Liar, Liar, and Pretexting
Mark Rasch, 2006-09-19

Mark Rasch details the legality of pretexting by putting it in context with how it is used, comparing it with legal forms of lying, and by looking at previous court cases involving pretexting in the United States. Hewlett Packard's use of pretexting also brings up potential charges of criminal fraud, violations of consumer protection laws, issues of deception, and the use of spyware. Together these issues make for a very interesting legal situation at HP.

Recently, Hewlett Packard’s management got themselves into both legal and public relations trouble by the manner in which they chose to investigate the source of leaks from their Board of Directors to the news media. The case raises questions about privacy and ownership of personal information, its value and the responsibility not only of those who obtain the information deceptively, but also those who hire them. Finally, it raises questions about how you conduct internal and external investigations in general.

Poor Hewlett Packard. First they have a public catfight between their CEO and their Board of Directors. Then, some Board member(s) leak information about the company to the press. In response, HP management hires a law firm, which in turn hires an investigator, which in turn hires another investigator to look into the source of the leaks. These investigators turn to a time-honored and ethically dubious practice known as pretexting - because lying is such an ugly word.

Pretexting is essentially lying to get information that you want, or to get someone to do something you want them to do. In this case, it is likely that the investigator called the telephone companies pretending to be the customer (or a close relative) and asked for a copy of the telephone toll records - records of calls made and received.

In its efforts to determine the source of the leaks, HP reportedly went even further, attempting to plant “spyware” onto a CNET reporter’s computer. According to The New York Times, private investigators working for HP, “... [r]epresenting themselves as an anonymous tipster . . . e-mailed a document to a CNET reporter . . . embedded with software that was supposed to trace who the document was forwarded to. The software did not work, however, and the reporter never wrote any story based on the bogus document.”

As a result of their actions, it appears that on September 28, 2006, HP Chair Patricia Dunn, General Counsel Ann Baskins, private investigator Ronald DeLia and outside counsel Larry Sonsini will now be required to either testify or invoke their rights against self-incrimination before the U.S. House Energy and Commerce Committee.

It was reported that HP sought and received a formal legal opinion that its investigative techniques were legal. I’m not so sure about that.

The Pretexting Issue

Pretexting can be used in many ways to obtain all kinds of information - financial and medical records, social security records, Internet and email records, passwords, user IDs, confidential business information, trade secrets - indeed, any information in any database, including information in your head. It can also be used in other situations, such as a YouTube user posing as a lonely girl in middle America instead of a New Zealand actress, in order to generate both a buzz and money for a movie, or a rather belligerent Craigslist poster posing as a 27-year-old submissive woman in order to obtain information (eeew!) from a bunch of guys to post online, or groups like Perverted Justice who pose as young girls online to root out potential pedophiles.

Indeed, the US military just approved what are called “false flag” operations, where you falsely represent that you are part of a foreign military service (perhaps one not known for its dedication to human rights) in order to induce detainees to give you information they might not otherwise pony up. Cops also routinely lie to suspects - you know, “your buddy here says that YOU were the one who pulled the trigger...” Government investigators and others use “testers” - people who apply for jobs, housing, or other benefits by giving false names and identities in order to root out discrimination. And all undercover operations - whether conducted by cops, intelligence operations, or journalists - involve deception to induce someone to act in a particular way, or to give information they would not give if they were told the truth.

Do we really want to make all forms of lying actionable?

In the movie Liar Liar, the Jim Carrey character was a lawyer who was forced to tell the truth, the whole truth and nothing but the truth. Imagine that. Indeed, Sissela Bok has made something of a career talking about the ethics of lying. But is the conduct of HP management, their lawyers, and the investigators immoral, unethical, unlawful, criminal or even actionable?

The Gramm Leach Bliley Act (GLBA) and Financial Records

The GLBA makes it a violation, enforceable by the FTC, to “obtain or attempt to obtain, or cause to be disclosed or attempt to cause to be disclosed” certain “customer information of a financial institution relating to another person” by using fraud, deceit, trickery, or forged documents. In other words, pretexting. You also can't solicit someone else to get the information for you, knowing that they will get it by false pretense or trickery. It was under the GLBA that the FTC went after online asset locators recently (PDF document).

But this statute only applies to non-public financial records, not the myriad of other records in databases that are routinely bought and sold - you know, your driver’s license records, your phone records, your ISP records, your medical records - even that dreaded “permanent record” from fourth grade!




Mark D. Rasch is an attorney and technology expert in the areas of intellectual property protection, computer security, privacy and regulatory compliance. He formerly worked at the Department of Justice, where he was responsible for the prosecution of Robert Morris, the Cornell University graduate student responsible for the so-called Morris Worm and the investigations of the Hannover hackers featured in Clifford Stoll’s book, "The Cuckoo’s Egg."
Copyright 2010, SecurityFocus