[House Hearing, 109 Congress]
[From the U.S. Government Publishing Office]



 
                     INTERNET DATA BROKERS:  
                WHO HAS ACCESS TO YOUR PRIVATE RECORDS?


                            HEARINGS

                           BEFORE THE

         SUBCOMMITTEE ON OVERSIGHT AND INVESTIGATIONS

                              OF THE 

                   COMMITTEE ON ENERGY AND 
                             COMMERCE 

                    HOUSE OF REPRESENTATIVES


                    ONE HUNDRED NINTH CONGRESS

                           SECOND SESSION


             JUNE 21, JUNE 22, AND SEPTEMBER 29, 2006

                         Serial No. 109-130

Printed for the use of the Committee on Energy and Commerce



Available via the World Wide Web:  http://www.access.gpo.gov/congress/house




                    U.S. GOVERNMENT PRINTING OFFICE

31-363 PDF                  WASHINGTON : 2006
------------------------------------------------------------------
For sale by Superintendent of Documents, U.S. Government Printing 
Office Internet: bookstore.gpo.gov  Phone: toll free (866) 512-1800;
DC area (202) 512-1800 Fax:  (202) 512-2250. Mail:  Stop SSOP, 
Washington, DC 20402-0001 


                    COMMITTEE ON ENERGY AND COMMERCE

JOE BARTON, Texas, Chairman
RALPH M. HALL, Texas
MICHAEL BILIRAKIS, Florida
  Vice Chairman
FRED UPTON, Michigan
CLIFF STEARNS, Florida
PAUL E. GILLMOR, Ohio
NATHAN DEAL, Georgia
ED WHITFIELD, Kentucky
CHARLIE NORWOOD, Georgia
BARBARA CUBIN, Wyoming
JOHN SHIMKUS, Illinois
HEATHER WILSON, New Mexico
JOHN B. SHADEGG, Arizona
CHARLES W. "CHIP" PICKERING,  Mississippi 
  Vice Chairman 
VITO FOSSELLA, New York 
ROY BLUNT, Missouri 
STEVE BUYER, Indiana
GEORGE RADANOVICH, California 
CHARLES F. BASS, New Hampshire 
JOSEPH R. PITTS, Pennsylvania 
MARY BONO, California 
GREG WALDEN, Oregon 
LEE TERRY, Nebraska 
MIKE FERGUSON, New Jersey 
MIKE ROGERS, Michigan 
C.L. "BUTCH" OTTER, Idaho 
SUE MYRICK, North Carolina 
JOHN SULLIVAN, Oklahoma 
TIM MURPHY, Pennsylvania 
MICHAEL C. BURGESS, Texas 
MARSHA BLACKBURN, Tennessee 
JOHN D. DINGELL, Michigan 
  Ranking Member 
HENRY A. WAXMAN, California 
EDWARD J. MARKEY, Massachusetts 
RICK BOUCHER, Virginia 
EDOLPHUS TOWNS, New York 
FRANK PALLONE, JR., New Jersey 
SHERROD BROWN, Ohio 
BART GORDON, Tennessee 
BOBBY L. RUSH, Illinois 
ANNA G. ESHOO, California 
BART STUPAK, Michigan 
ELIOT L. ENGEL, New York 
ALBERT R. WYNN, Maryland 
GENE GREEN, Texas 
TED STRICKLAND, Ohio 
DIANA DEGETTE, Colorado 
LOIS CAPPS, California 
MIKE DOYLE, Pennsylvania 
TOM ALLEN, Maine 
JIM DAVIS, Florida 
JAN SCHAKOWSKY, Illinois 
HILDA L. SOLIS, California 
CHARLES A. GONZALEZ, Texas 
JAY INSLEE, Washington 
TAMMY BALDWIN, Wisconsin 
MIKE ROSS, Arkansas 


BUD ALBRIGHT, Staff Director 
DAVID CAVICKE, General Counsel 
REID P. F. STUNTZ, Minority Staff Director and Chief Counsel 


             SUBCOMMITTEE ON OVERSIGHT AND INVESTIGATIONS 
ED WHITFIELD, Kentucky, Chairman 
CLIFF STEARNS, Florida 
CHARLES W. "CHIP" PICKERING,  Mississippi 
CHARLES F. BASS, New Hampshire 
GREG WALDEN, Oregon 
MIKE FERGUSON, New Jersey 
MICHAEL C. BURGESS, Texas 
MARSHA BLACKBURN, Tennessee 
JOE BARTON, Texas 
  (EX OFFICIO) 
BART STUPAK, Michigan 
  Ranking Member 
DIANA DEGETTE, Colorado 
JAN SCHAKOWSKY, Illinois 
JAY INSLEE, Washington 
TAMMY BALDWIN, Wisconsin 
HENRY A. WAXMAN, California 
JOHN D. DINGELL, Michigan 
  (EX OFFICIO) 


CONTENTS 


Hearings held:

June 21, 2006
June 22, 2006
September 29, 2006

Testimony of:

Yuzuk, Adam, Atlantic Beach, New York
Rapp, James, Touch Tone Information, Parker, Colorado
Gandal, David, Shpondow.com, Loveland, Colorado
Lyskowski, Peter, Assistant Attorney General, Office of Attorney
  General, State of Missouri
Harris, Julia, Assistant Attorney General, Office of Attorney
  General, State of Florida
Kilcoyne, Paul, Deputy Assistant Director of Investigations,
  U.S. Immigration and Customs Enforcement, U.S. Department of
  Homeland Security
Lammert, Elaine, Deputy General Counsel, Investigative Law Branch,
  Federal Bureau of Investigation, U.S. Department of Justice
Bankston, James J., Chief Inspector, Investigative Services
  Division, U.S. Marshals Service, U.S. Department of Justice
Cooper Davis, Ava, Deputy Assistant Administrator, Office of
  Special Intelligence, Intelligence Division, U.S. Drug
  Enforcement Administration, U.S. Department of Justice
Ford, W. Larry, Assistant Director, Office of Public and
  Governmental Affairs, Bureau of Alcohol, Tobacco, Firearms, and
  Explosives, U.S. Department of Justice
Ubieta, Raul, Police Major, Miami-Dade Police Department, Economic
  Crimes Bureau
Carter, David L., Assistant Chief of Police, Austin Police
  Department
Byron, Christopher, Journalist, The New York Post
Meiss, Thomas, Associate General Counsel, Cingular Wireless
Wunsch, Charles, Vice President for Corporate Transactions and
  Business Law, Sprint Nextel
Schaffer, Greg, Chief Security Officer, Alltel Wireless
Holden, Michael, Litigation Counsel, Verizon Wireless
Venezia, Lauren, Deputy General Counsel, T-Mobile USA
Boersma, Rochelle, Vice President for Customer Service,
  U.S. Cellular
Monteith, Kris Anne, Chief, Enforcement Bureau, Federal
  Communications Commission
Winston, Joel, Associate Director, Division of Privacy and
  Identity Protection, Bureau of Consumer Protection, Federal Trade
  Commission

Additional material submitted for the record:

Lammert, Elaine, Deputy General Counsel, Investigative Law Branch,
  Federal Bureau of Investigation, U.S. Department of Justice;
  Bankston, James J., Chief Inspector, Investigative Services
  Division, U.S. Marshals Service, U.S. Department of Justice;
  Cooper Davis, Ava, Deputy Assistant Administrator, Office of Special
  Intelligence, Intelligence Division, U.S. Drug Enforcement
  Administration, U.S. Department of Justice; and Ford, W. Larry,
  Assistant Director, Office of Public and Governmental Affairs,
  Bureau of Alcohol, Tobacco, Firearms, and Explosives, U.S.
  Department of Justice, response for the record
Kilcoyne, Paul, Deputy Assistant Director of Investigations, U.S.
  Immigration and Customs Enforcement, U.S. Department of Homeland
  Security, response for the record

INTERNET DATA BROKERS:  WHO HAS ACCESS TO YOUR PRIVATE RECORDS? 

WEDNESDAY, JUNE 21, 2006 

HOUSE OF REPRESENTATIVES, 
COMMITTEE ON ENERGY AND COMMERCE,
SUBCOMMITTEE ON OVERSIGHT AND INVESTIGATIONS,
Washington, DC. 


The subcommittee met, pursuant to notice, at 10:00 a.m., in Room 232 
of the Rayburn House Office Building, Hon. Ed Whitfield [Chairman] 
presiding. 
Members present:  Representatives Whitfield, Walden, Burgess, 
Blackburn, Barton (ex officio), Stearns, DeGette, Schakowsky, 
Dingell (ex officio), and Inslee.  
Staff Present: Tom Feddo, Counsel; Mark Paoletta, Chief Counsel for 
Oversight and Investigations; Clayton Matheson, Analyst; Matthew 
Johnson, Legislative Clerk; John Halliwell, Policy Coordinator; 
Chris Knauer, Minority Investigator; Consuela Washington, Minority 
Senior Counsel; and Alec Gerlach, Minority Staff Assistant.  
MR. WHITFIELD.  This hearing will come to order.  Today the 
Oversight and Investigations Subcommittee will examine issues 
surrounding data brokers who operate on the Internet and obtain 
and sell personal information about our fellow citizens without 
the consent of those people.  Documents are sold, such as 
Americans' personal cell phone records, their credit card 
statements, their bank accounts, their Social Security numbers, 
and other very private information. 
All of us assume these records are secure.  But, unfortunately, 
that is not the case.  
Earlier this year, the Energy and Commerce Committee reported a 
bill out to make it more difficult and to make it explicitly 
illegal to obtain, possess, or sell any kind of personal information 
without the consent of the person whose information is being sold. 
And these hearings stem from work that began in February of this 
year and helped that effort. 
When the committee wrote to a total of 18 data brokers around the 
country, we sought to learn more about this shadowy industry that 
buys and sells phone records and other personal consumer 
information.  How do the data brokers obtain this information?  
Who is buying the records and driving the market?  How large is 
the industry?  Who exactly is procuring this information and from 
where?  It probably comes as no surprise that the vast majority 
of the companies we wrote seeking such information were 
uncooperative. 
Ultimately, Chairman Barton issued subpoenas for records of 12 of 
the data brokers to obtain the information that we needed. 
Several data brokers failed to comply with the subpoenas.  These 
individuals and their attorneys should note, however, that we will 
encourage this committee to hold all of them in contempt.  We will 
not permit our constitutional obligations to protect the American 
people to be undermined in this way. 
In the meantime, despite the delay in unresponsiveness, the 
subcommittee has acquired literally tens of thousands of documents. 
And what we have found to date has been eye-opening to say the 
least. 
There are hundreds of data broker companies operating on the 
Internet.  They offer just about any nonpublic information under 
the sun: cell phone and landline call records, bank account 
activity, post office box, private mailbox information, blind 
credit reports, Social Security records, credit card transaction 
histories, e-mail account information, and it goes on and on. 
Even cell phone pings or locators are available, providing the 
purchaser an almost exact real time location of a cell phone as 
long as the phone is turned on. 
Most of this information is gathered by a relatively small group of 
companies and individuals who primarily use pretext--that is, lies, 
deception, and impersonation--to acquire the records they are 
seeking.  The data broker is often just a middleman who receives a 
request from a customer for a piece of information.  The data broker 
turns to the inner web of pretexters to acquire the information and 
then marks up the price when passing the records back to the 
customer.  The pretexters procure the information from phone 
carriers, utility companies, the Post Office, other corporate 
and government repositories of personal consumer information.  
The primary key that allows pretexters to unlock the doors to 
this information is the Social Security number of the victim.  
The pretexters will often enhance their impersonation by using 
spoofing hardware or software to make their phone number appear 
to be any number they desire it to be. 
Our investigation has shown that all of this information is for 
sale to virtually anyone who wants to buy it. 
The data brokers conduct at most superficial due diligence with 
respect to either their customers or their third-party vendors 
who procure the information. 
It is apparent from the records that there are literally tens of 
thousands of victims of this industry.  And none of these people 
know their records have been procured or sold and that their 
privacy has been invaded.  They do not have the opportunity to 
consent to the activity.  
This morning we are going to hear testimony from somebody who 
discovered that he was the victim of a data broker and what he 
did about it.  And we appreciate very much his willingness to 
testify and tell his story today.  
Our second panel will include two individuals who will explain 
in detail how pretexting works and what can be done to stop it. 
Mr. James Rapp, formerly the owner of Touch Tone Information, 
which was a successful data broker company that operated in 
Denver, Colorado, during the 1990s.  After being convicted for 
his activities, Mr. Rapp left the data broker industry. 
Earlier this year, committee staff had the opportunity to interview 
him at length, and he is here to explain just how pretexting is 
accomplished and what kinds of records are vulnerable, and we 
appreciate his being willing to do that. 
Mr. David Gandal refers to himself as a skip tracer who has been 
involved in the automobile repossession industry for much of his 
life.  When our investigation began, Mr. Gandal contacted the 
committee and offered to informally provide us with information 
about the data broker industry, its key players, and the practice 
of pretexting.  His information has been particularly helpful to 
our understanding of the industry.  And we want to thank him and 
appreciate his testimony. 
Our last panel today includes 11 witnesses from various data broker 
companies to which the subcommittee wrote.  All 11 of these 
witnesses have informed us that they will invoke their Fifth 
Amendment rights against self-incrimination today and refuse to 
answer any questions.  That is regrettable because we have important 
questions to ask them; we would like to have their answers.  
The American people whose private records they exploit, the numerous 
victims of their profits, deserve answers. 
We will give them an opportunity to answer some of our questions 
today, and I think that their response will show the American people 
and the Congress that this industry needs to be shut down as soon 
as possible. 
I note that our investigation has also sought to determine who the 
customers are that purchase these cell phone records and other 
personal information and who drives this multi-million dollar 
industry.  As one might naturally think, many private investigators, 
lawyers, and tabloids purchase these records.  But our work has also 
discovered that automobile finance companies and repossession 
companies and major banks and major corporations around America use 
this information. 
Americans will also be interested to learn that law enforcement 
agencies are sometimes the customers of data brokers. 
And in tomorrow's hearing, we intend to explore the issue of Federal 
and local law enforcement officials and how they use this 
information, and they will be here tomorrow. 
These hearings will not mark the end of this work.  We have been in 
contact with the Nation's major cell phone carriers, and in the 
coming weeks, we will be meeting with them to learn what they are 
doing to prevent data brokers from obtaining access to private 
information of their customers.  
Additionally, we intend to meet with some of the major banks and 
corporations who are purchasers of these records and other personal 
consumer information to learn what they are doing and why they are 
buying these records.  
I look forward to today's testimony on this very important subject.  
I want to thank the witnesses for their attendance.  And I now turn 
to the distinguished Ranking Member for today, Ms. DeGette of 
Colorado, for her opening statement. 
[The prepared statement of Hon. Ed Whitfield follows:] 

PREPARED STATEMENT OF THE HON. ED WHITFIELD, CHAIRMAN, SUBCOMMITTEE 
ON OVERSIGHT AND INVESTIGATIONS 

	Good morning and welcome.  Today, the Oversight and 
Investigations Subcommittee will examine the very serious issues 
surrounding data brokers who operate on the Internet, and who 
procure and sell Americans' personal cell phone call records and 
other information.  I'm sure many Americans have always assumed - 
as I have - that these records are very secure and nonpublic.  
Unfortunately, this is not the case, as we will hear today.  
	Early this year, the Committee began legislative work to 
draft a bill that would help to keep call records secure.  That bill 
was reported out of the Committee with unanimous support, and I 
hope that these oversight hearings add new impetus for the Congress 
to quickly pass the bill.  These hearings stem from work that began 
in February of this year, in parallel with the Committee's 
legislative efforts, when the Committee wrote to a total of 18 data 
brokers around the country.  We sought to learn more about this 
shadowy industry that buys and sells cell phone records and other 
personal consumer information: How do the data brokers obtain 
access to private information?  Who is buying these records and 
driving the market?  How large is the industry?  Who exactly is 
procuring the information, and from where? 
	It probably comes as no surprise that the vast majority of 
the companies we wrote seeking such information were uncooperative. 
Many either ignored or partially responded to the Committee's 
letters.  Many individuals declined to be interviewed.  Few data 
brokers provided relevant records.  Ultimately, Chairman Barton 
issued subpoenas for records to 12 of the data brokers, because 
this Subcommittee was determined to conduct meaningful oversight 
and get answers to its questions.  Still, several data brokers 
failed to comply with the subpoenas.  These individuals and their 
attorneys should note that I will encourage this Committee to hold 
them in contempt.  We will not permit our constitutional obligations 
to be undermined in this way. 
	In the meantime, despite the delay and unresponsiveness, 
the Subcommittee has acquired literally tens of thousands of 
documents - through the subpoenas and from other sources.  The 
documents show the pervasive and invasive nature of this market, 
and they reveal an amazing picture.  What we have found to date has 
been eye-opening to say the least.  There are hundreds of data 
broker companies operating on the Internet.  They offer just about 
any non-public information under the sun: cell phone and landline 
call records, bank account activity, post office box and private 
mail box information, "blind" credit reports, social security 
records and  information, credit card transaction histories, and 
email account information.  Even cell phone "pings" or "locates" 
are available, providing the purchaser an almost exact real-time 
location of a cell phone, as long as the phone is turned on. 
	We have persuasive evidence that most of this information 
is gathered by a relatively small group of companies and individuals 
who primarily use "pretext" - that is, lies, deception, and 
impersonation to acquire the records.  In this business, the data 
broker is often just a middleman who receives a request from a 
customer for a piece of information.  The data broker turns to the 
inner web of pretexters to acquire the information, and then marks 
up the price when passing the records back to the customer.  The 
pretexters procure the information from phone carriers, utility 
companies, the post office, or other corporate and government 
repositories of personal consumer information.  The primary key 
that allows pretexters to unlock the doors to this information is 
the social security number of the "victim."  The pretexters will 
often enhance their impersonation by using "spoofing" hardware or 
software to make their phone number appear to be any number they 
desire.  
	Our investigation has also shown that all of this 
information is for sale to virtually anyone who wants to buy it.  
The data brokers conduct, at most, superficial due diligence with 
respect to either their customers or their third-party vendors who 
procure the information.  It is apparent just from the records that 
this Subcommittee has examined that there are literally tens of 
thousands of "victims" of this industry.  What's more, none of 
these people know that their records have been procured and sold, 
and that their privacy has been invaded.  They did not have the 
opportunity to consent to this activity. 
	This morning we will hear testimony from somebody who did 
discover that he was the victim of a data broker.  He will tell us 
about his outrage, and what he did to put a stop to it.  We 
appreciate his willingness to tell his story today.  
	Our second panel includes two individuals who will explain 
how pretexting works, and what can be done to stop it.  Mr. James 
Rapp formerly owned Touch Tone Information, Inc., a very successful 
data broker company that he operated in Denver, Colorado during the 
1990's.  After being convicted for his activities, Mr. Rapp left 
the data broker industry.  Earlier this year, Committee staff had 
the opportunity to interview him at length, and he is here 
voluntarily today to explain just how pretexting is accomplished 
and what kinds of records are vulnerable.  
	Mr. David Gandal refers to himself as a "skiptracer" who has 
been involved in the auto repossession industry for much of his 
life.  When our investigation began, Mr. Gandal contacted the 
Committee and offered to informally provide us with information 
about the data broker industry, its key players, and the practice 
of pretexting.  His information has been very helpful to our 
understanding of the industry, and we appreciate his coming forward 
and voluntarily providing that insight to the investigation.  
	Our last panel today includes 11 witnesses from the various 
data broker companies to which the Subcommittee wrote.  All 11 of 
these witnesses have informed us that they will invoke their Fifth 
Amendment rights against self-incrimination today, and refuse to 
answer our questions.  This is regrettable, because we have some 
very important questions to ask about their activities.  The 
American people whose private records they exploit - the numerous 
victims of their profits - deserve answers.  We will give them an 
opportunity to answer some of our questions today, and I think 
their responses will show the American people and the Congress 
that this industry needs to be shut down as soon as possible. 
	I note that our investigation has also sought to determine 
who the customers are that purchase cell phone call records and 
other personal information and who drive this multi-million dollar 
market.  As one might naturally think, many private investigators, 
lawyers, and tabloids purchase these records.  Our work has also 
revealed, however, a surprising "who's who" of major corporations - 
large banks, auto finance companies, and repossession companies.  
Americans will also be interested to learn that law enforcement 
agencies are sometimes customers of data brokers.  At tomorrow's 
hearing we intend to explore this issue with several federal and 
local law enforcement officials, and I will have more to say about 
that then. 
	These hearings do not mark the end of our work.  We have 
been in contact with the nation's major cell phone carriers, and in 
the coming weeks we will be meeting with them to learn what they are 
doing to prevent data brokers from obtaining access to their 
customers' records and to remedy their databases' vulnerabilities. 
Additionally, we intend to meet with some of the major banks and 
corporations who are purchasers of cell phone records and other 
personal consumer information, to learn about why they are buying 
these records. 
	Finally, I would like to thank the Minority and their staff 
for working with us shoulder-to-shoulder on this investigation.  
Just as the efforts to move meaningful anti-pretexting legislation 
have been unified, our investigation has been completely bipartisan 
and I commend everyone for working in this spirit to make a 
difference for the American people and help keep their personal 
records private. 
	I look forward to today's testimony and I thank the witnesses 
for their attendance.  I now turn to the distinguished Ranking 
Member, Mr. Stupak, for the purposes of an opening statement. 

MS. DEGETTE.  Thank you very much, Mr. Chairman.  
Mr. Chairman, data that is acquired through pretexting is often sold, 
and it can be used for many nefarious purposes. 
The result of the misuse of this information can range from being a 
mere annoyance all the way to creating a potentially life-threatening 
situation.  Such information, for example, could allow a stalker to 
find a victim or a threatening husband to track down a spouse who is 
attempting to seek shelter from an abusive relationship. 
We will hear today how this practice is often built on a web of 
deception.  Pretexters will call an unwitting phone company and 
cajole information out of customer service.  From there, there is 
no telling how this information can or will be used or how it will 
be sold.  
And, Mr. Chairman, everyone on this committee understands about how 
dangerous this practice can be because, on March 8th of this year, 
this committee unanimously reported H.R. 4943.  Here it is.  It is 
called the Prevention of Fraudulent Access to Phone Records Act, 
and on May 2, 2006, this bill was scheduled for consideration on 
the floor of the House of Representatives. 
But somehow, mysteriously, that bill disappeared from the suspension 
calendar never to be seen again. 
And, frankly, Mr. Chairman, that bill addresses in large part many 
of the problems that we are going to discuss over the next few days. 
Now I have been in elected office for 14 years, 4 years in the State 
legislature, and I am in my 10th year in Congress.  And usually, the 
way it goes is you have a hearing, you identify a problem, someone 
writes a bill, you do the bill, you pass the bill, and then you 
solve the problem. 
I can't remember in my 14 years a situation like this where we 
passed the bill, then we have the hearing to see how bad the problem 
is. 
And I guess my question, Mr. Chairman, and I think you probably agree 
with me, I don't see the purpose of having a hearing if we pass new 
laws and they go nowhere.  So I would urge my colleagues to search 
with me high and low until we find H.R. 4943 which already passed 
the full committee without objection, get it scheduled on the floor 
and get it passed to solve this lurking problem. 
Now, on May 11, 2006, the Minority members of this committee sent 
the Chairman of the full committee a letter asking him to hold a 
hearing about the matters that caused the bill to be pulled. 
We think that the problems that we are talking about today are 
serious.  We think they can be solved, and we think that H.R. 4943 
would effectively address many of them. 
But it doesn't do any good to do this kind of work if we then pass 
legislation and it disappears. 
And so, Mr. Chairman, I would hope we could work together to get this 
bill scheduled if not before the July 4th recess, at least before 
the August recess. 
And, finally, Mr. Chairman, I would be remiss if I didn't discuss 
another important piece of legislation which we also passed in this 
committee and which would address the issues we are talking about 
today. 
As we all know, pretexting is not always limited to obtaining 
telephone records from unwitting carriers, and so, consequently, on 
March 29th of this year, the committee voted 41 to 0, again 
unanimously, to pass H.R. 4127, the Data Accountability and Trust 
Act, which prohibits pretexting of all personal information by data 
brokers.  
Now, unfortunately, that bill seems to be stuck somewhere, too.  So 
I would urge us to aggressively follow up on that bill's status as 
well and consider sending a bipartisan letter to the Speaker asking 
him to make both pieces of legislation a priority, put them on the 
floor, and pass them. 
Mr. Chairman, thank you for holding this hearing.  I know the 
witnesses will confirm what a serious problem pretexting is, and I 
look forward to working with everyone to ensure these pieces of 
legislation get a full hearing on the House floor and wing their way 
to the Senate.  I yield back. 
MR. WHITFIELD.  Ms. DeGette, thank you for your opening comments, 
and all of us are perplexed that legislation sometimes gets hung up. 
And it is our hope that this series of hearings on this very 
serious problem will rejuvenate the efforts to get these bills, both 
bills, to the floor.  
At this time, I recognize the Chairman of the full committee, 
Mr. Barton of Texas. 
CHAIRMAN BARTON.  Thank you, Mr. Chairman.  
I have a meeting today at 2 o'clock with the Majority Leader on some 
of the issues Ms. DeGette just raised.  Sometimes it is not policy 
issues that cause a problem; it is committee jurisdictional issues 
and stakeholder issues.  They don't like the results of this 
committee's work, and they try to change it or bottle it up in 
other committees. 
So, I mean, that is--I didn't hear your whole statement, but-- 
MS. DEGETTE.  You got the gist of it.  
CHAIRMAN BARTON.  Okay, so I am with you, and we are working to free 
some of these bills, and I have got a 2 o'clock meeting with the 
Leader to work on that. 
Chairman Whitfield, I want to thank you for holding this hearing 
today.  Americans can and should be proud of the bipartisan work 
that this committee has done to put a stop to illegal and unethical 
activity in the data broker industry and to better protect citizens' 
privacy.  Investigations so far have confirmed the truth that we 
had earlier just suspected; there is a large and growing market on 
the Internet for people's personal cell phone and landline call 
records.  Buyers want--and they can get--credit card transactions, 
employment and salary information, bank account activity, and many 
other personal records.  For the right price, you can even engage 
a data broker to trace the location of a cell phone as the owner 
goes about his or her daily life. 
I doubt very many Americans know that their personal or professional 
lives are this vulnerable to casual examination by strangers even 
in the age of the Internet. 
Unfortunately, brokers routinely lie to get their hands on this 
information and then sell the records to buyers who evidently don't 
care.  Right now, some of this or maybe even all of it, seems to be 
legal.  This sort of thing used to be the province of the 
neighborhood snoop who gathered gossip by sneaking through a look 
at your Venetian blinds.  Now anybody can be a private Internet 
spy. 
What data brokers collect lays bare people's hopes, dreams, 
successes, and failures for the curious and the malicious to poke 
through.  This subcommittee's work, Mr. Chairman, has shown that 
data brokers through either in-house efforts or their third-party 
vendors gain access to all this information through impersonation 
and deceit. 
People will likely be shocked at the information that is bought and 
sold on the Internet.  While shining a light on data brokers through 
our oversight work, our legislative efforts have moved forward in 
parallel.  Crafting the Prevention of Fraudulent Access to Phone 
Records Act, H.R. 4943, which was unanimously reported out of this 
committee, among other things, that bill would make it illegal to 
obtain cell phone records fraudulently as well as to solicit or sell 
such records.  It would also give the Federal Trade Commission and 
the Federal Communications Commission the tools they need to shut 
down data brokers and to ensure that the telephone carriers are 
doing enough to keep consumers' information and records secure. 
Mr. Chairman, what your leadership and this subcommittee's 
investigation has made clear is that Congress needs to pass the 
Act as soon as possible. 
I am also open to the prospect that we may have to take additional 
legislative action in order to protect Americans from data brokers 
exploiting and selling other personal consumer information besides 
telephone call records.  
I am glad that this subcommittee has aggressively pursued these 
companies and the individuals who operate them to learn as much as 
we can about exactly how they acquire the data, to whom it is being 
sold.  I have heard that data brokers are beginning to say that 
this congressional investigation invades their privacy.  Can you 
believe that?  People who cheat and lie for the purpose of making 
money are now complaining that they cannot cheat and lie in 
private.  What delicious irony.  The further irony is that many 
data brokers or their attorneys have insisted that they have done 
nothing wrong and that the brokering of call records and other 
information is not illegal.  Many of these individuals attempt to 
distance themselves from third party vendors who procure call 
records and other information by requiring the vendor to sign 
disclaimers that they did not violate the law in acquiring the 
records. 
In spite of this position, I understand that during this hearing, 
11 individuals, 8 of whom had to be subpoenaed to appear, may 
invoke their Fifth Amendment right against self-incrimination and 
refuse to testify when we direct questions to them about their 
business activities.  They have every right to do so.  But let's 
be perfectly clear that their silence will not prevent this 
subcommittee from doing its job and uncovering the facts. 
I understand that one individual, Mr. Carlos Anderson, attempted 
to duck service of a subpoena that I had issued for his appearance 
before this subcommittee.  His attorney, Mr. Hanan Isaacs, declined 
to accept service on Mr. Anderson's behalf, and for the last 2 
weeks, three U.S. Marshals have been trying to locate Mr. Anderson. 
This past Monday, the Marshals served Mr. Anderson.  I do not take 
the issue of subpoenas lightly.  For that reason, I am very troubled 
by Mr. Anderson's obstruction.  We should not permit people who 
have information necessary to accomplish the work of this 
subcommittee to avoid legitimate inquiries, and I want to underline 
legitimate inquiries. 
We certainly respect Mr. Anderson's full constitutional rights and 
would work with Mr. Anderson's attorney to protect those rights.  
But we also understand the rights of the people of the United States 
of America, delegated through the Constitution, through the House 
of Representatives, through this committee through this subcommittee 
to protect the legitimate rights of the people of the United States. 
Let me also echo your comments, Mr. Chairman, about the companies 
that have stonewalled or ignored our subpoenas for records.  We will 
continue to pursue the necessary information to develop a full record 
of the data broker industry. 
Mr. Chairman, I look forward to today's testimony and yield back the 
remainder of my time. 
[The prepared statement of Hon. Joe Barton follows:] 

PREPARED STATEMENT OF THE HON. JOE BARTON, CHAIRMAN, COMMITTEE ON 
ENERGY AND COMMERCE 

Thank you, Chairman Whitfield, for holding this hearing today.  
Americans can be proud of the bipartisan work we are doing to put 
a stop to illegal and unethical activity in the data broker 
industry, and to better protect citizens' privacy.  
The investigation has confirmed the truth that we had earlier 
just suspected.  There is a large and growing market on the 
Internet for people's personal cell phone and landline call 
records.  Buyers want, and they can get, credit card transactions, 
employment and salary information, bank account activity, and 
many other records.   For the right price, you can even engage a 
data broker to trace the location of a cell phone as the owner 
goes about his daily life. 
I doubt many Americans know that their personal and professional 
lives are this vulnerable to casual examination by strangers, even 
in the age of the Internet.  Brokers routinely lie to get their 
hands on information, and then sell the records to buyers who 
evidently don't care.  And all of this may even be legal. 
This sort of thing used to be the province of the neighborhood 
snoop who gathered gossip by sneaking a look through the Venetian 
blinds.  Now anybody can be a private spy.  What data brokers 
collect lays bare people's hopes, dreams, successes and failures for 
the curious and the malicious to poke through. 
Your Subcommittee's work, Chairman Whitfield, has shown that data 
brokers - through either "in-house" efforts or their third-party 
vendors - gain access to all of this information through 
impersonation and deceit.  People will likely be shocked at the 
information that is bought and sold on the Internet.  
While shining the light on data brokers through our oversight 
work, our legislative efforts have moved forward in parallel, 
crafting the "Prevention of Fraudulent Access to Phone Records 
Act," (H.R. 4943), which was unanimously reported out of this 
Committee.  Among other things, our bill would make it illegal 
to obtain cell phone records fraudulently, as well as to solicit 
or sell such records.   It also gives the Federal Trade Commission 
and the Federal Communications Commission the tools they need to 
shut down data brokers and to ensure that the telephone carriers 
are doing enough to keep consumers' information and records 
secure.  Mr. Chairman, what your investigation makes clear is 
that Congress needs to pass the Act as soon as possible.  I am 
also open to the prospect that we may have to take other 
legislative action in order to protect Americans from data brokers 
exploiting and selling other personal consumer information besides 
telephone call records.  
I am glad that we have aggressively pursued these companies, and 
the individuals who operate them, to learn as much as we can about 
exactly how they acquire the data, and to whom it is being sold.  
I've heard that data brokers are beginning to say that this 
congressional investigation invades their privacy.  People who cheat 
and lie for the purpose of making money are now complaining that 
they cannot cheat and lie in private.  What delicious irony.  
The further irony is that many data brokers or their attorneys have 
insisted that they have done nothing wrong, and that the brokering 
of call records and other information is not illegal.  Many of 
these individuals attempt to distance themselves from the 
third-party vendors who procure call records and other information 
by requiring the vendors to sign disclaimers that they do not 
violate the law in acquiring the records. 
And yet in spite of this position, I understand that, during this 
hearing, eleven individuals - eight of whom had to be subpoenaed to 
appear - may invoke their Fifth Amendment rights against 
self-incrimination and refuse to testify when we direct questions 
to them about their business activities.  They have every right to 
do so, but let me make clear that their silence will not prevent 
this Subcommittee from doing its job and uncovering the facts. 
On a related note, I understand one individual - Mr. Carlos 
Anderson - attempted to duck service of a subpoena that I issued 
for his appearance before this Subcommittee.  His attorney, 
Mr. Hanan Isaacs, declined to accept service on Mr. Anderson's 
behalf, and for the last two weeks three U.S. Marshals have been 
trying to locate Mr. Anderson.  This past Monday, the Marshals 
served Mr. Anderson.  I do not take the issuance of subpoenas 
lightly, and for that reason I am very troubled by Mr. Anderson's 
obstruction.  I will not permit people who have information 
necessary to accomplish our work to avoid our legitimate inquiries.  
Today Mr. Anderson will stand to account for his knowledge before 
this Committee.  
Let me also echo your comment, Mr. Chairman, about the companies 
that have stonewalled or ignored our subpoenas for records - we 
will not hesitate to pursue contempt proceedings if necessary. 
Mr. Chairman, I look forward to today's testimony and yield back the 
remainder of my time. 

MR. WHITFIELD.  Thank you, Chairman Barton.  
At this time, I recognize the Ranking Member, Mr. Dingell of 
Michigan, for his opening statement. 
MR. DINGELL.  Mr. Chairman, thank you, and I commend you for holding 
this hearing.  
Illegally obtaining or selling telephone records or any other 
sensitive personal information poses a serious threat to all 
Americans. 
It can lead to identity theft, harm to victims of domestic violence 
and stalking, and harm to law enforcement and Homeland Security 
personnel, especially those operating under cover.  This is a crime, 
and we need to put a stop to it. 
This committee did just that, or so we thought.  And I want to 
commend our Chairman for his leadership on this matter, because 
it was important. 
On March 8, 2006, the Committee on Energy and Commerce unanimously 
reported H.R. 4943, the Prevention of Fraudulent Access to Phone 
Records Act.  On May 2, 2006, this bill was scheduled for 
consideration on the floor of the House of Representatives.  Yet, 
for some strange reason, with no notice or explanation, H.R. 4943 
mysteriously disappeared from the suspension calendar.  And it has 
neither been seen nor heard from since.  It apparently has fallen 
into some kind of legislative black hole. 
Members of this committee, and the members of the public at large, 
should be told why the Republican leadership yanked this bill which 
was passed from this committee unanimously. 
I suspect that a clue can be found in the May 11th USA Today article 
reporting that the National Security Agency, NSA, had persuaded 
AT&T, Verizon, and BellSouth to, quote, "voluntarily," close quote, 
hand over their customer records without customer knowledge or 
consent so that the agency could analyze calling patterns in an 
effort to detect terrorist activity. 
The Democratic members of this committee wrote a letter to Chairman 
Barton asking for a hearing.  We have not had that hearing, and I do 
not see any phone companies on the witness list today or tomorrow. 
Why would that be?  
Also, illegally pretexting, that is, the use of false or fraudulent 
statements or representation, is not limited to consumer telephone 
records, as our witnesses will testify.  With that in mind, on 
March 29, 2006, this committee voted unanimously, 41 to nothing, to 
approve H.R. 4127, the Data Accountability and Trust Act, which 
expressly prohibits pretexting for personal information by data 
brokers. 
That bill is, again, in some kind of curious legislative limbo with 
reports that important consumer protections may be eliminated.  I 
hope that that is not the case, and I hope that the process on that 
matter is open. 
I commend you, Mr. Chairman, for your leadership in this 
subcommittee for holding 2 days of hearings on this issue.  It is 
important.  But I am concerned that also important witnesses have 
not been heard from. 
I am deeply concerned by what appears to have befallen both 
bipartisan products of this committee's timely legislative efforts 
to address serious issues within its jurisdiction.  The problem of 
pretexting will not go away; neither will consumer demands for 
protection.  And I suspect as the situation becomes more apparent, 
those complaints by consumers in the public at large will grow. 
I look forward to the comments of our witnesses today, and I 
commend you, Mr. Chairman, for this hearing.  Thank you. 
MR. WHITFIELD.  Thank you, Mr. Dingell. 
And I might add that, right before you came in, in my opening 
statement, I did mention that we are talking right now to the major 
cell phone companies, the major carriers, and that the staff on 
both sides of the aisle know that those discussions are going on.  
And I agree with you; it is imperative that we bring them in, 
because they can play a vital role in this, and I appreciate your 
raising that.  
At this time, I recognize the Vice Chairman of the committee, 
Mr. Walden of Oregon. 
MR. WALDEN.  Thank you very much, Mr. Chairman. 
Mr. Chairman, I appreciate your work and that of our staff and the 
Chairman of the full committee and the Minority in trying to expose 
this industry, to pull back the curtain on this unnerving process 
that is going on in America that I think most Americans aren't aware 
of.  And I had no idea that people in this audience had the ability 
to go out and talk their way through human firewalls if you will, 
and get access to people's Visa records, their cell phone records, 
their location at any given moment.  I mean, I have got a bit of 
an engineering background.  I know that these cell phones never 
stop transmitting; you can electronically triangulate.  I didn't 
realize you could con people to figure out where somebody is sitting 
and, for as little as $50, sell that personal data to anybody, to 
law enforcement, to credit bureaus, to jealous spouses or tabloids. 
I just think this is atrocious.  And yet I know there are many in 
this industry who will allege that they are partners with law 
enforcement.  
If you are a partner with law enforcement in this endeavor, then I 
ask the question, why are so many people, leaders in this industry, 
taking the Fifth Amendment today and refusing to participate in 
our investigation?  We do have legislation pending before the full 
House.  There are jurisdictional issues that will be dealt with.  
Mr. Chairman, this issue and this legislation is not going to go 
away. 
What we are doing here and now is not only educating Americans and 
other companies out there who may have been participants in this 
process to how abhorrent it is and how at risk their records are; 
we are also I think affecting the relationships of some of those 
agencies, some of those companies, in how they use these data miners 
to access this information. 
I dare say that if I were a customer with a company and found out 
that that company was willing to engage some of these services, I 
would not be a customer with that company long.  And I think most 
Americans will react that way.  So we do see, in fact in the 
newspapers and in the media today, companies are ending their 
relationships now that we, this committee, under your leadership, 
Mr. Chairman, have exposed and pulled back the curtain on this 
industry. 
So the bill may have temporarily disappeared, I have every confidence 
in our full committee Chairman, Mr. Barton, that in his meeting at 
2 o'clock today, we will get some answers about how to move it 
forward. 
There is no hesitation on the Republican side of the aisle not only 
to expose this industry but also to do something about it 
legislatively.  And I commend the work of this committee and I look 
forward to hearing from those witnesses who will testify, and I'm 
certainly looking forward to hearing from Mr. Rapp, who will be most 
helpful in this endeavor.  For the public's benefit, this is a book 
called "American Information Brokerage Seminar Handbook," that 
Mr. Rapp wrote, which is a fascinating read as a teaching tool of 
how to go con somebody out of information, your information, your 
private information. 
And I look forward to learning more from Mr. Rapp about the 
behind-the-curtain nature of how this process has worked and how 
at risk all of us are for our personal medical records, our Social 
Security data.  In here, you can even find out how much somebody is 
getting paid.  Now for Members of Congress, that is public anyway, 
but for the rest of America, it should be as private as they want 
it to be, just as private as their Visa records or their phone 
records or where they are sitting at any given moment, just because 
they have a cell phone, should be private unless they want it some 
other way.  
So, Mr. Chairman, thanks for the work you are doing on this.  I 
think we are going to change America for the better, legislation or 
not, as a result of these hearings. 
[The prepared statement of Hon. Greg Walden follows:] 


PREPARED STATEMENT OF THE HON. GREG WALDEN, A REPRESENTATIVE IN 
CONGRESS FROM THE STATE OF OREGON 

MR. WHITFIELD.  Thank you, Mr. Walden.  
At this time I recognize Mrs. Schakowsky for her opening statement. 
MS. SCHAKOWSKY.  Thank you, Mr. Chairman.  
And Chairman Barton, I think all of us look forward to getting a 
report in tomorrow's hearing on the progress that you are making 
today.  
I want to congratulate the Chairman and our Ranking Member and this 
committee for having really done its job in responding to what is a 
growing concern of the American people about the privacy of their 
phone records and other records.  And what we did was hold hearings. 
I am looking at the witness list from February 1st where we had a 
hearing on, "Phone Records For Sale, Why Aren't Phone Records Safe 
From Pretexting?"  I remember it well because my Attorney General 
from the State of Illinois, Lisa Madigan, came in and talked about 
the pretexting of phone records, talked about how the Chicago 
Police Department had to put out a warning to its undercover 
officers that drug dealers could use those records to identify 
them.  And as a consequence of the work we did on the committee, 
we did produce the bill that everyone is talking about, the 
Prevention of Fraudulent Access to Phone Records, H.R. 4943, which 
is now in some undisclosed location that we would like to figure 
out, and I hope that you do, Mr. Chairman. 
But and while it seemed very mysterious to us that the bill got 
pulled on May 2nd, since it passed out of our committee, as has 
been mentioned, unanimously, not a single opposition, another 
example of how our committee has successfully worked in a bipartisan 
fashion, but I felt less confused when, 8 days later, the USA Today 
did break the story that Mr. Dingell referred to that the National 
Security Agency was acquiring the public's phone records from three 
of our major carriers without subpoenas, without warrants or any 
approval of the courts and thought, well, maybe because the NSA is 
getting these phone records, maybe that is the reason why this 
bill became suddenly too sensitive.  I hope that is not the issue.  
But we did, as Mr. Dingell also mentioned, and Ms. DeGette, send 
a letter signed by all of the Democrats on the full committee 
asking that we have a full committee hearing on perhaps that 
relationship or the reasons why this bill disappeared.  
And Mr. Chairman, we didn't get any response that I am aware of to 
the letter that we sent on May 11th. 
Nevertheless, we also did pass the Data Act out of committee; that 
is a little clearer how it has gotten caught in some kind of a 
jurisdictional fight.  But clearly, this is under the purview of 
our committee, and we passed a bipartisan piece of legislation, a 
real quality piece of legislation that I hope that we are going to 
be able to move forward. 
So, in many ways, our committee has done our job.  I look forward 
to the hearing today because we are going to go as I understand it, 
beyond phone records.  The Internet has provided all of these 
opportunities to peer into the personal lives of Americans, and we 
need to address this issue.  While it is the Internet that has 
provided so many opportunities for entrepreneurs and to stimulate 
our economy, it has also provided opportunities for fraudsters who 
sometimes are a step ahead of the rest of us.  So we need to look 
into that. 
So I think that our investigations won't end.  But in the meantime, 
I think it is very important to make sure that the products that 
have come out of this committee move forward.  We already have two 
of them.  And I look forward to the day that those become law, even 
as we continue to explore the other issues that we are looking into 
today.  
Thank you, Mr. Chairman. 
MR. WHITFIELD.  Thank you, Ms. Schakowsky. 
At this time, I recognize Dr. Burgess of Texas. 
MR. BURGESS.  Thank you, Mr. Chairman, and thank you, 
once again, to you and the committee staff for having this 
important hearing.  
This committee has worked diligently to protect Americans and our 
private records, and today's hearing will further expand on why 
legislation is crucial to solving the problem. 
Through investigation by this subcommittee, we have obtained 
numerous examples, very troubling examples, of records that are 
available for sale to the highest bidder. 
Mr. Chairman, I don't mind telling you that I was shocked by some 
of the examples that I was shown by committee staff last week in 
preparation for this hearing and the fact that these very personal 
records can be obtained so easily as people fraudulently 
misrepresent themselves to obtain phone records, credit card 
statements and even the results of a post mortem examination. 
In an age where identity theft can wreak havoc on innocent 
consumers, it is my hope that today's hearing will not only help 
expose the pretexting problem but also, as so often is the function 
of this committee, educate Congress and educate the public of this 
situation and the absolute need for legislation to help solve it. 
Mr. Chairman, I am a cosponsor of H.R. 4943 as are many people on 
this committee, many members on the committee, the Prevention of 
Fraudulent Access to Phone Records Act, and I look forward to its 
prompt passage in the full House of Representatives.  This 
legislation is needed to ensure that our constituents' private 
phone records are not available to the highest bidder.  
Congress expressly prohibited pretexting for financial data under 
the Gramm-Leach-Bliley Act.  But that law does not preclude 
telephone records. 
Fortunately, this bill closes that loophole by prohibiting 
pretexting for telephone records and strengthens the security 
requirement for proprietary customer information, customer calling 
information, held by telephone companies.  Over the next 2 days, 
this committee will have the opportunity to question various parties 
connected to pretexting including data brokers, Federal agencies, 
and State and local law enforcement officers. 
We have been able to identify some of the major data brokers 
operating in this country, and today, many of them will have the 
opportunity to testify before us and explain the legal reasons for 
their business. 
One such data broker is located in a small town right outside of my 
district in the town of Granbury, Texas. 
It is troubling that these companies are prevalent throughout the 
country, even in small town Texas. 
From my understanding, many of these data brokers have indicated 
that they will invoke their Fifth Amendment right and refuse to 
answer our questions.  Of course, they have the constitutional 
right not to incriminate themselves, but it is my hope that they 
will cooperate with us to the fullest extent possible so that we 
can solve this problem for the American people. 
Once again, Mr. Chairman, thank you for your leadership on this 
issue.  Our constituents and Americans across the country will all 
benefit from these new protections of their private records. 
MR. WHITFIELD.  Thank you, Dr. Burgess. 
If there are no further opening statements, then I would like to 
call the first witness, Mr. Adam Yuzuk. 
Mr. Yuzuk, we appreciate very much your willingness to testify today 
and to give us your personal experience of being a victim of the 
data brokers.  And I will tell you that this is the Oversight and 
Investigations Subcommittee, and it is our practice to take 
testimony under oath.  Do you have any difficulty testifying under 
oath?  
MR. YUZUK.  No. 
MR. WHITFIELD.  And do you have a legal attorney with you today 
that you want to assist in any way?  
MR. YUZUK.  No.
MR. WHITFIELD.  If you would stand, I would like to swear you in. 
[Witness sworn.] 
MR. WHITFIELD.  Thank you, Mr. Yuzuk, you are now under oath, and 
you are recognized for 5 minutes for an opening statement. 
 
STATEMENT OF ADAM YUZUK OF ATLANTIC BEACH, NEW YORK 
 
MR. YUZUK.  Chairman Whitfield, Ranking Member Stupak, thank you for 
inviting me to testify before this subcommittee today. 
My name is Adam Yuzuk, and I appreciate this opportunity to explain 
what has happened to me and the possible consequences of Steve Kahn 
and Michelle Gambino's actions.  The fiasco that has unfolded is a 
truly sad state of affairs, and I will attempt to explain it.  
I apologize, I am a little bit nervous. 
On or about June 6, 2006, I contacted Cingular Wireless with a 
question concerning my bill.  The Cingular rep informed me that I 
could get the same information online.  And I asked how could that 
be possible.  She explained by using my online account.  I informed 
her that I did not have an online account.  She was very insistent 
that I did have one and that I had just set it up a couple weeks 
prior.  
She and I proceeded to go through the personal information needed to 
set up the online account, as I knew I had not set up such an 
account.  The personal information matched until we got to the 
e-mail address.  My e-mail address is [email protected], and the 
e-mail address on the account was [email protected].  At this 
point, I knew there was a problem.  My understanding from the 
Cingular rep was that someone set up this online account and had 
not made any changes, just viewed my account history. 
I couldn't understand how this had happened.  Shortly thereafter, 
I spoke with a Cingular supervisor.  We went through all the 
information on the false account again.  It became clear that 
someone was pretending to be me and reviewing my cell phone record.  
I was adamant that I wanted my information protected and this 
situation was unacceptable.  I wanted the highest level of security 
possible.  I was assured by putting a password on the account and 
having the account flagged, this could not happen again. 
On June 2, 2005, I also filed a police report with the Nassau County 
Police with an Officer Brennan, and it was assigned to a Detective 
Gildbride.  Detective Gildbride tried to track down the e-mail 
address, [email protected], by subpoenaing the information from 
Yahoo!.  This turned out to be a dead end.  Since we had no other 
information, we were stuck.  
On September 22, 2005, I spoke to a Cingular employee named Brad to 
inquire if anyone had tried to access my account again.  He informed 
me that someone did try to get in on September 14th but was 
unsuccessful.  It would appear in retrospect that his information 
was wrong.  I called him repeatedly as he promised to check and see 
if, on the off chance, the phone call was recorded.  He was 
e-mailing Little Rock, Arkansas, to see if this had occurred.  He 
would not return my phone calls.  I dropped the issue thinking no 
harm was done and Cingular had kept whoever it was out. 
On September 26th, I called Detective Gildbride back and asked him 
to add the September 14th incident to the police report.  We also 
determined that his spelling of the e-mail address was wrong and we 
would resubmit it to Yahoo!.  Upon sending Yahoo! the correct 
address, they informed me that [email protected] was shut down 
2 years ago, and they had no further info.  
On October 17, 2005, my lawyers filed a Federal lawsuit/complaint 
in the United States District Court for the Southern District of 
New York with Judge Karas presiding.  The lawsuit alleges fraud by 
former partners at Cipriani Accessories, Steve Kahn, Jarrod Kahn, 
and Evan Mittman.  Also named in the complaint were the accountants 
that handled the company's accounting and my own tax returns, Sol 
and Mark Karpman of Karpman and Co. 
We had started the discovery process and requested, "All documents 
concerning any investigator or other investigative service that 
performed any investigation of the plaintiff on your behalf."  They 
initially responded that they objected to this request as it seeks 
information which is protected by the work product privilege.  We 
pushed them, and by mid-April of 2006, we got the documents in 
their possession.  It was a retainer agreement dated May 9, 2005, 
from Gambino Information Services and the Max Leather Group signed 
by Michelle Gambino and Steve Kahn.  It states that, "cellular 
phone records shall be conducted as part of the request by the 
client.  For the company's fees for this investigation will be 
$300."  There was a packet of information dated June 9, 2005, 
File 9288, stating that they conducted an investigation to my, 
Adam Yuzuk's, phone records, and following their report, attached 
is my cell phone bill with 17 pages obviously printed from my 
online account.  It was my billing cycle from May 3rd to June 
2nd. 
On 6/16, there was another invoice for, "2 telephone information"; 
I am assuming that they broke into someone else's account, keeping 
in mind that there might be a different phone company that they 
went to, there were canceled checks from Cipriani Accessories and 
the Max Leather Group to pay for the invoice that was split between 
the two companies.  There was my phone bill with the details of 
the time period of July 3rd to August 3rd, it was missing pages 1 
through 4 and 10 through 14; there was my phone bill for the time 
period of August 3rd through September 2nd; there was my phone 
bill from September 3rd through October 2nd. 
From the paperwork, it is clear that the July and August records 
were printed from my online account on September 14, 2005.  The 
September record was printed on October 12th.  This means that 
someone broke into the Cingular account two additional times after 
my account was password protected and after I was given what I 
believed to be the highest level of security. 
When I realized the severity of what had occurred, I started 
calling Cingular to get explanations and help.  This was extremely 
frustrating.  While the Cingular employees were unfailingly polite, 
they refused to push my request any higher up the chain. 
In the process, I also spoke to the private investigator--his name 
was Robert Douglas--who was extremely helpful in unraveling how this 
occurred.  He was very familiar with all of these issues.  He 
actually put me in touch with your committee's staff. 
A CNBC reporter also contacted me for a documentary that they would 
run in July regarding privacy issues.  We conducted the interview 
in my lawyer's office on Monday, May 15. 
I also spoke with the FTC, who wants me to send them documents, but 
they will not tell me what they will do with the documents; who put 
me in touch with the FCC, who also asked me to send documents but 
won't tell me what they will do with the documents.  The FCC gave 
me the phone number to a Jim Bugel who is Vice President of 
Government Affairs at Cingular.  After I had a strong conversation 
with him, he in turn put me in touch with Cingular's General 
Counsel, Mr. Tom Meiss. 
Cingular is now suing Cipriani Accessories and Steve Kahn and 
Gambino Information Services in Federal court in the Northern 
District of Georgia.  They are requesting damages and replevin of 
the documents.  I will say that Cingular, as soon as they fully 
understood the gravity of the problem, because I am involved in a 
multi-million dollar lawsuit with these people and their entire 
counter claims are based on my stolen cell phone records, which is 
utterly ridiculous, ridiculous; once they understood it, they 
jumped on it and got right in. 
Mr. Meiss at Cingular also ran the fake e-mail address 
[email protected] through the Cingular system and found several 
more accounts that this e-mail is listed.  We can only assume that 
all these accounts, these people, have had their information taken. 
Additionally, we have gone back to Cipriani, which is the company 
I am suing, requesting more documents regarding Gambino that must 
exist.  We want the invoices and to date haven't received the 
information. 
So I guess, from a human face, I would like to relay to you guys, 
how is it possible that they can open up an account in my name so 
easily?  How is this possible?  How is it possible that after my 
account was protected, it happened two more times?  After I made 
everybody aware of it?  Why is it that if you went to my mailbox 
and stole my cell phone records or stole anything from my mailbox, 
that is clearly illegal, but it is okay to pretend to be me and 
print out my information and sell it?  
It is crazy. 
Why is it so seemingly acceptable that Gambino and Steve Kahn would 
enter into a legal contract that I have, a retainer agreement 
stating that they will get cell phone records, which invoices 
indicate are clearly mine?  When you Google this company, Gambino 
Information Services, you immediately come up with another name 
called Amy Boyer.  They were apparently involved in a very similar 
thing where they gave information about a woman named Amy Boyer, to 
someone who then went and killed her. 
So, I find it incredible that these people are still in business. 
And now I had to be the--I am just angry.  And I apologize.  But 
I am just really angry that these people steal information, and 
now I am caught up in it, and I am defending counterclaims that 
are utter nonsense, that the other side has clearly stated that 
they have nothing, but now I have to go through and fight over 
something like this because the information was stolen, especially 
from just my point of view, they could have even gotten the 
information legally.  But they instead wanted to take an easier 
route for $300 and go have my information stolen.  And to top this 
off, I have spoken to the attorneys general.  Nobody knows what to 
do with this.  I have spoken to law enforcement.  Nobody can seem 
to figure out where to go with this.  It seems clear to me that 
they did something wrong, but nobody seems to understand what to 
do.  
Is it identity theft?  What did they take?  What did they take from 
me?  I keep screaming, they stole my cell phone records.  My 
attorney keeps explaining to me, they didn't steal your cell phone 
records; they stole Cingular's business records, but Cingular's 
business records are my phone records.  But, legally, it is 
Cingular's records.  So I sit before you, and I'll answer as many 
questions as I possibly can. 
This is ridiculous.  This is really ridiculous.  And I am listening 
to what you guys are saying, and I am hearing it, but I honestly 
don't understand how these people can do this and cause so much 
harm.  For me, it is monetary harm.  It is not physical harm.  It 
is not just monetary.  But it is very intrusive.  And it is 
allowing--I can keep going. 
[The prepared statement of Adam Yuzuk follows:] 

PREPARED STATEMENT OF ADAM YUZUK OF ATLANTIC BEACH, NEW YORK 

Chairman Whitfield, Ranking Member Stupak, thank you for inviting me 
to testify before the Subcommittee today.  My name is Adam Yuzuk, 
and I appreciate this opportunity to explain what has happened to 
me and the possible consequences of Steve Kahn and Michelle Gambino's 
actions.  The fiasco that has unfolded is a sad state of affairs, 
as I will attempt to explain.  
1) On or about June 6, 2006, I contacted Cingular wireless with a 
question concerning my bill; the Cingular rep informed me that I could 
get the same info online.  I inquired how that would be possible and 
she explained by using my online account.  I informed her I did not 
have an online account.  She was very insistent that I did have one 
and that I had just set it up a couple of weeks prior. 
2) She and I proceeded to go thru the personal information needed to 
set-up the on-line account, as I knew I had not set up such an 
account.  The personal information matched until we got to the 
e-mail address.  My e-mail address is adam [redacted] @yahoo.com 
the e-mail address on the account was [email protected].  At 
this point I knew there was a problem.  My understanding from the 
Cingular rep was that someone set up this online account and had 
not made any changes, just viewed my account history. 
3)  I couldn't understand how this had happened.  Shortly 
thereafter, I spoke with a Cingular supervisor and as we went thru 
all the information on the false account again, it became clear 
someone was pretending to be me to review my cell phone records.  
I was adamant that I wanted my information protected and that this 
situation was unacceptable. I wanted the highest level of security 
possible.  I was assured that by putting a password on the account 
and having the account flagged this could not happen again. 
4) On or about June 2, 2005, I also filed a Police report with the 
Nassau County Police an Officer Brennan, Case # CK-47835-05.  It 
was assigned to a Detective Gildbride.  Detective Gildbride tried 
to track down the e-mail address [email protected] by subpoenaing 
the info from Yahoo.  This turned out to be a dead end.  Since we 
had no other info we were stuck. 
5) On September 22, 2005, I spoke to a Cingular employee named Brad 
to inquire if anyone had tried to access my account again.  He informed 
me that someone did try to get in on September 14, 2005, but was 
unsuccessful (it would appear in retrospect his information was 
wrong).  I called him repeatedly as he promised to check and see if 
on the off chance the phone call was recorded.  He said he was 
e-mailing Little Rock to see if this had occurred.  He would not 
return my phone calls and I dropped the issue, thinking no harm was 
done and that Cingular kept them out. 
6) On September 26, I called Detective Gildbride back asking him to 
add the September 14 incident to the Police Report.  We also 
determined that his spelling of the e-mail address was wrong and 
that he would resubmit to Yahoo.  Upon sending Yahoo the correct 
address they informed us that [email protected] was shut down 
two years earlier and they had no info. 
7) On October 17, 2005, my lawyers filed a Federal Lawsuit 
/Complaint, in the United States District Court For The Southern 
District of New York, Judge Karas presiding, 05 CV 8802.  The 
lawsuit alleges fraud by former partners at Cipriani Accessories, 
Steve Kahn, Jarrod Kahn and Evan Mittman.  Also named in the 
Complaint were the Accountants that handled the Company's accounting 
and my own Tax Returns, Sol and Mark Karpman of "Karpman and Co."  
I have additionally filed a complaint against the Accountants with 
New York "Office of Professional Discipline" Case #2603687 
8) We started the discovery process and we requested "All documents 
concerning any investigative or other investigative service that 
performed any investigation of the Plaintiff on your behalf"  they 
initially responded that they "objected to this request as it seeks 
information which is protected by the work product privilege" 
9) We pushed and got them in mid April of '06 to give us the 
documents in their possession, these include 
A) a retainer agreement dated May 9, 2005 between Gambino 
information Services and The Max Leather Group signed by Michelle 
Gambino and Steve Kahn.  It states "Cellular Phone records shall 
also be conducted as part of the request of the CLIENT, The 
COMPANY'S fee for this investigation will be $300.00 (Three Hundred 
Dollars" 
B) a packet of information dated June 9, 2005 File #9288 stating 
that they have conducted an investigation to my (Adam Yuzuk) phone 
records and the following is their report.  Attached is my Cell 
phone bill detail, 17 pages obviously printed from my online 
account.  Billing Cycle 5/3/05-6/2/05. 
C)  6/16/05 invoice #6965, including "2 telephone information," I am 
assuming they broke into someone else's account, keeping in mind that 
it may be a different phone company. 
D) Cancelled Checks from Cipriani Accessories and The Max Leather 
Group to pay the invoice, it was split between the two companies. 
E) My phone bill with detail for time period  7/3/05-8/3/05, missing 
pages 1-4 and 10-14. 
F) My phone bill with detail for time period  8/3/05-9/2/05. 
G) My phone bill with detail for time period  9/3/05-10/2/05. 
10) From the paperwork it is clear that the July and August records 
were printed from my online account on 9/14/05. 
11) The September record was printed on 10/12/05. 
12) This means that someone broke into my Cingular account two 
additional times after my account was password protected and I was 
given what I believed was the highest level of security. 
13) When I realized the severity of what had occurred, I started 
calling Cingular to get explanations and help.  This was extremely 
frustrating, while Cingular employees were unfailingly polite they 
refused to push my request higher up the chain. 
14) In the process I also spoke with a private investigator who was 
very familiar with all of these issues, he put me in touch with 
your Committee's staff. 
15) A CNBC reporter also contacted me for a documentary they will run 
in July regarding  privacy issues. We  conducted the interview in my 
lawyers' office on Monday 5/15/06. 
17) I also spoke with the FTC who wants me to send them the 
documents (I haven't yet) and the FCC who also wants the documents. 
The FCC in turn gave me a phone number to a Jim Bugel who is a Vice 
President of Government Affairs at Cingular, he in turn put me in 
touch with Cingular's General Counsel, Mr. Tom Meiss. 
18) Cingular is now suing Cipriani Accessories/Steve Kahn and 
Gambino Information Services in Federal court in the Northern 
District of Georgia.  They are requesting damages and "replevin 
of the documents."  
19) Mr. Meiss at Cingular also ran the fake e-mail address 
([email protected]) thru Cingular's system and found several more 
accounts that this e-mail was listed, we can only assume that all 
these accounts (PEOPLE) had their information taken. 
20) Additionally we have gone back to Cipriani requesting more 
documents regarding Gambino that must exist, we want the invoices 
for the 9/14/05 and 10/12/05 incidents. To date we have not 
received the requested information. 

