Thanks to HP, another catch phrase enters the public consciousness. Pretexting. It's a technique of social engineering, or gaining access to systems by manipulating people into divulging information that should remain confidential. Many people never heard of the phrase “pretexting” before private investigators, hired by HP's top manageent, collected the private phone records of its directors and a CNet reporter. Why? Someone on the board of directors leaked information to the reporter and, damn it, HP was going to find out who did it. I won't go into further details here because you can read about the story elsewhere.
The part that interests me is how easily the investigators collected private information. Pretexting is a means of deceiving someone with an untruth. In this case, the investigators pretended to be the people whose records they wanted to retrieve from the phone company. In short, they lied. They also broke the law.
Under federal law — the Gramm-Leach-Bliley Act — it’s illegal for anyone to:
- Use false, fictitious or fraudulent statements or documents to get customer information from a financial institution or directly from a customer of a financial institution.
- Use forged, counterfeit, lost, or stolen documents to get customer information from a financial institution or directly from a customer of a financial institution.
- Ask another person to get someone else’s customer information using false, fictitious or fraudulent statements or using false, fictitious or fraudulent documents or forged, counterfeit, lost, or stolen documents.
The Federal Trade Commission Act also generally prohibits pretexting for sensitive consumer information.
According to that third bullet, the HP management who ordered this theft of information may also be at fault under the law. I'm sure they'll claim they never knew the investigators would use illegal means, but I wouldn't buy that if I were sitting in a jury.
Think of the confidential information companies collect about you. They know your name and where you live. Some have your credit card data, and part or all of your Social Security Number. Stores know what you're buying, and when you're likely to buy a product again. Think of your medical records or credit card transactions getting into the wrong hands. Your search engine queries may reveal things that you have a right, and a wish, to keep private.
The problem with raw data is that it provides no context. The records don't say why you purchased a banana and a jar of vaseline at the grocery store last Tuesday. If you were running for election this year, imagine the uncomfortable suggestions that an opposing political rival could make those that tidbit.
We hear about invasions of other people's privacy almost daily, but how often do we make changes to protect ourselves? For example, do you have a GMail or Yahoo Mail account? If so, all of your searches while logged into those accounts trace back to your identity. Even if you don't login with an account, the search engine records the IP address you use for your query. In real world encounters, how much information do you give to an unknown source when you register to win that “free” car sitting in the mall, or answer a telephone survey?
There is always someone who can use your private infomation to their benefit. Only you control how much information you give. Once that information is out of your hands, you have no control over it. We trust certain organizations – banks, insurance companies, phone companies, utilities, blood banks, schools, employers, physicians and hospitals – to keep our information safe and confidential. Some succeed. Some fail. It's up to you to understand the privacy policies of an organization when you provide your information. There are laws to protect us, but laws won't stop criminals.
I believe that the inherent weaknesses of organizations that are vulnerable to pretexting are exactly why we need secure credentials. When you vote or conduct some financial transactions in person, you have to show a photo identification to authorize your access. Why do we not demand authentication for more transactions to retrieve confidential data? It's time for greater use of fully proofed and vetted identification systems to become the standard for personal and electronic interactions. It's too easy to fake your way through an informal interrogation or compromise a password. Identity requires something you know and something you have.