In 2006-7, officers and/or agents of Hewlett Packard were separately charged under California and federal law for their role in a “pretexting” scandal, a scandal in which an investigator impersonated HP directors and reporters in order to establish responsiblity for leaks of non-public information that appeared to originate from company directors.
Gleick’s impersonation of a Heartland director was a form of “pretexting”, though his alleged forgery and public dissemination of documents go well beyond the HP incident. On the other hand, Gleick’s fraud did not involve public utility records or use U.S. federal identification numbers; as a result, some counts in the HP case do not apply to Gleick, though most do (plus some others).
Most of the limited discussion of Gleick’s conduct has been based on federal law, but state criminal law is very much involved. Hewlett Packard is based in San Francisco and is subject to the same state law as Gleick’s Pacific Institute, located across the bay. In addition, identity theft offences can be charged in the state of the person impersonated.
Once the HP pretexting facts became public, state and federal investigations were quickly launched (as well as congressional hearings.) The dilatory response of authorities in the Gleick case stands in remarkable contrast.
I had noticed the Hewlett Packard case very early on (prior to Gleick’s confession) from googling “pretexting”. I had discussed it with Mosher at length. In addition to HP and the Pacific Institute both being Bay-area institutions, the Hewlett Foundation and the Packard Foundation were both important donors to the Pacific Institute. We concluded that Gleick was probably familiar with the general circumstances of the case from the extensive contemporary news coverage in the Bay area, particularly because the involvement of such an important donor. We concluded that Gleick would thus be familiar with at least the idea of “pretexting” – one of a number of tells that were “consistent” with Gleick, but not “proving” Gleick.
HP had first tried to pin down corporate leaks in 2005 without success. In January 2006, Patricia Dunn, HP Chair, instigated a second attempt to pin down the source of the corporate leaks. In this attempt, one of the investigators, Bryan Wagner, several layers removed from Dunn, impersonated various HP directors and various news reporters, thereby obtaining telephone records that identified George Keyworth, one of their directors, as the source. Dunn denied condoning or knowing of subsequent illegality and, although she lost her job, charges against her were eventually dropped.
Tom Perkins, the chair of HP’s corporate governance committee, had opposed Dunn’s inquiry. In May, he learned that Dunn had proceeded with the investigation anyway and resigned in protest. In its original SEC filing, HP recorded Perkins’ resignation as due to personal reasons. Perkins formally objected to this and formally objected to the minutes of the meeting at which he resigned. (His correspondence is here.) On Aug 11, Perkins received confirmation from ATT that his personal telephone records had been obtained by an investigator who had impersonated him and on August 18, formally complained once again to HP about their 8-K filing. On Sep 6, HP filed a revised 8-K (reported by CNET here). By this time, the state Attorney General had begun an investigation and had “informally contacted” HP.
The story quickly sparked a feeding frenzy with almost daily statements over the next few weeks from the California state investigators and the company. Five days later (Sep 11), both the U.S. attorney and the House Energy and Commerce Committee announced investigations. Joe Barton stated:
The Committee is troubled by this information, particularly given that it involves HP–one of America’s corporate icons–using pretexting and data brokers to procure the personal telephone records of the members of its Board of Directors and of other individuals without their knowledge or consent
Barton’s statement came about 6 weeks after the hearings of the same committee (and subcommittee) into the hockey stick affair. On Sep 12, Dunn announced plans to resign. The U.S. Attorney’s Office issued a statement as follows:
“The U.S. Attorney’s Office and the FBI in the Northern District of California are investigating the processes employed in an investigation into possible sources of leaks of Hewlett-Packard Company confidential information,
A broader SEC inquiry was announced on Sep 21. On Oct 4, California filed. (Charges here; see discussion below.) On Dec 7, in exchange for a $14.5 million payment to the state, California dropped criminal charges against HP and its officers. The proceeds were supposed to go to “finance a new law enforcement fund to fight violations of privacy and intellectual-property rights.”
On Jan 12, 2007, federal charges were laid against Wagner. Wagner pleaded guilty but his sentencing is still pending five years later (apparently investigations of his higher-ups are still ongoing.)
California charges provide a precedent for the form of state charges that potentially apply in the Gleick case. California charges against Dunn and four others were laid under sections 538.5 (Fraudulent Wire Communication), 530.5 (Using personal identifying information of another to obtain credit, goods, or services in another’s name), 502(c)(2) (Wrongful use of computer data) and 182 (Conspiracy). A copy of the affidavit is here.
California section 538.5 does not appear to apply in the Gleick case since an essential element of the offence is obtaining data from a “public utility”, but the elements of the other offences appear to carry over. In addition, the Gleick case appears to meet the elements of state sections 528.5 and 530.
California Section 530.5 (one of the HP state charges) states:
530.5. (a) Every person who willfully obtains personal identifying information, as defined in subdivision (b) of Section 530.55, of another person, and uses that information for any unlawful purpose, including to obtain, or attempt to obtain, credit, goods, services, real property, or medical information without the consent of that person, is guilty of a public offense, and upon conviction therefor, shall be punished by a fine, by imprisonment in a county jail not to exceed one year, or by both a fine and imprisonment, or by imprisonment pursuant to subdivision (h) of Section 1170
Personal identifying information “as defined in subdivision (b) of Section 530.55” is defined very broadly and includes a person’s name (i.e. in the Gleick case, than name of the Heartland director that he impersonated.)
530.55(b) (b) For purposes of this chapter, “personal identifying information” means any name, address, telephone number,….
