy seems particularly prone to outbreaks of corporate spying. That, in turn, leads to scrutiny of the country’s attitude to privacy as well as its wider standards of corporate governance.
Moreover, in the German context – only two decades since the fall of the Berlin Wall brought the methods of East Germany’s secret police to light – such practices cause shock. A Deutsche Telekom director says: “Do we want to go back to the days of the Gestapo under Hitler or the Stasi in the DDR? Of course not. That is what makes this whole incident so distasteful.” Mr Bohndorf himself says: “This was not some corrupt little bank – this was Deutsche Bank. This stood for something, like the Bank of England. So could you imagine how disappointed and upset I was that [it] was using methods that we ... thought had been abandoned and did not exist any more. We learnt what happened in East Germany and everyone said that should never happen again.”
That Deutsche Bank should face such charges from an investor is not simply embarrassing. This and other cases have potentially damaging repercussions for the balance of trust between companies and those who have dealings with them.
Deutsche Telekom’s scrutiny of phone records raised doubts for millions of customers about the privacy of their call logs. When Lufthansa data on politicians’ use of frequent flier miles were leaked in 2002, there was shock at their use of such freebies – but also concern at the misuse of customer data. Deutsche Bank, revealing its suspicions about internal breaches, was quick to say no customers were involved, fearing repercussions from worried account holders.
How one company’s misstep led to a change in American law
In recent years great bluster has been generated over accusations that privacy laws or norms were broken by large segments of the US information brokering industry and the anti-terror efforts of the George W. Bush administration, writes Joseph Menn. But one misstep by a single big company produced tangible change.
Hewlett-Packard was engulfed in a spying scandal in 2006, after Thomas Perkins, a veteran HP director and venture capitalist, learnt his phone records had been obtained by private investigators retained by the technology company. Using a set-up similar to that used by Deutsche Telekom unearthed last year, Patricia Dunn, HP chairman, was trying to find out if members of her board had been speaking to the press about company strategy. After conferring with the company’s senior in-house lawyer and chief ethics officer, she signed off on a “pretexting” probe, where outsiders pretended to be the directors they suspected and their possible media contacts. This enabled private eyes to talk phone companies into releasing the calling records of Mr Perkins, director George Keyworth, and reporters for The New York Times and other publications. Ms Dunn got the information she wanted and accused Mr Keyworth, who admitted talking to news site CNet, though he said he revealed no secrets.
Mr Perkins was so outraged over these methods, he resigned. When HP’s regulatory filings claimed his departure had not been the result of a disagreement, he went to the Securities and Exchange Commission and begged to differ. After a cavalcade of investigations and disclosures, Ms Dunn, the senior lawyer and the ethics officer left HP.
The California attorney-general investigated and settled a civil court case over identity theft for $14.5m; the Federal Trade Commission took action against several of the investigators; HP agreed to new practices and paid millions to end shareholder suits last year. Criminal charges against most of those involved, including Ms Dunn, were dropped. Most significantly, her initial contention that pretexting was not illegal exposed it as a widespread practice, sparking a debate that included congressional hearings resulting in a federal law banning it.
“It was a fascinating episode that revealed how far determined board members, with the help of private investigators, could go to dig into the private communications of their colleagues,” says Marc Rotenberg, executive director of the non-profit Electronic Privacy Information Center.
Why do companies risk such compromising allegations? An inevitable conclusion is that they believe there is something to be gained or important interests to be protected. In the case of Deutsche Bank, whose chief, Alfred Herrhausen, was killed by a bomb in 1989, a desire to protect staff is logical. In one case it has acknowledged, it hired investigators to try to obtain a photograph of someone alleged to have made threats against senior managers.
Yet the instinct to protect led to a more serious privacy violation: security for Hermann-Josef Lamberti, the bank’s chief operating officer, was tested without his knowledge in 2007. Similarly, its anxiety about Mr Bohndorf – who attracted the attention of the chairman, Clemens Börsig, when speaking at the 2006 annual meeting – stems at least in part from its legal battle with Mr Kirch, who blames comments by the company’s former chief executive for the collapse of his media empire. The bank denies any wrongdoing by Mr Börsig.
Several cases are linked by a particularly German thread: the system of Mitbestimmung, or co-determination, under which workers have half the seats on most supervisory boards and a big say in decision-making. Some argue this leads to more leaking of sensitive information than elsewhere, whether by workers or retaliating executives. The former chairman of one of Germany’s largest companies says spying “is all the fault of co-determination”.
