If you wish to listen to the HP hearings before the House Energy and Commerce Committee, go here if you have Real Player. It's live. Patricia Dunn and Larry Sonsini are answering questions now.
Dunn, Sonsini, Adler Testimony
Fred Adler, an HP computer security investigator, has just testified that it was his idea to use the tracker email. HP has used it before, but never before in connection with internal leaks. He's been with HP around 3 years, and they've used it maybe two dozen times. Ms. Dunn testified that Adler's email about the matter was not sent to her, and she said, "It is surprising that it is legal."
Sonsini has now testified that when he wrote to Tom Perkins he was doing so after being asked to respond to him by Ann Baskins. When he wrote that HP's investigation was legal and well done, he was relying on HP's representations. He had done no investigation himself at that point. He's not an expert on pretexting. He didn't at that point know about the California statutes. Later, in August, when he did his own investigation, beginning August 9th, he reached a different conclusion.
Dunn says she was not in charge of the investigation. 7 of the 9 board members said to do it. She was briefed three times. She believes pretexting is wrong. She thinks the word pretexting is itself a pretext, meant to confuse. In April or May, she was informed that phone records were obtained by Mr. DeLia.
She is now being asked if she accepts any responsibility. Dunn says her statement says she deeply regrets. But does she accept culpability? Is she at fault? "If I knew then what I knew now, I would have done things differently." But she relied on reasonable representations of management. She says she does not accept responsibility for what happened. She was asked to resign, in her view because the intense press reaction made her a distraction.
There was an email from investigator Vince Nye warning that the tactics used were unethical if not illegal, and it is being read to her. She first heard about concerns from anyone only a week or so ago, she claims. You can read about the email and portions of it here in International Herald Tribune's coverage:
A senior investigator for the company was warning early this year, as the operation entered a crucial phase, that the pretexting techniques being used were "very unethical at the least, and quite likely illegal."
Saying that the practices, even if legal, "could damage our reputation or worse," the investigator, Vince Nye, said in an e-mail message,2 "I think we need to refocus our strategy and proceed on the high-ground course." Mr. Nye worked in the company's global security unit.
Adler knows of no other instance of pretexting. He went to Mr. O'Neill (Mr. Gentilucci wouldn't listen to him, I believe he started to try to say before being interrupted) with concerns when Adler found out.
Sonsini says the press got one thing wrong. He never said pretexting is legal. His email to Perkins was after getting two written reports, from Baskins and Hunsaker, and when he wrote that it "appears" it was legal, it was not his opinion he was offering.
Dunn says Mr. DeLia had worked almost exclusively for HP for 8 or 9 years, but neither she, Sonsini and Adler say they don't know if he ever used pretexting before.
Did HP engage in corporate spying against competitors? None knows of any. Dunn knows nothing about any investigations outside of Kona I and II. Ann Baskins leaves with a $3.6 million umbrella. Here's the 8K. She is asked if HP's 8K filed yesterday1 is accurate. She says it is not and she's asked her attorney to so inform the company. Asked what the evidence against George Keyworth is, she says it's in Kevin Hunsaker's report. Asked to summarize, she says that there were 10 leaks, and 7 of them were eventually linked to Keyworth. So there appears to be a leaker still there, or leakers.
Adler says HP uses tracking email as standard practice. Mr. Sonsini gives his opinion that, given what he knows now, tracking email seems an inappropriate technique. He didn't know about tracking email. He also didn't know HP was investigating family members of board members. He feels it's wrong.
Dunn is shown emails cc'd to her about sending phony tips from a phony employee, "Jacob", and she says she regrets that she called Hunsaker's idea "clever". But she knew about this aspect of the investigation. But she felt she wasn't the right person to approve or not. The "it's not my job" defense. The Colorado Congresswoman, Diana DeGette, says she thinks that, while jail isn't likely in this instance, it could be later for another company, if everyone says, "I'm not responsible, because it's not in my chain of command."
Dunn did ask about the legality about obtaining phone records. But she claims she didn't know that the fraudulent use of identify was used to obtain those records. How did she think they got the records? She thought they were publicly available, due to the administrative sloppiness of the phone companies.
Dunn testified that DeLia told her that it was legal. It was common practice in HP, she says she thought, to obtain the phone records. She and Sonsini disagree about whether she made that statement about sloppiness in the investigative interview done by Sonsini's firm. She says Hunsaker was in charge of Kona II, not her, and Ann Baskins was the final say. And Baskins reported to no one? She reported to Hurd, Dunn testifies.
