Pretexting problem
Private companies like HP want to know reporters’ sources as much as the government does. But their tactics could be against the law.
From the Fall 2006 issue of The News Media & The Law, page 17.
By Elizabeth Soja
Thanks to Judith Miller, the BALCO investigation and a prolonged battle on Capitol Hill, the debate about the need for a federal shield law has gotten a lot of attention lately.
But it’s not just the government that might be going after a reporter’s secrets. What happens when private companies or even individuals want a journalist’s sources or notes?
With today’s technology-driven world, a reporter’s “virtual footprint” and a few phone calls can all but eliminate the need for a subpoena if a company or investigator is willing to break the law. But that doesn’t mean companies won’t face sanctions when they illegally seek out reporters’ confidential sources.
When CNET News.com reporters Dawn Kawamoto and Tom Krazit cited an anonymous source in their Jan. 23 article about the annual Hewlett-Packard Co. management retreat, then-HP Chairwoman Patricia Dunn intensified an already-existing, large-scale private investigation in order to uncover the source’s identity.
The source, eventually identified as HP director George Keyworth, had referred in the article to the company’s acquisition strategy and upcoming product changes.
Dunn had been investigating her board members since early 2005 on leak suspicions, but according to documents released by California Attorney General Bill Lockyer’s office, the leak to CNET reinvigorated her efforts.
HP has admitted its investigators used “pretexting” calling a company and impersonating someone to obtain that person’s records or information to access the telephone records for a group of journalists who regularly covered HP.
HP also admitted accessing the phone records of several HP directors and even the father of one of the journalists. Investigators even e-mailed a reporter a fabricated scoop and attached spyware, hoping to discover her sources when she forwarded the e-mail, according to reports.
On Oct. 4, Lockyer filed felony charges against Dunn and former HP in-house lawyer Kevin T. Hunsaker, along with three contract private investigators involved in the probe Matthew Depante and Bryan C. Wagner of Action Research Group, and Ronald R. DeLia of Security Outsourcing Solutions.
The defendants were charged with fraudulent wire communications for illegally accessing phone records through pretexting; wrongful use of computer data for receiving the journalists’ and board members’ phone records over the Internet; and identity theft for using the journalists’ and board members’ personal information, such as names and Social Security numbers, to access the phone records All five were also charged with conspiracy to commit those crimes.
The three private investigators have entered pleas of not guilty. Dunn and Hunsaker appeared in court in October but had not been arraigned as of late October.
The HP investigation is not the first example of a private company or investigator being accused of using potentially illegal methods to obtain a reporter’s source.
In 2004, Los Angeles Times reporter Anita Busch sued private investigator Anthony Pellicano for, among other things, allegedly hacking into her computer, wiretapping her phone and threatening her. Also, during a House hearing on the HP scandal in September, journalist Christopher Byron testified that his phone records were obtained through pretexting in 2002 after he wrote an unflattering story about a Canadian company for the magazine Red Herring.
In some cases, companies take reporters to court to get their sources. In 2004, Apple Computer sued a group of unknown individuals for leaking trade secrets to reporters. To uncover the identities of those individuals, Apple asked a California court to subpoena the reporters and the Internet service providers that hosted their e-mail.
In the end, Apple dropped the subpoenas after an unfavorable state appeals court ruling. But technology is making it much easier for both private entities and the government to track someone’s “electronic footprints” without a subpoena.
Digital trail
John Markoff, a reporter for The New York Times who was targeted by HP’s private investigators, said his e-mail was also hacked in an unrelated incident while he worked on a story in 1995. He said technology can both help and hurt a reporter dealing with a confidential source.
“It cuts both ways,” he said. “Some technology makes surveillance easier, but other parts of technology make it easier to have secure communications. It’s a real trade-off. There are lots of things now that you can use on the Internet that are at risk, but they’re so convenient that sometimes you use them anyway.”
This was emphasized in July, when the keyword searches of 658,000 America Online subscribers were posted online. Though subscribers’ names were removed, AOL quickly realized that a subscriber’s identity could be revealed through his or her searches.
Although the incident didn’t directly affect journalists, it served as a reminder that computer search logs, e-mail, and wireless cell phone records can function as an open window into a reporter’s day-to-day dealings.
Because of this digital trail that many reporters leave behind, private investigators can more easily avoid going through the court system if they are willing to commit unethical or illegal acts.