QUESTIONS 
Why is it they so easily opened an on line account in my name ? 
Why is it they could so easily break into my account after it was 
protected and Cingular knew of the problem? 
Why is it illegal to steal my phone records from my mailbox or my 
home but seemingly ok to pretend to be me (pretext) access my 
information, print it out and then sell it? 
Why is it so seemingly acceptable that they (Gambino & Kahn) would 
enter into a legal contract the "retainer agreement" stating they 
will get "Cellular Phone Records," which invoices and paperwork 
clearly indicate are mine? 
After the Amy Boyer murder case in New Hampshire, how is Gambino 
still in business and openly selling telephone information? 
       Respectfully Yours, 

        Adam Yuzuk  

MR. WHITFIELD.  Well, Mr. Yuzuk, we appreciate your testimony and 
certainly understand your emotional feeling about this and your 
intensity in the way you feel about it, and of course, that is one 
of the reasons we are having this hearing today.  You have heard 
that two pieces of legislation have already been reported out of 
this committee, but the more we look into it, we certainly 
understand the complexity of this.  And we recognize that law 
enforcement is also having difficulty with the prosecution of a lot 
of these cases because the State laws, the Federal law, and the 
whole area is sort of murky.  And so your testimony, along with 
others, can go a long way in helping us try to develop a real 
solution to protect the American people. 
So I want to thank you for being here.  I am assuming from your 
testimony that you would not have known anything about this except 
that you had a question about your account; is that correct?  
MR. YUZUK.  Correct.  I called up.  I was checking something on my 
phone bill, and she just suggested, why don't you look at it online? 
Otherwise, this could have gone on indefinitely.  And I guess what 
needs to be made clear is that I then protected the account. 
MR. WHITFIELD.  When you say protected, you mean a password? 
MR. YUZUK.  I password protected it, and they red-flagged the 
account that you had to be talking to me to get through with a 
password, everything; it was very clear.  On top of that, I had my 
cell phone bill set up so that there was no detail on it because I 
was worried whoever it was would steal it out of my mail because, 
at the time, I didn't know who it was.  So I have no detail on my 
cell phone bill, yet they went back in September and October, pulled 
it off online with all the detail.  So they had more information 
about me than my own cell phone bill. 
MR. WHITFIELD.  Do you have any idea how they obtained your password? 
MR. YUZUK.  Cingular was suggesting to me that maybe I told somebody 
what the password was.  And I informed them that not only has it not 
been written down, but I am in a pretty nasty fight with these 
people. 
The last thing I am about to do is hand over my password to them.  
And they said, maybe they overheard you or something.  It was just, 
no real answer.  And where we got to was that they believe that 
there was something they termed to me as social engineering, that 
the private investigator would call back over and over and over 
until they found somebody in Cingular who was sympathetic that they 
could get through. 
MR. WHITFIELD.  That is the explanation that Cingular gave to you?  
MR. YUZUK.  Yes. 
MR. WHITFIELD.  Now, how would you characterize your relationship 
with Cingular as you went through this process?  You touched on that 
they didn't really become serious about it until they discovered 
about the lawsuits, but-- 
MR. YUZUK.  I will tell you that my feelings with Cingular, going 
from the bottom up, they would not allow this to go up.  I called, 
20, 30 times, I begged, for help.  I literally begged and said, 
could you please put me in touch with the general counsel?  Please 
put me in touch with somebody in your company that I can talk to 
that will know how to deal with this situation.  They refused to 
push it any higher.  They were polite, but they would not push it 
any higher.  It wasn't until I got the private investigator that 
I mentioned, Rob Douglas, put me in touch with the FTC who 
was--there was no place to go with that either, which I was kind 
of surprised, and then they gave me the FCC, and they gave me 
somebody at Cingular.  And Cingular from the top down, to be quite 
honest, once I ripped into them, he all of a sudden woke up and 
then had the general counsel call me. 
And to be quite honest, you can see, I am not afraid to come out.  
I can't imagine how anybody else would be trying to deal with 
this.  I can't even get the Attorney General moving on this. 
Like, it is just amazing because nobody can figure out, is it an 
economic crime?  Is it an identity theft?  You know, everybody 
bounces me from one person to the next because nobody knows what 
to do with it. 
MR. WHITFIELD.  And you live in New York. 
MR. YUZUK.  Yes, Nassau County. 
MR. WHITFIELD.  Now let me ask you--if I were you, of course I would 
be upset about realizing my private records are out there but then 
maybe even more apprehensive when I found out that the name Gambino 
was involved in trying to get this information.  How did you find 
out the name of Gambino? 
MR. YUZUK.  It was through the discovery process of the lawsuit 
because we asked them for any document of any investigations that 
were done to me.  And this is something, you know, to me is a big 
question which I can't get an answer to.  They asserted an 
attorney-client privilege, and I am curious how their attorneys 
are protecting stolen information that any reasonable person would 
know is stolen, because I did not give it to them.  I obviously did 
not call them up and say, here, here are my phone records. 
MR. WHITFIELD.  But now this agreement between Cipriani 
Accessories--that agreement was for $300, and they used that--that 
was a contract to obtain your information. And Cipriani, are those 
your former partners in business or some other-- 
MR. YUZUK.  Yes. 
MR. WHITFIELD.  So you all separated and they took it on themselves 
to-- 
MR. YUZUK.  They knew that I am alleging fraud against them.  They 
know that I have everything dead on.  They needed something to base 
their counterclaims on because they had nothing.  
In addition, I just want to add that, besides these stolen cell 
phone records, they have nothing for their counterclaims.  They have 
admitted they have absolutely nothing to base their counterclaims 
on other than these cell phone records which to me.  Honestly, I 
don't even understand the process, how this stuff can be used 
against me -- 
MR. WHITFIELD.  Right. 
MR. YUZUK. --in this way. 
MR. WHITFIELD.  Right.  But the only way you have really been able 
to obtain the specific information to know exactly who requested 
this information was through a lawsuit.  You were not able to obtain 
it prior to that, were you?  
MR. YUZUK.  No, because I wouldn't have known who was looking at 
my information. 
MR. WHITFIELD.  So you had this lawsuit with your former partners 
and, through the discovery process, realized that they were the ones 
that did it?  
MR. YUZUK.  Yes, and once they asserted the attorney-client privilege 
over it, we knew something was wrong. 
MR. WHITFIELD.  Right. 
MR. YUZUK.  So we just kept digging at it and got the records and 
from there--I actually was in a discovery meeting yesterday with 
them for about 9 hours, and Cipriani still asserts they did 
absolutely nothing wrong, and they can't even understand how this 
is a problem because they went legally to somebody and got the 
information. 
MR. WHITFIELD.  Well, the thing that is so perplexing about this, 
the average victim out there who may not be involved in a lawsuit 
may never be able to find out who is requesting this information. 
MR. YUZUK.  Once I spoke with the General Counsel over at Cingular, 
Tom Meiss, we had the e-mail address that they used on my account, 
and when I asked him and pushed him and I said, why don't you run it 
through your system because, obviously, there are going to be other 
people this happened to, after a little bit of pushing, he did that. 
All of a sudden, a bunch of other things popped up; and I don't 
think they really wanted to share them with me because that could 
put them in a bad position. 
MR. WHITFIELD.  Now you made one comment in your opening statement, 
Gambino, and that was linked with the name Amy Boyer.  Now who is 
Amy Boyer?  
MR. YUZUK.  Amy Boyer, from what I understand--and it is only from 
newspaper articles, from what I have read--was a woman that was 
killed in New Hampshire because Gambino Information 
Services--Michelle Gambino had pretexted to get her information.  
I guess somebody from her old high school--I am just telling you 
what the article says.  Somebody from her old high school had 
wanted to find this woman, was obsessed with her, had an information 
broker find the person and got all the information, called the woman 
at work, found out when she worked, all this stuff by pretexting.  
The person who bought the information then went to her workplace as 
she came out and killed her. 
So I just found it very interesting.  And I guess the way that I 
even got started on this whole thing is, once I Googled the Gambino 
Information Service and this came up, I figured they had to be on 
somebody's radar.  How could it be they are doing this to me and 
they have been involved in this and they are not on anybody's radar? 
So I called the lead prosecutor in New Hampshire that prosecuted 
that case.  He, in turn, put me in touch with the private 
investigator who led me to you guys. 
MR. WHITFIELD.  Okay.  At this time, I will recognize Ms. DeGette. 
MS. DEGETTE.  Thank you, Mr. Chairman. 
Well, Mr. Yuzuk, you are understandably frustrated.  Frankly, I 
used to practice law for a long time; and anybody involved in a 
lawsuit like you are, it is like double the frustrations.  So I can 
really understand.  
After hearing your testimony and your answers to the Chairman's 
questions, it would seem to me that it would be a super good idea to 
get the telephone companies in here to talk about how they are 
disclosing this information.  Wouldn't you agree with that? 
MR. YUZUK.  Yes. 
MS. DEGETTE.  If we got Cingular in here under oath, that would be a 
good step towards figuring out what they know about how this 
information is freely given out about their customers records, 
wouldn't it?  
MR. YUZUK.  I believe that to be true. 
MS. DEGETTE.  Okay.  Have you looked at this bill that we keep 
talking about, H.R. 4943, the Prevention of Fraudulent Access to 
Phone Records Act? 
MR. YUZUK.  To be quite honest with you, I have never heard about 
it until -- 
MS. DEGETTE.  As a lot of us said, we actually passed this bill 
from this committee in May, and then it was supposed to be 
unanimously bipartisan, and then it was supposed to go to the 
floor, and somehow it mysteriously got pulled.  Did you hear that? 
MR. YUZUK.  Yes, I heard. 
MS. DEGETTE.  One thing you talked about in your testimony, you 
talked about how the problem seems to be no one can quite identify 
what the crime is or what the cause of action is as to what has 
happened to you.  Is it identity theft?  Is it other things?  Right? 
MR. YUZUK.  It is exactly it.  Now I am embroiled in this lawsuit. 
MS. DEGETTE.  Right. 
MR. YUZUK.  So what have they done to me?  I am angry at my former 
partners for hiring these people to go do this.  So what do I go 
after them for? 
MS. DEGETTE.  Right.  So I was sitting here while I was listening 
to you looking at this bill.  Let me just read you a couple of 
sections of the bill, and you can tell--I know you are not a legal 
or a legislative expert, but just in your layman's view do you think 
this might help, if we pass this bill, with your satisfaction?  
Section 101.  It is called "Prohibition on Obtaining Customer 
Information by False Pretenses.  It shall be unlawful for any 
person to obtain or attempt to obtain or cause to be disclosed or 
attempt to cause to be disclosed to any person, customer, 
proprietary network information related to any other person by 
making a false, fictitious, or fraudulent statement or 
representation to an officer, employer, agent of a 
telecommunications officer, or providing any document or other 
information to these same people that the person knows or should 
know to be forged, counterfeit, lost, stolen, or fraudulently 
obtained or to contain a false, fictitious, or fraudulent statement 
and representation."  
That would help, don't you think?  
MR. YUZUK.  That would be hugely helpful. 
MS. DEGETTE.  Hugely helpful. 
MR. YUZUK.  My only question is, because I don't understand and I am 
learning, is that also civil and criminal? 
MS. DEGETTE.  It is civil. 
Now let me read you just the first little part of Section 202, which 
is called expand--because the section I just read you, it talks 
about people who are getting customer information for--so Section 
202 talks about expanded provisions for detailed customer records. 
And subsection (a)(1) of that says, "privacy requirements for 
telecommunications carriers."  Then it says, "except as required by 
law, permitted by this paragraph, a telecommunications carrier that 
receives or obtains individually identifiable customer proprietary 
network information, including detailed customer telephone records 
by virtue of its provision of the telecommunications service, shall 
only use, disclose, or permit access to such information or records 
in the provision of such carrier of the telecommunications service 
from which information is derived or services necessary to or used 
in the provision of such telecommunications services." 
That would be helpful to you, too, wouldn't it? 
MR. YUZUK.  I wish you guys would have done this 2 years ago. 
MS. DEGETTE.  Well, it would be good if we did it now. 
MR. YUZUK.  It would help the next person. 
MS. DEGETTE.  A year ago would have been good, but now-- 
So those things would directly address what your problem is, right? 
MR. YUZUK.  Yes, it would directly address what happened to me. 
MS. DEGETTE.  And have you--in your mission here, have you had the 
opportunity to talk to other people or do you have some sense of 
how many other people this is happening to?  
MR. YUZUK.  The best gauge I get of that is by talking to that 
private investigator, Rob Douglas.  Because he seems to have his 
fingers in a lot of pots with this and seems to see a lot of it 
going on, and he was the one that sort of connected a lot of the 
dots as to what was happening.  It was kind of interesting it was 
a private investigator that did that.  But he seems to understand 
that he thinks it is fairly widespread.  He informed me that 
Gambino Information Services mainly focuses on financial 
information, and I was probably more of a fluke that they went 
after my telephone stuff.  
Now I am also pretty upset that my former company, I am speculating, 
gave all my personal information over, my Social Security number, 
to these people.  Obviously, there is something wrong with that; and 
now God only knows what they could be doing with that. 
MS. DEGETTE.  Right. 
MR. YUZUK.  So the telephone thing might be the tip of an iceberg 
that is going to take years to unravel. 
MS. DEGETTE.  This is the whole reflection of something this 
committee has been looking at a lot, which is what do we do in this 
area of technology which helps people to also protect their privacy, 
and it seems to me that we need to really pass real laws that deal 
with this. 
MR. YUZUK.  You know, from what I have learned in speaking and 
talking to the Attorney General's office numerous times in New York, 
everybody is a little confused as to what to do with it.  They kind 
of think, well, it could fit into this and it could fit into this, 
but it is not quite this and not quite that.  And I apologize for 
being simplistic about it.  Why is it clear if you steal it from my 
mailbox that is a problem, but if you take it off the Internet 
pretending to be me, it is okay? 
MS. DEGETTE.  Right.  That is what this is supposed to address.  I 
agree with you, and we are going to keep pushing to try to get this 
passed. 
Thank you, and I yield back the balance of my time. 
MR. WHITFIELD.  I might say, Ms. DeGette, our staff has 
uncovered--we know there are tens and tens of thousands of victims 
out there.  And I might just say for your benefit, Mr. Yuzuk, 
unfortunately, Congress is pretty fragmented and balkanized; and 
while this committee can pass legislation dealing with civil 
penalties and so forth in the area of jurisdiction when we get 
involved in the criminal side of it, then it goes over to the 
Judiciary Committee and they work those sides.  So that we always 
get frustrated by the lack of progress that we are making as well. 
MS. DEGETTE.  Mr. Chairman, if you would yield.  This bill was 
scheduled on the floor for at least the civil part, and at least 
that would help.  Then the Judiciary Committee, if they wanted to, 
could do a criminal companion bill. 
But it is not like this bill had a referral to the Judiciary 
Committee and got stuck there.  It was actually scheduled for a 
vote on the floor.  
MR. WHITFIELD.  Absolutely.  There was a jurisdictional dispute.  
And, anyway, hopefully, that is going to be resolved this 
afternoon. 
At this time, I recognize Mr. Walden. 
MR. WALDEN.  Mr. Yuzuk, thank you again.  Sorry we have to meet like 
this, as they say.  But you have really helped us better understand 
the plight of an individual who has been victimized by these data 
mining companies and apparently by others. 
You have mentioned trying to get some action out of an Attorney 
General.  Who is that?  Which Attorney General? 
MR. YUZUK.  I contacted Eliot Spitzer's office.  I went through, I 
think, three different attorneys there--I have it all written 
down--but three different attorneys there, of which two of them 
were civil, one was criminal.  After we had gone through and 
explained the stories over and over and over--it went from like 
an economic bureau to identity theft bureau that doesn't have 
jurisdiction because I live in Nassau County but it happened in 
Queens where I live.  So they couldn't help, and then they sent 
me -- 
MR. WALDEN.  So you really got the runaround. 
MR. YUZUK.  Now I have the Nassau County Attorney General.  I spoke 
with him 2 weeks ago.  I mean, I am happy I got this invitation so I 
could fax it to the Attorney General and say hey, wake up, please. 
MR. WALDEN.  This is the State Attorney General in New York? 
MR. YUZUK.  Yes. 
MR. WALDEN.  Just for the record, my understanding is we have 
got--our staff has scheduled two interviews for next week with 
Telco-Telephone Companies to do the kind of background interviews 
I assume they did with you and they are doing with others; and 
they are working on scheduling at least three others for the 
committee's work.  This is going on.  We are going to continue.  
There is no calling off our investigators there.  They are the 
best in the country at what they do, and they are not going to 
quit until we get all the answers. 
I am curious.  What else has Cingular done for you since the facts 
about the Gambino came to light?  Have they worked with you on 
establishing a safeguard?  What is your trust level now?  I can 
appreciate your frustration to say I got this fixed, I got 
password protection, now things are good to go, and then you 
discover they are not. 
MR. YUZUK.  I got to the point where there is a regional supervisor 
that I made be put on the account.  The account is red-flagged, that 
nobody can go on to that account without first getting approval 
from the regional supervisor, which is obviously a little 
impractical and silly, but it is the only thing I could possibly 
think of to deal with this.  Because, obviously, the password was 
being bypassed, which-- 
MR. WALDEN.  How did that happen?  I know you talked about that you 
must--they think you must have given it out or something, but, 
obviously, there would be no incentive for you to do that. 
MR. YUZUK.  If I may speculate-- 
MR. WALDEN.  Sure. 
MR. YUZUK.  I believe that they called Cingular over and over and 
over:  "I can't remember my password, I can't remember what 
happened, it is me, here is my address, here is my Social Security 
number." 
MR. WALDEN.  So they give them everything else? 
MR. YUZUK.  This is speculation.  It was my former employer.  They 
gave all of my information over.  The investigative service would 
know virtually everything about me. 
MR. WALDEN.  I think we are going to hear from Mr. Rapp later on, he 
is one of the masterminds and was in this industry, and I think can 
really help us better understand this concept of social whatever-- 
MR. YUZUK.  Social engineering. 
MR. WALDEN. --where you work somebody down, you beg, you plead, you 
do everything legitimately to get help.  Only they are doing it in 
a con to get access to somewhere they don't belong. 
MR. YUZUK.  Correct. 
MR. WALDEN.  And that some good-intentioned, well-intentioned person 
on the other end says, oh, Mr. Yuzuk, okay here, yeah, you have 
given me 99 percent.  Here is the other one. 
MR. YUZUK.  They can call on a ton of different pretenses, so to 
speak.  It is a frustrating process. 
MR. WALDEN.  What has happened, I am curious, on Detective Gildbride 
and the Nassau County police end?  Have they been making any 
progress?  
MR. YUZUK.  I realized very quickly this is not something very high. 
There wasn't any place to go with it.  At the time, we weren't able 
to trace back the e-mail address, and we didn't have the discovery 
documents available yet.  The discovery documents literally in the 
last 2 months have come to light. 
MR. WALDEN.  I know the police agencies are terribly overloaded, but 
I think you mentioned something earlier in your comments about an 
iceberg, and icebergs aren't very high out of the water.  Sometimes 
they can run really deep, and perhaps if they looked into your case 
as we are doing, they might find this whole other piece of the 
iceberg that is affecting a lot more Mr. Yuzuk's out there. 
MR. YUZUK.  To me, the logical thing to do, which is what I 
expressed to Cingular, run that e-mail through your system.  I don't 
know why Cingular doesn't talk to MCI or Sprint or whatever and say, 
guys, look out for this; run it through your system.  Because 
anybody that gets hit with this e-mail, you know something is wrong. 
You could probably ferret out a tremendous amount of these people 
very quickly by doing this.  At least you would get that first-- 
MR. WALDEN.  A wave of them. 
MR. YUZUK.  Some of them would be smart enough to go deeper, but you 
would get that first shot at them.  That is the kind of stuff--I 
don't know whether Cingular did advise other phone companies or 
anybody--maybe there needs to be a way that they let somebody know 
this happened. 
MR. WALDEN.  That is a good point.  I have been in small business 
for 20 years in a small town, and our chamber and others have a 
checkflash that goes around.  When somebody passes a bad check, 
they let everybody else in the community know that.  So if checks 
have been stolen or something, other merchants are made aware right 
away.  You wonder if there isn't some data mining flash that could 
go out to other phone companies.  I don't know. 
Do you know why the pages were missing from the copy of your July 
phone bill that Gambino was able to acquire? 
MR. YUZUK.  No.  After yesterday, I got--when I was in discovery I 
made them pull out the records, and mysteriously they reappeared, the 
pages reappeared.  So it turned out to be just the regular phone 
records.  So I don't know why they were hiding it to begin with, 
but we asked their attorneys three or four times for the missing 
pages, and they kept saying that they didn't have it; it was thrown 
away.  Yet yesterday, literally yesterday, when I went through it 
and I flipped through it in their offices, it was there.  I think 
it was just an oversight. 
MR. WALDEN.  So you don't suspect anything beyond oversight? 
MR. YUZUK.  No.  But, honestly, they are using the counterclaims.  
They are using the cell phone records to give me a hard time, and 
it was a further way to make an arc. 
MR. WALDEN.  I am curious.  How did CNBC find out about you? 
MR. YUZUK.  Through the private investigator. 
MR. WALDEN.  Mr. Douglas. 
MR. YUZUK.  He knew a lot of different people who are interested in 
this.  What was good at least, that they liked and they were able to 
use, I had everything documented.  I have all of the records; and, 
you know, I can definitely explain it and it was still fresh.  I 
mean, this has happened in the last year.  It is still going on. 
MR. WALDEN.  So you are the possible poster boy for this nonsense. 
Did you have something else? 
MR. YUZUK.  We haven't gone in front of the Federal judge yet, and I 
am curious what his take on this is going to be. 
MR. WALDEN.  I sure appreciate this cooperation with this panel and 
your investigation, and we are hopefully going to change this law or 
create a new law which protects people like you and other Americans 
who have suffered untold hardship from credit issues to literally 
perhaps of their own life as a result of what happens here.  So we 
look forward to that. 
Mr. Chairman, I have to go to another committee that is marking up a 
bill.  I have an amendment on.  So I will return as soon as we are 
done with that, and I appreciate your leadership on this. 
MR. WHITFIELD.  Thank you. 
At this time, I recognize Ms. Schakowsky. 
MS. SCHAKOWSKY.  Thank you, Mr. Chairman. 
The wonders of the Internet.  We just got an e-mail of the article in 
the San Francisco Chronicle.  Let me read this to you.  While it 
doesn't directly bear on your case, it is relevant to this issue. 
AT&T has issued an updated privacy policy that takes effect 
Friday.  The changes are significant because they appear to give 
the Telecom giant more latitude when it comes to sharing customers' 
personal data with government officials.  The new policy states that 
AT&T, not customers, owns customers' confidential information and can 
use it, quote, "to protect its legitimate business interest, 
safeguard others or respond to legal process."  
Policy also indicates that AT&T will track the viewing habits of the 
areas of its new video service, something that cable and satellite 
providers are prohibited from doing.  Moreover, AT&T is requiring 
customers to agree to its updated privacy policy as a condition for 
service, a new move that legal experts say will reduce customers' 
recourse for any future data sharing with government authorities or 
others.  
So in order to--you know, you are saying, how could this not be 
illegal when someone can't go into your mailbox?  At least AT&T, 
formerly SBC, is trying to, as a matter of its company policy and 
very contrary to the legislation that we are passing, hopefully, 
trying to set a policy that says it is just fine.  It is not yours 
anymore.  When you sign the agreement, they own it.  They can do 
what they want with it. 
What is your reaction to that?  I am assuming it exacerbates your 
frustration. 
MR. YUZUK.  Ma'am, it is comical.  It is absolutely comical.  They 
are not stealing my records or even your records, so to speak.  But 
they are stealing AT&T's records or something like that.  But this 
whole explanation just defies logic of how this is going and how 
they can't think that that information is not valuable to whoever 
really owns it.  It is terrible.  
MS. SCHAKOWSKY.  I am wondering if you can estimate--I am trying to 
imagine your life in dealing with this.  How much time have you had 
to try and spend on this to rectify that and what kind of costs, if 
you care to share that, you have incurred in trying to deal with 
this.  
MR. YUZUK.  Well, we have a--now I have a lawsuit that was clean on 
my side, that I was going in and there really was nothing that they 
could do; and now they have muddied the water with counterclaims 
that are utter nonsense because of these cell phone bills that, if 
some craziness occurred, could cost me millions of dollars based on 
what their counterclaims are.  Which is incomprehensible to me.  It 
really is-- 
MS. SCHAKOWSKY.  How much of your life is involved now in doing this? 
MR. YUZUK.  This is daily.  It is--and you are talking about the 
cell phone part of it.  It is dealing with whether it is Cingular 
and getting them moving, whether it is who is calling the attorney 
generals, whether it is discussing it continually with my own 
lawyers.  You know, it is getting everybody sort of lined up in 
this.  It was me getting together with this committee, getting all 
of that put to bed, all of these different parts of the puzzle.  I 
was probably spending an hour or 2 almost every day just dealing 
with this. 
MS. SCHAKOWSKY.  And all of this really gets back to the breach of 
your private information, I mean, the problems that you have had.  
Obviously, it has gone into some other directions, but it is the 
breach of your private information that has led down this path. 
MR. YUZUK.  Yes.  Them having information about me that they--which 
is a shame that all of this, which I mentioned earlier, which they 
could have legally gotten this and it could have been fine.  They 
would have just had to wait.  And this was a quick fix to creating 
counterclaims. 
So, you know, while this is not a case like a murder case or 
something like that, to me it is very, very personal; and I am sure 
all of the people that I have spoken to on the phone were not 
thrilled that their phone numbers were now given out to these 
people. 
MS. SCHAKOWSKY.  Has Cingular--they seem to have at least partially 
addressed your issue by having it go through, what, this regional 
supervisor or whatever.  Is there any indication that they have 
improved their security for others?  
MR. YUZUK.  Quite honestly, I wouldn't know.  Because I have been 
dealing with them strictly on my issue.  Obviously, I have had 
conversations with them, and I have suggested this is a problem, but 
they are a very big company and they -- 
MS. SCHAKOWSKY.  Well, you asked questions at the end of your 
testimony.  Did Cingular ever give you answers to these questions? 
MR. YUZUK.  Yes.  They said, with my Social Security number, my home 
address, with my mother's maiden name, things like that, anybody 
could open up the account for me.  And to me, the first faux pas, 
the first accident was one thing.  After I password protected it, 
red-flagged it, I don't know what else I should have done, and they 
got in again and again.  So like on my side of the table, what am I 
supposed to do? 
MS. SCHAKOWSKY.  You may have answered that already.  So how could 
that have happened?  Did Cingular explain that to you?  
MR. YUZUK.  They didn't have, from my point of view, a very good 
explanation.  They explained to me that maybe I gave them my 
password.  I gave the other side my password, the private 
investigator my password so they could break in, which I didn't 
quite find really believable.  They said maybe you were having a 
conversation and somebody overheard you say it.  I was like, that 
there was no way.  It was, maybe you wrote it down.  I said, no, it 
is not written down anywhere.  I shred every document.  There is no 
way it is not possible. 
MS. SCHAKOWSKY.  So they did not take responsibility and suggested 
that you perhaps inadvertently had given the information. 
If you were--I mean, I realize this isn't your business--I mean, 
your profession--but I am wondering if you had, as a result of 
this experience, had any thoughts of what carriers could do to 
strengthen their internal controls against this kind of fraud. 
MR. YUZUK.  Yes.  Obviously, just using somebody's Social Security 
number and it being a male--like a man on the phone calling, saying 
I am this person, is really not acceptable.  It can't function like 
that.  Because these types of things can happen.  So that would be 
the first thing. 
I would also think that they should go after these people rather 
harshly.  And what was surprising to me was, from the bottom up, 
when I was going after Cingular, why I am sure the people who are 
sitting here today who do this for a living don't worry about it, 
because Cingular didn't move.  They didn't want to know from this. 
It wasn't from when I went from the top down and I pushed, all of 
a sudden they woke up and started moving.  Now I will say that they 
jumped on it, and they are going full force.  But it was not 
happening for me as a customer going up the ladder.  That did not 
happen.  Which is why I would imagine so many of these people are so 
brazen in what they are doing, because they know nobody is going to 
come after them. 
MS. SCHAKOWSKY.  Thank you very much.  Appreciate your testimony. 
I yield back. 
MR. WHITFIELD.  Thank you. 
At this time, I recognize Dr. Burgess. 
MR. BURGESS.  Thank you, Mr. Chairman.  I appreciate you being here 
today. 
I won't take the entire time allotted to me.  I guess the 
question--I apologize for being out of the room.  How was your 
Social Security number obtained?  
MR. YUZUK.  At this point, we do not know, until I guess we depose 
Michelle Gambino and ask her if my former partners gave her my 
information.  I speculate that that is exactly what happened. 
MR. BURGESS.  So they would have had access to your payroll data 
because of your prior partnership? 
MR. YUZUK.  Everything, everything about me. 
MR. BURGESS.  Now your Cipriani Associates that you are in the legal 
dispute with, they said they obtained this information legally.  
They went and bought it from a company, and so it is not their 
fault. 
I guess the question that I would ask, in your opinion, who is really 
at fault here for your personal information being divulged to a 
party who is opposing you in a lawsuit? 
MR. YUZUK.  It is a very, very interesting question.  Because when 
I have asked the attorneys this type of stuff, I get different 
answers.  Because one of the things that comes up which I have 
gotten from some of them is what would a reasonable person assume?  
Wouldn't a reasonable person know that you can't go get somebody's 
phone records and have my phone records?  There is no legal way to 
do that because how could you have it if I didn't give it to you?  
They didn't steal it.  How could you possibly have it?  
They seem to think because I went and spoke to this person who spoke 
to that person, that now all of a sudden it is okay to get the 
phone records.  And this is stuff I honestly don't understand. 
So, from my point of view, a reasonable person knows if all of 
a sudden somebody handed you my phone bill, you would know if I 
didn't give it to you, there is a problem. 
I apologize if I am not answering. 
MR. BURGESS.  I think that is satisfactory, and it points to the 
fact why they tried to blame you for having perhaps divulged your 
Social Security number or your e-mail address in a conversation 
that you didn't remember. 
Well, let me ask you this--and I think we have been through most of 
your story.  There is a possibility that we will have some of the 
phone companies here to talk to at some point.  Is there a question 
that you would like us to ask on your behalf of Cingular or the 
phone companies in general?  
MR. YUZUK.  Not from me so much as a person, because the milk is 
already spilled.  I would tell you that they need to have some 
division or something set up within the phone companies so when 
this happens there is a path you can go down so it can reach high 
up enough in the chain that they address the situation.  Because I 
can tell you that I was on the phone pounding, and I could not move 
it forward.  I was not afraid to go in again and again and again, 
and I just kept hitting a ceiling over and over. 
So if you would ask me one concrete thing that the phone company has 
to have is, when somebody calls up with a complaint like this, it 
has to have a way of going up the chain. 
MR. BURGESS.  So they have to assign a much higher priority to this 
complaint. 
MR. YUZUK.  It has to reach a level that they realize it is a huge 
jeopardy.  In my case, from my personal point of view, it is millions 
of dollars at stake; and I can't get them to wake up.  I am begging 
them on the phone to help me. 
MR. BURGESS.  But, on the other hand, someone who calls persistently 
and drives over and over again to get your information was 
apparently successful at doing so. 
MR. YUZUK.  Because they could get that at the level. 
MR. BURGESS.  At the other level. 
MR. YUZUK.  But they were clear they couldn't put things higher.  
They could give away my personal stuff, but they couldn't give me 
to the next guy up. 
MR. BURGESS.  Very good. 
Mr. Chairman, as always, fascinating and certainly look forward to 
hearing the other witnesses. 
Thank you, Mr. Yuzuk, for giving us your time. 
MR. WHITFIELD.  Thank you. 
At this time, recognize Mr. Inslee. 
MR. INSLEE.  Thank you. 
I just principally want to thank you for being here in the hopes 
that your effort will jog Congress as you have not been able to jog 
the phone company.  
Mrs. Blackburn and I introduced a bill January 31st of this year.  
It is what we call around here a "no-brainer" bill that basically 
makes pretext calling a wrongful act to get to the bottom of this. 
And Congress is still fiddling around this many months later while 
there are thousands of other people we believe in exactly your 
condition out there calling their phone companies today trying to 
fix this problem. 
I want to thank you for coming, and I hope you will light a fire 
under Congress by your willingness to come here today that you 
couldn't light a fire under your phone company.  So I want to thank 
you for being here and give you a free thought.  If there is 
something you want to tell us that you haven't already-- 
MR. YUZUK.  I would like to thank you all; and, as a person on this 
side of the table, I need help.  And it is not only me.  I am sure 
there are a lot other people that need help.  Whatever the 
jurisdiction and fighting that is going on, I just need help. 
MR. INSLEE.  We would like to have that cry of help answered in 
getting this bill on the suspension calendar and pass this.  Thanks 
for being here. 
MR. WHITFIELD.  Mr. Yuzuk, I also want to thank you on behalf of 
the committee.  We wish you the very best in your efforts to get all 
of this cleared up; and if you feel any information that you may 
come across as you move forward would be helpful to the committee, 
we would really appreciate your getting back in touch with us.  We 
look forward to working with you as we try to pass legislation to 
help solve this problem for the American people. 
So you are dismissed, and thank you again. 
MR. YUZUK.  Thank you all.  Thank you all for your time. 
MR. WHITFIELD.  At this time, we will move to the second panel. 
On the second panel, we have two people.  First of all, 
Mr. James Rapp, who is the former owner of Touch Tone Information. 
I have read a couple of newspaper articles about Mr. Rapp, and I 
would say that he is a real expert at being a data broker in 
obtaining information.  In fact, the Rocky Mountain News in 
Colorado wrote an article about him and said that, at his peak, his 
million dollar information broker business was thought to be one of 
the largest of its kind in the country. 
So, Mr. Rapp, if you would come forward, we appreciate your being 
here. 
And then Mr. David Gandal, if he would come forward.  He is the 
owner of Shpondow.com, and I know that his business has been 
focused upon helping automobile financiers repossess automobiles. 
But, as you gentlemen know, this is an Oversight and 
Investigations Subcommittee hearing, and we do take testimony under 
oath.  Under the rules of the House and rules of the committee you 
are entitled to be advised by legal counsel.  Do either of you have 
legal counsel with you today? 
MR. RAPP.  No. 
MR. GANDAL.  No. 
MR. WHITFIELD.  And you don't have any difficulty testifying under 
oath? 
MR. RAPP.  No. 
MR. GANDAL.  No. 
[Witnesses sworn.] 
MR. WHITFIELD.  Both of you are now under oath, and we appreciate 
very much your cooperating with the committee and being here.  
Testimony from people like you who are real experts in this can go 
a long way in helping us perfect some of our solutions. 

TESTIMONY OF JAMES RAPP, TOUCH TONE INFORMATION, PARKER, COLORADO; 
AND DAVID GANDAL, SHPONDOW.COM, LOVELAND, COLORADO 

MR. WHITFIELD.  So, at this time, Mr. Rapp, I will recognize you for 
your 5-minute opening statement, after you have your glass of water 
there.  
MR. RAPP.  Thank you, Mr. Chairman. 
MR. WHITFIELD.  And if you would be sure to hit the button so the 
microphone would be on. 
MR. RAPP.  All right, sir.  Thank you, Mr. Chairman. 
Many years ago, back in the early '80s, I discovered a way to 
acquire information at that point helping where the--the position I 
was in at that point was in an incarceration position back in '82.  
Many inmates wanted to contact family members, ex-girlfriends, and 
other things; and they had no way to do so.  They had no way to get 
out to do anything with anybody.  And I discovered a way that I 
could contact various utility companies, phone companies, or the 
relatives themselves and find out where they were and get the 
information.  The inmates weren't going to do any harm.  These were 
people at that point that was a platonic relationship or a 
lovesick relationship. 
Things started from there, and from the '80s it progressed to where 
we started a company and had many different companies, my wife and 
I did, to the point where, during the '90s, we had many employees 
in our office and the ones that I had trained, that were able to, 
they went to their own homes and they worked and we provided 
information from anybody and everybody consistently throughout the 
country. 
There were many times that we were contacted by attorneys to try and 
track down judgment debtors.  The majority of our work dealt with 
people that incurred debts such as finance loans or other such debts 
that they didn't pay, and we just couldn't do anything.  There is 
no sense in going through with a process of interrogatories or 
discovery after you issue a summons and try to get somebody's money, 
try to get a judgment, if you don't know where they are and you 
don't know where their money is.  That is where we came into play. 
We found the people.  We tracked them down.  We found out where 
they banked.  We found their account numbers, balance, savings, 
checking, money markets, everything, so that they could go ahead 
and decide if they wanted to execute a judgment, if the person was 
worthwhile to get the money from. 
So, to begin with, I think our intentions were somewhat noble with 
the aspect of trying to make sure that people that had debts paid 
those debts.  Bankruptcies were going crazy, and at this point I 
know some of the bankruptcy laws have been changed, but there are 
so many people out there that can get away with so much, there had 
to be some kind of a stopgap.  At least that was my initial thought, 
and we were that stopgap. 
There was nowhere you could run or hide that we couldn't track you 
down.  There were no moneys that you could put in the Cayman Islands 
Barclays Bank that I couldn't find.  And that was maybe a little 
cocky of an attitude, but that is pretty much how we ran our 
business for many, many years and very successfully.  
We never dealt with the Internet.  The Internet at that point wasn't 
that big of an issue, wasn't a necessity for us.  The telephone was 
my key to the world, and that is everything I needed.  
We pretty much tried to tie in with private investigators.  I would 
go through the phone books in every major city in the United States 
and I would contact the PIs and solicit my business to them, say let 
me help you provide the information, quick, easy, and for a price 
you can afford.  That is when we started faxing off our information, 
and we got a tremendous amount of response.  Business was great.  
We had all of the work in the world that we could handle.  
Then, during the Clinton era, we were working a lot.  I think our 
business started to change during that era from the judgment debtors 
to more the media issues, the tabloids, entertainment, 60 Minutes, 
20/20.  People wanted to know, and if they wanted to know the 
information, somebody had to provide that information.  We didn't 
want to be the car that went and ran off Princess Di.  We didn't 
want to be that aggressive of the paparazzi, but we wanted to 
provide the information to the media that needed it. 
So, during the Clinton era, we did a lot of the work on the 
Monica Lewinsky/Bill Clinton--all of those issues; and that brought 
us to light to the FBI.  They came out to us, and they wanted to 
find out who we were working for.  At that point, my wife and I 
asked, is there anything illegal that we are doing in any respect?  
Here is my complete list of what I do and who I do it for and how 
I do it.  And we were told by the Federal law at that point 
absolutely nothing you are doing is wrong or illegal, so we felt 
reassured, and we continued on. 
Unfortunately, a few years ago, there was a young lady that 
apparently--I don't know if it was a young lady or man--but it was 
a client of ours.  A private investigator contacted us to break a 
pager number, something we had done thousands of times before.  The 
pager number, unbeknownst to us, went to an undercover Los Angeles 
police detective that was then killed at some point once he was 
tracked down to his home location. 
That is the kind of thing that gives at least my former industry 
a tremendously bad name.  There are a lot of good aspects to data 
brokers.  There are a lot of negatives as well.  Unfortunately, the 
negative is what the press hears, and that is what we are here for 
today, because of the negative aspects.  We can't allow people to 
go around getting into debt, doing things they shouldn't be doing 
without something, if the law enforcement isn't going to help, some 
kind of a stopgap, and that is what we were. 
But it flourished from there, and everybody wanted to know 
everything about everybody else.  There are no more secrets, and 
that is the truth of the matter.  We were a big proponent of that 
to the extent that we provided anything and everything for anybody, 
and we really weren't that concerned with who or why. 
When we were brought to D.C. just a few years ago by the law firm 
Butera and Andrews, we were brought here because the Federal Trade 
Commission said, oh, wait a minute now.  You're getting too much 
financial information.  Too many people are upset about the fact 
you were finding their bank accounts.  
They are not concerned about the fact they owe tons of money.  They 
are only concerned that we found out where the money was. 
But the Private Investigators Association of America paid for us to 
have a good law firm behind us.  In such case, they dissolved the 
whole matter.  Probation.  Don't acquire banks, and everything is 
fine.  So again we were reassured again by another branch of the 
Federal government that everything we were doing was okay.  Just 
don't get banking information. 
We continued at that point until such time that we were contacted 
by the Colorado Bureau of Investigations after little JonBenet 
Ramsey died.  We did a lot of work there.  They said, you are going 
to stop, and we are looking into RICO statutes on you, and that was 
pretty much the end.  That was back in '99, and I haven't picked up 
a phone professionally since that time. 
MR. WHITFIELD.  Thank you, Mr. Rapp.  And that was enlightening 
testimony. 
[The prepared statement of James Rapp follows:] 

PREPARED STATEMENT OF JAMES RAPP, TOUCH TONE INFORMATION, PARKER, 
COLORADO 

Chairman Whitfield, Ranking Member Stupak, thank you for inviting me 
to testify before the Subcommittee today.  I appreciate this 
opportunity to briefly introduce myself and explain my former role 
in the data broker industry, and I ask that my full written 
statement be entered into the record. 
My name is James Rapp, and I used to own and operate several 
companies in the data broker industry, including Touch Tone 
Information.  Early during the 1980's, I was incarcerated for an 
auto theft in the Colorado State Penitentiary, where I discovered 
that I was adept at acquiring and providing information.  Various 
inmates would come to me and ask to find their estranged girlfriends 
or wives, or something to that effect, and I would proceed to take 
their old disconnected phone number and acquire the new number and 
address for these men to make contact with. 
One thing led to another and after I was released in 1982, I started 
working for various attorneys to provide them with process service 
as well as to provide them with the employment and banking 
information of the individuals that they had acquired judgments 
upon.  During that time my business was known as "Mile High 
Investigative Service" and as such solicited private investigators 
in addition to the attorneys that we mainly worked for. 
Things progressed fairly well until 1991 when my ex-wife Holly, 
left and I decided to downsize completely and went to Texas to work 
for a client in the city of Conroe.  After a short time I met my 
everlasting wife, Regana and we started up our business again.  We 
started out to contact our old clientele and arranged a cross 
country trip to do "Investigative Seminars" to teach (for a cost 
of course) the "how to's" of acquiring information relevant to the 
private investigator realm.  
We then moved to Florida, and from Florida we moved to Utah and then 
to Montana where we then decided based upon my father's failing 
health to move back home to Colorado.  The reason for all these 
moves was simple; most states required a license to do the 
investigative work that we were doing.  One problem was that my 
felony conviction literally shot me out of the water with any 
chance to achieve a license in any state that we tried, except for 
good old Colorado. 
During this time we went through many name changes - Phantom 
Investigation, Dirty Deeds done dirt cheap, Scanners, etc.  The 
lasting name that we kept was Touch Tone Information, which was 
initiated once we returned to Colorado. 
Our name as well as our success rate drew us national attention, 
along with working on such nationally known cases such as Bill 
Clinton and Monica Lewinsky, Columbine and other atrocities, as 
well as various media celebrities and stars around the world.  
Our business was constantly changing, for we started out just 
working to locate the judgment debtors, but wound up working for 
other information brokers throughout the country to provide the 
most current and up to date goings on of the media world.  
During the 1990's, we were maintaining a staff of over 20 on site 
as well as anywhere from 5 to 15 people working from home.  Our 
yearly billings were over 1 million for the years 1995 to 1998.  
Our quantity of clients exceeded 1,500 during our peak.  During 
that time, we were contacted by such news shows as 20/20 and 60 
Minutes, all of which our counsel told us the best action was 
to say nothing about anything. 
I felt good about the good work that we did do, for we assisted in 
the locating of many missing children as well as helping many of 
the bail bondsmen to locate the ones that got away.  During this 
time our clientele type was as follows: 
A.  Attorneys 
B.  Private Investigators 
C.  Bail Bondsman 
D.  Information Brokers 
E.  Investigative contacts for news and media organizations 

Unfortunately, the more notoriety that we achieved, the more the 
press, both newspaper and T.V., we had on our heels to get whatever 
scoop they were chasing.  The idea of pretexting or scamming someone 
on the phone has been around since the days of the old James Cagney 
movies. 
I would teach our employees and clients if they wanted to learn, 
how to impersonate someone so that the person on the other end of 
the line would feel either sympathy or pressure, whatever it took 
for them to release to me the information that I needed.  Anyone 
can impersonate anyone else if they sincerely make an effort, the 
person or customer service representative on the other end of the 
line truly wants to help, (most of the time anyway) so I use that 
to my advantage and convince them that they need to give me certain 
specific data.  This was how I achieved the majority of all my 
information, for back in the 1980's and early 1990's, the Internet 
was not that big into personal information. 
During the time of the Bill Clinton and Monica scandal, we were 
contacted by the F.B.I, I believe from the Baltimore office.  The 
agent wanted to know specifically who our client was that requested 
the information on why the White House was paying for Ms. Lewinsky's 
apartment as well as tracking down various cell phone and landline 
contacts of Ms. Lewinsky's.   After review with our counsel, we made 
available all records to that case to the agent who specifically 
informed us that we were within the legal limits on all work that 
we were doing! 
Thus we continued on blindly believing that we were literally 
assisting good people with good information.  This went on until 
the day that the Colorado Bureau of Investigation stepped through 
our doors and informed us that they had been tapping our lines and 
they believed that they had enough information on us for an 
indictment under the charge of Racketeering.  Immediately, we shut 
our doors, having been advised by our attorney that we should - for 
why should we make the case against us any worse than it already was? 
We left with a host of clientele still wanting their information on 
unsolved cases, as well as a healthy remaining balance in our 
"accounts receivable file."  During this time I was featured on 
"America's Most Wanted" as being the #1 con man in America, what a 
crock, if they only knew the truth I thought. 
The truth was however that we never committed fraud in our own 
minds, for we never used the information to steal a single penny, 
but only used the information as a marketable product to sell and 
distribute. 
This, we were informed, was a crime, and since we had done this so 
many times over the years, we (Regana & I) were both looking at 
doing serious time.  The only solution according to our attorney 
was to cease all business activities including any additional 
efforts at collecting our own past due debts and to walk away 
clean.  
This we did, for as it turned out the Lord literally freed up our 
time for my father got to the point with his cancer that we had to 
care for him full time at our house, where 4 months later he died. 
The final disposition was only 30 days in work release along with 
5 years probation - which was shortened to 3 years due to our 
sincere efforts at working elsewhere, not in our business, nor were 
we any risk whether flight, or criminal.  Then later in 1999 after 
my dad died, the lot fell to us once again to care for my mother.  
We worked out an arrangement with her and her attorneys so that 
we could receive funds from the trust set up by my father's 
departure which afforded us the time to care for her. 
Earlier this year, the Colorado Bureau of Investigation again 
contacted me, but this time they wanted to know if I would sit down 
with your Committee's staff to discuss my former business, the ins 
and outs of how I achieved the information, and how I targeted my 
clientele.  This I was more than happy to do, for I hold no 
animosity toward any law enforcement agency for our ouster of 
the investigative business. 
I informed Mr. Brown from the "CBI" as well as your Committee's 
staff that I honestly feel that this business is a necessity in our 
world, and that as long as people get in debt, there must be people 
to help collect that debt. 
In addition, the media will always want to know the latest scoop, 
whether trivially how drunk the young Ms. Bush got the night before 
or any information related to any newsworthy event. 
The answer then is NO, the business will never cease, but you as 
being the governmental body that can affect the way things are 
accomplished, I can tell you that you are having an actual effect 
on how the investigative world is handling their affairs today. 
This is occurring as we speak, for many data broker agencies that 
I have contacted over the past few months, have informed me that 
some information is getting tougher to achieve, due to the fact 
of the involvement of both state and federal authorities. 
The customer service aspects of the Utility Companies such as 
Telephone, Electricity, Cable and Satellite, etc. are the only 
ones that can make or break most of these attempts to acquire the 
information - for without sources to acquire the information, the 
quantity of success will go drastically down. 
While I personally do not advocate the elimination of either 
these investigative techniques or the agencies themselves, I must 
admit that many cross the line into the illegal realms, thus giving 
a bad name to all investigators. 
As of the date of this letter, my mother is also in severe physical 
shape to the extent that she is presently in a nursing home and 
will be soon coming to stay with us until the inevitable occurs. 
These are the basic facts of my life from the time of my entrance 
to the investigative world in 1982 until the termination of Touch 
Tone in 1999.  Thank you for your willingness to listen to me 
today, and I sincerely hope that my experience and knowledge in 
these investigative matters will be of help to you, to further 
understand both the good and the bad of my former business, the 
acquisition of information. 

Sincerely, 

James J. Rapp 
Former director, Touch Tone Information network 

P.S.  Please note that I have submitted to the Subcommittee an 
original copy of my training seminar handbook.  As an attachment to 
this testimony, I have included the following pages that outline the 
basic list of services that we provided to our clients during the 
operation of Touch Tone, and brief outlines of the ways that we 
utilized to acquire the requested information.  I am happy to 
describe for the Committee any of the following methods for 
obtaining records and information. 

Attachment A (Testimony of James Rapp, Outline of Training Handbook) 

Landline telephone numerical investigations 
The Local Carrier variations 
1. Residential Repair 
2. Business Repair 
3. Residential Orders 
4. Business Orders 
5. Residential Billing 
6. Business Billing 
7. Yellow Pages assistance 
8. Utilizing the CNL or CAN bureau of the Local telephone carrier 
9. Learning the carrier's terminology, Elmos, Orion, Boss, Premis 
etc. 

Utilizing the long distance carrier to obtain local information: 
1. The infamous "Quickcheck" 
2. 800 install assistance 
3. Foreign speaking operator assistance 

Cellular & Pager numerical investigations: 
1. Determining the carrier 
2. Identifying the local shop for both the Cellular carrier and the 
pager 
3. Utilization of trap lines to identify pager ownership 
4. Repair and sales of the Cellular company 
5. Resellers, the worst nightmare 
6. Use the "CAP" code on the pager for assistance, one office 
vs. another 

Independent Voice Mail number investigations: 
1. American voice mail, automated vs. verbal set up 
2. Land line direct voice mail accounts 

Toll Free & Remote call forwarded number Investigations: 
1. Determining the carrier of the initial number 
2. Acquiring the ring to number 
3. Breaking the ring to number 

International number breaks, Cellular and Landline: 
1. Breaking down the number into a country and city, determining the 
language and time element 
2. ATT Language line services 
3. Determining the carrier and acquiring their direct dial numbers 
4. Knowing your culture, varied holiday and other observances 

Physical Location Investigations: 
Non published address and telephone number investigation 
1. Getting accurate information from directory assistance 
2. Utilizing the non-published bureau of the local carrier 
3. Getting all your source ducks in a row 
4. Local cable company 
5. Local gas and electric company, propane if rural area 
6. Local newspaper company 
7. Local water department 
8. Trash service 
9. County voters registration 
10. County clerk & recorder, property, tax info etc. 
11. Local area hospital records 
12. Local video and grocery store information 
13. Credit Card records 
14. Reverse 911 assistance 
15. Playing the game to determine the address on file with 
information, know the city info as well as numeric basics 

Physical address break 
1. Getting all your source ducks in a row 
2. Local cable company 
3. Local gas and electric company, propane if rural area 
4. Local newspaper company, circulation & classified 
5. Local telephone carrier, your only guarantee 
6. Local water department 
7. Trash service 
8. County voters registration 
9. County clerk & recorder, property, tax info etc. 
10. Local area hospital records 
11. Local video and grocery store information 
12. Reverse 911 assistance 

Telephone and Credit Card toll records investigations: 
Landline toll record acquisition  
1. Residential vs. Business 
2. Knowing the subject's plan 
3. Determining the breakdown of the bill (Custom calling features, 
etc.), using the local carrier to get to the long distance 
carrier. 
4. Finding the long distance carrier, usage of "PIC" numbers 
5. Calling the subject to acquire the long distance carrier 
6. Acquiring the long distance carrier's page numbers 
7. Getting the true local calls, determining your subject's mileage 
radius 
8. Avoiding the dogs of war, the operators noting the account 
9. Putting them in a position where they cannot say "NO" 

Cellular toll record acquisition  
1. Determining the carrier 
2. Knowing the subject's plan 
3. Customer service vs. the local store 
4. Picking up and faxing in 
5. Internet usage acquisition 

Credit Card statement acquisition  
1. Determining the institution 
2. Acquiring the statement without the card number 
3. Customer service vs. Local bank 
4. Getting the breakdown (date, merchant, time & location) then the 
charges 

Governmental Investigations:  
Social Security information  
1. Going federal 
2. Knowing your subject, what's your goal (SSN, Address, 
Banking, etc) 
3. Acquiring the number to the local office, get names and addresses 
4. Knowing the terminology 
5. Going local to federal 
6. Going local to local 
7. Credit headers 
8. Creating confusion with similarities 
9. Disability, Medicare, Medicaid & Benefit information 
10. Utilizing the appeals section of the Social Security  
administration  
11. Acquiring relative information 

The Welfare system: 
1. Food stamps 
2. A.F.D.C. (Aid to families with dependent children) 
3. County assistance 
4. L.E.A.P. (Low income energy assistance program) 
5. Public housing authority 

Military information  
1. The standard DD-214 form 
2. Determining the whereabouts of any individual 
3. Financial aspects, how much, where are the funds deposited or the 
check cashed 
4. Utilizing the aggressive recruiter to do your search for you 

Department of Immigration and Naturalization  
1. Alien Identification information 
2. Relative status 
3. Current location and employment information 

Post Office Box breaks, both public and private 
1. Determining the type of box 
2. Acquiring the names and address on file 
3. Utilizing the forwarding information 
4. The box clerk vs. the station manager 
5. The postal inspector & the receipt of inappropriate materials 
6. Getting the private MBE (Mail Boxes Etc.) to talk to you 

Department of Motor Vehicle information 
1. License plate information 
2. VIN number information 
3. Track down through the name alone 
4. Going directly in 
5. Station to station 
6. Dealership and insurance information 

Specialized Investigations: 
1. Clientele List acquisitions 
2. Medical history information 

Employment information, both current and past 
1. Who does the subject work for? 
2. Telephone research vs. surveillance 
3. Quantity of the paycheck 
4. Self Employment:  Determining where the funds are coming from 

Financial Investigations: 
1. Banking, both Individual and Corporate information 
2. Various contacts with the subject's banking information 
3. Contact of the subject directly 
4. Brokerage house investigations 
5. Individually owned stocks, bonds, mutual funds etc. 
6. Real estate holdings 

MR. WHITFIELD.  Mr. Gandal. 
MR. GANDAL.  We are on the air.  Okay, good. 
I would like to thank the committee for allowing me to appear before 
you.  You may already know this, but I want to firstly bring home 
the point that I contacted the committee, not the other way around. 
I did this almost immediately after the committee sent out the 
first group of letters to data brokers and informally provided the 
investigation with information and explanations about the data 
broker industry.  In fact, my name would not have come up along the 
avenues the committee used in compiling the data for their 
investigation.  The reason for this is, I work in a very small 
corner in the data broker industry.  I work for automobile 
financiers and their respective repossession companies.  I do not 
market or offer any services to the general public.  
I have been a skip tracer and an information broker in this small 
corner of the data broker industry for more than 20 years.  I should 
note that, after speaking with a representative of the committee at 
great length, I decided to suspend my operations with regards to 
cellular call information detail.  
A few years ago, I saw these websites popping up which offered 
private telephone information to anyone with a credit card.  To 
begin with, I found this practice terribly irresponsible of the 
information brokers involved.  They did not control where the 
sensitive information was going or what it was going to be used 
for.  Nor, honestly, did they seem to care.  I also felt that 
their existence would shake up the wireless companies where skip 
tracers had worked quietly for so long. 
So I called the committee, and I asked the committee if they were 
trying to shut down the repossession industry.  And it didn't seem 
their focus was really recovery agencies, but without a common 
understanding I felt the committee had no chance of seeing a 
permissible purpose here.  So I wanted to help.  I assisted the 
committee by helping it understand how pretexting is done and what 
clients are soliciting this information for what I see is for 
permissible purposes.  I drew a line of distinction between the 
auto financiers searching for a vehicle and the "plain Joe" who 
wants this information for his own personal and possibly dangerous 
reasons. 
I am proud of my service to dozens of financial institutions for 
over two decades, and it shook me to the core that my profession 
was to be effectively criminalized.  So please allow me to speak of 
another profession that I feel should be criminalized before the 
only support for every auto financier in America receives this 
fate: the professional debtor.  This is the individual who uses 
true name fraud in order to purchase dozens of vehicles which he 
has no intention of paying for.  He may give the cars to friends 
or family, but, many times, he will sublease the vehicles and 
pocket the money that the third-party lessee gives him. 
The sweeping changes and credit granting that took place in the 
1970s opened new opportunities in the '80s and '90s, these being 
the subprime auto lenders.  They charge the highest interest rates 
allowed by law, and they do this proudly as they keep the mass of 
Middle America with dependable transportation. 
There was a time not long ago when a consumer with questionable 
credit did not get a car loan, plain and simple.  Now it is an 
educated guess that nearly 50 percent of American consumers have 
questionable credit.  I have checked this figure with several 
experienced managers in lending offices, and they concur.  The 
subprime lender is the only friend a guy's got after two previous 
repossessions and a bankruptcy.  He is going to need a car in order 
to dig himself out of the hole he finds himself in.  And forgive me 
for the gender choice.  It could have been a single mother as well. 
The subprime lender will give that man a second or even third chance, 
and they do this because they have the ability to recover the 
vehicle should the payments get too far behind.  Well, take away 
that last tool of their career salvation, the skip tracer at the 
repossession company, and you will see those with questionable 
credit will no longer be getting cars financed.  No longer buying 
those cars, nearly 50 percent of America, and it is all on the 
coattails of that professional debtor I spoke of.  He is the one 
who laughs at the repossessor when he is finally located. 
So the skip tracer fights back on the only battleground available, 
and that is the way it has been for 50 years in this industry.  As 
an expert skip tracer in the repossession field, I would like to 
offer two options to the committee to be considered as solutions 
to the problem.  
First, allow financial institutions and their agents thereof to 
continue the use of pretext in order to garner information otherwise 
not available in order to effectuate a legal and timely repossession. 
The other option is to create a liaison between the U.S. Government 
and the auto finance industry and recovery industry where 
information could be relayed to the telephone companies via their 
subpoena compliance departments and the needed info forwarded back 
to the recovery agency.  In fact, to take this a step further, true 
name fraud is so prevalent in this day and age that I feel a 
liaison representative should be able to contact these debtors and 
demand that the cars be returned immediately.  
In summary, there is a need for this information, just as there is 
a need for the subprime auto financier.  I, again, honestly and 
humbly thank you for this opportunity today. 
MR. WHITFIELD.  Thank you, Mr. Gandal; and we appreciate the 
testimony of both of you. 
[The prepared statement of David Gandal follows:] 


PREPARED STATEMENT OF DAVID GANDAL, SHPONDOW.COM, LOVELAND, COLORADO 

I would like to thank the committee for allowing me to appear before 
you.  You may already know this, but I want to firstly bring home 
the point that I contacted the committee.  I did this almost 
immediately after the committee sent out their first group of 
letters to data brokers and informally provided the investigation 
with information and explanations about the data broker industry.  
In fact, my name would not have come up along the avenues the 
committee used in compiling data for their investigation.  The 
reason for this is I work in a small corner of the data broker 
industry.  I work for automobile financiers and their respective 
repossession companies.  I do not market or offer any services to 
the general public. 
I have been a skip tracer and information broker in this small 
corner of the data broker industry for more than twenty years.  I 
should note that after speaking with a representative of the 
committee at great length, I decided to suspend my operations with 
regards to cellular call detail information.  A few years ago I 
saw these web sites popping up which offered private telephone 
information to anyone with a credit card.  To begin with, I found 
this practice terribly irresponsible of the information brokers 
involved.  They did not control where this sensitive information 
was going or what it was going to be used for.  Nor did they seem 
to care.  I also felt that their existence would shake up the 
wireless companies where skip tracers had worked quietly for so 
long.  So I called the committee and I asked the committee if they 
were trying to shut down the repossession industry and it didn't 
seem that their focus was really recovery agencies, but without a 
common understanding I felt the committee had no chance of seeing 
a permissible purpose here.  So I wanted to help.  I assisted the 
committee by helping it understand how pretexting is done and what 
clients are soliciting for this information for what I see as 
permissible purposes.  I drew a line of distinction between the 
auto financiers searching for a vehicle and the 'Plain Joe' who 
wants this information for his own personal and possibly dangerous 
reasons.  I am proud of my service to dozens of financial 
institutions over the past two decades and it shook me pretty bad 
to find that my profession was to be effectively criminalized.  
So please allow me to speak of another profession that I feel 
should be criminalized before the only support for every auto 
financier in America receives this fate: The Professional Debtor.  
This is the individual who uses true name fraud in order to purchase 
dozens of vehicles which he has no intention of paying for.  He may 
give the cars to friends or family but many times he will sub-lease 
the vehicles and pocket the money that the third party lessee gives 
him. 
The sweeping changes in credit granting that took place in the 
1970's opened new opportunities in the 80's and 90's, these being 
the sub-prime auto lenders.  They charge the highest interest rates 
allowed by law and they do this proudly as they keep the mass of 
Middle America with dependable transportation.  There was a time 
not long ago when a consumer with questionable credit did not get a 
car loan, plain and simple.  Now, it is an educated guess that 
nearly fifty percent of American consumers have questionable credit. 
I have checked this figure with several experienced managers in 
lending offices and they concur.  The sub prime lender is the only 
friend a guy's got after two previous repossessions and a 
bankruptcy.  He's going to need a car in order to dig himself out 
of the hole he finds himself in, and forgive me for the gender 
choice; it could have been a single mother as well.  The sub prime 
lender will give that man a second and even third chance.  And they 
do this because they have the ability to recover the vehicle should 
the payments get too far behind.  Well, take away the last tool of 
their career salvation, the skip tracer at the repossession company 
and you will see that those with questionable credit will no longer 
be getting cars financed.  No longer buying those cars then...nearly 
fifty percent of America, and it's all on the coattails of that 
professional debtor I spoke of.  He is the one who laughs at the 
repossessor when he finally is located.  So the skip tracer fights 
back on the only battleground available and that is the way it has 
been for fifty years in this industry.  As an expert skip tracer 
in the repossession area, I would like to offer two options to the 
committee to be considered as solutions to this problem. 
First, allow financial institutions and their agents thereof to 
continue the use of pretext in order to garner information 
otherwise not available in order to effectuate a legal and 
timely repossession. 
The other option is to create a liaison between the US government 
and the auto finance and recovery industry where information could 
be related to the telephone companies via their subpoena compliance 
departments and the needed info then forwarded back to the recovery 
agency.  In fact to take this a step further, true name fraud is so 
prevalent in this day and age that I feel a liaison representative 
should be able to contact these debtors and demand that the units 
be returned immediately.  
In summary, there is a need for this information, just as there is a 
need for the sub prime auto financier.  I again honestly and humbly 
thank you for this opportunity today. 

