Carolyn Said, Chronicle Staff Writer
Tuesday, September 12, 2006
Hewlett-Packard Co.'s use of undercover skullduggery to track down the source of a leak has generated outrage and attention since it became public last week. The outcry might make you think that cloak-and-dagger activities at major companies are out of the ordinary. But corporate espionage is a fact of life. Some form of snooping is relatively commonplace at all kinds of companies, experts say. And in the electronic age they are becoming even more so.
There are extreme examples, such as Oracle Chairman Larry Ellison hiring private investigators to spy on Microsoft allies, including pawing through their garbage. "I feel very good about what we did," Ellison told reporters in June 2000, when the activities came to light.
Back in the 1960s, General Motors, rattled by Ralph Nader's expose of safety defects in its Corvair, hired private eyes to dig up dirt on the consumer activist. Not only did the investigators fail, but GM paid $280,000 to Nader after he sued and the president of GM had to testify to Congress about the harassment and apologize to Nader.
This summer, the FBI nabbed three Coca-Cola employees who, rather ineptly, allegedly tried to sell the secret formula for Coke to archrival PepsiCo.
Corporate spying may be as simple as a company president visiting competitors' stores to see what's on sale, as elaborate as engaging outside experts to learn about a rival's business or as high-tech as hiring a hacker to try to breach a company's own security measures to identify weaknesses.
"I think corporate investigations are common these days because corporations have an obligation to follow up on allegations of improper behavior," said Kirk Hanson, executive director of the Markkula Center for Applied Ethics at Santa Clara University.
He and others said they think HP was entirely correct in trying to find the leak. "I would argue it was (HP Chairwoman) Pattie Dunn's responsibility to set an investigation in motion to try to identify the source of the leak," Hanson said.
The problem is the techniques used. HP has acknowledged that a contractor hired by its outside investigators used pretexting to obtain private phone records of board members and journalists.
In its broadest sense, pretexting simply means misrepresentation. Specifically, HP's outside agents evidently masqueraded as the people they were investigating, including using parts of their Social Security numbers, to obtain their phone records.
Pretexting to obtain financial records is banned by federal law. California Attorney General Bill Lockyer says HP's agents committed the crime of identity theft.
Several laws introduced in Congress this year would prohibit pretexting to obtain phone records. The HP scandal is likely to accelerate their passage.
But some experts in corporate security defend pretexting and other forms of subterfuge.
"Pretexting sounds like a bad word, but it's not," said R. Mark Halligan, a Chicago attorney who chairs the American Bar Association committee on trade secrets. "It simply means that a person represents himself in such a manner that the person that is suspected of a crime makes a certain admission or makes certain statements the investigator would not otherwise have obtained. Now this (HP) case involves access to telephone records, so it's complicated." He emphasized that he doesn't know all the facts in the HP case.
Halligan said he thinks that ferreting out trade-secret theft or unauthorized disclosure of proprietary information could merit some forms of deception.
For example, a client once hired him to find out whether a former employee who was starting a rival business planned to illegally copy the firm's manufacturing techniques. Halligan hired an investigator who befriended the former employee at a trade show and worked to develop a relationship. After several weeks, the two men went on a fishing trip together, during which the former employee offered the investigator a job with his new firm and revealed that he had his former employers' trade secrets. The company used that information to sue the former employee with the investigator as the star witness.
The National Council of Investigation and Securities Services, which represents 1,100 heads of investigation agencies and security firms, opposes use of pretexting to obtain phone records. But it worries that the HP backlash might cause Congress to ban all forms of pretexting, wiping out a key tool of investigators.
"If you were to outlaw pretexting, an unintended consequence would be outlawing the use of undercover investigators to detect theft in the workplace or seek out identities of drug dealers," said Bruce Hulme, legislative director for the Baltimore trade group and president of New York investigation firm Special Investigations.
"Undercover investigation (involves use of) pretense, subterfuge or pretext. To locate a suspect, one might use a subterfuge rather than identify oneself as an investigator," he said. "Pretexting is a recognized investigative tool used by both public and private sectors in law enforcement and public safety."
Hulme said his group and other trade organizations for security specialists had made sure their members knew that pretexting to obtain phone records was a gray area and on the verge of being outlawed.
"Anyone who was a member of an organization like (the National Council of Investigation and Securities Services) was made aware of the fact that, 'Folks, this is a problem, and if it isn't illegal it's going to be illegal really soon,' " he said.
Companies that want to delve into James Bond territory have several types of activities to choose from, including competitive intelligence, security and private investigation. Major corporations generally have in-house specialists in at least the first two of those areas. All of those professions draw some personnel from the worlds of law enforcement, military intelligence and even the CIA.
Competitive intelligence means collecting information about rivals. Competitive intelligence firms and their trade group say they collect information through public sources and never conceal their identities.
"Any time we've ever been hired by a large corporation, including corporations like HP, we have been asked to certify that we would not do anything along the lines of misrepresentation," said Michel Sandman, senior vice president of Fuld & Co., a competitive-intelligence company in Cambridge, Mass.
HP's Standards of Business Conduct, a 30-page brochure available on its Web site, says that employees may not enter into any contract that violates the law, nor engage in illegal activities involving industrial espionage against competitors.
Hanson, the ethics expert, said the HP case may be the tip of the iceberg.
"I think this is a hint that corporate investigative procedures may have gotten out of hand in other companies," he said. "If the HP officials failed to see the privacy issue, it seems like to me that other companies are even less likely to see it."
E-mail Carolyn Said at firstname.lastname@example.org.
Copyright © 2018. Owned and Operated by InfoBureau.net Co. All Rights ReservedBack to top