Business Daily from THE HINDU group of publications
Monday, Sep 25, 2006
eWorld - Security
Columns - Security Musings
Caught looking!

R. K. Raghavan

The 'spying' charge faced by Hewlett-Packard brings some key issues into the spotlight.

Computer giant Hewlett-Packard (HP) is very much in the news; but for a change, for the wrong reasons. It has been charged with using dubious and illegal methods to investigate leaks from its boardroom, and its Chairperson, Patricia Dunn, will be stepping down from office in January next.

Dunn, and a few others of the company's top brass, are facing a probe by the Congressional Committee on Energy and Commerce that is to meet on September 28 as well as an FBI investigation.

The California Attorney-General has already gone to town saying that there is sufficient material to indict HP officials. I will not be surprised if charges are laid in court by the time this column appears.

If there is evidence to indicate that Dunn was aware of the exact mechanics employed by the investigators, she herself could be in deep trouble. The belief is that while ordering the investigation she was not fully seized of the seriousness of such a probe and that it could get out of her hands.

An e-mail obtained by The New York Times, however, suggests that the top brass were repeatedly posed the question of the legality of the whole probe and the need to obtain external opinion on this. To this extent, Dunn and others in the HP Board could be said to have had some knowledge of the ramifications of the operation.

The episode has attracted huge media attention. Not surprisingly, because some of those probed by an outside agency hired by HP were pressmen who had been reporting in depth on what was happening inside the company. It looks as if the press is hitting back with a vengeance, evident from the scoops it produces on a daily basis!

Start of trouble

It all started with a Wall Street Journal report in January 2005 that the HP board was not exactly pleased with the company's performance in the PC sector, and that it wanted the then Chairperson, Carly Fiorina, to delegate some of her responsibilities to other executives. Incidentally, Fiorina was fired soon thereafter, but the leaks continued much to the chagrin of her successor, Patricia Dunn.

The latter found the conduct of one of her non-executive Directors, George Keyworth, particularly suspicious. Her preliminary probe confirmed her fears, and she asked Keyworth to resign. The latter refused to oblige, saying that he had been elected by the shareholders and Dunn did not have any authority to ask him to quit. About the same time, another Director, Thomas Perkins, put in his papers, complaining to the HP Board that his phone records had been "hacked" by someone. His innuendo was that this was at the instance of Dunn. To prove this allegation, he attached a letter from his phone operator AT&T. According to the latter, an unidentified individual had used two Yahoo mail IDs to gain entry into Perkins's records. This person had actually set up an online account with Perkins's telephone number and the last four digits of his social security number.

All hell has been let loose with the California Attorney-General disclosing that the HP probe had, apart from its own directors, targeted two reporters, Dawn Kawamoto and Tom Krazit, of ZDNET UK's sister site, CNET News.com, who had reported extensively on a strategy session held by the HP Board in January this year.

Focus on 'pretexting'

The company has itself now disclosed in a filing before the Securities and Exchange Commission that nine reporters, including one from The Wall Street Journal, had been investigated. It also conceded that its investigators had possibly used a questionable method that is commonly known as 'pretexting'.

In this modus operandi, an agency or a person obtains information that he is not authorised to possess, by passing himself off as a person that he actually is not. This is widely practised by private detective agencies for procuring information of a wide spectrum, including phone records, bank accounts and credit card data, sought by their clients.

It is generally known that HP had used its Global Investigation Group based in Massachusetts, which, in turn, hired a small Boston firm, Security Outsourcing Solutions. The latter assigned the task of going to the bottom of the leaks to an Action Research Group of Melbourne (Florida), a firm that had come to adverse notice in the past for using 'pretexting'. It is further conjectured that subcontractors had been employed to procure the relevant phone records.

Scope of spying

According to a very recent New York Times report, one that has to be corroborated, the HP investigation was not confined to extracting information from telephonic records. It went far beyond this, and there was direct surveillance of board members and journalists.

Also, one detective on the job of tracing leaks tried to plant software on the computer of one journalist to facilitate tracing of messages. Worst of all the techniques was possibly the e-mailing of a fake document to a CNET reporter that also carried software that would relay back the identity of the person to whom the document was forwarded, in case it was. But the reporter did not fall for the bait!

The matter did not end there. The New York Times has evidence that there were feasibility studies on how to infiltrate the newsrooms of CNET and The Wall Street Journal with plants who would keep HP investigators informed of the goings-on there.

The legal angle

Speculation abounds on what exactly will be the laws invoked to proceed against the HP officials and the investigators used by them. While there is no Federal law prohibiting this technique to procure information relating to telephone records, it is believed that some civil prohibitions could apply.

Of course, getting financial data by this method is clearly illegal. Significantly, a Bill prohibiting 'pretexting' to obtain telephonic records has been hanging fire in the US Congress for quite some time. Against this backdrop, it is possible that statutes that prohibit unauthorised access to computer data and use of such data for committing a fraud will be cited.

In addition, those that define offences of unauthorised access to personal identifying information (such as Social Security numbers) and access to customer records maintained by a utility company could be roped in.

The law enforcement agencies' investigation against HP is not a cakewalk. The prosecution will have to prove that Dunn and others in the company knew that 'pretexting' would be employed to get at those guilty of the leak. Further, if a computer was not used by the 'pretexters' to procure telephonic records and oral misrepresentation alone was employed, there could again be a problem. One former Federal prosecutor says: "Poor supervision is not a crime."

If convicted, those found guilty may suffer a fine or imprisonment, or both. HP as a corporate entity could also face the music, and there is a chance that a stiff fine may be imposed on it.

Two main issues

There are two main issues here. While a huge corporation such as HP may have a genuine information leakage problem, especially when it is in a highly competitive industry such as computers, is it ethical for it to adopt a dubious method to plug it, instead of moving in to tighten its security?

As against this ethical question, what does it do to protect itself when executives sitting in the boardroom themselves indulge in undesirable tactics that cause immense damage to the corporation? The issue may never be resolved to anybody's satisfaction.

The second major concern is the laxity of important agencies such as phone companies and banks in protecting sensitive customer information. AT&T is known to have filed two lawsuits in the recent past seeking permission to probe the identities of persons who had gained unauthorised access to the records of several thousand customers.

Also, a few months ago, it was reported that there were several Web sites where it was possible to buy information contained in telephone records. The practice is so widespread that a company like Sprint had to settle for a huge payment with a scamster company for the latter to share techniques it had employed to steal privileged information!

In a suit recently filed by Verizon Wireless, the company referred to a scamster seeking information on behalf of a customer with a voice disability. Can there be anything more ingenious? As everywhere else, the weakest link in security arrangements could be call centre employees.

The HP episode should send alarm bells to corporations all over the world. It no doubt highlights the perils of doing business in an atmosphere vitiated by cut-throat competition. More than this, it illustrates how even the most innovative of security measures can be defeated by social engineering that subverts the very trustworthiness of your employees at the highest level. Ultimately, the task seems to be one of how to fuse ethics into basic canons of corporate governance.

The writer is a former CBI Director who is currently Adviser (Security) to TCS Ltd.


Copyright © 2006, The Hindu Business Line. Republication or redissemination of the contents of this screen are expressly prohibited without the written consent of The Hindu Business Line