But even though private companies and investigators often have the capability to illegally invade a reporter’s privacy, lawmakers and law enforcement officials are working to make sure that there will be consequences.
Thomas Dressler, spokesman for Lockyer’s office, said in addition to the state criminal charges that have already been filed, HP’s actions may have violated unspecified federal laws as well. An investigation is currently under way.
A group of HP executives, including Dunn, Chief Executive Officer Mark Hurd, and former general counsel Ann Baskins, appeared before a House panel in September. They were questioned by lawmakers about their knowledge of the probe, although some, including Baskins, refused to answer and asserted a constitutional right against self-incrimination.
Outdated laws
Despite the charges in California, the scandal has left some journalists wondering whether more laws are needed to address the type of wrongdoing that occurred.
But a major problem, experts say, is that technology is changing faster than the law.
On Sept. 29, California Gov. Arnold Schwarzenegger signed into law a bill that specifically prohibits pretexting and the buying and selling of phone records over the Internet. The bill, which will take effect Jan. 1, was not drafted in response to the HP scandal but has since gained attention. However, it will not apply to the HP case because it is not retroactive.
Interest in a similar federal bill that would outlaw pretexting has been rekindled as well.
If passed, the law would also impose harsher penalties on phone companies when they fail to protect their customers’ information. The House’s Energy and Commerce Committee passed the bill unanimously in March, but disagreements between House Republicans and Democrats over its scope have since stalled the bill.
Although any federal pretexting law would not be passed in time to be applicable to HP, there are some current federal laws that might apply.
Nancy King, a business and law professor at Oregon State University, said it is possible that the federal Computer Fraud and Abuse Act could apply to the pretexting aspect of the case because investigators were gaining unauthorized access to the journalists’ phone records.
The act was passed in 1985 to prosecute hackers who access private data from computers, but King was unsure whether it would apply to using pretexting to gain access to these kinds of records. Since the journalists’ phone records are private computer data retained by the phone companies, she said, applying the law is a possibility.
“That law is really designed to deal with hackers, but it’s worded very broadly,” she said. “If information like a phone record is password-protected, or if the information is digital information in a computer, it seems like [the law] could apply. But again, we’re dealing with things that haven’t been litigated in civil court or prosecuted under criminal law.”
King said many people think the computer fraud law is “ambiguous” and advocates passing a federal law that would specifically protect phone records and punish the placement of spyware on computers.
There is currently no federal law that deals directly with spyware. However, King said cases involving spyware might be punishable under the Electronic Communications Privacy Act, which was originally passed in 1986 to extend anti-wiretapping laws to computer communications.
As for any potential civil lawsuits, King said that traditional invasion of privacy laws which allow plaintiffs to recover monetary damages in a civil court if their privacy is unreasonably invaded are not enough in this digital age.
“Privacy laws would apply in any context where someone’s privacy was invaded by another and it was an unreasonable intrusion into their seclusion, but there haven’t been any cases dealing with this kind of intrusion,” she said, referring to the HP investigation. “Also, many of these actions seem like they need a criminal penalty attached, because suing doesn’t seem like enough.”
Cingular Wireless has already filed a civil lawsuit against one of the private investigation firms in federal court in Georgia. Verizon has filed a similar suit against undisclosed individuals as well, according to news reports.
‘Extra careful’
Despite the threat of corporate spying, most newsrooms are carrying on business as usual, but with a bit more wariness.
George Freeman, vice president and assistant general counsel of The New York Times, said journalists at his newspaper haven’t changed their tactics or newsgathering procedures under the threat of private spying, but he said reporters are more aware that private companies or individuals might be after their sources and materials.
“I can’t say we’ve specifically taken steps in light of the HP situation regarding the way that we gather news, but everyone is all the more vigilant about possibility of people taking unorthodox and illegal steps,” he said. “That just means journalists have to be extra careful and think about what the other alternatives might be if they are in a situation where someone wants their information.”
BusinessWeek reporter Ben Elgin, who was one of the journalists targeted by HP’s private investigation, said that the case is “just a reminder that everyone always has to be on guard all the time.”
Markoff, the Times reporter, doesn’t think tougher laws will stop some companies and investigators who are after a reporter’s source.
“What came to light in the HP investigation was that people have full-time jobs conducting these kinds of investigations, and I imagine that they don’t work full time for HP,” he said. “You have the ‘big brother,’ the government, keeping track of things, but there are there are lots of ‘little brothers’ largely corporations that are collecting information as well.”