MR. WHITFIELD.  Mr. Rapp, it is my understanding that you are one of 
the, for lack of a better term, leaders of this industry.  You are 
one of the early data brokers in the country; is that correct? 
MR. RAPP.  Yes, I was. 
MR. WHITFIELD.  And you even have a training manual and you went 
around the country training other data brokers on the most effective 
way of obtaining this information. 
MR. RAPP.  There was a period of time that I realized that better 
funds could be better acquired by me going out and addressing the 
issues on how to specifically--breaking it down, showing people how 
to acquire the information throughout the country of the clients 
we had already established.  Thinking at that point--delusions of 
grandeur--that I could then leave the business, have enough funds, 
and life would be good.  
Unfortunately, things don't work out the way you want.  And I 
trained many, many clients.  We made a tremendous amount of money.  
But they still continued to use us; and at that point they said, 
well, we don't want to do it on our own.  We want to understand more 
of what you do, but we still want to use you. 
MR. WHITFIELD.  Okay.  During your testimony in articles that I 
have read about you, you mentioned President Bill Clinton and Monica 
Lewinsky.  You referred to an undercover officer out of Los Angeles 
who was murdered-- 
MR. RAPP.  Correct. 
MR. WHITFIELD. --because of information you were able to obtain.  
And you mentioned the National Enquirer, The Globe, and even 
indirectly mainstream media.  And I would just ask you, were any 
of the mainstream media ever your clients in obtaining information 
about people?  
MR. RAPP.  In roundabout ways they were.  Such organizations such 
as 20/20, Entertainment Tonight, weekly news or nightly news, NBC, 
CBS, and ABC, they would have their private investigator on staff; 
and those investigators, some of which would contact us relating 
to different--small pieces of information they would need.  Where 
is an individual going to be at a certain time?  This individual 
apparently is driving a Porsche but works as a busboy at a 
restaurant.  How come?  Where is the money coming from? 
MR. WHITFIELD.  Right. 
Now you also mentioned that at one time you were pretending to be 
John Ramsey, the father of JonBenet Ramsey; is that correct?  
MR. RAPP.  Yes, sir. 
MR. WHITFIELD.  Now who was your client in that situation?  
MR. RAPP.  We had many clients, many different clients of ours 
that worked with media outlets when anything big were to happen, 
whether it was Columbine, whether it was Monica Lewinsky, whether 
it was John Ramsey, they would all contact us pretty much for 
the same basic information.  They would want to know the whos and 
the whys.  Who did Mr. Ramsey call the minute he found out his 
daughter was missing?  You know, was it an airline to be able to 
get a trip to Michigan?  
MR. WHITFIELD.  Were these law enforcement agencies? 
MR. RAPP.  No, law enforcement agencies used us rarely.  We 
had--apparently, it was an ex-FBI agent out of Texas that utilized 
our services and there were other local law enforcement agencies 
that would contact sporadically, very, very minimally.  I would say 
half a percent of our business would have been from law enforcement. 
MR. WHITFIELD.  Right. 
MR. RAPP.  The majority was all from the private sectors. 
MR. WHITFIELD.  The murder of JonBenet Ramsey was such a national 
story.  So many of the news media used you in that? 
MR. RAPP.  Correct. 
MR. WHITFIELD.  And what were you trying to do by impersonating 
Mr. Ramsey?  You were just trying to find out who he called first 
and -- 
MR. RAPP.  Just the basic information:  Who he called, why did he go 
to a hardware store to buy tape and rope, that apparently tape and 
rope were used on his daughter to tie her up.  Why was that purchase 
made at a hardware store with his credit card? 
MR. WHITFIELD.  Now you probably heard the testimony of Mr. Yuzuk 
earlier today, and we were talking about how in the world can you 
obtain a password on an on-line account.  So tell us how do you do 
that. 
MR. RAPP.  Persistence.  Intelligence of knowing these people, these 
customer service reps that are sitting--whether it be for Verizon, 
T-Mobile or any cell or local landline carrier, they are in a 
position to want to help you.  Their job is to satisfy the 
customer.  Not to spend a lot of time, but when we get our point 
across to them, you need to help us, this is what I need, if I 
need a breakdown on my bill because I am going to be in a 
subcommittee meeting in Congress and I need to get a breakdown of 
this bill in the next 20 minutes, what is their option but to say 
yes, let's go over your bill.  What is your first call?  
MR. WHITFIELD.  Even though you are not the person you were 
representing to be?  
MR. RAPP.  Yeah.  They have no clue.  Credit headers are legal.  All 
credit reporting agencies in this country make headers legal.  
Headers being the first part of the information.  I can take your 
name and your address and put it in and get your Social Security 
number without even a problem. 
MR. WHITFIELD.  It is easy to get my Social Security number legally? 
MR. RAPP.  Yes, legally through the credit reporting agencies or, 
if I wish, utility agencies.  The phone company, of course, has it, 
that I am going after.  But utility agencies, any and all things 
pretty much have your Social Security number; and it is a question 
of which one is going to give it to me first? 
MR. WHITFIELD.  What if the numbers are truncated? 
MR. RAPP.  Truncated? 
MR. WHITFIELD.  Like the last four numbers. 
MR. RAPP.  That has no bearing, not to me.  When I am going into 
these carriers and everything, if I have the majority of it, I am 
going to convince them they are wrong and I am right.  But if I 
have the majority of it when I go in, if I need it all, I am going 
to go into a utility department--you have given your Social Security 
number, I have no doubt, to the electric company, gas, cable.  They 
all have it. 
MR. WHITFIELD.  So if I ask you to get Mr. Inslee's password on his 
account at such and such a bank, what is the likelihood that you 
would be successful in getting that? 
MR. RAPP.  Give me an hour, and I am sure we can do that very 
successfully.  It is not--don't take me wrong.  It is not a prideful 
issue.  It is just a fact.  They are there for a resource to help 
the people.  
My job was to provide information, and we did it very successfully 
just because if one option set you down, you didn't sweat about it.  
You went right to the next one.  Somebody is going to give you the 
information you need. 
MR. WHITFIELD.  Well, in some ways, this is kind of humorous, but, 
in other ways, it is not humorous at all; and I think it is important 
that the American people recognize that, as you said in your 
testimony, there are no secrets.  You can find out information 
about anybody, about anything. 
MR. RAPP.  For the most part.  
MR. WHITFIELD.  And one other part, in this training manual you had, 
you mentioned the infamous Quick Check and 800 install assistance.  
You mentioned both of those in your testimony.  What does that refer 
to? 
MR. RAPP.  Let me give you an example, if I may.  Let's assume your 
long distance carrier is MCI, for example.  I have a listing of 
telephone numbers that was a very common form of what we did in 
Denver and in Parker and the work we did.  Clients would give us 
phone numbers to break.  They would want a name and an address, what 
normally is referred to as a CNA, on a whole host of numbers.  This 
was before the advent of Google and the two brothers and all of that. 
I would utilize and go in--and you can still do this today.  Before 
I came to the committee I was making a few phone calls to find out 
what was still available; and, surprisingly, nothing has changed. 
If I contacted MCI saying I was Chairman Whitfield and I said I 
had a few questions about my bill, they would be more than happy 
to want to help me.  At that point, I would take my list of numbers 
and I would say, I don't recognize these numbers as being dialed.  
And they would respond, well, we don't see those on your bill.  
I would say, do you have a page 7, knowing that I have already 
gone in before to find out how much you owe and find out you only 
have 6 pages on your bill.  They would say, no, I only see 6. 
I said, well, on page 7, and they are not going to question me 
and say, well, apparently we are missing something.  What can we 
do to help you?  
I would give them these numbers, and now they have an automated 
system, but, before, they would run those numbers through their 
long distance network and bring up who they showed was the name and 
address of each and every one of those phone numbers. 
That is called the Quick Check.  You could utilize that service 
prior to AT&T breaking up and still parts of AT&T where it is an 
automated system, where you go in and put in your home phone 
numbers and you can enter phone numbers you want to have 
identified.  They make that service available to people because 
there might be times on the bill your wife made a phone call long 
distance and you want to know who they are going to, and they will 
provide that information to people.  
So it is not just the numbers on the bill.  If you convince them 
the numbers are there and they don't see them, they are still going 
to give you a listing of whatever numbers you want.  That is what 
I utilize as a Quick Check. 
MR. WHITFIELD.  And that is the 1-800-Install Assistance is what you 
were talking about? 
MR. RAPP.  You call an 800 number to reach AT&T or MCI.  You have 
to understand when I contacted my brokers throughout--the private 
investigators that I taught this manual up, they didn't have a 
basic understanding or working knowledge of how to acquire 
information.  That is one of a host of steps, and that is one of 
the first steps.  It is a quick one, because you get through to 
customer service quicker, and they are more apt to want to help you 
because they are not the local carrier. 
MR. WHITFIELD.  My time has just about expired, but before I 
recognize Ms. DeGette, I want to ask unanimous consent that we 
enter the document binder into the record.  So moved. 
 [The information follows:] 


MR. WHITFIELD.  At this time, I recognize Ms. DeGette. 
MS. DEGETTE.  Thank you, Mr. Chairman; and welcome to both 
of you.  
Mr. Rapp, I want to start with you.  We are calling what you did 
and I think, Mr. Gandal, what your folks do pretexting, which is 
kind of a prettied word for pretending that you are someone that 
you are not, right? 
MR. RAPP.  That is correct. 
MS. DEGETTE.  Like, for example, in the JonBenet Ramsey case, which 
all of us in Colorado are even more familiar with than the Chairman 
is, you were not hired by the police officers or the law enforcement 
agencies.  You were hired by an independent entity, correct? 
MR. RAPP.  Correct. 
MS. DEGETTE.  Can you tell us who that was? 
MR. RAPP.  There were many different agencies at that point.  
I don't remember.  It has been 7 or 8 years. 
MS. DEGETTE.  Some of the people who hired you were tabloid 
newspapers? 
MR. RAPP.  They didn't hire me directly.  They went through other 
private investigators. 
MS. DEGETTE.  Right, but when you say "agencies," you sort of imply 
that it was like a law enforcement agency.  Do you see what I am 
saying?  You were hired by independent investigators, not by law 
enforcement agencies. 
MR. RAPP.  Correct. 
MS. DEGETTE.  And what you were doing when you, for example, were 
trying to go to the hardware store and find out about the rope and 
tape and so on.  You weren't doing that in the assistance of a law 
enforcement agency.  You were hired by a private investigator who 
then gave that information to others, right? 
MR. RAPP.  Correct. 
MS. DEGETTE.  In fact, subsequently, the Boulder--I guess it must 
have been the Boulder police, they raided your office, and they said 
that you impeded their investigations; is that right? 
MR. RAPP.  Well, yes, that is the story we heard, too.  They did 
come in and confiscate the computers. 
MS. DEGETTE.  Did you ever find out anything that helped to crack 
the case?  
MR. RAPP.  The information that we found out that I have verifiable 
facts for apparently never made it to the media, never made it 
to--past the law enforcement usage of it for what examples, we have 
no idea.  We were told that this-- 
MS. DEGETTE.  Now, according to the Rocky Mountain News this is what 
they said.  So, you know, the press, with all due respect, doesn't 
always print exactly what you say, as I know, but what this says is, 
Rapp says "he has no regrets about his work which found its way 
into supermarket weeklies," is that true? 
MR. RAPP.  True. 
MS. DEGETTE.  Now also in that same Rocky Mountain News article you 
said there were times when you tracked down phone numbers to battered 
women's shelters but you refused to give the information to the 
client. 
MR. RAPP.  That is correct.  When it was obvious, at least to me--the 
folks on the committee might say, well, it is all obvious, or it 
should be.  Well, if you are in that business of providing the 
basic information to PIs, the majority of which PIs were looking 
for people on behalf of their clients and it didn't become media 
until-- 
MS. DEGETTE.  It is obvious when you get the phone number of a 
battered women's shelter maybe this is not where I should go, but 
the rest of the time you don't really know for sure. 
MR. RAPP.  That is correct. 
MS. DEGETTE.  So you were a hired gun and getting information and 
giving it to whoever paid you. 
MR. RAPP.  For the most part yes. 
MS. DEGETTE.  So in your testimony--I mean, this is what we are 
trying to grapple with, is--and Mr. Gandal talked about it too, 
sometimes there is a legitimate use for this information, but 
sometimes there is not.  And what it can do is it can wreak havoc 
with somebody's privacy, right? 
MR. RAPP.  It can. 
MS. DEGETTE.  So you testified that there is a positive use for the 
data broker industry, and I am wondering if you can tell me that, 
through your years of experience involved in the good and bad parts 
of this industry, there would be any way you could differentiate. 
MR. RAPP.  If I knew that the client was working on behalf of a 
judgment debtor, and there were many private investigators who would 
work on behalf of clients if they actually had a copy of the 
judgment, that to me is a legitimate use to acquire the person's 
information if they have gone through the process. 
MS. DEGETTE.  Right.  But that is based on your judgment, right? 
MR. RAPP.  It is based on the court's judgment. 
MS. DEGETTE.  You are the private investigator or you are the person 
who is doing this technique.  You are deciding, okay, I have got a 
copy of the judgment that seems legitimate, right?  
MR. RAPP.  Correct. 
MS. DEGETTE.  Well, the problem is we are the ones that write the 
laws.  We can't write a law like that.  We can't write a law that 
says you can't go in and impersonate JonBenet Ramsey's father, but 
it is okay if you use pretexting to enforce a judgment.  Do you see 
what I am saying?  
MR. RAPP.  I understand. 
MS. DEGETTE.  So how do we differentiate? 
MR. RAPP.  That is a good question.  It is a necessary evil that is 
going to continue, regardless of the laws that you write. 
MS. DEGETTE.  Do you think it is a necessary evil?  You don't think 
there are other ways we can get this information that we need? 
MR. RAPP.  No.  When people don't want to pay their debts, pay 
their car notes, or pay other things and want to abscond with the 
money and not pay their debts, no.  There is no other way that you 
are going to get them to pay up unless we physically go in and take 
that money from them.  If they wanted to pay their bills, they would 
pay it, or else bankruptcy courts wouldn't be full. 
MS. DEGETTE.  So the only way we can get that money is to pretext so 
we can get this information so-- 
MR. RAPP.  That is one way, yes. 
MS. DEGETTE.  That is not the only way. 
MR. RAPP.  I am sure there are other ways, but they haven't paid 
their bills before that. 
MS. DEGETTE.  That brings me to you, Mr. Gandal.  Now these 
companies that extend credit for the automobiles, I would assume 
that they have written agreements with these, with these, what do 
you call--the debtors; is that correct?  
MR. GANDAL.  Yes, they are signing a security contract. 
MS. DEGETTE.  And I would assume those contracts include language 
that allows the automobile finance companies to get access to certain 
information about these debtors, correct?  
MR. GANDAL.  I have never seen language that would allow the auto 
financers to get information that I am getting.  Basically, it says, 
you pay this much a month; if you don't pay it, we have a right to 
go back and get your vehicle.  
A lot of people don't like to give back their vehicles.  A lot of 
people will get downright violent about it.  
A lot of people will take off and laugh at you.  So will their 
entire family, because they were taught by their parents how to do 
this. 
MS. DEGETTE.  So you think the only way to get these cars back is to 
pretend, pretexting. 
MR. GANDAL.  Only way, no.  No, ma'am, of course not.  There are so 
many ways to do so many things. 
MS. DEGETTE.  Exactly. 
MR. GANDAL.  This is a way that has worked for a long time because 
when you are dealing with a debtor, you don't go above them.  You 
get down at their level, or you don't work with them; you don't get 
anything.  There are replevins available, banks don't even look at 
them because they are too expensive. 
MS. DEGETTE.  They don't look at them because they don't have to 
because they can hire you, right?  
MR. GANDAL.  Okay, that is one way to look at it.  But it is a much 
deeper problem than that in the finance industry. 
MS. DEGETTE.  Let me ask you the same question I asked Mr. Rapp, 
because you are a law-abiding citizen. 
MR. GANDAL.  Yes, I am. 
MS. DEGETTE.  What would happen if somebody pretexted your identity 
and got all of your information and then used it for an illegal 
purpose? 
MR. GANDAL.  That would be wrong.  I don't do that kind of thing. 
MS. DEGETTE.  The problem is, if we don't pass a law that covers 
all of these issues, then we can't pass a law saying you can only 
go after the evildoers; and you can still use pretexting, but the 
legitimate, law-abiding people, you can't do it.  We can't pass 
that law. 
MR. GANDAL.  That is a problem.  And that is why I suggest to-- 
MS. DEGETTE.  Do you think it is better that we allow these tens of 
thousands of cases where people use pretexting for illegitimate 
reasons in order for your clients to be able to repossess those 
cars?  
MR. GANDAL.  No, I don't think it is better.  I think there needs to 
be control in the entire system, and on the other end also.  There 
should be laws against professional debtors.  There should be laws 
against opening a home improvement company, buying 60 cars, 
subleasing them and then just doing it again and again and again. 
MS. DEGETTE.  I completely agree with you.  And in most States 
there are laws like that, and I think we need to make sure we 
enforce them. 
MR. GANDAL.  Those aren't enforced, just like if there is a law 
against me, it is not enforced either. 
It seems to me, a brick wall maybe you're taking down. 
MS. DEGETTE.  I think the brick wall will be torn down, because I 
think the consumers of America are getting very concerned about 
their privacy, and they are seeing pretexting as just one aspect 
of identity theft.  And privacy concerns, which the Chairman will 
tell you, we are increasingly on this committee feeling those 
pressures every day, because it is just getting out of control. 
Now, Mr. Rapp, you have been operating in Colorado for quite some 
time; is that correct?  
MR. RAPP.  Yes, ma'am. 
MS. DEGETTE.  And Colorado has no laws that cover private 
investigators?  
MR. RAPP.  Correct. 
MS. DEGETTE.  Do you know offhand how many States do regulate 
private investigators?  
MR. RAPP.  The majority of States do.  During our early years, we 
would move to Utah, Montana, other States because of the fact of the 
lax laws. 
MS. DEGETTE.  And you ended up in Colorado, in part--aside from the 
great natural beauty and wonderful aspects of the State, which I 
know well, you ended up there, in part, because we have no laws 
that cover private investigators?  
MR. RAPP.  Truthfully, I was born and raised there, so that was 
always home.  But I wanted to go back there to the extent that we 
could do this work always knowing they were a little harder, 
however, on the prosecution of people like us, even though there 
were no set laws.  That is why they charged us with RICO.  They 
said, we do that when we don't know what to charge you with; we 
just don't like what you are doing. 
MS. DEGETTE.  One last question, Mr. Chairman. 
Do you think tougher laws by States regarding private investigators 
would help with some of the edgier and even illegal practices?  
MR. RAPP.  You know, that is a tough question.  It is going to keep 
the law-abiding people, law abiding; and the ones that are going to 
break it are going to do it anyway, regardless of the law. 
MS. DEGETTE.  Thank you, Mr. Chairman. 
MR. WHITFIELD.  Thank you.  
At this time, I would recognize Mr. Burgess. 
MR. BURGESS.  Thank you, Mr. Chairman.  
Mr. Rapp, your last comment reminded me of what a mechanic told me 
one time that an ignition key was just to keep an honest person 
from driving off with your car. 
This line of questioning has just been fascinating. 
Mr. Rapp, you said early in your testimony that your work in this 
field actually predated the Internet becoming a big deal.  
How--have you thought at all about how the Internet would have 
changed your line of business?  
MR. RAPP.  We have.  When it started back in the early 1980s, that 
wasn't a big deal, the Internet wasn't.  In the 1990s, many of my 
employees that went off on their own, and we had trained--many of 
which, as people do, went off and got their own clientele and 
lived life.  They said, it is so easy on the Internet. 
But there is always a track back to you; that was my advice back to 
them.  I would hesitate on using it and never did.  Today, when I 
go online, there is not much you don't see.  But the majority of 
it, if you read in the small print, the fine print, they don't 
guarantee anything.  
When we were in business, guarantee was everything.  If I don't get 
the information, I don't get paid.  Online, if they don't get the 
information, you still have to pay a surcharge, which is stupid 
enough for them to put it out, but people buy into it. 
And, yes, it is available and AT&T, Verizon, all the carriers, have 
to make things accessible to people; and if you make it accessible, 
there is going to be that element and, I hate to say, the negative 
element a lot of us that are in the field go into, and you are 
going to tie into it and expand upon it and use it. 
MR. BURGESS.  So just like everything else, the Internet has the 
ability to accelerate the-- 
MR. RAPP.  Absolutely, it is. 
MR. BURGESS. --dark side of this process? 
MR. RAPP.  Correct. 
MR. BURGESS.  If you don't mind me asking, since 1999, when you left 
your profession, what is your line of work currently? 
MR. RAPP.  Well, at this point--in 1999, my dad developed cancer, 
and 5 months later he died; and right after that time, 2 months 
later, I started taking care of Mom, who is now living in our 
house.  So I have been, I want to say "relished to," but at this 
point that has been my line of work, as a caretaker.  
Fortunately, we have enough funds in savings, and we are okay to 
survive.  But that is the line of work. 
MR. BURGESS.  So you have not involved yourself in any of these 
activities that you were apparently--you were gifted, as you got 
out of your higher education institution in 1982, you were gifted 
in this field?  
MR. RAPP.  I wasn't necessarily gifted.  If you do some things 
so repetitively, you are going to get good at it, or you are going 
to get out of the business and find something else.  But I still 
train--every now and then, I haven't done it for years, but a client 
will fly in somebody and ask me if I will spend a day or two and 
train them.  Go after the aspects of how do you do it, how do you 
find it?  
Especially re-po people, when you track down a vehicle, you have to 
do it.  You want to try and make an effort of get your vehicle back, 
or what's the point of the whole game?  You have to.  So there is 
a very legitimate need that is still maintained here. 
Yes, I did still do that once in a while.  I haven't done that in a 
few years, but that is about the extent of it. 
MR. BURGESS.  Looking through the information provided to us in the 
evidence book, under Tab 12, it looks almost like you are giving 
directions on how to go through this process.  And it looks fairly 
well thought out, if you even made--someone made some handwritten 
notes here on perhaps how to even improve upon the process. 
MR. RAPP.  I don't believe Tab 12 is mine.  Which are you relating 
to, which page in Tab 12?  
MR. BURGESS.  I beg your pardon, Tips For Performing Pretext, 
prepared by James Rapp; would that be yours?  
MR. RAPP.  Where are you looking at?  Again, I apologize. 
MR. BURGESS.  I thought I was looking at Tab 12, or maybe someone 
pretexted it.  I don't know; maybe it is in code.  In any case, 
the actual document is not relevant to the question.  Would there 
be a role for someone with your facility to work through these 
problems, to work on the good side, to help protect from this type 
of intrusion into their private data?  
Could you put your efforts to good use in society? 
MR. RAPP.  Absolutely.  If you limited phone companies, cellular 
companies--you all are very concerned about that--to only speak to 
the person on their cell phone, end of story, period, you would 
eliminate 95 percent of the issue; the only way that they would 
talk to anybody is if they called them at their specific cell 
number, and then addressed them and made sure they had all their 
individual specs. 
The only way-- 
MR. BURGESS.  A representative would have to call back on the cell 
phone-- 
MR. RAPP.  Correct. 
MR. BURGESS. --to get around the problem of spoofing and putting a 
fake phone number into the system?  
MR. RAPP.  That's correct. 
MR. BURGESS.  So that is going to--and that may be what they 
internally need to do.  That obviously increases the cost of their 
customer service significantly to add those extra steps, but it is 
a valid thought.  
I appreciate your sharing it with us. 
Mr. Gandal, you heard Ms. DeGette in her line of questioning and I, 
you know, being on this side of the equation for the first time in 
my life, looking at your business, yes, it is difficult to regulate 
what you guys do and, of course, being in government we love to 
regulate. 
I get the impression that you feel that people who do your type of 
work will, of necessity, have to continue--Mr. Rapp alluded to 
it--that to get the vehicle repossessed, you have to know where 
to go, where to go to find it. 
Is that your feeling as well?  
MR. GANDAL.  Yes, it is.  There are a lot of vehicles out there 
that are not going to be found unless you go ahead and work the 
account in such ways to obtain sensitive information. 
MR. BURGESS.  So when you initiated your career into this type of 
work, you were working for people who were, in fact, law abiding 
and trying to keep their legitimate businesses going by locating 
vehicles, where people had skipped?  
MR. GANDAL.  That is correct.  I was actually a private 
investigator doing workman's comp in Colorado.  And we couldn't 
find claimants because claimants used the lawyer's address in the 
mid-80s--'84-85--and you have to pick up a claimant at a 
State-ordered medical appointment in order to follow him and do 
a workman's comp surveillance.  And those are very difficult to 
do because they are in big buildings you don't know where they 
parked, et cetera, et cetera.  
And I decided, well, you have to learn how to find people.  I 
developed these ways to find people at that time. 
MR. BURGESS.  And I appreciate that, but you see our difficulty 
now is that the criminal element has adopted some of your 
techniques, and some of your ways and some of Mr. Rapp's, so there 
has to be a way of putting parameters around it and guarding the 
innocent public.  
Mr. Rapp had one suggestion.  Do you have in your--with your 
experience in this industry, do you have ways that you see that 
would be at our disposal for putting those barriers, those 
boundaries, in place?  
MR. GANDAL.  Yes, I do.  First of all, I agree with Mr. Rapp as 
far as telephone companies calling back the cell phones.  I said 
that a long time ago, and even tried to speak with some wireless 
companies about that in the past. 
As far as from my angle, the repossession angle, as I said, I 
believe there should be some sort of a liaison, some sort of a 
person on the repossession and lien holder's side of this dilemma, 
because all laws are out there to protect the debtor.  There are 
no laws to protect the repossessor.  They get shot at whatever 
happens; they were on the property, whatever happens. 
There should be somebody that can circumvent the issue without 
waiting 6 months in a court when the vehicle disappears; and even 
with replevins, a lot of replevins don't work.  You have to bring 
them into court and find out where the vehicle is.  
If the vehicle is not around, still people have avoided the issue.  
And many, many hundreds and thousands of vehicles are actually never 
located; and I mean, hundreds and thousands over the years.  And 
the way to handle that is to have a liaison, or some sort of a 
control group that can reach this person and say, look, I have the 
authority to force you to tell me where this vehicle is; where is 
the vehicle?  We will leave you alone; all we want is the car.  You 
signed a contract.  We want the car. 
It is a legal contract with a titled vehicle, and everything is 
legal, and yet, still, the vehicle isn't there.  And, they are 
effectively stealing the vehicle.  
And I am not talking about the person who gets a couple months 
behind.  Those are good people, and there's a lot of good people 
out there that have to go subprime because they got sick and have no 
medical insurance, because they lost their job.  There are so many 
reasons; now, in this economy, it keeps on going.  But those are 
not the people I am talking about, because those people call the 
bank and say, I can't afford my car; I really need you to come and 
get it. 
It is the people, the people that I speak of are the professional 
debtors, and there are a lot of them out there. 
MR. BURGESS.  Now, Mr. Rapp says he got into the business, or 
concluded his activities before the Internet.  You are still 
actively engaged in it?  
MR. GANDAL.  I no longer get cellular telephone records, but yes, 
I still locate vehicles and I still assist law-- 
MR. BURGESS.  How has the Internet changed your practice? 
MR. GANDAL.  The Internet changed my practice completely.  Cellular 
telephone records and things like that weren't even available until 
the Internet.  There were ways to pretext, to get calls over the 
telephone, but the Internet has changed everything because, as you 
said, you have to make it simple for people.  And that is what the 
wireless companies did is, they said that customer service is more 
important than customer security. 
Now, I will tell you also at this time that a few of the wireless 
companies have made changes, on their own, in the past 6 months, 
because they realized what was happening. 
And now the information is still available, but you have got to be 
very good and you have got to know other things where, if I might 
speak about the gentleman that had his records taken from Cingular. 
All you need for Cingular is the five-digit ZIP Code and the last 
four of the Social Security number and you are in.  If you put a 
password on there, I can explain what happened there.  It wasn't 
me that did it, but I know what it does.  
When you go into these wireless companies, they have retrained a 
lot of their staff--a lot of it, not all of it.  So sure you can 
keep on going in.  A lot of these companies use people in 
Thailand or Bangkok.  Do you think they care what they are being 
told?  No, they are just going to answer whatever questions you 
want. 
But when you really need to get information, you leave Cingular; 
and what they did to get that password is, they went to one of the 
Cingular stores and called one of the Cingular stores instead of 
Cingular wireless and they probably went in as customer service 
from Cingular and were able to get that information that way, "Our 
system is down right now; can you help us?" 
The stores are not regulated nearly as much as customer service, so 
just to help that gentleman out, that is probably what happened; and 
once they have that password, they quietly went back into the 
Cingular Web site whenever they needed the information. 
MR. BURGESS.  Thank you, Mr. Gandal.  That is very thorough and 
helpful.  We have unfortunately gotten the gavel, so I will yield 
back. 
MR. WHITFIELD.  I recognize Ms. Schakowsky. 
MS. SCHAKOWSKY.  Mr. Gandal, I am glad you acknowledge at some point 
that there are those people who have gotten into financial trouble 
not because they are professional debtors.  Fifty percent of the 
individual bankruptcies are people who have health care debt. 
And yet the obvious contempt that you have for some of the people 
that you have gone after makes me wonder how much you don't just 
believe that the ends justify the means and that you are doing some 
sort of a public service. 
What I wanted to ask you, though, is, since 1999, when 
Gramm-Leach-Bliley passed, pretexting for financial information is, 
in fact, against the law.  So how do you do that?  
MR. GANDAL.  I have never picked up financial information.  I am a 
skip tracer.  I am looking for somebody, and that is really all I am 
doing.  I might use a cell phone record as a tool in order to locate 
somebody, or a utility record or whatever, but I have never offered 
financial information.  
I know how to do it, basically the same way you do anything else, 
but I have never been an information broker in that I have always 
assisted in looking for vehicles. 
MS. SCHAKOWSKY.  But you know how to do it in a legal way?  
MR. GANDAL.  No.  
MS. SCHAKOWSKY.  Did you do it after--Mr. Rapp, after the law 
passed?  
MR. RAPP.  No, ma'am. 
MS. SCHAKOWSKY.  I think all of us would be interested--you did-- 
Mr. Gandal, give an example now of how you can get a password.  You 
are saying someone pretends they are calling from Cingular to a 
Cingular store and ask for some help.  
I wondered if you could give us what--Mr. Rapp, what's your rap in 
order to get someone to turn over the kind of information that you 
need?  What does the phone call sound like, to get this sensitive 
information? 
MR. GANDAL.  That one is on you. 
MR. RAPP.  Thanks.  Give an example.  If I wanted to find out--if 
you are familiar with Cook County, Chicago, Illinois, if I wanted 
to find out, let's just take your credit card, and let's say a 
client-- 
MS. SCHAKOWSKY.  You know where I live.  Now I am nervous about what 
else you know.  Go ahead. 
MR. RAPP.  Let's say I want to look at your Visa; your husband was 
concerned about some of your purchases that he didn't recognize.  
That may be the story that is given to me.  We don't know. 
We had at one point over 1,500 clients that were private 
investigators throughout the country, and they would bombard us 
literally with 10 to 20 cases a day, not all of them, but we had a 
tremendous amount of work.  So we didn't have time to look into each 
and every aspect. 
But if a case came across my desk from you, and they said, we know 
she has a Visa, this is her home address, that is all we have on 
her; that is all I need.  I don't even need that much.  But if I 
have your name, your name alone, I have no doubt somewhere there is 
a utility, whether it be electric, cable, newspaper, something in 
your name, that is going to have your address on file. 
I am going to go there and get your address; I am then going to get 
your Social Security. 
MS. SCHAKOWSKY.  Tell me how do you do that? 
MR. RAPP.  For example, if I call the electric company, and I call 
them up and I tell them I am you, and I talk real sweet to them and 
explain to them that my electricity is out and there is a fire in 
my breaker box, for an example, they are going to have to do 
something.  They are going to want to help.  
I will say-- 
MS. SCHAKOWSKY.  You create a kind of urgent situation?  You don't 
have time to fool around? 
MR. RAPP.  Correct.  We are talking 10 to 15 minutes per case, on 
average, per person.  
MS. SCHAKOWSKY.  But you convince them that this is urgent. 
MR. RAPP.  I convince them that there is a situation I need to 
address.  "Lights out" is the most common, or "I smell gas."  
Either way, they will say "what is your address?"  
"I am over here at Route 4, Box 18, right here in Cook County." 
They will say, "we don't have an address like that."  
I will say, "yes, you do.  This is one of the new ones; they just 
came out and renumbered it with the 911 system out here.  We didn't 
used to have it; now we do."  
They say, "we can't pull it up that way.  What is your name?"  
You give them your last name, the correct spelling.  
They say, "oh, well, we have you over here, 144 Northwest whatever."  
And I am saying, "oh, well, it is the same thing."  
Now that I've got the address, I will push them a little more, get 
your home phone number, whatever they have on file going in; and my 
goal-- 
MS. SCHAKOWSKY.  You are calling.  Why are they going to give you 
your home phone number?  
MR. RAPP.  Because I am going to explain to them, we run a business 
in our home.  "We have multiple lines in here, and want to make sure 
you can reach me.  I have a sick kid upstairs.  Do me a favor, do 
you have a 4912 or 4913 number?" 
"Huh?  What are you talking about?  This is the number we have on 
file."  
"Great.  Thank you very much." 
Then I will do the same basic thing with Social Security number.  
When I go back in, at a different point--it may be 5 minutes 
later--once I have the exact address and I have verified it, if I 
call directory assistance and you are nonpublished, they still to 
this day will verify the location of that nonpublished listing, 
which they can do with me so I make sure I have the right party, 
you, that I am going after. 
Once I have that down, and I have acquired the Social Security 
number from the same company, or cable or whoever, I go in to 
Visa-- 
MS. SCHAKOWSKY.  Is a Social Security number any harder to get than 
address or phone number?  
MR. RAPP.  No. 
MS. SCHAKOWSKY.  No. 
MR. RAPP.  Every utility company has it on file.  Most now, if you 
sign up with a brand-new account-- 
MS. SCHAKOWSKY.  Tell me how you get a Social Security number. 
MR. RAPP.  I do the same exact thing.  If I have gone into the 
utility company, I'm going to say, "wait a minute now.  You had 
a listing on my credit, or Equifax sent me a copy of my credit 
report as they do every year.  I had a negative report listed from 
you folks."  I am going to say, "there shouldn't be that."  
They are going to take a look.  "Well, you have always paid your 
bills on time."  
"Now, wait a minute, that is correct, but my father and I, Junior 
and Senior; I think you may have him confused with me."  
They will say, "well, we don't have your father.  We have you."  
I say, "well, this is my Social."  
"No, that is not the one we have.  Here is the one we have."  
It is just playing the game.  And when you convince them that they 
are wrong, they want to prove to you that they are right.  Or they 
want to help. 
Once I have your Social, I call in to Visa, and I don't even need 
to know the card number, or have it with me; and just calling Visa, 
I don't need to know which bank you got your credit card number 
from.  If I run your name and Social, they are going to tell me 
which bank it is that you have an account; and they are going to 
want to speak to you because they believe I am a man, which is 
fine. 
Once I find out which bank it is, I can go back and have a little 
more ammunition, and I will have one of my girl operatives be you 
and acquire every call, every charge you had the last 90 days 
without ever having the credit card number or anything. 
But again there is no fraud in the respect that I am not stealing 
anything.  I am just finding out what is on it.  
If you haven't done anything wrong, you have nothing to fear from 
me is pretty much how I looked at it to begin with.  And I know with 
the advent of the media and all the news and magazines we did, 
everything went out the window, everything was people just wanting 
to know. 
MS. SCHAKOWSKY.  Mr. Gandal, tell me how you get the information 
you need. 
MR. GANDAL.  Social Security numbers, I already have in almost every 
case. 
MS. SCHAKOWSKY.  Because you are working for-- 
MR. GANDAL.  I am dealing with a financial institution.  I probably 
have the Social.  And once you have a Social, you can get any 
information on anybody, pretty much. 
MS. SCHAKOWSKY.  And so you call up, you are that person and you 
have the Social Security number?  
MR. GANDAL.  Yes.  Social engineering, I would say, yes, I will use 
that many, many times.  I will go in as the person just to find out 
how much I owe.  Once you find out how much somebody owes, you are 
in.  
MS. SCHAKOWSKY.  Thank you.  I yield back. 
MR. WHITFIELD.  At this time, I recognize Mr. Stearns of Florida. 
MR. STEARNS.  Thank you, Mr. Chairman.  
Mr. Rapp, I was just reading through your opening statement, and at 
one time, you had indicated, "during this time, I was featured on 
America's Most Wanted as being the number one con man in America."  
And, of course, you went on to say that you sort of discounted that 
a bit. 
But have you ever been conned yourself?  Has someone ever conned you?  
MR. RAPP.  I am sure they have.  And if they are good, I will never 
know it. 
MR. STEARNS.  Let me ask you a question.  In your statement you talk 
about during the President Clinton and Monica Lewinsky scandal you 
were contacted by the FBI, you say, from the Baltimore office.  
"The agent wanted to know specifically who our client was that 
requested the information on why the White House was paying for 
Ms. Lewinsky's apartment, as well as tracking down various cell 
phones and landline contacts of Ms. Lewinsky." 
MR. RAPP.  Correct. 
MR. STEARNS.  Did you take that as legitimate?  Did you check out 
to see if the FBI had a legitimate reason for doing that?  
MR. RAPP.  If the FBI-- 
MR. STEARNS.  Let me see here, you say the FBI contacted you? 
MR. RAPP.  Right.  They wanted to know why I was looking into, when 
you start looking into phone calls on the President, or his 
associate, you are going to get contacted by somebody.  And I did.  
MR. STEARNS.  And you felt sure at this point these were the FBI?  
MR. RAPP.  The gentleman called me.  I believe, actually, they 
showed up unannounced, but he gave me a number to the Baltimore 
field office.  And, of course, I never used that number.  I called 
directory assistance, got the number to the Baltimore field office, 
verified the agent and the basic appearance, because anybody could 
make up a badge.  So, yes, I am pretty confident it was the FBI. 
MR. STEARNS.  So then you made available all those records?  
MR. RAPP.  Correct.  
MR. STEARNS.  And I guess that is the problem, sometimes when you 
get that high profile.  When you are doing these for different 
clients, you sometimes move into areas that perhaps you realize 
you probably shouldn't have got into? 
MR. RAPP.  Correct. 
MR. STEARNS.  Would you say that in retrospect? 
MR. RAPP.  You know, in retrospect, the money was enjoyable; the 
fame was just part of the job.  But a good data broker is very 
quiet, underneath the radar.  And the committee is not going to 
know about him, for the most part; nor is the American public, 
because they are utilizing the services for the majority of the 
part. 
If they haven't done anything wrong, they have nothing to fear from 
them.  If they owe money, you may wake up one morning and find your 
bank account $5,000 less.  But again it is because they had a 
legitimate judgment. 
So, yes, the fame caused a lot of problems.  And in retrospect, I 
think it turned out to be a good thing and ended when it did, as 
things transgressed. 
MR. STEARNS.  So if you had to do it again, would you do it the 
same way?  
MR. RAPP.  Tough question.  Tough question.  I definitely-- 
MR. STEARNS.  Think about that for a second and let me go back. 
The person who asked you--who was the client, that asked you to 
specifically get this information--I am not asking you to reveal 
who that client was; but that client, you had to reveal to the FBI, 
too, didn't you?  
MR. RAPP.  Correct, yes. 
MR. STEARNS.  And did that client immediately tell you to stop and 
desist?  Or did that client-- 
MR. RAPP.  Oh, no.  All my clients understand when law enforcement 
is there, we are in business to make money on a grand scale.  And 
if you shut down one avenue, I am going to concentrate on the 
others. 
So he wanted to know who the client was, just for national security 
reasons, as he said.  This has nothing to do with that. 
MR. STEARNS.  So he wanted to know specifically who was paying 
for Ms. Lewinsky's apartment, as well as tracking down various 
cell phone and landline contacts of Ms. Lewinsky?  
MR. RAPP.  That is correct.  It was for a news magazine.  I don't 
know if it was Entertainment Tonight or which one of the news 
magazines, but they wanted to know. 
MR. STEARNS.  And they hired you to do it?  
MR. RAPP.  Right.  They thought it was interesting that the 
Government was paying for Ms. Lewinsky's apartment at the Watergate 
Hotel.  So something like that. 
MR. STEARNS.  I also read in some of the testimony that both of 
you--or you, specifically Mr. Rapp, can find out a post office box. 
MR. RAPP.  That is correct.  
MR. STEARNS.  Just briefly tell me how you would find out my post 
office box.  I have a post office box for business.  Tell me, 
briefly, how you do it and then tell me what is the reason for 
knowing the post office box?  
MR. RAPP.  To me, it was a case, tracking people down. 
MR. STEARNS.  What is the reason why?  Is it like a banking 
institution or a lawyer?  Why would they want to know?  
MR. RAPP.  Somebody wants to track you down.  
MR. STEARNS.  So they are going to stand there so when I come up to 
that post office box they will be able to get me; is that it?  
MR. RAPP.  No.  What it was leading my clients to, the majority 
of the time, was to get more information on you, a physical 
address.  Most of the time you have to actually show an ID to get 
a post office-- 
MR. STEARNS.  So if a person doesn't have a physical address, then 
you want the post office box. 
MR. RAPP.  That is right.  The idea, to "break" in the Post Office, 
it is to get whatever information they have on their hard card.  
That is what we are looking for. 
MR. STEARNS.  So tell me then you want to get my post office box, 
and I am in Ocala, Florida.  How would you go about it?  
MR. RAPP.  First of all--I will be blunt.  
MR. STEARNS.  You had a last name. 
MR. RAPP.  I don't need that.  All I need is the box number. 
If I find out who the postal inspectors are for your region, 
impersonate one of those postal inspectors; and if I call up and 
say, you know, we have had-- 
MR. STEARNS.  So you would use the actual name of the postal 
inspector.  Let's say his name is Jim Moore. 
MR. RAPP.  Okay, let's say it is. 
I would call up and be Mr. Moore.  Or I would be one of his 
associates.  And I would say, "you know, we have had some child 
pornography coming into this box.  And we have had some pictures of 
kids doing things they shouldn't be doing." 
"Now, we have traced it back; we have already identified the box is 
on the West Coast.  Do me a favor."  
Now I am talking to a lowly box clerk, of course, that is bored with 
her job, and once I get to build up a 30-second relationship, I am 
going to tell them what I need. 
"Do me a favor.  Take a look at and see if you have"--I will use an 
example of a company name--"see if you have Photography Unlimited 
listed on the box, or how it is titled." 
MR. STEARNS.  You would make up something to get some credibility? 
MR. RAPP.  Correct.  
They go in there and they say, "oh, no, it is not a business.  It 
is a residential box listed as an individual." 
"Now, are you spelling his name with an "st" or just a "ph"?" 
They will say, "oh, no; "st," what are you talking about?  We 
have it as a Jim J. Rowe at 134 17th Street." 
MR. STEARNS.  They continue volunteering information because they 
think you are credible? 
MR. RAPP.  They think you have the authority to be able to acquire 
this.  That is one of the quickest and easiest ways, as just one 
of many examples.  
MR. STEARNS.  Take me through another quick scenario.  You are 
trying to find my credit card, and what would you need to find out 
like in exhibit--Exhibit Number 3, here you have the credit card 
for John Ramsey, and you have a list of all the descriptions, the 
places and the amounts.  How would you go about getting this 
information for--let's say for me, how would you go about getting 
it? 
MR. RAPP.  Mr. Stearns, first of all, I would make sure that my 
client at least had given me your full legal name, preferably your 
address, preferably something else.  Most of the time, the clients 
gave us a credit card, they had a Social. 
MR. STEARNS.  Most the time you had the name of the credit card--you 
didn't even have the credit card?  Whether it is Bank of America 
or Capital One? 
MR. RAPP.  Again, think global; that is too small. 
We are thinking Visa, Master Card, Discover, American Express, or 
Diners Club, which isn't used very much--one of those five are the 
Big Five.  And when a client came to me and said, "we would like to 
find out the credit card purchases they made on this date," the 
client always seemed to have a necessary--they knew exactly what 
they were looking for, but they didn't know how they came to either 
get it or how they wanted it broken down.  They didn't know exactly 
which card the person may have used, but they said, "we know this 
person used a credit card on this day." 
MR. STEARNS.  Invariably you had a date and a description?  
MR. RAPP.  Something.  They gave me something.  I would go in and 
utilize just what I had, your name-- 
MR. STEARNS.  Where would you go in to do that?  
MR. RAPP.  I would go into Visa or Master Card and I would make up 
a nice little story.  I would call them directly and explain to 
them "I have a bill in the mail here for $2,418,000 and I don't 
understand why, since my wife's homebound and I haven't left the 
house in the last 2 months." 
MR. STEARNS.  And she would tell you, "We don't show in our records 
that you have this." 
MR. RAPP.  To begin with, they would say, "Well, what is your card 
number?"  And I won't know, of course.  And I would know something, 
and what I didn't know I would fudge, and I would get them to the 
point where they would just look up what I wanted them to do by my 
name, tie it in with the address. 
And if Visa said-- 
MR. STEARNS.  They would reveal the credit card number to you?  
MR. RAPP.  Not at that point.  At that point they would verify 
they did in fact have it.  
First of all, it is a process.  My first part is to find the 
institution that has it.  Now, if I know you have a Visa, the idea 
now is which agency specifically, or which--again the word "agency"--
but which department issued that Visa, which bank.  So they will say 
"oh yes you have one here from Capital One." 
"Oh, Capital One?  Wrong one.  Let me look into it." 
If I didn't like the way the conversation was going, I will call 
them back.  Now I know it is Capital One.  Now I have other 
options.  I can find out which bank you utilize it from and go 
into the individual branch even.  Just like Chase Manhattan, you 
can pay your bills at any Chase Bank, I can go into the branch, I 
can go into Capital One directly, or I can go back to Visa, and I 
would work the people until I would get your complete card number 
or not.  Most of the time I would solve the case without ever 
having the card number.  I would go in and find out the basics.  
"How much do I owe you?"  
Again, then put them in a position where they have to help you, and 
if I owe them X amount of dollars, I say, "Do me a favor, break that 
down.  I am a committee member; I need to get reimbursed, so let's 
break it down." 
"Okay, well, what do you want to know?" 
MR. STEARNS.  Then you get them to actually fax you-- 
MR. RAPP.  No. 
MR. STEARNS.  How would you get all this information?  This is just 
over the phone? 
MR. RAPP.  Just over the phone.  I would have them go over it, say 
"The first purchase last month, what was the date?" 
MR. STEARNS.  Would you have a phone number that you could be 
traced back to? 
MR. RAPP.  Most of the time it was just our landlines sitting in 
Parker, Colorado, or in Aurora most of the time; and no, I didn't 
have a line.  I didn't have the new phones and new technology that 
was available that showed you were calling from somewhere else.  
I didn't worry about it the majority of the time.  They don't know 
unless you are calling a local carrier what number you are coming 
in on.  And even if you do, it is easy enough to get them to look 
past it.  
MR. STEARNS.  Mr. Chairman, I want to say I want to commend the 
witnesses here, because in their telling these stories, it reveals 
to all of us--and I think, hopefully, the consumers too will 
understand--how easy it is to get this information.  And in a 
large sense, they are doing a very good action here and are to be 
commended for just trying to help us weed through this. 
And so I thank you for getting these two witnesses. 
MR. WHITFIELD.  Thank you, Mr. Stearns, and I just have a couple 
more questions here.  
Mr. Rapp, you talked a number of times today about, you had a lot 
of clients who were private investigators, and many of these 
private investigators represented the news media, whether the 
National Enquirer or the Globe or 20/20 or Entertainment Tonight 
or whatever.  And you established a relationship with them so you 
knew who these private investigators were representing, if they 
were representing news companies; is that correct? 
MR. RAPP.  To some extent I did.  Some of my clients, they gave 
me an indication of who they were working for, but that was 
fairly proprietary; they didn't want me subletting them and 
going directly to the company itself and, of course, cutting them 
out of the profit. 
MR. WHITFIELD.  Absolutely. 
Mr. Gandal, after we release the two of you, we are going to bring 
up another panel of witnesses and these are actual data brokers.  
And I understand most of them are going to take the Fifth Amendment, 
but I would like to ask you a couple of questions about some of 
them. 
First of all, I ask you, are you familiar with any of the other 
witnesses that are scheduled to testify today?  The other data 
brokers, are you familiar with any of them? 
MR. GANDAL.  A few of them I know, just a few. 
MR. WHITFIELD.  Do you know anything about the data brokers Ken 
Gorman, Chris Gorman, or Bob Gorman? 
MR. GANDAL.  I know of them.  I have never met them. 
I know they were in the business and that they, at one time, were 
doing a lot of work; and just shop talk between me and other 
people, I would hear that those people, in fact, were getting a 
large amount of work. 
MR. WHITFIELD.  Do you know anything about Mr. John Strange and 
Worldwide Investigations?  
MR. GANDAL.  I know Mr. Strange.  I live in Colorado, and we have 
talked and we have had dinner.  
MR. GANDAL.  And what sort of customers would Mr. Strange sell 
to? 
MR. GANDAL.  I believe that Mr. Strange had a Web site that anybody 
could go into.  And Mr. Strange doesn't get the work, he just 
brokers it.  He doesn't do the work himself.  
MR. WHITFIELD.  Do you know anything about Jim Welker and Universal 
Communications Company?  
MR. GANDAL.  Yes, I know Mr. Welker. 
MR. WHITFIELD.  And what does Mr. Jim Stegner do for the company, 
or Larry Clark?  Do you know either of them?  
MR. GANDAL.  Jim Stegner runs the side of the company that I worked 
with, and worked for for a short time.  Larry Clark does nothing. 
MR. WHITFIELD.  And does Jim Welker--is he still in the State 
legislature in Colorado or-- 
MR. GANDAL.  I believe he is our District 51 representative at this 
time.  I live in the same city as Mr. Welker so. 
MR. WHITFIELD.  Has Mr. Welker ever made claims to you that his 
company does work for Federal law enforcement agencies? 
MR. GANDAL.  Yes, and I know it to be a fact.  I turned some FBI 
agents on to his trap line company several years ago. 
MR. WHITFIELD.  So do you know anything about Michele Yontef and 
her company, TelcoSecrets?  
MR. GANDAL.  I have never met Michele Yontef, but I've heard of her 
throughout my entire career.  She is basically a legend; they call 
her "Ma Bell." 
MR. WHITFIELD.  They call her "Ma Bell?"  Why is that?  
MR. GANDAL.  I don't know.  She is someone who has been in this 
business a long, long time. 
MR. WHITFIELD.  Do you know her, Mr. Rapp? 
MR. RAPP.  No, I am familiar with TelScan, which is the name of 
Jim Welker's company, which we knew it by and utilized them for 
their services, but that is pretty much it. 
MR. WHITFIELD.  But Michele Yontef is known as "Ma Bell." 
What do you know about Global Information Group and Ed Herzog? 
MR. GANDAL.  I know that I always thought his name was David 
Geller.  
MR. WHITFIELD.  David Geller?  
MR. GANDAL.  And I know they were a company in Tampa, Florida; and 
they also were able to get into a lot of--again, what I feel is 
permissible purposes--but the auto financers, gave them a very good 
price that nobody could match, so I know that they took a lot of 
business from a lot of us. 
MR. WHITFIELD.  Do you know whether Global is still operating?  
MR. GANDAL.  Not under Global.  I heard that they are under 
another name now.  
MR. WHITFIELD.  Would that be Romano & Simson?  
MR. GANDAL.  Yes. 
MR. WHITFIELD.  That is the name they are operating under today?  
MR. GANDAL.  Again, this is information I hear through talking 
with other peers.  
MR. WHITFIELD.  Have you seen a price sheet from them?  
MR. GANDAL.  Boy, I think I had one at one time.  I think someone 
had sent me one, just trying to compare prices, trying to stay 
competitive. 
MR. WHITFIELD.  Do you know Barry Glantz?  
MR. GANDAL.  Wow.  I don't know him, but when I ran a repossession 
company in the late '80s in Cincinnati, Ohio, Barry was the person 
I would contact in order to get phone information.  
But he was very difficult to deal with.  And he compelled me to 
learn more about this industry so I could do it myself, because I 
couldn't deal with him anymore. 
MR. WHITFIELD.  What about Steven Schwartz of First Source 
Information Specialists?  
MR. GANDAL.  He is another gentleman I believe was doing this for 
a number of agencies.  I think he was out of Florida at the time. 
MR. WHITFIELD.  Last question.  
Do you know anything about Joe Depante and Action Research Group?  
MR. GANDAL.  Yes, they were located in the Fort Lauderdale area, 
and I used to run a repossession company in that area.  And Joe 
would supply information to repossession companies the same way I 
do; and I patterned some of the things I do after his company. 
MR. WHITFIELD.  Mr. Rapp, do you know Joe Depante?  
MR. RAPP.  I do. 
MR. WHITFIELD.  How do you know him?  
MR. RAPP.  He was a client of ours and a friend of ours for many 
years. 
MR. WHITFIELD.  Is he a data broker?  
MR. RAPP.  He was.  I don't know at this point.  I know things have 
changed for him, but I don't know what he does. 
MR. GANDAL.  He is still running the company, Mr. Whitfield. 
MR. WHITFIELD.  Did you ever try to sell your client list to Mr.-- 
MR. RAPP.  Oh, yes, when we got out of business in 1999, when we 
were forced out, so to speak, I contacted a few of my clients.  A 
few had expressed interest to take over our clientele list with 
recommendations from us; and Action, the company we knew Joe by, 
seemed to be the best bet to go.  And we agreed upon a price, and 
unfortunately, we never received a penny.  
Things were going to work out and, as I guess goes with this 
business, we were deceived; and so they got the benefit of all the 
client lists and all the contacts, and that is fine. 
MR. WHITFIELD.  They got all the information and you don't get any 
of the money?  
MR. RAPP.  That is correct, not a penny. 
MR. WHITFIELD.  You were prosecuted under RICO; is that correct?  
MR. RAPP.  I believe so. 
MR. WHITFIELD.  And it is your understanding that you were 
prosecuted under RICO because they were not clear under what other 
specific statute they could prosecute you under?  
MR. RAPP.  Right.  When Mr. Feddo, your counsel, came out, and we 
just spoke with Bob Brown, who is the agent of the Colorado Bureau 
of Investigation, that was their emphasis to us:  We wanted you to 
stop, and we didn't know how we were going to force you to do it, 
and this is what we charged you with.  They took a class 2 felony 
all the way down to a couple of years of probation if you would 
quit the business.  
So it was apparent there was no real teeth behind it; or if there 
was, they just didn't exercise them, thankfully.  They wanted us 
to end, and we did. 
MR. WHITFIELD.  Can you give us some idea of the gross revenues of 
Touch Tone during your peak years?  
MR. RAPP.  Well, the peak years, our gross, as far as billings out, 
were well over a million for the latter half of the 1990s.  Prior 
to that, it was minimal, anywhere from a couple hundred thousand, 
half a million or whatever.  But the ability to earn the funds 
and the necessity of the information is enormous; given enough 
clientele and enough employees, there is no limit. 
You know, I appreciate the validity of what your committee is trying 
to do, but there is necessity for this.  And I understand you can't 
regulate it and say, well, this we will allow and this we won't.  
I understand that.  
But--you are not going to stop it, but hopefully you will put an 
end to the people--I don't know about Mr. Gandal, but we have never 
committed fraud in the respect of ever taking anybody's privacy and 
taking a penny that wasn't ours.  We would never do that. 
MR. WHITFIELD.  You didn't take their money-- 
MR. RAPP.  Just the information, if you haven't done anything wrong. 
That was our premise until the media, but-- 
MR. WHITFIELD.  Would you agree with the statement that, maybe if 
you had never become involved in JonBenet Ramsey murder case that 
you might still be in business?  
MR. RAPP.  Oh, yes, I definitely.  I would believe that, yes. 
MR. WHITFIELD.  Does anybody else have any questions? 
MS. DEGETTE.  I do. 
Sitting here, it seems to me Colorado is sort of a hotbed of 
pretexting, Mr. Chairman, and I am going to talk to some of my 
colleagues in the legislature about that. 
Mr. Gandal, I asked Mr. Rapp, but I didn't ask you:  Do you think 
Colorado's lack of laws enable you to do more than you might be 
able to do in other States?  
MR. GANDAL.  No.  I live in Colorado because I love it, no other 
reason.  
MS. DEGETTE.  You don't think that if Colorado enacted oversight 
on private investigators or data miners or things like that, that 
would affect your business?  
MR. GANDAL.  Well, it would affect my business if I looked at it 
and said, gee, everything I am doing is illegal.  I would stop, 
absolutely; I don't want to break the law.  I always believed I was 
a law-abiding citizen, assisting banks. 
MS. DEGETTE.  Great.  
Mr. Rapp, now, you told the Chairman that you were charged under 
RICO, but then you did plead guilty to a lesser offense, correct?  
MR. RAPP.  It is possible.  I truthfully-- 
MS. DEGETTE.  You are under probation right now, right? 
MR. RAPP.  No.  No.  They started out with class 2 felony.  They 
ended up with 5 years probation of which, after 3 years they said, 
you are not a threat to anybody and you are released. 
MS. DEGETTE.  But you had probation?  
MR. RAPP.  For 3 years. 
MS. DEGETTE.  So you must have pled guilty to something-- 
MR. RAPP.  At that point whatever they wanted me to, that was fine. 
MS. DEGETTE.  We all think you are very good and we would hire you 
for any sales position we might have in our organization.  But I am 
just asking you, if you got 5 years probation that was then reduced 
to 3, you must have pled guilty to something. 
MR. RAPP.  Yes, I did. 
MS. DEGETTE.  And your--was part of your agreement of probation that 
you would never engage in this business again, or-- 
MR. RAPP.  Not during the time of probation. 
MS. DEGETTE.  So you could go back to this business?  
MR. RAPP.  Theoretically. 
MS. DEGETTE.  Do you intend to do that?  
MR. RAPP.  No, ma'am.  
MS. DEGETTE.  Why? 
MR. RAPP.  I can't rationalize like I did at that point.  You can 
ignore some things so long, and it just got to the point where I 
felt guilty. 
MS. DEGETTE.  What were you ignoring?  
MR. RAPP.  Lying, conning, scamming. 
MS. DEGETTE.  So you just decided not to do that anymore?  
MR. RAPP.  That is not the best way to go. 
MS. DEGETTE.  What are you doing now?  
MR. RAPP.  I am a caretaker for the elderly, for my mom--and dad 
when he died--now for my Mom until she passes on, and then we will 
get back to life. 
MS. DEGETTE.  And I mean, you understand it is one thing to be doing 
what you were doing, which is pretexting, and getting the data, 
selling it--not for profit other than getting the data, not to 
steal someone's bank account or something. 
MR. RAPP.  Correct.  Correct.  
MS. DEGETTE.  But you understand the risks when this is done, and I 
think both you and Mr. Gandal would agree, it's been made much easier 
by the Internet and computerization, correct?  
MR. GANDAL.  Absolutely. 
MS. DEGETTE.  So it is not just people who are doing it for 
legitimate reasons, like repossessing automobiles, or even 
quasi-legitimate reasons like newspaper tabloids.  It is being 
done by criminals who are stealing people's data and stealing their 
identities and their assets, correct?  
MR. GANDAL.  Yes.  That is why I called the committee in the 
beginning and talked.  
MS. DEGETTE.  Now, I think, Mr. Gandal, you testified that you 
know Representative Welker, correct?  
MR. GANDAL.  Yes. 
MS. DEGETTE.  And you said that you referred some FBI agents to his 
company for use of these pretexting services, correct?  
MR. GANDAL.  Yes. 
MS. DEGETTE.  What were the names of the FBI agents? 
MR. GANDAL.  I don't know those names.  I know the name of the FBI 
agent that was in my office because we worked the case together.  
He is in New York City. 
MS. DEGETTE.  What is that person's name?  
MR. GANDAL.  His name is Neil Caldwell. 
MS. DEGETTE.  What office is he with? 
MR. GANDAL.  He is with Financial Crimes in New York City.  We 
worked a Nigerian fraud ring together, which he busted and recovered 
millions of dollars; and then on September 12, 2001, I assisted him 
in learning how to use one of the databases.  I had to look at the 
terrorists' addresses that were in Newark at the time and determine 
who else might still be out there.  And at that point I believe the 
FBI was given free access to these databases, and they no longer 
needed my assistance.  In fact, I haven't spoken to these 
agencies. 
MS. DEGETTE.  Was Agent Caldwell, was he the person that you 
referred to Mr. Welker?  
MR. GANDAL.  No.  He knew some-- I wasn't prepared for these 
questions, as far as having dates, but I would say-- 
MS. DEGETTE.  I am not asking you for a date. 
MR. GANDAL.  It was a long time ago.  Late '90s, I believe, he--I had 
shown him. 
MS. DEGETTE.  This was before September 12th?  
MR. GANDAL.  Yes.  Neil would come in my office and he would watch 
me work, and I would help him with information when he needed it. 
And he said these trap lines are really important, and I know DEA 
guys that could really use this.  And I believe he went to a 
Chicago office, who then contacted Mr. Stegner who worked for 
Mr. Welker.  
I don't think Mr. Stegner works there anymore. 
MS. DEGETTE.  I don't think so either.  But you don't know if, in 
fact, the FBI ever actually hired Representative Welker's company? 
MR. GANDAL.  To do trap lines, I know they did. 
MS. DEGETTE.  Do you know that Mr. Welker's company was compensated 
by the FBI for that?  
MR. GANDAL.  I know that I went to church with Mr. Welker one day, 
and they asked everyone in the--it was actually the first 
anniversary of 9/11--and they asked everyone in the audience to 
stand up who was in the military, and they called out the different 
things.  When they got to Army, I stood up. 
And they said, anyone else that works with the Government, and 
Mr. Welker stood up next to me.  And I kind of looked at him, and 
he said, "I have clients."  He said, "FBI is my client;" and that is 
why he stood up. 
MS. DEGETTE.  Mr. Welker said, "FBI is my client?"  
FBI told us they never hired Mr. Welker, so I guess that will be 
figured out later on. 
MR. GANDAL.  The information is just what I gave you.  
MS. DEGETTE.  Do you know any other government agencies who hired 
either your firm or these types of firms? 
MR. GANDAL.  I have done work for law enforcement before, but never 
hired.  I did favors.  I have assisted law enforcement. 
MS. DEGETTE.  So you are not compensated by a law enforcement 
agency? 
MR. GANDAL.  Right.  I had friends that were law officers.  
MS. DEGETTE.  Which agencies did you do favors for?  
MS. DEGETTE.  Nassau County Police Department, I had friends that 
were detectives with them in the '90s, in 1999 to 2000.  
MS. DEGETTE.  Did you ever do any favors for Federal, where you 
talked about-- 
MR. GANDAL.  Just the gentleman that came into my office; sometimes 
he would need an address to a telephone number, and I could get it 
for him a lot quicker than anybody else. 
MS. DEGETTE.  And that was it?  
MR. GANDAL.  That was it. 
MS. DEGETTE.  Mr. Rapp, what about you, were you ever hired by any 
law enforcement agencies?  
MR. RAPP.  I believe we were.  And I have to apologize; my honesty 
here is, hopefully, unquestionable, but my memory may be.  
Back during the '80s or '90s there were agencies--when we worked in 
Utah, we lived up in Cache County in Logan, Utah; and we did work 
for some of the agencies, I believe, there--just basics.  There was 
a nonpublished listing of a party, and they wanted the address, 
something generic to that account.  
But for the majority--that is the only one I can think of because 
very rarely, I don't think we were ever contacted except by 
Mr. Crosby, who was an FBI agent, I believe, at the time out of 
Texas.  
MS. DEGETTE.  This was like the late '80s, early '90s?  
MR. RAPP.  I believe it was, and at that point--Mr. Feddo has 
informed me he was ex-FBI, but that wasn't made clear to me at 
that point. 
MS. DEGETTE.  So you now don't know of any direct hiring by FBI?  
MR. RAPP.  No, I don't think there ever was. 
MS. DEGETTE.  And the only other law enforcement agency you can 
remember being hired was this Utah--was it a local or State?  
MR. RAPP.  Local.  Local. 
MS. DEGETTE.  And that's it?  
MR. RAPP.  Yes. 
MS. DEGETTE.  I am trying to figure out the scope of law enforcement 
agencies that hire these types of firms.  It doesn't sound to me to 
be very great.  
MR. RAPP.  No.  We were always told--contrary to popular belief, 
we were told--and a lot of my information came from Mr. Crosby and 
from the FBI agent that came to our office about the Monica Lewinsky 
deal, that if the Feds wanted to know something, they would know 
it.  That is the end of the story.  If they want to know it, they 
know it, they don't need to utilize any other agency or any other 
company to get it. 
MS. DEGETTE.  Thank you very much.  
Thank you, Mr. Chairman. 
MR. WHITFIELD.  Mr. Stearns, do you or Dr. Burgess have any 
additional questions?  
MR. BURGESS.  Yeah, the issue of the stores being a site for 
information transfer:  At the retail outlets, are there particular 
security measures they take at those stores?  
MR. GANDAL.  Not that I know of, no.  There are not a lot of 
security measures that the wireless service companies take in any 
respect. 
MR. BURGESS.  So the sales people in those stores wouldn't have any 
special training or expertise?  
MR. GANDAL.  No.  That is the reason they are targeted on a problem 
account.  
MR. BURGESS.  Would you agree with that, Mr. Rapp?  
MR. RAPP.  Yes.  
And if I can, Mr. Burgess, I have taken this cell phone, any cell 
phone to any company, I don't have to open it, I don't have to take 
out the SIM card inside if I say, "I need to see a copy of my last 
month's bill and, by the way, I think I would like to get two or 
three additional lines."  
They are more than happy to want to help.  They say, "what is your 
number?"  
And I throw out the number.  
They are not going to call it and verify it.  They are not going to 
say, "I need your ID."  They believe they see my ID in my hand.  
And I say, "You know, when I talked to customer service"--and from 
experience I would know the name of their computer system, whether 
it be CBIZ or BOSS or Elmo's or whatever--see, they tell me 
something like Elmo's is down.  They said, "oh, that again; what 
do you need?"  
I say, "Can you do me a favor and print out the last 3 months from 
me?"  Never even seen an ID, never seen anything.  It is that easy. 
And there are so many branch offices, and you can go to any mall 
and you will see two or three.  It is that easy to acquire the 
information, and you don't need to know anything. 
MR. BURGESS.  So would the kiosks at the malls be the most 
vulnerable point, or are the retail stores just as vulnerable?  
MR. RAPP.  I don't know if the kiosks at the malls could print 
out an actual bill, but they can give me the specs on the bill.  
They can give me enough information to help me, so I can go back 
in to customer service and say, hey, here is my account number 
now.  Here is this, here is that.  So--they are all kids, though; 
they are staffed by people that have been there at the most a 
couple of years. 
MR. BURGESS.  Seems like the most basic type of security measures 
would at least stop some of that, maybe not 100 percent but some 
of that.  
Is the cost of those security measures a barrier to those being 
implemented?  
MR. RAPP.  Truthfully, I never ran across any security measures, so 
to speak, with any cell companies, landline companies.  I had more 
security at a cable company than I did at a bank. 
It is just the aspect they are not expecting.  And even today, even 
with all this, they are not prepared for Joe Blow calling in and 
saying, "Hey, wait a minute, now I know I got a check into my 
checking account.  And you guys told me I bounced one."  
"What is your account number?"  
And I don't know my account number.  
"What is your name?  I don't know.  I don't know.  What is your 
name?  I don't know."  It gets to that extent to where, "Did you 
spell my name correctly with an "sh" or with a "c"?"  
And then once you have them utterly confused they are going to want 
to start at the beginning and help you.  And it is the same way 
with every company out there. 
And I would hate for this committee to make it so tough that we 
have to sit on hold for 2 hours to get through to AT&T, because they 
have got to be so sure of all the security.  And I hate the fact I 
screwed that up in part. 
But it is a fact of the matter, you are going to always have people 
like us and you are going to always have people who are going to 
give out the information.  I would hope they are not going to hurt 
anybody with the information.  That is my goal. 
MR. BURGESS.  What about the--you addressed the issue of the 
overseas operators.  Is that a particular point of vulnerability, 
the outsourcing of the call center?  
MR. GANDAL.  Absolutely.  They barely speak English. 
MR. RAPP.  My wife worked for General Motors for 5, 6 years, and 
during that time, they transitioned from America to India to have 
all their customer service.  I never found it was any easier to 
get information out of India than here.  I am sure it might be. 
But when I reference overseas, clients came to us with overseas 
requests. 
Now, you try getting information out of a Barclays Bank from 
somebody named Gambino, you are going to run into a little bit of 
difficulty just because of the situation, it is international.  
That is what I refer to as overseas.  That is why a lot of the call 
centers now are everywhere in the world. 
It doesn't matter except for the fact it takes a little bit more 
time and you have to be able to understand their dialect a little 
better to get what you want.  And it is tougher to be friendly, it 
seems like with them, or get them to understand you and what your 
needs are.  They are in a Third World country.  They can't 
appreciate what we are going through as far as trying to get the 
information.  
MR. BURGESS.  You are--I am just astounded at your degree of 
imagination.  The fuse box is smoking.  The cleverness is just 
absolutely astounding.  
But I thank both of you for being here and for your candor.  
And, Mr. Chairman, I will yield back.  
MR. WHITFIELD.  Mr. Stearns.  
MR. STEARNS.  Thank you, Mr. Chairman.  I won't take too much 
longer.  
As I understand it, Mr. Rapp--let me just list some, if I came to 
you, if you could provide these.  
Could you provide disability benefits for a person?  
MR. RAPP.  Sure. 
MR. STEARNS.  Could you determine their Social Security benefits?  
MR. RAPP.  Yes, where the check is being sent, what bank it is 
being sent to, the account number. 
MR. STEARNS.  Welfare benefits?  
MR. RAPP.  Sure. 
MR. STEARNS.  Could you locate where a person used a hospital and 
what the expenses were at that hospital?  
MR. RAPP.  Absolutely, medical records. 
MR. STEARNS.  Could you find an e-mail for anybody?  
MR. RAPP.  You know, truthfully, I never had to delve much into the 
Internet world, thankfully; and no, I have never really dealt with 
e-mails that much. 
MR. STEARNS.  Mr. Gandal, do you think it is possible for anybody 
to find anybody's e-mail?  
MR. GANDAL.  You have to be much more computer literate than 
myself.  I'm telephone literate, like Mr. Rapp.  That's my tool. 
MR. STEARNS.  Mr. Rapp, could you find a brokerage account for 
anybody in America?  
MR. RAPP.  Absolutely.  
MR. STEARNS.  Well, that is pretty clear, Mr. Chairman.  I don't 
think we have any privacy at all, if these gentlemen could find any 
one of those things.  
Mr. Gandal, you mentioned in your testimony, you said that "please 
allow me to speak for another profession I feel should be 
criminalized before the only support for every auto financer in 
America receives this fate, the professional debtor.  This is the 
individual who uses a true name, fraud, in order to purchase dozens 
of vehicles which he has no intention of ever paying for.  He gives 
these cars to his friends or family, but many times he will sublease 
the vehicles, pocket the money that the third-party lessee gives 
them." 
So, tell me what you might reinforce, what you are trying to say 
here, and what we should do.  
MR. GANDAL.  Well, the professional debtor is someone making a lot 
of money doing it, and it's-- 
MR. STEARNS.  There are people doing this?  
MR. GANDAL.  Absolutely.  Listen to Sports Talk tomorrow and listen 
to their advertisements about the Nevada corporate ideas that they 
have got now.  Anybody can incorporate in Nevada. 
Anybody can incorporate in Nevada and probably other ones.  It's 
just a commercial that I have heard several times listening to Sports 
Talk, and they say you can go ahead and anybody can incorporate and 
then get corporate credit which has nothing to do with personal 
credit.  So these people have already trashed their name.  They go 
to a subprime or even the C&D paper of a major auto financier which 
isn't subprime.  They go in as a company, a hearing aid sales 
company, any of these things, and all of a sudden they've got 25, 
30 vehicles and they are gone.  They are gone.  Now one way to 
find those vehicles -- 
MR. STEARNS.  So simply a corporation of these auto dealers will 
lease or sell on credit for somebody who comes in with a corporate 
name. 
MR. GANDAL.  Sure.  They are trying to sell cars.  And they really, 
I believe in the beginning it was looked at like, look, we have got 
a giant portfolio here and this little bit is trickling down, is 
going to--we are going to lose. 
MR. STEARNS.  That's a cost of business. 
MR. GANDAL.  But as time has gone by, it is no longer a little bit 
that's trickling down, and a lot of these subprime dealers are gone 
because of it, and the ones that are still here are fighting to stay 
there to offer the product that has got to be there for a lot of 
people. 
MR. STEARNS.  What would you do besides criminalizing it?  What 
would you do in terms of legislation in terms of-- 
MR. GANDAL.  Control it.  Allow a replevin to be served right in 
town within a couple of days, knock on the doors, here's the 
papers.  I want the car.  I want it now without having to play games 
and chase people literally down the street like cops and robbers.  
Repossessor is a--it's a rough business, and he is doing a service 
and a good repossessor is not fighting.  A good repossessor does not 
carry a gun and get into a shootout over the vehicle.  He is 
respectful.  He talks to the people when he has to.  He picks up 
the vehicle because that's what is supposed to be done.  
Unfortunately, over and over and over again, and it's not a small 
problem and maybe the subprime companies don't even want to admit 
it.  But I have talked to them, and I have talked to a lot of them 
and let them know I was going to be here and what I was going to 
say, and they said go for it because they know it is true.  
There are problems.  A liaison would be great.  Somebody that has 
some power.  Repossessors look at that like some fat slouchy guy.  
It's not that way.  They are professional adjusters.  They are 
good investigators.  They are family men.  They are going out 
there and they are doing a job and making a little bit more money 
than they would if they are working at a toll booth or a body shop. 
It is a hard living.  There should be some laws to protect them.  
That would take away my job, but, you know, take away my job and 
I'll apply for a job in the liaison department. 
MR. STEARNS.  You could be the supervisor. 
MR. GANDAL.  Absolutely. 
MR. STEARNS.  Just on another note, could you explain prepaid 
calling cards, sir?  
MR. GANDAL.  Sure.  They are a very good and what I would imagine is 
a very legal tool.  You send out the prepaid calling card to a 
target.  You don't know their phone number or too much about them 
at this point.  You send it out.  They use the calling card, and 
then you have a copy of where they called from and where they called 
to, which is a good investigative tool in locating somebody. 
MR. STEARNS.  And that's used for what purpose?  
MR. GANDAL.  For skip tracing.  One percent of all vehicles are 
going to be repossessed this year.  Fifty percent of those vehicles 
are going to be skips.  And half of those, again, you are going to 
find the guy and you found him the whole time.  Why?  Because the 
car isn't parked out front because he doesn't have it any more.  
They are either straw purchases or whatever.  It doesn't mean it's 
going to help you.  But that is when the call records come into 
hand and that is why so many repossession companies and auto 
financiers like to look at the call records and see where he's 
calling to 10 times a day, 15 times a day.  Get a picture of 
somebody's life like that and maybe you'll get your car back. 
MR. STEARNS.  Do you have any idea how the carriers could put a 
stop to data broker accessing consumer information?  Do you 
understand what I am asking?  
MR. GANDAL.  Stopping my job? 
MR. STEARNS.  Yes. 
MR. GANDAL.  It would be very difficult.  It is very bureaucratic 
and although I've seen some changes in some companies, wireless 
companies, you can hang up and call back and get what you want and 
eventually I am afraid that the movement that they have made to 
secure is just going to fall apart again.  Right now it is big.  
They are talking about it is something that they want to do.  In a 
year's time it is all new people doing the job.  Most of these 
people can't even work 40 hours because they don't want to get 
paid for benefits.  So they keep everyone in all these companies 
underneath it.  The managers don't care.  The employees don't care. 
So the information is still readily available. 
MR. STEARNS.  Mr. Chairman, thank you.  I am done. 
MR. WHITFIELD.  Thank you, and I want to thank Mr. Rapp and 
Mr. Gandal for your testimony.  I think we already had an impression 
that there were no secrets anymore and now we know for sure there 
are not.  So with that, you all are dismissed.  We appreciate your 
cooperation very much.  
And at this time I would like to call forward the following 
witnesses on the third panel.  
Mr. John Strange, the owner of World Wide Investigations.  
Ms. Laurie Misner, owner of Global Information Group.  
Mr. Jay Patel, owner of Abika.com.  Mr. Tim Berndt, owner of Relia 
Trace Locate Services.  Mr. Ed Herzog, owner of Global Information 
Group.  Mr. James Welker, owner of Universal Communications 
Company.  Mr. Skipp Porteous, owner of Sherlock Investigations.  
Mr. Patrick Baird, owner of PDJ Services.  Ms. Michele Yontef, 
owner of TelcoSecrets.com.  Mr. Steven Schwartz, former owner of 
First Source Information Specialists and Mr. Carlos Anderson, owner 
of C.F. Anderson, PI. 
All of you know, the subcommittee takes testimony under oath, and I 
would like you all to right now raise your right hand and be sworn. 
[Witnesses sworn.] 
MR. WHITFIELD.  You are all under oath now, and under the rules of 
the House and the rules of the Energy and Commerce Committee, you do 
have the right to be advised by legal counsel as to your 
constitutional rights, and I would ask you do any of you have legal 
counsel with you today?  Okay.  All right.  
Those that have legal counsel, and we can start with you, 
Mr. Strange.  Do you have legal counsel with you?  
MR. STRANGE.  No.  
MR. WHITFIELD.  Ms. Misner, will you give us the name of your 
attorney?  
MS. MISNER.  Sanford Saunders. 
MR. WHITFIELD.  Mr. Patel, do you have legal counsel?  
MR. PATEL.  No, sir. 
MR. WHITFIELD.  Mr. Berndt?  
MR. BERNDT.  No.  
MR. WHITFIELD.  Mr. Herzog?  
MR. HERZOG.  Timothy Fitzgerald. 
MR. WHITFIELD.  Mr. Welker?  
MR. WELKER.  Yes.  
MR. BEARDEN.  Yes, sir.  Jim Bearden.  
MR. WHITFIELD.  Thank you.  Mr. Porteous?  
MR. PORTEOUS.  Yes. 
MR. WHITFIELD.  Mr. Baird? 
MR. BAIRD.  No. 
MR. WHITFIELD.  Ms. Yontef.  
MS. YONTEF.  No. 
MR. WHITFIELD.  Mr. Schwartz?  
MR. SCHWARTZ.  I have legal counsel.  He's in the hospital.  He 
asked that we postpone and reconvene so he can testify and he was 
refused.  
MR. WHITFIELD.  What's his name?  
MR. SCHWARTZ.  Richard Rosenbaum.  
MR. WHITFIELD.  Mr. Anderson?  
MR. ISSACS.  I represent Mr. Anderson.  I am Hanan Issacs. 
MR. WHITFIELD.  Thank you.  
Now I'm going to ask all of you, we'll start with you Mr. Strange.  
Do you have an opening statement that you'd like to make? 
MR. STRANGE.  No. 
MR. WHITFIELD.  Ms. Misner. 
MS. MISNER.  No. 
MR. WHITFIELD.  Mr. Patel?  
MR. PATEL.  No.
MR. WHITFIELD.  Mr. Berndt? 
MR. BERNDT.  No.
MR. WHITFIELD.  Mr. Herzog?  
MR. HERZOG.  No.
MR. WHITFIELD.  Mr. Welker?
MR. WELKER.  No.  Nothing. 
MR. WHITFIELD.  Mr. Porteous?  
MR. PORTEOUS.  No. 
MR. WHITFIELD.  Mr. Baird? 
MR. BAIRD.  No, sir. 
MR. WHITFIELD.  Ms. Yontef?  
MS. YONTEF.  No. 
MR. WHITFIELD.  Mr. Schwartz?
MR. SCHWARTZ.  Yes, I do.  
MR. WHITFIELD.  You are recognized for 5 minutes.
MR. SCHWARTZ.  Up until a couple of years ago, I was listed as a 
broker.  We sold names.  Somebody would call like an ADT company 
to find people buying new homes.  I was introduced to this business 
3 or 4 years ago.  And I've been reading the newspapers and I've 
been in a lot of articles, and I've only actually owned the websites 
for a couple of months.  I shut them down 6 months ago when I found 
out that this might be illegal.  I had no clue that this might be 
illegal.  But when I first went into the business and I was told 
about it, I looked into it and I looked on the Internet. There was 
over 2 or 300 companies doing this, okay, and then I looked under 
the pretexting laws and it clearly stated that. 
MS. DEGETTE.  Can I interrupt you?  Are you intending to assert 
your Fifth Amendment rights against self-incrimination?  
MR. SCHWARTZ.  Yes, I am. 
MS. DEGETTE.  Counsel, and I feel like--I am not a practicing lawyer 
anymore, but I used to do a fair amount of criminal defense in the 
15 years I did practice.  By making this opening statement, you are 
waiving your Fifth Amendment rights. 
MR. SCHWARTZ.  I didn't know that. 
MS. DEGETTE.  Since your attorney is not here, he is in the hospital. 
MR. SCHWARTZ.  Then I will stop. 
MR. WHITFIELD.  Okay.  Mr. Anderson, do you have an opening 
statement?  
MR. ANDERSON.  No, Mr. Chairman. 
MR. WHITFIELD.  Since there are no opening statements, what I am 
going to do is ask all of you a question.  I am going to do it 
individually because--depending on the facts of the case.  I would 
like to start with Mr. Strange first and ask you, Mr. Strange, and 
Ms. Misner, if you would mind giving him that document book.  If 
you could move it down there to him.  And under Tab 68 in the 
binder, if you wouldn't mind turning to Tab 68 and it is on the 
screen, on both screens, if you can see it.  It is a price sheet 
from your web site, Informationbrokers.net, which you own through 
your company, Worldwide Investigations.  And the on-line price 
sheet offers outgoing cell phone calls, cell tolls without CNA, 
landline tolls, with or without CNA and post office box 
information, among other services.  And so Mr. Strange, the question 
I would ask you, did you and your company Worldwide Investigations 
obtain and sell consumer cell phone records and other non-public 
personal information that was obtained through pretext, lies, 
deceit, or impersonation?  
MR. STRANGE.  Mr. Chairman, at this time I would like to assert my 
Fifth Amendment right not to testify.  
MR. WHITFIELD.  Okay.  So you are refusing to answer all of our 
questions on the right against self-incrimination afforded to you 
under the Fifth Amendment of the U.S. Constitution? 
MR. STRANGE.  Yes, Mr. Chairman. 
MR. WHITFIELD.  And it is your intention to assert that privilege if 
we ask any additional questions? 
MR. STRANGE.  Yes, sir. 
MR. WHITFIELD.  Okay.  Now I would like to go to Ms. Misner.  And 
Ms. Misner, if you wouldn't mind turning to Tab 41 in the binder 
which I request will be put upon the screen.  Now this document is 
a listing of the top 20 customers during the year 2005 for your 
company, Global Information Group, which you purchased in March 
of 2005.  
You produced this list as an attachment to your response to the 
committee's letter dated March 31st, 2006, which asked questions 
about Global's business activities.  This list includes many large 
bank lenders and auto finance companies.  So Ms. Misner, my question 
would be did you and your company, Global Information Group, obtain 
and sell customer cell phone records and other non-public personal 
data by pretexting cell phone carriers and impersonating technical 
service representatives, financial service representatives, or 
customers? 
MS. MISNER.  Mr. Chairman, upon the advice of counsel I invoke my 
right under the Fifth Amendment under the United States Constitution 
not to be compelled to testify against myself. 
MR. WHITFIELD.  So you are refusing to answer any and all questions 
we may ask under your Fifth Amendment privileges of the Constitution? 
MS. MISNER.  Yes. 
MR. WHITFIELD.  And it is your intention to assert that right on any 
of the other questions we might ask? 
MS. MISNER.  That is correct. 
MR. WHITFIELD.  Mr. Patel, if you would look at Tab 97.  This is the 
same price sheet for Mr. Strange's web site, Informationbrokers.net, 
that we saw earlier except that this is tailored for the web site 
Abika.com which you own through Accu-Search Incorporated.  I think 
you could also see it up on the screens as well.  
But on this price list, the check boxes designate the services which 
Abika.com purchased from Mr. Strange, including outgoing cell phone 
calls, cell tolls without CNA, landline tolls, with or without CNA, 
and post office box information, among others.  
So Mr. Patel, my question is did you and your company, Accu-Search, 
obtain and sell consumer cell phone records and other non-public 
personal information that was obtained through pretexting, lies, 
deceit, or impersonation?  
MR. PATEL.  Mr. Chairman, I would like to invoke my Fifth Amendment 
rights. 
MR. WHITFIELD.  So you are refusing to answer all of our questions 
on the right against self-incrimination afforded to you under the 
Fifth Amendment of the U.S. Constitution?  
MR. PATEL.  Yes, sir.  
MR. WHITFIELD.  And it is your intention to assert that right on all 
future questions? 
MR. PATEL.  Yes, sir. 
MR. WHITFIELD.  Mr. Berndt, if you wouldn't mind turning to Tab 100.  
In this copy of a chatroom posting, a private investigator named 
Damon Woodcock inquires whether someone can obtain for him both 
residential and cell phone toll records.  In response, on the next 
page an investigator named Jim Zimmer states "I use Tim Berndt at 
Relia Trace.  He is very fast, highly accurate, and his prices are 
competitive."  
At Tab 98 in another chatroom posting you describe the Relia Trace 
difference and state "we will guarantee the accuracy of what you 
receive 100 percent with the carrier of record."  
So Mr. Berndt, my question to you would be did you and your company 
Relia Trace Locate Services, obtain and sell consumer cell phone 
records and other non-public personal information that was obtained 
through pretext, lies, deceit, or impersonation? 
MR. BERNDT.  Mr. Chairman, I respectfully assert my privilege 
against self-incrimination secured to me by the Fifth Amendment to 
the United States Constitution. 
MR. WHITFIELD.  So you are refusing to answer these questions based 
on your Fifth Amendment right, and it is your intention to reassert 
that right if we ask additional questions? 
MR. BERNDT.  Respectfully, Mr. Chairman, that is correct. 
MR. WHITFIELD.  Mr. Herzog, if you would please turn to Tab 40. 
This document also is a price sheet used by Global Information 
Group, a company you formerly owned and operated, to advertise the 
information it could obtain and sell, including Social Security 
benefits, disability benefits, college class schedules, cell phone 
and landline calling records.  
So my question, Mr. Herzog, to you would be did you and your 
company, Global Information Group, obtain and sell consumer cell 
phone records and other non-public personal data by pretexting cell 
phone carriers and impersonating technical service representatives, 
financial services representatives, or customers?  
MR. HERZOG.  Mr. Chairman, upon advice of counsel I assert my Fifth 
Amendment privileges. 
MR. WHITFIELD.  So you are refusing to answer any questions today 
pursuant to your Fifth Amendment protections of the U.S. 
Constitution and it is your intention to assert that right on any 
future questions we may ask?  
MR. HERZOG.  Yes, sir.  Mr. Chairman. 
MR. WHITFIELD.  Mr. Welker, if you would not mind turning to Tab 
57.  This is a price sheet from Universal Communications Company, 
which you own, offering post office box breaks, out-of-state toll 
calls, including dates, times, and durations, cell tolls and cell 
phone breaks, among other services, and I would ask you, 
Mr. Welker, did you and your company, Universal Communications, 
obtain and sell consumer cell phone records and other non-public 
personal information that was obtained through pretext, lies, 
deceit, or impersonation?  
MR. WELKER.  Mr. Chairman, I respectfully invoke my Fifth Amendment 
rights under the Constitution and decline to answer any questions. 
MR. WHITFIELD.  So you are also refusing to answer any questions 
under the Fifth Amendment protections that you have, and it is your 
intention to assert that right on any additional questions we may 
have? 
MR. WELKER.  Yes, sir. 
MR. WHITFIELD.  At this time we'll go to Mr. Porteous.  
Mr. Porteous, Tab 73.  In this copy of a chatroom posting, Ryan 
Wroblewski, a former employee of your company, Sherlock 
Investigations, offers a special of $200 for unlimited cell 
records, all months on bills, with absolutely no add-ons, and at 
Tab 74 when asked by Tim Berndt of Relia Trace whether or not the 
offer includes business phone accounts, Mr. Wroblewski explains, 
"yes, business lines are complex but I do them for $200."  
So Mr. Porteous, my question would be to you and your company, 
Sherlock Investigations, did you and your company Sherlock 
Investigations obtain and sell consumer cell phone records and 
other non-public personal information that was obtained through 
pretext, lies, deceit, or impersonation?  
MR. PORTEOUS.  Mr. Chairman, I respectfully invoke my Fifth 
Amendment rights under the Constitution and decline to answer. 
MR. WHITFIELD.  So you're asserting your Fifth Amendment rights 
and it is your intention to reassert that right on any additional 
questions we may ask?  
MR. PORTEOUS.  Yes, sir. 
MR. WHITFIELD.  Thank you.  
Mr. Baird, at Tab 19 you will see that on February 14th, 2006, your 
attorney, Mr. Brian Corcoran of the law firm Katten Muchin Rosenman, 
responded on your behalf to this committee's letter requesting 
information about the business activities of PDJ Services, Inc.  
In that response, Mr. Corcoran stated, in particular, "the assertion 
about PDJ's collection of cell phone call records is false as PDJ 
voluntarily ceased gathering information last year."  Mr. Corcoran 
also stated that, "the information that PDJ obtains from its client 
is information that is publicly available to any person willing to 
put in the necessary time and effort."  
However, if you would turn to Tab 22, this is an e-mail document 
dated April 7, 2006, sent by your company, PDJ Services, to one of 
its customers and it contains several hundred cell phone calls 
from a Verizon Wireless bill.  In fact, in response to this 
committee's subpoena, you produced tens of thousands of e-mails 
reflecting transactions containing cell phone records throughout 
this year.  
So my question, Mr. Baird, would be did you and your company, PDJ 
Services, obtain and sell consumers' cell phone records and other 
non-public personal information that was obtained through pretext, 
lies, deceit, or impersonation? 
MR. BAIRD.  Mr. Chairman, I respectfully invoke my Fifth Amendment 
rights under the Constitution and decline to answer the questions. 
MR. WHITFIELD.  So you are invoking your Fifth Amendment rights 
and it is your intention to reassert your rights if we ask any 
additional questions? 
MR. BAIRD.  Yes, sir. 
MR. WHITFIELD.  Ms. Yontef, on Tab 79 of that same book is an e-mail 
that you sent to an employee at Patrick Baird's company PDJ 
Services, and in the e-mail you wrote "I was shot down four times 
on Nextel's CNA.  I keep getting Northwestern Call Center and they 
must have had an operator meeting about pretexts as every operator 
is cued in."  You then ask, "Can you guys try this for me?  Maybe 
you will get another call center that did not have the meetings."  
So Ms. Yontef, did you and your company, TelcoSecrets.com, obtain 
and sell consumer cell phone records and other non-public personal 
information that was obtained through pretext, lies, deceit, or 
impersonation? 
MS. YONTEF.  I respectfully invoke my Fifth Amendment rights. 
MR. WHITFIELD.  So you are invoking your Fifth Amendment rights 
guaranteed by the Constitution, and it is your intention to assert 
that right if we ask any additional questions? 
MS. YONTEF.  Yes, sir. 
MR. WHITFIELD.  Okay.  At this time we'll go to Mr. Schwartz.  
And Mr. Schwartz, at Tab 50, there are invoices from First Source 
Information Specialists, a company that you and Mr. Ken Gorman own, 
submitted to Patrick Baird's company, PDJ Services, in 2004.  
The invoices show that during the week ending August 13, 2004, your 
company sold to PDJ $720 worth of phone records, including CNAs, 
cell tolls, cell tolls with times, and information on nonpublished 
numbers.  
So Mr. Schwartz, a question I would ask you is did you and your 
company, First Source Information Specialists, obtain and sell 
consumer cell phone records and other non-public personal 
information that was obtained through pretext, lies, deceit, or 
impersonation?  
MR. SCHWARTZ.  I take the Fifth Amendment. 
MR. WHITFIELD.  So you are asserting your Fifth Amendment right, and 
it is your intention to reassert that if we ask any additional 
questions? 
MR. SCHWARTZ.  My lawyer told me to say, since we asked for a 
postponement because he is in the hospital, that I can't speak 
without him being here. 
MR. WHITFIELD.  Thank you very much. 
Now Mr. Anderson, if you would turn to Tab 88.  This is a summary of 
invoices, credits, and charges from your account with 
Mr. Jim Welker's company, Universal Communications.  According to 
this summary, the company that you own, C.F. Anderson, made dozens 
of requests for phone records in the first 4 months of 2006.  These 
requests included CNAs, which is listed as item info 1 on the 
invoice summary, cell phone breaks, item info 2, cell tolls, item 
info 9, and out-of-state tolls, item info 8.  
Mr. Anderson, did you and your company, C.F. Anderson, obtain and 
sell consumer cell phone records and other non-public personal 
information that was obtained through pretext, lies, deceit, or 
impersonation?  
MR. ANDERSON.  Mr. Chairman, with all respect, on advice of legal 
counsel I would like to exercise my rights under U.S. Constitution 
Fifth Amendment. 
MR. WHITFIELD.  So you're invoking your Fifth Amendment rights, and 
it is your intention to reassert those rights if we ask any 
additional questions? 
MR. ANDERSON.  Yes, sir. 
MR. WHITFIELD.  Given the witnesses' response, if there are no 
further questions from the members, I would dismiss all of you at 
this time subject to the right of the subcommittee to recall you 
if necessary.  So at this time, you are excused.  
That will terminate the hearing for today.  We will be regathering 
tomorrow, I believe at 2:00 o'clock tomorrow, to continue this 
hearing with another panel of witnesses.  And at this time the 
hearing is recessed. 
[Whereupon, at 1:35 p.m., the subcommittee was adjourned.] 

