Hewlett-Packard fraudulently obtained private phone records of its own board members while trying to trace a media leak, according to a former trustee who resigned when he learned of the action.
Tom Perkins, one of the founders of Silicon Valley venture capital giant Kleiner Perkins Caufield and Byers and an HP board member until May, resigned after learning that HP consultants posed as Perkins and other board members to obtain their confidential telecommunications records -- a tactic known as pretexting.
The investigation was intended to uncover the source of a CNET News.com article published in January describing a confidential planning session among board members that took place over several days at a California resort spa.
"This is the corporate governance equivalent of using an elephant gun to shoot a butterfly in a gun-free zone," said Perkins's attorney, Viet Dinh, a former Justice Department attorney and author of the Patriot Act who now teaches at Georgetown University law school. "The unfortunate truth is that one of the world's largest and most respected corporations may have used fraudulent practices to spy on its own directors."
Pretexting is a method whereby a third party calls a phone company and poses as a specific customer of the phone company in order to request records of the customer's phone calls. Such records generally contain the phone numbers of people called, the date and time of the call and the duration of the conversation.
Phone-record pretexting is not specifically covered by a federal law, although a federal law against pretexting financial records exists and there are some federal laws under which it conceivably could be prosecuted. Several states have passed laws that could cover pretexting as well. California, where Hewlett-Packard is based, is one state that has computer-crime and identity-theft laws under which pretexters can be prosecuted.
Perkins was not fully apprised of the extent of HP's investigation of board members or the methods being used until May 18, Dinh said. In a board meeting on that date, Patricia Dunn, chairman of the board of directors, announced that investigators had discovered the identity of the source for the CNET story.
After revealing the source's identity to the board, Dunn asked the individual to resign, although he refused to do so. (According to The Wall Street Journal, HP plans to publish a Securities and Exchange Commission filing Wednesday announcing that George Keyworth was the source, and that he will not be re-elected to the board because he disclosed confidential information to the press.)
Concerned about the methods that might have been used to discover the source's identity, Perkins contacted Larry Sonsini, long-time outside counsel for HP, who confirmed that outside investigators had used pretexting to obtain both cell-phone and landline records of board members, Dinh said. This led Perkins to contact his own phone carrier, AT&T, to discover whether his records had been obtained through pretexting.
According to a letter from AT&T to Perkins, on January 30th of this year, someone using the e-mail address Mike@yahoo.com set up an online billing account through the internet for Perkins' home phone number, using the last four digits of Perkins' Social Security number. Once the online billing account was established, the party had access to billing records for Perkins' local calls for December 2005 through January 2006. According to the AT&T letter viewed by Wired News, the party only looked at the bill for January 2006, the month the CNET story was published.
Around the same time, someone also made a failed attempt to set up an online account for Perkins' long-distance billing records. When that didn't work, the party called AT&T's customer care unit, which helped set up the online account while the party was on the line.
Although records for Perkins's long-distance calls were available through that online account for the months November 2005 through January 2006, that party viewed only the January 2006 billing period, according to the AT&T letter. The party who viewed the records used the e-mail address firstname.lastname@example.org for reference to set up the account, although AT&T said the party who set up this account had the same IP address as the person who set up the account for the local billing records and used the e-mail address email@example.com.
Dinh said he did not know how many board members were the victims of pretexting. It's also unclear whether HP used pretexting to obtain the phone records of the CNET reporters, Dawn Kawamoto and Tom Kravitz.
Perkins, a former member of the board of directors at Compaq, joined the HP board of directors after HP merged with Compaq. He retired from the board, but rejoined it shortly before HP CEO Carly Fiorina was fired in 2005.
Perkins resigned from the HP board three months ago, but the significance of the separation has not been made public until now. In his resignation letter to HP's board of directors, a copy of which Wired News obtained, Perkins said he was resigning "to protest the questionable ethics and the dubious legality of the chairman's methods."
Hewlett-Packard did not respond to a call for comment.
Attorneys general in a number of states have brought suit against data brokers and private investigators who engage in pretexting. Dinh said he has referred the HP matter to the California Attorney General's office of special crimes, which investigates computer fraud and identity theft, as well as to the U.S. Department of Justice and the enforcement branches of both the Federal Trade Commission and the Federal Communications Commission.
Robert Morgester, California deputy attorney general in the special crimes division, would not comment on whether he was working on a case with regard to Hewlett-Packard, but said in general that pretexting violates the California computer-crime statute for unlawful entry to a computer.
"Whether I trick a company into getting into an account or brute force my way into it, I've hacked my way into the system," Morgester said. "I am accessing the computer without the permission of the accountholder."
The action also violates an identity theft law that makes it illegal to use someone's personal information for an unlawful purpose. Morgester said using someone's Social Security number to open an online billing account in their name to obtain their phone records would qualify as identity theft.
The federal government could also conceivably go after HP for unfair trade practices and violating the wire fraud act, "assuming that this crossed state lines you could argue that they used electronic communications to commit fraud against another person," said Chris Hoofnagle, privacy expert and senior staff attorney with the Samuelson Law, Technology and Public Policy Clinic at UC Berkeley. Additionally, the board members themselves could seek restitution.
"The board members affected could bring suit against the investigators and Hewlett Packard under tort law for invasion of privacy and theft of data," said Hoofnagle. "But the most effective path would be for the phone carriers to go after them."
Several phone carriers, including AT&T and Verizon, have recently brought suit against pretexters to bar them from contacting the phone companies again and have won those suits.
AT&T would not comment about the allegations against HP specifically, but the company recently filed suit in Texas and will soon file an additional suit in California "to seek the identities of perpetrators who have wrongfully accessed our business records containing private customer information -- including calling records," wrote spokesman Walt Sharp in an e-mail. "AT&T will pursue damages and injunctive relief against those imposters who we are able to identify, and will take appropriate actions against anyone identified as directing such activities."