Section 502(c) (also used in the HP charges) prescribes an offence when computers are used to “wrongfully obtain” data:
(1) Knowingly accesses and without permission alters, damages, deletes, destroys, or otherwise uses any data, computer, computer system, or computer network in order to either (A) devise or execute any scheme or artifice to defraud, deceive, or extort, or (B) wrongfully control or obtain money, property, or data.
(2) Knowingly accesses and without permission takes, copies, or makes use of any data from a computer, computer system, or computer network, or takes or copies any supporting documentation, whether existing or residing internal or external to a computer, computer system, or computer network.
Section 528.5(a) defines an offence for impersonating another person for the purpose of harming or defrauding another person:
a) Notwithstanding any other provision of law, any person who knowingly and without consent credibly impersonates another actual person through or on an Internet Web site or by other electronic means for purposes of harming, intimidating, threatening, or defrauding another person is guilty of a public offense punishable pursuant to subdivision (d).
California section 530 is another impersonation offence in which property is received by the impersonator that is intended for the use of the person impersonated:
Every person who falsely personates another, in either his private or official capacity, and in such assumed character receives any money or property, knowing that it is intended to be delivered to the individual so personated, with intent to convert the same to his own use, or to that of another person, or to deprive the true owner thereof, is punishable in the same manner and to the same extent as for larceny of the money or property so received.
California Section 530.6(a) sets out procedures under which the impersonated Heartland director can initiate an investigation by a report to his local police. (Despite the “federalization” of much crime in the U.S. – certainly relative to Canada-, it appears that US states can work with one another.)
(a) A person who has learned or reasonably suspects that his or her personal identifying information has been unlawfully used by another, as described in subdivision (a) of Section 530.5, may initiate a law enforcement investigation by contacting the local law enforcement agency that has jurisdiction over his or her actual residence or place of business, which shall take a police report of the matter, provide the complainant with a copy of that report, and begin an investigation of the facts. If the suspected crime was committed in a different jurisdiction, the local law enforcement agency may refer the matter to the law enforcement agency where the suspected crime was committed for further investigation of the facts.
Illinois State Law
In addition to California state law, Gleick’s identity theft may give rise to state offences in Illinois, where both Heartland and most of its directors are located.
Illinois Section 16G-15 (Identity theft) states:
(a) A person commits the offense of identity theft when he or she knowingly:
(1) uses any personal identifying information or personal identification document of another person to fraudulently obtain credit, money, goods, services, or other property,
(7) uses any personal identification information or personal identification document of another for the purpose of gaining access to any record of the actions taken, communications made or received, or other activities or transactions of that person, without the prior express permission of that person.
Recall that one of Gleick’s requests was for the re-transmission of the Board package sent to the Heartland director that he was impersonating. The previous email was forwarded to Gleick in its entirety, together with the packages, an event that would seem to fall rather squarely within the Illinois offence.
Illinois Section 16G-35 states that a proper venue for identity theft is the county where the impersonated person resides or has a place of business:
Venue. In addition to any other venues provided for by statute or otherwise, venue for any criminal prosecution or civil recovery action under this Law shall be proper in any county where the person described in the personal identification information or personal identification document in question resides or has their principal place of business.
Once an identity theft has been reported, Illinois Section 16G-30 requires law enforcement to either investigate the matter themselves or to seek the assistance of (California) law enforcement:
Mandating law enforcement agencies to accept and provide reports; judicial factual determination.
(a) A person who has learned or reasonably suspects that his or her personal identifying information has been unlawfully used by another may initiate a law enforcement investigation by contacting the local law enforcement agency that has jurisdiction over his or her actual residence, which shall take a police report of the matter, provide the complainant with a copy of that report, and begin an investigation of the facts or, if the suspected crime was committed in a different jurisdiction, refer the matter to the law enforcement agency where the suspected crime was committed for an investigation of the facts.
Again, the charges against HP investigator Bryan Wagner provide precedent for the sort of liability that Gleick is exposed to. Federal charges against Wagner (see here) included 18 USC 371 (conspiracy); 18 USC 1028 (identity theft [with federal document]) and 18 USC 1343 (wire fraud). Wagner pleaded guilty to both charges though he has not yet been sentenced.
Federal section 1028 appears to require the use of a federal document or identification as an element of the offence. In Wagner’s case, he had used federal Social Security numbers, whereas Gleick simply used the director’s name. It doesn’t appear to me that the elements of federal section 1028 are met in Gleick’s case.
However, 18 USC 1343 does appear to apply to Gleick’s case, as I discussed in an earlier post in connection with Gleick’s obtaining of documents through identity theft, and additionally to Gleick’s dissemination (and likely authorship) of the fake memo, which Gleick falsely attributed to Heartland Institute. Both counts appear to fulful the elements of section 1343 (wire fraud):
Whoever, having devised or intending to devise any scheme or artifice to defraud, or for obtaining money or property by means of false or fraudulent pretenses, representations, or promises, transmits or causes to be transmitted by means of wire, radio, or television communication in interstate or foreign commerce, any writings, signs, signals, pictures, or sounds for the purpose of executing such scheme or artifice, shall be fined under this title or imprisoned not more than 20 years, or both….
Wagner’s conviction under 18 USC 1343 in a pretexting case is a definite and relevant precedent.
The HP pretexting scandal offers an interesting precedent to Gleick’s case. Because Gleick’s case did not involve information from a public utility and did not use U.S. federal identification documents or numbers, some counts do not apply. But a number of offences charged in the HP pretexting appear to carry over with relatively little modification to Gleick’s case and, in addition, the elements of some other offences closely related to the HP offences appear to be satisfied in the Gleick case.