Deutsche Bank’s first admitted incursion into questionable surveillance, in 2001, was to try to plug a leak it wrongly thought could have come from a union representative on its supervisory board. Deutsche Telekom, which stepped up surveillance after leaks of planned job cuts, remains steeped in the factional culture of the state-owned monopoly it was: unions have a strong role and the part-privatised company is a popular target for public anger when it acts like a for-profit corporation.
A German director with extensive international experience says companies should be cleverer. “Most of the sensitive information with us is discussed beforehand by the capital side of the board and so we reveal only the absolute minimum needed to workers,” he says. Another former chairman says: “Obviously, co-determination is something we would rather not have. But blaming the workers for these scandals is rather convenient – the real fault lies with those who have ordered something seemingly illegal.”
A more dramatic hypothesis for the spy scandals is that Germany’s cold war divide has left it with thousands of underemployed detectives well schooled in the black arts. Many cases in the public eye involve contracted or subcontracted detective agencies. Deutsche Bank says all its incidents stemmed from “external service providers”: at one stage the bank apparently refused to support a proposal by an investigator to get an intern into a law firm used by Mr Kirch. Deutsche Telekom’s surveillance methods came to light after a security company in Berlin reminded the company that it had run computer checks on employees in 2005 and 2006.
The BDD, a German detective association, says members work to high legal standards and dismisses the idea that private investigators are Stasi throwbacks. But “there will always be a few black sheep”, an official acknowledges, adding that there are few restrictions on who can set up in the business. A US investigator says it is not enough for companies to be able to blame behaviour on outside contractors. “There should be no deniability,” he says.
If the sins of the past are reflected in the present, it could equally be because of how fiercely the concepts of data protection and privacy are defended in today’s Germany. Hesse, Deutsche Bank’s home state, enacted some of the world’s first data protection laws back in 1970. Germans are more hostile than many to the use of relatively commonplace security, such as cameras to monitor city centres.
An official at the country’s federal commissioner for data protection and freedom of information says Germans are more concerned by corporate privacy breaches than by state security measures. “People have realised that in some cases companies know more about them than the state or the police,” she adds. “The recent cases have been a wake-up call.”
The head of a European corporate investigation company says practices seen as reasonable elsewhere, such as background screening of employees, are tricky or illegal in Germany. The US investigator says: “There may well be instances that do not cross criminal or legal lines but are outrageous to the general public.”
Hartmut Mehdorn, Deutsche Bahn’s chief executive, insisted in vain that the company’s monitoring of staff was to fight corruption. A report commissioned by the country’s parliament said many methods used had been illegal and he quit in March.
Having unreasonable limits, the European corporate investigator argues, means some companies may feel it is not worth attempting to stay within them. “It is like setting the speed limit on motorways at 40 miles per hour. Why should people drive at 80 miles per hour if it is reasonable but still illegal? They may as well drive at four times the limit, since it is just as illegal.”
The data commission says most German practices are in line with standards across Europe – but it still sees a need for greater privacy protection in employment law. This is being strengthened from September 1 with a legal amendment but the commission says this will only be the “starting gun” for more changes after next month’s general election.
“We don’t want to stop companies fighting against corruption, for example. But we have seen how mistrustful citizens are about companies’ use of their data. For many companies, it might be better – a competitive edge – to be able to show strong data protection rules and win back trust. We should not see it as a disadvantage,” the official says.
With the BDD saying at least 70 per cent of commissions for its detective agencies are from companies, the balance between corporate security and personal privacy is unlikely to become easier to manage. The European corporate investigator says: “There are things that you need to do that are very difficult, if not illegal, in Germany. I suspect we will see more scandals in the future. The problem isn’t going to go away.”
Deutsche Bank has sacked two people over the spying and promised tougher control over outside security agencies but still faces probes into acts performed on its behalf by the external security providers.
For Mr Bohndorf, it is scarcely credible that top directors – Mr Börsig and chief executive Josef Ackermann (pictured at the top addressing an audience) – should be absolved of responsibility, in spite of the bank’s insistence that they did not know what was going on. “A bank has to rely on trust. What they did was breaking everything,” he says. “In all civilised countries they would resign if they had to admit spying on shareholders.”
Copyright The Financial Times Limited 2009. You may share using our article tools. Please don't cut articles from FT.com and redistribute by email or post to the web.