HP Scandal Raises Questions About The Twilight World Of Corporate Intelligence

While executives and directors need to investigate inside wrongdoing, advanced technology is making it much more tempting to cross ethical and legal boundaries.

Sharon Gaudin, Contributor

October 23, 2006


With Hewlett-Packard insiders facing fraud and conspiracy charges, a spotlight is shining on the shady world of corporate intelligence.

"Because of this, I can almost guarantee that inside boardrooms and conference rooms, executives are asking what their own policies are, if they've ever done this, and how they can deal with [investigations] in the future," says Howard Schmidt, a former White House security adviser and now president and CEO of R&H Security Consulting.

But advanced technology is making it much more tempting for executives to cross ethical and legal boundaries when launching an internal investigation.

Former HP chairwoman Patricia Dunn and four others face charges of fraud and conspiracy stemming from a boardroom leak investigation that involved spying, accessing phone and fax records using false pretenses, and running a sting operation on a reporter. The five face charges for allegedly engaging in fraudulent wire communications, wrongful use of computer data, identity theft, and conspiracy.

The ill-fated investigation, which ended last spring, rocked a company that had long been seen as a leading privacy advocate. But the scandal and the ensuing arrests also trained attention on an industry that has, until now, largely remained hidden.

The temptation to use technologies like Web bugs and minuscule eavesdropping devices can be great, especially when executives are feeling the pressure to get their hands on the source of a company leak or when they take an incident as a personal affront. The technology acts as a sort of protective shield, say investigators, giving users a sense of distance and anonymity when seeking information. Using tracking software can seem much less cloak-and-dagger than physically breaking into someone's office and tearing through desk drawers.

Many companies rely on GPS technology installed in company vehicles, as well as in company-issued cell phones, to make it easier than ever to track employees. "Phone-home" software also can be installed in laptops that will send out a notification of the machine's location every time it's booted up.

Are these tactics legal? Most of the time. Are they ethical? That gets a little murkier, but as long as it's company-owned equipment and networks that are being monitored, employees generally can expect their communications to be monitored.

HP's investigators went a step or two beyond that, concocting an imaginary, disgruntled HP senior manager who was e-mailing fake "inside information" to a reporter. The e-mails had tracers, otherwise known as Web bugs, attached. The investigators were trying to find the identity of a reporter's inside source on the board of directors. They hoped the reporter would forward the message to the source, and then the tracer would send the source's IP address back to investigators.

Ken Springer, a 12-year veteran of the FBI and now founder and president of Corporate Resolutions, a New York-based investigative company, calls these kinds of tactics "forbidden fruit."

"It's there, but you can't take it," he says. "You have to make sure that what you do stands up to scrutiny." Springer says HP's investigative tactics, while crossing the line, aren't all that surprising. Over the years, he says many potential clients have told him, "I don't care how you do it, just get me the information." He says he turned them down. But for executives on the prowl for needed information, the temptations are great.

Springer says ever since news of the HP scandal broke, clients have called to make sure their investigations are being handled lawfully, even asking for written assurances that laws wouldn't be broken. "Before, people assumed you were doing it legally, but now they're double-checking," he says.

But written assurance isn't enough, says Scott Christie, a former federal prosecutor who headed up the computer hacking and intellectual property section at the U.S. Attorney's Office in New Jersey. Written assurance can help protect a company against being held responsible if investigators did break any laws. But the written assurance will only protect companies if there's no contrary evidence, says Christie, who now heads up the information technology group at McCarter & English, a New Jersey-based law firm. Letters, memos, e-mails, or instant messages that talk of giving investigators a free rein will contradict earlier written agreements.

Companies need to closely supervise the activities of the investigators they employ, says Richard Edelman, president and CEO of Edelman, a global PR firm.

"Maybe a contract would be a small step, but the real step is what a chairman or CEO asks the investigator to do. It's not just the process, but the asking that gets done," he says. "When you're the boss, you have a responsibility to the firm to be watchful and curious."

Executives need to be constantly aware of how an investigation will look to the public if word of it leaks out. "You can buy somebody's credit history and personal information online for $19.95. But do you want to see your company on the front page of a newspaper or a magazine? Do you want to see that? You've got to think about that," Schmidt says.
