HP’s ELECTRONIC TRACKING TECHNOLOGIES
2006-10-04 at 11:03:00 am #16636
HP scandal sheds light on electronic tracking technologies
SAN JOSE, Calif. — Hewlett-Packard’s investigation into leaks has put the spotlight on electronic tracking technologies that just about anyone can use to try to spy on people.
HP’s investigators acknowledged in a memo that they used an electronic ruse to try to trick CNet’s News.com journalist Dawn Kawamoto into revealing her sources for stories that included HP’s confidential information.
It was just one of a variety of electronic information-gathering tactics that have civil libertarians concerned about how easy it is to use technology either legally or illegally to track someone.
HP chief Mark Hurd confirmed that investigators used pretexting, or obtaining personal cellphone records by pretending to be the cellphone owners. But technology can be used to track individuals, obtain their passwords, eavesdrop on their wireless networks, or track leaked documents back to certain printers or Word documents.
“It is disturbing to say the least,” said Katherine Albrecht, director of Caspian, a privacy-rights advocacy group and co-author of the book “Spy Chips.”
“I worry that this is becoming standard operating procedure at companies that have problems with whistleblowers,” she said.
In a memo sent to HP’s top executives by HP ethics chief Kevin Hunsaker, HP said it engaged in a “covert intelligence gathering operation” using an untraceable Microsoft Hotmail e-mail account to send a “legally permissible software-based tracing device in an e-mail attachment sent to Kawamoto.”
Mike Holston, an outside lawyer hired to investigate the matter for HP, acknowledged that HP sent a “tracer” to try to discover a journalist’s sources. Hurd said he approved the idea of sending misinformation to a journalist, but did not specifically approve the use of a tracer.
Seth Schoen, a staff technologist at the Electronic Frontier Foundation, believes HP planted a “Web bug” — referred to by Holston as a tracer — on Kawamoto’s computer. A Web bug is a link to a graphic image that feeds intelligence back to the sender when the e-mail is opened.
The Web bug apparently was sent to Kawamoto in hopes that she would forward the bogus e-mail, supposedly from an HP insider named Jacob, to her confidential sources. Anyone who received the forwarded message would prompt the return message back to HP.
From there, investigators could determine the identity of Kawamoto’s sources through their Internet Protocol addresses, or IP numbers.
Kawamoto said in an e-mail to the Mercury News, “The tactic was designed to work on myself, as well as anyone who received the message and opened the attachment.”
In the case of Kawamoto, the Web bug apparently didn’t work, according to Holston.
Richard Smith, a noted privacy advocate and CEO of Boston Software Forensics, said Web bugs occupy a single pixel on a computer screen and so they are invisible to users.
Web bug a legal tool
While Web bugs are relatively benign, there are other, definitely illegal, forms of “spyware” that can be embedded into computers.
Those spyware programs, which include “keyloggers” that capture typed characters, can be used to discover from afar everything that the target is doing with a computer, said Kevin Mitnick, a security consultant who was convicted of criminal hacking.
While Holston said HP investigators tailed subjects and went through their trash, he said no keystrokes were captured and no wiretaps were used.
Laws prohibit the use of such keylogger programs, which are considered the equivalent of wiretaps that require court approval before they can be used by law enforcement. But in some states, the laws haven’t kept up with technology.
In the European Union, however, even simple devices such as Web bugs may be illegal, says Patrick Peterson, vice president of technology at IronPort Systems, a security technology company.
One of the newest means of tracking what someone does with a computer is to eavesdrop on a Wi-Fi wireless network. Such networks typically reach beyond a home’s walls to the street, so an investigator in a parked car can watch everything that happens on a Wi-Fi network that doesn’t have a secure password.
“If I was a sleazy investigator, I might do this,” said Smith, the security expert.
Technology is also useful for tracking leaked documents.
Microsoft’s Word program embeds a serial number in every document, so that document can be traced back to a particular version of Word on a particular computer. Digital “watermarks” can be invisibly embedded into documents as well.
Schoen said the Electronic Frontier Foundation is concerned about how many models of color laser printers — including those manufactured by HP — secretly print an identifying mark on every page they print. That mark can be traced to the individual printer, and the Secret Service has used this to track counterfeit currency, Schoen said.
“We are concerned and upset about it and are seeking more information on it,” Schoen said.
With employees, it takes a matter of seconds to search through a CD of phone records that the phone company sends to large companies along with monthly bills, said Schoen. Hence, it’s easy to search for employees who are talking to reporters without authorization.
Robert Holmes, a private investigator in Beverly Hills at IP Cybercrime.com, said that tracking technologies are often used in the workplace, since there is usually no disputing that an employer has the right to know what is being done with company-owned computers, cellphones, office phones and e-mail.
Moving toward ubiquity
In the future, civil libertarians fear that tracking will become ubiquitous, from the radio frequency identification tags that could replace bar codes to more accurate versions of the global positioning satellite systems now built into many cellphones.
Mitnick said companies will likely give themselves “plausible deniability” by doing as HP did: outsourcing the investigation to contractors.
But in the HP case, the consequences of crossing the line and being overly invasive are clear as the criticism piles up.
Holmes believes HP’s security team used clever tricks in their surveillance of directors, employees and reporters, but he said that to discuss these tactics openly in internal company e-mails was the height of “amateurism.”
In an ironic twist, HP is a co-sponsor of an award for privacy innovation.
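An added example, not part of the original article: a defender's check that lists the remote images referenced by an HTML e-mail, which is the mechanism the article describes for a Web bug reporting back when the message is opened. The sample message, the function names and the host tracker.example are constructed for illustration.

```python
from email import message_from_string
from email.policy import default
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

class _ImgCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.imgs = []
    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.imgs.append({k: (v or "") for k, v in attrs})

def _tiny(img):
    """True when the image is declared 0 or 1 pixel wide/high, or hidden by CSS."""
    for dim in ("width", "height"):
        m = re.match(r"\s*(\d+)", img.get(dim, ""))
        if m and int(m.group(1)) <= 1:
            return True
    style = img.get("style", "").replace(" ", "").lower()
    return "display:none" in style or "visibility:hidden" in style

def find_web_bugs(raw_message):
    """Return (url, reason) for each remote image in the HTML parts of a message."""
    msg = message_from_string(raw_message, policy=default)
    findings = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        collector = _ImgCollector()
        collector.feed(part.get_content())
        for img in collector.imgs:
            url = img.get("src", "")
            if urlparse(url).scheme not in ("http", "https"):
                continue  # cid: and data: images travel inside the message, no callback
            reason = "invisible remote image" if _tiny(img) else "remote image"
            findings.append((url, reason))
    return findings

# Constructed sample message; tracker.example is a placeholder host.
SAMPLE = """\
From: sender@example.com
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>See attached.</p><img src="cid:logo@example.com" width="120" height="40">
<img src="http://tracker.example/t.gif?id=abc123" width="1" height="1"></body></html>
"""
```

Any remote image, visible or not, discloses the reader's IP address to the server when it is fetched, so mail clients that block remote content by default defeat this kind of tracer.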