Proving criminal act is hurdle in HP case

Sep 20, 2006

The New York Times
Damon Darlin and Matt Richtel

Despite the California attorney general’s assertion that he has enough evidence to press charges against people inside and outside Hewlett-Packard, a criminal case may be hard to prosecute, according to legal specialists.

The California prosecutors are still collecting evidence and have filed no charges. But they think people hired by Hewlett-Packard or a string of subcontractors used fraudulent means to gain access to phone records, thereby violating some or all of four state statutes, Tom Dresslar, a spokesman for Attorney General Bill Lockyer, said Monday.

Those laws are being used to go after people who the prosecutors believe pretended to be someone else to get private phone records, a practice known as pretexting. Hewlett-Packard has acknowledged that the method was used in an investigation of news leaks from its board. Records of directors, employees and reporters were obtained.

Two of the laws the state is considering for criminal charges cover unauthorized access to computer data; one of those also prohibits using that data for fraud. Lawyers call those laws “wobblers” because they can be used for misdemeanors or for felonies that can carry a penalty of up to three years in prison and a fine of $10,000

Another potentially applicable law covers gaining access to personal identifying information, including Social Security numbers.

The California attorney general’s office is exploring a fourth law that makes it a crime to gain unauthorized access to customer records from a utility.

“We believe laws have been broken,” Dresslar said. “We’re just trying to figure out who broke them.”

Dresslar said the state believed that the laws covered not just the person who committed the pretexting but also others who authorized, financed or knew of it and let it proceed. “You don’t have to be the person who sat at the keyboard and did the actual pretexting,” he said.

Still, proof is not always easy to find. Robert Weisberg, a Stanford University law professor, said there might have been “metaphoric violations” of statutes involving computer data, meant to thwart hackers. But if the pretexters were not using a computer, “it’s going to be a stretch,” he said.

Even if prosecutors can show that private detectives hired by the company violated the law, it may be difficult to establish that executives, managers and lawyers at HP headquarters were culpable. If those employees showed “willful ignorance,” that is, they turned a blind eye to the methods used, the prosecutors could get a conviction, Weisberg said.

But Matthew Jacobs, a former U.S. prosecutor and a partner in the Silicon Valley law firm of McDermott Will & Emery, noted, “Poor supervision is not a crime.” He said prosecutors would have to show that executives turned a blind eye to the methods but did so with knowledge of the probable result.

Ken Sukhia, a former U.S. prosecutor who now focuses on internal corporate investigations at the firm of Conwell Sukhia & Kirkpatrick in Tampa, Florida, said prosecutors would have to show that someone at the company intended or expected pretexting to take place.

Sukhia said the prosecutors could, for example, seek testimony from an accused person’s friends or associates showing that the defendant had mentioned that something seemingly underhanded was taking place to get the phone records.

The U.S. attorney’s office in San Francisco is also investigating the case, but it might have more trouble bringing a case because federal laws are even less clear about pretexting, Sukhia said.

Chris Hoofnagle, a senior fellow at the Boalt Hall School of Law at the University of California at Berkeley, said the absence of specific language covering pretexting would not be important since consumer protection laws are designed to cover a range of crimes. “Consumer fraud is so varied in its circumstances that one often uses broad statutes to pursue wrongdoing,” Hoofnagle said.

People briefed on Hewlett-Packard’s review of its investigation of news leaks have said the company’s detectives also had people followed and put a piece of software on a document to trail where it went after they sent it to a reporter’s computer. But Dresslar said the state was not looking at those methods.

“We’re focused on the unauthorized access to phone records,” he said.

Law professors in California said there was little that was illegal about surveillance, and the legality of the computer software would depend on what kind it was and how it was used.

Copyright 2006 The New York Times. All Rights Reserved.