 |
H.P. Said to Have Studied Infiltrating Newsrooms
Hewlett-Packard conducted feasibility studies on planting spies in news bureaus of two major publications as part of an investigation of leaks from its board, an individual briefed on the company’s review of the operation said yesterday.
The studies, referred to in a Feb. 2 draft report for a briefing of senior management, are said to have included the possibility of placing investigators acting as clerical employees or cleaning crews in the San Francisco offices of CNET and The Wall Street Journal.
It is not clear whether the plan described in the documents, which were read to a reporter, was ever acted upon.
The report was sent on Feb. 1 by Anthony R. Gentilucci, Hewlett-Packard’s Boston-based manager of global investigations, to four others, including Kevin T. Hunsaker, a senior counsel in Hewlett-Packard’s legal department and the company’s chief ethics officer.
“Feasibility studies are in progress for undercover operations (clerical) in CNET and WSJ offices in SF bureaus,” the memo said, referring to two publications in which reports of the company’s board discussions had appeared.
Under a section labeled “Investigation Activity Update,” with the subtitle “Covert Operations,” it also called for examining the use of cleaning employees at those locations.
Another document, undated but said to be a briefing for the company’s chairwoman, Patricia C. Dunn, is less explicit but refers to plans involving “placement of agent in close proximity to person of interest.”
A Hewlett-Packard spokesman had no comment last night when asked about the documents.
The consideration of undercover agents inside news organizations adds a new element to what is known of the Hewlett-Packard investigation, which prominently included the use of subterfuge to gain the phone records of company directors, employees, journalists and others.
An e-mail message obtained by The New York Times from someone with access to the company’s investigative material shows that leading members of the team supervising the investigation knew of the use of the phone ruses at least as early as January 2006 and raised questions about their legality.
The disclosure came as investigators examined the role of a man from the Omaha area who may have obtained private phone records on Hewlett-Packard’s behalf, according to people briefed on the company’s review of the operation.
California and federal prosecutors are exploring whether laws were broken in the investigation, particularly in the use of pretexting — a technique in which an investigator masquerades as someone else to obtain that person’s calling records from a phone company.
Concern over legality was reflected in an e-mail message sent on Jan. 30 by Mr. Hunsaker, the chief ethics officer, to Mr. Gentilucci, the manager of global investigations. Referring to a private detective in the Boston area, Ronald R. DeLia, whom the company had hired, he asked: “How does Ron get cell and home phone records? Is it all above board?”
Mr. Gentilucci responded that Mr. DeLia, the owner of Security Outsourcing Solutions, had investigators “call operators under some ruse.”
He also wrote: “I think it is on the edge, but above board. We use pretext interviews on a number of investigations to extract information and/or make covert purchases of stolen property, in a sense, all undercover operations.”
Mr. Hunsaker’s e-mail response, in its entirety, said: “I shouldn’t have asked....”
It is unclear who, if anyone, in the company was then briefed on what he had been told. People who have seen other material from Hewlett-Packard’s investigation said that Mr. Hunsaker, in supervising the operation, communicated frequently with Ms. Dunn, the chairwoman, about its progress. But they said it was not clear when Ms. Dunn, who ordered the investigation, learned of the methods used.
Mr. Hunsaker did not respond to a request for comment. Mr. Gentilucci referred all inquiries to Hewlett-Packard’s corporate offices, where a spokesman had no comment.
The Hewlett-Packard investigations were initiated in early 2005, around the time of Carleton S. Fiorina’s ouster as chairwoman and chief executive, and then resumed in January 2006. The two phases — each begun after accounts of board members’ discussions appeared in news articles — were code-named Kona I and Kona II, according to several people who saw the company’s investigative records. The names are intriguing; Ms. Dunn’s vacation home is in Kona, Hawaii.
Not all board members were targets in the investigation, according to people who had seen some of the company’s investigatory materials. The detectives seemed to focus on allies of Thomas J. Perkins, Ms. Dunn’s board antagonist.
