Calif. top cop on HP, privacy and 'pretexting'

Attorney General Bill Lockyer discusses the controversial practice of pretexting and how his office is dealing with the problem.

Tom Krazit Former Staff writer, CNET News
Tom Krazit writes about the ever-expanding world of Google, as the most prominent company on the Internet defends its search juggernaut while expanding into nearly anything it thinks possible. He has previously written about Apple, the traditional PC industry, and chip companies. E-mail Tom.
Tom Krazit
3 min read
The state of California wants to know if Hewlett-Packard's board chairman went a little too far investigating new media leaks.

Attorney General Bill Lockyer confirmed Wednesday that his office has issued subpoenas to determine whether HP broke any laws by hiring an investigator who used "pretexting" techniques that are illegal in California. HP acknowledged Wednesday that it investigated its own board of directors at the bequest of HP Chairwoman Patricia Dunn in hopes of learning who leaked information to CNET News.com in January about the company's strategic plans.

Pretexting involves duping a company in order to obtain confidential information from that company. Tom Perkins, a former member of HP's board of directors, quit in protest after learning of the methods used to investigate the board, which included obtaining records--without his permission--of calls made from his home telephone.

Lockyer spoke with CNET News.com to shed more light on the relevant California statutes and the practice of pretexting in general. An edited transcript of that conversation follows.

Q: What is covered under California law with regard to pretexting?
Lockyer: There are two relevant statutes that may provide for criminal liability to someone who does pretexting. There's an identity theft statute, and there's a law that was designed to mostly address computer hackers, but it's getting information illegally from someone's computer system. Essentially it's pretending you're some other person to get a business that has a lot of personal information about a customer, to get that information disclosed by pretending you're that customer.

This practice is not illegal under federal law with respect to telephone records, correct? But from what I understand, that's not the case in California.
Lockyer: Yes, we have a stronger California law than the federal statute.

It's probably the large-volume privacy invaders that are actually going to wind up being prosecuted.

What exactly does that cover?
Lockyer: The law could cover anyone. It's unlikely to be enforced because it's so common unless there are egregious violations of people's personal privacy. I think a lot depends on the volume of pretexting, and that would certainly include data miners, and others who do it in a regular way.

This law is unlikely to be enforced unless it's something that's being done in large volumes?
Lockyer: Anyone that does this might be prosecuted, but with constraints on resources, it's probably the large-volume privacy invaders that are actually going to wind up being prosecuted.

What are the penalties for this act?
Lockyer: They are generally misdemeanors, but there are circumstances in which they could be a felony.

Have you recently prosecuted any individuals or organizations under these pretexting laws?
Lockyer: Yes we have, and we also have six active investigations currently, including the HP investigation. We have six of them with rather egregious facts.

What's going on at the federal level? Do you think a federal law is required to stop this from occurring?
Lockyer: California tends to lead in many of these policy areas; this is another example. But I'm hopeful there will be federal legislation or national standards in this area. I hope it's a significant consumer protection enactment if they adopt federal law. We've had this problem in other instances, financial privacy, do-not-call, and other things, where the federal law was significantly weaker than our state law.

In terms of the people who actually commit the pretexting acts versus those who hire them to do these acts, how does the liability work in these cases? If the organization was unaware that their agent was using pretexting techniques in order to gather information are they subject to any liability?
Lockyer: It depends on what the specific facts are, and what the expectations of the employer were when they hired an agent in the circumstance. It's very facts-based; it can result in both the third party as well as the employer being criminally liable.