Former HP Chief Security Strategist: Company's Leak Investigation Crossed The Line

Ira Winkler, a former chief security strategist at HP, talks about the bad decisions the company made in its boardroom leak investigation, where he thinks investigators crossed the line, and how common intelligence schemes are in corporate America.

Q: How far can an investigation go?

You're over the line when you start pretending to be somebody else, when you go out and supposedly don't know what methods are being used. If you don't know, you're trying not to know. These people are acting like babes in the woods. ... These are big people running a Fortune 500 company. They should have known. If you're in a Fortune 500 company, you can't act naive and say, "I never thought anybody would do anything illegal."

Q: Where exactly did HP cross the line from legal investigation to unethical or even illegal tactics?

Surveillance. It's perfectly legal in theory. You can follow anybody, sadly, as long as you're not harassing them in other ways. You see [companies] monitor e-mail for proper usage. You see them monitor Web usage. They could monitor telephone traffic. There are a lot of things they could do. There's nothing wrong with letting people know you're going to monitor their systems at work--even cell phone usage if the company paid for it. That's all well and good for the company to look at without a problem. Most large companies monitor that kind of thing.

Q: Sure, but when did the trouble start?

When you start infringing upon users' private lives, that's another thing. If you have to lie about being that person, then clearly you've stepped over the line. These types of tactics are typically used for competitive data. This was being used to investigate their own people.

Q: Are these all common corporate practices, and it's just that HP was just unlucky enough to get caught, or was what HP did really outrageous?

The hiring of private investigators that might in turn hire third parties that commit questionable acts is nothing new. However, these tactics are usually used for competitive purposes. When you're starting to investigate your own employees like that, and you're taking employee records and giving them to private investigators so they can pull phone records, that's well beyond the line. Also, investigating journalists is way over the line. Competition is one thing, but when you're starting to investigate journalists, something is just not right. ... This is an investigation that ran amok.

Q: What should HP have done?

When they believed there was this level of investigation required, they should have gone to the FBI and the SEC.

Q: Do you think the competitive environment that HP is working in drove them to dig hard to find this media leak and plug it?

If this was such a competitive blow, they should have gone immediately to the SEC or the FBI. This was personal. ... It was a member of their family betraying them. I fully agree that's 100% fully accurate. But do you act like a vigilante or a Fortune 11 company that takes the higher road so your actions don't overshadow the originating actions?

Q: Are you hoping this will have the positive effect of speeding up pretexting legislation?

[That] should have occurred a decade ago. We see pretexting on a daily basis where people are being stalked, and it's being used for financial crimes. For that, Congress sits back and does nothing. This is front-page news, and now Congress is calling hearings. ... Hearings have been going on, but how many hearings do you need to understand that pretexting invades the privacy of individuals everywhere, and it's used to further other crimes and cause personal damage. Legislation to prevent pretexting is long overdue.

Q: Will this case change the way companies handle future internal investigations?

I think companies will be on a slight notice, especially for internal investigations. I think this will keep them within the lines for the short term and just make them sneakier for the long term. There will be some hesitance up front, but you can bet your bottom dollar that people who tend to contract these types of services will not be long deterred.