In the first phase, the targets were Mr. Perkins, George A. Keyworth II and Robert E. Knowling Jr., a director who stepped down last September. Ms. Fiorina was also a target, the documents show.
In the second phase, Mr. Keyworth, his wife, Mr. Perkins and two other directors — Lucille S. Salhany, a former television executive, and Richard A. Hackborn, a former H.P. executive — were targets. Both phases used pretexting, according to documents the company has given various investigators.
Another target was Shane Robison, an executive vice president and chief strategy and technology officer. Mr. Robison is not on the board but was a liaison to its technology committee, on which Mr. Keyworth and Mr. Perkins served. A company memo, described to a reporter, instructs detectives to obtain the records of Ms. Dunn and Mr. Robison for the sake of completeness.
Mr. Perkins resigned in June in protest over the investigation. Mr. Keyworth, identified as having given information to reporters, agreed last week to resign from the board after Ms. Dunn said she would step down as chairwoman in January.
In addition to Hewlett-Packard directors, nine journalists and two employees, those whose phone records were obtained included Larry W. Sonsini, the outside counsel, a spokeswoman for his law firm, Wilson Sonsini Goodrich & Rosati, said yesterday, confirming a report in The Wall Street Journal.
The identification of a man from the Omaha area as a possible participant in the operation provides a potentially critical link in the investigative chain. The man, Brian Wagoner, has spent several years working for the Action Research Group, a Florida detective agency, according to a relative of Mr. Wagoner.
The Florida agency has been identified by people briefed on Hewlett-Packard’s review of its operation as a contractor for Security Outsourcing Solutions, Mr. DeLia’s firm.
An e-mail message to Mr. Hunsaker, the Hewlett-Packard ethics officer, indicates that he was aware of the involvement of the Action Research Group in the operation. On Feb. 7, Mr. DeLia informed Mr. Hunsaker that he had sent an e-mail message to “my source in FL and asked him if there were any state laws prohibiting pretexting telephone companies for call records.”
Mr. DeLia gave the response from that firm, presumably Action Research: “We are comfortable there are no Federal laws prohibiting the practice.” He added that he had been using the firm for 8 to 10 years.
Mr. DeLia did not respond yesterday to requests for comment.
Action Research and Mr. Wagoner, the Omaha man, had been linked before. His name appeared in connection with Action Research in April, when Congressional investigators studying pretexting interviewed James Rapp, a Denver man convicted in 2000 of illegally obtaining phone records. Rob Douglas, an information security expert who was a consultant to the Congressional investigation, said Mr. Rapp had disclosed his employment for years with the Action Research Group.
Mr. Rapp told investigators that after his own conviction, which led to the shutdown of his business, some of his employees went to work for Action. Among them was Mr. Wagoner, whom Mr. Rapp identified as his nephew during the interview with Congressional investigators, Mr. Douglas said.
Mr. Rapp said yesterday that Brian Wagoner split his time between the Omaha and Denver areas. “I know for a fact there’s been correspondence between he and Action for many, many years,” Mr. Rapp said.
Mr. Rapp said he had spoken with Mr. Wagoner twice yesterday. “He keeps trying to tell me that Action doesn’t do that kind of work anymore,” Mr. Rapp said. But he said Mr. Wagoner had told him that he did believe he had worked on H.P. case. “He did do the work,” Mr. Rapp said. “He does remember that.”
Extensive Spying Found At HP
Feb. Report Sent to 4 Senior Executives
By Ellen Nakashima and Yuki Noguchi
Washington Post Staff Writers
Wednesday, September 20, 2006; D01
The Hewlett-Packard Co. spying effort that has sparked criminal investigations was wide-ranging and included physical surveillance, photographs and spyware sent via e-mail, and it also targeted wives and other relatives of HP board members and reporters, according to a consultant's report prepared for the company.
The Feb. 10 report, obtained by The Washington Post, summarized in eight pages how investigators, to identify an internal leak of confidential HP information, surreptitiously followed HP board member George A. Keyworth II while he was giving a lecture at the University of Colorado. They watched his home in Piedmont, Calif. They used photographs of a reporter to see if the reporter met with him. And they tried to recover a laptop computer stolen from him in Italy so they could analyze its contents.
