The confrontation at Hewlett-Packard started innocently enough. Last January, the online technology site CNET published an article about the long-term strategy at HP, the company ranked No. 11 in the Fortune 500. While the piece was upbeat, it quoted an anonymous HP source and contained information that only could have come from a director. HP's chairwoman, Patricia Dunn, told another director she wanted to know who it was; she was fed up with ongoing leaks to the media going back to CEO Carly Fiorina's tumultuous tenure that ended in early 2005. According to an internal HP e-mail, Dunn then took the extraordinary step of authorizing a team of independent electronic-security experts to spy on the January 2006 communications of the other 10 directors—not the records of calls (or e-mails) from HP itself, but the records of phone calls made from personal accounts. That meant calls from the directors' home and their private cell phones.
It was classic data-mining: Dunn's consultants weren't actually listening in on the calls—all they had to do was look for a pattern of contacts. Dunn acted without informing the rest of the board. Her actions were now about to unleash a round of boardroom fury at one of America's largest companies and a Silicon Valley icon. That corporate turmoil is now coming to light in documents obtained by NEWSWEEK that the Securities and Exchange Commission is currently deciding whether to make public. Dunn could not be reached for comment. An HP spokesman declined repeated requests for comment.
On May 18, at HP headquarters in Palo Alto, Calif., Dunn sprung her bombshell on the board: she had found the leaker. According to Tom Perkins, an HP director who was present, Dunn laid out the surveillance scheme and pointed out the offending director, who acknowledged being the CNET leaker. That director, whose identity has not yet been publicly disclosed, apologized. But the director then said to fellow directors, "I would have told you all about this. Why didn't you just ask?" That director was then asked to leave the boardroom, and did so, according to Perkins.
Close to 90 minutes of heated debate followed, but Perkins, the Silicon Valley venture capitalist, says he was the only director who rose to take Dunn on directly. Perkins says he was enraged at the surveillance, which he called illegal, unethical and a misplaced corporate priority on Dunn's part. In an interview with NEWSWEEK, Perkins says he was particularly annoyed since he chaired the HP board's Nominating and Governance Committee and had not been informed by Dunn of the surveillance, even though, he says, she had told him for months that she was attempting to discover the source of the leak.
After a divided board passed a motion asking the leaker to resign, Perkins closed his briefcase, announced his own resignation and walked out of the room. In media mentions the next day, Perkins's sudden resignation was noted, but without explanation and without any indication that his departure was a form of protest. (According to Perkins, the leaker-director himself refused to resign, saying it was up to shareholders to make such a decision; that director continues to serve on the board.) Thus began nearly four months of warfare between HP and Perkins about whether the surveillance would ever come to public light.
Any time a director resigns from a U.S. public corporation, federal law requires the company to disclose it to the SEC in what's called an 8-K filing. If the director resigned for reasons related to a "disagreement" with the company about "operations, policies or practices," that, too, is now required. HP reported Perkins's resignation to the SEC four days after it happened—back in May—but gave no reason for the resignation, instead including only a press release thanking Perkins for his years of service. Perkins has twice challenged that omission in e-mails to the HP board and, he says, he received no response from HP.
In early August, Perkins—represented by his own non-HP lawyer, Viet Dinh, a former Bush administration official—formally asked the SEC to force HP to publicly file his written explanation for resigning. According to a source who requested anonymity because of his closeness to HP, the company objected on the grounds that when Perkins resigned at the May board meeting he didn't indicate why. Perkins says his reasons for resigning were obvious and he stated them at the meeting. Now, sources say, the company could file such a document with the SEC as soon as Wednesday.
The entire episode—beyond its impact on the boardroom of a $100 billion company, Dunn's ability to continue as chairwoman and the possibility of civil lawsuits claiming privacy invasions and fraudulent misrepresentations—raises questions about corporate surveillance in a digital age. Audio and visual surveillance capabilities keep advancing, both in their ability to collect and analyze data. The Web helps distribute that data efficiently and effortlessly. But what happens when these advances outstrip the ability of companies (and, for that matter, governments) to reach consensus on ethical limits? How far will companies go to obtain information they seek for competitive gain or better management?
The HP case specifically also sheds another spotlight on the questionable tactics used by security consultants to obtain personal information. HP acknowledged in an internal e-mail sent from its outside counsel to Perkins that it got the paper trail it needed to link the director-leaker to CNET through a controversial practice called "pretexting"; NEWSWEEK obtained a copy of that e-mail. That practice, according to the Federal Trade Commission, involves using "false pretenses" to get another individual's personal nonpublic information: telephone records, bank and credit-card account numbers, Social Security number and the like. Pretexting is heavily marketed on the Web.
