By David A. Kaplan
Sept 5, 2006
The confrontation at Hewlett-Packard started innocently enough. Last
January, the online technology site CNET published an article about the
long-term strategy at HP, the company ranked No. 11 in the Fortune 500.
While the piece was upbeat, it quoted an anonymous HP source and
contained information that only could have come from a director. HP's
chairwoman, Patricia Dunn, told another director she wanted to know who
it was; she was fed up with ongoing leaks to the media going back to CEO
Carly Fiorina's tumultuous tenure that ended in early 2005. According
to an internal HP e-mail, Dunn then took the extraordinary step of
authorizing a team of independent electronic-security experts to spy on
the January 2006 communications of the other 10 directors - not the
records of calls (or e-mails) from HP itself, but the records of phone
calls made from personal accounts. That meant calls from the directors'
home and their private cell phones.
It was classic data-mining: Dunn's consultants weren't actually
listening in on the calls - all they had to do was look for a pattern of
contacts. Dunn acted without informing the rest of the board. Her
actions were now about to unleash a round of boardroom fury at one of
America's largest companies and a Silicon Valley icon. That corporate
turmoil is now coming to light in documents obtained by NEWSWEEK that
the Securities and Exchange Commission is currently deciding whether to
make public. Dunn could not be reached for comment. An HP spokesman
declined repeated requests for comment.
On May 18, at HP headquarters in Palo Alto, Calif., Dunn sprung her
bombshell on the board: she had found the leaker. According to Tom
Perkins, an HP director who was present, Dunn laid out the surveillance
scheme and pointed out the offending director, who acknowledged being
the CNET leaker. That director, whose identity has not yet been publicly
disclosed, apologized. But the director then said to fellow directors,
"I would have told you all about this. Why didn't you just ask?" That
director was then asked to leave the boardroom, and did so, according to
Close to 90 minutes of heated debate followed, but Perkins, the Silicon
Valley venture capitalist, says he was the only director who rose to
take Dunn on directly. Perkins says he was enraged at the surveillance,
which he called illegal, unethical and a misplaced corporate priority on
Dunn's part. In an interview with NEWSWEEK, Perkins says he was
particularly annoyed since he chaired the HP board's Nominating and
Governance Committee and had not been informed by Dunn of the
surveillance, even though, he says, she had told him for months that she
was attempting to discover the source of the leak.
After a divided board passed a motion asking the leaker to resign,
Perkins closed his briefcase, announced his own resignation and walked
out of the room. In media mentions the next day, Perkins's sudden
resignation was noted, but without explanation and without any
indication that his departure was a form of protest. (According to
Perkins, the leaker-director himself refused to resign, saying it was up
to shareholders to make such a decision; that director continues to
serve on the board.) Thus began nearly four months of warfare between
HP and Perkins about whether the surveillance would ever come to public
Any time a director resigns from a U.S. public corporation, federal law
requires the company to disclose it to the SEC, in what's called an 8-K
filing. If the director resigned for reasons related to a "disagreement"
with the company about "operations, policies or practices," that, too,
is now required. HP reported Perkins's resignation to the SEC four days
after it happened - back in May - but gave no reason for the resignation,
instead including only a press release thanking Perkins for his years of
service. Perkins has twice challenged that omission in e-mails to the HP
board and, he says, received no response from HP.
In early August, Perkins - represented by his own, non-HP lawyer, Viet
Dinh, a former Bush administration official - formally asked the SEC to
force HP to publicly file his written explanation for resigning.
According to a source who requested anonymity because of his closeness
to HP, the company objected on the grounds that when Perkins resigned at
the May board meeting he didn't indicate why. Perkins says his reasons
for resigning were obvious and he stated them at the meeting. Now,
sources say, the company could file such a document with the SEC as soon
The entire episode - beyond its impact on the boardroom of a
$100-billion company, Dunn's ability to continue as chairwoman and the
possibility of civil lawsuits claiming privacy invasions and fraudulent
misrepresentations - raises questions about corporate surveillance in a
digital age. Audio and visual surveillance capabilities keep advancing,
both in their ability to collect and analyze data. The Web helps
distribute that data efficiently and effortlessly. But what happens when
these advances outstrip the ability of companies (and, for that matter,
governments) to reach consensus on ethical limits? How far will
companies go to obtain information they seek for competitive gain or
The HP case specifically also sheds another spotlight on the
questionable tactics used by security consultants to obtain personal
information. HP acknowledged in an internal e-mail sent from its outside
counsel to Perkins that it got the paper trail it needed to link the
director-leaker to CNET through a controversial practice called
"pretexting"; NEWSWEEK obtained a copy of that e-mail. That practice,
according to the Federal Trade Commission, involves using "false
pretenses" to get another individual's personal nonpublic information:
telephone records, bank and credit-card account numbers, Social Security
number, and the like. Pretexting is heavily marketed on the Web.
Typically - say in the case of a phone company - pretexters call up and
falsely represent themselves as the customer; since companies rarely
require passwords, a pretexter may need no more than a home address,
account number and heartfelt plea to get the details of an account.