The report, prepared by a consulting firm in Needham, Mass., hired to investigate leaks to the media, was sent to four HP executives, including HP's ethics director. That suggests that senior HP employees were aware of the spying tactics used as early as February. The report was sent to Kevin Hunsaker, senior counsel and HP ethics director; Frederick P. Adler, an HP information security employee; Vince Nye, a senior investigator; and Anthony Gentilucci, an HP global investigations manager in Boston.
The report, prepared by Security Outsourcing Solutions Inc., detailed extensive efforts it supervised to obtain calling records for home, office and cellphones and fax lines of various HP board members and reporters covering the company.
The report described how investigators sent an e-mail to a reporter for the online technology publication Cnet.com that contained spyware software in an attached file. If opened, the attachment was designed to install itself on her computer and track every keystroke.
The extent to which the Silicon Valley computer company would go to identify the person who spoke anonymously to a reporter about confidential company operations has scandalized corporate America, launched federal and state investigations, and outraged members of Congress, who have called a Sept. 28 hearing on the matter.
Larry Neal, a spokesman for the House Energy and Commerce investigative subcommittee, said yesterday that outgoing HP chairman Patricia C. Dunn, general counsel Ann Baskins and outside counsel Larry Sonsini are expected to testify. Ronald R. DeLia, owner of Security Outsourcing Solutions and the author of the confidential HP report, is also expected to appear but may choose to invoke his Fifth Amendment right against self-incrimination, said Neal, the deputy staff director for the full committee.
Two others asked to appear before the committee -- Gentilucci, the Boston HP global investigator, and Joseph DePante, owner of a private investigative firm in Florida, have not responded to the committee's request, Neal said.
The House committee has also requested that HP turn over documents related to the investigation and has received "several thousand pages" so far, Neal said.
Another document reviewed by The Post revealed that HP's ethics chief in January was plotting ways to obtain information on board members and was being warned off those tactics by a colleague. On Jan. 28, Hunsaker asked Adler whether there was any way to "lawfully get text message content." Hunsaker wrote about HP board member Thomas Perkins, "Apparently, Perkins almost never uses uses his cell phone, and instead does just about everything via text message."
In an e-mail reply, Adler told Hunsaker "[e]ven if we could legally obtain the records, which we can't unless we either pay the bill or get consent, I would highly suspect text messaging records are not kept due to volume and expense. The only other means is through real time interception, an avenue not open to us."
HP has conducted two internal leak investigations in the past two years, the first dubbed "Kona 1" and running from March 2005 through the summer of 2005. The second, "Kona 2," ran from January to May 2006, according to sources familiar with the investigation.
Kona 2 was prompted by a story by Cnet reporter Dawn Kawamoto about the firm's long-term strategy, and from the February consultant's report, it is clear that HP focused fairly early -- by mid-February -- on board members Keyworth and Perkins. Keyworth has since admitted to leaking information and resigned from the board.
According to DeLia's report, investigators obtained subscriber information on at least 240 of more than 300 phone numbers sought, and was in the process of analyzing them, including the records of phone calls from Keyworth's New Mexico house, to and from his fax and cellphone, as well as his new wife's home and cellphones. Similarly, the firm obtained records of Perkins's home phone calls from Jan. 4 to Jan. 26, including 12 U.S. calls, three to Britain and two other international calls.
According to the report, board members, reporters and their spouses, particularly at Cnet, were subject to broad background checks, including details of where they worked, attended school and lived. Investigators hired through DeLia's firm obtained call information on Kawamoto's home phone, cellphone and a cellphone believed to belong to Kawamoto's husband's. They conducted "[e]xtensive Media and Internet Content Research" on Cnet reporter Tom Krazit and his wife.
The call information was obtained by a technique sometimes called "pretexting," or impersonating someone else to obtain their phone records, HP said in a Securities and Exchange Commission filing.