In Sonsini's email to Perkins, who did he consult with in order to answer Perkins? Baskins. He got also a report from Hunsaker. He made no independent judgment, but relied on them. Outside counsell did not research as to whether pretexting was legal at that time. There was a crisis, because leaking from the board room is a crisis. But he wasn't giving his own legal opinion in that email. He was passing on information.
Dunn is asked about Kevin Hunsaker's email of Feb. 24, 2006 to Vincent Nye, Adler, Anthony, DeLia, and Gentilucci, in which he said he had just talked to her and she wanted to know all resources and techniques used by them. Did she have that conversation? She says she can't remember it, but she has no reason to doubt it happened. But in large corporations, sometimes people say things to give their agenda their own momentum. But she doesn't recall.
Dunn is now being asked, "Where does the buck stop in HP?" Where is the person who is saying, "I was in charge." Dunn says some of those people have just declined to testify and that is frustrating to us all."
Was Mr. Hurd aware of the phony tracking email? Did he "That doesn't feel like what happened," Dunn says. The team was devising methods to be confident they had identified the right person. "I don't know how Mark responded per se," she says. She declines to answer whether he was involved in approving the tracking email, because "it would be hearsay. That's a question for him to answer."
Adler says it's not contemporaneous, email tracking, so that's why it isn't like a wire tap. But he describes the system (readnotify.com.), that as soon as the email is opened, a report is sent to the agency that traces. Isn't that contemporaneous? He says no. Would HP send an email to a customer? It was and is HP policy to use this technology, he testifies. HP doesn't send such emails to customers. There is no information derived other than the IP address where the email is sent. They suspected CNET would have sent to Keyworth. The only information they would have gotten back, he says, would be his IP address. Is there an internal policy that prevents sending an email to a customers or partners? Adler says he would think it would violate HP's standards. Which one? He says he doesn't have them in front of him. Sonsini is asked if it is legal to track email like this? Sonsini says the law isn't as clear as it should be, but depending on how it is used, it might have state or federal implications. Should there be legislation? Sonsini believes so. It should be made more clear.
Dunn says becoming a director means you waive some privacy rights. But as to the privacy rights of journalists, she doesn't know who on her level or Hurd's level made the decision to include them, nonHP individuals, in the investigation. Adler is asked how often nonHP individuals have been investigated this way. Two occasions, he answers, one of them being Ms. Kawamoto at CNET. But he knows his coworkers have also used it on nonHP individuals. One or two dozen times, he thinks.
They read an email from Hunsaker in January of this year, in which he asks if they can lawfully get IM records, or whether it is like cell phones. Doesn't that imply that he already knew it was illegal to get cell records. Sonsini says it might mean that. Adler believes it is illegal right now.
Mark Hurd is now called as a witness.
First he reads his opening statement [PDF], which was released yesterday. He is asked who was part of the investigative team in charge? The folks that have resigned. He says Dunn asked if she could use HP resources to investigate, and he said yes, and that is how Kona II came to be. He didn't paid attention to the details. He has to choose where he digs for detail. During his tenure, there weren't many significant leaks, so he wasn't as concerned as some with more history with HP.
He didn't know about digging in people's trash, pretexting family members. He knew about the Jacob plan. He agreed with it, that it was appropriate to find the leak. With the benefit of hindsight, he wouldn't do it again. He never saw any information about that. Dunn never brought any worries about ethics to him. He never got a senior management briefing on the techniques he is shown. Then he is asked about an Ann Baskins email about Jacob. Dunn testified that they'd need to get Hurd approval. Hurd says he possibly could have seen the emails about the Jacob strategy. He remembers the content and did agree with the content. Tab 72, the draft of the investigation report, which he didn't read because it was the day of his shareholder meeting. He didn't read it. He knows that Dunn was concerned about leaks. But Hurd says the leak was not the number one CEO priority.
He is asked if he's seen this kind of investigation before in corporate America. He says he's never seen anything like this. He didn't catch it, despite red flags. Part of it was attention to details. But there's another aspect. They have maybe 150,000 employees. The CEO can't be the backstop for everything that goes on.
Was it Ann Baskin? Hurd? Dunn indicated that. Hurd says he's responsible for the company. Dunn, he says, appropriately was concerned about the leak. She then was "the business owner" to go execute, after he gave her permission to go forward with HP resources.
Did he think anyone could get phone records, the way Dunn says she did? He can't comment, and he never really thought about it. He wouldn't want someone without his permission getting his cell phone records or bills. Then he is directed to Tab 77, where Perkins called him to ask how the investigation was going. Hurd at the time answered that there was a lot of circumstantial evidence but didn't know where it would go. Hurd doesn't remember that phone call. Did he ever ask how they got the information? "I should have." Who should have asked this question and didn't? Nye and Adler said it wasn't right. Hurd admits he should have been able to catch it, but he didn't.
