State’s HP Case May Be Tough to Win
California Atty. Gen. Bill Lockyer may have a difficult time convicting Hewlett-Packard Co. officials involved in the company’s spying scandal because it’s not at all clear that state law will enable him to put anybody behind bars, lawyers and privacy experts said Thursday.
No single state statute specifically outlaws “pretexting,” or the use of deception to obtain a person’s private or personal information. One such measure passed by the Legislature this summer is awaiting Gov. Arnold Schwarzenegger’s approval, but he has not indicated whether he will sign it.
Lawyers in Lockyer’s office say several state laws, especially one forbidding the use of “false or fraudulent pretenses” to obtain confidential information from a public utility, are likely to apply to the case.
“That one is very on point,” Senior Assistant Atty. Gen. Mark Geiger said. “It describes very well what seems to have happened in this case.”
He added, “Further interviews are being conducted and further analysis of electronic records is being done.”
But legal experts say officers and executives at Hewlett-Packard may be insulated from any wrongdoing committed by their investigators, especially if they gave instructions not to do anything illegal in the course of their work.
HP and some of its corporate officers, including Chairwoman Patricia C. Dunn, are under scrutiny for an investigation the Palo Alto-based technology company staged to identify which company director leaked confidential board information to the media. Private investigators working for HP allegedly impersonated HP directors and reporters covering the company to obtain their call logs from phone companies. The investigation eventually identified George A. Keyworth II as the source; he has resigned from HP’s board.
Dunn in interviews has said the HP board was unaware of the privacy breaches. Moreover, an outside lawyer for HP has contended that the investigation did not violate the law. It is unclear whether the lawyer was aware of any pretexting, or whether he regarded it as legal.
The state’s ability to tie HP officials to any alleged crime “will be a question of fact,” says Robert Weisberg, a professor of law at Stanford University and an expert on white-collar crime. Lockyer would need “some information that they were pretty well clued in.”
The case has placed pretexting and its legal implications under a spotlight. The term, a coinage of the private investigation industry, has been used since at least the mid-1990s. Although it carries an air of formality, it was defined in 1998 by then-Federal Trade Commissioner Mozelle W. Thompson as “plain, old-fashioned lies.” In 1999, the federal Gramm-Leach-Bliley Act outlawed using false pretenses to obtain private financial information from a financial institution or a customer of the institution.
The investigation industry defines pretexting broadly as almost any form of deception employed to obtain private information. For a hearing in June, the House Energy and Commerce Committee compiled examples such as the extraction of personal information from utilities, phone companies or banks that included not only posing as the customer but also as a roommate, neighbor, spouse or deliveryman.
A favorite maneuver to obtain an unlisted phone number involved asking an operator to contact the subject regarding an emergency involving a family member and to give the target a number to call (say, the private investigator’s office). When the frantic subject called that number, his or her unlisted number could be read off the investigator’s caller ID screen.
One investigating service’s rate sheet published by the committee listed prices for obtaining unlisted phone numbers, utility records and long-distance calls. The service’s client list included individuals, bail bondsmen, collection agencies and banks.
Federal and state authorities have taken action in numerous cases in which investigators or data collection agencies have obtained information under false pretenses, but those cases seldom involve criminal charges. In May, for example, the Federal Trade Commission filed court complaints against five online firms that offered consumers’ private telephone records for sale to the public. The agency, which contends that the companies obtained the records through fraud, theft or misrepresentation, is asking for a permanent halt to the sales and for the companies to return the money they earned. The agency, however, isn’t empowered to seek further fines in the cases.
In March, Lockyer filed a $10-million lawsuit against San Diego-based Data Trace USA Inc., charging that the company posed as phone customers to obtain their records for third parties. The case is pending.
Because no California law specifically bans pretexting to obtain phone records, Lockyer’s office is trying to cobble together a criminal case from four provisions of the state penal code, each of which designed with other crimes in mind.
“There’s a mix of halfway laws on the subject,” said Chris Hoofnagle, a privacy law expert at UC Berkeley School of Law.
Those provisions include two that bar hacking into computers or computer networks without permission or for the purpose of fraud or theft; another prohibiting the obtaining of “personal identifying information” to commit a crime such as fraud or identity theft; and a fourth prohibiting anyone from obtaining confidential information from a utility through false pretenses. All are potential felonies.
The laws may have to be stretched to apply to the HP case. There’s no evidence that the information obtained by its investigators was used to commit financial fraud, for example. Instead, it was used to expose the leaking of confidential corporate information, which is arguably a legitimate corporate goal and even a management responsibility. Defense lawyers may argue further that pretexting does not fall under any of the laws.
“The language in these statutes is incredibly precise and technical,” Weisberg said. “The defendant will say the Legislature described particularized acts, not [pretexting]. It’s a classic problem of the letter versus the spirit of the law. It will be hard.”
Geiger, the assistant attorney general, noted that it was not unusual to find new ways to apply laws written for other purposes.
“It’s fair to say there is no single statute that’s exactly on point to what happened here,” he said. “But that’s true of just about every law that’s written.”
Still, privacy advocates say pretexting will be hard to stamp out until it is targeted by specific measures.
“It needs to be made very clear that pretexting is a crime,” said Marc Rotenberg, executive director of the Washington-based Electronic Privacy Information Center.
The proposed California law, which passed the Legislature virtually unanimously at the end of August, specifically prohibits obtaining telephone records through fraud or deceit. It further outlaws the purchase or sale of such records without the subscriber’s permission.
The bill’s sponsor, Sen. Joe Simitian (D-Palo Alto), said the legislation would make clear that individuals such as corporate officers who hired others to obtain records could themselves face criminal liability if the records were obtained illegally, even if they claimed not to know how the records were acquired. Simitian declined to comment on the HP case.
He said he originally drafted the bill in 2005 to address the emergence of websites offering private phone records for sale.
“It used to take people a moment to understand just how much of an invasion of privacy this is,” he said. “Finally, I started to point out that your phone records are a road map to your daily life -- who your psychiatrist is, who your broker is, who your girlfriend is. Then you could see people beginning to understand.”