[ISN] Intrigue in High Places

From: InfoSec News (alerts@private)
Date: Tue Sep 05 2006 - 23:09:16 PDT


http://www.msnbc.msn.com/id/14687677/site/newsweek/

By David A. Kaplan
Newsweek
Sept 5, 2006

The confrontation at Hewlett-Packard started innocently enough. Last 
January, the online technology site CNET published an article about the 
long-term strategy at HP, the company ranked No. 11 in the Fortune 500. 
While the piece was upbeat, it quoted an anonymous HP source and 
contained information that only could have come from a director. HP’s 
chairwoman, Patricia Dunn, told another director she wanted to know who 
it was; she was fed up with ongoing leaks to the media going back to CEO 
Carly Fiorina's tumultuous tenure that ended in early 2005. According 
to an internal HP e-mail, Dunn then took the extraordinary step of 
authorizing a team of independent electronic-security experts to spy on 
the January 2006 communications of the other 10 directors - not the 
records of calls (or e-mails) from HP itself, but the records of phone 
calls made from personal accounts. That meant calls from the directors' 
home and their private cell phones.

It was classic data-mining: Dunn's consultants weren't actually 
listening in on the calls - all they had to do was look for a pattern of 
contacts. Dunn acted without informing the rest of the board. Her 
actions were now about to unleash a round of boardroom fury at one of 
America's largest companies and a Silicon Valley icon. That corporate 
turmoil is now coming to light in documents obtained by NEWSWEEK that 
the Securities and Exchange Commission is currently deciding whether to 
make public. Dunn could not be reached for comment. An HP spokesman 
declined repeated requests for comment.

On May 18, at HP headquarters in Palo Alto, Calif., Dunn sprung her 
bombshell on the board: she had found the leaker. According to Tom 
Perkins, an HP director who was present, Dunn laid out the surveillance 
scheme and pointed out the offending director, who acknowledged being 
the CNET leaker. That director, whose identity has not yet been publicly 
disclosed, apologized. But the director then said to fellow directors, 
"I would have told you all about this. Why didn't you just ask?" That 
director was then asked to leave the boardroom, and did so, according to 
Perkins.

Close to 90 minutes of heated debate followed, but Perkins, the Silicon 
Valley venture capitalist, says he was the only director who rose to 
take Dunn on directly. Perkins says he was enraged at the surveillance, 
which he called illegal, unethical and a misplaced corporate priority on 
Dunn's part. In an interview with NEWSWEEK, Perkins says he was 
particularly annoyed since he chaired the HP board's Nominating and 
Governance Committee and had not been informed by Dunn of the 
surveillance, even though, he says, she had told him for months that she 
was attempting to discover the source of the leak.

After a divided board passed a motion asking the leaker to resign, 
Perkins closed his briefcase, announced his own resignation and walked 
out of the room. In media mentions the next day, Perkins's sudden 
resignation was noted, but without explanation and without any 
indication that his departure was a form of protest. (According to 
Perkins, the leaker-director himself refused to resign, saying it was up 
to shareholders to make such a decision; that director continues to 
serve on the board.) Thus began nearly four months of warfare between 
HP and Perkins about whether the surveillance would ever come to public 
light.

Any time a director resigns from a U.S. public corporation, federal law 
requires the company to disclose it to the SEC, in what's called an 8-K 
filing. If the director resigned for reasons related to a "disagreement" 
with the company about "operations, policies or practices," that, too, 
is now required. HP reported Perkins's resignation to the SEC four days 
after it happened - back in May - but gave no reason for the resignation, 
instead including only a press release thanking Perkins for his years of 
service. Perkins has twice challenged that omission in e-mails to the HP 
board and, he says, received no response from HP.

In early August, Perkins - represented by his own, non-HP lawyer, Viet 
Dinh, a former Bush administration official - formally asked the SEC to 
force HP to publicly file his written explanation for resigning.  
According to a source who requested anonymity because of his closeness 
to HP, the company objected on the grounds that when Perkins resigned at 
the May board meeting he didn't indicate why. Perkins says his reasons 
for resigning were obvious and he stated them at the meeting. Now, 
sources say, the company could file such a document with the SEC as soon 
as Wednesday.

The entire episode - beyond its impact on the boardroom of a 
$100-billion company, Dunn's ability to continue as chairwoman and the 
possibility of civil lawsuits claiming privacy invasions and fraudulent 
misrepresentations - raises questions about corporate surveillance in a 
digital age. Audio and visual surveillance capabilities keep advancing, 
both in their ability to collect and analyze data. The Web helps 
distribute that data efficiently and effortlessly. But what happens when 
these advances outstrip the ability of companies (and, for that matter, 
governments) to reach consensus on ethical limits? How far will 
companies go to obtain information they seek for competitive gain or 
better management?

The HP case specifically also sheds another spotlight on the 
questionable tactics used by security consultants to obtain personal 
information. HP acknowledged in an internal e-mail sent from its outside 
counsel to Perkins that it got the paper trail it needed to link the 
director-leaker to CNET through a controversial practice called 
"pretexting"; NEWSWEEK obtained a copy of that e-mail. That practice, 
according to the Federal Trade Commission, involves using "false 
pretenses" to get another individual's personal nonpublic information: 
telephone records, bank and credit-card account numbers, Social Security 
number, and the like. Pretexting is heavily marketed on the Web.