The investigators also began an e-mail exchange with Kawamoto "under the pretext of . . . . develop[ing] a dialogue with the reporter." Then, he noted, on Feb. 9, an e-mail was sent to Kawamoto with an attached file with "tracking capability," or software that logs keystrokes in real time.
Investigators experienced in corporate work said the technique, called "keylogging," was out of bounds in this case. "I've been doing this a long time and I've never heard or seen of investigators doing those nefarious types of tactics," said Robert Seiden, president of Fortress Global Investigations Corp. in New York. "To get access to a reporter's computer raises a whole slew of privacy and legal issues."
Kawamoto did not reply to phone messages and a Cnet spokeswoman declined to comment. Krazit also declined to comment.
HP CEO Allowed 'Sting' of Reporter
Chairman's E-Mails Detail Operation
By Ellen Nakashima and Yuki Noguchi
Washington Post Staff Writers
Thursday, September 21, 2006; A01
Hewlett-Packard Co. chief executive Mark V. Hurd approved an elaborate "sting" operation on a reporter in February in an attempt to plug leaks to the media, according to an e-mail message sent by HP Chairman Patricia C. Dunn.
The document, one of more than two dozen e-mails obtained by The Washington Post, for the first time links Hurd to an internal investigation of media leaks that has led to criminal probes and will be the subject of a congressional hearing next week.
Internal e-mails show senior HP employees who were given the task of identifying anonymous news sources concocted a fictitious, high-level HP tipster who sent bogus information to a San Francisco reporter in an attempt to trick her into revealing her sources.
The e-mail sting operation, which was part of a wide-ranging two-part HP investigation that began in March 2005 and ended in May 2006, is the latest in a series of deceptive and possibly illegal tactics that reveal the lengths to which HP went to spy on people inside and outside the company to protect its image and secrets.
HP's leak investigation involved planting false documents, following HP board members and journalists, watching their homes, and obtaining calling records for hundreds of phone numbers belonging to HP directors, journalists and their spouses, according to a consultant's report and the e-mails.
The e-mail operation demonstrated an intense degree of attention by Dunn, who often sent messages via a BlackBerry device, and by senior HP executives attempting to cultivate and trick a news reporter to find the identity of her source. A Hewlett-Packard spokesman declined to comment on the revelations or make Hurd or Dunn available for an interview.
None of the e-mails reviewed by The Post were to or from Hurd, nor do they detail what information Hurd had when he approved the sting operation.
A corporate spying effort this broad and orchestrated has never before been exposed, experts said.
"If you'd laid this out as a science fiction story, it'd be hard to believe it's true," said Ari Schwartz, deputy director of the Center for Democracy & Technology, a District-based privacy watchdog group.
It was unclear whether the e-mail sting operation involved illegal tactics, experts said, but federal and state authorities have launched probes into the legality of HP's methods.
On Sept. 28, Dunn and several other HP executives are scheduled to testify before the House Energy and Commerce investigative subcommittee about their roles in the spy probe. The hearing is part of an inquiry led by committee Chairman Joe Barton (R-Tex.) into the techniques Hewlett-Packard used.
California Attorney General Bill Lockyer said last week that he had enough evidence to issue indictments against people inside and outside HP. The spying scandal erupted into public view this month after it was revealed that board member Thomas J. Perkins had resigned in protest months ago after learning that his personal phone records had been obtained under false pretenses.
The Hewlett-Packard board of directors is scheduled to meet today, and Hurd is to brief board members about developments in the internal review. Hurd is expected to hold a press conference Friday.
After an emergency board meeting last week, Dunn agreed to resign as the board's chairman in January but she is to remain on the board, handing the top job to Hurd. George "Jay" Keyworth, a board member who said he talked to a reporter, resigned last week.
Though nine journalists were apparently targeted in HP's leak investigation, one in particular drew the scrutiny of Dunn and Hurd, according to a series of internal e-mails. Dawn Kawamoto, a reporter for Cnet.com, wrote a fairly straightforward article on Jan. 23 outlining the firm's long-term strategy after a board retreat.
