Pretexting used by HP to find internal leaks
Adam Shand
adam at shand.net
Wed Sep 13 19:08:21 EDT 2006
This is a fascinating description of HP's recent fiasco. Definitely
worth a read if you are interested ...
Adam.
Source: http://www.msnbc.msn.com/id/14687677/site/newsweek/
Intrigue in High Places
By David A. Kaplan
Newsweek
Sept. 5, 2006 - The confrontation at Hewlett-Packard started
innocently enough. Last January, the online technology site CNET
published an article about the long-term strategy at HP, the company
ranked No. 11 in the Fortune 500. While the piece was upbeat, it
quoted an anonymous HP source and contained information that only
could have come from a director. HP’s chairwoman, Patricia Dunn, told
another director she wanted to know who it was; she was fed up with
ongoing leaks to the media going back to CEO Carly Fiorina’s
tumultuous tenure that ended in early 2005. According to an internal
HP e-mail, Dunn then took the extraordinary step of authorizing a
team of independent electronic-security experts to spy on the January
2006 communications of the other 10 directors—not the records of
calls (or e-mails) from HP itself, but the records of phone calls
made from personal accounts. That meant calls from the directors’
home and their private cell phones.
It was classic data-mining: Dunn’s consultants weren’t actually
listening in on the calls—all they had to do was look for a pattern
of contacts. Dunn acted without informing the rest of the board. Her
actions were now about to unleash a round of boardroom fury at one of
America’s largest companies and a Silicon Valley icon. That corporate
turmoil is now coming to light in documents obtained by NEWSWEEK that
the Securities and Exchange Commission is currently deciding whether
to make public. Dunn could not be reached for comment. An HP
spokesman declined repeated requests for comment.
On May 18, at HP headquarters in Palo Alto, Calif., Dunn sprung her
bombshell on the board: she had found the leaker. According to Tom
Perkins, an HP director who was present, Dunn laid out the
surveillance scheme and pointed out the offending director, who
acknowledged being the CNET leaker. That director, whose identity has
not yet been publicly disclosed, apologized. But the director then
said to fellow directors, “I would have told you all about this. Why
didn’t you just ask?” That director was then asked to leave the
boardroom, and did so, according to Perkins.
Close to 90 minutes of heated debate followed, but Perkins, the
Silicon Valley venture capitalist, says he was the only director who
rose to take Dunn on directly. Perkins says he was enraged at the
surveillance, which he called illegal, unethical and a misplaced
corporate priority on Dunn’s part. In an interview with NEWSWEEK,
Perkins says he was particularly annoyed since he chaired the HP
board’s Nominating and Governance Committee and had not been informed
by Dunn of the surveillance, even though, he says, she had told him
for months that she was attempting to discover the source of the leak.
After a divided board passed a motion asking the leaker to resign,
Perkins closed his briefcase, announced his own resignation and
walked out of the room. In media mentions the next day, Perkins’s
sudden resignation was noted, but without explanation and without any
indication that his departure was a form of protest. (According to
Perkins, the leaker-director himself refused to resign, saying it was
up to shareholders to make such a decision; that director continues
to serve on the board.) Thus began nearly four months of warfare
between HP and Perkins about whether the surveillance would ever come
to public light.
Any time a director resigns from a U.S. public corporation, federal
law requires the company to disclose it to the SEC in what’s called
an 8-K filing. If the director resigned for reasons related to a
“disagreement” with the company about “operations, policies or
practices,” that, too, is now required. HP reported Perkins’s
resignation to the SEC four days after it happened—back in May—but
gave no reason for the resignation, instead including only a press
release thanking Perkins for his years of service. Perkins has twice
challenged that omission in e-mails to the HP board and, he says, he
received no response from HP.
In early August, Perkins—represented by his own non-HP lawyer, Viet
Dinh, a former Bush administration official—formally asked the SEC to
force HP to publicly file his written explanation for resigning.
