,
Mark Rasch details the legality of pretexting by putting it in context with how it used, comparing it with legal forms of lying, and by looking at previous court cases involving pretexting in the United States. Hewlett Packard's use of pretexting also brings up potential charges of criminal fraud, violations of consumer protection laws, issues of deception, and the use of spyware. Together these issues make for a very interesting legal situation at HP.
Recently, Hewlett Packard’s management got themselves into both legal and public relations trouble by the manner in which they chose to investigate the source of leaks from their Board of Directors to the news media. The case raises questions about privacy and ownership of personal information, its value and the responsibility not only of those who obtain the information deceptively, but also those who hire them. Finally, it raises questions about how you conduct internal and external investigations in general.Poor Hewlett Packard. First they have a public catfight between their CEO and their Board of Directors. Then, some Board member(s) leak information about the company to the press. In response, HP management hires a law firm, which in turn hires an investigator which in turn hires another investigator to look into the source of the leaks. These investigators turn to a time-honored and ethically dubious practice known as pretexting - because lying is such an ugly word.
Pretexting is essentially lying to get information that you want, or to get someone to do something you want them to do. In this case, it is likely that the investigator called the telephone companies pretending to be the customer (or a close relative) and asked for a copy of the telephone toll records - records of calls made and received.
In its efforts to determine the source of the leaks, HP reportedly went even further, attempting to plant “spyware” onto a CNET reporter’s computer. According to The New York Times, private investigators working for HP, “... [r]epresenting themselves as an anonymous tipster . . . e-mailed a document to a CNET reporter . . . embedded with software that was supposed to trace who the document was forwarded to. The software did not work, however, and the reporter never wrote any story based on the bogus document.”
As a result of their actions, it appears that on September 28, 2006, HP Chair Patricia Dunn, General Counsel Ann Baskins, private investigator Ronald DeLia and outside counsel Larry Sonsini will now be required to either testify or invoke their rights against self-incrimination before the U.S. House Energy and Commerce Committee.
It was reported that HP sought and received a formal legal opinion that its investigative techniques were legal. I’m not so sure about that.
The Pretexting Issue
Pretexting can be used in many ways to obtain all kinds of information - financial and medical records, social security records, Internet and email records, passwords, userid’s, confidential business information, trade secrets - indeed, any information in any database, including information in your head. It can also be used in other situations, such as a YouTube user posing as a lonely girl in middle America instead of a New Zealand actress, in order to generate both a buzz and money for a movie, or a rather belligerent Craigslist poster posing as a 27 year old submissive woman in order to obtain information (eeew!) from a bunch of guys to post online, or groups like Perverted Justice who pose as young girls online to root out potential pedophiles.
Indeed, the US military just approved what are called “false flag” operations, where you falsely represent that you are part of a foreign military service (perhaps one not known for its dedication to human rights) in order to induce detainees to give you information they might not otherwise pony up. Cops also routinely lie to suspects - your know, “your buddy here says that YOU were the one who pulled the trigger...” Government investigators and others use “testers” - people who apply for jobs, housing, or other benefits by giving false names and identities in order to root out discrimination. And all undercover operations - whether conducted by cops, intelligence operations, or journalists, involve deception to induce someone to act in a particular way, or to give information they would not give if they were told the truth.
Do we really want to make all forms of lying actionable?
In the movie Liar Liar, the Jim Carrey character was a lawyer who was forced to tell the truth, the whole truth and nothing but the truth. Imagine that. Indeed, Sissela Bok has made something of a career talking about the ethics of lying. But is the conduct of HP management, their lawyers, and the investigators immoral, unethical, unlawful, criminal or even actionable?
The Gramm Leach Bliley Act (GLBA) and Financial Records
The GLBA makes it a violation, enforceable by the FTC, to “obtain or attempt to obtain, or cause to be disclosed or attempt to cause to be disclosed” certain “customer information of a financial institution relating to another person” by using fraud, deceit, trickery, or forged documents. In other words, pretexting. You also can't solicit someone else to get the information for you, knowing that they will get it by false pretense or trickery. It was under the GLBA that the FTC went after online asset locators recently (PDF document).
But this statute only applies to non-public financial records, not the myriad of other records in databases that are routinely bought and sold - you know, your driver’s license records, your phone records, your ISP records, your medical records, - even that dreaded “permanent record” from fourth grade!
