On October 4, 2006, the California Attorney General filed a felony complaint in Santa Clara Superior Court against former HP Chairwoman Patricia Dunn, former HP senior legal counsel Kevin Hunsaker, and three individuals hired by HP to investigate leaks by HP boardmembers to the press. News reports described HP’s tactics in investigating the leaks as “pretexting,” which was defined in very different ways. One reporter defined pretexting as “impersonating someone else as a means of getting access to confidential computer data.” Another described pretexting as a means “for data miners and private investigators [to] gain access to an individual’s personal information.”
Such broad definitions obviously raised concern among private investigators and those who hire them to obtain information from third parties. In fact, California law and the California Penal Code provisions underlying the Attorney General’s complaint are much narrower and limited in scope than our media pundits would have us believe.
The Attorney General’s Declaration in Support of its Complaint against the HP representatives and third party investigators described “criminal pretexting practices” as “third parties falsely representing themselves as AT&T customers in order to obtain account access and/or information relating to legitimate customers without the customers’ consent or knowledge.” The Declaration explained HP’s pretexting practices as having involved three methods by which HP’s investigators created on-line AT&T accounts for AT&T customers without their consent or knowledge, in order to access the customer’s telephone records. Those methods are:
1) An account can be created by the customer by calling AT&T’s automated system that automatically recognizes the customer’s telephone number (similar to caller I.D.). HP’s investigators allegedly called in to AT&T’s automated system and, through a technique called “spoofing,” were able to trick the automated system into believing that the customer’s telephone was being used to open the account.
2) An account can be created by the customer on-line, by providing the telephone number and last four digits of the customer’s social security number. The investigators allegedly obtained this information to open the account.
3) An account can be created by using a multi-digit code that is found on the customer’s paper bill. The investigators simply called AT&T and tricked a customer service agent into revealing this code. A common tactic employed is to pretend to be a customer who lost his billing statement and who needs to make an on-line payment.
I. California Penal Code Sections Used In The HP Pretexting Complaint
The October 4 complaint filed by the Attorney General against the HP representatives and third parties had four counts. As described in the Complaint, those counts were:
1) conspiracy to commit a crime, in violation of Penal Code section 182(a)(1);
2) fraudulent use of wire, radio or television transmissions, in violation of Penal Code section 538.5;
3) taking, copying, and using computer data, in violation of Penal Code section 502(c)(2); and
4) using personal identifying information without authorization, in violation of Penal Code section 530.5(a).
Penal Code section 538.5 covers transmissions by means of wire, radio, or television for the purpose of furthering or executing a scheme to obtain from a public utility confidential information (as set forth in the section, including trade secrets, trade lists, customer records, and billing records) by means of false or fraudulent pretenses. The Penal Code’s requirement that the information be sought from a public utility is very clear and would certainly exclude many of the practices ordinarily used by private investigators.
Penal Code section 502 relates to computer crimes. Subsection (a) states that the Legislature’s intent is “to expand the degree of protection . . . from tampering, interference, damage, and unauthorized access to lawfully created computer data and computer systems.” In a declaration of findings and purpose accompanying a 1984 amendment to section 502, the Legislature further stated that one of the section’s purposes is “to deter and punish browsers and hackers – outsiders who break into a computer system to obtain or alter the information contained therein.”
Subsection (c) provides nine separate bases for criminal and civil liability, most of which relate expressly to accessing and without permission altering, damaging, or deleting data on a computer. Subsection (c)(2), for which the HP representatives and third parties were charged, prohibits “knowingly access[ing] and without permission tak[ing], cop[ying], or mak[ing] use of any data from a computer, computer system, or computer network, or tak[ing] or cop[ying] any supporting documentation . . .”
Penal Code section 530.5 relates to the unauthorized use of personal identifying information; i.e., identity theft. The section prohibits obtaining by willful means “personally identifying information” and using the information for any unlawful purpose, including to obtain, or attempt to obtain, credit, goods, services, real property, or medical information in the name of another person without their consent. “Personal identifying information” is specifically defined in section 530.55(b) with a very long list, including an individual’s name, address, telephone number, health insurance identification number, taxpayer identification number, school identification number, state or federal driver’s license number, social security number, place of employment, employee identification number, date of birth, mother’s maiden name, demand deposit account number, savings account number, and credit card number.
In March 2007, a California judge dismissed the charges against Dunn; three others pleaded no contest to the felony count for fraudulent wire communications and were required by the court to complete 96 hours of community service, at which time the court said it would dismiss the case against them. Although the individuals escaped potentially greater criminal penalties (they were facing up to three years in prison and fines of up to $10,000 for each felony charge), federal prosecutors have stated that their investigation of HP continues. Additionally, in December 2006 HP entered into an agreement with the California Attorney General to resolve civil claims against the company with a payment by HP of $14.5 million to fund a Privacy and Piracy Fund to assist California state prosecutors in investigating and prosecuting consumer privacy and information violations, for statutory damages, and to reimburse the Attorney General’s office for the costs of the HP investigation. A spokesperson for Attorney General Jerry Brown said that court’s resolution of the criminal charges “affirms that pretexting is illegal.” Thus, although there should be some comfort from the review of the Penal Code provisions and their application to the facts presented in the HP pretexting case, as well as from the resolution of the criminal prosecution, private investigators subject to California law — and those who hire them — should exercise extreme caution when attempting to obtain information by pretending to be someone (or something) they are not.