Determined to ferret out the source's identity, HP senior counsel Kevin Hunsaker, who led the HP investigation ordered by Dunn, and an HP colleague in Boston created a fictitious persona, "Jacob," who would pose as a disgruntled HP "senior level executive" and cultivate Kawamoto by saying he was "an avid reader of your columns."
The idea, evidently, was to induce Kawamoto to open an e-mail attachment with a "tracer" in it that would allow them to see who she forwarded it to. They hoped it would pinpoint board member Keyworth as her source, according to the documents.
On Feb. 2, Hunsaker made a PowerPoint presentation to Dunn, called Project Kona II, in which she was shown the "covert" e-mail sent to Kawamoto on Jan. 26. In it, "Jacob" wrote that "tired of broken promises, misguided initiatives and generally bad treatment," he had information to pass on to her.
The computer-generated presentation included a proposed " 'next step' covert e-mail" in which "Jacob" would establish his insider bona fides with Kawamoto by telling her that, contrary to an article she wrote, a potential HP deal with "CSC," or Computer Sciences Corp. was "definitely on HP's radar . . . I know because I was involved in preparing the briefing documents."
After the presentation, Hunsaker sent Dunn an e-mail thanking her for "taking such a big chunk of time" to meet with his team. Dunn replied with an e-mail to Hunsaker, saying that she was "encouraged that this effort is on the right track."
As the project evolved, Hunsaker and Anthony Gentilucci, an HP global investigations manager in Boston, began to refine Jacob's character. "I think we have to figure out who Jacob is, weak, strong, vindictive, a Bill and Dave fan, possibly lower level employee . . . will dictate the tone of the e-mail," Gentilucci wrote on Jan. 28.
Over the next week, HP investigators designed a plan to give Kawamoto a "[small] accurate piece of advance information" about a new handheld product, before they would "spring the false one," referring to a fabricated news tip about HP opening a computer data farm. That first tip, about the handheld device, would be sent in an e-mail that would include the tracking software.
On Feb. 5, Dunn sent an e-mail to Hunsaker: "This sounds promising. I will be in contact with Mark and come back to you with an indication of joint approval as soon as we connect."
Sending someone an e-mail file, even under false pretenses, and then tracking whether it was forwarded may violate confidentiality policies, but is probably not illegal, said Robert Seiden, chief executive of Fortress Global Investigations Corp. If the company used its program to try to access other information from Kawamoto's computer, however, that would be a violation of federal law, he said.
A Feb. 8 e-mail from Ronald DeLia, a Boston security contractor hired to work on the HP leak investigation as part of Hunsaker's team, suggested "a more elaborate sting" involving "electronic bugs" that would allow the tracking of calls between Keyworth and Kawamoto.
If the team wiretapped the calls of Keyworth and Kawamoto, that too would be illegal, Seiden said.
On Feb. 9, in an e-mail to Hunsaker and general counsel Ann O. Baskins, Dunn wrote: "I spoke with Mark and he is on board with the plan" and that "he also agrees that we should consider doing something with" the data-farm tip.
On Feb. 16, Kawamoto sent an e-mail to "Jacob" that she would be on vacation the next week. DeLia forwarded her e-mail to his colleagues, saying: "Team, We're alive and kicking." He also noted that, based on her cellphone call records, she was going to Disneyland. "She has made numerous calls to a hotel in Disneyland," he wrote.
On Feb. 22, Hunsaker e-mailed Dunn and Baskins with a copy of a slide showing the bogus handheld product to be launched. "I made up everything in the slide, trying to make it at least somewhat feasible," Hunsaker wrote to Dunn and Baskins. "I won't quit my day job, but hopefully neither will the name nor the information on the slide are terribly off-base."
Dunn replied: "Kevin, I think this is very clever. As a matter of course anything that is going to potentially be seen outside HP should have Mark's approval as well."
On Feb. 23, Hunsaker sent an e-mail to Dunn. "FYI, I spoke to Mark a few minutes ago and he is fine with both the concept and the content."
