Those briefed on the internal review said that at various times, questions were raised about the legality of the methods used. They did not identify who raised the questions, when, or to whom they were addressed. But a crucial legal opinion, its origins previously undisclosed, was supplied by a Boston firm that shares an address and phone number with a detective firm on the case.
At least one reporter, Dawn Kawamoto of the online technology news service CNET, may have been followed as part of the 2006 investigation, said a person briefed on the investigation. Ms. Kawamoto was a co-author of an article on a senior management meeting in January.
The detectives also tried to plant software in the computer of an unspecified CNET reporter that would communicate back to the detectives, people briefed on the company review said. Ms. Kawamoto said in an interview this month that prosecutors had told her that such a ploy may have been used, but said she was not aware of any surveillance.
Representing themselves as an anonymous tipster, the detectives e-mailed a document to a CNET reporter, according to those briefed on the review. The e-mail was embedded with software that was supposed to trace who the document was forwarded to. The software did not work, however, and the reporter never wrote any story based on the bogus document.
On Saturday, the company identified one of two employees who it said had been a target of scrutiny in the internal operation. It said the private phone records of the employee, Michael Moeller, director of corporate media relations, were taken.
Within 60 days [of the second leak], the investigation into the leaks was up and running, according to those briefed on the company review. Responsibility for the investigation was delegated to the company’s global investigations unit, based in the Boston area. Those company officials turned the effort over to Security Outsourcing Solutions, a two-person agency that hires specialists for investigations.
That firm hired Action Research Group, an investigative firm in Melbourne, Fla. The actual work of obtaining the phone records was given to other subcontractors, one of which is said to have worked in or near Omaha. The methods were said to have included the use of subterfuge, a practice known as pretexting, in which investigators pose as those whose records they are seeking.
People briefed on Hewlett-Packard’s review of its internal investigation say that it was authorized by Ms. Dunn, the chairwoman, and put under the supervision of Kevin Hunsaker, a senior counsel who is the company’s director of ethics. But it is not clear what level of supervision he gave to the project.
At at least one point, the company’s lawyers sought a legal opinion. But it did not come from Hewlett-Packard’s own outside counsel, Larry W. Sonsini of Wilson Sonsini Goodrich & Rosati, an eminent Silicon Valley law firm.
Instead, the company asked one of its contractors, Security Outsourcing Solutions, which turned to a Boston lawyer, John Kiernan of Bonner Kiernan Trebach & Crociata, for the opinion. Mr. Kiernan’s office shares a Boston address and phone number with Security Outsourcing Solutions.
It is also not clear whether company lawyers were aware of the close business and personal ties between Mr. Kiernan, Ronald R. DeLia, the owner of Security Outsourcing Solutions, and Anthony R. Gentilucci, the Boston-based manager of global investigations for Hewlett-Packard.