INTERNET DATA BROKERS:  WHO HAS ACCESS TO YOUR PRIVATE RECORDS 


THURSDAY, JUNE 22, 2006 

HOUSE OF REPRESENTATIVES, 
COMMITTEE ON ENERGY AND COMMERCE, 
SUBCOMMITTEE ON OVERSIGHT AND INVESTIGATIONS, 
Washington, DC. 


The subcommittee met, pursuant to notice, at 2:11 p.m., in Room 
2123 of the Rayburn House Office Building, Hon. Ed Whitfield 
[Chairman] presiding. 
Members present:  Representatives Whitfield, Stearns, Walden, 
Burgess, Barton (ex officio), Stupak, DeGette, and Inslee.  
Staff Present: Mark Paoletta, Chief Counsel for Oversight and 
Investigations; Tom Feddo, Counsel; Clayton Matheson, Analyst; 
John Halliwell, Policy Coordinator; Matthew Johnson, Legislative 
Clerk; Chris Knauer, Minority Counsel; Alec Gerlach, Minority 
Research Assistant; and Consuela Washington, Senior Minority 
Counsel.  
MR. WHITFIELD.  This hearing will come to order, and good 
afternoon, and welcome to all of you.  This afternoon's Oversight 
and Investigations Subcommittee hearing will continue our focus 
on data brokers and the procurement and sale of cell phone call 
records and other personal and confidential information.  
We will hear testimony today from representatives of two State 
attorneys general from Florida and Missouri about the actions 
those States have taken to shut down data brokers operating on 
the Internet, including some of the same brokers who yesterday 
asserted their Fifth Amendment rights against self-incrimination. 
The State witnesses will also suggest ways that consumers' cell 
phone records and other personal information might be better 
protected from data brokers. 
Our second panel will include representatives from five Federal 
law enforcement agencies to speak to the Federal government's use 
of data brokers.  We have anecdotal information that law enforcement 
was an occasional customer of data brokers, and so we sought to 
learn of this aspect of data brokers' business activities.  
In response to the committee's subpoena for records, one data 
broker, Patrick Baird, and his company, PDJ Services, produced 
documents showing that a Drug Enforcement Administration Task Force, 
the U.S. Marshals Service, and U.S. Immigration and Customs 
Enforcement, as well as some local law enforcement, had 
occasionally used those services. 
In addition, bureau representatives of the Bureau of Alcohol, 
Tobacco, Firearms, and Explosives and the FBI will testify today. 
My hope with both the Federal and local law enforcement panels is 
that the subcommittee may gain a better understanding of exactly 
why law enforcement might be turning to these data brokers who 
operate on the Internet.  In that context, it is important to 
understand why they turn, the kinds of information being requested 
or purchased.  And if law enforcement is turning to data brokers 
on the Internet because they lack the necessary tools to do their 
jobs under the law, then perhaps Congress should explore additional 
action and legislation to ensure law enforcement is adequately 
equipped to obtain the investigative leads and information they 
need. 
I look forward to today's testimony, thank the witnesses for being 
here, and at this time, I will recognize the distinguished Ranking 
Member, Mr. Stupak, for his opening statement. 
[The prepared statement of Hon. Ed Whitfield follows:] 

PREPARED STATEMENT OF THE HON. ED WHITFIELD, CHAIRMAN, SUBCOMMITTEE 
ON OVERSIGHT AND INVESTIGATIONS 

Good afternoon and welcome.  This afternoon's Oversight and 
Investigations Subcommittee hearing will continue our focus on data 
brokers, and the procurement and sale of cell phone call records and 
other personal information.  
	At the outset today, we will hear testimony from 
representatives of two state attorneys general, Florida and 
Missouri, about the actions those states have taken to shut down 
data brokers operating on the Internet - including some of the same 
brokers who yesterday asserted their Fifth Amendment rights against 
self-incrimination.  The state witnesses will also suggest ways that 
consumers' cell phone records and other personal information might 
be better protected from data brokers. 
	Our second panel will include representatives from five 
federal law enforcement agencies to speak to the Federal government's 
use of data brokers.  When our data broker investigation began, we 
inquired whether law enforcement agencies were among the customers 
of the data brokers in question.  We had anecdotal information that 
law enforcement was an occasional customer of data brokers, and so 
we sought to learn more about this aspect of data brokers' business 
activities.  
	In response to the Committee's subpoena for records, one 
data broker, Patrick Baird and his company PDJ Services, produced 
documents showing that a Drug Enforcement Administration task force, 
the U.S. Marshals Service, and U.S. Immigration and Customs 
Enforcement all had requested cell phone related information from 
that data broker.  Each of those agencies will testify today, and 
we are pleased to also have representatives from the Bureau of 
Alcohol, Tobacco, Firearms, and Explosives, and the Federal 
Bureau of Investigation testify.  
	The records produced by Mr. Baird also showed that several 
local police departments around the country were among PDJ's 
clients.  Our third panel will include representatives of the 
Austin, Texas and Miami-Dade, Florida police departments.  The 
Subcommittee also requested that a third police department 
testify - Orem City, Utah - but, unfortunately, Police Chief 
Michael Larsen declined our invitation.  
	My hope with both the federal and local law enforcement panels 
is that the Subcommittee will gain an understanding of exactly why law 
enforcement officers might be turning to these data brokers who 
operate on the Internet.  Let me be clear: the data brokers who 
invoked the Fifth Amendment yesterday are not necessarily 
information sources of "first resort."  They are not 
subscriber-based repositories of public information like Lexis-Nexis 
or Choicepoint.  Instead, they procure and sell information that is 
not publicly available, and which may have been acquired through 
lies and impersonation.  
	In that context, it is important to understand how often 
law enforcement turns to data brokers, the kinds of information 
being requested or purchased, whether the use of data brokers is 
permitted by statute and regulation in the jurisdiction of the 
particular law enforcement agency, and whether the various 
departments sanction the use of data brokers.  If law enforcement 
is turning to data brokers on the Internet because they lack the 
necessary tools to do their jobs under the law, then perhaps the 
Congress needs to take action and legislate to ensure that law 
enforcement is adequately equipped to obtain the investigative 
leads and information they need.  
	I look forward to today's testimony, and I thank the 
witnesses for their attendance.  I now turn to the 
distinguished Ranking Member, Mr. Stupak, for the purposes of an 
opening statement. 

MR. STUPAK.  Thank you, Mr. Chairman, for holding this second day of 
hearings related to the privacy of our personal records.  These 
hearings have been a wake-up call to the American people.  They 
should be a wake-up call to Congress.  It became shockingly clear 
yesterday that, in today's Internet age, there is no such thing as 
a private personal record.  Yesterday, the committee heard two 
witnesses nonchalantly describe how easy it is for criminals to 
obtain Social Security information, Medicare and other benefits 
information, medical records, telephone records, post office box 
information and even location, and even an individual's location 
at any given time and date.  You and I, our most private and 
personal information is out there for the world to invade and 
steal. 
The committee learned the ease with which these criminals can 
side-step common security measures put in place by businesses and 
agencies.  Mr. Chairman, yesterday's witnesses said they believed 
that what they were doing was legal.  They were even told by law 
enforcement that what they were doing was legal.  But we know 
from the committee's work that the Federal Trade Commission says 
their work is illegal.  Let's remove any confusion.  This Congress 
needs to send an unequivocal message that pretexting is illegal.  
This committee has already done excellent work in drafting two 
comprehensive bipartisan bills endorsed by consumer groups to combat 
pretexters.  Both bills passed the committee unanimously.  
Mr. Chairman, Democrats and Republicans need to stand side by side 
in saying to the House leadership that these two bills need to go 
to the floor as soon as possible.  We had them scheduled for the 
floor, and suddenly, they were withdrawn from the calendar, so 
let's not hold two good consumer protection bills hostage to 
politics. 
Turning to the topic of today's hearing, I am disturbed that our 
committee investigation found several examples of Federal law 
enforcement agents using pretexting.  As a former police officer 
and a Michigan State Trooper, I know that there are adequate means 
to conduct an investigation.  I am interested in hearing why law 
enforcement believes they need to use these pretexters who may use 
fraudulent means to obtain information.  I look forward to hearing 
from the agencies today about the scope of this problem and what 
each agency is doing to investigate and stop the use of pretexting 
within their agencies.  
With that, Mr. Chairman, I will yield back the balance of my 
time. 
MR. WHITFIELD.  Thank you.  
At this time, I will recognize the full committee Chairman, 
Mr. Barton of Texas. 
CHAIRMAN BARTON.  Thank you, Mr. Chairman, for holding the second 
day of hearings about data brokers and their many nefarious 
activities.  I look forward to hearing today what some of the 
States are doing to tackle the problems in their own jurisdictions 
and maybe get suggestions and ideas about what else this committee 
and this Congress can do through Federal legislation to put these 
companies out of business. 
As I mentioned yesterday, this committee's bill making it illegal to 
obtain consumers' cell phone call records fraudulently, which has 
already passed the committee and is awaiting action on the floor, 
is a good and important start.  In the meantime, your investigation 
has revealed that some law enforcement agencies around the country 
use data brokers to acquire cell phone-related information, both 
calling records and subscriber information, like the consumer's 
name and address. 
It is my understanding that when these records and information are 
not public, the Government must have a warrant, a subpoena, or an 
administrative subpoena to obtain access to such information.  If 
law enforcement agencies use their existing powers to get these 
warrants and subpoenas, it would seem to me they don't have to go 
to a data broker.  They can legitimately get the information they 
need directly from the carriers through normal legal processes. 
It is also my understanding that the law enforcement agencies we 
have contacted have told staff and will testify to that effect 
today that, one, there is no reason for their officers or agents to 
use a data broker company like PDJ Services because they already 
have the necessary tools to get the information. 
Two, the agencies do not sanction or approve the use of data brokers 
on the Internet.  This makes sense to me because using a data broker 
might compromise sensitive law enforcement information, compromise 
operational security, or just maybe violate the Constitution and 
void the use of certain information as evidence in court. 
I don't think anybody on our committee or subcommittee wants to make 
law enforcement's job more easy--I mean more difficult, excuse me.  
More difficult, and we do want to make it easier. 
You all are listening.  That is good. 
But at the same time, I think we do want to protect the 
constitutional rights of our citizens, and you can argue that it is 
unfair, the good guys with the white hats at various levels of law 
enforcement from the Federal Bureau of Investigation down to the 
local police department sometimes do have to fight with one hand 
tied behind their back because we have to defend the Constitution, 
and all of our citizens whether they be law-abiding or law-breaking 
have the same constitutional rights. 
So I hope that we can agree, even though it may be tougher, to go 
get a warrant, to go get a subpoena; that is the way the good guys 
do these things. 
While there may be an occasional law enforcement officer or 
department who want to cut corners, I just don't think that is 
appropriate. 
I am very concerned by this week's press reports that some law 
enforcement agencies frequently--frequently--use data brokers on 
the Internet to acquire nonpublic information.  I hope that this 
is not a widespread occurrence, and I hope that the law 
enforcement agencies here today and the others that are not here 
but are paying attention come away from this hearing with the 
decision to stay away from these data brokers.  Again, I will 
stipulate, our law enforcement guys are good guys.  They wear white 
hats.  We are all for them.  But there is a little thing called 
the Constitution that does give our citizens constitutional 
guarantee of due process.  And if there is a reason to get 
somebody's cell phone record or some of his personal information, 
records, you can always go to a judge; you can always go to a 
magistrate; you can get the proper warrant, the proper subpoena 
to get that information.  
I understand that the nature of law enforcement sometimes entails 
a close contact with the seedy side of society.  I might say I 
am very grateful that we have our law enforcement undercover 
officers and agents.  They are doing that.  They protect me.  
They protect my family.  They protect my children.  However, this 
business of data brokering is barely this side of legal.  
In fact, I think it is in many cases illegal.  And it is plainly 
wrong, and I hope that our police departments will rule it out of 
bounds for their investigators. 
I recall this problem first came to light when the Chicago Police 
Department discovered that its undercover officers were at risk of 
being outed by data brokers to drug dealers.  Can you imagine?  
When one set of law enforcement officers trying to do their job, 
undercover, risking their lives, are outed or threatened to be 
outed by data brokers who are selling records to other law 
enforcement officers; what kind of a deal is that?  It is a bad 
deal. 
I want to make data brokering illegal, as well as reprehensible.  
In the meantime, I hope our friends in the police agencies and the 
various law enforcement agencies will find a more efficient way to 
go that extra step to get the warrants, to get the subpoenas, to 
go to the courts instead of data brokers to get the information 
they need.  If we need Federal legislation to facilitate that 
process, I am sure on a bipartisan basis this committee will work 
to make that happen.  And if we need to go to other committees of 
jurisdiction, we will work with the other committees of 
jurisdiction. 
Mr. Chairman, thank you for this second day of hearings, I look 
forward to the testimony.  
[The prepared statement of Hon. Joe Barton follows:] 

PREPARED STATEMENT OF THE HON. JOE BARTON, CHAIRMAN, COMMITTEE ON 
ENERGY AND COMMERCE 

Thank you, Chairman Whitfield, for holding this second hearing 
about data brokers today.  I look forward to learning what some of 
the States are doing to tackle this problem in their own 
jurisdictions, and to maybe get some suggestions and ideas about 
what else this Committee and the Congress can do through federal 
legislation to put these companies out of business.  As I mentioned 
yesterday, this Committee's bill making it illegal to obtain 
consumers' cell phone call records fraudulently is a good and 
important start.  
In the meantime, your investigation has revealed that some law 
enforcement agencies around the country use these data brokers to 
acquire cell phone related information - both calling records and 
subscriber information, like the customer's name and address.  It 
is my understanding that when these records and information are 
not public, the government must have a warrant, a subpoena, or an 
administrative subpoena to obtain access to such information.  If 
law enforcement uses these subpoena or search warrant tools, then 
they don't have to go to a data broker; they can legitimately get 
the information directly from the carriers.  
It is also my understanding that the law enforcement agencies we 
have contacted have told staff, and will testify today that: 
1) there is no reason for their officers or agents to use a data 
broker company like PDJ Services because they already have the 
necessary tools to get the information; and 2) the agencies do not 
sanction or approve of the use of data brokers on the Internet.  
This makes sense to me, because using a data broker might 
compromise sensitive law enforcement information, compromise 
operational security, or violate the Constitution and void the use 
of certain information as evidence in court.  
Nonetheless, there will be the occasional law enforcement officer 
who may cut corners.  I am concerned by this week's press reports 
that some law enforcement frequently use data brokers on the 
Internet to acquire non-public information.  I hope that this is 
not widespread, and that the law enforcement agencies here today, 
and other ones paying attention to this hearing, stay away from 
these data brokers.  
I understand that the nature of law enforcement necessarily entails 
a close contact with the seamy side of society.   However, this 
business of data brokering is barely this side of illegal, and it 
is so plainly wrong that I hope police departments will rule it out 
of bounds for their investigators.  I recall that this problem came 
to light when the Chicago Police Department discovered that its 
undercover officers were at risk of being outed by data brokers to 
drug dealers.   When one set of law enforcement officers are using 
and encouraging a service that endangers other officers, 
something's very wrong.  I want to make data brokering illegal as 
well as reprehensible.  In the meantime, I hope the police will 
find efficient ways to use warrants and courts instead of data 
brokers to get at the information they need. 
Mr. Chairman, I look forward to today's testimony and yield back 
the remainder of my time. 

MR. WHITFIELD.  Thank you, Mr. Barton.  
At this time, I recognize Ms. DeGette of Colorado. 
MS. DEGETTE.  Thank you very much, Mr. Chairman.  
Yesterday's hearing was indeed illuminating and frightening.  I was 
sort of amazed by the end of the hearing that my bank account 
hadn't been cleaned out and all the other committee members, 
although I suppose that is yet to be seen.  But pretexting as we 
learned from the witnesses yesterday can allow somebody to gain 
almost any kind of information from folks.  
And this ranges from being a mere annoyance to even potentially 
a life-threatening situation.  A stalker could easily find a 
victim.  A threatening husband could try to track down a spouse 
who is attempting to seek shelter.  And Mr. Rapp who was the 
investigator who spoke yesterday said that he, most of the time 
when he was doing this work, he never bothered to try to figure 
out whether the purpose was legitimate or not, other than he never 
gave people phone numbers to battered women's shelters which 
I thought was kind of a bright line, and I am glad he used that 
test.  But I was wondering what other information he was giving 
to people and for what purpose. 
I was horrified to find out that the witnesses yesterday and 
several of the other witnesses who asserted their right to Fifth 
Amendment privileges were from my home State of Colorado.  And I 
found out, Mr. Chairman, that five, only five out of 50 States, 
including my State, don't supervise private investigators and 
oversee them, which is one reason a lot of these nefarious types 
have come to States like my State.  And I intend to work with my 
State legislators before the next session to see if they can put 
some laws in place.  But there is a broader issue.  And the issue 
is that there are no clear brightline tests.  There is no law 
where you can say some of these activities are illegal. 
In fact, Mr. Rapp was prosecuted under the RICO statutes, and he 
later pled guilty to a much lesser offense.  The reason is, it is 
almost impossible to convict somebody of a RICO violation, and 
that is really an inaccurate, and not a complete fit. 
So, I think everybody agrees on a bipartisan basis that we need to 
have legislation to prevent this activity. 
And of course, we have legislation, as I mentioned yesterday, 
H.R. 4943, which passed the committee unanimously on March 8th of 
this year and on May 2nd was scheduled for consideration on the 
House floor. 
And I asked yesterday, and I ask again, what ever happened to this 
bill?  I was thinking later after the hearing we could have had 
Mr. Rapp try to track down the bill, and I bet he could have found 
it for us, Mr. Chairman, because it seemed like he could find out 
about any information he wanted.  
But for whatever reason, whether it was because of jurisdictional 
issues or stakeholder issues, as Chairman Barton said yesterday, 
or some other issues about news breaking about the same time in 
the USA Today story, whatever reason, that bill was taken off the 
suspension calendar and we haven't seen it since. 
I was hoping that Chairman Barton would tell us today the result 
of his meeting yesterday he said he was having to find out the 
status of the bill, because I think it is extremely important that 
we pass this legislation, and I am hoping that this series of 
hearings will give us the impetus to once and for all get this 
bill up on the floor and get it passed.  And just one last thing.  
We also need to pass H.R. 4127, which is an important piece of 
legislation, again, also passed by this committee and again in 
legislative limbo.  And so I think we were all--whenever we have 
an investigative hearing like this, Mr. Chairman, we learn so 
much, and I am so glad we have them, and I am so glad this lights 
a fire to bring these bills up on the suspension calendar to pass 
them and to urge the Senate to pass them.  
With that, Mr. Chairman, I yield back. 
MR. WHITFIELD.  Thank you, Ms. DeGette.  
At this time, the Chair recognizes the gentleman from Florida, 
Mr. Stearns.  
MR. STEARNS.  Thank you, Mr. Chairman.  And I appreciate your 
continuing efforts on these hearings.  
And I look forward to the witnesses today. 
I think, from yesterday, I came away with the impression that these 
data brokers are middlemen, and some of the things that they do, 
you, it is going to be very difficult to draft up legislation to 
stop them. 
Some of it is just pure being con artists, but in many ways, this 
middleman is a data broker; they are able to help and find evidence 
that helps law enforcement.  So the question is, what kind of 
legislation could be provided to make sure that they don't cross 
the line?  And for example, when I talked to one of the data 
brokers yesterday, we were talking about cell phone records.  And 
I guess the question I would be asking these folks are, how can 
cell phone records and other personal consumer information be 
protected from these middlemen or these data brokers who operate 
on the Internet?  
So this is going to be very difficult to try and come up with 
legislation.  I think a lot of these data brokers thought they were 
operating legally, and they were just ferreting out information by 
ingenious methods of conning the corporation's customer service. 
I think it is an interesting hearing.  And obviously, in some 
cases, these data brokers did things which, although appalling, 
if the other person is not under evil intent, these data brokers 
are helping law enforcement to extricate these people, find them 
and put them in jail.  So there is a side to this hearing that I 
think all of us should realize that there is some aspect about 
it that the law enforcement community needs.  They use data brokers 
to acquire this information, and without a warrant or subpoena to 
acquire the records, and the people who do it in many ways do 
something they think is legal. 
But I notice that the staff had provided that there is an Act 
called the Stored Communications Act, lays out specific requirements 
for government entities that want access to cell phone call records 
and even customer name and address information.  I did not know 
that.  So perhaps this is the vehicle that we should look at more 
carefully, Mr. Chairman, if we intend to offer legislation.  
Thank you, Mr. Chairman. 
MR. WHITFIELD.  Thank you, Mr. Stearns.  
At this time, I recognize Dr. Burgess of Texas. 
MR. BURGESS.  Thank you, Mr. Chairman, and again, these have been 
enlightening and intriguing hearings, and I am confident our 
committee will continue to work diligently to protect Americans 
and their private records. 
Today, the second part of our hearing on the Internet data brokers 
and pretexting begins.  Yesterday, our primary focus was on the 
victims and on the actual data brokers themselves.  And today our 
focus shifts to government practices.  It will be an interesting 
dynamic to not only hear from States' attorneys general and their 
efforts to stop the business of data brokers, but we will also be 
hearing from the Government agencies that actually do business with 
data brokers.  There must be a way to better provide law 
enforcement agencies with the data needed to fight crime and pursue 
justice while at the same time continuing to protect the 
constitutional right to privacy of our citizens. 
I look forward to discussing this issue in greater detail with the 
law enforcement agencies in trying to determine if they need 
additional tools, if they need additional Federal legislation or 
administrative action to better balance these compelling needs. 
During yesterday's hearing, I entered into an interesting and 
troubling discussion about the lack of security at telephone 
kiosks in shopping malls.  According to Mr. David Gandal and 
Mr. James Rapp, the security measures at stores, retail outlets, 
and kiosks are practically nonexistent.  Data brokers, even 
those without much sophistication, can easily use the kiosk as 
an uncontrolled supply of customer information.  I was not even 
aware that this was a potential problem. 
And I would very much like to hear from the attorneys general on 
our panel today whether or not they viewed this as problematic 
and, if so, what they are doing to control this as a potential 
source of data on American citizens.  
Mr. Chairman, again, I thank you for your leadership on this issue, 
and I look forward to today's hearing.  I yield back. 
MR. WHITFIELD.  Thank you, Dr. Burgess. 
And there are no further opening statements. 
 
STATEMENTS OF PETER LYSKOWSKI, ASSISTANT ATTORNEY GENERAL, OFFICE 
OF THE ATTORNEY GENERAL, STATE OF MISSOURI; AND JULIA HARRIS, 
SENIOR ASSISTANT ATTORNEY GENERAL, OFFICE OF THE ATTORNEY GENERAL, 
STATE OF FLORIDA  

MR. WHITFIELD.  I would like to call the first panel and apologize 
for the delay in getting started this afternoon.  On the first 
panel, we are quite fortunate to have Mr. Peter Lyskowski, who is 
Assistant Attorney General at the Missouri Attorney General's 
Office of Jefferson City, Missouri; and also, Ms. Julia Harris, 
who is the Assistant Attorney General from the State of Florida 
out of Tallahassee.  So if they would please come forward and take 
a seat at the table, we appreciate that. 
I want to thank you all very much for taking the time to come up and 
provide us with assistance on this important subject.  We know that 
your States have been quite active in this arena, and we are hoping 
that maybe we can learn some things from you.  And as you may or 
may not know, the Oversight and Investigations Subcommittee takes 
testimony under oath, and I would ask you, do either one of you 
have difficulty testifying under oath today?  
MR. LYSKOWSKI.  No.  
MS. HARRIS.  No, Mr. Chairman. 
MR. WHITFIELD.  And I feel quite confident that you don't need legal 
counsel, so if you would stand, I will swear you in. 
[Witnesses sworn.]  
MR. WHITFIELD.  Thank you very much.  You are now under oath. 
And Mr. Lyskowski, we will start with you if you will give us 
your 5-minute opening statement. 
MR. LYSKOWSKI.  Thank you, Mr. Chairman, for holding this and 
yesterday's hearings and the previous hearing held by the full 
committee on this important issue.  I thank also the Members for 
showing the interest in this important law enforcement and consumer 
issue. 
We have seen in Missouri as in other places that the emergence of 
new technologies that increase efficiency and ease of use of basic 
services has allowed citizens in our State, Missouri, like all 
Americans, to participate in an information revolution.  
And while the dramatic changes we have seen in recent years have in 
many ways made our lives easier, they have also provided new ways 
for wrongdoers to take advantage of our reliance on these new 
technologies.  The safeguards provided by face-to-face interaction 
have been replaced online by a host of authentication measures.  
Now, no doubt, most of these measures may be effective in securing 
consumers' information, but law enforcement officials at every 
level throughout history know that no security system is 100 
percent effective, and thieves have adapted so that they can 
operate in the information age. 
In the attorney general's office in Missouri, we investigate and 
prosecute both civilly and criminally those who would seek to 
endanger, defraud, and exploit Missouri citizens.  Investigators 
and attorneys in our office are constantly on the lookout for the 
latest methods and practices employed by those trying to take 
advantage of Missourians.  This is especially true when it comes 
to the theft of consumers' private information which, in the hands 
of the wrong person, can be put to a number of nefarious uses. 
We recently began investigating the practice of selling cell phone 
records over the Internet.  We discovered that numerous websites 
advertised by simply providing a phone number and a fee.  Someone 
could obtain the account's originating address as well as a list 
of the calls placed from and received at that number, sometimes 
in a matter of hours. 
And so we took action.  On January 20th of this year, we filed suit 
against the operators of locatecell.com, a site which we believed 
to be perhaps the biggest player in this industry.  On February 
15th of this year, we obtained a court order prohibiting these 
defendants from engaging in this practice; this site is currently 
not operating.  On February 21st, we sued the operators of 
completeskiptrace.com and, 2 days later, obtained a court order 
prohibiting operators of this site from obtaining or selling cell 
phone records.  The offensive portions of completeskiptrace.com 
are now disabled.  
On March 6th, we sued the operators of datatraceusa.com and 
obtained a temporary restraining order and then a preliminary 
injunction against those operators; datatraceusa.com is no longer 
operational.  
Just a week ago, on June 15th, a judge in Jefferson City, Missouri, 
approved an agreement that we reached with a Joplin, Missouri, man 
who was operating a Web site called nainfo.com.  This center will 
no longer offer for sale or sell consumer cell phone records, and 
that portion of the Web site has been disabled. 
Mr. Chairman, our cases in this area are based on Missouri's 
consumer protection laws which include a prohibition on the use of 
practices that are unethical, oppressive, or unscrupulous and pose 
a risk or cause substantial harm to consumers.  Those laws also 
prohibit the concealment, suppression, or omission of a material 
fact in connection with the sale of goods or services. 
These defendants' conduct violates both of these provisions.  
Additionally, some of the sites actually make a misrepresentation 
that the information is obtained legally, a statement which is, of 
course, completely false and in violation of Missouri law. 
Mr. Chairman, we currently have other investigations under way, and 
we will not hesitate to take appropriate action to curb violations.  
So that is what we have done in Missouri to sort of try to eliminate 
some of these sites.  We have also asked the question that has been 
asked by other participants in this discussion about the role of 
the carriers.  And on April 28th of this year, we joined with 47 
other attorneys general in urging the FCC to require phone carriers 
to implement additional and stronger safeguards.  We signed on 
because we believe phone carriers can and should take the necessary 
steps to put adequate safeguards in place to protect the information 
they amass on their customers.  By most accounts, as has been 
indicated, these records are obtained by thieves through pretexting, 
a practice which you may have heard has also been called, Dialing 
for Dummies, where individuals actually call the carrier of the 
number for which he wishes to retrieve records and pose as actual 
consumers, the actual customers.  These pretexters ask for the most 
recent bill of the customer they are impersonating, and if they 
fail in any way in providing authentication information, they just 
hang up and try again and they bounce back and forth from attendant 
to attendant until they succeed.  We were shocked to discover the 
ease with which they were able to accomplish this. 
But we also recognize that putting the operators of these websites 
out of business is not a panacea.  If carriers are to act to 
implement safeguards as we have suggested with the other attorneys 
general, the low hurdles that pretexters have to cross will be 
replaced by substantial barriers making it far more difficult.  
I don't want there to be any doubt that we view the bad actors 
here as the operators of these websites.  However, we know that the 
carriers are in a position where they can either continue being part 
of the problem or they can adapt new measures to become part of 
the solution.  
Thank you again for your time, and we are very pleased to be here 
today and I would be happy to answer any questions you may have. 
[The prepared statement of Peter Lyskowski follows:] 

PREPARED STATEMENT OF PETER LYSKOWSKI, ASSISTANT ATTORNEY GENERAL, 
OFFICE OF ATTORNEY GENERAL, STATE OF MISSOURI 

The State of Missouri's response to the sale of cell phone records 
and personal identifying information on the internet: 

I.	Missouri's Investigations and Litigation 
The emergence of new technologies that increase efficiency and ease 
of use of basic services has allowed Missourians - like all 
Americans - to participate in an information revolution.  And 
while the dramatic changes we have seen in recent years have in 
many ways made our lives easier, they have also provided new ways 
for wrongdoers to take advantage of our reliance on these 
technologies.  The safeguards provided by face-to-face interaction 
have been replaced online by a host of authentication measures.  
No doubt most of these measures are effective in securing 
consumers' information.  But law enforcement officials at every 
level throughout history know no security system is 100% effective, 
and thieves have adapted so that they can operate in the information 
age. 
We investigate and prosecute, both civilly and criminally, those who 
seek to endanger, defraud, and exploit Missouri citizens.  
Investigators and attorneys in our office are constantly on the 
lookout for the latest methods and practices employed by those 
trying to make money by taking advantage of Missourians.  This is 
especially true when it comes to the theft of consumers' private 
information which, in the hands of the wrong person, can be put to 
a number of nefarious uses.  
Recently, we began investigating the practice of selling people's 
cell phone records over the internet.  We discovered that numerous 
web sites advertised that by simply providing a phone number and a 
fee, someone could obtain the account's originating address as well 
as a list of calls placed from and received at that number in a 
matter of hours.  We quickly took action: 
-	On January 20 of this year, we filed suit against the 
operators of locatecell.com, a site which we believe to be 
perhaps the biggest player in this industry.  On February 15, we 
obtained a court order prohibiting these Defendants from engaging in 
this practice.  This site is currently not operating. 
-	On February 21, we sued the operators of 
completeskiptrace.com, and two days later obtained a court order 
prohibiting the operators from obtaining or selling cell phone 
records.  The offensive portions of completeskiptrace.com are now 
disabled.  
-	On March 6, we sued the operators of datatraceusa.com, 
obtaining a temporary restraining order and then a preliminary 
injunction against those operators.  Datatraceusa.com is no longer 
operational.  
-	A week ago, on June 15, a Missouri judge approved an 
agreement we reached with a Joplin, Missouri man who was operating 
the web site nainfo.com.  He will no longer offer for sale or sell 
consumers' cell phone records, and that portion of his web site 
has been disabled. 

Our cases in this area are based on Missouri's consumer protection 
laws, which include a prohibition on the use of practices that are 
unethical, oppressive, or unscrupulous and pose a risk of or cause 
substantial harm to consumers.   Those laws also prohibit the 
concealment, suppression, or omission of a material fact in 
connection with the sale of goods or services.  These defendants' 
conduct violates both of those prohibitions.   Additionally, some 
of these sites actually make the misrepresentation that the 
information is obtained legally - a statement which is of course 
totally false and in violation of Missouri law.  
We currently have other investigations underway, and will not 
hesitate to take appropriate action to curb these violations.  

II.  	NAAG Sign-on 
On April 28 of this year, we joined with 47 other attorneys general 
in urging the Federal Communications Commission to require phone 
carriers to implement additional and stronger safeguards.  We 
signed on because we believe the phone carriers can and should 
take the necessary steps to put adequate safeguards in place to 
protect the information they amass on their customers.  By most 
accounts, these records are obtained by thieves through 
"pretexting" - a practice also referred to as "dialing for 
dummies" - where individuals actually call the carrier of the 
number for which they wish to retrieve records and pose as actual 
customers.  These "pretexters" ask for the most recent bill of the 
customers they're impersonating, and if they fail in providing 
accurate authentication information, they simply hang up and try 
again.  They bounce from attendant to attendant until they succeed. 
We were surprised to discover the ease with which these pretexters 
are able to obtain very personal and private information.  Putting 
these operators out of business is not a panacea.  If carriers act 
to implement safeguards such as those suggested by state attorneys 
general, whether voluntarily or under federal mandate, the low 
hurdles that pretexters now must cross will be replaced by 
substantial barriers, thus making it far more difficult for them 
to ply their craft.  
Let there be no doubt that the pretexters and those who employ them 
are the bad actors here; they are the ones we have sued and continue 
to investigate.  But the carriers are uniquely poised to either 
continue to be part of the problem, or to adopt new measures that 
allow them to be part of the solution. 

