H-P charges beset with hurdles
An odd subtlety in the facts underlying the criminal "pretexting" case against former Hewlett-Packard chairman Patricia Dunn and others may pose a hurdle to California Attorney General Bill Lockyer's office as it tries to prove the "computer crime" charge it has lodged in that case.
The statute cited makes it a crime to "knowingly access without permission and take, copy, and make use of data from a computer." (The provision is California Penal Code Section 502, which can be found be scrolling down the page linked here.) The potential problem is that both Dunn and the H-P inhouse counsel supervising the probe--Kevin Hunsaker, who is also charged as a defendant--appear to have believed that the phone records were obtained entirely through oral conversations between investigators and telephone employees, not through any techniques resembling computer hacking. Dunn got her information largely from Hunsaker, and Hunsaker expresses this misunderstanding repeatedly in the internal H-P memos that were made public last month by a subcommittee of the U.S. House of Representatives Energy and Commerce Committee.
In reality, we now know that the subcontractors who actually did the pretexting resorted to other techniques as well, some of which certainly look like the crime alleged here. To access the phone records of former H-P director Tom Perkins, for instance, a subcontractor (who is also charged) allegedly went online and gained access to his account by entering his phone number and the last four digits of his social security number into a dialog box. Such a procedure looks and feels more like the computer crime described in Section 502 than simply speaking to a live phone company employee over the phone. Of course, even the orally deceived phone employee would presumably then fetch the desired information out of a computer, but that wouldn't be what we'd typically think of as a computer crime. (Or would it? What do people think?)
(The social security numbers appear to have been gathered mainly by the subcontractors themselves, using what they have called subscription databases available to licensed investigators. In at least one internal memo, Hunsaker admits having known that social security numbers might be used in the process, though he seems to have believed that they would be used verbally. I can't find any evidence yet in the documents made public by the the House subcommittee that Dunn ever knew that social security numbers would be used.)
To be sure, Dunn, Hunsaker, and their three co-defendants--the outside security contractors and subcontractors who actually carried out the pretexting--are also charged with three other offenses besides the computer crimes provision. But, as has been previously reported to varying degrees, each of those charges also carries its own significant challenges when the attempt is made to bring "pretexting" within its ambit. Attorney General Lockyer's best bet certainly looks like the charge of "fraudulently obtaining . . . customer records" from a public utility, which is elsewhere defined to include any "telephone corporation." (California Penal Code Section 538.5 and California Public Utility Code Section 216. Section 538.5 can be found by scrolling down this page.)
Yet there are at least two potential problems with this charge, too. First, Dunn will doubtless argue--as she repeatedly did during her testimony before the House subcommittee on September 27--that she had no idea records were being "fraudulently" obtained, in that she had been repeatedly assured by both senior attorney Hunsaker and H-P's respected then-general counsel, Anne Baskins, that they were lawful. (Baskins, who resigned and then took the Fifth at the Congressional hearing on September 27, has not been charged.) The other possible problem with the public utilities charge is that, notwithstanding its broad and seemingly applicable language, it appears to have never been designed or used before to catch pretexting. In an interview, Stanford law professor Robert Weisberg says that the 1982 law may not have been intended to protect the privacy of customers, but, instead, to protect public utilities from having their trade secrets--including customer lists--stolen.
The third charge against Dunn, called "using personal identifying information without authorization," requires that the defendant "willfully" obtain the information "for an unlawful purpose, including to obtain . . . credit, goods, services, and medical information." Dunn's purpose was arguably different in kind from those listed in the statute. (This statute, California Penal Code Section 530.5, can be found by scrolling down this page.)
The fourth and final charge is "conspiracy" to commit the other three offenses, so it's viability depends on the validity of the three underlying offenses.
The reason, of course, that the prosecution's case faces so many hurdles, is that California did not enact a law specifically aimed at prohibiting pretexting until September 29 of this year--two days after the Congressional hearing. Interestingly enough, this new law only makes the offense a misdemeanor, whereas all the charges Attorney General Lockyer has brought are felonies. What do people think of the fairness of this situation? (I'm putting aside the fact that Dunn has fourth-stage ovarian cancer. That alone, of course, might lead to her acquittal due to jury nullification.)
I am not a lawyer. However, if I were to say to you, "Go get me someone's telephone records," no reasonable person could believe that a private individual's personal phone records can be obtained without their knowledge and consent legally. And to take a shot at how HP's culture has degraded, such information could certainly not be obtained ethically.
I truly believe that the people who committed the offenses were the detectives hired by HP. HP should be chastised for being very stupid for not knowing what these people were doing. Nothing more. The board member who was being investigated should be punished in some way for violating company confidentiality rules he knew were in place. The really sad thing about this is the impact on the HP employees and the fact they believe in the privacy of the people who buy and use the products they sell.
I hope they are all found innocent. Tom Perkins and the HP board are a bunch of jerks, they should all be fired. The Attonery Geneal is doing all this for political reasons, Dunn did nothing wrong.
If you look at the Art of Deception, virtually every attack on computers involves social engineering.
Our intutions about what "computer hacking" means needs to be revised and yes, lying to phone company representatives to obtain information that will later allow one to hack a computer is illegal under the Califorina Code.
Seems to me it's stretching the definition to call a conversation a computer crime merely because the deceived telephone company employee retrieved the info from a computer. Given that phone systems (wired or wireless) are merely computers exchanging data, wouldn't any use of a telephone in a crime be a computer crime?
Leakers need to be severely punished.Corporate leakers should do jail time plus a hefty fine; leakers of highly classified government imfo should get 25 yrs, if imfo leaked can affect thoes fighting the war on terrorism should get executed by firing squad, appeals should be exhausted in 18 mths.
CNNMoney.com Comment Policy: CNNMoney.com encourages you to add a comment to this discussion. You may not post any unlawful, threatening, libelous, defamatory, obscene, pornographic or other material that would violate the law. Please note that CNNMoney.com makes reasonable efforts to review all comments prior to posting and CNNMoney.com may edit comments for clarity or to keep out questionable or off-topic material. All comments should be relevant to the post and remain respectful of other authors and commenters. By submitting your comment, you hereby give CNNMoney.com the right, but not the obligation, to post, air, edit, exhibit, telecast, cablecast, webcast, re-use, publish, reproduce, use, license, print, distribute or otherwise use your comment(s) and accompanying personal identifying information via all forms of media now known or hereafter devised, worldwide, in perpetuity. CNNMoney.com Privacy Statement.