Robert Lemos

Many in the mainstream media continue call the alleged offense in the HP board investigation “pretexting.” It’s no such thing. It’s not surprising, however, even private investigators are still getting it wrong, because their mindset is still in the pre-computer age. Here’s why the HP case is no longer about pretexting, but about computer hacking.

Pretexting is lying–it’s that simple. Private investigators even tell me that’s so. Every industry has its own term for deception. Whether it’s “spin” in politics or “social engineering” in computer security. Occasionally, there are legitimate reasons to lie, but many times, the act is a crime. Ethical private investigators, just like ethical journalists, don’t do it. (Undercover work as a journalist has a whole set of ethical guidelines to go with it that continue to be debated.)

In the past, pretexting has been about lying to get information or access to something. It became well known in popular parlance to mean lying specifically to get access to phone records. That’s as much of a misnomer as saying that hacking is only about circumventing a computer’s defenses. Just like hacking originally meant–and still means–gaining knowledge or creating something by circumventing a standard process (whether security or societal), pretexting means lying to get something that you want.

In the past, pretexting may have been a legal gray area in certain cases, because it could fall afoul of consumer protection laws. These laws may apply because the business practice is deceptive (though, the laws are generally aimed at heading off deception in a business transaction, not in a query for information). This case is different because the end result was that the person used false credentials to log onto a system that they were not authorized to use. Thus, this is no longer pretexting but hacking.

Under USC Title 18 Section 1030(a)(4):

Whoever, … knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $5,000 in any 1-year period;

Under California Penal code 502(c):

(c) Except as provided in subdivision (h), any person who commits any of the following acts is guilty of a public offense:

1. Knowingly accesses and without permission alters, damages, deletes, destroys, or otherwise uses any data, computer, computer system, or computer network in order to either (A) devise or execute any scheme or artifice to defraud, deceive, or extort, or (B) wrongfully control or obtain money, property, or data.
2. Knowingly accesses and without permission takes, copies, or makes use of any data from a computer, computer system, or computer network, or takes or copies any supporting documentation, whether existing or residing internal or external to a computer, computer system, or computer network.

So we are no longer talking about pretexting some data from a person, but hacking into a computer server with false credentials and stealing data.

UPDATED: The entry was updated to mention the case of undercover journalism work.