Typically—say in the case of a phone company—pretexters call up and falsely represent themselves as the customer; since companies rarely require passwords, a pretexter may need no more than a home address, account number and heartfelt plea to get the details of an account. According to the Federal Trade Commission's Web site, pretexters sell the information to individuals who can range from otherwise legitimate private investigators, financial lenders, potential litigants and suspicious spouses to those who might attempt to steal assets or fraudulently obtain credit. Pretexting, the FTC site states, "is against the law." The FTC and several state attorneys general have brought enforcement actions against pretexters for allegedly violating federal and state laws on fraud, misrepresentation and unfair competition. One of HP's directors is Larry Babbio, the president of Verizon, which has filed various actions against pretexters.
Legal experts vary in their views on the extent to which pretexting is a violation of criminal law. The Gramm-Leach-Billey Act of 1999 bars a range of fraudulent activity related to financial records, but its applicability to phone records is unclear. Experts agree that pretexting is often used to accomplish identity theft—to borrow money or buy merchandise—that clearly is criminal. But the pretexting itself may be harder to prosecute. Civil liability would seem to be much more a risk for pretexters, as they obviously engage in an invasion of privacy, achieved through misrepresentation.
Perkins himself was pretexted as part of Dunn's leaker probe. In the materials he sent to the SEC, Perkins includes an Aug. 11 letter from an attorney at AT&T spelling out to Perkins that he was a victim of pretexting in January 2006; Perkins had requested that AT&T examine whether he had been pretexted. The AT&T letter explains that the third-party pretexter who got details about Perkins's local home-telephone usage was able to provide the last four digits of Perkins's Social Security number and that was sufficient identification for AT&T. The impersonator then convinced an AT&T customer-service representative to send the details electronically to an e-mail account at yahoo.com that on its face had nothing to do with Perkins. Records for Perkins's home AT&T long-distance account in northern California were similarly obtained, except by someone using another yahoo.com e-mail account; both e-mail accounts are registered to the same Internet Protocol address, but for which AT&T says it does not know the identity of the user.
The materials before the SEC indicate that Dunn's consultants used pretexting for her investigation. In mid-June, according to a letter Perkins sent to the full HP board, Perkins contacted HP's outside counsel—Larry Sonsini, of Wilson Sonsini Goodrich & Rosati—and asked him to look into the Dunn investigation. In an e-mail to Perkins obtained by NEWSWEEK, Sonsini acknowledged that Dunn's security consultants "did obtain information regarding phone calls made and received by the cell or home numbers of directors" and that it was "done through a third party that made pretext calls to phone service providers." Sonsini's e-mail emphasized that the security consultants engaged in "no electronic surveillance," "no phone recording or eavesdropping" and "no recording, review or monitoring of director e-mail." His legal defense of the use of pretexting was that it is "apparently a common investigatory method" and that "there was no 'secret spying,' i.e., no electronic gear, listening devices, etc." Perkins quotes Sonsini's e-mail in the materials he sent to the SEC, Sonsini could not be reached for comment.
In the documents before the SEC, Perkins also protests that he was not allowed to review and approve the initial 8-K filing about his May resignation, which he says is required under SEC rules. And he requests that the HP board appoint a special committee to examine the legality and propriety of Dunn's investigation. In the documents before the SEC, after Perkins notes he was not the source of the CNET leak, he excoriates Dunn. "I resigned solely to protest the questionable ethics and the dubious legality of the chair's methods," Perkins writes. In his interview with NEWSWEEK, he added that he believed he was "legally obligated to do so" in his directorial capacity.
Perkins says he has asked other government agencies to investigate the sub rosa surveillance of the HP directors. Those agencies include the California attorney general's office, as well as the FTC, the Federal Communications Commission and the Justice Department.
Dunn, 52, has been on the HP board since 1998, and was elected non-executive chairwoman in February 2005. She was CEO of Barclays Global Investors from 1995 to 2002. Perkins, 74, is the cofounder of Kleiner Perkins Caufield & Byers, the venerable Silicon Valley firm that has bankrolled such venture-capital home runs as Genentech, Netscape, Amazon and Google. Perkins has an on-and-off history with HP that dates almost half a century. On graduating from Harvard Business School in 1957, he worked on a lathe in the company's machine shop. Then he helped launch its computer division in the 1960s, eventually becoming Bill Hewlett's staff assistant when Dave Packard went to Washington to work in the Pentagon as deputy secretary of Defense in the first Nixon administration. Perkins joined the HP board after HP merged with Compaq in 2001, then retired in 2004 and rejoined the board in 2005 when Fiorina was ousted. Perkins alludes to his HP heritage in his letter. "My history with the Hewlett-Packard Company is long and I have been privileged to count both founders as close friends," he writes. It "is a very sad duty," he says, to disclose "probable unlawful conduct, improper board procedures, and breakdowns in corporate governance." It remains to be seen if this final chapter in his relationship with HP changes the company's course.