HP is now out that pretexting should be made illegal. It already is unethical.
He is asked about current corporate policy re email tracking of nonHP individuals. Hurd is not intimate with that tracer technology, but he's reviewing such matters now, to go through that in every investigation HP is behving appropriately going forward. He has no knowledge of it being used against any nonHP individuals outside of Kona. HP has been and is a leader in privacy. This was an aberration. The AT&T letter describing what happened was the first time he realized that it was wrong. He didn't know what pretexting was. As of now, no pretexting is permitted. Spyware ... he'll look at every use of send/receive technology to make sure nothing inappropriate happens. HP has terminated all contracts with the outside investigators.
Where did the reports on the investigation go? He says, to the team. He doesn't know of anyone higher. Asked about the tracking email, they knew the reporter would have to verify the false info in the email, so that was the plan. Yet Hurd says he doesn't remember knowing about the tracer aspect of the email. He doesn't recall any discussions.
On the original 8K, Hurd wasn't a party to the Perkins-Sonsini phone call about why he quit, he says. The 8K was based on what happened in the board room and the later phone call. Hurd was at the meeting, but he wasn't a party to the phone call. The 8K was based on those two things. He says HP is going to get this right.
Ed Whitfield, who chaired the hearing, praised Vince Nye, saying he should be rewarded, perhaps with at least the day off.
There will eventually be a transcript available here, in about two months, maybe three.
Update: The Washington Post has a partial transcript available now here.
1The 8K reads like this:
Item 8.01. Other Events.
On September 6, 2006, HP filed a Current Report on Form 8-K to provide information relating to the investigation of leaks of confidential information from meetings of the HP Board of Directors and subsequent events. Since the filing of the September 6th Form 8-K, HP, with the assistance of outside counsel, has conducted an in-depth review of the events surrounding the investigation of the board leaks in order to obtain a more comprehensive understanding of the underlying facts. HP is filing this Form 8-K in order to supplement the disclosures included in the September 6th Form 8-K.
* The first phase of the leak investigation, referred to as Kona I, was commenced in early 2005 in response to a series of leaks of confidential company information. HP Chairman Patricia Dunn contacted Security Outsourcing Solutions, Inc. (“SOS”) to perform investigative work. HP had a longstanding contractual relationship with SOS.
* For the first month or so of the investigation, Ms. Dunn worked directly with Ron DeLia from SOS. The investigation focused on attempting to find the source of the leaks to various Business Week, Wall Street Journal and New York Times journalists.
* Two months after the commencement of Kona I, HP Global Security was brought in to assist with the investigation.
* On June 15, 2005, Ms. Dunn and Ann Baskins, HP General Counsel, attended a telephonic meeting with Mr. DeLia where the term “pretext” was mentioned.
* At a July 22, 2005, meeting, SOS reported on the findings of the investigation. We believe that meeting was attended by Ms. Dunn; Ms. Baskins; Jim Fairbaugh, Tony Gentilucci, and Kevin Huska from HP Global Security; and Mr. DeLia. Mark Hurd, HP CEO and President, also briefly attended a portion of the meeting.
* Kona I concluded in the late summer of 2005 without uncovering the source of the leaks.
* In late January of 2006, there were leaks of confidential information from a January 2006 board meeting that appeared in a January 23, 2006 CNET story. The investigation resumed following these additional leaks.
* The core investigative team behind Kona II was Mr. DeLia, Mr. Gentilucci, Vincent Nye of HP Global Security, Fred Adler of the HP IT Security Team, and Kevin Hunsaker, HP Senior Counsel.
* Mr. Hunsaker directed the Kona II investigation for HP.
* Ms. Dunn, Mr. Hurd, Ms. Baskins and Mr. Fairbaugh were made aware that the Kona II team was assembled and was beginning to identify the source of the leaks.
* Over the next three months, regular updates were provided by members of the investigation team to Ms. Dunn and, to a lesser extent, to Ms. Baskins.
* During the course of Kona II, certain members of the investigation team provided assurances that the techniques being used in the investigation were legal. Those assurances came from, among others, Mr. Hunsaker, SOS and SOS’s outside legal counsel in Massachusetts.
* In March 2006, the Kona II team prepared a draft report of the investigation that was addressed to Ms. Dunn, Mr. Hurd and Ms. Baskins. The report identified the source of the leaking and outlined the investigative techniques employed – including “pretexting” – with assurances that those techniques were lawful.
