HP Admits Spying on its Directors via Pretexting to Obtain Confidential Home Phone Records

September 6, 2006. Hewlett Packard Company filed a Form 8-K with the Securities and Exchange Commission (SEC), which belatedly discloses information regarding the resignation of a former Director, Thomas Perkins, on May 18, 2006.

HP filed a Form 8-K on May 22, 2006, that disclosed the resignation, but not the reason for the resignation. The just filed Form 8-K asserts that this was because Perkins "did not provide any written communication to HP concerning the reasons for his resignation". It also asserts that the May filing was "accurate and complete at the time of filing".

The just filed Form 8-K is short, carefully worded, and lacks many of the pertinent details being reported in various publications whose reporters have spoken with various persons involved in this matter.

See, for example, the September 5, 2006, story in CNET titled "Media leaks prompt HP board shake-up" by Dawn Kawamoto and Tom Krazit, and the Newsweek story titled "Intrigue in High Places" by David Kaplan.

HP's just filed Form 8-K states that HP "engaged an outside consulting firm with substantial experience in conducting internal investigations and that this firm had retained another party to obtain phone information concerning certain calls between HP directors and individuals outside of HP". Moreover, this Form 8-K states that "the third party retained by HP's outside consulting firm had in some cases employed pretexting".

Media accounts state that Patricia Dunn announced at a May 18 board meeting that she had outside investigators conduct an investigation of board members to find out who had had conversations with news reporters, particularly at CNET. The accounts add that this investigation involved pretexting to obtain confidential home phone call records, and that Dunn had identified who had spoken with CNET reporters.

These accounts also relate that after a long and stormy debate, Perkins resigned from the board on the spot. Moreover, these accounts relate that his AT&T records had been obtained by pretexting, but that he was not the director targeted by Dunn.

Perkins is also a Partner Emeritus of the venture capital firm of Kleiner Perkins Caufield and Byers.

The HP web page containing Directors' biographies states that Patricia Dunn "was named non-executive chairman of the board of directors of HP in February 2005", and that she has been a "member of HP's board since 1998".

Pretexting is the practice of lying to telecommunications carriers with lax privacy protection policies to obtain by deception the confidential call information of customers.

Legislative Activity. There are many bills pending in the House and Senate that would add further regulation, and create a specific criminal ban on the practice of pretexting.

For a summary of bills, see story titled "Rep. Smith Introduces Bill to Criminalize Pretexting to Obtain Consumer Phone or VOIP Records" in TLJ Daily E-Mail Alert No. 1,308, February 13, 2006, and HR 4709, the "Law Enforcement and Phone Privacy Protection Act of 2006", sponsored by Rep. Lamar Smith (R-TX).

Also, on June 21, 2006, Rep. John Dingell (D-MI), the ranking Democrat on the House Commerce Committee (HCC), wrote in a statement for a hearing on pretexting that "On March 8, 2006, the Committee on Energy and Commerce unanimously reported H.R. 4943, the 'Prevention of Fraudulent Access to Phone Records Act'. On May 2, 2006, this bill was scheduled for consideration on the Floor of the House of Representatives. Yet, with no notice or explanation, H.R. 4943 mysteriously disappeared from the suspension calendar and it has not been seen or heard from since. Members of this Committee, and the American public, should be told why the Republican leadership yanked our bill."

Rep. Dingell added that "I suspect a clue can be found in the May 11 USA Today article reporting that the National Security Agency (NSA) had persuaded AT&T, Verizon, and BellSouth to 'voluntarily' hand over their customer records, without customer knowledge or consent, so that the agency could analyze calling patterns in an effort to detect terrorist activity."

He added that "Illegal pretexting -- the use of false or fraudulent statements or representations -- is not limited to consumer telephone records, as our witnesses will testify. With that in mind, on March 29, 2006, this Committee voted 41-0 to approve H.R. 4127, the “Data Accountability and Trust Act”, which expressly prohibits pretexting for personal information by data brokers. That bill is also in some kind of legislative limbo, with reports that important consumer protections may be eliminated."

HR 4127 has been reported by the HCC, the House Financial Services Committee, and the House Judiciary Committee. However, it has not yet been approved by the full House.

FCC. The Federal Communications Commission (FCC) has announced nothing. It has authority under 47 U.S.C. § 222 to regulate the release by a "telecommunications carrier" of consumer proprietary network information (CPNI). AT&T and the other board members' carriers, but not Dunn or her investigators, are the entities within its jurisdiction in this matter.

In addition, the FCC has an open rulemaking proceeding regarding its CPNI rules. See the story titled "FCC Adopts NPRM Regarding Privacy of Consumer Phone Records" in TLJ Daily E-Mail Alert No. 1,308, February 13, 2006, and the story titled "FCC Rulemaking Proceeding on CPNI May Extend to Internet Protocol Services" in TLJ Daily E-Mail Alert No. 1,310, February 15, 2006.

This NPRM is FCC 06-10 in Docket No. 96-115 and RM-11277. The FCC adopted its NPRM on February 10, 2006. It released the text [34 pages in PDF] on February 14, 2006.

DOJ, FTC, and SEC. Neither the U.S. Department of Justice (DOJ) nor the U.S. Attorney's Office for the Northern District of California has announced any criminal prosecutions or investigations. Nor has the Federal Trade Commission announced any actions or investigations under the civil Federal Trade Commission Act, which prohibits, among other things, unfair or deceptive trade practices affecting interstate commerce. Nor has the SEC announced any action or investigation in connection with this matter.

However, HP's just released Form 8-K states that "HP recently has been informally contacted by the Attorney General of the State of California requesting information" and that it "has received a comment letter from the staff of the Securities and Exchange Commission's Division of Corporation Finance".

HP's stock price opened on September 5 (the day that news accounts of Patricia Dunn's activities were published) at $24.73. It closed at $25.83.

HP has not yet announced the departure of Patricia Dunn.

This matter also has the potential to affect not only HP and Dunn, but also several policy debates in Washington DC. For example, it may provide further debating points for proponents of anti-pretexting bills, and data privacy bills generally. It may similarly affect the FCC's open CPNI rulemaking proceeding.

Also, Attorney General Alberto Gonzales and the DOJ have advocated data retention mandates. Opponents of such mandates are likely to argue that if more data were retained by telecommunications carriers and internet service providers, then there would be more data available for fraudulent or unauthorized access by the likes of HP and Patricia Dunn.