[216] in Privacy_Forum


[ PRIVACY Forum ] Hewlett-Packard's Privacy Nightmare

daemon@ATHENA.MIT.EDU (privacy@vortex.com)
Sat Sep 9 19:20:24 2006

Date: Sat, 9 Sep 2006 15:26:29 -0700 (PDT)
Message-Id: <200609092226.k89MQTZB003978@chrome.vortex.com>
To: privacy-list@vortex.com
From: privacy@vortex.com
Reply-To: PRIVACY Forum Digest mailing list <privacy@vortex.com>


Greetings.  This story hasn't been getting all that much play in the
mainstream non-business media, buried as it is among
9/11-anniversary political posturing and related shenanigans.

As summarized in:

http://abcnews.go.com/Business/wireStory?id=2413427

Hewlett-Packard has yet another problem on their hands (and
Chairwoman Patricia Dunn is in the middle of this one as well).

In an attempt to discover who was leaking company information that
she felt to be of concern, she (or entities working under her
direction) reportedly hired a private detective firm.  This
organization then used likely illegal methods to obtain the private
phone records of HP board members and -- as if that weren't bad
enough -- outside reporters as well, including the esteemed John
Markoff of the New York Times.

The gumshoes apparently used the time-honored technique of "pretexting"
(aka "fraud") to convince AT&T that they were the phone subscribers
themselves, and asked for copies of related phone records. 

Dunn claims that she'd never heard of pretexting and that she didn't
authorize such methods -- but one does have to wonder where the
blazes she thought the private phone records were coming from -- the
phone fairy, perhaps?

AT&T doesn't appear to be blameless, either.  As I've reported many
times in the past, major firms' lax security policies, depending on
widely available information such as social security numbers, zip
codes, or the like as security firewalls for personal information,
are incredibly ineffective and just short of criminal themselves.
Even worse, if you try to establish passwords or other additional
security on your accounts, it's often easy for interlopers to bypass
them simply by claiming that they are you, and that you "forgot your
password" or the like.

At least two key points can be derived from the current situation.

First, HP's dedication to privacy -- judging by this series of
events anyway -- is somewhere south of picayune.  You might want to
keep that in mind the next time you're pricing out notebook
computers or other privacy-sensitive equipment.

Secondly, companies like AT&T who make "pretexting" so easy need to
be soundly penalized (in ways not passed on to subscribers) when
this occurs, and must be forced to take strong steps to prevent
repeat performances.  They certainly shouldn't be rewarded for these
continuing gaffes with total residential services deregulation -- as
the California Public Utilities Commission granted them recently.
Nor should they be allowed virtually unfettered access to the cable
TV marketplace, as provided by newly passed California legislation.

But then again, money talks, and bul... well, you know.  
Take care, all.

--Lauren--
Lauren Weinstein
lauren@vortex.com or lauren@pfir.org
Tel: +1 (818) 225-2800
http://www.pfir.org/lauren
Co-Founder, PFIR
   - People For Internet Responsibility - http://www.pfir.org
Co-Founder, IOIC
   - International Open Internet Coalition - http://www.ioic.net
Moderator, PRIVACY Forum - http://www.vortex.com
Member, ACM Committee on Computers and Public Policy
Lauren's Blog: http://lauren.vortex.com
DayThink: http://daythink.vortex.com

_______________________________________________
privacy mailing list
http://lists.vortex.com/mailman/listinfo/privacy

