Not only were HP board members' phone records accessed in the leak probe, now comes the extraordinary news that so were CNET reporter Dawn Kawamoto's, who wrote the article that angered HP's chairwoman Patricia Dunn.
According to News.com's Jim Kerstetter:
On Thursday, an investigator with the attorney general's office contacted Kawamoto and said AT&T confirmed that her records had, indeed, been accessed. Kawamoto said she never authorized her home phone records to be shared with anyone, and she noted her home phone number is under her husband's name, not her own.
Here's David Berlind's take. It's the first time I've ever known him to be at a loss for words. Having experienced something similar, I just want to say how deeply and intensely I despise and loathe such behavior. Don't people understand that harrassing and intimidating journalists is a very fast way to destroy the United States of America? That isn't overstating it at all. The entire system, as envisaged, was for journalists to play a role in making sure the people know the facts, and leaks are sometimes the only way to get them. If you destroy that balance, just because you can, thanks to technology, what have you done?
Hackers, or really crackers, had to learn that lesson, didn't they? Tech is fun, but the lesson had to be learned that just because you *can* do something technically, it doesn't mean you *should*. It took laws to get that point across to some, and I would expect that we will be seeing laws next about pretexting to rein in these corporate cowboys, and the private investigators they hire, so they understand that there is a line. Because when you can't see the line for yourself, it has a way of rising up and smacking you upside the head, which is what is now happening right now to HP. Was it worth it, just to find a leaker?
One thing is for sure, if this isn't illegal, it needs to be. Pronto. And according to the latest from Bloomberg, CA Attorney General Bill Lockyer is now saying unambiguously that crimes were committed:
California Attorney General Bill Lockyer said crimes were committed in Hewlett-Packard Co.'s investigation of board members, and charges are likely to be brought.
Lockyer said it's too early to determine whether company executives or the investigators they hired would be charged...."It's unclear exactly who is liable and how severe it is and who had specific knowledge."...A key question is whether company executives knew or should have known about the tactics the investigators were using, he said.
It's that "should have known" that would have me up at night if I were the subject of the investigation.
UPDATE: Now the NY Times reports that 9 journalists' phone records were breached, including its own John Markoff. (And may I please be the first to tell
the New York Times in passing how much I despise their requirement that all readers be required to accept cookies, speaking of privacy invasions?) And according to the report, the investigation began in 2005, not 2006, prompting Mr. Perkins' attorney, Viet D. Dinh, to say this:
"If it is true that the pretexting started before January 2006 and dated back to 2005, it would suggest a deeper and more troubling chain of events than the hiring of third-party pretexters and would reach much higher to persons responsible at H.P."
And the Mercury News has info on exactly what laws we're talking about having been broken, straight from the CA AG's mouth:
Lockyer said that although pretexting is not specifically singled out in California's penal code, his office is convinced that the practice violates two statutes, one protecting data and the other protecting privacy. The charges would likely involve gaining unauthorized access to computer data and identity theft through the unauthorized use of personal information. Such violations could be prosecuted as a misdemeanor, which carries a maximum one year county jail sentence, or a felony, which carries a maximum of three years in prison.
Lockyer said it's too soon to say whether his investigation will lead to charges against HP officials or board members, against the investigative company, or that company's subcontractor.
Lockyer said he expected that HP would blame its investigators. "Obviously, their defense is, it wasn't us, it was an agent that broke the law."
HP's Donovan said that at the time of the pretexting, "there were no established laws in the U.S. prohibiting pretexting.'' Since that time, some states have adopted laws prohibiting it, he said.
(In California, a bill to outlaw pretexting is now on Gov. Shwarzenegger's desk.)
And Wired tells us that Perkins' attorney has referred the matter also to the US Department of Justice, the Federal Trade Commission and the FCC. Other laws implicated:
The action also violates an identity-theft law that makes it illegal to use someone's personal information for an unlawful purpose. [CA deputy attorney general Robert] Morgester said using someone's Social Security number to open an online billing account in their name to obtain their phone records would qualify as identity theft.
The federal government could also conceivably go after HP for unfair trade practices and violating the wire fraud act, "assuming that this crossed state lines you could argue that they used electronic communications to commit fraud against another person," said Chris Hoofnagle, privacy expert and senior staff attorney with the Samuelson Law, Technology and Public Policy Clinic at UC Berkeley. Additionally, the board members themselves could seek restitution.
"The board members affected could bring suit against the investigators and Hewlett Packard under tort law for invasion of privacy and theft of data," said Hoofnagle. "But the most effective path would be for the phone carriers to go after them."
UPDATE 2: The Wall St. Journal has emails [PDF] between Tom Perkins and HP's outside counsel Larry Sonsini, in which Perkins tells Sonsini that "the investigation was a Patti Dunn program, 100% -- conceived and managed by her, and unknown to the board, except perhaps in the most vague and imprecise terms, with the possible exception of Mark, who she may have briefed."
We now have two more names of journalists whose phone records were breached. CNET News' Jim Kerstetter reports that in addition to Dawn Kawamoto, Tom Krazit's were also. He cowrote the article that started this saga rolling. The article also mentions that the Wall St. Journal's reporter Pui-Wing Tam was also a target.