Anyone interested in technology and the law has probably already heard about HP's spying scandal involving the use of "pretexting" to get information about members of HP's Board of Directors. Pretexting (also known as "social engineering") is a simple, low-tech, and frighteningly common way that data miners and private investigators can gain access to an individual's personal information.
As reported in the Washington Post and elsewhere, HP hired the investigators to discover the source of a leak within the Board. The investigators posed as Board members in order to obtain their phone records and other personal information about them. The subterfuge also apparently targeted journalists and family members. The investigation eventually uncovered the member responsible for the leak, but revelations about the methods used by the investigators soon exploded into a far bigger scandal than the corporate leak ever was.
Once reports of the spying surfaced, the California Attorney General, the U.S. Attorney General for Northern California, the FBI and the House Energy and Communications committee all initiated investigations into the imbroglio. At issue is whether the company's pretexting violated any California or federal law.
What is Pretexting?
Essentially, pretexting involves one person contacting a company and pretending to be someone they're not in order to obtain information about a particular customer. Usually, the pretexter will pretend to be the actual customer, but they could also pose as a reporter or family member. This is most often done in an attempt to get information from a telecom, such as phone records or billing information. There are entire companies that survive on mining customer data through pretexting and then selling the information to interested parties.
Portions of the Gramm-Leach-Bliley Act (15 U.S.C. § 6821 through 15 U.S.C. § 6827) make pretexting a crime in the financial services context, and federal wiretapping and illegal computer access statutes may also cover a particular incident involving pretexting, depending on the actual facts of the case. Interestingly, while it may be illegal to obtain records through pretexting, at this time, it is not currently illegal to sell those records once obtained. A bill introduced in the Senate by Sen. Charles Schumer known as the Consumer Telephone Records Protection Act of 2006 proposes to make both practices illegal. A House bill, the Telephone Records and Privacy Protection Act of 2006 ultimately accomplished that goal when it became law in 2007.
In California, the act of pretexting can be a crime covered by the state's identity theft and unauthorized computer access statutes. California Penal Code Section 530.5 makes it a crime to obtain personally identifying information and use it for an unlawful purpose, and California Penal Code Section 502 outlaws unauthorized access to lawfully created computer databases. According to the Washington Post article, the California Attorney General, Bill Lockyer, has suggested that HP may have violated one or both of these laws in its spying campaign. His office has subpoenaed the company for more information, and the investigation into the spying is ongoing.