Not only does the GLBA only cover a narrow scope of records, it also has some exclusions which are, well bizarre. It excludes law enforcement agents acting within the scope of their duties. This suggests that if the cops want your financial records, rather than going down the hall to the prosecutor to get a subpoena (or issuing an administrative subpoena, getting a search warrant, a FISA warrant, a FISA order, a National Security Letter, the consent of the bank, or any of the myriad legal ways to get your information) it would be permissible for the cops to simply call the bank, pretend to be you (or anyone else) and trick the bank into ponying up your records. Pretty cool. And if you challenge the legality of the search as a violation of your privacy, a court might very well conclude that these records about you aren’t your records, but rather records of the financial institution. Therefore, even if the search is unreasonable, you don’t have what the law terms standing to challenge it. Lovely.
Other exclusions allow insurance investigators to get your records by pretext if they are investigating insurance fraud (do two wrongs make a right?) and licensed private investigators to use trickery rather than legal subpoenas to get financial records from you or from your bank if they are trying to enforce a delinquent child support order. I am all for enforcing child support orders, and for getting accurate financial records to do so - but I am at a loss to see why you would ever need to use deceit to do so. You already have a court involved and a judgment. Just subpoena the damned things! If a PI thought that some deadbeat dad was using my name for some reason, this suggests that he could call my bank and pretend to be me, and get my bank records with no showing of reasonableness. I don’t think so.
Consumer Protection Laws
The GLBA would be of little help to either the Hewlett Packard Board, or to the journalists whose records were examined by the investigators. Other than GLBA, there are a few laws in the United States that outright ban pretexting, although legislatures in California, (AB 1891, SB 1665), Georgia (HB 1290, SB 455), Kentucky (HB 543), Hawaii (HB 2818, HB 2841) and New Jersey (AB 2105, AB 2539, AB 3008) are considering such laws.
Thus, State Attorney’s General and prosecutors, as well as consumer protection agencies, generally rely on Federal and state consumer protection laws, such at the Federal Trade Commission Act, which prohibit both deceptive and unfair trade practices. And lying is generally considered a deceptive practice.
To use these consumer protection laws you would have to show a few things - first, that you are in some trade or business (as liberally interpreted by the FTC and the courts). Thus, social lying (like the kind you might do at a bar, or what happens in Vegas stays in Vegas...) and some forms of social engineering might not be covered by the law. Second, you would have to show that the actions are generally considered to be either deceptive or unfair. Well, duh. Pretending to be someone else to get their information is, well, deceptive.
Some of the cases brought by the government under consumer protection statutes have been downright nasty. In 1999 for example, the FTC fined James and Regena Rapp $200,000 for pretexting after James Rapp reportedly wrote a 1000 page book about how to obtain information, and reportedly obtained private information on people like Monica Lewisnky, the Ramsey family, and others - usually at the behest of private investigators.
In another case in 2003, a man contacted an Internet based company called Docusearch.com to find out information about his former girlfriend. He purchased various services from the online company, including her address, social security number, employer information including employer’s address. Docusearch hired an investigator, Michele Gambino to find this information, which she did by “pretexting” the ex-girlfriend. For a few hundred dollars, the ex boyfriend located his ex-girlfriend, found her, and killed her, before killing himself. Her estate sued Docusearch, and the court found that the pretexting was a deceptive trade practice.
In another case, Massachusetts v. Source One, Source One advertised in a bunch of legal periodicals that it would conduct “asset searches” for a fee. Lots of lawyers used their services to find out whether people they were suing (or about to sue) had any assets worthy of attachment - after all, you don’t want to sue unless you can collect, right? Problem was, as everybody knows (or should know) financial records are presumably secret. A host of government regulations, including the Gramm Leach Bliley Act (GLBA), and Office of the Comptroller of the Currency and other financial regulations prohibit financial institutions from disclosing this information except under certain circumstances - and helping out private investigators ‘aint one of those recognized exceptions (that is, without a subpoena). After hearing the testimony, the court concluded that, “. . . the only way that information brokers can obtain private financial information from banks is through the use of deception and trickery, including impersonation of account holders.” Well, either that or the less deceptive practice of dumpster diving. Therefore, the court concluded that Source One violated the Massachusetts deceptive practices law.
Finally, California has also gone after a company called Trace Data USA for pretexting people’s cell phone records.
Pretexting and Deception
Okay, so making a business out of pretexting to get someone’s information is a deceptive trade practice, right? Um... not so fast. Remember our Insurance agents, child support detectives and cops? If they are permitted to use pretexting (a deceptive trade practice) under GLBA, but prohibited under the deceptive trade practice law, what’s the point of the exception? What if you tell the truth about who you are, but lie about the reason you want the non-public information?