III.  	Federal Proposals
We have confidence that the legal theories underlying our state 
actions are sound.  We would not have brought these cases if that 
weren't so.  
We in state law enforcement always welcome the assistance and support 
of those at the federal and local level.  As long as it does not 
pre-empt the Missouri statutes we use in pursuing these actors, we 
would welcome the strengthening of federal law in this area. 

IV.	Conclusion
We are pleased with the progress we have made in Missouri, and we 
applaud the work of our colleagues in other states in going after 
these folks.  We will continue to work diligently to protect 
consumers' privacy when these and other practices occur.  And we 
call on those with the capability to do the same. 

MR. WHITFIELD.  Thank you very much.  
At this time, Ms. Harris, you are recognized for your opening 
statement. 
MS. HARRIS.  Thank you, Chairman Whitfield, Ranking Member Stupak, 
and members of the subcommittee. 
My name is Julia Harris, and on behalf of Attorney General Charlie 
Crist of the State of Florida I want to thank you for the 
opportunity to address this committee. 
Attorney General Charlie Crist has filed two lawsuits against data 
brokers in 2006.  The first was filed on January 24th of this year 
against 1st Source Information Specialists, and Steven Schwartz and 
Kenneth Gorman.  You may be more familiar with this company as it 
operated the websites locatecell.com, celltolls.com, datafind.org, 
and peoplesearchamerica.com, and is subject to other litigation 
throughout the Nation and by carriers. 
This company advertised telephone records over the Internet. 
In the course of the investigation, an Internet order was placed for 
telephone records, and those records were e-mailed within 24 hours 
to the purchaser of those records. 
The Attorney General filed a complaint against 1st Source on the 
basis that they unlawfully obtained and sold telephone records.  The 
complaint was based on Florida's Deceptive and Unfair Trade Practices 
Act and also alleged violations of Florida's law on criminal use of 
personal identification.  The complaint also alleged civil 
conspiracy.  
The websites have since been taken down, but litigation is pending, 
and no further comment would be appropriate at this time. 
Attorney General Crist's second lawsuit was filed against Global 
Information Group on February 23rd of 2006. 
The complaint also filed an action against Laurie Misner and Edward 
Herzog.  These were individuals that appeared yesterday. 
The Attorney General's complaint alleged that Global unlawfully 
obtained and sold confidential telephone records.  Specifically, the 
complaint alleged that Global obtained information by impersonating 
telephone company employees and customers in order to obtain that 
information.  In one specific example, Global employees posed as an 
employee of a telecommunications carrier who was assisting a 
disabled consumer.  The complaint also alleged that Global made over 
5,000 calls to a telephone company customer service toll free number 
in about 1 month period of time. 
The complaint also alleged thousands of other calls to telephone 
company customer service centers.  In April, the Attorney General 
obtained a consent judgment and permanent injunction against Global 
and Laurie Misner and Edward Herzog.  We obtained $250,000 in 
monetary relief.  However, there are potential penalties of 
$2.5 million against any offending individual defendant if certain 
conditions are met. 
The injunctive relief is broad, because Global participated in a 
number of practices and pretexting outside of phone records. 
The injunction prohibits all pretexting. 
Outside of enforcement, the Florida legislature has been active. 
Effective July 1st of this year, Florida specifically criminalizes 
the obtaining of telephone calling records through fraudulent means 
from a telecommunications company.  This will be located at Section 
817.484 of the Florida Statutes.  The law will prohibit a person 
from obtaining or attempting to obtain calling records without 
permission, for making a false, fictitious, or fraudulent statement 
to a telecommunications company or customer.  It prohibits the 
providing of a document knowing that that document is forged, 
counterfeit, lost or stolen, or fraudulently obtained.  It also 
prohibits asking another person to obtain, sell, or offer to sell 
a call record obtained illegally. 
I must point out that we have seen that private investigators have 
been a large part of this industry.  Private investigators will be 
subject to Florida's new law. 
In addition, Florida's law provides that voice-over Internet 
protocol providers are within the definition of telecommunications 
companies.  In addition to Florida's new law specifically addressing 
telephone records, Florida's existing law, the Criminal Use of 
Personal Identification Information Law, is available today, as it 
has been, as a felony.  Effective July 1st of last year, Florida's 
legislators specifically provided that telephone numbers are 
protected personal identification information. 
Outside of State action, the Federal Communications Commission 
through its rulemaking authority and telecommunication carriers 
should enhance carrier protections as noted by my fellow assistant 
attorneys general.  Florida and 47 other attorneys general filed 
comments in April to the FCC in response to their notice of 
proposed rulemaking strongly encouraging enhanced protections for 
consumers.  Front-end protections are needed to be implemented by 
carriers.  They can prevent the pretexters at the outset and 
eliminate and reduce the need for back-end investigation and 
prosecution well after the harm has occurred. 
Why is immediate access to telephone records necessary?  That may be 
something that should be looked at further.  Consumers do need to 
have a choice about expedited access to their confidential records. 
And telecommunication carriers should voluntarily provide consumers 
with this choice.  If a consumer does not require or desire 
expedited access to their telephone records through phone, fax, or 
e-mail, a consumer should be able to require the carrier to secure 
the records.  For those consumers needing expedited access, they 
should be able to direct carriers to permit access with appropriate 
checks and balances.  Therefore, only consumers who are willing to 
assume the inherent risk of that increased access and the 
vulnerabilities that go with that should gain the records in that 
manner. 
This is akin to a security freeze.  And consumers now can use that 
to protect their credit bureau reports.  The recommendations of the 
attorneys general and the comments filed to the FCC warrant 
additional review by the subcommittee to assist in addressing those 
issues involving consumer consent, bolstered safeguards, a revamp 
of consumer notices, requiring voice-over Internet providers to 
protect consumer information, addressing the release of cell phone 
locations, and particular security mechanisms. 
We have learned that all consumer records are vulnerable, not just 
the phone records.  But a cohesive approach is required.  
Responsible business practices, consumer education, regulatory 
oversight, legislative action, and enforcement all have a role in 
addressing the consumer data industry issues.  However, Federal 
legislation should not impede the efforts of the States under State 
law remedies.  
On behalf of Attorney General Charlie Crist, I thank you for the 
opportunity to address the subcommittee. 
[The prepared statement of Julia Harris follows:] 

PREPARED STATEMENT OF JULIA HARRIS, ASSISTANT ATTORNEY GENERAL, 
OFFICE OF ATTORNEY GENERAL, STATE OF FLORIDA 

Chairman Whitfield, Ranking Member Stupak, members of the 
Subcommittee on Oversight and Investigations, Committee on Energy 
and Commerce, U.S. House of Representatives, I am Julia Harris, and 
on behalf of Attorney General Charlie Crist of the State of Florida, 
I thank you for the opportunity to appear before the Subcommittee 
to address its concerns which resulted in this hearing on Internet 
Data Brokers and Pretexting: Who has Access to Your Private Records? 

I.  	Background 
	I am a Senior Assistant Attorney General with the State of 
Florida Office of the Attorney General, Economic Crimes Division.1  
I am the attorney who filed litigation on behalf of Attorney General 
Charlie Crist against Global Information Group, Inc. on 
February 23, 2006 in state court in Tampa, Florida for unlawfully 
obtaining and selling confidential telephone records without the 
knowledge of the consumers whose records were being sold.  

II. Attorney General's Litigation Against Data Brokers 
A. State of Florida vs. 1st Source Information Specialists, Inc., 
et al	
	Attorney General Crist filed Florida's first lawsuit 
against data brokers trafficking in phone records on 
January 24, 2006 against 1st Source Information Specialists, Inc. 
et al, which conducted its Ft. Lauderdale, Florida based operations, 
in part, through the websites: locatecell.com, celltolls.com, 
datafind.org and peoplesearchamerica.com.2 These websites advertised 
the sale of telephone records, including records of outgoing calls 
from landline and wireless phones, and accepted orders for telephone 
records from any person with internet access, with no questions 
asked.  In fulfilling orders, 1st Source unlawfully obtained and 
sold telephone records without consumer consent.  
Through investigative coordination with the Florida Public Service 
Commission (the state regulatory authority responsible for 
telecommunications providers), a State investigator ordered 
telephone records on a Florida telephone number through the internet 
website peoplesearchamerica.com with a credit card payment of 
$185.00.  Before 24 hours had elapsed, the telephone records of the 
desired telephone number were e-mailed to the purchaser.  The 
person subscribing to the telephone number that was the subject 
of the purchase did not consent to the sale of records.  

	B.	State of Florida vs. Global Information Group, Inc., 
et al:  
	The Attorney General sued Global Information Group, Inc. 
("Global"),  Laurie Misner7, Global's President and majority 
shareholder, and Edward Herzog8, a shareholder, officer, and owner 
of the predecessor business, alleging that the Global defendants 
violated Florida's Deceptive and Unfair Trade Practices Act9, 
including the Criminal Use of Personal Identification Information 
law10 as per se violations11 of the Deceptive and Unfair Trade 
Practices Act.12   The Attorney General alleged that Global 
obtained information  by impersonating either customers or telephone 
company employees in order to obtain consumers' personal calling 
information.   Exhibits "C" and "D" to the complaint append 
transcripts of calls logged to customer service centers, one of 
which used the ploy of assisting a voice-impaired customer as a 
means to manipulate the release of customer information.  In 
particular, the complaint alleged that Global made over 5,100 calls 
from its Florida-based operations to a telephone company customer 
service number in a span of just over a month period.  Thousands 
of other calls originating from telephone numbers to which Global 
subscribed were made to several telephone companies' toll free 
customer service numbers.13  Global represented itself as  
"a leading provider of skip tracing services, asset recovery and 
information research" and that it "serves principally financial 
institutions, providing them with information necessary for 
recovery of lost assets from delinquent debtors." 14 
On April 12, 2006, the Attorney General obtained a Consent Judgment 
and Permanent Injunction against Global, and defendants Misner 
and Herzog, individually.15  The Attorney General's litigation 
constituted civil enforcement, with the judgment providing for 
monetary relief of $250,000 and potential penalties of $2.5 million 
against an offending individual defendant if certain conditions are 
met. The Attorney General required broad permanent injunctive relief 
due to the range of Global's conduct involving pretexting.  In 
addition to procuring a variety of telephone records, Global 
marketed, offered and/or provided services facilitated through 
pretexting which included: 

skip tracing 
utility searches 
employment 
unemployment 
p.o. box / private mail boxes 
social security benefits 
disability benefits 
welfare benefits 
child support 
social security number trace 
school class schedules 
cell phone triangulation 

with performance of such services without the consent of the 
individual about whom an investigation was instituted.  As a result 
of the terms required by the Attorney General's permanent 
injunction, Global ceased operations and the individuals vowed to 
leave the phone record and pretexting business practice.16 
The Consent Judgment and Permanent Injunction broadly provides 
that the following conduct is prohibited: 

Defendants are permanently restrained and enjoined from making, or 
assisting others in making, expressly or by implication, any false 
or misleading oral or written statement or representation in 
connection with the marketing, advertising, promotion, offering for 
sale, sale or provision of any products or services in any trade or 
commerce, as follows (directly from the Judgment17): 
A.	Initiating, assisting, facilitating, procuring, obtaining, 
or engaging, directly or indirectly, in any act or further attempts 
to obtain customer information including, but not limited to, 
calling or billing records, from any "telephone company" (as defined 
in paragraph 3.4 of this Section III) doing business in Florida 
through use of a telephone company customer's "personal 
identification information"(as defined in paragraph 3.4 of this 
Section III); 
B.	Directly or indirectly using any telephone company 
employee's "identity" (as defined in paragraph 3.4 of this Section 
III) or purported identity for any purpose, specifically including  
any representation that one is a telephone company employee, agent 
or independent contractor; 
C.	Directly or indirectly using any consumer or public utility 
customer's identity or purported identity for any purpose, 
specifically including any representation that one is a person 
other than himself; 
D.	Directly or indirectly using any identity of a person or a 
business or purported identity for any purpose, specifically 
including any representation, through any means, that one is a 
person other than himself or maintains a telephone number other 
than his own number; 
E.	Directly or indirectly making, or assisting others in 
making, expressly or by implication, any false or misleading oral 
or written statement or representation, intentional false 
statement, misrepresentation or omission of a material fact to 
induce reliance on such statement or omission with intent to use 
personal identification information of consumers without their 
knowledge or consent; 
F.	Initiating, assisting, facilitating, procuring, or engaging, 
directly or indirectly, in any further contact with the customer 
service centers of any telephone company doing business in the State 
of Florida pertaining to any matter that is not directly related 
to Defendant's own account(s); 
G.	Selling, transferring or disclosing to third parties any 
consumer information, including personal identification information 
and telephone calling records obtained from telephone companies, 
currently in Defendants' possession or under their control; 
H.	Using confidential consumer information, including personal 
identification information and telephone calling records obtained 
from telephone companies, contained in any documents, regardless of 
form or manner of storage for marketing or for purposes inconsistent 
with the terms of this Judgment; 
I.	Initiating, assisting, facilitating, participating, 
procuring, or engaging in any transaction with any other person or 
entity engaging in or performing in any of the activities prohibited 
by each of the paragraphs A. through G. of this Section III, 
paragraph 3.1.; and 
J.	Forming, controlling, operating or participating in the 
control, operation or formation of a business or organizational 
identity as a method of avoiding the terms and conditions of this 
Judgment. 

III.	Florida Legislation and Existing Laws
A.   Florida's New Law: Effective July 1, 2006:

Obtaining Telephone Calling Records by Fraudulent Means Prohibited 
as a Criminal Act 

Florida has specifically criminalized the obtaining of telephone 
calling records through fraudulent means from a telecommunications 
company, as a bill unanimously approved by the Florida Legislature 
was signed into law on Friday, June 9, 2006 by Governor 
Jeb Bush.18  
	The new law will be inserted in Chapter 817, Fraudulent 
Practices, and will be located at Section 817.484, Fla. Stat. The 
content, in pertinent part, provides: 
It is unlawful for a person to - 
(a) 	Obtain or attempt to obtain the calling record of another 
person without the permission of that person by: 
1.	Making a false, fictitious or fraudulent statement or 
representation to an officer, employee, or agent of a 
telecommunications company; 
2.	Making a false, fictitious or fraudulent statement or 
representation to a customer of a telecommunications company; or 
3.	Providing any document to an officer, employee, or agent 
of a telecommunications company, knowing that the document is 
forged, is counterfeit, was lost or stolen, was fraudulently 
obtained, or containing a false, fictitious, or fraudulent 
statement or representation. 
(b)	Ask another person to obtain a calling record knowing that 
the other person will obtain, or attempt to obtain, the calling 
record from the telecommunications company in any manner described 
in paragraph (a). 
(c)	Sell or offer to sell a calling record that was obtained in 
any manner described in paragraph (a). 

Violation of this law carries a 1st degree misdemeanor charge for a 
first offense resulting in sentencing up to a year imprisonment and 
up to $1,000,  but a second or subsequent offense imposes the 
heightened charge of a 3rd degree felony, resulting in a sentence of 
up to 5 years imprisonment and up to $5,000. 
	Law enforcement agencies are exempt from the provisions of 
the new law; but an exemption for private investigators was 
eliminated in the legislative process.19   As private investigators 
appear to have played significant roles in the procurement of 
consumers' private information through unlawful means, they are 
clearly subject to the new law. 

B.	 Florida's Existing Criminal Use of Personal 
Identification Information law 
Existing law including, but not limited to, Section 817.568, 
Fla. Stat., addresses the fraudulent conduct encompassing pretexting 
and other identity theft related conduct, as set forth in the 
Attorney General's complaints and by the Consent Judgment entered 
in the Global litigation. 

The foregoing specific laws are merely illustrative of one or more 
specific laws applicable to such unlawful conduct and other criminal 
and civil laws may apply given the circumstances of a particular 
course of conduct. 

IV.	Federal Communications Commission Rulemaking Authority and 
Telecommunications Carriers Should Enhance 
	Telecommunications Carrier Protection of Private Consumer 
Information 

Florida and forty-seven other state Attorneys General submitted 
comments to the Federal Communications Commission ("FCC") on 
April 28, 2006,  in response to the agency's Notice of Proposed 
Rulemaking 20 to strongly encourage enhanced protections for 
consumers based on the ample experience of the Attorneys General 
in addressing consumer protection issues and employing enforcement 
measures.21  The discussion relates to telecommunications 
providers ("carriers") disclosure and protection of Customer 
Proprietary Network Information ("CPNI"), more generally described 
as sensitive personal information, including logs of calls made and 
received by telephone customers.  
Minimizing the security risks facing consumers, whose information is 
released to those skilled in deception, is an important focus 
for telecommunications carriers, regulators and legislators at the 
federal and state levels.  Front-end protections created and 
implemented by carriers can prevent pretexters from plying their 
trade at the outset and eliminate investigative and prosecutorial 
functions deployed after the harm has occurred and the evidentiary 
trail compromised or obfuscated and impeded by the fact that a 
consumer may not even be able to identify that a compromise of 
their personal information has occurred.  Deployment and 
implementation of heightened front-end consumer protections by 
telecommunications carriers as well as prosecutorial zeal are 
critical in stemming the tide of this industry.  Prosecutorial 
resources require prudent use to keep all consumers safe from 
physical and economic harm. However, it is also fair and just that a 
substantial burden be shouldered by telecommunications carriers and 
all businesses subject to vulnerability through pretexting or other 
fraudulent conduct.  
Why is immediate access to telephone records 
necessary?  This is the real issue underlying access to consumer 
phone records. Consumers need to have a choice about access to 
their confidential records.  Telecommunications carriers should 
voluntarily provide consumers with this critical choice. Should 
carriers fail to voluntarily provide consumers with an ability to 
exercise an informed choice, appropriate regulatory rulemaking or 
legislative action may become necessary.   For example, if a 
consumer does not desire to access their records in an expedited 
manner such as by phone, fax or e-mail, they should be able to 
require the carrier to secure them appropriately.  Alternatively, 
consumers desiring to obtain expedited access to their records 
could direct the carrier to permit internet or other access with 
appropriate checks and balances.  Therefore, only those consumers 
willing to accept the inherent risks are subjected to increased 
vulnerability that a third party posing as a consumer might be able 
to access their records. 
Akin to imposition of a security freeze on a credit report22 to 
protect unauthorized access  or placement of a fraud alert on a 
credit report if one suspects identity theft, consumers must have a 
say in whether their confidential telephone records should be 
closed or be kept available for access by the consumer. 
The recommendations of the Attorneys General to the FCC warrant 
brief reiteration here for further emphasis and consideration of 
the responsibilities of telecommunications carriers: 
1.  Require Consumer Consent: Prior to a carrier's use, disclosure, 
or permitting access to a consumer's personal telephone records, 
consumers need to "opt-in" with affirmative express consent to 
permit their records to be accessed.  While the comments address 
access to records for marketing, the next step in protecting 
disclosure of consumer records even outside of marketing is to 
require consumer consent to release the records in an expedited 
manner, as articulated above. 
2. 	Bolster "safeguard rules" to adequately protect the 
confidentiality of consumer information.  While Florida and many 
states have enacted security breach notification laws, a breach of 
security mechanisms through fraud may not invoke the notification 
provisions of the laws and consumers will not be alerted to review 
their personal accounts for theft or other wrongdoing. 
3.  	Provide for revamp of consumer notices to permit informed 
consumers to make a choice about their personal information. 
4.  	Extend requirements imposed on traditional 
telecommunications carriers to VoIP providers or Voice over 
Internet Protocol type technology.  Florida's new law specifically 
provided for this technology. 
5.  Release of cell phone location should be treated cautiously to 
further safety concerns. 
6.  Engage in further review of the Safeguard Rule promulgated by the 
Federal Trade Commission in furtherance of the protections imposed 
on financial institutions, particularly information security as it 
relates to (a) employee management and training; (b) information 
systems; and (c) managing system failures. 

V.	Vulnerability of Consumer Records Requires Evolving 
Strategies 
Telephone records cases, including Global and others active in the 
consumer information industry, illustrate that the security of 
private consumer information beyond telephone records is at risk.  
Responsible corporate citizens and responsible consumers all have 
a role in protecting information from fraud and security 
vulnerabilities.  Through responsible business practices, consumer 
education, regulatory oversight, as appropriate, and carefully 
considered legislation, the services sector and the consumer sector 
of the economy can meld to adjust to the changing world of consumer 
data.  Federal legislation, however, should not impede any action 
by the states, pursuant to state law remedies.  Congress, the FCC, 
state Legislatures and Public Service Commissions, and numerous 
others have taken positive steps to assess appropriate actions 
necessary to facilitate the process of positive change, as a 
cohesive approach will best serve all in the long run. 
	On behalf of Attorney General Charlie Crist, I appreciate 
the opportunity to participate in this hearing to address these 
important consumer protection issues and will respond to any further 
questions of the Subcommittee. 

MR. WHITFIELD.  Thank you, Ms. Harris.  
And we appreciate the testimony of both of you. 
Mr. Lyskowski, you mentioned in your testimony that 47 State 
attorneys general had gone to the, I guess, the FCC and asked them 
to adopt regulations putting more safeguards, mandating more 
safeguards for phone carriers to protect individual records.  And 
I was curious, did you all present the safeguards that you suggested 
they would need to institute, or did you leave it up to them, or 
could you elaborate on it?  
MR. LYSKOWSKI.  We, in the comments--and I provided a copy of the 
comments to staff, but I believe there were six enumerated specific 
steps, safeguards changes that should be put in place, all of which 
would help in great measure to curb the use of pretexting.  
MR. WHITFIELD.  All right.  And I notice both of you in your 
testimony I think referred to Steven Schwartz, at least in one of 
them, and maybe Ken Gorman; are those names familiar to the two of 
you?  
MS. HARRIS.  Yes. 
MR. WHITFIELD.  And you prosecuted both Ken Gorman and Schwartz or 
the companies that they own; is that true?  
MR. LYSKOWSKI.  In Missouri, our case was against 1st Source 
Information Specialists, which is a company that ran the Web site 
locatecell.com, and that company is owned by Steven Schwartz and 
Kenneth Gorman.  We also in that same suit filed against a company 
called DataFind Solutions out of Tennessee which is formerly run by 
a gentleman named James Kester.  He sold that company to 1st Source 
Information Specialists, so we are certainly familiar with 
Mr. Gorman and Mr. Schwartz.  That litigation is currently pending 
as far as Missouri is concerned.  
MR. WHITFIELD.  And then Mr. Schwartz sold an interest in one of his 
companies or one of his companies to Ms. Misner; are you familiar 
with her?  
MR. LYSKOWSKI.  I am not, Mr. Chairman.  I think Ms. Harris spoke to 
that. 
MR. WHITFIELD.  Are you familiar with Ms. Misner?  
MS. HARRIS.  Yes, I am familiar with Ms. Misner.  She is a defendant 
in the Global litigation. 
MR. WHITFIELD.  Could both of you explain quickly or briefly how 
this issue came to your attention and what led to your deciding to 
prosecute?  
MR. LYSKOWSKI.  Certainly.  In Missouri, we have a team of 
investigators who are--it's been a very high priority for our 
Attorney General to try to curb identity theft and other similar 
practices, and so we have investigators who really look at proactive 
ways to try to stop things before they become a huge problem.  And 
so, quite frankly, one of our investigators came on to us, you know, 
came across one of those sites just patrolling the Internet and 
raised a red flag immediately and got the attention of the attorney 
general, and we moved.  
MR. WHITFIELD.  And what about in Florida?  
MS. HARRIS.  Likewise, the State of Florida caught wind of the 
situation, and through coordination with our Florida Public Service 
Commission, the State regulatory authority responsible for telephone 
carriers, we coordinated an investigation and actually made an 
undercover purchase of telephone records to basically confirm the 
suspicions that telephone records were available over the Internet, 
and actually tested out the proposition so we could see the speed 
at which they provided and exactly what happened there.  And that 
led to the 1st Source case.  And then as a result of other litigation 
that was filed by the telecommunications carriers, we became aware 
of the Global case.  And they have been sued by a number of 
telecommunications carriers, and quite honestly, the 
telecommunications carriers have been cooperative with us in 
bringing that type of litigation. 
MR. WHITFIELD.  As a result of those suits, have you noticed less 
data brokering going on?  Or do you think this is a continuing 
problem that continues to proliferate and present serious concerns 
for all of us, even today?  
MS. HARRIS.  I do believe that it is continuing.  And there are a 
lot of people watching these proceedings which I really applaud 
what the subcommittee is doing to raise the profile of this type 
of conduct.  If nothing else comes out of this than to raise the 
profile and to absolutely get the word out there that pretexting 
is illegal because some of these folks seem to have the misinformed 
impression that it wasn't illegal before, and it isn't illegal now.  
But I believe that it is continuing to go on.  There are 
investigations under way both on the civil and criminal side at 
this point. 
MR. WHITFIELD.  Yesterday's hearing we had a victim that testified.  
And he explained in some detail everything that he had been through 
as a result of the information stolen from him or the carriers 
about him, and he noted that some of the law enforcement agencies 
had difficulty deciding under which law they would prosecute.  And 
the impression that we have is it's sort of nebulous about which 
particular law.  But from the testimony you give in both Missouri 
and Florida, it is quite clear that there are consumer protection 
laws out there that you feel like you can successfully prosecute 
under; is that correct?  
MR. LYSKOWSKI.  Absolutely.  
MR. WHITFIELD.  Now, is that a criminal law, or would that be a 
criminal violation or a civil violation or--
MR. LYSKOWSKI.  Our statute in Missouri provides for both.  It says, 
if we can establish and show the intent to defraud, that it becomes 
a class D felony in Missouri.  But otherwise, there is a whole host 
of remedies that we can seek civilly. 
MR. WHITFIELD.  And when you say, attempt to defraud, if I am a 
pretexter and I am calling some phone company and I am pretending 
to be somebody I am not, I am actually defrauding the phone company; 
is that correct? 
MR. LYSKOWSKI.  These are certainly cases which don't fall into the 
typical formula for a consumer protection case.  If you talk about 
somebody who is trying to take, to get an elderly woman to invest 
in his phony company, that is a much clearer-cut situation where 
we are going to establish that he is trying to defraud her.  And 
here you have sort of a question of, who is the real victim?  Is 
it the carrier who has been duped?  Or is it the consumer?  So you 
know, frankly, our laws allow us to move more quickly to obtain 
temporary restraining orders and injunctive relief under the civil 
side.  So we thought it was more important at this point to go 
forward and get that injunction active, relief in place. 
MR. WHITFIELD.  But, in Florida, beginning in July, there will be 
a clear criminal statute in place; is that correct?  
MS. HARRIS.  That's correct, effective July 1st, specific to 
telephone calling records.  Now in our 1st Source litigation as 
well as our Global case, these were both civil enforcement actions, 
and we had invoked Florida consumer protection laws, the Deceptive 
and Unfair Trade Practices Act as the primary vehicle we had 
pursued.  However, the other act we had referred to, the Criminal 
Use of Personal Identification Information Law is a criminal law; 
it is connected with our criminal identity theft laws and has been 
on the books for some time.  It is only last year that the 
definition of personal identification information was expanded to 
specifically include telephone records.  But this is a criminal 
law.  It is a third degree felony at the very least, and even last 
year, because our State feels so strongly about identity theft, 
they once again enhanced the protections on identity theft and even 
increased some of the maximum, minimum sentences, excuse me. 
MR. WHITFIELD.  And have a lot of people been prosecuted under that 
criminal statute?  
MS. HARRIS.  I honestly don't have the statistics to that. 
MR. WHITFIELD.  But you both talked a lot about phone records.  But 
we know that credit card statements are being obtained, Social 
Security numbers, all sorts of information, which I suppose that 
criminal statute is broad enough it would include all of those 
things. 
MS. HARRIS.  Right, specifically that statute makes the felony 
offense for any person to willfully and without authorization 
fraudulently use or possess with intent to fraudulently use 
personal identification information concerning an individual 
without first obtaining that individual's consent.  And personal 
identification information is defined very broadly. 
MR. WHITFIELD.  Now I notice both of you mentioned injunctions, and 
I would ask you, Ms. Harris, about Global and Global's employees.  
I don't know if the injunction was against the company or the 
individuals, but let's say some employees of Global went out and 
started a new company, would they face penalties in violating the 
injunction in that way or not?  
MS. HARRIS.  That conduct is being looked at at this point in time.  
There is not a whole lot I can say.  The injunction was actually 
against the company and two individuals, and it does have an 
umbrella effect with the language of that injunction as far as 
people who may be acting through them and with them and so forth.  
MR. WHITFIELD.  Ms. Harris, you specifically stated you hoped the 
Federal Government would not intervene in a way that would make 
it more difficult to prosecute under State law, but do either of 
you have a feeling--would you--could we assist if there was a very 
strong Federal law in place that in some way addressed this issue?  
Or is there a Federal law in place?  
MR. LYSKOWSKI.  Mr. Chairman, I am not aware of one.  I would echo 
what Ms. Harris said, so long as it does not preempt our ability, 
our tools that we use, we always welcome the assistance of Federal 
law enforcement. 
MR. WHITFIELD.  Well, my time is expired, so at this time I will 
recognize Mr. Stupak.  
MR. STUPAK.  I thank you, Mr. Chairman.  
Let's back up a little here and let's just start with some of the 
basic arguments we have heard on both sides of this issue.  Who owns 
the data?  Does the individual provider of the information own the 
data, or does the carrier own the data?  
MR. LYSKOWSKI.  Well, I think it would depend who you would ask, 
Mr. Stupak.  
MR. STUPAK.  You both represent attorneys general.  What would your 
opinions be?  
MR. LYSKOWSKI.  My opinion would be the consumer who provides the 
data owns the data. 
I know that the carriers would probably argue that they have some 
proprietary interest in the data because of its marketability to 
other providers of other services, but our opinion would be that 
the consumers own the data.  
MR. STUPAK.  And even if that carrier provides it to a 
so-called--another legitimate carrier, it still would be your 
opinion that the individual owns that information, not necessarily 
the carrier?  
MR. LYSKOWSKI.  Well, that is correct.  But many of the carriers 
would say, well, they haven't opted out of this thing. 
MR. STUPAK.  A lot of us in a long time said it is the individual 
who has to opt in, not opt out. 
MR. LYSKOWSKI.  Right and that was the position taken by the 48 
attorneys general in the comments. 
MR. STUPAK.  Let me ask this question then. 
Under your laws, be it Florida or Missouri, is it the false 
impersonation which leads to someone giving the information; is 
it the obtaining of that information; or is it the use of the 
obtained information that is illegal?  You actually get three 
steps here.  Is each step illegal?  
MR. LYSKOWSKI.  In Missouri, I would say, yes.  
MS. HARRIS.  In Florida, likewise.  I think you have to look at 
putting yourself in the shoes of the consumer whose information is 
being taken and that someone is portraying that consumer, 
essentially, you might have a carrier possess the physical data 
on their computer system, but it is consumers' information, and 
the information about that consumer which can be used for harm. 
MR. STUPAK.  So I hear you both saying the consumer.  Carriers 
would argue, well, once they give it to us, let's say, like I am 
looking at the article here, CNN, a couple of others, others 
that, prior to and after yesterday's hearing--and they talk about 
phone records, but in here, they mention like, Wachovia, Ford, 
Chrysler, Wells Fargo, a lot of the big corporations use this 
information, and then they obtain it probably on loan applications 
or something, and then they move it to other parties, other business 
entities. 
Again, you both would be of the impression that that information is 
personal and the consumer, if you will, would have to opt to allow 
that transaction?  
MR. LYSKOWSKI.  That would be my opinion. 
MR. STUPAK.  Ms. Harris?  
MS. HARRIS.  That is one of the issues that was put forth in the 
comments of the National Association of Attorneys General.  It 
really conducted a review of the opt-out situation and the problems 
that we have had as a result of, I will say, the Gramm-Leach-Bliley 
consideration.  The consumers don't really understand the opt in, 
opt out; what do these long forms mean?  They don't really 
understand the four-page notices you get that is the new privacy 
policy.  And there are a lot of issues there that need to be fleshed 
out and talked about, what we have learned from that situation and 
applying it forward to create a workable situation for consumers.  
MR. STUPAK.  If I am Wells Fargo and I give this information--it 
seems that your investigation of prosecutions have only been to 
individuals who may have obtained it fraudulently.  Have you 
prosecuted any legitimate businesses for selling the information 
to a pretexter?  Let's say, like Wells Fargo--I am not picking on 
Wells Fargo.  Ford, Chrysler, any of them, it seems like you have 
gone after individuals, not necessarily after businesses, who may 
be allowing the information of consumers to go to a third party 
without any type of consent.  Has any business, legitimate 
businesses been prosecuted?  You said, there were civil laws in 
Florida.  
Missouri, can you answer that?  
MR. LYSKOWSKI.  We have not, in Missouri, at this point, taken any 
action against any of the--for instance in this particular issue 
against any of the carriers for any sort of negligence or other 
wrongful conduct associated with the ease with which--
MR. STUPAK.  Have you contemplated it in Missouri?  Have you kicked 
it around?  
MR. LYSKOWSKI.  Certainly, we have kicked around everything we can 
think of to try to get this practice to stop.
MS. HARRIS.  In Florida, we have not gone upstream from basically 
the purchasers of the information, but we certainly reserve the right 
to look at it in an appropriate situation.  And as for the carriers, 
we believe that, you know, strong responsibility lies with the 
carriers, and in fact, our Florida Public Service Commission, much 
like the FCC, is investigating whether carrier actions are sufficient 
and what needs to be done to implement the appropriate procedures. 
MR. STUPAK.  Do Florida and Missouri, do you license your private 
investigators?  Do they have to have a State license?  
MS. HARRIS.  Yes. 
MR. LYSKOWSKI.  I don't believe they do in Missouri.  
MS. HARRIS.  And in Florida, by the way, we do have substantial 
amount of private investigators that are involved in this practice, 
and my understanding is that that is being looked at at this point 
in time. 
MR. STUPAK.  How about, Florida just recently passed this law, have 
you looked at, in Florida, local, State, or Federal law enforcement 
agencies, and are they using these data brokers to get information 
in the operating in the State of Florida or Missouri?  
MS. HARRIS.  I'm not in a position to speak to that issue.  
I'm sorry.  
MR. LYSKOWSKI.  Sir, I have checked with our agency, the Attorney 
General's Office, just to make sure because I had never seen that 
happening.  And I was able to confirm with our Director of 
Investigations that we do not engage in that sort of thing.  The 
subpoena authority that we have is sufficient to accomplish the 
purposes. 
MR. STUPAK.  So your position in Missouri, it would be improper for 
law enforcement to engage these data brokers to obtain information 
about suspects or people of interest?  
MR. LYSKOWSKI.  I wouldn't commit myself to that broad of a 
statement.  I think it would be inappropriate for an investigator 
in the Attorney General's Office in the context of the work we do 
to engage those services.  It is a high priority of our office to 
put these guys out of business, so it would be inconsistent with 
that priority to give them business.  
MR. STUPAK.  Ms. Harris, anything on that?  
MS. HARRIS.  I would like to clarify because I don't want to give 
the misimpression to the subcommittee that we are committed to 
using our subpoena power and other law enforcement tool power in 
a proper fashion.  
MR. STUPAK.  The Federal agencies here, could a Federal agent, 
whoever it might be--FBI, DEA, anyone working in Florida, if they 
used a data broker in Florida, could they under Florida's new law 
here, could they be held criminally or civilly liable?  
MS. HARRIS.  There is an exception for law enforcement for use of 
their appropriate agency action.  But the law if someone-- 
MR. STUPAK.  The appropriate agency action, would that mean 
subpoena?  
MS. HARRIS.  Lawful subpoena, search warrant, and so forth.  
MR. STUPAK.  When I was in law enforcement and I went down to 
my friendly neighborhood banker and sat down there and said, 
hey, I need some information on so and so because I am doing an 
embezzlement at the local high school or something, that would 
be improper, right, under Florida law to do that without a 
subpoena?  
MS. HARRIS.  I'm not going to speak to that issue.  I'm sorry. 
MR. STUPAK.  Do you care to comment on it?  
MR. LYSKOWSKI.  I hadn't thought about that either and it would 
be premature for me to speak to that at this point.  
MR. STUPAK.  Thank you. 
MR. WHITFIELD.  Chairman Barton. 
CHAIRMAN BARTON.  Thank you.  I'm not going to take the 10 minutes 
because I think we just had a vote noticed.  
I want to ask each of you two, how hard is it for your office or 
the law enforcement agencies to go through the process of getting 
a warrant or a subpoena to get the type of information that the 
data brokers supply?  Is that a time consuming, complex problem 
or is it pretty routine?  
MR. LYSKOWSKI.  In Missouri I would say it falls under pretty 
routine.  The Attorney General has in a variety of contexts subpoena 
authority where the subpoenas can originate from our office called 
Civil Investigative Demands and we frequently use those in the 
course of our investigations to obtain information from telecom 
carriers and all sorts of other businesses.  And the only resistance 
we have ever run into, the only difficulty we have ever run into is 
just difficulty processing the request.  And I think we typically 
find that if we stress to the particular entity the urgency of the 
request that they are quick to comply and cooperate. 
CHAIRMAN BARTON.  What would the normal timeframe be in Missouri 
from the time a request was made to get a warrant or a subpoena to 
actually having that document or instrument granted?  Are you 
talking hours, days, weeks, months, years?  
MR. LYSKOWSKI.  It would depend on the type of information we are 
seeking, the amount of information we are seeking and the entity 
from which we are seeking it.  But considering that our Civil 
Investigative Demands can be signed by an Assistant Attorney 
General and are valid, they can be oftentimes faxed in to, say, 
a telecommunications carrier and we deal enough with 
telecommunications carriers and other entities that we have 
contacts there.  And I have seen it happen as quickly as half 
an hour, 45 minutes that we have gotten returns.  In other 
situations, it has taken days or weeks.  But typically we are 
able to get what we need to get I would say very quickly. 

CHAIRMAN BARTON.  Is that similar in Florida?  
MS. HARRIS.  In Florida we do have a prompt turnaround as far as 
issuing our subpoenas.  Now, my division is a simple enforcement 
division.  Perhaps some of the criminal enforcement agencies, 
prosecution agencies, investigations might be able to answer 
that a little better, but we haven't had that become a hurdle 
in our situation.  Oftentimes while we are in the process of 
preparing the subpoena, we will be in coordination with the 
company to alert them of our pending need and type of urgent 
circumstances, and so forth, and they are willing to work with 
us. 
CHAIRMAN BARTON.  But again, depending on the urgency of the 
situation.  If it was something that was vitally important and 
it was not the last 10 years or something of records required, 
could it normally be done within half a day?  Is that a normal-- 
MS. HARRIS.  Most likely. 
CHAIRMAN BARTON.  Is there any information that it would be 
preferable to go through a data broker as opposed to the more 
traditional subpoena warrant procedure?  Any special kind of 
information that, just seems to be, is just the best way to do 
it?  
MR. LYSKOWSKI.  As for Missouri, no. 
CHAIRMAN BARTON.  What about Florida?  
MS. HARRIS.  I think Florida is the same answer. 
CHAIRMAN BARTON.  Is there any Federal legislation that would be 
helpful to streamline certain terms and conditions, situations so 
that warrants and subpoenas are expedited?  Are the current laws 
sufficient?  
MS. HARRIS.  I think I need to defer for Florida to some of the 
criminal agencies that are going to be speaking later today.  
MR. LYSKOWSKI.  Mr. Chairman, as far as Missouri is concerned, 
enforcing Missouri law at the level of the Attorney General's 
Office I think our laws are sufficient in that regard. 
CHAIRMAN BARTON.  I do not want to, as I said in my opening 
statement, I do not want to make life any more difficult for 
our law enforcement agencies than it already is.  I know it is 
frustrating when you are on the street and somebody that you 
really believe is a bad guy can kind of thumb his or her nose 
at you because of the procedure you have got to go through to 
guarantee their constitutional rights, but having said that 
they are constitutional rights, I am very concerned that some 
law enforcement officials and departments have decided that 
this is an acceptable way to get information.  I know it may be 
an easier way, and it may be a cheaper way, but I do not think 
it is an acceptable way.  And I am going to try to come back 
and ask some questions of the next panel.  But in terms of this 
panel, neither one of you see any situation where it would be 
preferable to go through a data broker?  
MR. LYSKOWSKI.  No, Mr. Chairman, I don't.  And again that is 
based on the investigations and the work that we do in the 
Missouri Attorney General's Office. 
CHAIRMAN BARTON.  And you agree with that?  
MS. HARRIS.  Yes.  
CHAIRMAN BARTON.  Thank you. 
MR. WHITFIELD.  Thank you, Mr. Chairman.  At this time I recognize 
Ms. DeGette.  
MS. DEGETTE.  Thank you very much, Mr. Chairman.  Ms. Harris, I 
would like to follow up on some of Mr. Stupak's questioning because 
you had told him that law enforcement agencies were exempt from the 
new Florida law with respect to their subpoena power and other 
legal powers, but as I am reading your testimony, it looks to me 
like the new law exempts law enforcement from all the provisions 
of the new law.  And so the Chairman--and I am wondering if 
anybody has thought about why that provision remains in the law 
and if law enforcement in Florida intends to engage in these, with 
these data brokers and so on because they do seem to be exempted.  
MS. HARRIS.  I am going to be honest and tell you that I don't know 
the answer to that question.  It is something that I would need to 
look into with the legislative history, and so forth.  
MS. DEGETTE.  Mr. Chairman, I would ask unanimous consent that 
Ms. Harris be allowed to supplement her answer with that information 
because I think that is very important information as we continue. 
MR. WHITFIELD.  Without objection.  
[The information follows:] 

MS. DEGETTE.  Mr. Lyskowski, in Missouri do you know if law 
enforcement agencies are exempted from the provisions of the 
Missouri law in terms of not using somebody to use these data 
brokers?  
MR. LYSKOWSKI.  Well, again, our laws that we have in place, we do 
not have a law like Florida has.  
MS. DEGETTE.  Right.  
MR. LYSKOWSKI.  The laws that we have in place are consumer 
protection laws. 
MS. DEGETTE.  So they are more general laws.  What is your view?  
Do you think law enforcement could engage in these pretexting 
activities or hire other data broker companies to do that in 
Missouri?  
MR. LYSKOWSKI.  Again I can only speak for our agency at the 
Attorney General's Office, and I would say as I said earlier, it 
is a high priority of our Attorney General to put these data 
brokers out of business to the extent that they-- 
MS. DEGETTE.  So it is your policy not to use these businesses, 
but you do not know whether the Missouri law would prohibit you 
from using these businesses?  
MR. LYSKOWSKI.  I do not believe there is a Missouri statute on the 
books that would specifically prohibit. 
MS. DEGETTE.  But as far as you know law enforcement does not use 
these practices in Missouri?  
MR. LYSKOWSKI.  Again, just State Attorney General investigators.  
MS. DEGETTE.  You guys are the bosses.  You are the Attorney 
General's Office.  
MR. LYSKOWSKI.  That is correct.
MS. DEGETTE.  Do you know whether the other law enforcement is using 
these services in Missouri?  
MR. LYSKOWSKI.  I don't believe that they are.  However, again there 
could be departments at other levels, at local levels that-- 
MS. DEGETTE.  So you are not aware of any?  
MR. LYSKOWSKI.  I am not aware of any.
MS. DEGETTE.  Just to recap, and of course we have to go vote, but 
what both of you are saying is you don't think it is vital for 
legitimate law enforcement service to use these data broker 
services, correct?  
MR. LYSKOWSKI.  Again, at the State level in Missouri I do not 
believe it is.  
MS. DEGETTE.  Right.  Ms. Harris.  
MS. HARRIS.  I believe so as well.  
MS. DEGETTE.  Thank you.  Thank you very much, Mr. Chairman. 
MR. WHITFIELD.  Thank you, Ms. DeGette.  We do have a series of four 
votes on the floor.  So we have completed our questions for the 
first panel and, Ms. Harris, thank you, and Mr. Lyskowski, for being 
here.  We look forward to staying in touch with you as we move 
forward on this important issue.  Thank you for being here.  
When we come back we will immediately call up the second panel, 
and I will apologize in advance to the second panel for this delay, 
but we will be back just as quickly as possible and move forward.  
Thank you.  
MR. LYSKOWSKI.  Thank you, Mr. Chairman.  
MS. HARRIS.  Thank you, Mr. Chairman.  
[Recess.] 
MR. STEARNS.  The Subcommittee on Oversight will come to order.  I 
welcome the second panel: Mr. Paul Kilcoyne, Deputy Assistant 
Director of Investigations, U.S. Immigration and Customs 
Enforcement; Ms. Elaine Lammert, Deputy General Counsel, 
Investigative Law Branch, FBI; Mr. James Bankston, Chief 
Inspector, Investigative Services Division, U.S. Marshals Service; 
Ms. Ava Cooper Davis, Deputy Assistant Administrator, Office of 
Special Intelligence, Intelligence Division, U.S. Drug Enforcement 
Administration; and last Mr. W. Larry Ford, Assistant Director, 
Office of Public and Governmental Affairs, Bureau of Alcohol, 
Tobacco, Firearms, and Explosives.  Welcome all of you.  
You folks are aware that the committee is holding an investigative 
hearing and when doing so has had the practice of taking testimony 
under oath.  Do any of you have an objection to taking the 
investigation under oath?  The Chair then advises you that under 
the rules of House and the rules of committee you are entitled to 
be advised by counsel.  Do you desire to be advised by counsel 
during your testimony today?  
In that case, if you would please rise and raise your hands I will 
swear you in.  
[Witnesses sworn.]  
MR. STEARNS.  You are now under oath and we would like each of you 
to give your 5 minute opening statement and we will start with you, 
Mr. Kilcoyne. 

STATEMENTS OF PAUL KILCOYNE, DEPUTY ASSISTANT DIRECTOR OF 
INVESTIGATIONS, U.S. IMMIGRATION AND CUSTOMS ENFORCEMENT, U.S. 
DEPARTMENT OF HOMELAND SECURITY; ELAINE LAMMERT, DEPUTY GENERAL 
COUNSEL, INVESTIGATIVE LAW BRANCH, FEDERAL BUREAU OF INVESTIGATIONS, 
U.S. DEPARTMENT OF JUSTICE; JAMES J. BANKSTON, CHIEF INSPECTOR, 
INVESTIGATIVE SERVICES DIVISION, U.S. MARSHALS SERVICE, 
U.S. DEPARTMENT OF JUSTICE; AVA COOPER DAVIS, DEPUTY ASSISTANT 
ADMINISTRATOR, OFFICE OF SPECIAL INTELLIGENCE, INTELLIGENCE DIVISION, 
U.S. DRUG ENFORCEMENT ADMINISTRATION, U.S. DEPARTMENT OF JUSTICE; 
AND LARRY FORD, ASSISTANT DIRECTOR, OFFICE OF PUBLIC AND 
GOVERNMENTAL AFFAIRS, BUREAU OF ALCOHOL, TOBACCO, FIREARMS, AND 
EXPLOSIVES, U.S. DEPARTMENT OF TREASURY 

MR. KILCOYNE.  Thank you very much.  Mr. Stearns and other 
distinguished Members of the Oversight and Investigations 
Subcommittee of the House Committee on Energy and Commerce, my name 
is Paul Kilcoyne and I am the Deputy Assistant Director for 
Investigative Services Division at the United States Immigration 
and Customs Enforcement, also known as ICE.  I would like to thank 
the subcommittee for their interest in Internet data brokers.  
The Internet has a huge depository of information that can be 
used by law enforcement agencies at every level.  However, care 
must be taken to ensure that the information is accurate and 
obtained by lawful means.  We appreciate the subcommittee's 
oversight and opportunities to address this issue. 
ICE representatives were contacted by the subcommittee staff in May 
of 2006 and were asked to provide a briefing on Internet data 
brokers.  The subcommittee staff provided some information from 
their oversight investigation concerning the ICE Denver field 
office's use of a company named Best411.com to obtain subscriber 
information on cellular telephones.  The ICE Headquarters Office 
of Investigations queried the Denver field office about letters 
signed by ICE agents that requested subscriber information and 
determined that four special agents had requested and received 
such information from Best411.  The ICE Cyber Crime Center, also 
known as C-3, then looked into the website and offered the opinion 
that while a law enforcement officer can use public Internet queries 
to obtain subscriber and other public information, the identifying 
information should be substantiated by the issuance of appropriate 
legal process to the company that retains the data in order to 
ensure the veracity of the evidence.  The ICE Office of 
Investigations Headquarters contacted the Denver field office to 
recommend that they not use Best411.com and to state that 
headquarters was working on a field review and subsequent guidance 
to further clarify the issue.  Guidance for our field offices is 
currently being drafted.  
ICE has longstanding robust guidelines in the special agent handbook 
to govern obtaining telephone, toll and subscriber information, but 
which does not currently fully cover all Internet technology.  We 
are working diligently to update our procedures.  
During a June 5, 2006 meeting, the subcommittee staff raised their 
concerns about law enforcement officers using Internet data brokers 
to obtain subscriber information on cellular telephones and provided 
several letters signed by the ICE employees requesting such 
information.  ICE agents involved appeared to have used these 
resellers to quickly filter out numbers that were not related to 
their investigation.  The data resellers were able to respond to 
these requests for information within a few days where cellular 
phone companies typically take several weeks.  I would like to 
note that the ICE Office of Investigations has recommended that 
the SAC Denver office not use these resellers in the future.  
Furthermore, we are currently drafting guidance on the issue for 
the ICE field offices nationwide.  As noted above, we intend to 
coordinate this guidance with the Department of Homeland Security 
Privacy Office.  
Finally, in response to the subcommittee's question on whether the 
agents acted improperly in obtaining the information, the ICE 
Office of Professional Responsibility reviewed the facts and 
circumstances of this situation and determined that the employees 
did not act improperly.  
Thank you for this opportunity to testify today and I look forward 
to the subcommittee's questions. 
[The prepared statement of Paul Kilcoyne follows:] 

PREPARED STATEMENT OF PAUL KILCOYNE, DEPUTY ASSISTANT DIRECTOR OF
INVESTIGATIONS, U.S. IMMIGRATION AND CUSTOMS ENFORCEMENT, 
U.S. DEPARTMENT OF HOMELAND SECURITY 

INTRODUCTION 
Chairman Whitfield, Ranking Member Stupak and distinguished Members 
of the Oversight and Investigations Subcommittee of the House 
Committee on Energy and Commerce.  My name is Paul Kilcoyne and I 
am the Deputy Assistant Director for the Investigative Services 
Division at U.S. Immigration and Customs Enforcement (ICE).  I 
would like to thank the Subcommittee for their interest in Internet 
Data Brokers.  The Internet has a huge depository of information 
that can be used by law enforcement agencies at every level.  
However, care must be taken to ensure that the information is 
accurate and obtained by lawful means.  We appreciate the 
Subcommittee's oversight and the opportunity to address this 
issue.   

BACKGROUND 
ICE representatives were contacted by Subcommittee staff in May 2006 
and asked to provide a briefing on Internet data brokers.  The 
Subcommittee staff provided some information from their oversight 
investigation concerning the ICE Denver field office's use of a 
company named Best411.com to obtain subscriber information on 
cellular telephones.  The ICE Headquarters Office of Investigations 
queried the Denver field office about letters signed by ICE agents 
that requested subscriber information, and determined that 4 special 
agents had requested and received such information from Best411.com. 
The ICE Cyber Crimes Center (C3) then looked into the website and 
offered the opinion that while a law enforcement officer can use 
public Internet queries to obtain subscriber and other public 
information, the identifying information should be substantiated 
by the issuance of appropriate legal process to the company that 
retains the data in order to ensure the veracity of the evidence. 
Even if no charge is incurred, the use of private investigators to 
obtain subscriber information by Federal law enforcement agents 
could compromise sensitive investigations.  The ICE Office of 
Investigations contacted the Denver field office to recommend that 
they not use Best411.com and to state that Headquarters was working 
on field guidance to further clarify the issue.  Guidance for the 
field offices is currently being drafted.   We are aware that the 
Government Accountability Office has issued a report on the use of 
commercial data recommending that the Department of Homeland 
Security establish a policy for such use and that the DHS Privacy 
Office is currently developing such a policy.  ICE intends to work 
closely with the DHS Privacy Office on this matter.  
ICE has long-standing robust guidelines in the Special Agent 
Handbook to govern obtaining telephone toll and subscriber 
information but which does not currently fully cover all Internet 
technology.  We are working diligently to update our procedures 
to cover this unforeseen situation. 

ISSUES AND RESPONSE 
During a June 5, 2006 meeting, the Subcommittee staff raised their 
concerns about law enforcement officers using internet data brokers 
to obtain subscriber information on cellular telephones and provided 
several letters signed by ICE employees requesting such information.  
The ICE agents involved appear to have used these resellers to 
quickly filter out numbers that were not related to their 
investigations.  The data resellers were able to respond to these 
requests for information within a few days, whereas cellular 
telephone companies typically take several weeks. 
I would like to note that the ICE Office of Investigations has 
recommended that the SAC Denver office not use these resellers in 
the future.  Furthermore, we are currently drafting guidance on 
this issue for the ICE field offices.  As noted above, we intend 
to coordinate this guidance within the Department with the DHS 
Privacy Office.  
Finally, in response to the Subcommittee's question of whether 
agents acted improperly in obtaining the information, the ICE 
Office of Professional Responsibility reviewed the facts and 
circumstance of this situation and determined that the employees 
did not act improperly.  
Thank you for the opportunity to testify today and I look forward 
to the Subcommittee's questions. 

MR. STEARNS.  I thank the gentleman.  
Ms. Lammert.  
MS. LAMMERT.  My name is Elaine Lammert.  I am the Deputy General 
Counsel for the FBI, Office of General Counsel, Investigative Law 
Branch.  I want to thank you today for the opportunity to discuss 
the acquisition and sale of mobile phone records by online data 
brokers.  
As the subcommittee is well aware, a significant number of online 
companies have openly advertised their ability to obtain and sell 
telephone call records.  There are compelling reasons for the 
Government to believe that these operations violate Federal law.  
News accounts as well as expert testimony before Congress reflect 
that these records are most often obtained unlawfully through 
pretexting or, in courtroom terms, fraud.  Numerous data brokers 
are suspected of calling up phone companies and intentionally 
misidentifying themselves and their purpose by lying about their 
identity and purpose.  By claiming they are a fellow employee, a 
customer or a customer's representative, they manage to acquire 
statutorily protected information to which they have absolutely 
no right.  
As you would expect, the FBI is actively investigating some of 
these practices as potential crimes.  
It is fair to say that the concern over how customer toll records 
are protected is widespread and that protecting such records affect 
a wide array of interests.  For example, similar to other 
individuals and businesses, law enforcement agencies also require 
that their call records be protected against unlawful disclosure.  
The FBI tested the ability of at least one online broker to gather 
information related to one of his own FBI telephone accounts and 
the results were unacceptable.  They obtained our records.  
It is easy to imagine how this type of data theft can negatively 
impact ongoing investigations and therefore our ability to enforce 
the law and protect the country.  And so the FBI is interested in 
these activities both in terms of investigating possible violations 
of law and in order to protect the integrity of its own operations.  
Of course a range of laws already exist to protect the 
confidentiality of telephone customer records.  The 
Telecommunications Act of 1996 generally precludes telecommunication 
carriers from using, disclosing, or permitting access to 
individually  identifiable customer proprietary network information 
except as required by law or with the approval of the customer.  
The Electronic Communication Privacy Act, ECPA, also provides 
important rights for customers and subscribers of telephone 
companies, Internet service providers, and e-mail providers.  
Under ECPA, for example, there are important restrictions on when 
a telephone company may voluntarily disclose customer records to 
the Government.  ECPA also describes in detail what information 
the Government may require a company to provide when the Government 
uses a warrant, subpoena or court order.  
As the statute relates to telephone records, in response to a 
subpoena, a telephone company must provide the Government with the 
relevant customer's name, address, local and long distance 
telephone connection records, length of the service, types of 
services utilized, telephone or instrument number or other 
subscriber name or identity, and that customer's means and source 
of payment.  
The FBI has significant interests in obtaining lawful access to 
telephone records in connection with investigations of all kinds, 
including terrorism, espionage, drug trafficking, child pornography, 
and more.  In those cases, our practice is to strictly comply with 
ECPA.  Indeed, it is part of the FBI's mission to prevent identity 
and information theft and to enforce the criminal laws designed to 
bring justice to those who do or would violate individual 
businesses and privacy.  
I also wish to advise the subcommittee that the Department of 
Justice has created a Privacy and Civil Liberties Board to ensure 
that the departmental programs and efforts adequately considers 
civil liberties and privacy.  
The Data Committee of this board on which the FBI is represented 
was established earlier this year to address issues related to 
information privacy within the Department.  The Data Committee 
members are analyzing the Department's use of all information 
reseller data, including Internet data brokers, and will evaluate 
potential Department-wide policy with regard to such use.  
Specifically, all members of the committee are currently assessing 
their agency's use of information reseller data, including 
Internet data brokers, identified by the subcommittee as employing 
pretexting and fraud to obtain information.  While the inquiry is 
ongoing to this point there is no evidence of widespread use of 
such services.  
The Data Committee meets on a monthly basis and expects to 
make recommendations to the Attorney General on this issue upon 
completion of this review.  
Mr. Chairman and members of this committee, the FBI fully supports 
the goal of protecting the privacy and security of customer 
telephone records from those who would acquire this information 
unlawfully.  We are committed to enforcing the privacy and fraud 
laws aimed at achieving that goal.  
I thank you for your time today, and I am happy to answer any 
questions.  
[The prepared statement of Elaine M. Lammert follows:] 

PREPARED STATEMENT OF ELAINE M. LAMMERT, DEPUTY GENERAL COUNSEL, 
INVESTIGATIVE LAW BRANCH, FEDERAL BUREAU OF INVESTIGATION, 
U.S. DEPARTMENT OF JUSTICE 

Good afternoon Mr. Chairman and members of the Subcommittee.  
My name is Elaine Lammert and I am Deputy General Counsel of the 
FBI's Office of the General Counsel, Investigative Law Branch.  I 
want to thank you for the opportunity to appear before you today 
to discuss the acquisition and sale of mobile phone records by 
online data brokers.  
As the subcommittee is well aware, a significant number of online 
companies have openly advertised their ability to obtain and sell 
telephone call records.  There are compelling reasons for the 
government to believe that these operations violate federal law.  
News accounts as well as expert testimony before Congress reflect 
that these records are most often obtained unlawfully through 
"pre-texting" or, in court room terms: fraud.  Numerous data 
brokers are suspected of calling up phone companies and 
intentionally mis-identifying themselves and their purpose.  By 
lying about their true identity -- perhaps by claiming that they 
are a fellow employee, or that they are the customer, or the 
customer's representative -- they manage to acquire statutorily 
protected information to which they have absolutely no right.  
As you would expect, the FBI is actively investigating some of 
these practices as potential crimes, including potential violations 
of the wire fraud provisions of 18 U.S.C. § 1343.  Under that 
statute, it is a felony -- punishable by up to 20 years in 
prison -- to falsely or under fraudulent pretenses obtain money 
or property by means of a wire communication in interstate or 
foreign commerce.  
In addition, on May 3rd of this year, the Federal Trade Commission 
announced that it filed court complaints charging five Internet 
web-based operations with surreptitiously obtaining and selling 
confidential customer phone records without the customer's 
knowledge or authorization in violation of 15 U.S.C. § 45(a).  
The FTC, with the assistance of the Federal Communications 
Commission and a number of telephone companies, is seeking to 
stop these data brokers in their tracks and have them disgorge 
their unlawfully obtained proceeds.  The privacy community also 
has raised concerns with the practices of these online data 
brokers.  
It is fair then to say that the concern over how customer toll 
records are protected is widespread, and that protecting such 
records affects a wide array of interests.  For example, similar 
to other individuals and businesses, law enforcement agencies 
also require that their call records be protected against unlawful 
disclosure.  The FBI tested the ability of at least one online 
broker to gather information related to one of its own FBI telephone 
accounts, and the results were unacceptable: they obtained our 
records.  It is easy to imagine how this type of data theft can 
negatively impact ongoing investigations, and therefore our ability 
to enforce the law and protect the country.  And so, the FBI is 
interested in these activities both in terms of investigating 
possible violations of law and in order to protect the integrity 
of its own operations.  
Of course, a range of laws already exist to protect the 
confidentiality of telephone customer records.  The 
Telecommunications Act of 1996 generally precludes 
telecommunications carriers from using, disclosing, or permitting 
access to "individually identifiable customer proprietary network 
information" except as required by law or with the approval of the 
customer.  47 U.S.C. 222(c)(1).  The Electronic Communications 
Privacy Act ("ECPA"), codified at 18 U.S.C. §§ 2701-2712, also 
provides important rights for customers and subscribers of 
telephone companies, Internet Service Providers, and e-mail 
providers.  
Under ECPA, for example, there are important restrictions on when a 
telephone company may voluntarily disclose customer records to the 
government.  Pursuant to 18 U.S.C. § 2702(c), a telephone company 
may voluntarily provide the government with customer records only 
if it has the lawful consent of the customer or subscriber; as 
may be necessarily incident to the rendition of the service or 
to the protection of the rights or property of the service 
provider; or, if the provider in good faith believes that an 
emergency involving danger of death or serious physical injury to 
any person justifies disclosure of the information without delay.  
ECPA also describes in detail what information the government may 
require a company to provide when the government uses a warrant, 
subpoena or court order.  As the statute relates to telephone 
toll records, 18 U.S.C. § 2703(c)(2) requires that -- in response 
to a subpoena -- a telephone company must provide the government 
with the relevant customer's name, address, local and long 
distance telephone connection records, length of service and types 
of services utilized, telephone or instrument number or other 
subscriber number or identity, and that customer's means and 
source of payment.  
The FBI has significant interests in obtaining lawful access to 
telephone records in connection with investigations of all kinds -- 
including terrorism, espionage, drug trafficking, child pornography, 
and more.  In those cases, our practice is to strictly comply with 
ECPA.  Indeed, it is part of the FBI's mission to prevent identity 
and information theft and to enforce the criminal laws designed 
to bring justice to those who do, or would, violate individual or 
business privacy.  
I also wish to advise the Subcommittee that the Department of 
Justice has created a Privacy and Civil Liberties Board to ensure 
that Departmental programs and efforts adequately consider civil 
liberties and privacy.  The Data Committee of the Privacy and Civil 
Liberties Board, on which the FBI is represented, was established 
earlier this year to address issues related to information privacy 
within the Department.  Its first task is to respond to 
recommendations in the April 2006 GAO report entitled "Personal 
Information Agency and Reseller Adherence to Key Privacy 
Principles." The Data Committee members are analyzing the 
Department's use of all information reseller data, including 
internet data brokers, and will evaluate potential Department-wide 
policy with regard to such use.  Specifically, all members of the 
committee are currently assessing their agencies' use of information 
reseller data, including the Internet data brokers identified by 
the Subcommittee as employing pretexting and fraud to obtain 
information.  While the inquiry is ongoing, to this point, there 
is no evidence of widespread use of such services.  The Data 
Committee meets on a monthly basis and expects to make 
recommendations to the Attorney General on this issue upon 
completion of its review.  
Mr. Chairman and members of the subcommittee, the FBI fully supports 
the goal of protecting the privacy and security of customer 
telephone records from those who would acquire that information 
unlawfully.  We are committed to enforcing the privacy and fraud 
laws aimed at achieving that goal.  I thank you for your time today 
and would be happy to answer any questions. 

