H-P charges beset with hurdles

October 18, 2006, 2:31 PM UTC
Fortune

An odd subtlety in the facts underlying the criminal “pretexting” case against former Hewlett-Packard chairman Patricia Dunn and others may pose a hurdle to California Attorney General Bill Lockyer’s office as it tries to prove the “computer crime” charge it has lodged in that case.

The statute cited makes it a crime to “knowingly access without permission and take, copy, and make use of data from a computer.” (The provision is California Penal Code Section 502, which can be found by scrolling down the page linked here.) The potential problem is that both Dunn and the H-P in-house counsel supervising the probe–Kevin Hunsaker, who is also charged as a defendant–appear to have believed that the phone records were obtained entirely through oral conversations between investigators and telephone employees, not through any techniques resembling computer hacking. Dunn got her information largely from Hunsaker, and Hunsaker expresses this misunderstanding repeatedly in the internal H-P memos that were made public last month by a subcommittee of the U.S. House of Representatives Energy and Commerce Committee.

In reality, we now know that the subcontractors who actually did the pretexting resorted to other techniques as well, some of which certainly look like the crime alleged here. To access the phone records of former H-P director Tom Perkins, for instance, a subcontractor (who is also charged) allegedly went online and gained access to his account by entering his phone number and the last four digits of his social security number into a dialog box. Such a procedure looks and feels more like the computer crime described in Section 502 than simply speaking to a live phone company employee over the phone. Of course, even the orally deceived phone employee would presumably then fetch the desired information out of a computer, but that wouldn’t be what we’d typically think of as a computer crime. (Or would it? What do people think?)
(The social security numbers appear to have been gathered mainly by the subcontractors themselves, using what they have called subscription databases available to licensed investigators. In at least one internal memo, Hunsaker admits having known that social security numbers might be used in the process, though he seems to have believed that they would be used verbally. I can’t find any evidence yet in the documents made public by the House subcommittee that Dunn ever knew that social security numbers would be used.)

To be sure, Dunn, Hunsaker, and their three co-defendants–the outside security contractors and subcontractors who actually carried out the pretexting–are also charged with three other offenses besides the computer crimes provision. But, as has been previously reported to varying degrees, each of those charges also carries its own significant challenges when the attempt is made to bring “pretexting” within its ambit. Attorney General Lockyer’s best bet certainly looks like the charge of “fraudulently obtaining . . . customer records” from a public utility, which is elsewhere defined to include any “telephone corporation.” (California Penal Code Section 538.5 and California Public Utility Code Section 216. Section 538.5 can be found by scrolling down this page.)

Yet there are at least two potential problems with this charge, too. First, Dunn will doubtless argue–as she repeatedly did during her testimony before the House subcommittee on September 27–that she had no idea records were being “fraudulently” obtained, in that she had been repeatedly assured by both senior attorney Hunsaker and H-P’s respected then-general counsel, Ann Baskins, that they were lawful. (Baskins, who resigned and then took the Fifth at the Congressional hearing on September 27, has not been charged.) The other possible problem with the public utilities charge is that, notwithstanding its broad and seemingly applicable language, it appears to have never been designed or used before to catch pretexting. In an interview, Stanford law professor Robert Weisberg says that the 1982 law may not have been intended to protect the privacy of customers, but, instead, to protect public utilities from having their trade secrets–including customer lists–stolen.

The third charge against Dunn, called “using personal identifying information without authorization,” requires that the defendant “willfully” obtain the information “for an unlawful purpose, including to obtain . . . credit, goods, services, and medical information.” Dunn’s purpose was arguably different in kind from those listed in the statute. (This statute, California Penal Code Section 530.5, can be found by scrolling down this page.)

The fourth and final charge is “conspiracy” to commit the other three offenses, so its viability depends on the validity of the three underlying offenses.

The reason, of course, that the prosecution’s case faces so many hurdles is that California did not enact a law specifically aimed at prohibiting pretexting until September 29 of this year–two days after the Congressional hearing. Interestingly enough, this new law only makes the offense a misdemeanor, whereas all the charges Attorney General Lockyer has brought are felonies. What do people think of the fairness of this situation? (I’m putting aside the fact that Dunn has fourth-stage ovarian cancer. That alone, of course, might lead to her acquittal due to jury nullification.)