Typically - say in the case of a phone company - pretexters call up and 
falsely represent themselves as the customer; since companies rarely 
require passwords, a pretexter may need no more than a home address, 
account number and heartfelt plea to get the details of an account.  
According to the Federal Trade Commission's Web site, pretexters sell 
the information to individuals who can range from otherwise legitimate 
private investigators, financial lenders, potential litigants and 
suspicious spouses, to those who might attempt to steal assets or 
fraudulently obtain credit. Pretexting, the FTC site states, "is against 
the law." The FTC and several state attorneys general have brought 
enforcement actions against pretexters for allegedly violating federal 
and state laws on fraud, misrepresentation and unfair competition. One 
of HP's directors is Larry Babbio, the president of Verizon, which has 
filed various actions against pretexters.

Legal experts vary in their views on the extent to which pretexting is a 
violation of criminal law. The Gramm-Leach-Bliley Act of 1999 bars a 
range of fraudulent activity related to financial records, but its 
applicability to phone records is unclear. Experts agree that pretexting 
is often used to accomplish identity theft - to borrow money or buy 
merchandise - that clearly is criminal. But the pretexting itself may be 
harder to prosecute. Civil liability would seem to be much more a risk 
for pretexters, as they obviously engage in an invasion of privacy, 
achieved through misrepresentation.

Perkins himself was pretexted as part of Dunn's leaker probe. In the 
materials he sent to the SEC, Perkins includes an August 11 letter from 
an attorney at AT&T spelling out to Perkins that he was a victim of 
pretexting in January 2006; Perkins had requested that AT&T examine 
whether he had been pretexted. The AT&T letter explains that the 
third-party pretexter who got details about Perkins's local 
home-telephone usage was able to provide the last four digits of 
Perkins's Social Security number and that was sufficient identification 
for AT&T. The impersonator then convinced an AT&T customer-service 
representative to send the details electronically to an e-mail account 
at yahoo.com that on its face had nothing to do with Perkins. Records 
for Perkins's home AT&T long-distance account in northern California 
were similarly obtained, except by someone using another yahoo.com 
e-mail account; both e-mail accounts are registered to the same Internet 
Protocol address, but for which AT&T says it does not know the identity 
of the user.

The materials before the SEC indicate that Dunn's consultants used 
pretexting for her investigation. In mid-June, according to a letter 
Perkins sent to the full HP board, Perkins contacted HP's outside 
counsel - Larry Sonsini, of Wilson Sonsini Goodrich & Rosati - and asked 
him to look into the Dunn investigation. In an e-mail to Perkins 
obtained by Newsweek, Sonsini acknowledged that Dunn's security 
consultants "did obtain information regarding phone calls made and 
received by the cell or home numbers of directors" and that it was "done 
through a third party that made pretext calls to phone service 
providers." Sonsini's e-mail emphasized that the security consultants 
engaged in "no electronic surveillance," "no phone recording or 
eavesdropping," and "no recording, review or monitoring of director 
e-mail." His legal defense of the use of pretexting was that it is 
"apparently a common investigatory method" and that "there was no 
'secret spying,' i.e., no electronic gear, listening devices, etc."  
Perkins quotes Sonsini's e-mail in the materials he sent to the SEC. 
Sonsini could not be reached for comment.

In the documents before the SEC, Perkins also protests that he was not 
allowed to review and approve the initial 8-K filing about his May 
resignation, which he says is required under SEC rules. And he requests 
that the HP board appoint a special committee to examine the legality 
and propriety of Dunn's investigation. In the documents before the SEC, 
after Perkins notes he was not the source of the CNET leak, he 
excoriates Dunn. "I resigned solely to protest the questionable ethics 
and the dubious legality of the chair[woman]'s methods," Perkins writes. 
In his interview with NEWSWEEK, he added that he believed he was 
"legally obligated to do so" in his directorial capacity.

Perkins says he has asked other government agencies to investigate the 
sub rosa surveillance of the HP directors. Those agencies include the 
California attorney general's office, as well as the FTC, the Federal 
Communications Commission and the Justice Department.

Dunn, 52, has been on the HP board since 1998, and was elected 
non-executive chairwoman in February 2005. She was CEO of Barclays 
Global Investors from 1995 to 2002. The 74-year-old Perkins is the 
cofounder of Kleiner Perkins Caufield & Byers, the venerable Silicon 
Valley firm that has bankrolled such venture-capital home runs as 
Genentech, Netscape, Amazon and Google. Perkins has an on-and-off 
history with HP that dates almost half a century. On graduating from 
Harvard Business School in 1957, he worked on a lathe in the company's 
machine shop. Then he helped launch its computer division in the 1960s, 
eventually becoming Bill Hewlett's staff assistant when Dave Packard 
went to Washington to run the Pentagon. Perkins joined the HP board 
after HP merged with Compaq in 2001, then retired in 2004, and rejoined 
the board in 2005 when Fiorina was ousted. Perkins alludes to his HP 
heritage in his letter. "My history with the Hewlett-Packard Company is 
long and I have been privileged to count both founders as close 
friends," he writes. It "is a very sad duty," he says, to disclose 
"probable unlawful conduct, improper board procedures, and breakdowns in 
corporate governance." It remains to be seen if this final chapter in 
his relationship with HP changes the company's course.

Editor's Note:  Kaplan is currently writing a book for HarperCollins on 
the superyacht that Tom Perkins recently built and launched in Europe.