The recent movie The Black Dahlia relates to a real murder case of Elizabeth Short. In 1949 reporters working on the case called Short’s mother after the murder, not telling the mom that her daughter had been murdered. Instead they used the ruse that she had won a beauty contest in order to get information about the deceased. A deceptive trade practice? What if you don’t affirmatively lie, but merely mislead - allow the recipient of the information to believe that you are someone else, or need the information? Is anything less than the truth, the whole truth and nothing but the truth actionable?
Remember, the deceptive trade practice rules are not designed to be a protection of the privacy of non-public personal information. They are intended to make people in business play nicely and be honest. Thus, the victim of the deception is not you - it’s the phone company, the credit card company, the bank, etc. - the person whose putatively owns the information.
Criminal fraud
In addition to the deceptive trade practice statutes, the actions of the HP officers, their lawyers and investigators may also violate various fraud statutes, like the mail fraud (18 USC 1341), wire fraud (18 USC 1343) and computer fraud (18 USC 1030) statutes, as well as various state criminal fraud and larceny by trick statutes. These statutes generally prohibit the use of false or fraudulent statements, or even material omissions in furtherance of a “scheme or artifice to defraud” someone out of “money or property.”
So is your personal information “property” and if so, whose “property” is it? What about other kinds of information? The law is very weird on this idea of information as property. Some kinds of information, like properly protected trade secrets, patents, copyrights and trademarks, clearly have recognized property interests - some with respect to confidentiality, some with respect to misuse. Other types of information have recognized confidentiality interests, but not necessarily a “property” interest. This would include things like credit information, some criminal history information, information protected by a court order, information classified for national security or foreign relations purposes, and health care information. But confidentiality and property are not the same thing. Clearly, your physical records - the dead trees and ink - are property for someone. If I waltzed into your doctor’s office and stole your records (remember Daniel Ellsberg?) I would be guilty of both burglary and theft. But if I just called the attending nurse and cajoled the info? Invasion of privacy sure, but theft? Not so clear.
Even if your telephone toll records are considered “property,” are they your property? And do you have any expectation of privacy with them? The U.S. Supreme Court appears to suggest that the answer to these questions is no.
In 1999, in Smith v. Maryland, the Court stated that, “... we doubt that people in general entertain any actual expectation of privacy in the numbers they dial. All telephone users realize that they must "convey" phone numbers to the telephone company, since it is through telephone company switching equipment that their calls are completed. All subscribers realize, moreover, that the phone company has facilities for making permanent records of the numbers they dial, for they see a list of their long-distance (toll) calls on their monthly bills.” ... “it is too much to believe that telephone subscribers, under these circumstances, harbor any general expectation that the numbers they dial will remain secret.”
The court went on to say that even if you did think your phone records were private, at least for Fourth Amendment search and seizure purposes, your expectation of privacy is just not reasonable, since they aren't your records. The Court said, “When he used his phone, petitioner voluntarily conveyed numerical information to the telephone company and 'exposed' that information to its equipment in the ordinary course of business. In so doing, petitioner assumed the risk that the company would reveal to police the numbers he dialed.”
While California law generally prohibits telephone companies from disclosing your records without your consent (save subpoenas or other process) it’s not clear that it prohibits others from attempting to induce a phone company from thinking that they do have your consent. Thus, the phone company may take the risk that these records are inadvertently disclosed.
In order for the information to be considered “property,” not only must it be non-public, but it must have “value.” Sure, HP paid the lawyers, who paid the investigators, who expended some time and effort to obtain the information by fraud and deception. And sure, the phone company spent some time and effort to create these records, but does this mean that the information itself is “property” with value? Hard to say.
The fraud laws speak of obtaining a “thing of value” and there is no doubt that the HP management thought the records were of value to their investigation. But if you falsely tell a woman you love her to induce her to spend the night, do you obtain a “thing of value?” Sure. Did you do it by fraud or deception? Let’s assume so. Is that a criminal offense? I am not going near that question with a ten foot pole.
Virtual Pretexting
While we don’t know the exact manner in which the pretexting occurred, it is likely that the investigators did not just pick up the phone and call AT&T, claiming to be the HP Board member or journalist about whom they were seeking information. Rather, with access to the databases they already had, they likely learned the names, addresses, social security numbers, and other personal information about their targets (for the Board of Directors, this information was probably in HP's human resources or similar files.)
