Sep. 6, 2006 at 7:34 PM ET
Let's get one thing straight, once and for all: Looking at someone else's telephone records without permission is wrong. And illegal.
It is shocking that this basic, obvious conclusion has repeatedly escaped companies, debt collectors, law enforcement officials and, now, one of America's biggest and most respected companies. The story of Hewlett Packard's boardroom intrigue, which includes spying on directors’ phone records, is a window into a dirty world that should have been cleaned up long ago.
To recap, HP Chairwoman Patricia Dunn was frustrated by leaks coming from another board member, evidenced by anonymous comments that were included in a story published by CNET.com back in January. To find the leaker, she ordered a secret review of board members’ private telephone records. The company hired an outside investigative firm to obtain the records, which it did by using a method called “pretexting.” Then, word came that investigators working for HP also obtained reporters' private phone records.
All last week, the story spun wider, with the California state attorney general, the U.S. Justice Department, and Congress all indicating they were investigating. Then on Tuesday, Dunn said she would step down as chairwoman early next year, and apologized for the incident. She indicated she would remain on the company's board of directors.
Dunn's resignation is hardly the end of the affair, however. That will only come when all of corporate America and all of the investigative underground comes to the basic realization that pretending to be someone else to obtain their private information is criminal identity theft.
Reading HP's official explanation for the incident, filed last week with the Securities and Exchange Commission, it's clear that message has not gotten through. The reasoning in the filing is abominable. Let me boil it down for you; Parents will recognize the excuse.
"But he said it was OK."
The twisted logic used to justify phone record theft shows why this decade-long attack on personal privacy, this dirty trick, remains so common after years of congressional hearings, dozens of attempts at legislation and a lot of public embarrassment.
By now, you've probably read several stories about "pretexting." Private investigators impersonate consumers and trick customer service representatives into divulging calling records and other personal information. The calls are placed using a false pretext -- hence the name.
Pretext callers become masters of disguise. Many know how to sound like a young woman, or an old man, in order to fool corporate answer desks. Sometimes, the trick is even easier. They just sign up for online billing access at a Web site. Often, all you need is a name and part of a Social Security Number.
Somehow, people who do this have become convinced that it might not be illegal. Clearly, HP was. Here's what its SEC filing said:
"After its review, the (Nominating and Governance) Committee determined that the third party retained by HP’s outside consulting firm had in some cases employed pretexting. The committee was then advised by the committee’s outside counsel that the use of pretexting at the time of the investigation was not generally unlawful (except with respect to financial institutions)."
I love the phrase "not generally unlawful." I will use that the next time I am pulled over for speeding.
Having written about pretexting for some five years, I know how these things go. Back when the inquisition began, someone at HP turned to a PI, who said he could get telephone records that would enable management to find out who had been talking to reporters. At some point, someone with a smidge of ethics asked, "But how do you get them?" and the investigator answered, "from publicly available sources." The conversation ended there.
Someone with a lot of ethics, however, wouldn't stand for that. Board member Tom Perkins resigned in May when he learned of the tactics used to obtain his phone records. His appeal to AT&T for information regarding anyone who looked at his phone records, and AT&T's response, are fascinating reading - courtesy of The Smoking Gun.
But one has to wonder why he was the only one to stand up at that moment. Kudos to Perkins; shame on everyone else in the room.
Consumers can sometimes be fooled into thinking that pretexting isn't specifically illegal -- that perhaps somewhere there is a legal public source for phone record data -- but the timing of this incident is important. The investigation occurred between January and May of this year. Throughout that time, there were numerous news stories in all the national newspapers and on the TV networks about Congress investigating the very behavior HP paid for. In December, a blogger had purchased Democratic presidential candidate Gen. Wesley Clark's cell phone records, starting a firestorm of news coverage. Nearly a dozen bills were introduced in Congress this spring to deal with the problem. A congressional inquiry uncovered embarrassing evidence that law enforcement officials had purchased records from Web brokers using pretext methods.
All that news makes it impossible to argue that directors at a high-tech firm would have no grasp of the fundamental issues at play.
As for the legal vagaries, there really aren't any. Lying about who you are to get access to computer records is a crime. It's hardly new; it's called social engineering in computer hacker circles. It may be clever, but it's wrong, and it's against the law. Hackers like Kevin Mitnik have been sent to jail for social engineering.
Viet Dinh, a former Bush administration Justice Department official, who has been retained as an attorney by Perkins, said HPs "we didn't know" defense is hard to believe.
"I think the prevalence of third party information often dupes an unwitting consumer to think that pretexted records are legal," he said. "But it is hard to see how HP could be unwitting here, when the company's chairwoman apparently custom ordered the fraud. Whether one analogizes the conduct to receiving stolen property or ordering a hit, it is still illegal."
Specifically, Dinh said he felt pretexting also ran afoul of the nation's Computer Fraud and Abuse Act, which makes computer hacking illegal.
"A pretext to obtain records stored on a computer is unauthorized access to that computer, so I think fits squarely within both the colloquial and legal definition of hacking," he said.
A criminal investigation into HP’s pretexting has been opened, according to the California attorney general’s office. Robert Morgester, deputy attorney general in California, said he couldn’t discuss the case. But he agreed that pretexting is clearly illegal.
"If an individual was able to trick their way into a secure network ... through impersonation ... that's hacking by social engineering," he said. "The general rule of thumb is if you are getting into somebody else's network, you are committing a variety of crimes."
Morgester said pretexting could run afoul of two state laws: California's identity theft statutes, which make it illegal to use someone else's personal information to commit a crime, and the state's computer crime laws, which make unauthorized access to databases illegal.
The continued debate about pretexting's legality frustrates Rob Douglas, who operates PrivacyToday.com. Douglas has testified about a dozen times before Congress since 1998 about the problem of pretexting.
"I have absolutely no doubt that this is far more common than anyone wants to believe," Douglas said.
If there was any doubt about that, consider this: The California attorney general's office tells me it is currently investigating six "major" pretexting cases akin to the HP case. And if there's any doubt about the fragility of your personal information and the willingness of companies to abuse it, this story should relieve you of that doubt. If it can happen to a board member at HP, it can happen to you.