Thursday, September 7, 2006

With a Little Stealth, Just About Anyone Can Get Phone Records - New York Times

Last November it came to my attention that virtually anyone can purchase your cellphone records.  However, now it is clear that land lines are also not secure.  plk

SAN FRANCISCO, Sept. 6 --- It may seem surprising that it was so easy for investigators hired by Hewlett-Packard to obtain the calling records of company directors.  In fact, the investigators were just exploiting a commonly used privacy hole.

"It's a huge issue," said Marc Rotenberg, executive director of the Electronic Privacy Information Center, or EPIC.  "It's a problem not just for H.P. directors, but for anyone with a phone."

The protection of phone records falls into a legal gray area, privacy experts say.

Legislators, regulators and the phone industry are all considering ways to clamp down on unauthorized releases of records like those in the H.P. case.  Legislation that is pending in the Senate and House would criminalize what is known as pretexting --- seeking to obtain a customer's phone records under false pretext, typically by pretending to be the customer.

Separately, the Federal Communications Commission is considering new rules that would force phone companies to guard customer records more carefully.

It is not clear how widespread pretexting is, but its perpetrators appear to be mostly private investigators, seeking information for clients involved in divorces or other civil disputes.

Some consumer and privacy advocates say the problem is serious and growing, especially for cellphone records.   EPIC says that as of last year there were around 40 companies using pretexting to help others fraudulently obtain phone records.

The way pretexting typically works is that an investigator who already has some customer information --- like a customer number and billing address --- calls a phone company and impersonates the customer to get more information.

The investigator might also set up an online account with the company to make it easier to gain access to billing records.

In an indication of the scope of the problem, AT&T filed a lawsuit on Wednesday in California against 25 people who it says fraudulently obtained customer records.  The suit seeks to unmask their identities based on the e-mail and computer addresses they used.   AT&T filed a similar lawsuit in Texas two weeks ago seeking information about the same people.

Walt Sharp, a spokesman for AT&T, said the lawsuits were a result of an internal investigation that began in May after company employees noticed a problem with pretexting.

Mr. Sharp said AT&T determined that over the last year, records of some 2,500 customers could have been compromised.

A search warrant filed last week by the California attorney general's office said that AT&T was pursuing its own civil investigation into the release of the H.P. directors' records.

The attorney general was seeking to obtain evidence from Cox Communications, the cable and Internet company.

Federal law makes it illegal to obtain customer records fraudulently over a phone or the Internet, said Jennifer Granick, executive director of the Center for Internet and Society at Stanford Law School.
She said the law makes it a crime, punishable by up to 20 years in prison, to use electronic transmissions as part of a scheme to defraud. Granick added that if Hewlett-Packard tried to make the case that it was trying to protect its shareholders --- that, in effect, the end justified the means --- that would not be recognized by the law. "If you're stealing to feed your family, it's still stealing," she said.

But Mr. Rotenberg of EPIC said any effort to use fraud laws to go after pretexters could run into snarls, because seeking access to phone records does not always have an obvious financial motive. "Unlike other kinds of fraud, it's not clear monetary damage," he said. Mr. Rotenberg said this was why EPIC has pushed Congress to adopt more explicit laws governing pretexting, like those that protect financial records.

EPIC has also asked the F.C.C. to further restrict phone companies from disclosing customer information. The F.C.C. said in February that it would take public comments on a proposal suggested by EPIC that would require companies to introduce five new security measures, like protecting accounts with passwords and encrypting customer data.

Summarized by Copernic Summarizer