As a convenience, my bank, insurance company, 401(k) manager, cable TV provider, and yes, telephone company, all allow me to access my documents electronically. Let’s face it, it’s cheaper and easier for all of us when I can get a copy of my bill and statements electronically. But this convenience comes at a price. Making this personal information web accessible dramatically increases the likelihood that the database can be hacked, or that the password and/or userid can be guessed or social engineered. Even if I pick hard to guess passwords, and the site has good security, there is still a major flaw. You see, the security helps me only if I know that an account has been set up. The HP investigators may have created online accounts for the HP Board members and journalists using the information they already knew from the databases. While the access to the databases would be clearly unauthorized, it’s not clear whether the userid and password is a key making the resulting access a trespass, or whether it is an ID card, making the resulting access false personation. Court and prosecutors both have gone both ways on this issue. What is clearly needed is much stronger authentication at the account formation stage, but alas, this might discourage use and cut into convenience.
The Spyware Problem
It addition to pretexting, it appears that the lawyers and investigators also tried to find the source of the leaks by sending reporters documents embedded with spyware. Presumably, the document had some sort of executable in the file which, when the document was opened, would “ping” a particular IP address (probably that of the investigator) with the IP address from which it was opened. Presumably, the “spyware” also did nothing else. We can also assume that the reporter knew nothing about this, and did not consent to the executable.
In the 1980’s, the Soviet Union used a technique where they would place chemicals like nitrophenyl pentadien (NPPD) and luminal on doorknobs or documents in order to trace who had accessed particular documents or locations. This “spydust” could then be tracked. One variant of what the HP investigators did would be to have sent the “spyware-laden” documents to the Board members, with directions that it “ping” the investigators when it is opened from an IP address other than an internal HP address. So is this legal? Like everything else in the law, it depends.
State spyware laws tend to focus not only on the surreptitious installation of programs onto a computer but on what that software does. Prohibited activities tend to include things like sending back personal information, like name, address, Internet activities, and similar things. Also prohibited are things like gumming up your computer, and making the software difficult or impossible to remove. In the HP/CNET case, the “spyware” did install itself surreptitiously, and was designed to send information back to the originator. But the information sent was not necessarily the kind of “personal” information protected under the law. Plus, there is the issue of which law applies. Presumably the California law or at least some form of conspiracy to violate the California law could apply.
This statute, like other spyware laws, protects only “personally identifiable information” with things like first name (or initial) and last name, or business or home address. The HP/CNET “spyware” might have revealed this, but it is doubtful. More likely, it just revealed the IP address of the CNET reporter as the reader of the document - the name of the individual reporter would be inferred. By “business address,” it is doubtful that the California legislature meant “IP address.” So the activity of installing this “spy dust” might not violate the spyware laws. Of course, the investigator’s Trojan horse probably went much further than sending the reporter’s IP address - it may have scanned the entire hard drive, or more.
Go Directly to Jail
What about other laws, like computer crime statutes? Almost every state has a computer crime statute, one that generally prohibits making an “unauthorized access” to a computer, or “exceeding the scope of authorization” to access a computer. Several issues apply here. First, is simply sending mail (or worse, just embedding the executable in a document and leaving it around to be accessed) “accessing” a computer? In the ancient days of the Internet (that is, 1988), Robert Morris, a 22 year old graduate student released a computer worm through, among other mechanisms, a Sendmail vulnerability. The worm “damaged” the computers by essentially slowing them down, making and sending copies to others. In that case, the exploiting of the mail vulnerability by sending what might amount to a “mail bomb” was considered to be an “unauthorized access” or at least “exceeding the scope” of authorized access. But in the HP case, the executable probably did no “damage” or had any discernible effect on the infected computer. Whether it “accessed” a computer may turn on exactly what it did and how it worked.
As noted, it is unlikely that the HP executable merely pinged HP with the IP address of the recipient. You see, at least according to press reports, the investigator directed the tainted letter to a specific reporter (and probably more than one). Thus, the program, once surreptitiously installed, probably scanned the reporter’s hard drive for information about HP (or other information) and tried to send the results back to the investigator. This may have included the contents of the reporter’s in or out boxes, or the files and documents. If only Nixon’s plumbers had this technology, Woodward and Bernstein would have been a footnote.
Alternatively, the executable could have opened a back door to the reporter’s computer, or acted as a key logger. Any of these activities would likely violate the federal computer crime statute, 18 USC 1030. Federal conspiracy law would allow civil or criminal charges to be filed not only against the persons who caused the program to be sent, but also those who approved or solicited the activity.
All of this is important for IT security professionals because it not only affects how you can conduct investigations and your use of deception and ruse, but also deals with sensitive issues like when is information property, and when is it protected by law? And after all, computer crimes are not crimes against computers, they are crimes against information. All I can say is, I wouldn’t like to be in HP management’s shoes right now.