Schneier on Security
A blog covering security and security technology.
September 7, 2006
Spying on the HP Board
Basically, the chairman of Hewlett-Packard, annoyed at leaks, hired investigators to track down the phone records (including home and cell) of the other HP board members. One board member resigned because of this. The leaker has refused to resign, although he has been outed.
Note that the article says that the investigators used "pretexting," which is illegal.
The entire episode--beyond its impact on the boardroom of a $100 billion company, Dunn's ability to continue as chairwoman and the possibility of civil lawsuits claiming privacy invasions and fraudulent misrepresentations--raises questions about corporate surveillance in a digital age. Audio and visual surveillance capabilities keep advancing, both in their ability to collect and analyze data. The Web helps distribute that data efficiently and effortlessly. But what happens when these advances outstrip the ability of companies (and, for that matter, governments) to reach consensus on ethical limits? How far will companies go to obtain information they seek for competitive gain or better management?
The HP case specifically also sheds another spotlight on the questionable tactics used by security consultants to obtain personal information. HP acknowledged in an internal e-mail sent from its outside counsel to Perkins that it got the paper trail it needed to link the director-leaker to CNET through a controversial practice called "pretexting"; NEWSWEEK obtained a copy of that e-mail. That practice, according to the Federal Trade Commission, involves using "false pretenses" to get another individual's personal nonpublic information: telephone records, bank and credit-card account numbers, Social Security number and the like.
EDITED TO ADD (9/8): Good commentary.
EDITED TO ADD (9/12): HP Chairman Patricia Dunn was fired.
Posted on September 7, 2006 at 1:47 PM
The solution is easy: hold companies liable. If Alice pretends she's Bob and tricks CharlieCo into divulging Bob's information, Bob should be able to sue not just Alice but CharlieCo too.
And CharlieCo should absolutely not be allowed to use a defense of, "But she knew Bob's zip code, SSN, and mother's maiden name!" Tough luck, they should have been more vigilant.
If that sounds unfair, consider precedent like child protection and stolen property laws. If you sleep with a minor, it's no defense to say, "But she had a really good fake id!" If you buy stolen property, you might not be guilty of a crime, but you definitely have to give it back, even if you don't get your money back. "But it looked like a legitimate sale, and they had a really well-forged certificate of ownership!" Doesn't matter.
Whoever is responsible for this has to be slapped down, hard, to make it clear to corporations that they cannot do this.
Corporations have all the information they need to "steal the identities" of their employees, ex-employees, and members of the board of directors: they can provide social security numbers, names of family members, addresses, phone numbers, and enough personal information to convince phone company employees that it's a legitimate request for information. It is vital that they do not abuse their power.
For example, if I ran a phone company, and there were a law holding me responsible for damages caused by the leak of someone's phone records, I'd put policies in place that when someone asks for a copy of their records, they can only be (1) mailed to the address they have on file or (2) we'll call you back at the number associated with your account to confirm.
Oh, and on your next bill, there'd be a big notice, "HEY, SOMEONE CLAIMING TO BE YOU ASKED FOR AND RECEIVED A COPY OF YOUR RECORDS. If it wasn't really you, call this hotline immediately."
In a case like this, it seems wrong to hold CharlieCo liable: a determined corporation can pull off a very convincing con: they know vast amounts about their employees, and can even divert work telephone numbers.
Also, holding the corporation liable is the opposite of a deterrent; it just passes the risk on to the stockholders.
On the other hand, if the CEO who orders pretexting goes to jail, you'll see the practice stopped in a hurry (NOTE: in this case I don't know if the CEO ordered fraud to be committed, or if she just gave a bunch of PIs general instructions to find the leaker). Criminal conduct by a corporate officer should be treated as a crime by that officer. Maybe you can punish the company as well, but the threat of criminal prosecution for fraudulently obtaining someone else's phone records will stop this phenomenon in its tracks.
@Joe: The kid at the supermarket knows my name and credit card number. If I buy beer and he asks for my driver's license, he knows my address, zip code, and SSN (which is on the driver's license in many states).
That's more than enough to get my phone records via the existing lackadaisical screening the phone company uses before doling them out. The fix is to make the companies that hold my data start guarding it the way they guard their own.
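The two comments above (the callback-or-mail-to-address-on-file policy, and the point that zip code, SSN and maiden name are cheap to obtain) describe the same control from two sides. The following is an added example, not code from the original post or from any carrier: it models a records request under a knowledge-based policy, where reciting the on-file "secrets" lets the caller choose where the records go, and under an out-of-band policy, where nothing said on the call decides anything and the records only ever travel to the channel already on file, with a notice to the account holder. The account, the request and the policy names are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Account:
    """What the carrier already holds about a subscriber (constructed sample)."""
    number: str
    zip_code: str
    ssn_last4: str
    mothers_maiden: str
    mailing_address: str    # delivery channel fixed at signup, not by a caller
    callback_number: str    # on-file number, likewise fixed at signup


@dataclass(frozen=True)
class RecordsRequest:
    """What a caller asserts over the phone when asking for a copy of records."""
    account_number: str
    claimed_zip: str
    claimed_ssn_last4: str
    claimed_maiden: str
    requested_destination: str   # where the caller asks for the records to go


@dataclass
class Outcome:
    released: bool
    destination: Optional[str]                         # where the records actually go
    notices: List[str] = field(default_factory=list)   # text to print on the next bill


def kba_release(acct: Account, req: RecordsRequest) -> Outcome:
    """Knowledge-based check (the weak policy): matching zip, SSN digits and
    maiden name is treated as proof of identity, and the caller picks the
    destination. A pretexter who has harvested those values passes unchanged."""
    claims = (req.claimed_zip, req.claimed_ssn_last4, req.claimed_maiden)
    on_file = (acct.zip_code, acct.ssn_last4, acct.mothers_maiden)
    if claims == on_file:
        return Outcome(True, req.requested_destination)
    return Outcome(False, None)


def out_of_band_release(acct: Account, req: RecordsRequest) -> Outcome:
    """Out-of-band policy (the hardened one): nothing recited on the call
    decides anything. Records go only to the address on file, confirmation
    goes only to the number on file, and the account holder is told about
    the request on the next bill, whoever made it. The caller's requested
    destination is ignored entirely."""
    notice = (f"Someone claiming to be you requested a copy of your records; "
              f"we mailed it to {acct.mailing_address} and will confirm by "
              f"calling {acct.callback_number}. If this was not you, call the hotline.")
    return Outcome(True, acct.mailing_address, [notice])


# Constructed sample data: a subscriber, and a pretexter who has already
# harvested every "secret" answer (the thread notes how easy that is).
SAMPLE_ACCOUNT = Account(
    number="555-0100",
    zip_code="00000",
    ssn_last4="1234",
    mothers_maiden="Garcia",
    mailing_address="12 Example Lane, Anytown",
    callback_number="555-0100",
)

PRETEXT_REQUEST = RecordsRequest(
    account_number=SAMPLE_ACCOUNT.number,
    claimed_zip="00000",          # all harvested values are correct
    claimed_ssn_last4="1234",
    claimed_maiden="Garcia",
    requested_destination="PO Box 77, investigator's mail drop",
)


def run_both(acct: Account = SAMPLE_ACCOUNT,
             req: RecordsRequest = PRETEXT_REQUEST) -> Tuple[Outcome, Outcome]:
    """Apply both policies to the same pretext call and return the outcomes."""
    return kba_release(acct, req), out_of_band_release(acct, req)


if __name__ == "__main__":
    kba, oob = run_both()
    print("KBA policy sends records to:", kba.destination)   # the mail drop
    print("OOB policy sends records to:", oob.destination)   # the subscriber
    print("Bill notice:", oob.notices[0])
```

The point the code makes is that under the out-of-band policy a successful pretext call does not leak anything: the attacker has only triggered a mailing to the victim plus a warning. The caveat raised later in the thread still applies: a callback to a work number an employer controls can be diverted, so the on-file channel must be one the account holder, not a third party, controls.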
In this case, investigators hired by HP used the last four digits of a board member's (Perkins') SSN to enable their pretexting. (Story is at Forbes.com -- Google is your friend.)
This whole episode reeks. As California's Attorney General said, Dunn's action here is, if not illegal, "colossally stupid".
The FTC may call it "pretexting," but I call it fraud.
Joe Buck writes, "Corporations have all the information they need to 'steal the identities' of their employees." This seems to me to be a core issue. We know from documents released by Tom Perkins that the pretexter who obtained his call history from AT&T knew the last four digits of his social security number. Where did the pretexter get this information? Did an HP representative make it available? Did board chair Patricia Dunn, who appears to have orchestrated the entire scam, provide it personally? If either of these possibilities is the case, can the company or Dunn be considered criminally complicit under California law?
Poor Bill and Dave must certainly be spinning in their graves over the replacement of "The HP Way" by "The New HP Way"....
we need a corporate death penalty: revocation of its right to do business, and all its patents and trade secrets placed immediately in the public domain.
pending that, we need a way for individuals to protect themselves against pretexting. thomas perkins resigned from the hp board in protest because his records were pretexted. it shapes up as a difficult task if a name partner at kleiner perkins, with his level of savvy, can't do it. unfortunately, he wussed out, no lawsuit, no statement on the record of the reason for resigning.
pending that, reputation may be the best defense. i doubt that anybody who knows me would assume the risk of pretexting my phone records.
I read about this on B2Day
and thought it was ridiculous! Dunn is basically using signature methods that are used by scammers to identify personal information. I think she cost the company a lot of credibility because honestly, the issue at hand here isn't so much catching the "culprit", it's about trying to plug up the data leaks so that it won't happen again. Her actions also raise the issue that just as much as there should be laws around harsher punishments for scammers who use deception and other unethical methods to gain access to data, there should be laws stopping employers/employees from doing this. It's just absurd.
So long as corporate management is required to maximize stockholder value, liability passed on to stockholders is a deterrent, because it reduces stockholder value.
That said, of course the board members who invade other people's privacy and commit fraud, or pay someone to do so, should be personally liable as well. But that doesn't mean the hypothetical CharlieCo should be off the hook for giving away information they should have protected.
"How far will companies go to obtain information they seek for competitive gain or better management?"
.... and how far will individuals go for personal gain?!
Also note: HP also 'sourced' private phone records of reporters, including Dawn Kawamoto of CNet. Ouch.
Story Link: http://news.com.com/...
One of the few vaguely sensible things done recently by the UK government is a proposal to increase the penalties for pretexting from fines to jail:
I say "vaguely sensible" because if a private eye phones up your health insurer and tricks them into reading out your medical records over the phone, it's only the caller that goes to jail - not the insurance clerk and certainly not the insurance company CEO. Still, it's a start
Surely 'pretexting' is nothing more than well-informed social-engineering, something which PIs have been doing for as long as the profession has existed.
Speaking of the reporter's records being hacked:
Isn't this the same tactic that the Justice Department said they would use to find out who leaks details of their own quasi-legal programs? As many of their defenders would say, if you have nothing to hide, why are you afraid of it seeing the light of day?
As was pointed out, the problem is not that PIs and others are using age old techniques in an attempt to acquire information, the real problem is that those with the information are not protecting it properly.
In this case, the phone company should be held 100% liable for leaking customer data. The fact that they have such horrible security practices in place that someone with just basic personal info can get phone records is deplorable.
Holding CEOs or other officers personally liable is a good start, but they generally have substantial insurance coverage (provided by their company, of course) that means that fines and legal fees can wind up just being more losses for the stockholders.
Jail time. Or perhaps a "you can't insure this" law.
Although I *do* like the idea of a death-penalty for corporations. If they want to claim to be legal "persons", they have to take the bad with the good.
I feel for HP's reputation. The CEO should resign. If she does not resign, she should be canned. Grossly. As in escorted out the door by security.
There is no moral difference between pretexting and breaking into someone's house. At least going through their trash has some legal basis.
> That practice...involves using "false
> pretenses" to get another individual's
> personal nonpublic information:
Fraud by impersonation? Can you say "identity theft"?
I think y'all are going completely overboard here. Pretexting is not illegal. The chairwoman of the board uncovered gross impropriety by a board member and put an end to the leaks. Serious violations were committed on both sides, but the chairwoman at least has the weak excuse that she took these steps in response to violations by her board.
This is not a boss mistreating her employees, this is strictly a boardroom fight. The chair of the board is not the CEO. The sheer ignorance of corporate governance involved in many of these comments makes it hard to take them seriously.
There are so many aspects to consider:
1. Did the "outed" HP board member who leaked information break his contractual terms? If so, does this lessen his rights to privacy?
2. Did the chairman of Hewlett-Packard know that the PIs hired to investigate the leaks might perform morally questionable, if not illegal, acts during their investigation?
3. I think it is clear that if the chairman of Hewlett-Packard hired PIs in the knowledge that they might perform pretexting then the chairman is morally culpable, but is the chairman legally culpable as well?
4. I suspect that the leaker did not appreciate the technical risks of using the same phone for leaking as well as day-to-day purposes. Surely a few basic precautions such as using a pay-as-you-go phone not registered to the owner would have hindered the PIs?
5. One of the HP websites, http://www.hp.com/hpinfo/globalcitizenship/... gives "We are committed to uncompromising integrity" as a header. The content of the above URL bears little resemblance to an organisation that hires private investigators to spy on their own employees.
Personally, I suggest that HP need to think long and hard about what they stand for. In the long run, failing to maintain an ethical standard will hurt the company.
What a sad story.
The purportedly gross impropriety to which you refer was perfectly legal conduct, and if the reports I have read are accurate, did not reveal privileged insider information. They did, however, reveal details of Board conversations and meetings. In short, supposed confidences were violated, but nobody made or lost any money off of it.
Your categorical assertion that pretexting is not illegal is either wrong, or you are in possession of knowledge which somehow has eluded the Attorney General of the state of California. This issue is complicated, yes, but hyperbole and oversimplification serve no one.
Regardless, Dunn's investigation is itself of questionable wisdom, tactically. Let me ask you -- how would hiring a PI allow the Board to determine the identity of "the leaker" without invading Board members' privacy? Obviously, the culprit won't confess. Any reporter he told wouldn't either. Therefore, one must rely on circumstantial evidence -- a maître d' who saw a Board member with a reporter perhaps. Maybe you tail everyone on the Board. It is obvious, even to someone as dense as Dunn seems to have been on this, that maybe phone records might be looked at. If you have to engage in unseemly and perhaps illegal action like this, perhaps the focus needs to be on prevention, not on finding out who offended in the past.
At best, the fact that the pretexting was done by a 3rd party allows Dunn to say she was ignorant of something anyone else of her stature would have surmised. IANAL, but that smells like willful ignorance to me, and it may well be willful ignorance of a criminal act. We'll know soon enough.
The other day at work, a customer requested a copy of a receipt for a book they'd purchased a month before. They wanted to prove it was a work-related book. We were mildly happy to report that while we could provide a copy of the credit card receipt, our new printer didn't make a carbon copy like the old one did, and while the computer keeps track of all books sold, it doesn't keep track of who bought them. So we couldn't tell him - or anyone else - with any certainty what book(s) he had purchased. I'm personally wondering how long it will be before companies start advertising that they don't track your purchases, so buy from them!
PS Clue: There's a reason that spies in movies use pay phones. :-)
Every member of the board was spied on, and only Tom Perkins stood up, slammed his briefcase, walked out and contacted the authorities.
If people don't stand up for their rights then their rights are meaningless abstractions. All the privacy laws in the world won't fix victim apathy.
>The sheer ignorance of corporate governance involved in many of these comments makes it hard to take them seriously.
The sheer volume of laws broken by corporations makes it hard to prosecute them as they richly deserve.
> Pretexting is not illegal
Please cite your source.
"Pretexting" would be covered by 18 USC 1343 and/or similar state laws. The "pretexter" makes a knowingly and materially false statement in order to obtain something of value. Seems to fit within the statute quite easily.
Chris: "perhaps the focus needs to be on prevention"
How exactly does one prevent this? Prohibit board members from using unmonitored phones or leaving the building? Ultimately these are trust issues, and cannot be solved technologically.
> we need a corporate death penalty
Corporations are owned by shareholders. Think of the Enron case -- it was the employees that were hurt, not the guilty executives.
The right answer isn't a "corporate death penalty," it's accountability of corporate executives and directors. Executive activities need to be reasonably transparent to shareholders, and if executives break the law, they (not the company) need to be held responsible.
Another poster notes that jail time is appropriate, because fines can be insured against. I note (as the executive of a small corporation myself) that directors and officers insurance always explicitly disclaims coverage if the relevant action was knowingly fraudulent or illegal.
I thought the quote in this morning's paper was quite good:
"'I have no settled view as to whether or not the chairwoman's acts were illegal, but I do think they were colossally stupid,' Attorney General Bill Lockyer told the Mercury News in an interview. 'We'll have to wait until the investigation concludes to determine whether they were felony stupid or not.'"
Funny how some people (e.g. Sparohok) might dismiss such a serious issue as "strictly a boardroom fight". That's missing the forest for the trees.
I think this actually has a lot to do with ethics and integrity as a higher standard than the rule of cabal. Tom Perkins is an amazingly talented man who cares deeply for the success of HP. His action has sent a message to a far wider audience than just the boardroom. In stark opposition to unscrupulous leadership by people like the Enron and Worldcom executives, Rove, Rumsfeld, Cheney, Bush, etc., Perkins is a leader with the type of character that America desperately needs to help find its way again.
While I certainly sympathize with a Board's concern over protecting their own privacy, disregard for the principle they are trying to protect makes little/no sense. It will be interesting to see how far Dunn distances herself from the investigators she hired, what she says about their controversial methods, and what she will be willing to do in order to regain the respect and trust of the directors.
Incidentally, anyone else find it ironic that Dunn was herself once a journalist? Her anger over leaks to journalists must have more background to it than this one incident:
"Although the source didn't leak high-level strategic details or say anything inflammatory, the statement [that described a gathering of HP directors at a posh spa in Southern California] angered Dunn..."
Here's the original text that apparently made her so angry:
"In marathon sessions that spanned the course of several days at the posh Esmeralda Resort & Spa in Indian Wells, Calif., HP's leadership hashed out HP's long-term strategy. Those in attendance worked from early morning to late evening, with few breaks given beyond meals, said a source with the company.
'By the time the lectures were done at 10 p.m., we were pooped and went to bed,' the source said. An HP representative declined to comment on the planning sessions. "
The article does seem to reveal strategic information, although not very detailed.
hello, corporate apologist. i stand by my call for a corporate death penalty. why should shareholders be immune from the consequences of criminal acts by their corporations? did they operate in a moral vacuum when they bought the stock, or when they mailed in the proxy form electing those directors? we the people granted you that corporate franchise, and we can take it away, and don't you ever forget it.
What is the difference between "pretexting" and "phishing"? Intent?
@Anon: "The sheer volume of laws broken by corporations makes it hard to prosecute them as they richly deserve."
Of course. I agree.
Also, the sheer volume of laws broken by individuals makes it hard to prosecute them as they richly deserve.
What's your point again?
Implicit in your post is a very reasonable test for when corporations should be held liable and when corporate officers should be held liable. If a sufficiently diligent shareholder could plausibly have reason to believe that laws would be broken, the corporation should answer for the crime. If corporate officers violate laws in a way that is so capricious and well hidden that even the most careful shareholder couldn't possibly have expected or uncovered the violations, then only the officers should be held liable.
I'm not saying this is the actual standard, or that it should be the standard, just that it seems to follow from your train of thought.
In practice, civil liability generally follows the money. Corporations are preferential targets because they have the deep pockets. Criminal sanctions are a different story.
I get your anger, and I'm not saying there shouldn't be tougher regulations/penalties for corporations in some cases, but why should all the hard working employees, their families, people with pensions invested in the company, and the wider economy have to suffer because of the illegal actions of a few senior employees?
So how did this story come to light? Was it leaked?
hey bruce i would really love to see a posting on what the heck pretexting is, where the name comes from, and why it sounds so innocuous when it isn't
> did they operate in a moral vacuum when they bought the
> stock, or when they mailed in the proxy form electing
> those directors?
Mutual funds. Pension plans. Heck, what if you own an index fund? I never get proxy forms on any of those, the fund votes those shares.
I don't think this rates a corporate death penalty, and I'm one who's more willing to use such than most. However, the real problem is simple -- directors are basically immune. Even if you pierce the corporate veil, they're insured six ways to Sunday, and have the company's assets to fund the defense.
The answer here is to prevent insuring director liability away, or better, make these criminal matters, not civil ones. All the insurance in the world isn't going to pay off a few years in prison.
Civil action sticks the stockholders with the penalty for corporate misdeeds.
Prison sentences for the guilty -- who had a hand in it, ordered it, approved it, or received the results -- would put a chill on enthusiasm for corporate espionage.
BTW, nix on the corporate death penalty. I own stock in a number of companies but I have no idea what goes on inside, and I have no right to know. The boards certainly aren't going to confide in me. I used to have US savings bonds, but the federal government never owned up to any wrongdoing, at least not to me.
Small business, small problems. Big business, big problems. As a company grows it gets bigger than life at a certain point. Antitrust laws prevent abuses. The HP Compaq merger was a bad deal in my opinion. Now the combination is engaged in questionable activity, which is due in part to the questionable merger which destroyed old relationships for a new corporate vision. Clearly HP has trust issues. The PR machine will explain the problems away. Watch for HP cares or some sort of feel good campaign with slogans and such to launch soon. They'll throw dollars at it and use a move on approach. Maybe Clearly HP would be a good slogan. Put makeup on it, spin it, sell it and forget about it.
Sounds like HP needs a board replacement. I wonder if they are still under warranty?
I once worked for a company where the vice-president became paranoid and obsessed with the people "out to get them". He hired private detectives to monitor employees and keep an eye on them. Not a fun place to work. And I found about this long after I left or I would have had even more reason to sue them. (And I had plenty of reasons. Others there had more. Double-plus ungood.)
I bet a whole bunch of HP employees are considering other employment at this point.
"why should all the hard working employees, their families, people with pensions invested in the company, and the wider economy have to suffer because of the illegal actions of a few senior employees?"
because the employees and investors possess higher culpability and consequent lower moral standing than the victims, everybody who was overcharged during the phony electricity crisis. it wasn't just a few senior employees, it was the whole energy trading unit. haven't you heard about fat boy, death star and ricochet? sure the death penalty is harsh, it's supposed to be. that's how we incentivize employees and investors to consider the consequences of their choices. since the corporation's assets are just redistributed, not destroyed, i believe the threat to the wider economy is overstated.
@erik v. olson:
"mutual funds. pension plans. heck, what if you owned an index fund?"
your mutual fund should offer sufficient diversification so that a hit on one of its horses won't stop the whole stagecoach. ditto with index funds, if you own, say, a dow 30 fund, even in the unlikely event one of those companies receives the death penalty, 29/30 of your investment will be unaffected. it is the worker's responsibility to see that his pension fund is invested in diverse ways, i understand this didn't happen at enron, but the workers were still in a better position to address these problems than the victims (including 30 million californians). when you put the victims ahead of the players, then it's easier to determine the correct course.
"i own stock in a number of companies, but i have no idea what goes on inside, and i have no right to know."
no right to know? sir, being an ostrich investor is a personal choice, not a legal imposition, and the fact that you shirk your responsibility in no way lessens that responsibility. your reference to u.s. savings bonds exhibits confusion on the difference between debt and equity. stockholders own, bondholders lend, and the bondholders would still get their money back under my proposal. your equity in the united states has nothing to do with how many savings bonds you own, that's just a loan to uncle sam, and he doesn't have to own up to any wrongdoing as long as he makes his interest and principal payments, as he has never failed to do.
@another_bruce: You defend your views well, but giving HP the "death penalty" seems disproportionate for Ms. Dunn's actions.
I agree with your opponents that casual investors (like me and my 401k) would unjustly suffer. Of course it is the board's fiduciary responsibility to look after investors' interests. In this case Ms. Dunn seems to have let shareholder interest take a back seat to her personal career.
The victims here are her fellow board members, for whom I have only mild sympathy, and the journalists, to whom I doff my hat.
>hey bruce i would really love to see a posting on what the heck pretexting is, where the name comes from, and why it sounds so innocuous when it isn't
How about how the FTC defines pretexting?
>As per the Gramm-Leach-Bliley Act, pretexting is illegal if used to gather financial information.
I need to edit this.
It is illegal if the information gathered is from a financial institution.
Which is why I wonder how this will play out in court.
Whoah... slow down here. This is an abomination!
From what little I know, the way these things work is bigwigs hire reputable PI agencies, and those guys outsource to less reputable ones. As with any hierarchy, this diffuses responsibility, intentionally in this case, with the guy at the top saying "I didn't know they were going to do something _illegal_!" and the guy at the bottom saying "I was just following orders". I imagine the bigwigs know better than to ask too many questions, and that the reputable agencies assure them that they won't use any illegal techniques... note the careful wording.
I don't think corporations are going to start advertising that they can't track you. Most consumers are willing to be tracked to save 5-10% using store cards. Numerous schemes for anonymous financial transactions have been proposed and none have really taken off, even for intangibles. Even if a company says it can't, or won't, it's just a code change away from being able to, and their privacy policies aren't worth the paper they're not written on because if the corporation goes under and sold, or gets acquired, previous policies are non-binding, right? And besides, where would big brother be likely to look for suspicious activity? Anonymity is double plus ungoodful wrongthink preferred by commie mutant traitor scum.
i said we needed a corporate death penalty. it is too early to determine if hp should be subjected to this penalty, but it should be on the table. its mere presence would incentivize people in the boardroom to rat out the perps.
the victim class goes beyond the other board members and journalists you mentioned. the spouses and children of these people, who used the same phone, and all their callees whose numbers were disclosed by the phone company to the pretexter.
Isn't it ironic, in these days and times of the U.S. Constitution's systematic disembowelment of individual rights given the recurrent privacy invasions perpetrated upon citizens by the government, that a corporation is following suit. Tsk tsk. Yet we seem to think that in the private sector it is so sinister. What a joke. As if the public example which fostered the mimicry activity is somehow benign. Suddenly I feel as though I am in Rome during Nero's reign...
All of you are buying into the Perkins misinformation campaign. He didn't resign because of the procedures used--at the time he resigned, he didn't know what procedures had been used and neither did anyone else. He resigned because his buddy got fingered and he didn't want to lose a valuable ally on the HP board. He was one of the most hawkish people re the investigation of the leaker--he thought it was someone in upper management.
Ethics? A VCapitalist with ethics? You guys don't understand how the VC game works.
Dunn definitely gets integrity points for resigning. She arguably did nothing wrong, certainly nothing unethical.
Perhaps she showed poor judgement and should have first threatened to investigate if the leaks did not stop.
Contrast with Keyworth who leaked, denied leaking, and then leaked some more. When confronted with proof he finally confessed but refused to resign.
"Dunn definitely gets integrity points for resigning. She arguably did nothing wrong, certainly nothing unethical."
I think what she did was both wrong and unethical, and certainly pretexting is illegal.
And I'm not sure she resigned. I think she was tossed out on her ear, but that it's being called a resignation to save some face.
"I think what she did was both wrong and unethical, and certainly pretexting is illegal."
How do you come to this conclusion? Do you not accept the 8-K report that she was not informed of the methods used to obtain the information? According to the 8-K (which is signed off by all the board members), Dunn and the board were ASSURED that all methods used to obtain information were legal and ethical. Are you ASSUMING that she (and the other board members) are lying in the 8-K?
By contrast, all the reporters say for a fact that Perkins resigned in protest over the methods used. Not true. Read the 8-K.
Either believe the 8-K or believe Perkins' spin. Given who he is, I'll choose the former.
HP Board lacks integrity
The spying scandal is a sorry comedown for a company that HAD a reputation for excellence and integrity.
The board's actions have been more of the CYA variety than of truthfulness.
* WHAT PHONE RECORDS? The board played dumb when they realized that directors' phone records were used in the leak investigation. No one asked, "How did we get these records?"
* BOARD MEMBER RESIGNED FOR "PERSONAL REASONS": Perkins resigned in May. HP resisted proper reporting to the SEC of the reasons for Perkins' resignation until the past few days.
* STONEWALLING: Dunn and Hurd have made only weak apologies. Dunn has been far more strident about tracing the leaks from an individual than about the corporate breach of integrity in fraudulent investigations.
* PROTECTING CRIMINALS: HP has refused to identify the private investigation firm or the third party investigators who are suspected of doing the pretexting.
* WEAK APPEASEMENT: The recent announcement of Board changes is weak.
1. Dunn remains chair for 4 MONTHS.
2. She remains on the Board.
3. She will be replaced by Mark Hurd, who is also CEO and President.
4. The Board will be backtracking on its new rule that the Chair and CEO would be different people. This weakens HP's Corporate Governance.
If the Board had any integrity, it would have acted...
* immediately, upon learning of wrong doing
* without coverup, without excuses
* without compromise to the offenders
The Board must demand Dunn's resignation from the Board. (There will be more legal fallout for HP if she remains, than if she leaves and HP cooperates fully with the California State, Federal, Congressional, SEC and FBI investigations).
The Board needs to have a non-executive Chair. There needs to be a check on the CEO.
The Board must make a public statement, repudiating in the strongest terms, the tactics used by its private investigators, and reiterating its stand on corporate integrity.
The Board must take ACTION to convince the business and investment community that it is determined to regain the mantle of integrity and excellence it once had under Hewlett and Packard.
The issue is less who pretexts whom, or what sneaky ways the corporation invades our privacy, but rather: has anyone in our techno world yet found any means to positively identify individuals in a consistently safe and secure manner?
The shocking part of this is that pretexting is so low tech; an organization as large as HP could certainly have been more technically creative in its pursuit of finding the board leak, and certainly has the resources to do so.
Once the dust has settled on this it does raise a few questions in regard to how the information was obtained.
Ignoring HP's transgressions, the better question to my mind is what are the telcos doing in regard to cleaning up their own back yards?
In a story of this magnitude, the companies that have provided the information seem to have been overlooked. Is anyone reviewing the processes that led to the provision of information?
Big company or not, the processes employed are no different to those used in hacking or the commission of fraud. Given that these evils have been with us for many years now, how is it that major corporations have fallen for them so easily?