MR. STEARNS.  Thank you.  
Mr. Bankston.
MR. BANKSTON.  Good morning, Chairman Stearns and Ranking Member 
DeGette and members of subcommittee.  Thank you for the opportunity 
to address the subcommittee on this important technology-related 
privacy issue.  
My name is James Bankston.  I am a Chief Inspector for the United 
States Marshals Service, Investigative Services Division.  As such 
I provide headquarter space, managerial direction, and oversight 
for the Service's criminal investigative mission.  The Marshals 
Service shares the committee's concern over the inappropriate, if 
not illegal collection and reselling of personal information by 
unscrupulous data brokers.  We commend the committee for exploring 
ways to ensure that consumers' private information remains private 
and secure.  
My written testimony, which has been submitted for the record, 
addresses three issues:  First, the USMS concerns about the 
unrestricted and unregulated use of data brokers who use pretexting 
and other nefarious means to obtain private records. 
Second, the USMS use of legitimate data banks and resellers of 
public and open source consumer information is just one of many 
investigative tools utilized.  
And third, the USMS internal audit to identify any instances where 
an employee may have used data brokers who are under investigation 
by this committee.  
The Marshals Service uses lawfully obtained public and open source 
records in order to fulfill our mandate to investigate and apprehend 
violent criminals wanted at the Federal, State, and local levels.  
We also use this information to investigate threats against 
thousands of Federal judges, U.S. Attorneys, witnesses, and other 
persons designated by Congress and the Department of Justice.  Such 
services are only used as needed and pursuant to a specific and 
legitimate law enforcement investigative inquiry.  
The timely acquisition, analysis, and reduction of voluminous open 
source records into actual intelligence plays a significant role in 
our swift and unparalleled success in apprehending some of the 
Nation's most notorious and dangerous fugitives.  
USMS investigators and analysts are trained to keep their information 
collection within established legal boundaries.  Moreover, the 
Department of Justice has created a Privacy and Civil Liberties 
Board to ensure that departmental programs and efforts adequately 
consider civil liberties and privacy.  The Marshals Service 
participates on the Board's Data Committee, which was established 
earlier this year to address issues related to information privacy 
within the Department.  The Department-wide inquiry is ongoing, but 
at this point there is no evidence of widespread use of such 
services.  
Mr. Chairman, this concludes my statement.  I would be happy to 
answer any questions you or other members of the subcommittee 
have. 
[The prepared statement of James J. Bankston follows:] 

PREPARED STATEMENT OF JAMES J. BANKSTON, CHIEF INSPECTOR, 
INVESTIGATIVE SERVICES DIVISION, U.S. MARSHALS SERVICE, U.S. 
DEPARTMENT OF JUSTICE 

Good afternoon, Chairman Whitfield, Ranking Member Stupak, and 
members of the Subcommittee. Thank you for the opportunity to 
address the Subcommittee on this important technology-related 
privacy issue. My name is James J. Bankston. I am a Chief Inspector 
for the United States Marshals Service (USMS or Marshals Service), 
Investigative Services Division. As such, I provide 
headquarters-based managerial direction and oversight for the 
Marshals Service's criminal investigative mission. 
The USMS shares the Subcommittee's concern over the inappropriate, 
if not illegal, collection and reselling of personal information by 
unscrupulous data brokers. In an age when consumers must cope all too 
often with the loss or mismanagement of their personal telephone, 
banking, credit card, and federal benefit information, the 
Subcommittee is to be commended for exploring ways to ensure that 
consumers' private information remains private and secure. 
These efforts should not overlook the value of those reputable 
companies that acquire information from public or open sources; have 
security policies in place that fully explain the methods of 
collection, sale, and dissemination; monitor their security systems 
for breaches; and do not engage in "pretexting." Such companies have 
proven to be one of many invaluable resources that law enforcement 
agencies rely upon when conducting criminal investigations. 

My testimony addresses three issues: 1) the USMS' concerns about 
the unrestricted and unregulated use of data brokers who use 
pretexting or other nefarious means to obtain private records; 2) 
the USMS' use of legitimate data banks and resellers of public and 
open-source consumer information as just one of many tools utilized 
during the Agency's hundreds of thousands of criminal 
investigations; and 3) the internal audit conducted by the USMS to 
identify those instances where its employees may have used the data 
brokers who are under investigation by this Subcommittee. 


Data Brokers 
Like Congress and many of the consumer groups that have taken an 
interest in the commercial use of "data brokers" who claim to have 
access to telephone subscriber, call, and cell site usage, the USMS 
also is concerned about the unauthorized collection, sale, and 
distribution of this type of information. Individually, every USMS 
employee, as well as their family members, has expectations of 
privacy that mirror those of every other member of the public who 
engages in private, lawful conduct. At the same time, each Deputy 
U.S. Marshal is entitled to protection from criminal retribution 
for the critical law enforcement duties we perform. The USMS is 
involved in virtually every federal law enforcement initiative. 
As an agency, we are charged with the primary responsibility for 
identifying and investigating threats and providing protection to 
thousands of federal judges, jurors, U.S. Attorneys, Assistant 
U.S. Attorneys, witnesses, and other persons designated by Congress 
or the Department of Justice. In addition to protecting the 
integrity of the federal justice system, the USMS operates the 
Witness Security Program, transports federal prisoners, and seizes 
property acquired by criminals through illegal activities. Further, 
USMS is the federal government's primary agency for conducting 
fugitive investigations. We arrest more than half of all federal 
fugitives.  
Unregulated access to subscriber information, call detail records, 
and the dates and times that individual cell sites are accessed 
would wreak havoc on our efforts and ability to assure the 
operational security of our protectees and their families, 
associates, and routines, as well as our other law enforcement 
responsibilities. Restrictions that protect privacy are reasonable 
and necessary, and abuses should be thoroughly investigated and 
eliminated. 

USMS Investigations and the Use of Open-Source Information 
The USMS is a significant consumer of lawfully-obtained public and 
open-source records. In order to fulfill our mandate to investigate 
and apprehend violent criminals wanted at the federal, state, and 
local levels, as well as to investigate threats against the federal 
judiciary, the timely acquisition, analysis, and reduction of 
voluminous open-source records into "actionable intelligence" has 
played, and continues to play, a significant role in our swift and 
unparalleled success in apprehending some of the nation's most 
notorious and dangerous fugitives. 
The USMS, like other agencies, utilizes certain data banks and 
commercial sources of information under contractual agreements 
sanctioned by the Department of Justice. Such services are used only 
as needed and pursuant to a specific and legitimate law enforcement 
investigative inquiry. While federal law enforcement agencies like 
the USMS now have access to legitimately-collected information that 
was previously unavailable from a single-collection point, such 
access is absolutely essential to our ability to stay one step 
ahead of seasoned and resourceful criminals desperate to evade 
justice. 
One of the USMS' primary criminal investigative missions involves 
locating and apprehending fugitives who are on the run from the 
law. Our fugitive mission has a singular purpose - to swiftly 
apprehend a known fugitive to answer for the charges. Fugitives 
from justice have already experienced varying degrees of due 
process, from a grand jury indictment to a trial by peers to 
appellate review. Unlike law enforcement agencies that are 
responsible for investigating who committed a crime, the USMS 
does not seek to build a prosecutorial case against an individual. 
In nearly every case, we know exactly who is wanted; our goal is 
to end the investigation by fulfilling a court-ordered arrest 
warrant and bringing a wanted fugitive to justice. 
A violent fugitive - the most common target of a USMS 
investigation - is a unique target among law enforcement 
investigations in that, at a minimum, an independent grand jury 
or a neutral and detached judge already has determined that probable 
cause exists to believe that a crime has been committed and that the 
named fugitive committed the crime. Many of the individuals whom 
the USMS investigates are post-conviction fugitives (such as parole 
violators, probation violators, or failure to surrender fugitives) 
who have pled guilty or have been found guilty by jury or judge. 
The USMS also is responsible for apprehending the most dangerous 
class of fugitive - the violent escapee who will do just about 
anything to avoid apprehension. 
These investigations include not only the tens of thousands of 
federal fugitives that the USMS tracks and captures, but also the 
many more state, county, and local fugitives we investigate as part 
of our six regional fugitive task forces and more than 90 
district-based multi-agency task forces. In fiscal year 2005, the 
USMS arrested more than 35,500 federal fugitive felons and cleared 
38,500 federal felony warrants - more than all other federal law 
enforcement agencies combined. Together with our federal, state, 
and local partners, U.S. Marshals-led fugitive task forces arrested 
more than 44,000 state and local fugitives and cleared 51,200 state 
and local felony warrants. These results are unparalleled in law 
enforcement. 
As of June 13, 2006, the USMS fugitive caseload consisted of 36,464 
federal felony fugitives and 13,396 state felony fugitives. On any 
given day, USMS employees make hundreds of requests for information 
from a variety of sources. Many of those requests involve the use 
of data banks and open-source materials as a supplement to basic 
police investigative leg-work, and eventually aid in making an 
apprehension and taking a violent criminal off the streets. For 
example, in the last three months alone, criminal investigators 
and intelligence analysts assigned to the Criminal Information 
Branch of the Marshals Service's Great Lakes Regional Fugitive 
Task Force, based in Chicago, have used commercial databases and 
open-source data banks such as Lexis-Nexis/Accurint and ChoicePoint 
to obtain critical information that directly led to the arrests of 
the following violent fugitives: 
  Dimitrie Thomas, Sean Everett, and Andre Jones, who were wanted 
in Cabell County, West Virginia. Thomas and Jones were wanted for 
narcotics violations, while Everett was wanted on federal weapons 
charges. Deputies seized two fully-loaded handguns, a revolver and 
a shotgun, while searching Thomas' residence after his arrest. All 
three were arrested in Detroit, Michigan. 
  Roberto I. Lopez, who was wanted in Milwaukee, Wisconsin, for 
first-degree murder and armed robbery in a drug-related case. 
Marshals Service investigators determined that Lopez had fled to his 
native Dominican Republic, where he had been using a number of 
aliases to avoid detection. Lopez was arrested by local authorities 
with the assistance of the USMS Dominican Republic Foreign Field 
Office. 
 Corey Moss, who was wanted in Waukesha County, Wisconsin, for 
sexual assault. He was arrested in Milwaukee by Deputies who found 
him hiding in a basement of his mother's home. 

Open-source information also was critical to the success of the 
fugitive investigation of Timothy Berner, who was wanted in Sterling 
Heights, Michigan, for the July 2004 murder of Police Officer Mark 
Sawyer. Berner had committed several bank robberies with a shotgun, 
and he specifically targeted Officer Sawyer so that he could steal 
his service revolver and continue his criminal ways. As Officer 
Sawyer sat in a shopping center parking lot writing routine police 
reports, Berner approached and fired a single shot, killing him. 
He then stole Officer Sawyer's handgun and fled the scene. For 
three weeks, Deputy U.S. Marshals and task force officers from a 
variety of districts tracked Berner to Jacksonville, Florida, where 
he was located at the residence of a female acquaintance who was 
unaware of his real identity and crimes. As investigators approached 
to arrest him, Berner committed suicide. 
The cases I just cited are just four of tens of thousands of 
fugitive investigations that the Marshals Service undertakes each 
year. I could provide hundreds of similar examples where USMS 
criminal investigators and intelligence analysts have used these 
resources in fugitive investigations and made an arrest. 

USMS Data Broker Queries 
The Subcommittee has obtained a document signed by a Deputy U.S. 
Marshal requesting information from a company currently under the 
Committee's scrutiny. After thorough inquiry, we have ascertained 
that the Deputy's intent was to obtain subscriber information on 
a cell phone number as part of a fugitive investigation. Our survey 
of the 94 USMS districts, six regional fugitive task forces, five 
Regional Technical Operations Centers, and financial records has 
revealed only this isolated instance of use of the data brokers 
in question. 
While no formal policy currently exists specifically addressing the 
use of data brokers of the type under investigation by this 
Subcommittee, USMS investigators and analysts are trained to keep 
their information collection within established legal boundaries. 
Defined legal boundaries of investigative endeavors are present 
through USMS policy pertaining to fugitive investigations and 
technical operations. Moreover, the Department of Justice has 
created a Privacy and Civil Liberties Board to ensure that 
Departmental programs and efforts adequately consider civil 
liberties and privacy. The Data Committee of the Privacy and Civil 
Liberties Board, on which USMS is represented, was established 
earlier this year to address issues related to information privacy 
within the Department. Its first task is to respond to 
recommendations in the April 2006 GAO report entitled "Personal 
Information: Agency and Reseller Adherence to Key Privacy 
Principles." The Data Committee members are analyzing the 
Department's use of all information reseller data, including 
internet data brokers, and will evaluate potential Department-wide 
policy with regard to such use. Specifically, all members of the 
committee are currently assessing their agencies' use of information 
reseller data, including the Internet data brokers identified by 
the Subcommittee as employing pretexting and fraud to obtain 
information. While the inquiry is ongoing, to this point, there 
is no evidence of widespread use of such services. The Data 
Committee meets on a monthly basis and expects to make 
recommendations to the Attorney General on this issue upon 
completion of its review. 

Conclusion
The USMS has a legitimate need to investigate a wide variety of 
sources in order to obtain personal information that might lead to 
the ultimate apprehension of wanted fugitives. The need to acquire 
information quickly is critical to the success of our investigative 
efforts. Ultimately, the USMS needs information to locate and bring 
the wanted fugitive to justice. Today's fugitive is often a hardened 
criminal who has had the benefit of a few years in prison to sharpen 
and refine his skills, and is keenly aware of both our capabilities 
and our weaknesses. 
Just as the electronic age has brought with it great advances in the 
speed and accuracy with which information is collected, stored, and 
retrieved, so too has it brought increased risk to law enforcement, 
particularly agents operating undercover: 1) the virtual 
contemporaneous disclosure of investigative techniques; 2) the 
detailed disclosure of precisely what records are maintained and, 
therefore, available to law enforcement; 3) the disclosure of 
investigative technology, capability, and limitations; 4) the 
ability to communicate anywhere and anonymously behind "ported" 
numbers and prepaid phones with no listed subscribers; 5) off-shore 
calling cards obtained either through convenience stores or the 
Internet; and 6) point-to-point encrypted packet-data 
communications. 
Over time, we have had to refocus our investigative efforts and 
techniques to address this newly emerging class of experienced 
criminal. Access to legitimate resources must be retained in order 
to allow law enforcement to stay one step ahead of the individuals 
who are all too willing to circumvent the law. Similarly, those who 
would circumvent established legal or ethical principles to obtain 
private information must be prevented from doing so. 

MR. WHITFIELD.  Thank you.  
Ms. Cooper Davis.
MS. COOPER DAVIS.  Mr. Stearns, Ranking Member DeGette, distinguished 
members of the subcommittee, on behalf of DEA Administrator 
Karen P. Tandy, thank you for the opportunity to testify before 
you today regarding DEA's policy to obtain telephone transactional 
records and the use of Internet data brokers.  
For nearly the past 3 years I have served as DEA's Chief of 
Operations Management.  In this capacity I support the operations 
of the agency by managing the areas of operational procedures and 
policies, State and local programs, liaison with Federal agencies, 
and other operational concerns.  DEA is a single mission agency 
charged with enforcing the provisions of the controlled substances 
and chemical diversion trafficking laws and regulations of the 
United States.  The agency also serves as the Nation's competent 
authority with regard to national compliance with provisions of 
international drug control treaties.  
DEA's investigations are strictly focused on drug trafficking 
organizations and their facilitators at every juncture of their 
operations.  Our investigation strategies seek to disrupt and 
dismantle these organizations by identifying and attacking 
vulnerabilities in their methods of operation.  
DEA shares this committee's concern regarding Internet data brokers 
that employ fraudulent means to obtain private records.  These data 
brokers should not be confused with legitimate commercial resellers 
from which DEA obtains available information, such as public records 
in furtherance of their investigations.  
Even so, DEA recognizes the sensitivity of the data obtained from 
legitimate commercial data resellers and has measures in place 
intended to safeguard the security of personal information obtained 
from them.  
The use of electronic surveillance and drug investigations, 
specifically telephone wire intercept operations, is an 
investigative technique which the DEA uses to decimate drug 
trafficking organizations.  By linking co-conspirators through their 
telephone conversations and physical surveillance, drug trafficking 
groups are more susceptible to prosecution than in an undercover 
investigation which may yield only a small percentage of the 
organization.  
When targeting a telephone number for exploitation, investigative 
personnel must acquire telephone subscriber information and 
telephone toll data records.  The Congress granted DEA authority 
to issue and serve administrative subpoenas to obtain such data and 
DEA is cognizant that its investigations must be conducted within 
the constraints of law.  DEA has adopted policies and procedures, 
implemented practices through our training of investigative 
workforce to ensure information and evidence are appropriately 
obtained and citizens' privacy rights are not violated.  
The DEA Agents Manual requires the use of an administrative 
subpoena, grand jury subpoena, or court order or consent of the 
subscriber or customer to obtain telephone transactional records, 
otherwise known as subscriber and toll information.  However, the 
DEA Agents Manual does not specifically address Internet data 
brokers or their use in criminal investigations.  Rather, DEA 
policy specifically enumerates the authorized methods for DEA 
personnel to obtain telephone subscriber or transactional records 
which are limited to the administrative subpoena, grand jury 
subpoena, court orders, or consent of the subscriber or customer.  
The criminal investigator works directly with the custodian of 
records and there is no question as to the authenticity of the data 
or how the company acquired the data.  Because the DEA conducts 
numerous telephone wiretap investigations, our personnel are 
cognizant of how and from whom they collect telephone information.  
Since this information will ultimately be used in a court of law, 
it is not the policy or practice of DEA to obtain unverified 
information from unknown and untested open source Internet data 
brokers, particularly those that are known to employ pretexting as 
a business practice.  Rather, DEA policy specifically enumerates 
the authorized methods of obtaining subscriber and toll 
information.  The legality of those methods authorized by DEA has 
been clearly established.  
In sum, DEA relies upon lawful means to gather evidence regarding 
telephone transactional records directly from telephone service 
providers.  
Mr. Stearns, Ms. DeGette, members of the subcommittee, I want to 
thank you again for the opportunity to testify and will be happy 
to address any questions you may have. 
[The prepared statement of Ava Cooper Davis follows:] 

PREPARED STATEMENT OF AVA COOPER DAVIS, DEPUTY ASSISTANT 
ADMINISTRATOR, OFFICE OF SPECIAL INTELLIGENCE, INTELLIGENCE 
DIVISION, U.S. DRUG ENFORCEMENT ADMINISTRATION, U.S. DEPARTMENT 
OF JUSTICE 

INTRODUCTION
Chairman Whitfield and distinguished members of the House Energy and 
Commerce Committee - Subcommittee on Oversight and Investigations, 
on behalf of the Drug Enforcement Administration (DEA), I appreciate 
your invitation to testify today regarding Internet Data Brokers 
(IDBs).  

OVERVIEW 
The DEA, in its unique capacity as the world's preeminent drug law 
enforcement agency, identifies, investigates, and targets for 
prosecution organizations and individuals responsible for the 
production and distribution of illegal drugs.  DEA's mandate is to 
enforce the provisions of the controlled substances and chemical 
diversion trafficking laws and regulations of the United States 
and to serve as the nation's competent authority with regard to 
national compliance with provisions of international drug control 
treaties.  Further, DEA serves as the single point of contact for 
the coordination of all international drug investigations by 
providing clear, concise, and dynamic leadership in the national 
and international drug and chemical control effort.  
Drug syndicates operating today are far more sophisticated and 
dangerous than any of the other organized criminal groups in 
America's law enforcement history.  These new criminals operate 
globally by establishing transnational networks to conduct illicit 
enterprises simultaneously in many countries.  DEA is strictly 
focused on the drug trafficking organizations and their facilitators 
at every juncture of their operation - from cultivation and production 
of drugs, passage through transit zones, to distribution on the 
streets of America's communities.  Our investigations and strategies 
seek to disrupt and dismantle these organizations by identifying and 
attacking vulnerabilities in their methods of operation.  

POLICY AND PROCEDURE 
The DEA Agents Manual is the primary document for operational 
policies and procedures governing the conduct of investigative and 
enforcement operations.  Within this document are the rules and 
regulations that guide our Special Agents and Task Force Officers 
as they go about the business of disrupting and dismantling drug 
trafficking organizations. 
DEA Basic Agent Trainees (BATs) receive instruction on policy and 
procedure, constitutional law, and the rules of criminal procedure, 
during Basic Agent Training.  The curriculum is a 16-week resident 
program designed to train newly recruited agent-trainees.  The 
course places a strong emphasis upon leadership and ethics within 
the framework of rigorous academic, physical, weapons and 
operational training.  Throughout Special Agents' careers, the 
investigators receive advanced and specialized training to enhance 
the knowledge, skills, and abilities necessary to successfully 
perform assigned duties. 
DEA maximizes its force multiplier effect by managing the State and 
Local Task Force Program, whereby almost two thousand State and 
local law enforcement officials work as full partners in DEA Task 
Forces.  Combining Federal leverage and DEA's expertise with state 
and local officers' investigative talents and detailed knowledge of 
their jurisdiction leads to highly effective drug law enforcement 
investigations.  Participating state and local officers are deputized 
to perform the same functions as DEA Special Agents under the 
Controlled Substances Act (Chapter 13 of Title 21 of the United 
States Code).  Upon entering on duty with DEA, Task Force Officers 
(TFOs) attend a two-week TFO school at their respective local DEA 
field division.  During the two-week school, TFOs learn how to 
conduct DEA enforcement operations, prepare investigations for 
prosecution in federal court, and DEA operational policies and 
procedures.  TFOs also work closely with DEA Special Agents and 
are normally supervised by a DEA Group Supervisor.  For those task 
force groups not supervised by a DEA Group Supervisor, the State or 
local law enforcement supervisor also attends the TFO School and 
the four-week DEA Group Supervisor Institute (GSI).  At the GSI, 
supervisors are exposed to leadership and management principles, 
DEA personnel policy, and are taught how to supervise a DEA 
enforcement group.  

Telephone Communications 
The DEA Agents Manual contains a specific section which details 
DEA's policy regarding subscriber/toll information; use of telephone 
decoders; consensual monitoring; and nonconsensual monitoring.  
These policies have been developed and refined to ensure the 
information gathered during the course of an investigation is 
collected in a legal manner that will withstand court scrutiny 
and to establish adequate, appropriate oversight.  The policies 
also protect the investigators and the agency from any legal 
liability.  
The use of electronic surveillance in drug investigations, 
specifically telephone wire intercept operations, is an 
investigative technique which the DEA uses to decimate drug 
trafficking organizations.  By linking co-conspirators through 
their telephone conversations and physical surveillance, drug 
trafficking groups are more susceptible to prosecution than in 
an undercover investigation which may yield only a small percentage 
of the organization.  In order to justify the use of a telephone 
wiretap, a criminal investigator must be able to articulate his 
probable cause in an affidavit to the court.  The success of this 
affidavit is dependent upon the field work that the Special Agent 
or TFO conducts, prior to seeking the court's approval for the 
collection of this information.  
When targeting a telephone number for exploitation, investigative 
personnel must acquire telephone subscriber information and 
telephone toll records.  The DEA Agents Manual requires the use 
of an administrative subpoena, grand jury subpoena, court order, or 
consent of the subscriber or customer to obtain telephone 
transactional records.  Because the DEA conducts numerous telephone 
wiretap investigations, our personnel are very cognizant of how and 
from whom they collect telephone information.  DEA has been granted 
administrative subpoena authority for use in drug investigations, 
and Special Agents and TFOs are trained to use that authority.  
When a criminal investigator acquires a telephone number for which 
the subscriber information is not immediately known, the 
investigator must first identify the telephone company (e.g., 
Verizon, Sprint, AT&T, etc.) that owns or controls that number.  
Once the telephone company is identified, the investigator will 
obtain an administrative subpoena, requesting subscriber name, 
billing information, and telephone toll records for a specific 
time frame.  The administrative subpoena must have a DEA case file 
number, be signed by the investigator's supervisor, and be given a 
sequential number for recording in a log book or computer database 
so that a particular field office can track and account for any 
administrative subpoenas issued by that office.  The telephone 
companies are given a period of ten days, from the date of 
issuance, to respond with the requested information.  Furthermore, 
each subpoena usually has an attached letter, signed by the office 
head, requesting the telephone company not to disclose the existence 
of the subpoena for a period of 90 days, as such disclosure could 
possibly interfere with an ongoing criminal investigation.  The 
investigator also has the option of seeking a court order to 
mandate that the telephone company comply with the non-disclosure 
request. 
The DEA Agents Manual does not specifically address IDBs or their 
use in criminal investigations.  Rather, DEA policy specifically 
enumerates the authorized methods for DEA personnel to obtain 
telephone subscriber or transactional records which are limited 
to administrative subpoenas, grand jury subpoenas, court orders, 
or consent of the subscriber or customer.  The criminal investigator 
works directly with the custodian of the records and there is no 
question as to the authenticity of the data or how the company 
acquired the data.  

CONCLUSION 
In conclusion, the DEA relies upon lawful means to gather evidence 
regarding telephone transactional records directly from telephone 
service providers.  The Congress has granted DEA this authority, 
and DEA is cognizant that its investigations must be conducted 
within the constraints of law.  DEA has adopted policy and 
procedures and implemented practices through training of our 
investigative and TFO workforces to ensure information and 
evidence are appropriately obtained.  Moreover, the Department has 
created a Privacy and Civil Liberties Board to ensure that 
Departmental programs and efforts adequately consider civil 
liberties and privacy.  The Data Committee of the Privacy and 
Civil Liberties Board, on which DEA is represented, was established 
earlier this year to address issues related to information privacy 
within the Department.  Its first task is to respond to 
recommendations in the April 2006 GAO report entitled "Personal 
Information: Agency and Reseller Adherence to Key Privacy 
Principles." The Data Committee members are analyzing the 
Department's use of all information reseller data, including 
internet data brokers, and will evaluate potential Department-wide 
policy with regard to such use.  Specifically, all members of the 
committee are currently assessing their agencies' use of information 
reseller data, including the Internet data brokers identified by 
the Subcommittee as employing pretexting and fraud to obtain 
information.  While the inquiry is ongoing, to this point, there 
is no evidence of widespread use of such services.  The Data 
Committee meets on a monthly basis and expects to make 
recommendations to the Attorney General on this issue upon 
completion of its review.  
Thank you for the opportunity to appear before you today to discuss 
this important issue.  I will be happy to answer any questions that 
you may have. 

MR. STEARNS.  Thank you.  
Mr. Ford.
MR. FORD.  Good afternoon, Chairman Stearns and Ranking Member 
DeGette, and distinguished members of the subcommittee.  I am 
pleased to appear before you today to discuss the Bureau of Alcohol, 
Tobacco, Firearms and Explosives' Internet data broker policy.  
In late 2005, the availability of personal information from a 
multitude of Internet database sources came to the attention of 
ATF offices through field inquiries, the intelligence community, 
and the evaluations of operational security issues specifically 
related to undercover investigations.  
This information included services advertising the sale of 
individuals' cell phone records, including the cell phone numbers a 
particular cell phone has connected to, the duration of call, as 
well as other personal subscriber information.  ATF headquarters 
received a number of inquiries from our field personnel pertaining 
to the applicability and legitimacy of such service.  As a result, 
we issued a notice to all personnel on January 25, 2006, providing 
guidance on this issue.  
Of paramount concern was the problem data broker services could 
present to law enforcement undercover operations and officer safety. 
As we noted in our broadcast announcement to ATF employees, 
in undercover operations criminals themselves may likely be 
checking the undercover agents' cell phone records to determine 
whether the agents are who they claim to be, and tracing an ATF 
cell phone to a government purchase presents a serious hazard to 
agents under these circumstances.  In addition, tracing contacts to 
other phones could compromise an investigation, endanger agents and 
witnesses. 
There is also a question of the appropriateness of law enforcement 
agencies using data brokers to obtain subscriber information.  
During our review we noted that there were ongoing concerns by 
telephone companies regarding methods used by some within the 
Internet data broker community to collect data they maintained 
and disseminated.  The notice we sent to all personnel in January 
reminded agents that as law enforcement officers, we have the 
ability to subpoena these records, and it instructed them to 
continue utilizing this approach.  We have no indication that 
ATF has requested toll record information from data brokers.  
Furthermore, after querying our case management system we could 
find no record of the use of any data brokers under the 
subcommittee's review.  
ATF is committed to preserving the integrity of our operation and 
the safety of our agents and to using the best practices and 
appropriate tools when conducting investigations.  The rapidly 
evolving world of information technology will continue to present 
law enforcement with new issues and situations that require 
careful consideration.  We will closely examine each and apply 
our high standards and principles when providing guidance to our 
agents.  
As my colleagues have testified to, the Department has created a 
Privacy and Civil Liberties Board to ensure that departmental 
programs and efforts adequately consider civil liberties and 
privacy, on which ATF is represented.  We also welcome and 
appreciate any information and views the subcommittee would like 
to share on this matter.  
Once again, Mr. Chairman and members of the subcommittee, on behalf 
of ATF I thank you for the opportunity to testify today and I look 
forward to answering any questions you may have.  
[The prepared statement of W. Larry Ford follows:] 

PREPARED STATEMENT OF W. LARRY FORD, ASSISTANT DIRECTOR, OFFICE OF 
PUBLIC AND GOVERNMENTAL AFFAIRS, BUREAU OF ALCOHOL, TOBACCO, 
FIREARMS, AND EXPLOSIVES, U.S. DEPARTMENT OF JUSTICE 

Good afternoon Chairman Whitfield, Ranking Member Stupak, and 
distinguished members of the Subcommittee. I am pleased to appear 
before you today to discuss the Bureau of Alcohol, Tobacco, 
Firearms and Explosives' (ATF) policy on the use of Internet data 
brokers. 
In late 2005, the availability of personal information from a 
multitude of Internet-based sources came to the attention of several 
ATF offices in various ways. This information included services 
advertising the sale of individuals' cell phone records, including 
the telephone numbers a particular cell phone has connected to, 
the duration of calls, as well as other personal subscriber 
information. ATF Headquarters received a number of inquiries from 
our field personnel pertaining to the applicability and legitimacy 
of such services. As a result, we issued a notice to all ATF 
personnel on January 25th, 2006, providing guidance on the issue. 
Of paramount concern was the problem data broker services could 
present to law enforcement undercover operations and officer 
safety. As we noted in our broadcast announcement to ATF employees, 
"In undercover operations, criminals themselves may likely be 
checking undercover agents' cell phone records to determine 
whether [the agents] are who they claim to be, and tracing an ATF 
cell phone to a government purchase presents a serious hazard to 
agents in these circumstances." In addition, Mr. Chairman, tracing 
contacts to other phones could compromise an investigation and 
endanger agents and witnesses.  
There is also the question of the appropriateness of a law 
enforcement agency using data brokers to obtain subscriber 
information. During our review we noted that there were ongoing 
concerns by telephone companies regarding methods used by some 
within the Internet data broker community to collect the data 
they maintained and disseminated. The notice we sent to all ATF 
personnel in January reminded agents that, "As law enforcement 
officers, we have the ability to subpoena these records," and it 
instructed them to "continue to utilize this approach." 
Mr. Chairman, we have no indication that ATF has ever requested 
toll record information from data brokers. 
ATF is committed to preserving the integrity of our operations and 
the safety of our agents and to using the best practices and 
appropriate tools when conducting investigations. The rapidly 
evolving world of information technology will continue to present 
law enforcement with new issues and situations that require 
careful consideration. We will closely examine each and apply 
our high standards and principles when providing guidance to our 
agents. Moreover, the Department has created a Privacy and Civil 
Liberties Board to ensure that Departmental programs and efforts 
adequately consider civil liberties and privacy. The Data Committee 
of the Privacy and Civil Liberties Board, on which ATF is 
represented, was established earlier this year to address issues 
related to information privacy within the Department. Its first 
task is to respond to recommendations in the April 2006 GAO report 
entitled "Personal Information: Agency and Reseller Adherence to Key 
Privacy Principles." The Data Committee members are analyzing the 
Department's use of all information reseller data, including 
internet data brokers, and will evaluate potential Department-wide 
policy with regard to such use. Specifically, all members of the 
committee are currently assessing their agencies' use of information 
reseller data, including the Internet data brokers identified by 
the Subcommittee as employing pretexting and fraud to obtain 
information. While the inquiry is ongoing, to this point, there 
is no evidence of widespread use of such services. The Data 
Committee meets on a monthly basis and expects to make 
recommendations to the Attorney General on this issue upon 
completion of its review. 
We also welcome and appreciate any information or views the 
Subcommittee would like to share on the matter. 
Once again, Mr. Chairman, Congressman Stupak, members of the 
Subcommittee, on behalf of ATF, I thank you for the opportunity to 
testify before you today. I look forward to answering any questions 
you might have. 

MR. BURGESS.  [Presiding.]  Thank you, Mr. Ford.  I want to thank all 
members of the panel.  I apologize for being out of the room.  
I apologize for Mr. Stearns having to depart.  
Ms. Lammert, I didn't get to hear your testimony, but I have your 
written testimony.  Can I ask you, would there ever be any need for 
the FBI to go to one of these data brokers for nonpublic information 
like toll records or financial records?  
MS. LAMMERT.  We strictly comply with ECPA.  In our cases we know 
that the statute requires the use of subpoena, court order, or grand 
jury or administrative subpoena, depending on what criminal 
investigation we are conducting.  So we always instruct our agents 
to comply with the statute.  
MR. BURGESS.  This week the Associated Press has reported that the 
FBI has used Internet data brokers, and yesterday both James Rapp 
and David Gandal briefly discussed assisting the FBI, and one of 
the companies that the committee wrote to, Advanced Research in 
Oregon, stated that it had done work for the FBI in the past.  So 
I will preface this question by noting that the subcommittee has no 
documents in its possession to show transactions between the FBI 
and Internet data brokers, but can you tell us in light of the 
anecdotal information just referenced whether the FBI used data 
brokers to acquire nonpublic information?  
MS. LAMMERT.  First, addressing what has been reported in the press, 
to date we have not developed any information that would support 
the use of the particular individuals that you have currently 
mentioned.  I know there was some testimony yesterday regarding 
one particular individual and an agent, and I am willing to respond 
to that if you have any questions regarding that particular aspect 
of that testimony.  
As far as data brokers are concerned, my concern here is that we 
do use brokers such as ChoicePoint and LexisNexis and Dun & 
Bradstreet, which do collect information from a variety of sources 
and we do use that extensively in our investigations. 
MR. BURGESS.  On the testimony delivered yesterday by Mr. Gandal 
and Mr. Rapp, can you expound upon that?  
MS. LAMMERT.  Sure.  Mr. Gandal discussed having had contact with an 
agent and providing him phone information, I believe, subscriber 
information, and if I am incorrect on that I apologize.  I think 
that is how I understand the testimony to have been.  The agent 
was a relatively new agent in the Bureau.  He had a one-time 
contact in that respect with that information pursuant to an 
investigation.  He did obtain that information from Mr. Gandal.  
When he reported back to his supervisor that he had obtained this 
information and this individual was capable of doing that, his 
supervisor immediately counseled him that that was not the 
appropriate way of obtaining that information, that did not comport 
with our policies, and he was to desist from doing that and he has 
never done that since then.  
MR. BURGESS.  To what extent is the FBI investigating or pursuing 
data brokers who operate in the manner of the ones who came to 
testify yesterday?  
MS. LAMMERT.  As my written testimony states, we are looking at them 
from a perspective of wire fraud, which is Title 18, Section 1343.  
Under that statute it is a felony to falsely or under fraudulent 
pretenses obtain money or property by means of wire communication 
and interstate or foreign commerce.  That is sort of the statute 
that in consultation with the United States Attorney's office 
that we are working with we are pursuing at this time.  
MR. BURGESS.  Well, in that regard are wire fraud statutes adequate 
to pursue the pretexters or does the FBI need a more explicit 
statute in making these activities illegal?  
MS. LAMMERT.  I think that is something we are exploring given the 
current investigations that we have.  We think that this is a good 
statute to work upon but we are looking at whether or not it is 
sufficient or that there are other things that we would need.  
That is all I can say right now. 
MR. BURGESS.  There was an individual who came yesterday to testify 
before us, Patrick Baird, who is from north Texas, as am I, and he 
declined to testify, but do you think if an agent were to share 
information related to an investigation with a data broker like 
Patrick Baird that there is considerable risk of compromising 
operational security?  
MS. LAMMERT.  I would think it depends on what the relationship is 
and why we are talking to Mr. Baird.  If you are talking, and I 
apologize, I would ask if you could explain sort of more about what 
you are trying to determine.  I apologize.  
MR. BURGESS.  Have you got the evidence book at your table?  
MS. LAMMERT.  Yes, sir.  
MR. BURGESS.  Under Tab 5 that is referenced, "faxed request from 
special agent."  
MS. LAMMERT.  Tab 5.  "I have received a fax from the U.S. Postal 
Inspection Service."  That one?  
MR. BURGESS.  Yes.  Although they are redacted on the page, they 
are disclosing telephone numbers and other information.  Now is 
that compromising the operational security of an ongoing 
investigation?  
MS. LAMMERT.  Without speaking to what the Postal Service may or may 
not have known about Mr. Baird, I think we always have to be 
cautious and cognizant that when we are trying to obtain 
information from individuals, regardless of what their position in 
society is, that we always run the risk that those individuals may 
disclose their association with us or provide that information to 
others.  We try very hard to ensure that our sources of information 
or people that we deal with are the type that we can trust and 
have credibility and understand the ability to work with us.  So 
we always have to be concerned about that and recognize that the 
risk exists.  
MR. BURGESS.  On the Stored Communications Act, which is referenced 
under Tab 4 in the book, does it require a certain level of process 
for government entities to get access to nonpublic subscriber 
information like a customer's name, address?  
MS. LAMMERT.  Yes, it requires a subpoena, whether grand jury or 
administrative subpoena, depending if you have administrative 
subpoena power, or even a court order. 
MR. BURGESS.  Even for name and address?  
MS. LAMMERT.  Subpoena for name and address. 
MR. BURGESS.  Which would mean in the case of these documents that 
the subcommittee subpoenaed from a data broker that show that Federal 
agents, not from the FBI, requesting names and addresses associated 
with a telephone number should have been acquired through the 
subpoena process if that information was not in a public database; 
is that correct?  
MS. LAMMERT.  It is the policy of the FBI to obtain subpoenas to 
obtain that type of information, yes.  
MR. BURGESS.  In the interest of time I will yield to the Ranking 
Member, Mr. Stupak of Michigan.  
MR. STUPAK.  Mr. Kilcoyne, I am curious, your testimony arrived 
very, very late last night and there was only three pages.  Was 
there a problem in clearing the testimony through DMB or OMB or 
DHS?  
MR. KILCOYNE.  Not that I am aware of, no. 
MR. STUPAK.  Okay.  Why did it take so long to get?  It is only a 
couple of paragraphs.  Why did it take so long to get it to the 
committee? 
MR. KILCOYNE.  I don't know, sir.  
MR. STUPAK.  Were you responsible for clearing it with anyone like 
DHS or OMB?  
MR. KILCOYNE.  Well, the Office of Congressional Affairs and the 
Department are responsible for clearing it.  I am just the witness 
and participated in some of the preparation of it. 
MR. STUPAK.  Do you know anything about the subject then or are you 
just here to recite the testimony?  
MR. KILCOYNE.  No, I believe I am an adequate witness to address 
some of the issues, yes. 
MR. STUPAK.  Let me ask this question of each of you.  There has 
been some concern.  Back in late April, this committee unanimously 
passed out two pieces of legislation, H.R. 4943, Prevention of 
Fraudulent Access to Phone Records Act, and H.R. 4127, Data 
Accountability and Trust Act.  
I will start with you, Mr. Kilcoyne.  Does your agency have any 
objection or concerns about that legislation?  
MR. KILCOYNE.  That I don't know, sir.  I am not an attorney.  We 
would have to have our legal staff get back to you with that answer. 
MR. STUPAK.  Okay.  Ms. Lammert.  
MS. LAMMERT.  The Department of Justice has received the 
legislation, is looking at it.  We don't currently have an 
administrative position on it. 
MR. STUPAK.  Any idea when you will have one?  
MS. LAMMERT.  I cannot speak for the Department.  I know they are 
working on it feverishly to get it done.  
MR. STUPAK.  Mr. Bankston.  
MR. BANKSTON.  To the best of my knowledge, I don't know anything 
about the bill and we have no objection to it to the best of my 
knowledge.  
MR. STUPAK.  Ms. Cooper Davis.  
MS. COOPER DAVIS.  Sir, I am aware of the bill.  I know it is still 
under review by the Department and DEA has not taken a position on 
the bill. 
MR. STUPAK.  Mr. Ford.
MR. FORD.  As far as I know, the Department has not cleared an 
administrative position on the bill.  
MR. STUPAK.  When do you expect to take a position?  We had the bill 
in committee, we had hearings, we had all this and we had it all 
primed for the floor.  It was scheduled to be on the floor and 
suddenly it gets pulled and we are told that law enforcement has 
objections.  So we would like to know what are the objections?  
MS. LAMMERT.  If I could speak to that for a moment.  
My understanding of what we were at so far in speaking sort of in 
these terms are, we obviously--I think the Department of Justice 
obviously supports enhanced security of this type of information.  
I think it is in the process of clearing it and obtaining an 
administrative position on this.  Some of the things that we are 
looking at that we support and find important to our mission but 
have some comments or would like to share some comments have to do 
with the sort of the language regarding law enforcement exception.  
We would like it to be more akin to the language that is already 
occurring in 1030 and not to be in contradiction to ECPA, which 
allows exception for this type of disclosures to law enforcement. 
MR. STUPAK.  You are talking about exceptions to this.  Are you 
saying law enforcement should be exempt from these pieces of 
legislation?  
MS. LAMMERT.  No, no, no.  I apologize if I am not being clear.  
MR. STUPAK.  We are trying to figure out the concerns.  We don't 
want like the Internet child pornography where we passed a law in 
1998 and you appear before our committee less than a month ago and 
say you have concerns 7 years later.  We are not going to wait 
7 years.  
MS. LAMMERT.  Then as I said, the position of the Department is we 
support the initiative.  It is being looked at and it has not been 
cleared yet.  That is the best we can say right now.  
MR. STUPAK.  Mr. Kilcoyne.  The FBI says in their testimony that they 
believe that pretexters might be guilty of violating the wire fraud 
provisions under 18 USC 1343.  In your testimony it says that your 
agency, Office of Investigations only, and I quote now, "recommended 
that the SAIC, Special Agent in Charge, Denver office not use these 
resellers in the future."  That does not appear to be a strong 
response.  
Can ICE agents use pretexters in the course of one of their 
investigations or not?  
MR. KILCOYNE.  I think we need to be able to take a step back here.  
Now that the committee has brought some of the collections methods 
and this is coming to light as to how they are getting this 
information and we are talking about some individuals, when we 
have a new agent or agents in the field that are going to the 
Internet, they are evidently, as I was, under the false impression 
that you are Googling or crisscrossing or using some sort of 
nationwide directory assistance type of a process to filter out 
numbers or names to try to point you in the right direction.  
MR. STUPAK.  Sure.  But what is the policy?  That is what I am 
asking.  Can ICE agents use pretexters in the course of their 
investigations?  
MR. KILCOYNE.  Well, certainly we are not going to condone the use 
of pretexters.  However, open source information-- 
MR. STUPAK.  That is one thing.  I agree with you.  I am not talking 
about going on the Internet and whatever you pull up.  I am talking 
about paying people, pretexters to help you in your investigation.  
MR. KILCOYNE.  No, we do not do that, no.  
MR. STUPAK.  Okay.  Let me ask this question.  For the record, let 
me ask each of you the following question:  Yesterday, and I held it 
up in my opening right here, CNN reported that Federal law 
enforcement agencies such as yourself spent about $30 million a 
year on data broker services.  The article was discussing mostly 
the kind of sketchy operations that were the discussion of 
yesterday's hearings, which are the pretexters.  Do any of your 
agencies spend money on hiring pretexters to find out certain 
information?  Do you use the services of pretexters?  
Let me start with you, Mr. Kilcoyne.  
MR. KILCOYNE.  I would say no, we don't.  We use open source 
information that is on the Internet and we pay for that in some 
instances.  
MR. STUPAK.  That is a pretexter then, right?  If I am advertising 
on the Internet $100 to get you any information you want if you pay 
me?  
MR. KILCOYNE.  We pay for and have negotiated contracts with 
LexisNexis, Dun & Bradstreet, ChoicePoint.  
MR. STUPAK.  Those are not pretexters?  
MR. KILCOYNE.  Those are the types of companies that we pay.  
MR. STUPAK.  Did you check before you testified today?  
MR. KILCOYNE.  Yes, I did.
MR. STUPAK.  And you don't use any?  
MR. KILCOYNE.  That is correct.  
MR. STUPAK.  Okay, Ms. Lammert?  
MS. LAMMERT.  No, we do not pay for those individuals that unlawfully 
obtain records through pretexting.  
MR. STUPAK.  Okay.  Mr. Bankston?  
MR. BANKSTON.  Congressman, we do not use pretexter services.  There 
was one attempt by an employee who sent a letter, that the committee 
is aware of, we requested for subscriber information relating to a 
telephone number.  He was not aware that that company used 
pretexting or any other illegal means to maintain that data. 
MR. STUPAK.  So you only know of one incident?  
MR. BANKSTON.  Yes, sir. 
MR. STUPAK.  Ms. Cooper Davis?  
MS. COOPER DAVIS.  Yes, sir.  Since being made aware of this, of 
the committee's concern, we quickly canvassed for any contracts 
through our financial database to determine if Internet brokers 
using fraudulent means, if we had any contract or any payments to 
them.  Those inquiries yielded a negative result, and as a result 
of the information you provided to us, we identified one instance 
in which a task force officer made an inquiry from an Internet data 
broker.  
MR. STUPAK.  So you don't have any contracts and as best you can 
determine your agents, other than this one task force, those do not 
use it.  
MS. COOPER DAVIS.  Yes, sir.  
MR. STUPAK.  Mr. Ford.  
MR. FORD.  Yes, sir.  ATF, we queried our case investigative system 
and we had a negative reply to those organizations that the 
committee had listed.  Also, the $30 million figure is derived from 
the GAO report entitled "Personal Information."  
MR. STUPAK.  Okay.  Did GAO in that report indicate your agency or 
any other agencies were using pretexters?  I am not talking about 
LexisNexis.  I am talking about pretexters.  
MR. FORD.  Not for ATF, no, sir.  
MR. STUPAK.  Ms. Lammert, you mention in a question of Mr. Burgess 
that although you are having ongoing inquiry and I believe you said 
to this point there is no evidence of widespread use of such 
pretexting services, and you mention in your statement, to use the 
same language, so what is the definition of widespread use?  Your 
statement says "to this point," and I am quoting now, "to this point 
there is no evidence of widespread use of such pretexting services."  
So is there a difference between widespread use or one-time use?  
MS. LAMMERT.  Yes is the short answer.  We to this day have not 
found that there is a systemic use on the part of our agents in 
the FBI to use these type of Internet data brokers.  We had the 
one incident that was brought to your attention during testimony 
yesterday which we provided information regarding.  We have checked 
our databases for any formal procurement or contract matters 
involving the individuals that you are interested in and have not 
found any.  So that is why to this point we have not seen this.  We 
are in the process of conducting a further survey to ensure what we 
know within our organization.  
MR. STUPAK.  I do not want to get hung up on contracts here because 
that is a pretty formal thing and you would have record of that.  
But I am talking about agents or task force or others using it 
without knowledge of headquarters.  
MS. LAMMERT.  Understood, and that is what I am alluding to, that 
besides the formal sort of contract we have so far we have no 
indication there is a systemic use.  We are in the process of 
surveying our field offices to ensure what information is out 
there. 
MR. STUPAK.  When you have that information will you provide it to 
the committee?  
MS. LAMMERT.  We will. 
MR. STUPAK.  Ms. Cooper Davis, you use basically the same kind of 
language in your testimony, widespread use.  So no widespread use 
with DEA?  
MS. COOPER DAVIS.  No, sir.  
MR. STUPAK.  Again, what context was that meant in, widespread use?  
MS. COOPER DAVIS.  Sir, again, I first became aware of this when 
the committee subpoenaed these Internet data brokers.  DEA has 
mandates, policy which enumerates the ways in which our criminal 
investigators would obtain this kind of information, and that is 
basically to the administrative subpoena, as I said, grand jury 
subpoena, the court orders, or the consent of the customer.  We 
have not to my knowledge found any, other than this one instance.  
That is the only one I can speak of.  
MR. STUPAK.  Mr. Chairman, my time is up.  Thanks for the time, but 
before we leave this point I would ask that the committee ask 
these representatives of the Federal agencies as they continue 
their investigation they let us know their findings as soon as 
possible so we can see the depth and scope of this issue, and 
hopefully it is not $30 million.  
MR. BURGESS.  Without objection. 
MR. BURGESS.  Just before going to recognizing Mr. Walden, I do want 
to enter the binder Tab 5, that I referenced earlier into the 
record, actually the entire binder into the record.  
[The information follows:] 


