Stopping the Sale of Cell Phone Records

Information Management Journal, May/Jun 2006 by Swartz, Nikki

Several Internet sites that sold customer information pertaining to calls made to and from cellular phones are now the targets of lawsuits from cell phone providers as well as of federal and state legislation aiming to ban the practice.

In recent months, wireless providers Cingular Wireless, Verizon Wireless, Sprint Nextel Corp., and T-Mobile have filed separate lawsuits against data brokers that operate websites they say illegally obtained customer phone records.

For a fee of $100 or less and a provided cell phone number, such Internet operations will disclose subscriber name and address or a record of calls made.

Wireless executives and federal regulators contend that the data brokers - eFindOutTheTruth.com, Data Find Solutions Inc., and 1st Source Information Specialists Inc., to name a few - rely on illegal tactics to obtain the information. One suspected method is to pose as customers seeking information about their own accounts.

In some cases, the people buying call records may have a legitimate need for them. Lawyers, for instance, may need records as part of an investigation. But privacy experts said the companies obtaining and selling the records do not have systems in place to confirm that the person requesting the information has a right to it.

"People who sell this data need to have a verification system, and they don't," John Pescatore, a Gartner security analyst, told the New York Times. "The enforcement is lax."

Wireless companies also support legislation proposing increased criminal and civil penalties against companies that fraudulently obtain and sell wireless phone customer records.

The Consumer Telephone Records Protection Act of 2006 (S. 2178), introduced by senators Arlen Specter (R-PA), Bill Nelson (D-FL), Charles E. Schumer (R-NY), Harry Reid (D-NV), Conrad Burns (R-MT), and John Cornyn (R-TX), would make stealing and selling cell phone, landline, and voice over Internet protocol records a felony.

The legislation would make it a federal offense to obtain customer information from a telephone service provider by false pretenses or access a customer account on the Internet to obtain billing information without authorization. The bill also would make it a crime for phone company employees to sell customer information without proper authorization.

The bill would impose a fine and/or imprisonment for up to five years for violators. Penalties would be doubled for violations occurring in a 12-month period involving more than $100,000 or more than 50 customers of a covered entity.

Michigan Gov. Jennifer Granholm has called for the state legislature to enact new criminal laws to prohibit the unauthorized sale of telephone records. She also asked the Michigan Public Service Commission to begin an investigation as to whether any Michigan Internet service providers allowed the unauthorized use and release of telephone records.

The Federal Trade Commission's (FTC) Bureau of Consumer Protection is also investigating companies that sell consumer telephone records.

"Companies that engage in pretexting - the practice of obtaining personal information, such as telephone records, under false pretenses - not only violate the law, but they undermine consumers' confidence in the marketplace and in the security of their sensitive data," said Lydia Parnes of the FTC, in testimony before a subcommittee of the Senate Committee on Commerce, Science, and Transportation. Parnes said the practice is not new and that the FTC has been attempting to combat it for years. According to her testimony, the Gramm-Leach-Bliley Act (GLBA) includes anti-pretexting provisions that provide for criminal penalties, and the FTC could bring law enforcement actions against telephone record pretexters for deceptive or unfair practices under Section 5 of the GLBA.

According to officials, the Federal Communications Commission (FCC) is conducting yet another investigation into cell phone data sales. The FCC is focusing on three areas: investigating the data brokers to determine how they are obtaining the information; investigating the telecommunications carriers to determine whether they have implemented safeguards that are appropriate to secure the privacy of their customers' personal and confidential data; and initiating a proceeding to determine what additional rules the commission should adopt to further protect consumers' sensitive telephone record data from unauthorized disclosure.