According to a source who requested anonymity because of his
closeness to HP, the company objected on the grounds that when
Perkins resigned at the May board meeting he didn’t indicate why.
Perkins says his reasons for resigning were obvious and he stated
them at the meeting. Now, sources say, the company could file such a
document with the SEC as soon as Wednesday.
The entire episode—beyond its impact on the boardroom of a $100
billion company, Dunn’s ability to continue as chairwoman and the
possibility of civil lawsuits claiming privacy invasions and
fraudulent misrepresentations—raises questions about corporate
surveillance in a digital age. Audio and visual surveillance
capabilities keep advancing, both in their ability to collect and
analyze data. The Web helps distribute that data efficiently and
effortlessly. But what happens when these advances outstrip the
ability of companies (and, for that matter, governments) to reach
consensus on ethical limits? How far will companies go to obtain
information they seek for competitive gain or better management?
The HP case specifically also sheds another spotlight on the
questionable tactics used by security consultants to obtain personal
information. HP acknowledged in an internal e-mail sent from its
outside counsel to Perkins that it got the paper trail it needed to
link the director-leaker to CNET through a controversial practice
called “pretexting”; NEWSWEEK obtained a copy of that e-mail. That
practice, according to the Federal Trade Commission, involves using
“false pretenses” to get another individual’s personal nonpublic
information: telephone records, bank and credit-card account numbers,
Social Security number and the like. Pretexting is heavily marketed
on the Web.
Typically—say in the case of a phone company—pretexters call up and
falsely represent themselves as the customer; since companies rarely
require passwords, a pretexter may need no more than a home address,
account number and heartfelt plea to get the details of an account.
According to the Federal Trade Commission’s Web site, pretexters sell
the information to individuals who can range from otherwise
legitimate private investigators, financial lenders, potential
litigants and suspicious spouses to those who might attempt to steal
assets or fraudulently obtain credit. Pretexting, the FTC site
states, “is against the law.” The FTC and several state attorneys
general have brought enforcement actions against pretexters for
allegedly violating federal and state laws on fraud,
misrepresentation and unfair competition. One of HP’s directors is
Larry Babbio, the president of Verizon, which has filed various
actions against pretexters.
Legal experts vary in their views on the extent to which pretexting
is a violation of criminal law. The Gramm-Leach-Bliley Act of 1999
bars a range of fraudulent activity related to financial records, but
its applicability to phone records is unclear. Experts agree that
pretexting is often used to accomplish identity theft—to borrow money
or buy merchandise—that clearly is criminal. But the pretexting
itself may be harder to prosecute. Civil liability would seem to be
much more a risk for pretexters, as they obviously engage in an
invasion of privacy, achieved through misrepresentation.
Perkins himself was pretexted as part of Dunn’s leaker probe. In the
materials he sent to the SEC, Perkins includes an Aug. 11 letter from
an attorney at AT&T spelling out to Perkins that he was a victim of
pretexting in January 2006; Perkins had requested that AT&T examine
whether he had been pretexted. The AT&T letter explains that the
third-party pretexter who got details about Perkins’s local
home-telephone usage was able to provide the last four digits of Perkins’s
Social Security number and that was sufficient identification for
AT&T. The impersonator then convinced an AT&T customer-service
representative to send the details electronically to an e-mail
account at yahoo.com that on its face had nothing to do with Perkins.
Records for Perkins’s home AT&T long-distance account in northern
California were similarly obtained, except by someone using another
yahoo.com e-mail account; both e-mail accounts are registered to the
same Internet Protocol address, but for which AT&T says it does not
know the identity of the user.
