The HP story just grew again. This is the worst yet. Now it's being reported in the New York Times in an article titled
Hewlett Review Is Said to Detail Deeper Spying [sub and cookies req'd] that pretexting isn't the only issue:
A secret investigation of news leaks at Hewlett-Packard was more elaborate than previously reported, and almost from the start involved the illicit gathering of private phone records and direct surveillance of board members and journalists, according to people briefed on the company’s review of the operation.
That's not even the worst of it. Here's the worst:
Those briefed on the company’s review of the operation say detectives tried to plant software on at least one journalist’s computer that would enable messages to be traced, and also followed directors and possibly a journalist in an attempt to identify a leaker on the board.
Somebody needs an ethics transplant.
Here's what else the Times reports:
Detectives working for HP tried to plant the tracking software by sending an anonymous "tip" along with some tracking software attached to the email that failed to work, as it happens. I hope it didn't work because the reporter used Linux, and so it was ineffective. But maybe it just malfunctioned. Or maybe their hope that she'd mail it to the leaker was foiled because she never sent it. In any case, it didn't work. Also no story was written using the bogus tip. That is because reporters are not stupid. It's a job requirement. Here's an example of tracking software, which can not only inform as to whom an email is forwarded, but it also tracks Microsoft Word and Excel documents. Parts of it are designed to work with Windows specifically and have to be manually set up for other systems. Update: This article explains web bugs.
- Someone gave them photos so they'd be able to identify the reporter(s) they were to follow.
- Security Outsourcing Solutions, the Boston investigations firm, hired Action Research Group, a FL PI firm, and then the dirty work was subcontracted out. One subcontractor was supposedly in Omaha. So we're talking at least five states now. California, Florida, Massachusetts, Nebraska, and New York. Maybe New Mexico, I would assume.
- The investigation was authorized by Dunn and had some measure of supervision by her but was "put under the supervision of Kevin Hunsaker, a senior counsel who is the company's director of ethics." Oh me, oh my. The degree of his supervision, they say, is unknown. The director of ethics.
- HP didn't ask Larry Sonsini's firm for advice in advance. It asked the firm in Boston affiliated with Security Outsourcing, Bonner Kiernan Trebach & Crociata. At least they share a phone number, according to the report. [ Update: Corporate and Securities Law Blog's Alex Simpson points out that in effect instead of hiring its own outside counsel to represent HP's interests, it relied on the lawyer for Security Outsourcing. This is pretty certainly going to end up in the shareholder litigation, I think, too, because there's a conflict of interest there. The question becomes, did HP do all it should have done? Simpson: "I speculated in an earlier post that HP may have turned to a law firm specializing in privacy matters for an opinion on this matter, but I assumed (wrongly, apparently) that they would turn to somebody they were hiring and who was looking out for their interests, rather than some firm that is looking out for the other guy. ...In any event, it's unbelievable that they wouldn't have run the specialist's opinion by their main counsel, Wilson Sonsini, because of the serious corporate governance, securities and public relations issues involved."]
- HP's execs and legal beagles were not clued in about the pretexting, as the reports on the investigation didn't tell them. The reports did mention call records though. It wasn't until Tom Perkins insisted on an investigation that they found out.
Not to be mean, but isn't being smart also a job requirement to be an executive at a major corporation any more? A board member? And if this was going on for such a long, long time, how is it possible no one ever asked where this juicy info was being obtained? Well, it seems somebody did ask.
But the review reveals that the investigation by its detectives was notable for a lack of close supervision by company officials.
Those briefed on the internal review said that at various times, questions were raised about the legality of the methods used. They did not identify who raised the questions, when, or to whom they were addressed.
Both of those details raise serious problems, I would think. If questions were raised about the legality, who provided the answers? And why wasn't there closer supervision? Like *after* somebody asked about the legality, at least?
The Wall Street Journal's Peter Waldman and Don Clark raise another issue:
Hewlett-Packard Co.'s leak investigation appears to have continued for several weeks this spring after the source of leaked information from its board of directors was identified, according to people familiar with H-P's probe.
H-P has said Mark Hurd, the company's chief executive, received results of the investigation in March. But further work on the investigation may have continued into April and possibly May, these people said.
So the question of who knew what and when is now being addressed, I gather.
Update: This is information worth highlighting, some corporate governance principles from Douglas M. Branson, W. Edward Sell Professor of Business Law at the University of Pittsburgh School of Law, on Jurist:
On a more modest level perhaps then criminal prosecutions, this whole mess teaches us several things about corporate governance.
1. Neither Board of Director Deliberations Nor Board Minutes Are Confidential.
Even material, non public investment information (inside information) is not per se confidential. The law prohibits trading on such information or tipping others to do so. Communication of such information to persons who will neither trade nor tip is perfectly permissible....
3. Chairman of the Board is an Empty Vessel into Which Various Corporations Pour Various Things.
....Unless there had been a board delegation, Patricia Dunn had no power to do what she did as board chair, let alone as a rank-and-file director.
Update: PC World fills in one blank, reporting on at least one individual who questioned the legality:
Although HP has claimed that its legal advisors told it that the pretexting was within the law, an HP security specialist reportedly questioned its legality earlier this year.
Fred Adler, a computer-crimes specialist within HP's global security division, and a former U.S. Federal Bureau of Investigation agent, notified his supervisors that acquiring people's phone records under false pretenses could be against the law, The Wall Street Journal reported Tuesday.