Tuesday, September 19, 2006

The New York Times



September 19, 2006

Fuzzy Laws Come Into Play in the H.P. Pretexting Case

SAN FRANCISCO, Sept. 18 — Despite the California attorney general’s assertion that he has enough evidence to press charges against people inside and outside Hewlett-Packard, a criminal case may be hard to prosecute, legal specialists say.

The California prosecutors are still collecting evidence and have filed no charges. But they think people hired by Hewlett-Packard or a string of subcontractors used fraudulent means to gain access to phone records, thereby violating some or all of four state statutes, Tom Dresslar, a spokesman for Attorney General Bill Lockyer, said Monday.

Those laws are being used to go after people who the prosecutors believe pretended to be someone else to get private phone records, a practice known as pretexting. Hewlett-Packard has acknowledged that the method was used in an investigation of news leaks from its board. Records of directors, employees and reporters were obtained.

Two of the laws the state is considering for criminal charges cover unauthorized access to computer data; one of those also prohibits using that data for fraud. Lawyers call those laws “wobblers” because they can be used for misdemeanors or for felonies that can carry a penalty of up to three years in prison and a fine of $10,000.

Another potentially applicable law covers gaining access to personal identifying information, including Social Security numbers. The attorney general’s office is exploring a fourth law that makes it a crime to gain unauthorized access to customer records from a utility.

“We believe laws have been broken; we’re just trying to figure out who broke them,” Mr. Dresslar said.

Mr. Dresslar said the state believed that the laws covered not just the person who committed the pretexting, but others who authorized, financed or knew of it and let it proceed. “You don’t have to be the person who sat at the keyboard and did the actual pretexting,” he said.

Still, proof is not always easy. Robert Weisberg, a Stanford University law professor, said there might have been “metaphoric violations” of statutes involving computer data, meant to thwart hackers. But if the pretexters were not using a computer, “it’s going to be a stretch,” he said.

Even if prosecutors can show that private detectives hired by the company violated the law, it may be difficult to establish that executives, managers and lawyers at the company’s headquarters were culpable.

If those employees showed “willful ignorance,” that is, they turned a blind eye to the methods used, the prosecutors could get a conviction, Mr. Weisberg said.

But Matthew J. Jacobs, a former federal prosecutor and a partner in the Silicon Valley law firm of McDermott Will & Emery, noted, “Poor supervision is not a crime.” He said prosecutors would have to show that executives turned a blind eye to the methods but did so with knowledge of the probable result.

Ken Sukhia, a former United States attorney who now focuses on internal corporate investigations at the firm of Conwell Sukhia & Kirkpatrick in Tampa, Fla., said prosecutors would have to show that someone at the company intended or expected pretexting to take place.

Mr. Sukhia said the prosecutors could, for example, seek testimony from an accused person’s friends or associates showing that the defendant had mentioned that something seemingly underhanded was taking place to get the phone records.

The United States attorney’s office in San Francisco is also investigating the case, but it might have more trouble bringing a case because federal laws are even less clear about pretexting, Mr. Sukhia said.

Chris Hoofnagle, a senior fellow at the Boalt Hall School of Law at the University of California, Berkeley, said the absence of specific language covering pretexting would not be important since consumer protection laws are designed to cover a range of crimes.

“Consumer fraud is so varied in its circumstances that one often uses broad statutes to pursue wrongdoing,” Mr. Hoofnagle said.

People briefed on Hewlett-Packard’s review of its investigation of news leaks have said the company’s detectives also had people followed and put a piece of software on a document to trail where it went after they sent it to a reporter’s computer. But Mr. Dresslar said the state was not looking at those methods. “We’re focused on the unauthorized access to phone records,” he said.

Law professors in California said there was little illegal about surveillance, and the legality of the computer software would depend on what kind it was and how it was used.

In addition to a criminal case, Hewlett-Packard could face civil suits from those whose records were obtained. And a Congressional hearing has been scheduled for next week at which the H.P. chairwoman, Patricia C. Dunn; the general counsel, Ann O. Baskins; and H.P.’s outside counsel, Larry W. Sonsini, have been called to testify about the use of pretexting.