HP case raises questions o "pretexting" legality

By Michael A. Hiltzik
(c) 2006, Los Angeles Times

Friday, September 15, 2006 11:02 AM CDT

Although California Attorney General Bill Lockyer has said he has “enough evidence to indict” people inside Hewlett-Packard Co. in connection with its corporate spying scandal, lawyers and privacy experts say it’s not clear that state law will enable him to put anybody behind bars.

That’s because no single California statute specifically outlaws “pretexting,” or the use of deception to obtain a person’s private or personal information. One such measure passed by the California legislature this summer is awaiting Gov. Arnold Schwarzenegger’s approval, but he has not indicated whether he will sign it.

Still, lawyers in Lockyer’s office say several California laws, especially one forbidding the use of “false or fraudulent pretenses” to obtain confidential information from a public utility, are likely to apply to the case.

“That one is very on point,” Senior . Assistant Attorney General Mark Geiger said. “It describes very well what seems to have happened in this case.”

Geiger, head of the special crimes unit in Lockyer’s office, said he had no timetable for bringing charges.

“Further interviews are being conducted, and further analysis of electronic records is being done,” he said.

Hewlett-Packard and some of its corporate officers, including Chairwoman Patricia C. Dunn, are under scrutiny for an investigation the Palo Alto, Calif.-based technology company staged to identify a company director who leaked confidential board information to the media. Private investigators working for HP allegedly impersonated HP directors and reporters covering the company to obtain call logs from phone companies. The investigation eventually identified George A. Keyworth II as the source; he resigned from HP’s board earlier this month .

Legal experts say officers and executives at Hewlett-Packard may be insulated from any wrongdoing committed by their investigators, especially if they gave instructions not to do anything illegal in the course of their work.

Dunn in interviews has said the HP board was unaware of the privacy breaches. An outside lawyer for HP has contended that the investigation did not violate the law

Whether HP officials can be tied to any alleged crime “will be a question of fact,” says Robert Weisberg, a professor of law at Stanford University and an expert on white-collar crime. Lockyer would need “some information that they were pretty well clued in.”

The case has placed the term “pretexting” and its legal implications under a spotlight. The term, a coinage of the private-investigation industry, has been used since at least the mid-1990s. Although it carries an air of formality, it was aptly and concisely defined in 1998 by then-Federal Trade Commissioner Mozelle W. Thompson as “plain, old-fashioned lies.” In 1999, the federal Gramm-Leach-Bliley Act outlawed using false pretenses to obtain private financial information from a financial institution or a customer of the institution.

The investigation industry defines “pretexting” broadly as almost any form of deception employed to obtain private information. For a hearing in June, the House Committee on Energy and Commerce compiled examples of pretenses used to extract personal information from utilities, phone companies or banks that included not only posing as the customer, but also as a roommate, neighbor, spouse or deliveryman.

One investigating service’s rate sheet published by the committee listed prices for obtaining unlisted phone numbers, utility records and long-distance calls. The service’s client list included individuals, bail bondsmen, collection agencies and banks.

Federal and state authorities have taken action in numerous cases in which investigators or data-collection agencies have obtained information under false pretenses, but those cases seldom involve criminal charges. In May, for example, the Federal Trade Commission filed court complaints against five online firms that offered consumers’ private telephone records for sale to the public. The agency, which contends the companies obtained the records through fraud, theft, or misrepresentation, is asking for a permanent halt to the sales and for the companies to return the money they earned. The agency isn’t empowered to seek further fines in the cases.

In March, Lockyer filed a $10 million lawsuit against San Diego-based Data Trace USA, charging that the company posed as phone customers to obtain their records for third parties. The case is pending.

Because no California law specifically bans pretexting to obtain phone records, Lockyer’s office is trying to cobble together a criminal case from four provisions of the California penal code, each designed with other crimes in mind. “There’s a mix of halfway laws on the subject,” says Chris Hoofnagle, a privacy-law expert at the University of California, Berkeley.

These provisions include two that bar hacking into computers or computer networks without permission or for the purpose of fraud or theft; another prohibiting the obtaining of “personal identifying information” to commit a crime such as fraud or identity theft; and a fourth prohibiting anyone from obtaining confidential information from a utility through false pretenses. All are potential felonies.

The laws may have to be stretched to apply to the HP case. There’s no evidence that the information obtained was used to commit financial fraud, for example. Instead, it was used to expose the leaking of confidential corporate information, which is arguably a legitimate corporate goal, even a management responsibility. Defense lawyers may argue further that pretexting does not fall under any of the laws.

“The language in these statutes is incredibly precise and technical,” Weisberg says. “The defendant will say the legislature described particularized acts, not (pretexting). It’s a classic problem of the letter versus the spirit of the law. It will be hard.”

Geiger, the assistant attorney general, noted that it’s not unusual to find new ways to apply laws written for other purposes. “It’s fair to say there no single statute that’s exactly on point to what happened here,” he said. “But that’s true of just about every law that’s written.”

Privacy advocates say pretexting will be hard to stamp out until it is targeted by specific measures. “It needs to be made very clear that pretexting is a crime,” said Marc Rotenberg, executive director of the Washington-based Electronic Privacy Information Center.

A bill the California legislature passed virtually unanimously at the end of August specifically prohibits obtaining telephone records through fraud or deceit. It further outlaws the purchase or sale of such records without the subscriber’s permission.

Special Offer: Get 5 Weeks of the Journal Times for $7!