MR. BURGESS.  I recognize Mr. Walden of Oregon for 10 minutes.  
MR. WALDEN.  Thank you very much, Mr. Chairman.  I appreciate that.  
Mr. Kilcoyne, are you aware of how the special agents in the Denver 
field office first discovered Best411.com and the service it 
provided?  
MR. KILCOYNE.  Yes, I am.  The agents appeared to be through other 
law enforcement contacts and networking were made aware of this 
website.  This is an isolated incident in the Denver field office 
amongst a small group of four agents who evidently talked to each 
other and talked to some of their counterparts there in Denver. 
MR. WALDEN.  And I am curious how were they planning to use that 
information?  Why did they request it?  
MR. KILCOYNE.  As you would do in a case that has in some instances 
thousands and thousands of telephone numbers, they basically would 
use this service or the Internet as a way to perhaps filter out or 
as a pointer to point them and do through process of elimination 
numbers that may come back to public businesses or pay phones or 
known numbers or in some instances, with the cellular telephones, 
it may only identify who the carrier is, who the issuer of that 
particular cell phone is or in some instances where that cell phone 
would be carried.  For example, if they are prepaid phones, does 
Costco sell them, does Wal-Mart sell them, et cetera.  So they would 
just use it as a pointer and then once they were able to kind of 
make a determination that there was connectivity to their specific 
investigation, then they would go through the other processes that 
we have to ensure the integrity of the evidence and the information 
that you would obtain.  
MR. WALDEN.  Doesn't subscriber information that is not publicly 
available still require a warrant?  I am not an attorney but what 
are your standard procedures?  How would this have been handled 
pre-pretexting?  Is subscriber information that is not public 
available to you without a warrant?  
MR. KILCOYNE.  Yes. 
MR. WALDEN.  Really?  
MR. KILCOYNE.  Through telephone companies, through the publications 
that they publish, through crisscross directories.  You call 
Domino's Pizza and they have everything that you have on your 
residence even if you have an unpublished telephone number.  
MR. WALDEN.  Okay.  But is that information that is only in some 
sort of public database?  
MR. KILCOYNE.  Correct. 
MR. WALDEN.  So information that is not in a public database would 
not be available to you absent a warrant?  
MR. KILCOYNE.  No, the telephone companies print crisscross 
directories or backwards directories that will include in some 
instances nonpublished telephone numbers.  
MR. WALDEN.  But if they do not do it that way, wouldn't you have 
to get some sort of warrant?  
MR. KILCOYNE.  Correct.  If you got the information back, if there 
was no information whatsoever from the Internet, whether you Google 
it or whatever, then we have an established process in place to 
send a summons or a subpoena, a trial subpoena, a grand jury 
subpoena, whatever stage you may be in in your investigation, to 
try to obtain that information. 
MR. WALDEN.  On Page 3, you state that cellular telephone companies 
typically take several weeks to provide requested phone records.  
Why does it take them so long?  
MR. KILCOYNE.  Well, the telephone companies, as with the majority 
of the people at the table here, have to deal with manpower, 
budgeting constraints and everything--and volume.  I mean, if 
you're dealing with a telephone company in a small town that 
services a small town in middle America, chances are your return 
is going to be very, very quickly.  If you go to some of the larger 
cities, your return is going to be 2 or 3 weeks, depending on the 
type of summons or subpoena or the urgency that you are explaining 
to the telephone company.  And they have their own process.  
When I was a field agent down in south Florida, Bell South 
Mobility--sometimes it would take a month to get just subscriber 
information from them.  Because when you would go over there, they 
had two employees that were handling thousands and thousands-- 
MR. WALDEN.  How long ago was that?  
MR. KILCOYNE.  That was 15 years ago. 
MR. WALDEN.  So today you would think with computer technology they 
would be able to access it a little quicker?  
MR. KILCOYNE.  In some instances, the input that we have gotten 
back from our field is that the timeframe is about 2 weeks 
turnaround for a standard summons or subpoena, depending on what 
is used.  However, if you are in the middle of a trial and you use 
a trial subpoena or you are in the grand jury process, they, being 
the service providers, will expedite those requests; and those go 
to the front of the line. 
MR. WALDEN.  I guess I would like to hear from each of you the 
answer to two questions.  One is your own definition of pretexting.  
Is this fraudulent acquisition of otherwise nonpublic data?  And 
then, what is your training for your agents so that they are not 
engaging in this?  
Because it looks to me like--I can figure out how to go to Google 
and look up my name and figure out things about me--some of which 
aren't true, by the way.  Can't believe everything on the Internet.  
But then there is this next course of action which would be to go 
to one of these data mining outfits, and they obviously can get 
through faster than your subpoena can, based on testimony we had 
here yesterday or during the week, the way they go through their 
con.  I am amazed that they can get just about anything by just 
begging and being very clever.  It strikes me as odd that they can 
figure out how to get through there quickly and it takes phone 
companies a couple of weeks to get back to you.  
But tell me what--each of you from your own--do you want me to start 
with Mr. Ford, since you have been on the hot seat?  
MR. KILCOYNE.  I would just as soon finish this. 
MR. WALDEN.  I have another 2 and a half minutes.  
MR. KILCOYNE.  I think, like I said previously, is the information 
and the evidence that subcommittee investigators have presented for 
ICE have identified a new challenge that we are going to have to 
look at.  I think there are agents in the field, as I am-- 
MR. WALDEN.  They are creative.  
MR. KILCOYNE.  Very creative in trying to find out and, like I 
said, filter out the information.  How those people get the 
information is what has been surprising to us. 
MR. WALDEN.  And us.  
MR. KILCOYNE.  Correct.  
MR. WALDEN.  Not just agents in the field.  We are surprised by all 
kinds of private and public sectors that have used it. 
MR. KILCOYNE.  Certainly we do not condone a strong-arm, fraudulent, 
thug approach to getting information from anybody; and I believe 
that is-- 
MR. WALDEN.  Is that how you define pretexting?  
MR. KILCOYNE.  I would think that that is fair.  
MR. WALDEN.  Let me go to Ms. Lammert.  
MR. KILCOYNE.  One other issue, I think that is exampled by the fact 
that our agents use ICE letterhead.  They were--thinking that they 
were dealing with a reputable company, so they weren't trying to do 
something subversive or something-- 
MR. WALDEN.  Understood.  
Ms. Lammert.  
MS. LAMMERT.  I think in the context of inquiry pretexting is the 
use of fraudulent means to obtain information that is statutorily 
protected.  This is what these data brokers are doing.  They are 
misidentifying themselves so as to obtain information that has 
statutory protections.  So that would be my definition for purpose 
of this inquiry. 
You asked what the training is that we provide our agents.  And being 
an agent myself as well as a lawyer, the training that we received 
and do receive and continue to receive is that, to obtain certain 
information, in this particular case phone-related information, 
subscriber address, toll records, so forth, we comply with ECPA.  
ECPA requires us to obtain certain processes, to obtain certain 
levels of information; and that is how we train our agents in our 
manual.  It is trained while you're in the new agents class, it's 
reinforced while you are in the field.  
MR. BANKSTON.  Congressman, my definition of pretexting would be a 
combination of fraud and identity theft.  Plain and simple.  And 
our agency doesn't use pretexting as a means of obtaining 
information.  
As far as agent training goes, it starts at basic training when we 
have rookie marshals going into the training academy; and it goes 
throughout refresher training all the way throughout their career, 
that they must adhere to the applicable agencies, the departmental 
policies and the laws.  Pretexting is not specifically defined in 
our policy manual, as I stated in our testimony. 
And my colleagues here today, the Department's Civil Liberties and 
Privacy Office has established a data committee which we are 
represented on; and it's ongoing working group established earlier 
this year.  They met as recently as like June 19th, 16th, something 
like that. 
MR. WALDEN.  Okay, Ms. Cooper Davis. 
MS. COOPER DAVIS.  Yes, sir.  In terms of the definition of 
pretexting, again, fraudulent means to gain information, personal 
information that would otherwise be protected by law. 
In terms of training of DEA agents and task force officers, our 
policy strictly identifies the authorities under which you are 
going to gain this kind of information; and, as I said, the 
administrative subpoena, your court order, the grand jury subpoena 
or, again, the consent of the individual.  
Through our academy, our agents are given specific--a block of 
instruction on how to prepare an administrative subpoena.  And, 
again, it goes to the authenticity--being able to gain the 
information from the right person.  Because the information that 
you obtain is going to be used in a court of law, and it's going 
to have to withstand the scrutiny.  So, therefore, that's the only 
thing that we use to gain any kind of information; and we teach 
the same thing to our task force officers. 
MR. FORD.  Pretexting is the practice of getting personal 
information under false pretenses.  As far as ATF agents, they 
receive their basic training at the Federal Law Enforcement Training 
Center; and during their basic school they are trained on rules of 
evidence, search and seizures, use of subpoenas and warrants.  
They also are assigned a training officer.  Until they demonstrate 
that they have practical working knowledge of the laws, they stay 
under the guidance of that training officer.  
MR. WALDEN.  Thank you, Mr. Chairman.  
MR. BURGESS. [Presiding.]  The gentlelady from California--Colorado 
is recognized for 5 minutes. 
MS. DEGETTE.  Never accuse me of that. 
MR. BURGESS.  I beg your pardon. 
MS. DEGETTE.  Thank you, Mr. Chairman.  
I want to follow up on something Mr. Ford just alluded to, and I 
want to start out asking Ms. Cooper Davis this question, but I want 
to ask everybody if you have an opinion on this.  All of you have 
testified that your agencies do not use pretexting or these data 
brokers because the information is gained by using illegal means.  
It's gained by getting information that is not in the public domain. 
And my question would be, if information like this was gained--and 
I think of you, Ms. Cooper Davis, because of the DEA's investigatory 
methods where you do get phone numbers for large drug rings 
from--well, you used a lot of phone numbers, if one of your agents 
was to get these numbers by pretexting, could that potentially 
compromise the evidence in a court of law?  
MS. COOPER DAVIS.  During our investigations, it's imperative that, 
whatever number we subpoena, that we do it through the means that 
I have already outlined. 
A number of things come to mind.  One is that going to a carrier and 
using your administrative subpoena, there is an authenticity to the 
records that you are receiving.  So understand how the information 
is gained. 
MS. DEGETTE.  So you can admit it under the rules of evidence. 
MS. COOPER DAVIS.  Absolutely.  
The other advantage, which is huge for us, because in a number of 
wiretap investigations what we do is, when subpoenaing a number, we 
also add a disclosure statement in our subpoena asking the telephone 
company not to release that information to the target of the 
investigation.  
MS. DEGETTE.  I am going to get to that in a minute.  But a third 
reason would be that if you did go to court with evidence that was 
obtained through illegal means, not through a subpoena as the 
statute requires, there is a potential that it could be excluded 
in court, right?  
MS. COOPER DAVIS.  I believe if you don't gain it through the means 
that I have outlined there is the possibility of that. 
MS. DEGETTE.  Because, as you said in your testimony, the statute 
says you have got to get it through an administrative or a judicial 
subpoena. 
MS. COOPER DAVIS.  Yes, ma'am. 
MS. DEGETTE.  And that is my next--and would anybody disagree with 
that?  
Ms. Lammert, would you agree with me that it could compromise the 
integrity of the evidence in court if you have agents going around 
getting it through these other means other than what is authorized 
in the statute?  
MS. LAMMERT.  I think you're right in the context of, if we want to 
obtain subscriber and toll records, the statute requires us to 
subpoena it.  And if we were to obtain it through some other--if we 
were to try to obtain that information in a way to circumvent what 
the statute requires, yes, we would have a potential problem in 
evidence.  And-- 
MS. DEGETTE.  And that is why you tell your agents in training--I am 
sure all of you do--that they need to go through the legal methods 
to collect their evidence.  
MS. LAMMERT.  Exactly.  
I think my only other comment would be that we are talking about 
pretexting in the terms of circumventing statutory requirements. 
If someone else has a phone number and an address for an individual 
who is not a service provider, is not a phone company, and we are 
able to obtain that from them, I don't want to get into too much 
investigative technique here--so I just want to make sure that, to 
us, pretexting in the context of your inquiry is that.  
MS. DEGETTE.  That is why I asked the question that way.  
Because you mentioned some of these other--LexisNexis and other 
legitimate-- 
MS. LAMMERT.  Other phone numbers through other lawful means-- 
MS. DEGETTE.  That is completely legal.  I used to practice criminal 
law a lot in Federal court, so I know exactly what you are talking 
about.  
MS. LAMMERT.  Thank you. 
MS. DEGETTE.  I wanted to ask you, Mr. Kilcoyne, the first question 
I had, the question related to what these two ladies said is a 
question--they talked about the integrity of the investigation 
being compromised, and there could also be a risk of witnesses being 
in danger or of people being tipped off by using unreliable data 
brokers and pretexters, wouldn't that seem that way to you?  
MR. KILCOYNE.  Yes, I would agree with that.  
MS. DEGETTE.  Take a look at Tab 7 in the notebook.  The Chairman 
was talking to someone else about Tab 5, but both of those tabs are 
your Department where--and this was the substance of your initial 
testimony--where someone was writing to this Best411.com and 
giving--writing to a data broker and saying, give me information 
on these phone numbers.  Do you see that there?  
MR. KILCOYNE.  Yes. 
MS. DEGETTE.  Now not only--that could tip this Chris from Best411 
off to numbers that were either being excluded or included in an 
investigation, and they could--and the agent would have no idea 
what was happening with that information.  Isn't that right?  
MR. KILCOYNE.  That is correct, yes.  
MS. DEGETTE.  So would you agree that that's one of the big 
problems with using these third parties to get this information?  
MR. KILCOYNE.  Well, I think in law enforcement, as far as ICE is 
concerned, I think that we walk a very fine line with who we get 
information from and the type of information and whether that 
information is going to point us in the right direction.  Whether 
it's informants or someone calling on a tip line or 911 or dealing 
with an established company or a company such as Best411, you have 
to be able to filter out the type of information and then what it's 
going to be used for.  
And certainly we would not go into court with the records that were 
submitted back from Chris at 411 and expect that to get introduced 
as evidence. 
MS. DEGETTE.  Right.  But the additional question is, I would assume 
that most of your agents and most of the FBI agents and all the way 
through the rest of the agencies that they--I think Ms. Lammert 
talked about this in her testimony--is that the agents who are doing 
an investigation have to be very careful to preserve the integrity 
of the investigation.  And what that means, an agent wouldn't go out 
to some informant and say, here is a list of telephone numbers-- 
Can you imagine, Ms. Cooper Davis, in a drug investigation, the 
agent goes out and says, here is a list of telephone numbers that 
we are interested in to an informant; can you clear these for me?  
No one would ever do that in an investigation because it would 
compromise the usefulness of those phone numbers as evidence, 
right?  Ms. Cooper Davis.  
MS. COOPER DAVIS.  Yes, ma'am.  Because--I mean, the information-- 
having a list of phone numbers--really, what does it mean?  In order 
for us to serve subpoenas, you've got to have a target that you are 
looking at.  So it would be a fishing expedition where you are just 
putting out telephone numbers at random and not having any 
background investigation. 
MS. DEGETTE.  Maybe I am not being clear.  
In addition, if they give this list of phone numbers--Mr. Ford 
understands what I am talking about--if they gave a list of phone 
numbers out to an informant, then that informant could well turn 
around and tip everybody off in the investigation that these were 
the phone numbers under investigation, right, Mr. Ford?  
MR. FORD.  Yes, that is possible.  Yes, one of the concerns we had 
with it was the fact that it would put our undercover operations in 
jeopardy.  Other customers could pretext as well and get that 
information. 
MS. DEGETTE.  Why is that your concern?  
MR. FORD.  Well, as we work different investigative techniques and 
make contacts, we have cell phone numbers and different tools that 
we will use in our investigation.  If that information is disclosed 
and shared by a criminal to a data broker, then they can trace that 
information back as well. 
MS. DEGETTE.  And it could endanger people. 
MR. FORD.  Yes. 
MS. DEGETTE.  I have one last, ultimate question to all of you; and 
that is, none of you feel that we need data brokers or pretexting 
for legitimate law enforcement purposes, do you?  Yes or no?  
Starting with Mr. Kilcoyne. 
MR. KILCOYNE.  Well, I think you have to be crystal clear on what 
your definition of data brokers is. 
MS. DEGETTE.  I will give you a definition.  The definition is the 
illegal obtaining of personal data that you could not get through 
legitimate means. 
MR. KILCOYNE.  I would agree with that.  
MS. LAMMERT.  Agree. 
MR. BANKSTON.  Agree. 
MS. COOPER DAVIS.  I agree.  And I would also like to take a moment 
to just clarify for the committee some discrepancies that have been 
reported in the press regarding the GAO report and the $30 million 
figure that was supposed to be spent by the agencies on personal 
information.  The $30 million figure came from a GAO report titled 
Personal Information: Agency and Reseller Adherence to Key Privacy 
Principles.  
The GAO report looked at Government relationships with legitimate 
brokers to include ChoicePoint, Dun & Bradstreet, LexisNexis.  As 
Mr. Stupak noted, these services are not considered Internet data 
brokers as defined by the committee-- 
MS. DEGETTE.  And they don't obtain their data through illegal 
means, correct?  
MS. COOPER DAVIS.  Yes, ma'am.  
I wanted to make sure that there wasn't any confusion that the $30 
million in this report was being spent on the Internet data brokers 
that we are discussing today.  
MS. DEGETTE.  Thank you, Ms. Cooper Davis.  
And, Mr. Ford, if you can just answer my question.  
MR. FORD.  Yes, I agree. 
MS. DEGETTE.  Thank you.  
Thank you very much, Mr. Chairman. 
MR. BURGESS.  Mr. Inslee, you are recognized for 5 minutes--10 
minutes, beg your pardon. 
MR. INSLEE.  Thank you.  
You all are on a hunt for miscreants.  We are on a hunt for whoever 
has their foot on this bill that would solve this problem.  You 
may know we have a bill that has been pending for some time.  It's 
passed the committee on a bipartisan basis.  It was on the 
suspension bill calendar.  We were able to pass it to solve this 
problem, to maybe short-circuit this.  And, instead of that, someone 
got to somebody in the leadership and had this bill pulled from the 
calendar that ought to have passed by now. 
I want to know, do any of you have any indication that any of your 
agencies were responsible for getting the Republican leadership to 
pull this bill from the suspension calendar?  Any of you? 
MS. LAMMERT.  No.  I can't speak for the FBI, but I don't think 
anybody in the Department of Justice is responsible for doing that. 
MR. INSLEE.  We are most curious.  If you get any tips, let us know.  
Call 1-800 tips on killing legislation, and maybe we could find out.  
I want to ask you about a concern you have all indicated in one form 
or another, that you didn't think it was appropriate to use 
pretexting services in pursuing your responsibilities or allow for 
a lie that had been generated by pretext calling.  
But the President of the United States basically has said he is not 
bound by the statutes of this country regarding privacy.  We have 
public information that he has advised the NSA to ignore statutes; 
and he, as Commander in Chief, has authority to tell Federal 
agencies that they are not bound by the law passed by Congress, 
that they are free to ignore the privacy of citizens at this moment 
because he is Commander in Chief and he has an inherent authority 
to ignore the law.  
So I need to ask you, if the President--Ms. Lammert, for instance, 
you have told us that you believe that ECPA, the Electronics 
Communication Privacy Act, may prevent this pretexting already, in 
essence.  Let me ask you, in general, do you have an answer to this 
yet?  Do you know or is that still a question?  
MS. LAMMERT.  ECPA in and of itself I don't think prevents 
pretexting.  ECPA was enacted so as to provide certain protection 
to these records, not just subscriber but also content and so 
forth.  It sets forth the ways by which a company may disclose this 
type of information.  
There are exceptions to requirements of having a warrant.  One of 
the exceptions is if the company in good faith believes there is 
danger to life or physical harm, they can, without delay, provide 
that information to law enforcement without a warrant.  
There are also exceptions in ECPA that say the phone company can 
provide information to a private entity.  So I think to us what 
ECPA does for us is it tells us how to obtain this information. 
MR. INSLEE.  Let's assume we have eventually passed this bill that 
is now pending that will clearly prevent pretexting and make it 
illegal in this country clearly, with no ambiguity whatsoever, 
and the President of the United States says, you are free--in fact, 
I am directing you to ignore that law.  Because I am Commander in 
Chief, and you can ignore what those folks did in Congress in 
passing that law.  Would you ignore that or would you honor this 
anti-pretexting law?  
MS. LAMMERT.  I think I would honor the appropriate lawful 
authority to conduct whatever investigation--and, therefore, if 
the President of the United States or my immediate supervisors 
provide me the authority, the legal authority to do so, I will 
conduct my investigations appropriately. 
I think the question itself, will the law prevent pretexting, I 
think it's--we have--we would follow what the law says.  We do 
have some comments regarding the legislation that I was talking 
about a little bit before so that you understand that we are 
looking at this.  We are not just logs sitting there.  
We do have some concerns with our comments regarding the fact 
that you do write law enforcement exception into the statute.  We 
feel that in Title II it might not be as strong--we would like to 
allow phone companies an exception to allow information that we are 
trying to protect.  
We do have some concerns and some comments regarding customer 
notification.  As you know, under ECPA, there is an ability to 
delay notification to customers, especially if the customers 
themselves are subjects of our investigation, and also the sort 
of the requirement of noticing customers that their records are 
being--there is a breach of their records.  We also would like to 
have that type of notice provided to us.  
So I just want to let the committee know that this bill is being 
looked at seriously and there are some comments that are through 
the process. 
MR. INSLEE.  What I want to know is whether the FBI is going to 
follow the law or not.  
MS. LAMMERT.  Of course we will follow the law. 
MR. INSLEE.  That is important.  Because the President is not.  
And my question is, if this Congress passes a law that says it's 
illegal for the FBI to buy information that has been generated by 
a pretext call--that's where someone calls the phone company, 
gives a false identification and purloins that personal information--
that it's illegal for the FBI to use that information in its 
investigations, but the President just tells you to go ahead and 
ignore the law, what are you going to do?  
MS. LAMMERT.  I will have to follow what is the appropriate way of 
conducting the investigation, sir. 
MR. INSLEE.  And that is determined, I hope you are going to answer, 
by what the law is passed by the Congress in statutes to the United 
States.  Would you agree with that?  
MS. LAMMERT.  The FBI will follow all laws, all statutes, all 
executive orders, all constitutional requirements, yes, sir. 
MR. INSLEE.  That is great news, and we hope you prevail upon the 
White House to stop violating the privacy rights of America.  
Because, frankly, it would be a shame for us to pass this 
anti-pretexting law, all of these agencies tell us you want to 
follow the law, and then the White House tells you to ignore the 
law.  And, frankly, that is what is going on with the NSA right 
now.  I hope you will stand up in moments of moral crises to the 
White House that is trying to get you all to violate the law, if 
that ever happens.  
Now if I can turn to a more prosaic question, if I can.  You all 
indicated in some way you don't want to use the fruits of pretexting 
in some fashion.  You talked about that.  But the question I have 
is, how does your agency assure that you are not using the fruits 
of pretexting?  
In other words, you get information from a whole variety of sources.  
Are you intending to adopt regulations that you, for instance, 
get affirmative statements from the source of your information that 
this has not been obtained through pretexting?  Is that going to 
be part of your ongoing policies in the future?  
It's an open question.  I hope all of you will answer yes, but I am 
interested in that. 
MS. LAMMERT.  We are issuing guidance.  We are working on it right 
now. 
I want to premise this with the fact that there's already guidance 
out in the field through our manuals and through training as to 
the appropriate way of obtaining information such as consumer 
proprietary network information.  We are issuing guidance on how 
to handle data brokers as of the type that is of interest for the 
committee, and we will have that out shortly.  
MR. INSLEE.  Well, I am hoping that you can tell me that when you 
deal with data brokers you're not just going to take a "see no evil" 
approach, meaning, I buy this stuff from a data broker and as long 
as they didn't tell me affirmatively they did pretexting I will go 
ahead and buy it and I will hope they didn't.  I hope you are going 
to tell us it's part of your regulation in dealing with data brokers 
you are going to obtain a--if you get this information in any event, 
you will obtain an affirmative representation by the broker that 
this was not obtained through a pretext situation. 
MS. LAMMERT.  Our guidance, as in all our guidance, will always 
advise our agents that they have to ensure the information they have 
received is lawful, is credible, and is, as you know, the type of 
information that will withstand scrutiny. 
MR. INSLEE.  Any other agencies want to comment on that?  
MR. BANKSTON.  Congressman, that is a good suggestion we 
will pass to the newly created office in the Department that was 
created earlier this year.  As a representative from the Marshals 
Service, I will certainly convey that as a suggestion to recommend 
to that committee.  
MR. INSLEE.  And when you do that, which lawful code will you be 
referring to?  State law, your law, the Congress' law or what the 
President of the United States has--his own laws, as far as we can 
tell?  Which one are you going to pick?  
MR. BANKSTON.  Applicable law, fraud, identity theft. 
MR. INSLEE.  Anyone else like to add anything?  
MS. COOPER DAVIS.  Yes, sir.  Again, we are working--we are also a 
member of the Privacy Civil Board that--under the Department of 
Justice and will ensure that the information will be passed on as 
well as we're working with our agents--we have the information 
available through our manuals on what the policy is and, again, 
working with the department through the committee to either issue 
guidance-- 
MR. INSLEE.  I have a real quick question I want to make sure I get 
in here.  
Ms. Lammert, the issue of whether or not the Electronic 
Communications Privacy Act will already be an efficient tool to 
stop this pretexting is an important one I think.  My sense is 
since we have had this sort of epidemic of pretexting that has 
been in wide use in the commercial field and, in fact, has even 
been used in at least limited circumstances by several Federal 
agencies, that clearly we need additional legislation to remove 
any ambiguity that pretexting is illegal and that we don't have 
to worry about whether, quote, "property includes intangible 
information," which it apparently may be the issue, whether ECPA 
applies.  
Would you agree that it really makes sense for us to have that 
absolutely nailed down through clear legislation so that we don't 
have to have lawyers arguing about that?  
MS. LAMMERT.  I think that it is always important and helpful to 
find ways where we can clearly define what is an unlawful activity, 
not only obviously for the benefit of law enforcement so they know 
how to proceed but also for the benefit of the public.  So any 
legislation or proposals this committee would like to put forward 
on that we would gladly work with you in trying to resolve this 
particular issue which we all find to be very serious and needs 
to be addressed. 
MR. INSLEE.  Thank you very much. 
MS. LAMMERT.  Thank you.  
MR. WHITFIELD. [Presiding.]  Thank you.  I might say to the 
gentleman from Washington that it may be your opinion that the 
President is violating the law, but I am not aware of any judicial 
decision that has agreed with that.  I am not aware of any criminal 
investigation that is suggesting that or any indictments about that 
relating to this issue, relating to counterterrorism and 
counterintelligence.  
So we are all entitled to our opinions, and that is where we are. 
MR. STUPAK.  Since it's concerning this subject matter, maybe we 
should have him in and ask him questions and see where it goes.  
That way, we get a clear understanding of the law and what law 
enforcement needs to do their job and what the American public 
knows would be their protection.  So I suggest we bring the 
President in or his representatives in and let's talk about it, 
have a hearing on it.  
MR. INSLEE.  Mr. Chairman, may I ask a query?  
MR. WHITFIELD.  Absolutely. 
MR. INSLEE.  I do think this is an important issue, and I don't know 
if the Chair is thinking about having any of the other Federal 
agencies, particularly the NSA, which there are arguments, as you 
have indicated, about the legality of some of their activities.  
I think it would be helpful if at some point in this inquiry we 
ask some of these same questions to the NSA, to some of the 
defense intelligence agencies.  That might have to be in closed 
session, but I think it would be helpful to us in this regard.  
I hope you might consider that at some point.  
MR. WHITFIELD.  I appreciate that very much, and I appreciate the 
gentleman's concern about the issue and its importance.  
Are there any additional questions of this panel?  
Since I just arrived, I have one question at least. 
I would like to ask Ms. Cooper Davis--this relates to you, 
Ms. Cooper Davis--when our committee issued subpoenas, certain 
documents came in from a data broker, PDJ Services, and specifically 
Mr. Patrick Baird; and it showed that a DEA tri-State task force 
used Baird's company to acquire customer name and address 
information.  And I would ask if you could describe the facts 
and circumstances surrounding those documents, if you have 
familiarity with that.  
MS. COOPER DAVIS.  Yes, sir.  As you said once, the committee 
issued the subpoena, and the inquiry was made of DEA headquarters.  
Working in conjunction with the task force parent agency, what we 
found out was the task force office assigned to DEA was contacted 
by one of his department's officers who had stopped and arrested 
an individual who was trafficking in methamphetamine.  
The task force officer then--the target that had been arrested 
decided to cooperate.  He had a phone number of where the 
methamphetamine was supposed to be delivered to, had no additional 
information--which is very common in our investigations--contacted 
the task force officer to see if he could help him identify who the 
subscriber was for that telephone number. 
The task force officer then attempted to obtain the information 
through the telephone company.  When he called the telephone 
company, he was told that the information would not be available 
because it was around the holiday time, it was around Christmas 
time, and they would not be able to get that information back to 
him.  
The task force officer then, on his own, went to the Internet, found 
the site, clicked on a site, found a phone number and made contact 
with the Internet data broker and asked whether or not he could 
obtain that information.  He was told they could get him the 
information in about 3 hours at no cost, and all they needed was 
something on a letterhead.  The task force officer then took a 
fax cover sheet, wrote down what he requested, which was only the 
name and address on that telephone number, and shortly thereafter 
received that information. 
I must add that nothing came as a result of receiving that 
information.  The investigation by that task force officer's 
department ended at that time.  
Since then, we, working in conjunction with the parent agency, have 
advised the task force officer not to use Internet data brokers to 
obtain that information.  We have the ability, through our 
administrative subpoena, grand jury subpoena, or court order, to 
obtain the same information. 
MR. WHITFIELD.  Thank you, Ms. Cooper Davis.  
Mr. Kilcoyne, you had said earlier that your ICE agents learned 
about PDJ Services through another law enforcement agency or 
group.  Which agency was that?  
MR. KILCOYNE.  I believe in one of the references it was in a 
generic conversation with somebody from the Postal Service and 
perhaps FBI, but I am not 100 percent on that. 
MR. WHITFIELD.  Any names?  
MR. KILCOYNE.  As far as who?  No, unless it's referenced in these 
documents that I missed, but I don't believe so.  
MR. WHITFIELD.  I want to thank this panel for being here with us 
this afternoon.  I'm sorry for all the delay.  You are excused.  
We have one other panel, I believe, of two witnesses; and I would 
like to just go on and call this panel now.  
That would be Mr. Raul Ubieta, who is the Police Major for the 
Miami-Dade Police Department, and Mr. David Carter, who is the 
Assistant Chief of Police in Austin in the Austin Police Department. 
If you all would not mind coming forward, then I will swear you in. 
Mr. Ubieta and Mr. Carter, as you know, this is an investigative 
and oversight hearing.  We like to take testimony under oath.  Do 
either of you object to testifying under oath?  
MR. UBIETA.  No, sir. 
MR. CARTER.  No, sir.  
MR. WHITFIELD.  Do you have legal counsel with you? 
MR. UBIETA.  No, sir. 
MR. CARTER.  No, sir. 
[Witnesses sworn.]  
MR. WHITFIELD.  You are now under oath. 


TESTIMONY OF RAUL UBIETA, POLICE MAJOR, MIAMI-DADE POLICE DEPARTMENT,
ECONOMIC CRIMES BUREAU; AND DAVID L. CARTER, ASSISTANT CHIEF OF 
POLICE, AUSTIN POLICE DEPARTMENT 

MR. WHITFIELD.  I tell you what.  I would like to get one opening 
statement in before we adjourn.  So, Mr. Ubieta, if you would give 
us your opening statement, 5 minutes, please, sir. 
MR. UBIETA.  Yes, sir.  
Mr. Chairman, Ranking Member, and distinguished members of the 
committee, good afternoon and thank you for the opportunity to 
testify on this important issue before you.  I also thank the 
committee for their leadership in guarding our privacies.  
My name is Raul Ubieta.  I am a police major with the Miami-Dade 
Police Department in Miami, Florida.  I have been in law enforcement 
23 years.  Eleven of those years have been in conducting, 
supervising, and managing investigations.  
I am currently in charge of my department's Economic Crimes Bureau.  
My duties include the criminal investigations that inflict serious 
financial hardship on a community.  Typically, these crimes 
involve sophisticated theft schemes that include organized criminal 
groups that commit mortgage fraud, identity theft, bank fraud, and 
credit card fraud.  
I first became aware of the committee's work last month when I 
was contacted by Mr. Thomas Feddo, Majority Counsel for the 
committee.  We spoke about the existence of the Internet data 
brokers and the means by which they obtain their information.  
More importantly, we spoke about how law enforcement, and in 
particular my department, obtains phone and subscriber records 
during the course of an investigation.  
Mr. Feddo also showed me documentation that a detective from my 
department had utilized PDJ Services, an online data broker from 
Texas, to obtain cellular phone information several times last 
year.  The usage of that service is not in line with established 
departmental practice and is not condoned by the Miami-Dade Police 
Department.  
In response to this information, a memorandum was prepared for my 
Director's signature, reminding our personnel of the proper 
procedures for obtaining such information.  The memorandum also 
cautioned that the use of confidential information obtained from 
Internet data brokers could place a criminal investigation in 
jeopardy.  
Our position is clear.  The Miami-Dade Police Department is governed 
by Florida State statutes and internal policies that confer law 
enforcement the authority to utilize subpoenas to obtain 
confidential information from the official custodian of 
records.  Information such as subscriber data, customer service 
records, and incoming and outgoing phone calls from either a 
traditional landline or a cellular phone can be obtained through 
the subpoena process.  
A typical request for confidential information is handled in the 
following manner:  An investigator obtains a telephone number that 
is relevant to his or her investigation.  That investigator then 
meets with an Assistant State Attorney to verbally present a 
synopsis of the case as well as an explanation as to why the 
telephone record is essential to the investigation. 
If the case is approved by the State Attorney's Office a subpoena 
duces tecum is prepared by the Assistant State Attorney and provided 
to the investigator.  The investigator then presents a subpoena 
to the official custodian of record who is directed to provide the 
requested information.  
The ability of the State Attorney's Office to deny an investigator's 
request for this information and to ask that additional 
investigation be conducted before a subpoena is granted creates a 
system of checks and balances that helps to ensure the integrity 
of this process.  
I want to emphasize that our established procedures do not impede 
our ability to accomplish our job.  Even during a life-threatening 
emergency when cellular or traditional telephone number information 
must be obtained, the official custodian of records will provide 
law enforcement with the necessary information; and a subpoena or 
court order will be provided within 48 hours.  
Online data brokers openly advertise on the Internet that they can 
obtain confidential records.  This practice is of concern to the 
public and law enforcement in many ways.  
Information such as Social Security numbers, banking records, and 
personal financial records can be obtained for as little as $100 
and can be used to commit identity theft and schemes to defraud.  
Not only is this a threat to our citizens' privacy, but the 
availability of this information is an officer safety concern.  
The ability for criminals to obtain confidential information on 
an undercover officer and utilize that information to harm an 
officer or his family poses a serious threat to law enforcement.  
These Internet brokers might state they are a service to law 
enforcement, but, as testified here today, they are not.  There 
is no compelling law enforcement need to obtain confidential 
records from Internet data brokers.  
According to the Federal Trade Commission, in 2005, 9.3 million 
Americans were victims of identity theft, with a loss of $52.6 
billion.  Your attention and investigation into the practices by 
which Internet data brokers obtain their information is vital to 
our citizens' ability to protect their confidential and personal 
information.  
I can attest that the primary source of most criminal fraud cases 
begins with some type of identity theft.  The access to confidential 
data provided by Internet data brokers can easily become a conduit 
for white collar criminals to further their schemes to defraud.  
I thank the distinguished committee for allowing me to address 
this important issue.  I want to assure you that the Miami-Dade 
Police Department takes the privacy of our citizens very 
seriously.  Procedures and safeguards are in place to ensure 
that law enforcement personnel comply with applicable laws 
regarding private information. 
MR. WHITFIELD.  Thank you very much. 
[The prepared statement of Raul Ubieta follows:]

PREPARED STATEMENT OF RAUL UBIETA, POLICE MAJOR, MIAMI-DADE POLICE 
DEPARTMENT, ECONOMIC CRIMES BUREAU 

Introduction 
Mr. Chairman, ranking member, and members of the Committee, good 
afternoon and thank you for the opportunity to testify on this 
important issue before you.  I also thank the Committee for their 
leadership in guarding our privacies.  My name is Raul Ubieta and 
I am a Police Major with the Miami-Dade Police Department in Miami, 
Florida.  I have been in law enforcement for 23 years; 11 of those 
years have been in conducting, supervising or managing 
investigations.  I am currently in charge of my Department's 
Economic Crimes Bureau.  My duties include the criminal 
investigations that inflict serious financial hardship on our 
community.  Typically these crimes involve sophisticated theft 
schemes that include organized criminal groups that commit mortgage 
fraud, identity theft, bank fraud, and credit card fraud. 

Testimony: 
I first became aware of this Committee's work last month, when I was 
contacted by Mr. Thomas Feddo, Majority Counsel for this committee.  
We spoke about the existence of Internet Data Brokers and the means 
in which they obtain their information.  More importantly, we spoke 
about how law enforcement, and in particular, my Department, obtains 
telephone and subscriber records during the course of an 
investigation.  Mr. Feddo also showed me documentation that a 
detective from my department had utilized PDJ Services, an online 
data broker from Texas, to obtain cellular telephone information, 
several times last year.  The usage of that service is not in line 
with established Departmental practice and is not condoned by the 
Miami-Dade Police Department.  In response to this information, a 
memorandum was prepared for my Director's signature, reminding 
our personnel of the proper procedures for obtaining such 
information.  The memorandum also cautioned that the use of 
confidential information obtained from Internet Data Brokers could 
place a criminal investigation in jeopardy.  
Our position is clear. The Miami-Dade Police Department is governed 
by Florida State Statutes and internal policies that confer law 
enforcement the authority to utilize subpoenas to obtain 
confidential information from the official custodian of records.  
Information such as subscriber data, customer service records, and 
incoming and outgoing phone calls from either a traditional 
landline or a cellular telephone can be obtained through the 
subpoena process.  
A typical request for confidential information is handled in the 
following manner: an investigator obtains a telephone number that 
is relevant to his/her investigation, that investigator then meets 
with an Assistant State Attorney to verbally present a synopsis of 
the case, as well as an explanation as to why the telephone record 
is essential to the investigation.  If the case is approved by the 
State Attorney's Office, a Subpoena Duces Tecum is prepared by the 
Assistant State Attorney and provided to the investigator.  The 
investigator then presents the Subpoena to the official custodian 
of records who is directed to provide the requested information.  
The ability of the State Attorney's Office to deny an investigator's 
request for this information and to ask that additional 
investigation be conducted before the subpoena is granted creates 
a system of checks and balances that helps to ensure the integrity 
of this process.  I want to emphasize that our established 
procedures do not impede our ability to accomplish our job.  Even 
during life-threatening emergencies when cellular or traditional 
telephone number information must be obtained, the official 
custodians of records will provide law enforcement with the 
necessary information and a subpoena or court order will be 
provided within 48 hours. 
Online Data Brokers openly advertise on the internet that they can 
obtain confidential records.  This practice is of concern to the 
public and law enforcement in many ways.  
Information such as social security numbers, banking records and 
personal financial records can be obtained for as little as $100 
and be used to commit identity theft and schemes to defraud.  Not 
only are these "Internet Data Brokers" a threat to our citizens' 
privacy, but the availability of this information is an officer 
safety concern. 
The ability for criminals to obtain confidential information on an 
undercover officer and utilize that information to harm the officer 
or their family poses a serious threat to Law Enforcement.  These 
Internet Data Brokers might state that they are a service to law 
enforcement, but, as I have testified today, they are not.  There is no 
compelling law enforcement need to obtain confidential records 
from Internet Data Brokers. 
According to the Federal Trade Commission, in 2005, 9.3 million 
Americans were victims of identity theft with a loss of 
approximately $52.6 billion dollars. Your attention and 
investigation into the practices by which these "internet data 
brokers" obtain their information is vital to our citizens' ability 
to protect their confidential and personal information.  I can 
attest that the primary source of most criminal fraud cases begins 
with some type of identity theft.  The access to confidential data 
provided from Internet Data Brokers can easily become a conduit 
for white collar criminals to further their schemes to defraud. 
I thank this distinguished Committee for allowing me to address 
this important issue.  I want to assure you that the Miami-Dade 
Police Department takes the privacy of our citizens very 
seriously.  Procedures and safeguards are in place to ensure 
that law enforcement personnel comply with applicable laws 
regarding private information. 


MR. WHITFIELD.  Mr. Carter, we have a vote on the floor; and we are 
going to go over there.  There are going to be three of them.  We 
will be right back.  
As I said earlier, I really apologize for all the delays today, but 
we do look forward to your testimony, and we will be right back. 
Thank you. 
[Recess.] 
MR. WHITFIELD.  Mr. Carter, I apologize once again, but I would like 
to recognize you now for your 5-minute opening statement. 
MR. CARTER.  Thank you, Chairman Whitfield.  
I am David Carter, Assistant Police Chief for the City of Austin, 
Texas.  I have been with the police department 20 years and am 
currently Chief of the Investigations Bureau.  During the course of 
my law enforcement career, I have served in capacities relating to 
homicide investigations, internal affairs, and a SWAT commander.  
I am pleased to appear before you today to discuss the issue of 
Internet and data brokers and pretexting.  
The members of the Austin Police Department are committed to 
providing excellent law enforcement to the nearly 700,000 citizens 
of Austin, Texas.  The Austin Police Department has nearly 300 
detectives and investigators who work on roughly 80,000 cases per 
year.  Like other police departments around the country, we often 
utilize modern technology to enhance our ability to fight crime. 
Technology, when used appropriately and effectively, not only 
helps us make the most of limited police resources but also 
provides us with crime-fighting tools that are not otherwise 
available.  When conducting investigations, law enforcement 
officers will use many sources of information that run the gamut 
from confidential informants to personal interviews to public 
data sources and the Internet.  As technology evolves, prudent 
police forces would be remiss in not availing themselves of 
powerful search engines and public data sources when such sources 
would help solve crimes.  
Commercially available databases of public records are a 
powerful investigative tool for local police forces.  These 
databases typically contain information that is readily available 
in the public domain from various sources.  
The utility of these Internet databases is that they consolidate 
public information into one database that can be quickly and easily 
searched by an investigator.  As such, these commercially available 
databases provide local police departments with critical information 
in a manner that not only saves time and money but also alerts us 
to other potential leads that help achieve successful prosecution 
of criminal offenses. 
Of course, our police officers recognize that we are bound in such 
matters by the protections afforded by the Constitution, various 
statutes, and case law.  We strive to gather information by legal 
means with the ultimate goal of achieving successful prosecution of 
criminals. 
Failing to do so would not only undermine the public trust of our 
department, but would also risk having evidence excluded at trial.  
To that end, I commend the members of the subcommittee for their 
efforts on this issue and am pleased to provide them with an 
overview of the measures undertaken by the Austin Police Department 
to ensure that we meet that standard.  
First, in light of the recent media focus on the issue of 
illegitimate data brokers who obtain personal information using 
false pretexts, the department has recently initiated an internal 
review of its officers' use of data brokers.  Although the 
investigation is still ongoing, we found no evidence to date 
that our detectives have engaged in illegal investigatory 
practices.  In addition, we have found no evidence to date that 
the department has paid for any services provided by data 
brokers or that individual call records were received from 
data brokers.  
Given the ongoing nature of the review, I will respectfully 
refrain from disclosing more detailed information until the 
investigation is completed so that I do not convey inaccurate 
or incomplete information.  
Our department is comprised of officers committed to carrying out 
their duties with the utmost integrity, and I would be very 
surprised if any of my detectives intentionally and knowingly 
purchased phone records from data brokers who gained such records 
through pretexting.  
Second, because of the ambiguity that exists on the Internet and 
sometimes misleading claims that are made by illicit online data 
brokers, I have issued a directive that makes clear that the Austin 
Police Department employees shall not purchase or access telephone 
records or personal information from data brokers unless they have 
been vetted by the Department. 
We currently have contracts with five data providers that we 
believe are committed to protecting individuals' privacy by 
following all relevant laws in this area.  
Of course, our officers will continue the practice of acquiring 
investigatory information from multiple sources and, when 
appropriate, obtain the proper legal authority--specifically being 
court orders, subpoenas and warrants--to do so.  
Finally, we will continue to present all discovered information 
to the appropriate criminal courts which vet the information and 
ultimately advise us on its admissibility as evidence.  
Mr. Chairman, information and technology are powerful tools for 
good; and, as noted in the committee report that accompanied 
Chairman Barton's legislation, they can also be powerful tools for 
those who wish to commit harm.  I commend the efforts of this 
committee and the efforts by the House to address the issue of 
pretexting by cracking down on those who illegally obtain 
citizens' personal information and try to profit from it.  
It is important that, as Congress focuses on the problems 
associated with those profiting from illegally obtained 
information, that it set clear guidelines to govern the ability 
of law enforcement to utilize technologies in an appropriate and 
lawful manner in order to aid our ability to fight crime. 
In closing, the Austin Police Department shares the concerns of 
the members of this subcommittee with respect to pretexting; and 
I thank the subcommittee for providing me an opportunity to 
testify today before you.  I will be happy to answer any 
questions.  
MR. WHITFIELD.  Thank you, Mr. Carter; and we certainly appreciate 
the great job that you all do in Austin and also in Miami in the 
area of law enforcement.  It's a difficult profession, and we 
certainly applaud you for the job that you do. 
[The prepared statement of David L. Carter follows:] 

PREPARED STATEMENT OF DAVID L. CARTER, ASSISTANT CHIEF OF POLICE, 
AUSTIN POLICE DEPARTMENT 

Chairman Whitfield, Ranking Member Stupak and Members of the 
Subcommittee: 
I am David L. Carter, Assistant Police Chief for the City of Austin, 
Texas and I am pleased to appear before you today to discuss the 
issue of Internet Data Brokers and "Pre-Texting".  
The members of the Austin Police Department are committed to 
providing excellent law enforcement to the nearly 700,000 citizens 
of Austin, Texas.  The Austin Police Department has nearly 300 
detectives and investigators who work on roughly 80,000 cases per 
year.  Like other police departments around the country, we often 
utilize modern technology to enhance our ability to fight crime. 
Technology, when used appropriately and effectively, not only helps 
us make the most of limited police resources, but also provides us 
with crime-fighting tools that are not otherwise available.  When 
conducting investigations, law enforcement officers will use many 
sources of information that run the gamut from confidential 
informants to personal interviews to public data sources and the 
internet.  As technology evolves, prudent police forces would be 
remiss in not availing themselves of powerful search engines and 
public data sources, when using such sources would help solve 
crimes. 
Commercially available databases of public records are a powerful 
investigative tool for local police forces.  These databases 
typically contain information that is readily available in the 
public domain from various sources.  The utility of these internet 
databases is that they consolidate such public information into one 
database that can be quickly and easily searched by an investigator. 
As such, these commercially available databases provide local 
police departments with critical information in a manner that not 
only saves time and money but also alerts us to other potential 
leads that help us achieve successful prosecution of criminal 
offenses. 
Of course, our police officers recognize that we are bound in such 
matters by the protections afforded under the Constitution, various 
statutes and case law, and we scrupulously strive to gather 
information by legal means with the ultimate goal of achieving 
successful prosecution of criminals.  Failing to do so would not 
only undermine the public trust in this police department, but 
would also risk having evidence excluded at trial.  To that end, 
I commend the members of the Subcommittee for their efforts on this 
issue and am pleased to provide them with an overview of the 
measures undertaken by the Austin Police Department to ensure that 
we meet that standard. 
- First, in light of the recent media focus on the issue of 
illegitimate data brokers who obtain personal information using 
false pretexts, the Department has recently initiated an internal 
review of its officers' use of data brokers.  Although the 
investigation is still on-going, we have found no evidence to 
date that our detectives have engaged in illegal investigatory 
practices.  In addition, we have found no evidence to date that 
the Department has paid for any services by data brokers or that 
individual call records were received from data brokers.1  Given 
the on-going nature of the review, I will respectfully refrain 
from disclosing more detailed information until the investigation 
is completed so that I do not convey inaccurate or incomplete 
information.  Our Department is comprised of officers committed 
to carrying out their duties with the utmost integrity and I would 
be very surprised if any of my detectives intentionally and 
knowingly purchased phone records from data brokers who gained such 
records through pre-texting. 
- Second, because of the ambiguity that exists on the internet and 
the sometimes misleading claims that are made by illicit online 
data brokers, I have issued a directive that makes clear that 
Austin Police Department employees shall not purchase or access 
telephone records or personal information from data-brokers unless 
they have been vetted by the Department.  We currently have contracts 
with five data providers that we believe are committed to 
protecting individuals' privacy by following all relevant laws in 
this area. 
Of course, our officers will continue the practice of acquiring 
investigatory information from multiple sources and when appropriate 
obtain the proper legal authority (court orders, subpoenas or 
warrants) to do so.  Finally, we will continue to present all 
discovered information to the appropriate criminal courts which 
vet the information and ultimately advise us on its admissibility 
as evidence. 
Mr. Chairman, information and technology are powerful tools for good, 
and as noted in the Committee Report that accompanied Chairman 
Barton's legislation, they can also be powerful tools for those who 
also wish to commit harm.  I commend the efforts of this committee 
and the efforts by the House to address the issue of pre-texting by 
cracking down on those who illegally obtain citizens' personal 
information and then try to profit from it.  It is important that 
as Congress focuses on the problems associated with those profiting 
from illegally obtained information, that it set clear guidelines to 
govern the ability of law enforcement to utilize technologies in 
an appropriate and lawful manner in order to aid our ability to 
fight crime. 
In closing, the Austin Police Department shares the concerns of the 
members of this Subcommittee with respect to pre-texting, and I 
thank the Subcommittee for providing me with the opportunity to 
testify before it today. 

MR. WHITFIELD.  Now, Mr. Carter, in your opening statement, you 
mentioned that you issued a directive recently, I assume, to not 
use data brokers anymore unless it had been vetted with the 
department.  
MR. CARTER.  That's correct, sir.  As soon as we became aware of 
this issue--and, quite frankly, I wasn't aware of the issue of data 
brokers.  But when your subcommittee brought it to our attention, we 
had great concerns.  
MR. WHITFIELD.  And when you say "vetted with the department," what 
does that actually mean?  
MR. CARTER.  What we are looking for is, basically, we currently 
have five data sources that we currently use, and some of those 
have been mentioned today as far as LexisNexis and ChoicePoint and 
others.  What we wanted to do is immediately suspend the use of any 
of these practices.  
Our first concern was, were our detectives possibly violating the law.  
We didn't find anything to that effect. 
Second, we looked for possible policy violations, or did we have to 
develop policy because this is an area that is somewhat new to us. 
MR. WHITFIELD.  Right.  
At first when you said vetted, I thought perhaps there may be 
some circumstance where it would make sense and it would be your 
view that maybe it was legal to use a data broker, even using 
pretexting, but I am assuming that you were talking about vetting 
and if it's necessary going to obtain a subpoena. 
MR. CARTER.  Mr. Chairman, let me make it clear one of the problems 
that we've had when we listened to the testimony over the past 2 
days is what a clear definition of data brokers is.  Actually, as 
of today, I understand what your definition is; and that basically 
is somebody that uses pretexting.  So, therefore, we don't consider 
LexisNexis or ChoicePoint to be data brokers based on your 
definition.  Maybe that would help a little bit.  I am not sure. 
MR. WHITFIELD.  Right.  I think all of us are becoming aware of 
data brokers.  It's not something I had really focused on until 
maybe a month or so ago.  
I know you've just issued your directive, and I am assuming that in 
Miami you all have the same directive.  Would that be correct, 
Mr. Ubieta?  
MR. UBIETA.  Ours was more of a reminder because our policies were 
clear that for confidential information, we use subpoena or search 
warrants, what the law dictates. 
MR. WHITFIELD.  As I had said earlier, during the course of this 
hearing, through anecdotal information as well as evidence, we know 
that local law enforcement as well as some Federal law enforcement 
have used data brokers periodically and before, maybe it was clear 
that it was illegal or not, but for example, in--do you all have our 
evidence binder on the table there?  
MR. UBIETA.  No, sir. 
MR. WHITFIELD.  Okay.  Well, before he brings it to you I know in 
Tabs 21, 23, 24, 25, 28 and 30, which you don't necessarily have to 
turn to, but it makes several requests for number checks, and I am 
assuming a number check is simply where you're verifying that the 
person that you're looking at actually that number is registered in 
his or her name.  Is that what a number check is, Mr. Carter?  
MR. CARTER.  That would be my interpretation, yes. 
MR. WHITFIELD.  Now, Tab 21 through 30 in the document binder it 
does show several instances of the Austin police officers and 
department employees using PDJ services to obtain phone records.  
And are you personally familiar with those instances?  
MR. CARTER.  I am personally familiar with a couple.  I would have 
to look at all of them to see if I am familiar with all of these. 
MR. WHITFIELD.  Now I'm assuming that--I probably should ask you 
the question--but I'm assuming the one reason that officers would 
go to data brokers is, you can obtain the information quickly.  
You don't have to wait as long as you would on a--
MR. CARTER.  I don't know that that is the case, Mr. Chairman.  
I think that we also expect and train our investigators to use 
the process, specifically grand jury subpoenas, to get 
confidential information.  I think there is a lot of 
misunderstanding with regard--in this particular area.  When we 
have initiated our investigation into our internal practices, one 
of the things that we found so far, and it certainly is not 
complete or an investigation has not been concluded yet, is that 
detectives went, as it was discussed by some other witnesses, 
operated exactly in the same manner, believing they were getting 
open record public data type information from open sources, 
believing they were legitimate.  
MR. WHITFIELD.  Have either one of you had evidence excluded by 
court because it came from a data broker?  
MR. UBIETA.  No, sir, not that I am aware of. 
MR. CARTER.  I am not aware of any case.  
MR. WHITFIELD.  Mr. Ubieta, in Tabs 15 to 20 of this document, it 
shows several instances of a Miami-Dade detective requesting 
phone-related records from Chris Garner who we now know is Patrick 
Baird, who is the owner of PDJ services.  As you look at those 
documents, are you familiar with them?  Have you had an opportunity 
to look into that at all or--
MR. UBIETA.  Yes, I am familiar with him, and no, we have not had 
the opportunity to look into it.  First time I saw them was for 
about 10 minutes when the majority counsel showed them to me in 
Miami.  At that time, I requested that he go back and seek 
permission to release those documents to me, at which time I would 
present them to our Professional Compliance Bureau for an 
internal investigation.  So that is the only dealing I have had 
with the documents. 
MR. WHITFIELD.  You all are doing an investigation about that at 
this time?  
MR. UBIETA.  As soon as these documents are in my possession without 
the redacting, obviously, we can see case numbers and other 
information; yes, sir, it will be. 
MR. WHITFIELD.  Okay.  I was curious, under the training procedures 
both at Miami and in Austin, how much emphasis is placed on this 
issue of evidence and using data brokers and the necessity of 
subpoenas and things like that?  
MR. UBIETA.  An officer, when he comes into the department, receives 
training through our Training Bureau.  A major block, and I don't 
have the exact number right now, but a major block of training is 
in legal--all legal aspects--which includes search and seizures 
and subpoenas and search warrants and so forth.  
MR. WHITFIELD.  So how long would a training period be for a 
beginning officer?  
MR. UBIETA.  Our training period right now is about 9 months.  
MR. WHITFIELD.  Nine months.  
MR. UBIETA.  Yes, sir. 
MR. WHITFIELD.  What about in Austin?  
MR. CARTER.  Austin, the initial training that an officer receives 
is approximately 6 months in duration, but what I would say is, 
detectives--detective is actually a rank.  And an officer must 
promote, and so they have to study to become a detective.  And once 
they are promoted to detective, they actually go to an 
investigation class that we put on, an in service class specifically 
for new detectives.  And at that time, there is more focus on issues 
of search and seizure, proper investigative methods, such as getting 
grand jury subpoenas and recognizing what confidential information 
is and the, as far as the public databases, the issue on data 
brokers--when I checked shortly before coming to this hearing, 
asking our training section exactly what we are teaching now is 
that what we train that is you are not to use illegal websites.  
Well, one of the issues that has kind of like come to light here 
in your hearing is also the difficulty in having police departments 
recognize what are legitimate sources of information versus 
illegitimate.  We would actually recognize if there were, if it 
is confidential information, for example, getting specific call 
records and trying to purchase that, that would be overtly illegal 
and wrong in our opinion. 
But the problem is, with the several hundred websites that are out 
there that some of these detectives have used thinking they are 
open-record sources like a phone book or something like that or a 
criss-cross, that is an issue that we hope we can get this guidance 
and assistance from you on. 
MR. WHITFIELD.  I would like to ask both of you in the case of an 
emergency and this, I assume, would relate to your relationship 
with local phone carriers, do you find them cooperative in times 
of emergencies or do you have to take special steps to obtain the 
records that you need?  Or how do you deal with that?  
MR. UBIETA.  Yes, sir, we have an excellent relationship.  I have 
no knowledge of any time when a carrier has refused us in an 
emergency situation.  We do have provisions for that.  There is a 
form that we fill out that basically says, these are exigent 
circumstances, and we elaborate as much as we can because it is 
obviously a life-threatening investigation or case at that point, 
as much as we can.  Most carriers will provide us the information 
immediately, at which point it is to be followed up 48 hours with 
a proper subpoena. 
MR. CARTER.  I would likewise say, if we have situations like a 
hostage barricade type of incident, that we have no trouble usually 
getting cooperation from the phone company.  
MR. WHITFIELD.  What would be the length of time for just an 
ordinary investigation where you send in a request for numbers from 
a local phone carrier?  Does it take 1 day or 6 hours or-- 
MR. UBIETA.  Unless we specifically--if it's something that we need 
to obtain relatively quick, we can get the State Attorney's office 
in Florida to actually put in a timeframe on the subpoena, and then 
they would have to adhere to that.  But for the most part, on just 
a typical run of the mill investigation from my unit, the fraud 
unit, anywhere between 3 to 7 days, maybe 2 weeks, depending on the 
amount of information that we are looking for. 
MR. CARTER.  In Texas, we usually--in Austin--we usually go the 
route of the grand jury subpoena.  And we can turn that around 
fairly quickly.  In some cases, it's a half day depending on the 
situation at hand.  Sometimes there is a longer delay, but it's--we 
don't consider it inordinate. 
MR. WHITFIELD.  But from your experiences, you have all the tools 
necessary to obtain evidence and leads that you need basically 
without using data brokers I am assuming?  
MR. UBIETA.  Yes, sir.  As far as we're concerned in my department, 
yes, we are fine.  
MR. CARTER.  Yes, sir.  I will agree with that. 
MR. WHITFIELD.  And in your view, is there anything that needs to be 
done at the Federal level to assist in any way, or do you think 
things are going pretty good for you right now?  
MR. UBIETA.  As far as the State of Florida, they pretty well take 
care of us.  I just got notified this morning just like you did 
with Ms. Harris saying we are getting a new statute on July 1st, 
and that's great.  There are more tools in our toolbox.  
MR. CARTER.  I can't answer that question as to what kind of 
statutory action that the legislature in Texas is taking.  I do 
think that it's pretty clear that there needs to be some kind of 
action taken against pretexters, and some clarity brought would 
certainly help us.  
MR. WHITFIELD.  I know that in the leadership of the local police 
departments, you all have annual meetings or State meetings in 
which all of the leaders of the various police departments come 
together.  I was just curious, is there any discussion at those 
meetings about the use of data brokers?  
MR. UBIETA.  I am not aware of it.  It would be the International 
Association of the Chiefs of Police.  They are holding their 
meeting coming up next year in Boston, but I am not aware of--
MR. WHITFIELD.  There hasn't been any discussion recently.  When I 
say, the use of them, I don't mean encouraging people to use them 
but that this is an issue and we have got to be careful about the 
legal ramifications of using those kinds of--
MR. UBIETA.  No.  Not to my knowledge. 
MR. CARTER.  I am not aware of any. 
MR. WHITFIELD.  I was curious, do you all have a legal counsel in 
your police department, or do you work through the local 
commonwealth's attorney or--
MR. UBIETA.  No.  In Miami-Dade, we do have a legal unit. 
MR. CARTER.  We have a legal adviser, yes. 
MR. WHITFIELD.  Well, I really want to thank you all very much for 
taking time to come up here.  Your testimony has been quite helpful 
to us, and we do thank you for your testimony.  And we are going to 
leave the record open for the appropriate number of days and would 
like to maintain contact with you all if we have additional 
questions or comments and so thank you very much.  And at this 
time, I would conclude the hearing. 
Thank you.  
[Whereupon, at 6:20 p.m., the subcommittee was adjourned.] 

RESPONSE FOR THE RECORD OF ELAINE LAMMERT, DEPUTY GENERAL COUNSEL, 
INVESTIGATIVE LAW BRANCH, FEDERAL BUREAU OF INVESTIGATION, U.S. 
DEPARTMENT OF JUSTICE; JAMES J. BLANKSTON, CHIEF INSPECTOR, 
INVESTIGATIVE SERVICES DIVISION, U.S. MARSHALS SERVICE, U.S. 
DEPARTMENT OF JUSTICE; AVA COOPER DAVIS, DEPUTY ASSISTANT 
ADMINISTRATOR, OFFICE OF SPECIAL INTELLIGENCE, INTELLIGENCE 
DIVISION, U.S. DRUG ENFORCEMENT ADMINISTRATION, U.S. DEPARTMENT 
OF JUSTICE; AND W. LARRY FORD, ASSISTANT DIRECTOR, OFFICE OF 
PUBLIC AND GOVERNMENTAL AFFAIRS, BUREAU OF ALCOHOL, TOBACCO, 
FIREARMS, AND EXPLOSIVES, U.S. DEPARTMENT OF JUSTICE 


RESPONSE FOR THE RECORD OF PAUL KILCOYNE, DEPUTY ASSISTANT DIRECTOR 
OF INVESTIGATIONS, U.S. IMMIGRATION AND CUSTOMS ENFORCEMENT, 
U.S. DEPARTMENT OF HOMELAND SECURITY 


INTERNET DATA BROKERS:  WHO HAS ACCESS TO YOUR PRIVATE RECORDS? 



FRIDAY, SEPTEMBER 29, 2006 

HOUSE OF REPRESENTATIVES, 
COMMITTEE ON ENERGY AND COMMERCE, 
SUBCOMMITTEE ON OVERSIGHT AND INVESTIGATIONS, 
Washington, DC. 


The subcommittee met, pursuant to notice, at 10 a.m., in Room 2123 
of the Rayburn House Office Building, Hon. Ed Whitfield [Chairman] 
presiding. 
Present:  Representatives Whitfield, Stearns, Bass, Walden, 
Blackburn, Barton (ex officio), Stupak, DeGette, Schakowsky, 
Inslee and Baldwin. 
Staff Present:  Mark Paoletta, Chief Counsel for Oversight and 
Investigations; Tom Feddo, Counsel; Peter Spencer, Professional 
Staff Member; Clayton Matheson, Analyst; Matt Johnson, Legislative 
Clerk; John Halliwell, Policy Coordinator; Chris Knauer, Minority 
Investigator; Consuela Washington, Minority Senior Counsel; and 
Chris Treanor, Minority Staff Assistant. 
MR. WHITFIELD.  Good morning, and I would like to call this hearing 
to order this morning.  And yesterday this subcommittee examined 
how Hewlett-Packard Company hired an investigative consulting firm, 
who, among other things, turned to a data broker to obtain 
individual phone records. 
Today we return to the broader issue of Internet-based data brokers, 
picking up where we left off in June when we held our first two 
oversight hearings on the issue.  
The Hewlett-Packard scandal and the eye-opening testimony we heard 
yesterday again brings home the fact that pretexting is a significant 
problem that must be fought on multiple fronts. 
One way to improve the security of phone records is to enact 
legislation.  And last March, the Prevention of Fraudulent Access 
to Phone Records Act was unanimously reported out of this committee. 
H.R. 4943 would make it illegal to obtain cell phone records 
fraudulently as well as to solicit or sell such records.  It also 
gives the FTC and FCC further tools to shut down data brokers, while 
forcing phone companies to be more accountable for the security of 
their customers' data.  
Even with the new law, however, testimony in June and the 
interviews conducted by staff demonstrate that the demand for such 
records will not disappear, and many data brokers will continue to 
procure and sell the information.  They may charge more as 
a result.  
We know that wireless phone records are some of the most highly 
sought-after types of private data.  We have seen that the vast 
majority of business of the data brokers involves procuring and 
selling consumers' calling records and unpublished address 
information.  So today we are delighted that we have a panel of 
representatives of the carriers with us, and we are anxious to hear 
how they are taking steps to ensure that the information is not 
being sold on the black market by the hundreds of data brokers. 
I would also like to welcome today representatives from the 
Federal Trade Commission and the Federal Communications Commission, 
who are here to speak to their respective agencies' efforts at 
combating Internet data brokers. 
Before we hear from the carriers and the independent agencies, 
however, we will hear from Mr. Doug Atkin, a private investigator, 
who was a frequent customer of Patrick Baird and PDJ Services, a 
data broker whose records the committee subpoenaed last April.  
The committee obtained dozens of e-mails showing that Mr. Atkin 
requested and received other people's private phone records from 
Mr. Baird, who asserted his Fifth Amendment privilege against 
self-incrimination at our hearing on June 21st. 
I also want to note that Mr. Atkin has refused to produce any 
documents in response to the committee's subpoena for records, and 
we expect that he is going to assert his Fifth Amendment rights. 
I would like to enter into the record and would ask unanimous 
consent a letter from Mr. Atkin's attorney explaining his refusal 
on that basis to produce responsive documents. 
[The information follows:] 


MR. WHITFIELD.  We will also hear today from Christopher Byron, a 
reporter for the New York Post who is here to discuss how in 2002 he 
learned that his records were obtained by a data broker, not at all 
unlike those of nine journalists who were investigated by 
Hewlett-Packard.  His testimony is especially intriguing and 
further evidence not only of the prevalence of pretexting, but 
also of the threat that data brokers pose to our Nation's 
journalists and the confidentiality of their sources. 
Now, Mr. Byron's story is significant because the pretexter who 
obtained his records had to make over 50 calls to AT&T before he 
found a customer care representative willing to verbally walk 
through Mr. Byron's call activity details over the phone.  So a 
persistent data broker calls 50 times, and finally he gets the 
information. 
I look forward to what promises to be an enlightening day of 
testimony.  We want to thank all of you for participating in this 
hearing today, and at this time I would like to recognize 
Ms. DeGette, who today is our Ranking Member. 
[The prepared statement of Hon. Ed Whitfield follows:] 


PREPARED STATEMENT OF THE HON. ED WHITFIELD, CHAIRMAN, SUBCOMMITTEE 
ON OVERSIGHT AND INVESTIGATIONS 

Good morning.  Yesterday, this Subcommittee examined how 
Hewlett-Packard Company hired an investigative consulting firm 
who, among other things, turned to a data broker to obtain 
individuals' private phone records.  I was shocked and dismayed to 
see some of the top officers at one of our nation's largest 
companies take advantage of data brokers to conduct a sophisticated 
year-long effort to spy on Board members, employees, and reporters.
Today we return to the broader issue of Internet-based data 
brokers, picking up where we left off in June when we held our 
first two oversight hearings on the issue.  The Hewlett-Packard 
scandal and the eye-opening testimony we heard yesterday again 
brings home the fact that pretexting is a serious problem that must 
be fought on multiple fronts. 
One way to improve the security of phone records is to enact 
legislation.  Last March, the "Prevention of Fraudulent Access to 
Phone Records Act," (H.R. 4943) was unanimously reported out of 
the full Committee.  H.R. 4943 would make it illegal to obtain cell 
phone records fraudulently, as well as to solicit or sell such 
records.  It also gives the FTC and the FCC further tools to shut 
down data brokers while forcing phone companies to be more 
accountable for the security of their customers' data.  I think 
that the Subcommittee's June oversight hearings made clear that 
H.R. 4943 would help bolster the security of Americans' private 
information. 
Even with a new law, however, testimony in June and the interviews 
conducted by staff demonstrate that the demand for such records 
will not disappear, and many data brokers will continue to procure 
and sell the information.  They will just charge more.  
The carriers will therefore have to play an important role in 
solving this problem and better protect the information.  This 
Subcommittee's work over the last eight months has demonstrated 
just how easily people can con a phone company's customer service 
representatives into giving up calling records, unpublished 
address information, and other personal data.  
So, it makes perfect sense to me to invite testimony from some of 
the country's largest wireless phone carriers, as we have today.  
Based on the Subcommittee's investigation, we know that wireless 
phone records are some of the most highly sought-after types of 
private data.  We have seen that the vast majority of the business 
of data brokers involves procuring and selling consumers' calling 
records and unpublished address information.  The detailed 
calling records from our cell phones, which we take with us 
everywhere and use constantly, can provide a very detailed picture 
of who we are and how we spend our time.  
How are the carriers - the custodians of those calling records - 
ensuring that the information is not being sold on a black market 
by the hundreds of data broker Web sites on the Internet?  I am 
interested to hear what the wireless carriers have done in response 
to this threat to privacy, and I thank them for appearing before us 
today.  
I also welcome representatives from the Federal Trade Commission 
(FTC) and the Federal Communications Commission (FCC) who are here 
today to speak to their respective agencies' efforts at combating 
Internet data brokers.  I want to commend the FTC and FCC for their 
aggressive approach to this issue, and look forward to an update 
on progress made since last February when they testified about this 
issue as the Committee began its work on legislation to combat the 
fraudsters who obtain others' private records. 
Before we hear from the carriers and the independent agencies, 
however, we will hear from Mr. Doug Atkin, a private investigator 
who was a frequent customer of Patrick Baird and PDJ Services, a 
data broker whose records the Committee subpoenaed last April.  The 
Committee obtained dozens of emails showing Mr. Atkin requesting and 
receiving other people's private phone records from Mr. Baird, who 
asserted his Fifth Amendment privilege against self-incrimination 
at our hearing on June 21st.   
While I suppose it should come as no surprise that Mr. Atkin is 
expected to also invoke his Fifth Amendment rights, I am disappointed 
that the Subcommittee will not get some answers.   I also want to 
note that Mr. Atkin refused to produce any documents in response 
to the Committee's subpoena for records, again relying on his Fifth 
Amendment right against self-incrimination.  I would like to enter 
into the record, when appropriate, a letter from Mr. Atkin's 
attorney explaining his refusal on that basis to produce responsive 
documents. 
We will also hear from Mr. Christopher Byron, a reporter for the 
New York Post, who is here to discuss how in 2002 he learned that 
his phone records were obtained by a data broker - not at all unlike 
those of the nine journalists who were investigated by 
Hewlett-Packard.  His testimony is especially intriguing and further 
evidence not only of the prevalence of pretexting, but also of the 
threat that data brokers pose to our nation's journalists and the 
confidentiality of their sources.  
Mr. Byron's story is also significant because the pretexter who 
obtained his records had to make over 50 calls to AT&T before he 
found a customer care representative willing to verbally walk 
through Mr. Byron's call activity details over the phone.  Even 
after three dozen failed attempts, the pretexter kept making 
calls, the reality of which reminds us how persistent and determined 
these thieves of personal information are. 
I look forward to what promises to be an enlightening day of 
testimony, and I want to thank all of our witnesses for being 
here. 
I now recognize the Ranking Member of the Subcommittee, Mr. Stupak. 

