By Marie Cocco
Hewlett-Packard used a digital snooping method known as “pretexting”—aka lying—to finger its directors who were leaking to the press. It just goes to show: When it comes to safeguarding the populace against such attacks, we’re still in the Wild, Wild West.
WASHINGTON—We were probably the last yuppies in America to get a VCR.
More than a decade after the electronic combat between Sony’s Betamax and competing VHS models inaugurated the era of home entertainment, my husband and I hooked up the new gizmo to our 19-inch television and watched—well, we watched some tapes he needed to review for work.
Comfortable in my low-tech world, I would shake my head in amazement as work colleagues would point-and-click through their holiday shopping lists, blithely offering up to cyberspace their credit card numbers, home addresses and even their kids’ names. I was still catalog shopping by toll-free number, convinced that anything imbedded in the electronic memory of a computer was easily accessible to everyone who was better at math than me, and so earned fabulous salaries in the technology industry. Belatedly, it occurred to me that operators who so helpfully took my credit card number were merely typing them into a computer. Now I live uneasily with the convenience of computer-assisted shopping and communication by e-mail, knowing that I’m part of a huge database of insecure information ripe for plucking by government, corporate data-trackers and precocious teenagers.
So I admit to inordinate curiosity about the case of Hewlett-Packard, the information-age giant that’s enmeshed in the latest corporate scandal because it used information-age methods to finger its own directors who were leaking to the press. In truth, the practice HP used to find the leakers—“pretexting’’—has a high-tech name that, suitably enough, is misleading. Pretexting is plain old lying. Or as Sherwin Siy of the Electronic Privacy Information Center puts it, “a social engineering attack.’‘
Pretexters, who advertise their services—where else?—on the Internet, merely pretend to be someone they are not, to obtain information they are not supposed to have. Pretexters often falsely represent themselves as a customer and use a variety of ruses to get unsuspecting clerks to hand over information. Pretexters can obtain a record of all your telephone and cellphone calls, as well as account balances, home addresses, all or part of your Social Security number—you name it. This is where the low-tech lie can morph into high-tech surveillance: “Each piece of information that you gain on somebody allows you to get more,’’ says Siy.
The Hewlett-Packard scandal has captured headlines, but Congress has uncovered similar hair-raising abuses. The House Energy and Commerce Committee held a little-noticed hearing in June at which 11 data brokers who allegedly made millions selling phone records and other private information invoked their Fifth Amendment rights and refused to testify. Nonetheless, lawmakers compiled a fat dossier of records that detail the deceptions: One is a step-by-step guide for pretexters who try to trick phone company representatives, suggesting the imposter ask such questions as “what address did you send my bill to?’’ and instructing the pretexter to “use voice accent appropriate for the calling area.’’ Another detailed the existence of “spoofing’’ companies, which market the means to foil caller-ID. A fake phone number is created “so that the person on the other end of your call will think you are ‘somebody else.’ ”
Committee Chairman Joe Barton (R-Texas) was incensed to discover that some local law enforcement officials, circumventing the requirement that they use subpoenas or warrants to obtain phone records, were using data brokers instead. Abusive ex-spouses, stalkers and child predators could easily use information from brokers to track their targets.
There ought to be a law. Right now, there isn’t.
The American approach to privacy protection is peculiarly fragmented, even in the face of an integrated threat. California may prosecute in the HP case, because it has its own law against pretexting. Movie-rental records are safeguarded under federal law, the result of a controversy that arose during confirmation hearings for doomed Supreme Court nominee Robert Bork. Medical records are covered by a 1970s-era law. Illicitly obtaining and selling financial records is barred—the outgrowth of a “pretexting’’ suit brought by the Federal Trade Commission in 1999. Broader bills against obtaining phone records and other data through pretexting are pending on Capitol Hill.
Still, I have the uneasy feeling that no matter what lawmakers do, the public’s privacy will continue to be stripped by wicked manipulation of the very technology that is supposed to make our lives so wonderful. It doesn’t make me long for quill and parchment. Typewriters and carbon paper would do.