September 6, 2006 4:42 PM PDT

FAQ: The HP 'pretexting' scandal

Just when it looked like Hewlett-Packard had recovered from its missteps of the past few years, a scandal involving its board chairman and investigative firms with questionable techniques threatens to derail the Silicon Valley icon's momentum.

The company has acknowledged investigating its own directors to determine who was leaking company information, after HP Chairman Patricia Dunn was angered by a CNET News.com story about HP's long-term strategic plans.

However, the outside firm used by HP in its investigation appears to have used a controversial tactic called "pretexting" to gain access to its directors' phone records. Pretexting--misrepresenting your identity to gain access to privileged information--is illegal under federal law with regard to financial records, but the law is murkier when it comes to telephone records.

HP claims that pretexting is "not generally unlawful," but that it can't conclusively say that the agencies it employed to track down the source of the leak stayed within the bounds of the law. So what did HP do? What is the law? What penalties might HP face? Here are some answers that help explain the current situation.

How did all of this come to light?
In a filing with the Securities and Exchange Commission on Wednesday, HP acknowledged that it investigated its own board of directors to discover who leaked information that led to a News.com story about HP's future strategic plans. HP also said that the outside firms used to obtain the identity of the source of the leak might have used a technique called pretexting to obtain telephone records of calls made by HP directors from their home phones and cell phones.

What is pretexting and how is it done?
Pretexting involves posing as someone you are not to get information from a company. An individual will call up the phone company, or visit its Web site, and attempt to bluff his or her way into obtaining confidential information by pretending to be a certain customer.

In a letter to HP's board, Tom Perkins said his accounts were "hacked," and attached a letter from AT&T explaining how the breach occurred. Records of calls made from Perkins' home phone were obtained simply with his home phone number and the last four digits of his Social Security number. His long-distance account records were obtained when someone called AT&T and pretended to be Perkins, according to the letter from AT&T.

Is this illegal?
While there is no specific federal law prohibiting pretexting for telephone records, there are some general civil prohibitions that probably apply. When it comes to financial records, pretexting is clearly illegal. Legislation is pending in both the House of Representatives and the Senate that would make pretexting for telephone records a criminal offense, but after a flurry of activity earlier this year concerning companies selling phone records on the Web, not much has happened.

The Federal Trade Commission has tried to prohibit telephone pretexting under Section 5 of the FTC Act, which bars "unfair or deceptive acts" in business practices. It has filed several lawsuits this year against companies that sell phone records on the Internet, an FTC representative said.

But things are different in California. The state is investigating HP's actions under two statutes: one concerning identity theft and one covering obtaining information illegally from a computer system, said Bill Lockyer, California state attorney general, in an interview with CNET News.com.

What are the penalties?
It's usually a misdemeanor in California, but it can be a felony in certain situations, Lockyer said. Under one statute, the misdemeanor can be punishable by up to six months in prison or a $2,500 fine.

Would HP Chairman Patricia Dunn, who initiated the investigation, be subject to the penalties?
It depends how the facts play out. If she specifically authorized the pretexting, she could be, but if she can prove she had no specific knowledge of such acts, she probably wouldn't be prosecuted, according to several lawyers.

Could my employer do this to me?
Not without violating the FTC Act or any specific state laws concerning pretexting. But this episode has demonstrated how very easy it can be to obtain phone records with personal information that every employer maintains, like a Social Security number and a home telephone number.

What can I do to prevent someone from obtaining my telephone records?
Other than encouraging your U.S. representative to vote in favor of stricter privacy laws? Or going back to smoke signals and carrier pigeons?

Phone companies like AT&T are already barred from selling or distributing your customer proprietary network information (CPNI), or the basic-calling information that appears on your bill every month. Pretexting involves the use of duplicitous or sly techniques to obtain that information by individuals pretending to be you, and slick telephone shysters are probably here to stay.

Many believe that the phone companies must do more to protect personal information by strengthening the requirements for disclosing it.

"AT&T has an obligation to put procedures in place to ensure that customer phone information is not disclosed to a third party," said Jason Oxman, a telecommunications lawyer. For example, it could move away from using Social Security numbers as identification numbers, or ask for permission a second time through e-mail every time someone requests CPNI.

In the meantime, ask your phone company to put a password on your account. And don't store the password in your voice mail.


6 comments

pretexting = phishing
We are bombarded by tons of phishing emails, some offering junk, others posing as trusted sources like our banks. Clearly this was a privacy breach under Patricia Dunn, who's no better than the NSA. http://www.iwantmyess.com/?p=37
Posted by marileev (292 comments )
Dunno why anyone's surprised
The White House has set the tone. And Congress (and the public) seem to agree with him that privacy goes out the window when "security" or "media leaks" are involved.

Don't agree? Then don't support such activities -- vote for change.
Posted by Rita McKee (27 comments )
Well, you miss the target
Since you are involved in this, your point of view is a little moved aside. The right question is why he told a CNET news reporter confidential information. The guy that did it is the problem and not the company trying to find out who it was.
Posted by vvlada (4 comments )
no you miss the point
What one director did to feed information to the news media does not justify multiple cases of identity theft and accessing other people's phone records not even connected to HP. HP is NOT the government, they are a private company who apparently thinks they are God. This is something I would have expected of a company like Microsoft.
Posted by ChazzMatt (169 comments )
No you missed the point!!!
I don't care who did what. The company does not have the right to give out an employee's private info so he can be spied upon, and the private "I" doesn't have the right to steal your identity so he can obtain your records...period. And they did that to more than the one person they feel leaked the story. Sue 'em and shoot 'em...now don't get me started on Bush!! lol
Posted by FooKBush (24 comments )
So what happens next?
Not a thing.
"Pretexting". So what. We as a society have established that we don't care about the reality of circumstances anymore.
The Monkees and Milli Vanilli were crucified. Whitney Houston was blessed as an artistic wonder for lip-syncing the National Anthem at the Super Bowl. Packaged Pop-Idols are given the out that their personal sound can't be reproduced outside the studio. PhotoShop, CGI and PSAs are all accepted practices.
The greatest sin in all this is our refusal to accept the fact that "the internet" is the National Enquirer of the 21st Century. Why would you believe anything you see on a medium infamous for scams, phishing and 50ish Quasimodos using Brad Pitt's photo on E-Harmony? The cops pose as 14 year old girls to catch pedophiles. "Reality...you can't handle reality".
"Pretexting" will become another new term to review on the What's Hot/What's Not list on E! at New Years but other than that, nothing. By Halloween no one will even remember the story...or it will be revealed as an Illuminati conspiracy by the bloggers.
Posted by byronlord00 (5 comments )
 
