Does HP Have Any Pretext?

The HP self-spying story seems to have legs. Some of the stories are spinning it as a personal story about HP’s chair:

Now Dunn faces a furor over her handling of the board. Critics say she could take a fall, possibly losing her role as board chair, for spurring an investigation that spied on her fellow board members and reporters to find out who was leaking information to the press. The outside investigators called telephone companies pretending to be board members and reporters to get telephone records — actions that could be illegal.

California Attorney General Bill Lockyer is investigating and said Thursday that laws have been broken, although it’s unclear by whom. The Securities and Exchange Commission is looking into the matter as well.

HP board chair’s leadership in question, By Michelle Quinn and Therese Poletti, Mercury News, Posted on Fri, Sep. 08, 2006

Easy enough to do, given all the colorful characters: the board member who was the target of the spying refused to resign; one of the most famous and influential venture capitalists resigned instead and took the story public after HP refused to; everybody from ethicists to the California Attorney General is weighing in.

Let’s look at a few perhaps less obvious angles.

It’s interesting that when this kind of thing involves big-company insiders, it’s phrased much more delicately than in the usual press stories. For example:

The HP case specifically also sheds another spotlight on the questionable tactics used by security consultants to obtain personal information. HP acknowledged in an internal e-mail sent from its outside counsel to Perkins that it got the paper trail it needed to link the director-leaker to CNET through a controversial practice called "pretexting"; NEWSWEEK obtained a copy of that e-mail. That practice, according to the Federal Trade Commission, involves using "false pretenses" to get another individual’s personal nonpublic information: telephone records, bank and credit-card account numbers, Social Security number and the like…

Intrigue in High Places: To catch a leaker, Hewlett-Packard’s chairwoman spied on the home-phone records of its board of directors. By David A. Kaplan, Newsweek, Updated: 6:44 p.m. CT Sept 6, 2006

When Kevin Mitnick does that, it’s called social engineering, or reporters call it hacking because they have turned hacking into a curse word. There’s also an element of a topic that’s big in the news in another context: identity theft. Yet when the chair of a major corporation orders the same thing, it’s given a polite euphemism.

In an earlier paragraph of the same story:

It was classic data-mining: Dunn’s consultants weren’t actually listening in on the calls — all they had to do was look for a pattern of contacts.

This is a pretty good illustration of why the NSA blanket surveillance program is a bad idea; that program allegedly doesn’t actually listen to people’s telephone calls, either; it just looks at records of who calls whom. Yet it can be used to track who reporters talk to. A savvy reporter will insist on contacts using phone cards and pay phones. But it’s a sad world in which reporters have to go to such lengths to protect themselves against their own government. And it can just as easily be used to determine who your political associates are; information that could have any number of uses to all sorts of government agencies, not to mention to various private entities with contacts in government.

Further:

Dunn acted without informing the rest of the board.

That seems a bit parallel to the president acting without informing Congress, or, in that case, without getting the necessary authorization for such snooping to be legal.

Let’s see what else we can mine out of this story. Tom Perkins, the famous VC who quit the HP board, asked AT&T to find out whether he had been pretexted, and AT&T responded in a letter:

The AT&T letter explains that the third-party pretexter who got details about Perkins’s local home-telephone usage was able to provide the last four digits of Perkins’s Social Security number and that was sufficient identification for AT&T.

Think about that the next time a telephone company asks you for those four digits as identification, or a credit card company, or a car loan company, or….

You may think that other information on file would prevent such a company from sending details to the wrong party, but:

The impersonator then convinced an AT&T customer-service representative to send the details electronically to an e-mail account at yahoo.com that on its face had nothing to do with Perkins. Records for Perkins’s home AT&T long-distance account in northern California were similarly obtained, except by someone using another yahoo.com e-mail account; both e-mail accounts are registered to the same Internet Protocol address, but for which AT&T says it does not know the identity of the user.

Electronic mail address on file? So what! Given four digits that your employer knows, your bank knows, and your government knows, your telco, credit card co., etc. will probably send anything anyone asks anywhere.
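The failure described in the AT&T letter, turned into a check a service desk could enforce. This is an added example, not from the original post or from any carrier's actual procedures: it treats the last four SSN digits as an identifier rather than proof of identity, and refuses delivery to an address that is not on file. The factor names, classes and sample accounts are hypothetical.

```python
from dataclasses import dataclass

# Facts that employers, banks and agencies already hold: they identify an
# account but prove nothing about who is on the line. (Hypothetical names.)
WIDELY_HELD = {"ssn_last4", "date_of_birth", "billing_address"}
# Factors assumed for this sketch to be under the account owner's control.
OWNER_HELD = {"account_pin", "callback_to_number_on_file", "otp_to_contact_on_file"}


@dataclass
class Account:
    owner: str
    contacts_on_file: set  # e-mail addresses registered by the owner


@dataclass
class ReleaseRequest:
    verified_factors: set  # factors the caller answered correctly
    deliver_to: str        # where the caller wants the records sent


def decide_release(account, request):
    """Return (allowed, reasons) for a request to send account records."""
    reasons = []
    if not request.verified_factors & OWNER_HELD:
        weak = sorted(request.verified_factors & WIDELY_HELD)
        reasons.append(
            f"no owner-held factor verified (only: {', '.join(weak) or 'none'})"
        )
    on_file = {c.lower() for c in account.contacts_on_file}
    if request.deliver_to.lower() not in on_file:
        reasons.append(f"destination {request.deliver_to} is not a contact on file")
    return (not reasons, reasons)


# Constructed sample data mirroring the two situations discussed in the text.
ACCOUNT = Account("constructed-customer", {"owner@example.net"})
PRETEXT_CALL = ReleaseRequest({"ssn_last4"}, "stranger@webmail.example")
OWNER_CALL = ReleaseRequest({"ssn_last4", "otp_to_contact_on_file"}, "Owner@example.net")

if __name__ == "__main__":
    for name, req in (("pretext call", PRETEXT_CALL), ("owner call", OWNER_CALL)):
        allowed, reasons = decide_release(ACCOUNT, req)
        print(name, "->", "release" if allowed else "refuse", reasons)
```

Both checks are independent on purpose: a caller who passes a strong factor but asks for delivery somewhere new is still refused until the destination itself is verified.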

This story seems to have several undercurrents.

  1. Companies, even CEOs or the chairman of the board, can’t assume that they can get away with whatever they like anymore, not when anyone can take a story public.
  2. In this case, one might have thought the sheer size of HP would provide it with enough clout to enforce silence, if not outright omerta, but the bigger the company the more likely it is to have board members who are actually independent, at least when it comes to something that affects them directly.
  3. Conversely, no one can assume any longer that they have any real privacy.
  4. Moving from social security numbers to some sort of real authentication would help.
  5. But even that won’t help as long as the biggest corporations and the biggest governments do it.

And that won’t change unless the public demands it.

-jsq

PS: Thanks to Valdis Krebs and Noah Shachtman for the heads-up.

2 thoughts on “Does HP Have Any Pretext?”

  1. Schneier on Security

    Spying on the HP Board

    Fascinating story. Basically, the chairman of Hewlett-Packard, annoyed at leaks, hired investigators to track down the phone records (including home and cell) of the other HP board members. One board member resigned because of this. The leaker has refu…

  2. Toomre Capital Markets LLC

    HP Pretexters Now Being Sued By Wireless Carriers

    BusinessWeek reports that Cingular Wireless LLC, the nation’s largest cell phone provider, on Friday September 29th 2006 sued one of the private investigators caught up in the scandal over the Hewlett-Packard Co. leak investigation. Cingular Wireless is see
