During a grueling all-day hearing of a House oversight committee, individuals from inside and outside HP were grilled, as Congressmen sought to figure out how far up the chain of command knowledge of the fraudulent pretexting attacks went.
HP general counsel Ann Baskins, a 24-year HP veteran, resigned from the company shortly before the hearing started, her fall cushioned by a $3.6m golden parachute, then exercised her Fifth Amendment right to not answer Congress’s questions.
Dunn, under questioning, later pinned ultimate responsibility for overseeing the Kona I and Kona II investigations on Baskins, saying that as chairperson, she did not see myself at any point as having a role in approving the methods used.
Baskins, through an attorney’s letter to the panel, said she always believed the investigative methods used were lawful.
The two probes, which sought to smoke out a director who was leaking information to the press, involved third-party investigators pretexting, basically hacking the phone records of seven HP directors, two employees and nine reporters and their families. They also went through the trash of their targets, tried to trace emails, and had at least two people followed.
Dunn said she knew phone records we being obtained as early as June 2005, but denied all knowledge of the methods used to obtain them. She said she thought details of who called whom – essentially other people’s itemized phone bills – were obtained from publicly available sources, when asked by a Congressman.
A handful of states, including HP’s native California, have laws forbidding pretexting. The nationwide law is currently fuzzier, agencies are also investigating whether any federal laws were broken.
With this in mind, during the first part of yesterday’s hearings, witnesses all plead the fifth. Baskins declined to talk, as did Ron DeLia, the investigator from Security Outsourcing Solutions Inc, the Boston-based security firm that HP had for several years contracted with for investigative work.
Dunn, who resigned last week under pressure from the media intense enough that the rest of the HP considered too big a distraction, was more vocal, but plead ignorance on key matters: I had no reason to think anything was illegal going on and I had batteries of experts advising me that it was not going on.
When asked why emails from DeLia indicated that she did know what was going on, she replied: I am here testifying under oath. He is not.
Nobody ever described to me that the fraudulent use of identity was part of the HP way of conducting investigations, she said. My understanding was that these records were publicly available.
Pressed by an incredulous Greg Waldon, a Republican congressman from Oregon, whether she really believed that anybody could call up the phone company and get somebody else’s phone records without their permission, she said that she did.
Representative Cliff Stearns, a Florida Republican, noted when he questioned Dunn: Conspicuous by absence is any degree of contrition or responsibility… there’s no suggestion you’re going to accept any responsibility or any sense you think what you did was wrong.
He then asked if she had considered resigning, to which she replied, in one of the hearing’s few humorous moments, that she had already, once from the chairmanship and once from the board, but would be quite happy to resign again if he wanted.
CEO Hurd was arguably more contrite in his testimony, although he also pleaded ignorance of all the investigative methods that could be considered illegal.
While Dunn admitted she had initiated the leak investigations, even suggesting the name Kona to DeLia over the phone while vacationing in Hawaii, she passed off responsibility for overseeing the details of the probes to HP employees, with Baskins ultimately accountable.
That neatly avoided the suggestion that the buck may have stopped with Hurd. He also chose to answer at length Congress’s questions yesterday afternoon, taking general responsibility for what went on but denying that he knew any of the potentially illegal methods used.
Hurd’s description of his involvement in Kona was one of a busy chief executive who was generally aware of the investigation, but, perhaps due to his relatively recent arrival at HP, did not consider it a priority worth drilling deep enough into to uncover details that could have raised red flags.
I pick my spots to dive for details, and this was not a priority, he said. During my time as CEO we were not encountering a significant number of leaks. I was probably not as concerned as some.
From a checks and balances perspective in a company of our scale – we have 150,000 employees, we’re basically a small city — the CEO cannot be the backstop for every process in the organization, he said. The processes have to be pushed into the organization with clear checks and balances and clear accountability. We broke down on both.
He specifically denied that he knew investigators had been through the trash of their marks and that he knew directors and reporters families had been targeted, but he did admit that he knew about and partly authorized the plot to feed CNet New.com reporter Dawn Kawamoto with leaked false information earlier this year.
That part of Kona saw HP creating a fictitious disgruntled executive, Jacob, who would leak purported HP documents to Kawamoto. The documents would be sent through ReadNotify.com, an email proxy service that records the IP address of anybody who opens a file, and the length of time it is open.
The idea was that Kawamoto would forward the document to her source, ultimately revealed to be HP director George Keyworth, which would provide evidence identifying the leaker. Hurd said he approved the content of the email, the phoney information that would be leaked, but not the tracer element.
I definitely knew about the content of the email, he said. At the time I agreed of content of email, it was appropriate to find the leak. With benefit of hindsight I wouldn’t do it again.
I agree there’s a difference between legal and ethical, he added.
Some Congressmen were particularly interested in this aspect of the Kona investigations, but recording the IP address of somebody who opens an email is not generally considered illegal. Images hotlinked from HTML email are common methods used by marketers (and spammers) to verify delivery.
I don’t want to hide behind the lack of clarity because there’s a difference between legality and ethical behavior, Hurd said later.
It was clear that at least one person at HP knew what methods were being used and had internally questioned both the ethics and the legality of the pretexting activities.
Vincent Nye, from HP’s investigations department, was quoted from an email saying the methods were unethical at the least, and probably illegal, presciently noting that they could tarnish HP’s reputation if uncovered.
There is currently at least one federal bill that would outlaw pretexting. It has passed through the committee stage, but is caught up in red tape has not yet come up for discussion by the full House.
HP leading legislative efforts to stop this problem is the next step that I would encourage you to consider, said one Congressman, to which Hurd replied: I couldn’t agree with you more. We want to be that leader, Congressman.