The materials before the SEC indicate that Dunn’s consultants used
pretexting for her investigation. In mid-June, according to a letter
Perkins sent to the full HP board, Perkins contacted HP’s outside
counsel—Larry Sonsini, of Wilson Sonsini Goodrich & Rosati—and asked
him to look into the Dunn investigation. In an e-mail to Perkins
obtained by NEWSWEEK, Sonsini acknowledged that Dunn’s security
consultants “did obtain information regarding phone calls made and
received by the cell or home numbers of directors” and that it was
“done through a third party that made pretext calls to phone service
providers.” Sonsini’s e-mail emphasized that the security consultants
engaged in “no electronic surveillance,” “no phone recording or
eavesdropping” and “no recording, review or monitoring of director
e-mail.” His legal defense of the use of pretexting was that it is
“apparently a common investigatory method” and that “there was no
‘secret spying,’ i.e., no electronic gear, listening devices, etc.”
Perkins quotes Sonsini’s e-mail in the materials he sent to the SEC.
Sonsini could not be reached for comment.
In the documents before the SEC, Perkins also protests that he was
not allowed to review and approve the initial 8-K filing about his
May resignation, which he says is required under SEC rules. And he
requests that the HP board appoint a special committee to examine the
legality and propriety of Dunn’s investigation. In the documents
before the SEC, after Perkins notes he was not the source of the CNET
leak, he excoriates Dunn. “I resigned solely to protest the
questionable ethics and the dubious legality of the chair’s methods,”
Perkins writes. In his interview with NEWSWEEK, he added that he
believed he was “legally obligated to do so” in his directorial
capacity.
Perkins says he has asked other government agencies to investigate
the sub rosa surveillance of the HP directors. Those agencies include
the California attorney general’s office, as well as the FTC, the
Federal Communications Commission and the Justice Department.
Dunn, 52, has been on the HP board since 1998, and was elected
non-executive chairwoman in February 2005. She was CEO of Barclays Global
Investors from 1995 to 2002. Perkins, 74, is the cofounder of Kleiner
Perkins Caufield & Byers, the venerable Silicon Valley firm that has
bankrolled such venture-capital home runs as Genentech, Netscape,
Amazon and Google. Perkins has an on-and-off history with HP that
dates almost half a century. On graduating from Harvard Business
School in 1957, he worked on a lathe in the company’s machine shop.
Then he helped launch its computer division in the 1960s, eventually
becoming Bill Hewlett’s staff assistant when Dave Packard went to
Washington to work in the Pentagon as deputy secretary of Defense in
the first Nixon administration. Perkins joined the HP board after HP
merged with Compaq in 2001, then retired in 2004 and rejoined the
board in 2005 when Fiorina was ousted. Perkins alludes to his HP
heritage in his letter. “My history with the Hewlett-Packard Company
is long and I have been privileged to count both founders as close
friends,” he writes. It “is a very sad duty,” he says, to disclose
“probable unlawful conduct, improper board procedures, and breakdowns
in corporate governance.” It remains to be seen if this final chapter
in his relationship with HP changes the company’s course.
Update: HP filed a document with the SEC before dawn Wednesday that
confirmed it had hired an outside consultant to perform "pretexting"
as part of a leak probe. HP also disclosed to the SEC that the
California attorney general had begun an investigation into the
pretexting and that the company had pledged its cooperation. NEWSWEEK
has learned that the attorney general has issued at least one search
warrant in connection with that investigation. Signed Aug. 31 by a
California Superior Court judge, the warrant allows the state to
search the records of a communications company. The warrant, a copy
of which was obtained by NEWSWEEK, is an attempt to discover the
identity of the pretexter who obtained Perkins's telephone records.
The warrant may be just one of many issued in the attorney general's
investigation. HP's filing also names the leaker-director, George
(Jay) Keyworth II, and states that the HP board of directors has
concluded that he should not be nominated for another term. In the
filing, HP noted that it had hired outside counsel to review its leak
investigation. According to the filing, outside counsel concluded
that the use of pretexting "was not generally unlawful (except with
respect to financial institutions)," but that counsel "could not
confirm that the techniques" used by pretexters doing the HP
investigation "complied in all respects with applicable law."
Editor's Note: Kaplan is currently writing a book for HarperCollins
on the superyacht that Tom Perkins recently built and launched in
Europe.