High-Tech Company Uses Low-Tech Spy Technique
FindLawBy Kevin Fayle
Anyone interested in technology and the law has probably already heard about HP's spying scandal involving the use of "pretexting" to get information about members of HP's Board of Directors. Pretexting (also known as "social engineering") is a simple, low-tech, and frighteningly common way that data miners and private investigators can gain access to an individual's personal information.
HP hired the investigators to discover the source of a leak within the Board. The investigators posed as Board members in order to obtain their phone records and other personal information about them. The investigation eventually uncovered the member responsible for the leak, but revelations about the methods used by the investigators soon exploded into a far bigger scandal than the corporate leak ever was.
Once reports of the spying surfaced, the California Attorney General, the U.S. Attorney General for Northern California, the FBI and the House Energy and Communications committee all initiated investigations into the imbroglio. At issue is whether the company's pretexting violated any California or federal law.
Essentially, pretexting involves one person contacting a company and pretending to be someone they're not in order to obtain information about a particular customer. Usually, the pretexter will pretend to be the actual customer, but they could also pose as a reporter or family member. This is most often done in an attempt to get information from a telecom, such as phone records or billing information. There are entire companies that survive on mining customer data through pretexting and then selling the information to interested parties.
Portions of the Gramm-Leach-Bliley Act (15 U.S.C. § 6821 through 15 U.S.C. § 6827) make pretexting a crime in the financial services context, and federal wiretapping and illegal computer access statutes may also cover a particular incident, depending on the actual facts of the case. Interestingly, while it may be illegal to obtain records through pretexting, it is not currently illegal to sell those records once obtained. A bill introduced in the Senate by Sen. Charles Schumer proposes to make both practices illegal.
In California, pretexting is a crime covered by the state's identity theft and unauthorized computer access statutes. California Penal Code Section 530.5 makes it a crime to obtain personally identifying information and use it for an unlawful purpose, and California Penal Code Section 502 outlaws unauthorized access to lawfully created computer databases. The California Attorney General, Bill Lockyer, has suggested that HP may have violated one or both of these laws in its spying campaign. His office has subpoenaed the company for more information, and the investigation into the spying is ongoing.
Kevin Fayle is an attorney and Producer in FindLaw's Sunnyvale office.
Hardware
© 2006 FindLaw