* In April 2006, HP provided a copy of the draft report to its outside corporate counsel for review and comment. The results of the investigation were reported at the May 18, 2006, board meeting. On May 24th, Mr. Hunsaker produced a final report of the investigation.
Investigative techniques used
* Four principal methods were used to conduct the investigation: obtaining telephone and facsimile call information through “pretexting;” the use of social security numbers to obtain phone call information through “pretexting;” sending an e-mail that had an attached tracing mechanism; and the surveillance of individuals.
* These techniques were used in addition to traditional investigatory techniques, such as the review of other articles written by the journalists with access to the source of the leak and a search of HP internal records.
Obtaining telephone call information through “pretexting”
* Information regarding hundreds of telephone calls was obtained through “pretexting.”
* We believe that SOS, directly or indirectly, obtained telephone (landline or cell) or facsimile call information through “pretexting” for two current HP employees, seven former or current HP board members (or their family members), and nine journalists (or their family members of some journalists). We believe that this activity was conducted by an outside investigator.
Use of social security numbers in order to obtain records and the involvement of HP employees in the “pretexting”
* In January 2006, a member of the core investigation team -– Tony Gentilucci –- provided an HP employee’s social security number to SOS. We believe this was done for the purpose of obtaining telephone call information through “pretexting.”
* In addition, in January 2006, SOS obtained and transmitted social security numbers to Action Research Group (ARG), the subcontractor SOS used to assist it in the investigation. We believe this was done for the purpose of obtaining telephone call information through “pretexting.” We have not yet ascertained what involvement, if any, HP employees had in obtaining and/or transmitting these social security numbers to SOS.
* At this point in our investigation, we believe that social security numbers were used for three journalists, three current or former HP board members, and one HP employee.
* We believe that, in March of 2006, SOS obtained and transmitted the social security number of one other journalist for the express purpose of obtaining telephone call information. We have not yet ascertained what involvement, if any, HP employees had in obtaining and/or transmitting this information to SOS.
* In January 2006, the investigation team created an e-mail account with a fictitious name and used that e-mail account to send an e-mail containing a “tracer” to a journalist (a tracer can be used to obtain other information, such as IP addresses, of persons who download the tracer). The objective of the investigation team was to determine whether the journalist would forward the e-mail to her source and ultimately to determine the source of the leaks of HP confidential information.
* The investigation team prepared the e-mail account and message so that the message appeared to be coming from a disgruntled senior executive who was willing to share information with the journalist. The e-mail to the journalist provided what appeared to be confidential information.
* At this point in our investigation, we believe the evidence suggests that the investigation team never received any confirmation that the tracer was activated, even though it did receive e-mail messages from the journalist.
* The concept of sending the misinformation to the reporter and the content of the misinformation to be contained in the message of the e-mail was approved by Mr. Hurd, but we do not believe that Mr. Hurd approved the use of the tracer.
* Members of SOS engaged in physical surveillance.
* In January 2006, SOS had an investigator conduct surveillance of a board meeting to determine if any journalists were seen at or around the site of the board meeting.
* In late January into early February of 2006, SOS had an investigator conduct surveillance of an HP Board member. These efforts included conducting surveillance of the Board member during his trip to Boulder, Colorado, where he was a keynote speaker at an event. SOS also conducted surveillance of him, his spouse and potentially other family members who were at the Board member’s residence in California at the time.
* In February 2006, SOS had an investigator conduct surveillance of a journalist and her residence.
* We also believe that, in February 2006, third party investigators may have conducted a search of individuals’ trash. However, at this time, we have been unable to identify the individuals targeted by these efforts.
2 "HP Whistelblower Foresaw Scandal," AP's Michael Liedtke, on Chron.com :
"This could be a 'smoking-gun' memo," said James Post, a Boston University professor specializing in corporate governance and business ethics. "There are red flags being raised all over it."
The next big question that needs to be answered is whether Nye's concerns were ever passed along to HP's leadership, Post said. HP's now-deposed Chairwoman Patricia Dunn and Chief Executive Officer Mark Hurd have maintained they didn't learn about the extreme measures that the company's detectives were deploying until recently.
Nye, a senior investigator for HP's Boston-based security unit, could help criminal investigators connect the dots as they try to figure out how much HP's leadership knew about the skullduggery, said Todd Bailey, a business law professor specializing in ethics at Miami University in Ohio.
"As sure as night follows day, the investigators are going to be lining up to talk to this guy," Bailey predicted.