According to the Federal Trade Commission's Web site, pretexters sell
the information to individuals who can range from otherwise legitimate
private investigators, financial lenders, potential litigants and
suspicious spouses, to those who might attempt to steal assets or
fraudulently obtain credit. Pretexting, the FTC site states, "is against
the law." The FTC and several state attorneys general have brought
enforcement actions against pretexters for allegedly violating federal
and state laws on fraud, misrepresentation and unfair competition. One
of HP's directors is Larry Babbio, the president of Verizon, which has
filed various actions against pretexters.
Legal experts vary in their views on the extent to which pretexting is a
violation of criminal law. The Gramm-Leach-Bliley Act of 1999 bars a
range of fraudulent activity related to financial records, but its
applicability to phone records is unclear. Experts agree that pretexting
is often used to accomplish identity theft - to borrow money or buy
merchandise - that clearly is criminal. But the pretexting itself may be
harder to prosecute. Civil liability would seem to be much more a risk
for pretexters, as they obviously engage in an invasion of privacy,
achieved through misrepresentation.
Perkins himself was pretexted as part of Dunn's leaker probe. In the
materials he sent to the SEC, Perkins includes an August 11 letter from
an attorney at AT&T spelling out to Perkins that he was a victim of
pretexting in January 2006; Perkins had requested that AT&T examine
whether he had been pretexted. The AT&T letter explains that the
third-party pretexter who got details about Perkins's local
home-telephone usage was able to provide the last four digits of
Perkins's Social Security number and that was sufficient identification
for AT&T. The impersonator then convinced an AT&T customer-service
representative to send the details electronically to an e-mail account
at yahoo.com that on its face had nothing to do with Perkins. Records
for Perkins's home AT&T long-distance account in northern California
were similarly obtained, except by someone using another yahoo.com
e-mail account; both e-mail accounts are registered to the same Internet
Protocol address, but for which AT&T says it does not know the identity
of the user.
The materials before the SEC indicate that Dunn's consultants used
pretexting for her investigation. In mid-June, according to a letter
Perkins sent to the full HP board, Perkins contacted HP's outside
counsel - Larry Sonsini, of Wilson Sonsini Goodrich & Rosati - and asked
him to look into the Dunn investigation. In an e-mail to Perkins
obtained by Newsweek, Sonsini acknowledged that Dunn's security
consultants "did obtain information regarding phone calls made and
received by the cell or home numbers of directors" and that it was "done
through a third party that made pretext calls to phone service
providers." Sonsini's e-mail emphasized that the security consultants
engaged in "no electronic surveillance," "no phone recording or
eavesdropping," and "no recording, review or monitoring of director
e-mail." His legal defense of the use of pretexting was that it is
"apparently a common investigatory method" and that "there was no
'secret spying,' i.e., no electronic gear, listening devices, etc."
Perkins quotes Sonsini's e-mail in the materials he sent to the SEC.
Sonsini could not be reached for comment.
In the documents before the SEC, Perkins also protests that he was not
allowed to review and approve the initial 8-K filing about his May
resignation, which he says is required under SEC rules. And he requests
that the HP board appoint a special committee to examine the legality
and propriety of Dunn's investigation. In the documents before the SEC,
after Perkins notes he was not the source of the CNET leak, he
excoriates Dunn. "I resigned solely to protest the questionable ethics
and the dubious legality of the chair[woman]'s methods," Perkins writes.
In his interview with NEWSWEEK, he added that he believed he was
"legally obligated to do so" in his directorial capacity.
Perkins says he has asked other government agencies to investigate the
sub rosa surveillance of the HP directors. Those agencies include the
California attorney general's office, as well as the FTC, the Federal
Communications Commission and the Justice Department.
Dunn, 52, has been on the HP board since 1998, and was elected
non-executive chairwoman in February 2005. She was CEO of Barclays
Global Investors from 1995 to 2002. The 74-year-old Perkins is the
cofounder of Kleiner Perkins Caufield & Byers, the venerable Silicon
Valley firm that has bankrolled such venture-capital home runs as
Genentech, Netscape, Amazon and Google. Perkins has an on-and-off
history with HP that dates almost half a century. On graduating from
Harvard Business School in 1957, he worked on a lathe in the company's
machine shop. Then he helped launch its computer division in the 1960s,
eventually becoming Bill Hewlett's staff assistant when Dave Packard
went to Washington to run the Pentagon. Perkins joined the HP board
after HP merged with Compaq in 2001, then retired in 2004, and rejoined
the board in 2005 when Fiorina was ousted. Perkins alludes to his HP
heritage in his letter. "My history with the Hewlett-Packard Company is
long and I have been privileged to count both founders as close
friends," he writes. It "is a very sad duty," he says, to disclose
"probable unlawful conduct, improper board procedures, and breakdowns in
corporate governance." It remains to be seen if this final chapter in
his relationship with HP changes the company's course.
Editor's Note: Kaplan is currently writing a book for HarperCollins on
the superyacht that Tom Perkins recently built and launched in Europe.