MS. DEGETTE.  Thank you very much, Mr. Chairman, and good to see 
you again this morning. 
Yesterday's testimony I thought was really illuminating.  It pointed 
out a couple of issues.  The first issue was even though most 
experts agree that pretexting is illegal under several Federal laws 
and a number of State laws, there seems to be confusion in the 
highest echelons of corporate America and among their legal counsel 
as to whether, in fact, pretexting, which, of course, is pretending 
to be someone you are not in order to get confidential personal 
information, is illegal. 
And what this says to me is that we really do need to pass 
legislation.  And in particular, we need to pass H.R. 4943, which 
was unanimously passed on a bipartisan basis by this committee, 
sent to the floor, scheduled for a vote on May 2nd of this year, 
and then fell into a black hole. 
It is clear to me that this bright line rule on pretexting will be 
necessary so that people will have no doubt that it is not just 
unethical, but also illegal to try to obtain this information.  
And with that, Mr. Chairman, I would ask unanimous consent to place 
a letter dated September 27th, 2006, from the Democratic members of 
this Committee to the Speaker and the Majority Leader asking them to 
call this legislation up. 
MR. WHITFIELD.  Without objection. 
[The information follows:] 


MS. DEGETTE.  Thank you. 
The second issue and that--and by the way, as the Chairman and I 
were discussing, we now hear we may be here through tomorrow and 
even Sunday, so there should be ample opportunity for us to bring 
up what should be a relatively noncontroversial bill on the 
suspension calendar before we leave. 
The second issue I really want to talk about briefly is the issue 
that I have been concerned about for quite a number of years ever 
since this subcommittee had hearings on corporate responsibility 
with Enron, WorldCom, Qwest, and so many other corporate evildoers.  
The issue really is how do we, and how does corporate America, 
break this ethos that if someone thinks that illegal or unethical 
activity in a corporate context is acceptable, that everybody else 
in that corporation goes along with it?  
What we saw yesterday was the Chairman of the Board, the CEO, the 
legal counsel, and the investigative body of HP all just going along 
with an investigation that their outside counsel, Mr. Sonsini, 
admitted was unethical at best, and parts of it illegal at worst; 
practices like spying on your Board members by going through their 
garbage, putting Board members and their board members' families 
under surveillance, finding phone records by pretexting, creating 
false entities to try to get information unwittingly from newspaper 
reporters, and on and on. 
Some of that is illegal, most of it is not, but it certainly is not 
the best way to conduct an investigation into leaks from corporate 
members.  Yet nobody at Hewlett-Packard stepped back and said, wait 
a minute, is this a way we should be acting as one of the preeminent 
corporate citizens in our country?  
I continue to be concerned about this issue.  I was terribly 
embarrassed by Hewlett-Packard, and I was gratified to see that they 
are now beginning to put some procedures in place to hopefully stop 
this kind of activity.  But I think the CEOs and the board chairmen 
of every major corporation need to look inside their corporation to 
see how they can put mechanisms in place to stop this kind of 
conduct, which ultimately hurts a very good corporate citizen and a 
model in the high-tech community. 
And so, Mr. Chairman, I am intending to look over the recess to see 
if there is something we need to do with Sarbanes-Oxley to beef up 
the obligations of corporate boards and directors.  And beyond 
that, I think corporate America really needs to take this as a 
wake-up call.  
With that, I look forward to the testimony today, and I yield back 
the balance of my time. 
MR. WHITFIELD.  Thank you, Ms. DeGette.  At this time I recognize 
Mr. Walden for his opening statement.  
MR. WALDEN.  Mr. Chairman, good morning, and we appreciate your work 
on this issue again, and like I think everybody on this committee, 
we are all hoping that H.R. 4943 can be brought to the floor and 
passed. 
I had a personal conversation with the Majority Leader myself 
yesterday to raise this issue, so I don't think there is any debate 
about the need to pass legislation, and I think we are all doing 
everything we can to get it passed, and I commend the Administration 
for its work to try to deal with this issue regulatorily.  
I know we are going to hear from both the FTC and the FCC about 
efforts they are taking in rulemakings to try and deal with this 
issue.  So I think the Bush Administration is stepping up to the 
plate as well.  
I think what we learned out of yesterday is that the only thing 
worse in corporate America than leaks is unethical ways to try and 
plug the leaks.  And I think the message went out loud and clear 
that pretexting is no way to go about solving boardroom problems 
and leaks.  And I hope that we can pass legislation, draw a clear 
line; but even if we haven't been able to do that yet, the spotlight 
that has been shone on the activities of those who go out and 
collect these data illegally has gone a long way. 
We saw that yesterday morning when 10 individuals took the Fifth 
Amendment, most of whom prior to yesterday had led others to want 
to believe that this was a legal course of action or right course 
of action.  And so I think this subcommittee has done good work in 
that respect. 
I am looking forward to today hearing what the phone companies are 
doing to address this, and I know some of them have stepped up to 
the plate.  I am encouraged by the fact that some of these companies 
have litigated, already filed suit, against the bad actors out there 
who will stop at nothing, certainly nothing legal or ethical, to 
try and fool people to give them information.  
I am disturbed that pretexting is not only occurring toward the 
phone companies, but toward the customers, and I think for the 
average American out there who still believes that their records 
are a matter of their personal privacy, it is even more disturbing 
to know that some of these pretexters and some of these investigative 
agents out there are trying to track down people's physical 
location--physical location--based on triangulating where they are 
on their cell phone right now, pretending to be the company, calling 
you on your cell phone once they have gotten your number and then 
say, gee, we are trying to shut down another phone here because 
somebody is using your account illegally, but we don't want to shut 
yours off, where are you?  And then they turn that data over to 
others, whether it is somebody trying to collect from you, a jealous 
lover perhaps, or who knows what. 
And so, Mr. Chairman, I appreciate what we are doing here.  I think 
the American public is appreciative of our efforts as well, I hope, 
and we can put an end to the illegal gathering and unethical use of 
private data that should remain private.  
And so I appreciate the opportunity to be here today, and I look 
forward to hearing from those witnesses who will be forthcoming.  
And unfortunately, I guess we are not going to get an inside look 
from the investigator types because they are going to take the 
Fifth. 
MR. WHITFIELD.  Thank you, Mr. Walden.  At this time I recognize 
Ms. Schakowsky for her 5-minute opening statement.  
MS. SCHAKOWSKY.  I thank you, Chairman Whitfield and Ranking Member 
DeGette, for holding today's hearing on pretexting. 
Because of the seriousness of this issue, our committee has 
devoted significant time into examining its various facets over 
the last 8 months.  In fact, we actually unanimously passed a bill 
that by now, except for unknown reasons, would have been law, 
I hope.  
In February, we held a hearing that mostly focused on the legality 
of pretexting.  Our witnesses, including the Federal Trade 
Commission and Illinois Attorney General Lisa Madigan from my 
State, explained how they believe pretexting was illegal already 
under general consumer protection statutes, but that it would be 
helpful to emphasize that point by passing explicit Federal 
legislation.  
In March, our committee did just that by passing H.R. 4943, the 
Prevention of Fraudulent Access to Phone Records Act, which 
not only prohibited pretexting from phone records, but would 
require phone companies to better protect their customers' 
records. 
In June, just 1 month after H.R. 4943 fell to extraordinary 
rendition and disappeared from the floor schedule, we held another 
hearing that looked into the methods pretexters use to get phone 
records. 
Yesterday we focused on how HP's zeal to plug a leaking board led 
them to pretexting to get board members' and journalists' personal 
phone records.  And now today we are focusing on the phone 
companies and how easy they have made it for scam artists to get 
the personal phone logs for others.  
Before we began our work, before the Federal Trade Commission filed 
complaints against five Web-based operations, and before three State 
attorneys general, including Ms. Madigan, brought suits against 
pretexters, there were over 40 websites offering phone call logs.  
With just a click of the mouse and about $100, anyone could get 
their hands on a month's worth of someone else's phone records.  
The only way that ill-gotten phone records could be such a 
lucrative business is if the phone companies did not have enough 
protection in place to stop pretexters in their tracks.  Although 
most of the websites dedicated to selling phone records have since 
been shut down, the HP scandal shows that phone companies still 
have serious security problems.  HP's investigative team should not 
have had such quick access and easy access to board members' and 
journalists' phone records.  
There is a lot more than disgruntled board members and public 
embarrassment at stake.  Pretexting violates innocent consumers' 
privacy.  Stalkers can buy phone records to keep tabs on their 
targets.  Abusive spouses can use pretexting to track their victims. 
As Mr. Barton pointed out yesterday, the Chicago Police Department 
recognized the dangers of it and warned that drug dealers can use 
pretexting to identify undercover cops.  The FBI also issued a 
warning to its agents.  Personal and public safety should not be 
for sale. 
Despite strong bipartisan agreement that we should make it 
abundantly clear that pretexting for phone records is illegal, 
H.R. 4943 is still being held at an undisclosed location.  What 
we do know about its detention is that 8 days after it was pulled 
from the floor schedule, USA Today broke the story that the National 
Security Agency was acquiring the public's phone records from three 
of the major carriers without subpoenas, warrants, or any approval 
from the courts. 
I must point out that I am disappointed that we do not have any of 
those three carriers with us today, AT&T, BellSouth, and Verizon, 
and I hope that we will have an opportunity to hear from them.  
However, we do know where they stand.  A number of the phone 
carriers, including some of those with us today, have made it clear 
that they oppose title 2 of the bill, which requires them to better 
protect their customers' personal private phone records.  While the 
carriers have been more than happy to have us go after the 
pretexters who dupe them, many--most--have been fighting our 
efforts to require them to correct their security problems. 
We know that the phone companies have made sure that their 
resistance to stronger consumer protections was heard.  With 
today's hearing, we are saying loud and clear that it is time for 
the phone companies to guard their customers' information.  I ask 
our witnesses, can you hear us now?  
Thank you. 
MR. WHITFIELD.  Thank you, Ms. Schakowsky.  At this time I recognize 
Mr. Stearns of Florida for his opening statement.  
MR. STEARNS.  Thank you, Mr. Chairman.  I would just comment on what 
my colleague and Ms. Schakowsky mentioned.  Why don't we have the 
land lines, particularly AT&T and Verizon?  As I understand it 
from staff, one of the reasons is that predominantly the efforts 
with pretexting have come from the wireless and cell phones, and 
this hearing is particularly centered on these.  And, of course, 
we do have Verizon here.  We have T-Mobile, we have U.S. Cellular, 
Alltel, Sprint, and Cingular.  So the hearing is concentrating on 
that, and I think that is good. 
I think what we saw yesterday is the--sort of the comment is if 
I--dealing with Hewlett-Packard and pretexting, if I don't see it 
or if I don't hear it, then it didn't happen.  That is how I sort 
of felt after this hearing. 
You know, a major question would be, Mr. Chairman, for these 
wireless carriers, why couldn't they institute, initiate themselves, 
a security system that prevented this information going to all these 
security people who were hired by Hewlett-Packard?  This widespread 
use of pretexting to fraudulently obtain someone else's personal 
data is a case of fraud, and these wireless companies should 
understand that it wouldn't have been hard for them after one of 
these to occur to initiate the procedures. 
Just for fun I went into the computer this morning and put into 
Google private personal information, and it came up with thousands 
of results.  So the stark reality is that there will always be con 
artists and cyberthieves to keep the enforcement community busy.  
So we here in Congress can pass all the legislation we want, but 
we have had a hearing and oversight under Mr. Whitfield where we 
even brought in a person from prison to talk about how he was able 
to obtain this information.  So I think legislation is important.  
We should do it.  But I think the responsibility, fiduciary 
responsibility, of these wireless carriers that I mentioned, six 
of them, they have to institute these procedures themselves.  And 
they can come up here and say we were conned by these cyberthieves 
and con artists, but that is going to be there all the time, 
tomorrow and the next day, no matter what we do here. 
So we can talk about Hewlett-Packard, but there is a certain amount 
of culpability dealing with these individuals, too, and it would 
be interesting to see what they feel and what they have instituted.  
Are the wireless companies doing their best to protect the 
consumers?  And then maybe we can get their suggestions.  Maybe 
the pretexting bill that we passed out of this committee should be 
amended, and in the lame-duck session we should try to change it 
based upon what they recommend. 
So I think the whole idea, Mr. Chairman, is a commendation to 
yourself for moving it beyond just looking at Hewlett-Packard, but 
also contacting under panel three all these wireless companies and 
seeing what they have to say here, too.  They have an interest, 
obviously, in protecting consumers and private information. 
I mentioned yesterday I have a data security bill that passed out 
of my subcommittee that I chair and out of the full committee and 
that puts in place protection within corporate America for 
protecting that security with audits to make sure there is a chief 
security officer and of records so that people can determine whether 
they are meeting the standards. 
So, Mr. Chairman, I commend you for moving this beyond just 
Hewlett-Packard, but trying to get to the larger issue of pretexting 
and how to stop it and have corporate America take responsibility, 
too. 
Thank you, Mr. Chairman. 
MR. WHITFIELD.  Thank you, Mr. Stearns.  And at this time I 
recognize the gentlelady from Wisconsin, Ms. Baldwin. 
MS. BALDWIN.  Thank you, Mr. Chairman.  
Many of the witnesses today represent wireless phone companies and 
Federal agencies that have appeared before this committee on the 
same topic not too long ago.  Indeed the committee has held a 
series of hearings over the past year examining the practice known 
as pretexting and the shadowy industry that has grown from such 
unscrupulous trafficking of personal information.  
After seeking input from industry players, consumer groups, and 
Federal agencies, we developed strong bipartisan legislation back 
in March that passed the committee unanimously.  While this 
legislation has stalled for reasons unknown to me, our 
committee's investigation has prompted many industry and government 
actions. 
And I am heartened to see from the submitted testimony of several of 
today's witnesses that wireless phone companies have taken new 
measures to strengthen privacy policies and improved customer 
service personnel training regarding phone service requests.  
The Federal Communications Commission has initiated a proposed 
new rulemaking process to implement industry-wide security 
standards, while the Federal Trade Commission has filed more 
lawsuits against pretexting companies under Section 5 of the FTC 
Act prohibiting unfair or deceptive practices in commerce.  We are 
making progress, although everybody in this room would probably 
agree that much more needs to be done. 
Stories of pretexting by data brokers will continue to surface.  
Just yesterday the committee held a hearing on the Hewlett-Packard 
scandal, which has ushered the word "pretexting" into everyday 
American lexicon. 
A lawsuit brought by the State of Florida against a pretexting firm 
has alleged that major banks such as Wells Fargo and Citigroup 
regularly hire investigators to obtain pretexted phone records for 
collection purposes.  The practice of pretexting may be far more 
widespread among corporations than previously thought, and we may 
be seeing just the tip of the iceberg. 
Going forward, phone companies, Federal agencies, and Congress must 
work to restore public confidence that their boundaries of privacy 
will not be violated, this time by big corporations. 
HP witnesses yesterday complained that there was not enough clarity 
in existing statutes to determine whether the highly unethical 
behavior of pretexting was, in fact, legal or illegal.  In fact, 
they claim that armies of corporate lawyers were misled into 
believing that pretexting was legal.  Congress should grant their 
wish by passing legislation already approved by this committee and 
offer them a bright line rule on pretexting. 
As I stated yesterday, Congress should also consider passing 
legislation that would encompass the full spectrum of 
telecommunications and communications services.  
Wireless phone companies should not only work to improve their 
customer service training to screen out data brokers, but also 
seriously consider steps to improve the privacy of customer 
proprietary network information, such as voluntarily adopting 
an opt-in regime that would more adequately inform consumers about 
their privacy options. 
The FTC and the FCC should continue exercising their enforcement 
authority and work to adopt rules that would, for example, enhance 
CPNI's security.  
Finally, I want to thank Mr. Christopher Byron for testifying today. 
You were a victim of pretexters, and I understand you had 
difficulties uncovering how your records could have been 
compromised.  But I believe there is also a larger issue here; 
since you are a reporter, freedom of the press was at stake.  And 
I am very disturbed that corporations would target journalists 
through pretexting, which also took place in the HP scandal.  I 
hope that the committee will consider future hearings that would 
address the specific form of attack on journalistic 
confidentiality.  
Mr. Chairman, I thank you, and I yield back my remaining time. 
MR. WHITFIELD.  Thank you. 
I just want to comment, I really appreciate you all advertising 
the Gone with the Wind movie in H.R. 4943. 
MS. DEGETTE.  Mr. Chairman, I was thinking we might enter it into 
the record. 
MR. WHITFIELD.  I recognize the gentlelady of Tennessee, 
Mrs. Blackburn.  
MRS. BLACKBURN.  Thank you, Mr. Chairman.  I want to thank you for 
the hearing today to follow up on yesterday's hearing, and again 
thanks to the staff for the great work they have done on this issue.  
Yesterday we talked a good bit about, and the committee noted 
and everybody admitted, pretexting is a problem.  It is a growing 
problem at that.  And today's inquiry we hope will help the 
committee determine that the private sector companies are vigilant, 
and that they are working to help combat the rise of pretexting. 
We all know the law regarding pretexting is ambiguous, and obviously 
some are taking advantage of that ambiguity.  Yesterday it was a 
bit disturbing to hear from board members and employees and 
corporate legal counsel who claim they didn't know what pretexting 
was or what spyware was or what tracers were, but that they had 
approved their use, and they did it because the law was ambiguous, 
and it was our fault.  
So if you want to have a tough law, we can give you a tough law, and 
that is probably what we need to do, draw some bright lines. 
And yesterday several times Representative Inslee and I mentioned 
the bill that he and I had introduced, the Consumer Telephone 
Records Privacy Act of '06.  We introduced it in January, and it 
had both civil and criminal penalties in that bill, obviously 
something we need to continue to look at when we have people, 
Mr. Chairman, who choose to come before us and take the Fifth, 
which leads us to believe that they know what they are doing is 
wrong.  And if they need more stringent guidelines, then so be it. 
We also hope to hear from today's panel on several points, 
including when they first noticed that some were using illicit 
means to gain access to their consumers' records, and then what 
means did they put in place to address the problem, and how have 
they continued to adapt.  
Also I hope we will hear how they, as private sector companies, are 
dealing with some of the bad actor companies who continue to use 
their product to break the law. 
Thank you, Mr. Chairman.  I yield back. 
MR. WHITFIELD.  Thank you, Mrs. Blackburn.  And that completes the 
opening statements of any Members present. 
[Additional statement submitted for the record follows:]


PREPARED STATEMENT OF THE HON. JOE BARTON, CHAIRMAN, COMMITTEE ON 
ENERGY AND COMMERCE 

Thank you, Chairman Whitfield, for all your work on this issue.  Back 
in June of this year, the Subcommittee held hearings that threw 
open the doors of the Internet-based data broker industry.  
Yesterday's oversight hearing about Hewlett-Packard's pretexting 
scandal continued to highlight the problem of pretexting and the 
vulnerability of Americans' phone records to such practices.  The 
testimony about the events at H-P vividly demonstrated just how 
private phone records can be exploited.  I'm glad we're back today 
to continue exploring how phone records can be protected and kept 
private.  
Of course, one way to keep pretexters and data brokers out of 
Americans' phone records is for the Congress to pass this 
Committee's legislation regarding phone record pretexting and 
data security.  I am hopeful that our legislation will get a vote 
soon, perhaps in November.  Mr. Chairman, one point your 
Subcommittee's investigation makes very clear is that Congress 
needs to pass these bills.  I am also open to the notion that we 
may need to take further legislative action to protect Americans' 
privacy from identity thieves and data brokers.   
As you mentioned, the wireless carriers and the phone companies can 
also take steps to make it harder for data brokers to obtain 
consumers' confidential records.  I understand that many of the 
wireless carriers have been making an effort to better protect 
phone records.  I welcome their testimony today, and look forward 
to learning about what progress they have made. 
I also appreciate the FTC and the FCC taking the time to testify 
today.   I have been told that these agencies have been aggressively 
working on this issue with the tools currently at their disposal, 
and I anticipate learning what the Federal government has been 
doing to tackle this problem over the past year. 
Welcome to Mr. Christopher Byron, a journalist from the New York 
Post, who came forward to the Committee earlier this year to share 
his story about his telephone records being stolen by data brokers.  
And one last note, Mr. Chairman.  One of our witnesses today is a 
private investigator, Mr. Doug Atkin from Los Angeles.  Earlier 
this year, when we subpoenaed records from a data broker named 
Patrick Baird, we learned much from those records about how the 
data broker industry operates and who purchases consumers' 
personal information.  Mr. Atkin, it turned out, is a frequent 
customer of the data broker, PDJ Services.  According to 
Mr. Baird's records, Mr. Atkin was the 12th largest customer of 
Mr. Baird's company - out of nearly 1,100 clients.  
When we sought information about Mr. Atkin's use of data brokers 
and telephone records, Mr. Atkin refused to answer questions, 
either informally or in response to a letter that you and I wrote. 
Afterward, I issued a subpoena compelling the production of 
documents, as well as Mr. Atkin's appearance today.  Mr. Atkin 
refused to produce any documents whatsoever, relying on his Fifth 
Amendment right against self-incrimination.  It is my understanding 
that Mr. Atkin will invoke the Fifth Amendment again today and 
refuse to testify. 
While I certainly don't begrudge him his constitutional rights, 
I am disappointed that the Committee will not get some answers.  
One thing I will say, however: on June 21st we had 11 data brokers 
invoke their Fifth Amendment rights against self-incrimination; 
yesterday, several more individuals in the Hewlett-Packard scandal 
did the same; and today, Mr. Atkin, a private investigator, follows 
suit.  
My point is - going forward, I don't think anyone ought to be able 
to claim that they thought there was a perfectly legitimate way to 
get someone else's phone records without that person's consent, 
other than a subpoena.  I also hope that, based on the groundwork 
this Subcommittee has laid and the information it has made public, 
the U.S. Justice Department starts making that point as well. 
I yield back the remainder of my time. 

MR. WHITFIELD.  We do have two votes on the House floor.  There are 
4 minutes left in the first vote, and then we will do the second 
one.  So I apologize to all of you.  And, Mr. Atkin, we will be 
back.  We are going to recess, and we will reconvene at about 5 
minutes to 11:00.  So I apologize to all of you, but we will be 
back in just a minute.  So we are recessed. 
[Recess.] 
MR. WHITFIELD.  The hearing will reconvene, and since we have 
finished all of the opening statements, we will now call the witness 
for the first panel, and that is Mr. Doug--is it At-kin or Ate-kin? 
MR. ATKIN.  At-kin.
MR. WHITFIELD.  Atkin.  
Mr. Doug Atkin who is with Anglo-American Investigations, Playa del 
Rey, California.  And as you may or may not know, Mr. Atkin, this 
is an Oversight and Investigations Subcommittee hearing, and we do 
take testimony under oath, and I would ask you, do you have any 
objection to testifying under oath?  
MR. ATKIN.  No, Mr. Chairman.  
MR. WHITFIELD.  Would you turn the microphone.  
Okay, if you would please stand and raise your right hand.  
[Witness sworn.] 
MR. WHITFIELD.  Thank you very much.  
You are now under oath, and I would ask you, under the rules of the 
House and the rules of the Committee, the witnesses are entitled to 
legal counsel, and do you have legal counsel with you today?  
MR. ATKIN.  Yes, Mr. Chairman.  
MR. WHITFIELD.  Okay.  Would you introduce him to us, please?  
MR. ATKIN.  Mr. Breuer.
MR. WHITFIELD.  What's his full name?
MR. ATKIN.  Lanny Breuer--
MR. WHITFIELD.  Lanny Breuer?  
MR. ATKIN. --and Ben Razi.
MR. WHITFIELD.  Lanny Breuer.  Okay.  Okay.
Well, Mr. Breuer, thank you for being here.  
Now, Mr. Atkin, is there an exhibit book or a document book on the 
table with you?  
MR. ATKIN.  No, there is not. 
MR. WHITFIELD.  Okay.  Let's get this document book over there.  I 
am going to ask you to please turn to Exhibit 2.  Exhibit 2 is a 
request made by you on February 2nd of this year for personal phone 
records that you submitted to Mr. Chris Garner, which we know as the 
alias of Mr. Patrick Baird, the owner of PDJ Services.  The e-mail 
also includes the reply from PDJ Services with the requested phone 
calls listed.  According to the client list provided to the 
committee by Mr. Baird, between 2000 and 2006, you were the 12th 
largest purchaser of information from PDJ Services out of almost 
1,100 clients that he had.  
So, Mr. Atkin, did you or your company, Anglo-American 
Investigations, Inc. request and obtain from Mr. Patrick Baird of 
PDJ Services personal phone records that were obtained through 
pretext, lies, and deceit or impersonation?  
MR. ATKIN.  Mr. Chairman, based on the rights and protections 
afforded me by the Fifth Amendment to the Constitution, I 
respectfully decline to answer that question. 
MR. WHITFIELD.  And is it your intention to assert that right for 
any additional questions that we may have for you?  
MR. ATKIN.  Yes, sir.  It is. 
MR. WHITFIELD.  Then if there are no further questions from any 
of the committee members at this time, we will dismiss you subject 
to the right of the subcommittee to recall you, if necessary.  And 
at this time, you are excused. 
MR. ATKIN.  Thank you.  
MR. WHITFIELD.  Now, at this time, I would like to call the second 
panel.  And on the second panel, we have Mr. Christopher Byron, who 
is a journalist with the New York Post in New York.  
So, Mr. Byron, we appreciate you being with us today, and as you 
know, we take testimony under oath, and I would ask you, do you have 
any objection testifying under oath?  
MR. BYRON.  No, sir.
[Witness sworn.]
MR. WHITFIELD.  Thank you very much, and you are now under oath.  I 
would also remind you that, under the rules of the House and the 
rules of this Committee, you are entitled to legal counsel, and I 
would ask do you have legal counsel?  
MR. BYRON.  No, sir.
MR. WHITFIELD.  Okay.
MR. BYRON.  I have my wife.  That's even better.
MR. WHITFIELD.  Well, what is her name?  
MR. BYRON.  Maria, right behind me here.
MR. WHITFIELD.  Maria, thanks for being with us today.  It's good to 
have someone here besides a lawyer.  
MS. DEGETTE.  Especially the wife, Mr. Chairman. 
MR. WHITFIELD.  Especially the wife.  Absolutely. 
So, Mr. Byron, you are recognized for 5 minutes. 
 
TESTIMONY OF CHRISTOPHER BYRON, JOURNALIST, THE NEW YORK POST 

MR. BYRON.  Well, Mr. Chairman, I want to thank you very much and the 
other committee members for inviting me to be here and listening to 
what I have to say.  This is a subject that is really important to 
me personally and professionally, and I am glad for an opportunity 
to discuss it in public, which I haven't really had before.  
As my written statements say, I am a working journalist.
MR. WHITFIELD.  Excuse me.  Would you mind just moving your mic a 
little bit closer, please?  
MR. BYRON.  Sure.  It's okay now?  Okay.  
As I said in my written statement, I am a working journalist.  I 
have a degree from Yale College and a law degree from Columbia 
University School of Law, and I have been in the business that I am 
now in for over 30 years.  
I was a victim of pretexting 4 years ago, and I've paid an awful lot 
of attention to this subject from that moment on.  I didn't know 
it to be known as "pretexting" then.  Yesterday, several of the 
committee members asked how widespread a practice phone records 
theft actually is in American business, because of the 
Hewlett-Packard matter.  And I can answer from my personal 
experience, anecdotally, that 4 years ago my phone records were 
stolen by agents that my own research has now connected to 
another corporation.  There is proof of this theft that ties it 
directly to the former outside director of the board of directors 
of a public company in the U.S., and that proof lies in the internal 
case files of the Securities and Exchange Commission's district 
office in Boston.  
I filed a complaint there, and in the course of bringing a case 
against this individual, these investigators from the SEC obtained 
his phone records and found among them phone calls from him to my 
sources in connection with research he was doing to find out where 
I had been getting information about him.  
The SEC has done nothing with this information.  Neither has the 
FBI.  They just sat there.  What they have done and what they 
haven't done is all spelled out in my written statement here.  
What I can say, just for summary purposes, is that their attitude 
from the start seemed to me at least to be that phone records 
thievery was no big deal.  It went on all the time.  It certainly 
wasn't something that they needed to be involved in in a crisis 
environment that faces law enforcement in this country today.  
Well, I have to tell you it was a big deal to me, and now that the 
same kind of thievery involving the same, exact sort of pretext 
lying has become a big, huge scandal for Hewlett-Packard, phone 
records thievery has suddenly become a big deal for the SEC and 
the FBI, too.  
When the same situation happened to me, the position of the SEC was, 
"We don't have jurisdiction."  How did they acquire it between then 
and now so that they've been able to assert a role in the 
Hewlett-Packard case?  I don't know.  I think they had it then.  
They just didn't want to pay attention to it.  
The evidence is really clear that my phone records were stolen to 
aid a company called Imagis Technologies, publicly traded in the 
United States on the Over the Counter Bulletin Board, in pursuing a 
defamation lawsuit that it had filed against me for a story I had 
written about the company.  The story was 100-percent accurate, and 
eventually the case was abandoned; but before they abandoned it, 
they wanted to find out who my sources for the story were.  And to 
do that, agents acting for them stole my phone records.  
The details of that are all in my written statement, too.  And as I 
said, the lawsuit itself, I think, was baseless and it certainly 
wasn't something that they wanted to pursue in court, and they 
didn't.  It just went away.  
I think it was filed entirely for the purpose of chilling press 
freedom for follow-up stories on this company.  That was certainly 
the effect that would have resulted had it become widely known that 
my confidential sources had been compromised by the theft of my 
phone records, and the Government wasn't going to do anything 
about it.  
The damage that this thievery did to my family, professionally and 
personally to me, it was huge.  It was huge.  My wife works as my 
research collaborator.  She is exposed day and night to the stresses 
of a journalistic environment.  My oldest daughter is a lawyer on 
Wall Street.  My middle daughter is a news editor at CNN.  My 
youngest son is still in college, so we'll let that go at that, 
but I'll say that this is not something that I wanted my family to 
grow up with, the experience of having your skin crawl every time 
the phone rings at an unexpected hour, wondering if your mail is 
being read, if your phone is tapped, if there's a bug in your 
bedroom.  
All these kinds of questions automatically flow out of the 
environment created by the theft of your phone records.  To a 
journalist, this is the basic tool he's got is his phone.  How can 
you possibly do your job without being able to have the confidence 
of sources that you won't divulge their identity if people ask 
where you got that information, and you promise that, and the 
promise has no credibility whatsoever because your phone records 
identify him, and they're stolen?  
For 4 years we worked really hard to find out who these people were 
and parade their names before the public, because we wanted our 
sources to know that our promises of confidentiality were extended 
seriously.  Otherwise, such a promise would be meaningless.  
Look, in my case, my stolen phone records were used by the 
perpetrators to track down two of my confidential sources, one of 
whom was subpoenaed in the SEC investigation by mistake and had 
nothing to do with this case at all.  The other one, his phone 
records were stolen to find out who he was talking to.  It was 
like a virus that broke loose in my life.  Details of all of that 
are in my written statement, too. 
MR. WHITFIELD.  Mr. Byron, you are about 2 minutes and 30 seconds 
over the 5 minutes. 
MR. BYRON.  Am I way over?  Okay.  I beg your pardon. 
MR. WHITFIELD.  No.  No.  Your testimony is important, and we do 
have the full statement, but if you want to summarize-- 
MR. BYRON.  Okay.  I will say that my phone records were stolen 
through persistence; 2-1/2 months of relentless impersonation over 
the phone to an AT&T call center finally produced somebody dumb 
enough to spend an hour on the phone, believing they were me, and 
then my wife and read out 96 of my phone calls during the period 
in question when I was researching this story.  This is known 
as "dialing for dummies."  
The internal case file at AT&T, which we finally obtained under 
threat of a civil rights lawsuit, shows that AT&T logged 46 of these 
calls in over a 10-week period before they even realized something 
was wrong.  When they called us up, they thought we were the ones 
who were calling, saying--and they asked us, "Well, is there 
something wrong with your phone bill, Mr. Byron?" and then told 
us that we called 46 times.  We hadn't called once.  
The committee has the results of their investigation into it.  
I have provided that to you, and you will see that it was content 
free.  It was the same thing with the FBI.  They did not do any 
meaningful investigation into this matter.  
Lastly, I would really call your attention to a point toward the 
end of my written statement where we talk about outsourcing and 
the capacity of individuals to acquire entire companies filled 
with phone records from AT&T, Verizon, and the rest of them and 
use those-- 
MR. WHITFIELD.  Okay. 
MR. BYRON. --as the basis for whatever they want to do with these 
numbers.  I'm sorry I ran over my time. 
[The prepared statement of Christopher Byron follows:] 


PREPARED STATEMENT OF CHRISTOPHER BYRON, JOURNALIST, THE NEW YORK 
POST 

Mr. Chairman and members of the Subcommittee: It is an honor and a 
privilege to appear here today in support of H.R. 4943 
("The Prevention of Fraudulent Access To Phone Records Act"), which 
makes acts in furtherance of so-called telephone records pretexting 
an explicit offense enforceable by the Federal Trade Commission.  
I suggest only that the act of pretexting for phone records should 
carry the heavier sanction of the federal criminal law, as 
embraced in the Senate side bill introduced in March of this year 
as S.2178 ("The Consumer Telephone Records Protection Act of 2006"). 
Absent that, the Committee might want to consider expanding the 
scope of the civil sanctions in the current bill to embrace private 
rights of action, including class action law suits, by victimized 
citizens. 
I make these suggestions solely because of the first-hand 
experiences both I and my family have had as victims of this 
nefarious practice. Though I alone was targeted by these so-called 
pretexters (I prefer the more accurate and less sanitized phrase, 
"criminal impersonators") the activities they set in motion quickly 
enveloped my wife and our three children as well as myself. And 
during the four years that have followed, our lives have been 
convulsed in ways that set our nerves on edge even now, whenever 
the phone rings unexpectedly or at an odd hour in my home office. 
To discover that someone has spent weeks trying to obtain access 
to you and your family's most personal and private records, and 
finally succeeded at it, is like learning that a Peeping Tom has 
been spending weeks on end hovering at night outside your bedroom 
window, watching and videotaping everything that goes on inside. 
And it doesn't end there. When a pretexter goes unpunished, his 
victims can easily enough start to worry about things that never 
before concerned them - things they can ultimately do nothing 
about except worry even more, until all of life becomes a parade 
of imagined catastrophes. Is someone reading my mail? Is there a 
tap on my phone line? A bug in my bedroom? 
These are not the sorts of questions that law-abiding Americans 
should be asking of themselves, but they arise easily enough when 
the digital Peeping Tom is discovered with his eye to the bedroom 
window, and a combination of weak laws, public apathy, and 
conflicted law enforcers allows him to escape. 
In the 2003 U.S. Supreme Court case of Lawrence et al v. Texas, 
which overturned a Texas sodomy law, Justice Kennedy wrote, 
"Liberty presumes an autonomy of self that includes freedom of 
thought, belief, expression, and certain intimate conduct." But 
no such freedom can prevail in a world in which the theft of a 
person's telephone records is viewed as routine day-work by the 
private eyes who steal them, and is simply ignored by law 
enforcement. 
Pretexting for financial records has already been outlawed by the 
Financial Services Modernization Act of 1999 (aka the 
Gramm-Leach-Bliley Act), which carries heavy criminal penalties 
for violators of certain of its provisions. The principles of law 
and privacy imbedded in that Act need now to be extended to the 
booming new business of digital Peeping Toms and phone records 
thieves. 
My name is Christopher Byron, I am 61 years of age, and I have been 
a working journalist my entire professional life. I am a graduate 
of Yale College and the Columbia University School of Law. I have 
worked as a foreign correspondent and editor for Time Magazine, 
and as assistant managing editor for Forbes Magazine. 
I have authored six books, one of which (Martha Inc.) was a New 
York Times bestseller and was made into an NBC Movie of The Week. 
A Russian language translation of my latest book, Testosterone 
Inc., Tales Of CEOs Gone Wild is scheduled to go on sale worldwide. 
For most of the last twenty years I have also written weekly 
commentary columns on Wall Street and business for a variety of 
publications. It was in connection with one such column, written by 
me for Red Herring magazine and published in September of 2002, that 
I became the victim of a pretexting conspiracy to obtain my 
telephone business records. 
The story that led to all this concerned a company in Vancouver, 
Canada called Imagis Technologies Inc., which claimed to be in the 
facial recognition software business. In the wake of the attacks 
of 9/11, the company began issuing press releases promoting its 
software products as weapons in the fight against international 
terrorism, and one of those press releases eventually crossed my 
desk. 
Looking further, I learned that the chairman of the company was the 
recently retired deputy chief of the F.B.I., Oliver ("Buck") 
Revell, whose name I recalled from his involvement in the Pan Am 
103 story, about which I had written extensively some years 
earlier.  
Yet aside from the presence of Revell on the board, the Imagis 
operation seemed unimpressive in every way - a typical Vancouver 
penny stock featuring limited revenues along with a history of 
large and continuing losses, and a shaky balance sheet. 
Two of the company's top officials particularly troubled me. One 
was the company's controlling shareholder - an individual named 
Altaf Nazerali -- who had already been linked in the Canadian 
press to the European operations of a notorious U.S. stock swindler 
named Irving Kott in the 1960s. Two decades later Nazerali's name 
surfaced as an alleged money courier in the infamous BCCI scandal. 
When I asked Revell in an interview in late July of 2002 why he 
had agreed to serve as chairman for a company controlled by a man 
like Nazerali, he said he had arranged to have Nazerali "vetted" 
and that the man "had never been involved in unethical or illegal 
activity."
Revell was even more enthusiastic about the bona fides of an 
individual named Treyton Thomas, whom Revell had appointed to the 
Imagis board only weeks earlier, on July 9th. Thomas enjoyed 
bombarding the press with self-celebratory publicity releases 
about himself. In them he claimed to be the head of a $600 million 
offshore hedge fund called the Pembridge Group, to hold a degree 
from Harvard and so on and so forth. In an interview with one 
gullible reporter, he even boasted of having back-channel lobbying 
access to the White House and the Bush Administration. 
Revell told me he had vetted Thomas as well, just as he had vetted 
Nazerali. But he certainly couldn't have done a very good job 
since utterly nothing Thomas claimed about himself was true. The 
so-called Pembridge Group hedge fund was nothing but a creature 
of Thomas's imagination. In short, it did not exist. 
To help fool Revell into thinking otherwise, Thomas had leased 
some swanky Boston office space from a company that rents space 
by the day to traveling salesmen. But he needn't have bothered 
because Revell never visited the premises. And it's just as well 
for Thomas that he didn't because this was a $600 million hedge 
fund with no employees, no back office, not even any Bloomberg 
terminals. 
It struck me as impossible for Revell not to have known all of 
this - especially when Thomas, just prior to being appointed to 
the Imagis board, orchestrated a much-publicized, but entirely fake 
buyout offer for Imagis through press releases issued by the 
non-existent Pembridge Group, then made a killing illegally from 
the resulting run-up in the shares that followed. 
Weighing these facts, I wrote a fair but distinctly negative story 
on Imagis, asking why Revell, trained as he was in the dark arts 
of the FBI investigator, had permitted such things to unfold right 
under his nose. Two weeks later, both Red Herring and I were sued 
for libel by Imagis in a Vancouver court. 
Being sued for libel is a traumatic experience for anyone, and this 
situation was even worse since the suit had been filed in a 
Canadian court, where libel laws are different from those in the 
U.S., thus affording defendants none of the normal Constitutional 
protections available to defendants in U.S. actions. 
Bad as that was, it got unexpectedly and immeasurably worse when, 
several weeks later, in the late afternoon of October 16, 2002, my 
home office telephone rang and my wife, Maria, who works as my 
research assistant and office manager, answered it and thereupon 
found herself in conversation with a person who purported to be 
a customer service representative from AT&T, our long distance 
phone carrier. 
Sitting at my desk nearby and absorbed in my own work, I paid no 
attention to the conversation that followed - though I did detect a 
certain wariness begin to creep into her voice as the conversation 
continued. A moment or two more passed and then suddenly she shrieked 
into the phone: "What?" and began stammering, "That's a lie! I've 
done no such thing!" 
It seemed that the AT&T Customer Service rep had called up to check 
on some problems we were apparently having obtaining copies of our 
July 2002 phone bill. In fact, we had been having no such problem 
and had never contacted AT&T about it at all.  
Yet AT&T's computer logs appeared to show otherwise. The logs 
showed that, beginning on August 1, 2002 - mere days after I had 
interviewed Revell and finished writing my story, and twelve days 
before Red Herring received its first law suit threat-letter from 
Imagis - AT&T's Customer Service Dept. began receiving telephone 
calls from persons claiming to be the AT&T customer for the account, 
seeking information of one sort or another about the account. 
Sometimes the caller would impersonate either me or my wife 
directly; on other occasions the caller would use a fake name such 
as "Jackie Byron" or vaguely, "Lynn." 
These calls went on without letup for 10 full weeks, sometimes at 
a rate of two and three a day, until they totaled an incredible 48 
different contacts. Yet it wasn't until October 15 when the 
impersonator/pretexters at last hit pay-dirt and got what they were 
after: access to our office phone records for the July 2002 billing 
period. That of course was the month during which I had interviewed 
Revell, submitted requests for interviews with Thomas and Nazerali 
(which were declined), and conducted other interviews for the 
story.
From research developed by the Subcommittee for these hearings, we 
now know that this practice is referred to among phone records 
thieves as "dialing for dummies," and basically amounts to a kind 
of craps shoot in which the pretexter phones up Customer Service 
"800 numbers" of telephone companies over and over again, trying 
one ruse after the next until he or she finally connects with a 
service rep gullible enough to swallow the bait and provide the 
information being sought. 
In our case, the pretexting payoff came on Oct 15th when AT&T's 
internal log file of incoming calls to its customer service help 
number shows that a female impersonator claiming to be "Mrs. Byron" 
succeeded in convincing a customer service rep named Shakela Felton 
who was employed by an Irving, Tex-based AT&T subcontractor called 
Aegis Communications Inc., to pull up our July 2002 phone record 
to her computer screen and read aloud from it, one after the next, 
each and every one of 94 separate phone calls made from the 
phone during the month of July - a task that took more than an 
hour. 
The AT&T log shows that soon afterward, a male impersonator claiming 
to be "Mr. Byron" called back, reached the same Aegis Customer 
Service Rep, Shakela Felton, who had answered the earlier call, 
and got that person to repeat the entire exercise all over again, 
which went on for yet another hour. 
When I learned of all this I filed an immediate complaint with the 
FBI field office in Bridgeport, Conn., and simultaneously, a 
complaint with the FBI's financial crimes unit at the Bureau's 
national office in Washington. The officials with whom I spoke 
at both locations expressed immediate interest in the matter. But 
as soon as I mentioned my suspicion that a recently retired top 
FBI official named Revell might be implicated, their eagerness to 
help seemed to dissipate and they stopped returning my calls. 
Officials at AT&T, where I also filed a complaint, expressed 
equally sincere-sounding interest in what had transpired. But 
they too subsequently proved to be persistently unhelpful, routinely 
providing evasive, non-responsive (and sometimes even contradictory) 
answers to my questions. For months I was kept in the dark as to 
what information they were even coming up with. 
In May of 2003, -- and acting in response to the threat of a 
federal civil rights suit to be filed on my behalf by News Corp., 
owner of the New York Post where I am a columnist -- AT&T's chief 
counsel for consumer marketing, Michael C. Lamb, disgorged to me 
what he represented to be the internal investigative case file that 
AT&T had given to the FBI six months earlier in November of 2002. 
I have provided a copy of those documents to the Subcommittee. 
The case file AT&T gave me was clearly sanitized when I received 
it, and was missing information vital to identifying the pretexter. 
An accompanying cover letter from Lamb brushed aside the missing 
materials as basically a clerical error and promised to pass them 
along to me subsequently, but he never did. Lamb has since left 
AT&T, and he has not been replaced. I have since requested the 
documents from AT&T directly, but so far the company has produced 
nothing. 
In any event, the case file documents I did receive show AT&T's 
so-called investigation into my complaint to be haphazard, casual 
and effectively little more than a go-through-the-motions white-wash 
in which preposterously contradictory statements from those 
questioned in the probe were simply ignored - after which the 
whole file was tossed like a hot potato to the FBI and AT&T's own 
involvement in the affair ended. 
For example, on November 8, 2002, AT&T's chief counsel, Lamb, 
participated in a lengthy three-party conference call involving 
himself, myself, and the AT&T security official who had been assigned 
to conduct the investigation, David Lankford. The purpose of the 
call: to keep me updated on the progress of the investigation. 
In that call the question of AT&T's policy regarding the use of 
password protection on customer accounts came up. That policy is 
muddled and confusing and differs in several respects depending 
upon whether a person is trying to access phone records information 
online via the internet or orally over the phone with a customer 
service rep. 

Because of the way the internet itself operates, in order to gain 
online access to the information in an AT&T customer's account it is 
necessary to know the secret customer-assigned password that 
supposedly protects the account from the snooping eyes of 
intruders. 
But passwords are less important when it comes to protecting 
customer accounts from intrusion over the phone. That's because 
the customer service rep who winds up fielding the request can 
easily establish the identity of the caller by accessing the account 
and then asking the caller to answer questions related to 
information on the account itself. 
As a result, AT&T leaves it to the customers themselves to decide 
whether they want to add an additional level of protection to their 
phone records by using passwords to restrict access to them over 
the phone as well as via the internet. 
In the November 8th conference call both Lamb and Lankford were 
emphatic and categorical that no customer service rep would provide 
account information over the phone to a caller by asking the person 
for the account's online password in order to establish his or her 
bona fides. "We would never ask for a password," said Lankford. 
"It would not have been consistent with our practice," added Lamb. 
But when Lamb finally surrendered AT&T's case file to me the 
following May, it contained a handwritten statement from the 
service rep in the matter, Shakela Felton, revealing at a minimum 
that she had done precisely that. 
In her statement Felton said that on October 15, 2002 she had read 
aloud the details of the July phone bill to the caller because that 
person had first provided her with the password to the account. Yet 
our account contained no such password for over-the-phone access at 
that time, and one wasn't added until late the next day 
(October 16th) when the theft was discovered and an AT&T official 
advised us to do so. 
Two days later, on Oct. 18th, the service rep., Felton, gave the 
first of three statements on the matter, followed by a second one 
on November 5th and a third on November 7th.  In each statement she 
stuck by her story of having given the information to the caller 
only after the caller had provided her with the password to the 
account - a password that did not yet even exist. 
Shakela Felton's shaky password story was only one of many things 
AT&T failed to pursue. They never addressed the utterly implausible 
coincidence whereby Felton received two back-to-back calls from the 
same pretexters on October 15th, each lasting more than an hour, 
and each concerned with the same subject (my July 2002 phone calls). 
Nor did AT&T ever produce a satisfactory explanation as to why the 
company, with all its claimed cutting edge technology, proved unable 
to trace either call -- each lasting more than an hour -- back to 
its originating telephone. Week after week of insistent pressuring 
brought little beyond tech-world doubletalk and foot-dragging, 
ending finally when Lamb told me the company had traced one of the 
calls to the town of Alba, Texas, some 30 miles east of the Irving, 
Tex facility of AT&T's subcontractor, Aegis Communications, Inc., 
where Shakela Felton worked. 
It took months and even years of nonstop investigation on my part 
before it became possible to glimpse even the outlines of what I had 
become caught up in, and many questions remain unanswered to this 
day. But the key facts are by now clear. 
For starters, with the passage of time it has become increasingly 
obvious that the facts I had reported about Imagis Technologies Inc 
were all 100% true and accurate, and that the company's libel suit 
against me had been inspired entirely by the desire to discourage 
either Red Herring or any other publication from pursuing the matter 
any further. 
The judgment of the market regarding this atrociously run company 
has been devastating. Since my article first appeared in September 
of 2002, Imagis's share price has fallen from $4 per share to a 
current price of less than 20 cents per share. Meanwhile, the 
company's revenues, never strong to begin with, have flat-lined 
while losses have soared out of sight. In June of 2005 the company 
changed its name to Visiphor Corp. 
In the aftermath of the theft of my phone records, and with the FBI 
seeming to show no interest in the case, I filed a complaint against 
Imagis's rogue board member, Treyton L. Thomas, with the Enforcement 
Div. of the U.S. Securities and Exchange Commission's district 
office in Boston, where Thomas had run his pump-and-dump scam out 
of a rented office near Boston Harbor. 
By August of 2003, the SEC had opened an investigation into 
Thomas's activities and begun seeking his books and records as well 
as those of a woman he was living with in Boston named Cheryl Stone. 
On August 28, 2003, I reported this fact in the New York Post along 
with much else of what I had learned about Thomas since my original 
story on the man had first appeared in Red Herring a year earlier. 
Among the new revelations, which Revell had somehow managed to miss 
in his own vetting of the man, were these: 
 That Thomas's so-called $600 million offshore hedge fund was 
actually nothing more than a six-employee electrical equipment 
supply shop that Thomas had been running as a sideline business 
in Atlanta, Ga. while he bounced from one brokerage firm job to 
the next. 
 That Thomas had precipitated the breakup of the marriage of a 
well-known Atlanta, Ga. plastic surgeon and had run off with his 
wife, with whom he was now living in Boston. 
 That for most of his life Thomas had been known as Tracey Lee 
Thomas and had traveled the world under a U.S. Passport that 
identified him as a woman. 
 That while serving as an enlisted man in the U.S. Marines in 
Kenitra, Morocco in the 1970s, Thomas had carried on a torrid 
two-year love affair with an underage junior high school girl 
who was living with her family on the base, and finally  
 That Thomas had previously been arrested (though not convicted) 
on felony fugitive charges in Georgia, and finally, 

Soon after the New York Post reported these facts, Thomas's career 
as an outside member on Imagis's board of directors came to an 
abrupt end - without any public explanation for his departure. 
One reason for the lack of disclosure may be the SEC investigation 
itself. In the course of the Thomas probe, SEC investigators had 
obtained Thomas's telephone records for the period that covered 
the autumn of 2002, and had thereafter issued a document production 
request to a Wall Street stockbroker whose own phone number had 
appeared as an outgoing call from Thomas's phone. 
The broker was in fact a long-time confidential source of mine and 
I had spoken with him regularly over the years in the course of 
researching various Wall Street-related subjects. The broker did 
not know Thomas and had said so when I had mentioned Thomas's name 
to him during a phone call I had placed to him while preparing my 
September 2002 story for Red Herring. 
So, when the broker received a letter a year later, in August of 
2003, from the Boston District office of the SEC asking him to turn 
over all account records, trading tickets, statements and whatnot 
regarding one "Tracy (Treyton) Thomas," the broker telephoned 
the Boston district office to ask why since he had no idea who 
the Thomas person even was. The investigator explained that the 
broker's phone number in New York had been called from Thomas's 
own phone in Boston, and the broker thereafter relayed that 
information to me. 
This of course led to only one conclusion: Thomas had either 
obtained my purloined phone records himself, or someone else had 
given them to him. Either way, he had apparently gotten his hands 
on them somehow and had set out to phone up the numbers on the list 
to see who my sources for the Red Herring story had actually been. 
As any journalist will tell you, the most valuable assets a reporter 
can have are his confidential sources, and to have the names of 
dozens of them suddenly drop into the lap of someone like the 
scruple-free Thomas was an appalling thought to say the least. 
What if the word began to get around that even Byron's most 
confidential sources risked turning up on the receiving end of 
a document production letter from the SEC? Who would return my 
phone calls then? 
Obviously this was something I wanted to keep as tight a lid on as 
possible. But trying to do so seemed futile when, a week or so after 
the theft of my records, I received a telephone call from a 
top - though highly confidential - source in the hedge fund world. 
The source knew nothing of what was going on between AT&T and me, 
and had phoned up to discuss something else entirely. Yet just as 
I had done with the Wall Street broker, I had also spoken with my 
hedge fund source about Thomas for my Red Herring story the year 
before, so his phone number had appeared on my July 2002 phone 
records. 
As a result, one may easily enough imagine my alarm when the man 
proceeded to mention, in the course of our conversation, that he 
had recently experienced the oddest thing - then went on to describe 
how someone from AT&T had phoned his home only a day or two earlier 
to ask whether he had been having trouble accessing his phone 
records. 
One does not need to behold the rotting corpse of Jimmy Hoffa to 
accept that Hoffa is actually dead, so I will say on the basis of 
all the foregoing that I do not need to possess a signed confession 
and a Polaroid snapshot showing Treyton Thomas caught in the act 
of pretending to be me to believe that he was mixed up one way or 
another in the theft of my phone records. And I also don't need 
any more than is already available on the public record to suppose 
that Revell either had a hand in it himself or chose to look the 
other way. 
By the start of 2004 Thomas had left the Imagis board, and eleven 
months later, in November of 2004, the SEC filed civil fraud 
charges against him for orchestrating his pump-and-dump scam in 
Imagis's stock. Eighteen months later, in May of this year, 
Thomas pleaded the civil law equivalent of nolo contendere and 
agreed to pay $282,400 in assorted fines and penalties, and 
promised never again in his life to serve as an officer or 
director of a public company, or to engage in or promote a 
securities offering. 
Unfortunately, the SEC chose not to proceed against Thomas in the 
phone records matter, claiming the Commission lacked jurisdiction, 
and advised me to approach the FBI instead. Yet as we have seen, 
the FBI has done nothing either, and I doubt it will without 
aggressive pressure from the Congress. 
There are plenty of reasons for the FBI to want to steer clear of 
this case, and the apparent involvement of Revell is only one of 
them. During a portion of the time that Revell served as a top 
official at the FBI, eventually acquiring the title of Associate 
Deputy Director, his counterpart at the Drug Enforcement Agency 
was an individual named Terrence M. Burke. Beginning his government 
career as a CIA intelligence officer in Southeast Asia in the 
1960s, Burke moved later to the DEA where he eventually acquired 
the title of Deputy Administrator of the entire Agency. In that 
capacity he was in frequent collaborative contact with Revell, 
and the two men were regarded in law enforcement circles as 
friends. 
In 1991 Burke left the government, joined a Washington D.C. firm 
of private investigators (The Investigative Group Intl.) and 
eventually left to launch his own firm, T.M. Burke International, 
in Colorado, at the end of the 1990s. In that capacity he turned 
up in Vancouver in the summer of 2002, where he tried to gain the 
confidence of a local business reporter by claiming that he had 
been hired by an unidentified client in Europe who was "seeking 
revenge" on Imagis's controlling shareholder, Altaf Nazerali - not 
revealing of course that Burke himself was a long-time, top level 
associate of Revell's in U.S. law enforcement and that Revell was 
presumably privy to vastly more dirt on Nazerali than was a local 
business reporter who had never even met Nazerali. 
Beyond the apparent involvement of Revell and the possible 
involvement of Burke looms a vast array of other matters that 
would help discourage an FBI investigation into the theft of my 
phone records. 
The AT&T subcontractor where Shakela Felton worked - Aegis 
Communications Inc. - is in the so-called outsourcing business, 
which means it handles back-office matters such as customer 
accounts management and the staffing of call centers for well-known 
corporate clients ranging from AT&T to American Express, Discover, 
and others. 
Over the years, Aegis has figured in several high-profile identity 
theft cases, including a much-publicized case in which a ring of 
Detroit area identity thieves paid Aegis phone reps to steal the 
credit card information of more than 2,300 American Express 
cardholders, then used the information to bilk Detroit area 
merchants out of an estimated $14 million in merchandise charged 
to the accounts then sold on the black market. 
As the Subcommittee's research has revealed, many in law 
enforcement at every level of government now routinely obtain 
the telephone records of investigative targets, while keeping 
their own fingers clean by hiring pretexters to do the dirty work 
for them. Companies such as Aegis are an attractive place for 
pretexters to go fishing, and because of that fact alone it seems 
unlikely that federal investigators would eagerly embrace the 
idea of digging into the sieve-like nature of Aegis's security 
procedures on behalf of corporate clients whose computers bulge 
already with the accumulated personal and financial records of 
virtually the entire American public. No one welcomes investigating 
a former colleague, in government or anywhere else - and that is 
certainly true when an investigation can undercut post-government 
business opportunities for the retired investigator. 
Outsourcing shops like Aegis are one of the weakest links in the 
chain of custody over the financial and personal records of the 
American people. It is fine to stress the importance of the U.S. 
Patriot Act and the need to crack down on financial fraud in the 
war on terrorism. But that is hardly enough when any enterprising 
group of terrorists with the desire to do so could quietly acquire 
control of an outsourcing shop like Aegis, move it abroad to a 
place like India, where operational oversight of such companies 
by the government is limited at best, and then begin the wholesale 
downloading of America's consumer records database. 
This is no idle speculation either. In September of 2003, at just 
the time the SEC had begun pursuing its investigation of Thomas, a 
U.K.-based outsourcing company called Allserve Systems Ltd. 
announced plans to acquire Aegis from the Washington D.C. investment 
fund that was Aegis's controlling shareholder, Thayer Capital 
Partners. But who owned Allserve? Not even the top officials at 
Aegis seemed to know. 
Yet by this time I was deeply immersed in researching everything 
possible regarding Aegis and the theft of my phone records, and by 
tracing out the evolution of the U.K.-based company in business 
databases around the world, I was able to establish that the man 
behind the planned purchase was a financier named Dinesh Dalmia, 
who was busy building up a Calcutta-based outsourcing business for 
corporate clients in the U.S., the U.K. and elsewhere. 
But there was more to Dalmia than just that. Further research 
revealed that Dalmia was actually an international financial 
fugitive, who had recently fled India and was now roaming the earth 
with a worldwide Interpol "Red Corner" arrest notice over his head 
for crimes that ranged from money laundering and forgery to stock 
market fraud. 
And there was more. From a confidential source in India I obtained 
e-mail traffic between Dalmia and an associate in the United Arab 
Emirates in the days following the terrorist attacks of 9/11. In 
those e-mails Dalmia and his man in the Gulf discussed plans to 
sell the Iraqi Ministry of Defense an array of weapons-related 
computer programs, including a package of software tools for 
managing a biological warfare campaign. 
Before publishing these facts I asked a spokesman for Thayer Capital 
just how thoroughly the investment group had checked out Allserve 
Systems Ltd. before agreeing to sell it majority control of an 
outsourcing company that enjoyed routine access to some of the most 
sensitive and private consumer information in the country. I was 
told that Allserve was a fine company and basically to mind my own 
business. 
I also got nowhere when I asked for interviews with anyone on 
Thayer's blue-ribbon "advisory board," which boasted names like 
those of former Secy. of Defense William Cohen, Clinton 
Administration adviser Vernon Jordan, ex-head of Housing and Urban 
Development Jack Kemp, and the former chairman of American Express 
James Robinson. 
I explained to the Thayer spokesman that I wanted to know if any of 
these luminaries had heard of Dinesh Dalmia and whether they were 
aware that he was behind the Allserve acquisition and that he planned 
to hold the Aegis shares in an anonymous nominee account in the 
tax haven island nation of Tortola. To these questions I received 
no answers at all. 
I published these facts in the New York Post and the deal quickly 
fell apart - though not before both the newspaper and I received a 
retraction demand and libel lawsuit threat letter from a lawyer in 
New Jersey who claimed to represent Dalmia. The lawyer asserted that 
it was libelous to have reported that Dalmia had tried to negotiate 
the sale of a germ warfare software package to Iraq because, as the 
lawyer put it, "no such contract was ever executed." 
The Post's general counsel replied in a rebuttal letter that we 
intended to retract nothing, and that was the last we heard from 
this particular lawyer regarding Dalmia. 
Two years later Dalmia resurfaced, once again hidden behind his 
Allserve Systems mask and further protected this time by what 
amounted to a new defensive perimeter of offshore shell companies. 
Dalmia's goal, once again, was to take over control of a U.S. 
outsourcing company - in this case employing a convoluted scheme 
involving an array of companies in New Jersey that he secretly 
controlled and intended to merge with a NASDAQ-listed outsourcing 
company called the A Consulting Team Inc. 
Extensive reporting by the Post caused this deal as well to fall 
apart. And when the Post reported, based on a search of public land 
records in New Jersey, that this international fugitive, presumably 
hunted by Interpol wherever he went, was in fact living the life of 
Riley in a Fort Lee, N.J. mansion overlooking Manhattan, we received 
a second libel threat letter. 
This time the threat came by way of a lawyer better known for his 
criminal defense work than for his acumen in the law of defamation 
and libel: Atty. Lawrence Barcella of Washington. Barcella claimed 
the Post's coverage of Dalmia was a tissue of lies and distortions 
but failed to cite any evidence to support the assertion. Once again 
the Post replied that we would retract nothing, and it was the last 
we heard from Barcella as well. 
In January of 2006 Dalmia fled the U.S., one step ahead of the FBI, 
leaving behind a trail of personal aliases, false and forged 
financial statements, fake invoices, and bogus bank accounts in the 
names of non-existent companies. He had used these tools to swindle 
some of the most prestigious - and presumably savvy - financial 
institutions in America out of an estimated $130 million in computer 
leasing deals. 
When Dalmia defaulted on his loan payments in the deals and the 
creditors moved to repossess the computer equipment that 
collateralized the leases, they discovered that the equipment had 
already been shipped to India and sold. When they demanded to see 
the supporting paperwork they were told they could not. Reason: a 
sinkhole had opened in downtown Calcutta and swallowed up all the 
records. 
Dalmia's network of fraud - all of it based on front companies in 
the outsourcing business - stretched from Singapore to the U.S. to 
London and beyond. And it all ran the same way, at the same time 
in one country after the next. When Britain's Serious Frauds Office 
arrived at the doorstep of Dalmia's front operation in London to 
ask some questions, they found the offices deserted and the files 
in a shambles. Reason: the staff had headed for Heathrow airport 
and returned to India.  
Much as Dalmia's creditors may have felt they had been dealing with 
a ghost, the Indian swindler was real enough, and in early February 
of this year he was arrested by Indian government agents who had been 
tipped that he had reentered the country by crossing over from Nepal 
and was staying with relatives in New Delhi. 
Dalmia's arrest and subsequent detention, which continues to this 
day, proved a sensation in India, with the media exploding in 
seemingly nonstop coverage of each new charge the authorities have 
lodged against him - most of which relate to his role in a series of 
late 1990s stock swindles that climaxed in the collapse of the 
Calcutta and Bombay Stock exchanges. 
Yet except for coverage in the New York Post, Dalmia's three-year 
crime spree has received almost no attention at all in the U.S. - 
highlighting another of the many ways in which phone records 
thievery imperils all Americans. Dalmia didn't simply try to steal 
the phone records of one or two individuals, he tried to steal an 
entire company stuffed to the gills with the phone and financial 
records of Americans by the millions... and he nearly succeeded. 
So I commend the Subcommittee for its efforts on behalf of H.R. 
4943, and urge only that you stay mindful of the broad and 
encompassing risks posed by phone records thievery in all its 
many forms. Stealing one person's phone records is bad enough. 
This nation should not be at constant risk from scoundrels eager 
to steal the phone records of everybody, all at once. 
Thank you for your time. Respectfully, Chris Byron 

MR. WHITFIELD.  No.  That's fine.  
Now, Mr. Byron, it's my understanding that you now know that this 
pretexting of your phone records was initiated because of an article 
that you wrote, what, in Money Magazine? 
MR. BYRON.  I wrote it in Red Herring Magazine.  It appeared in the 
September 2002 edition.  That's right. 
MR. WHITFIELD.  And it was entitled "Feds Face Recognition in a 
Fishy Fund?"  
MR. BYRON.  That's correct.  It dealt entirely with a company called 
Imagis Technologies, which was publicly traded and which seemed to 
me, based on the research that I was able to obtain from the EDGAR 
Data System at the SEC, to be a very shaky company.  It had on its 
Board of Directors at least one very high-profile name in Washington 
at that time, and that was Oliver "Buck" Revell, who was the former 
head of counterterrorism for the FBI. 
MR. WHITFIELD.  And he was the Chairman of the Board of that 
company?  
MR. BYRON.  That's correct.  And I believe one of the principal 
reasons that the FBI never acted on my complaint is because they 
didn't want to entangle themselves with a problem that might either 
directly or indirectly have involved this Revell man. 
MR. WHITFIELD.  Now, in this article, another article that you wrote 
in the New York Post, "The Phone Thieves," which I guess was written 
after you found out about the pretexting-- 
MR. BYRON.  Yes. 
MR. WHITFIELD. --you referred to Treyton Thomas as a "pump and dump 
swindler." 
MR. BYRON.  Correct.  That's exactly what he was.  It was the 
allegations of that and the documentation that we provided for that 
that led to this lawsuit in the first place.  
Following a complaint to the SEC, they examined the information we'd 
published and brought charges against this Thomas man, and this was 
a civil case--they don't have criminal enforcement powers at the 
SEC--but he was fined not long ago, a few months ago in fact, and 
has been banned for life from the securities industry.  
MR. WHITFIELD.  And this company went bankrupt; is that correct?  
MR. BYRON.  I don't know if it went bankrupt.  It changed its 
name.  After all of these events, it changed its name to a company 
called Visafor-- 
MR. WHITFIELD.  Okay. 
MR. BYRON. --and it is still in business.  I think it sells for 17 
cents a share or something like that. 
MR. WHITFIELD.  Yeah, but they subsequently did file a lawsuit 
against you-- 
MR. BYRON.  Yes. 
MR. WHITFIELD. --and that was dismissed. 
MR. BYRON.  It wasn't dismissed.  They just never pursued it. 
MR. WHITFIELD.  Oh, they never pursued it.  
MR. BYRON.  Right. 
MR. WHITFIELD.   But you never would have known anything about this 
pretexting of your phone records unless AT&T had called you one 
day; is that correct?  
MR. BYRON.  That's correct.  My wife took the call.  We weren't 
expecting it, and they asked us over the phone what kind of trouble 
were we having with our phone bill because we had been asking to get 
copies of it for so long now.  
MR. WHITFIELD.  Yeah. 
MR. BYRON.   And when my wife got that message, she shrieked into 
the phone, "What?" Because we hadn't been asking them for anything. 
MR. WHITFIELD.  Now, I think a lot of people that were victims like 
you and your wife probably would have just dropped the matter.  
MR. BYRON.  Yeah. 
MR. WHITFIELD.   But it looks like you all became pretty persistent 
in trying to find out what was going on. 
MR. BYRON.  We never let up.  We never let up-- 
MR. WHITFIELD.  Yeah. 
MR. BYRON. --and we found out the essential outline of it. 
MR. WHITFIELD.  And tell me a little bit about that.  The New York 
Post had to--did the New York Post file a lawsuit against AT&T to 
find out-- 
MR. BYRON.  They threatened to.  This event involved a magazine 
article that was not published in the New York Post.  It was 
published in Red Herring Magazine.  Red Herring Magazine soon went 
bankrupt itself because of the drop in advertising post-9/11, and I 
was a columnist, and still am, at the New York Post, and had been 
writing on this subject.  And what had happened at the Post-- 
MR. WHITFIELD.  Right. 
MR. BYRON. --was a year of stonewalling led the General Counsel of 
the Post in exasperation to threaten these people with a civil 
rights suit, and it was based on those threats that they turned over 
their case file on this matter to us. 
MR. WHITFIELD.  And in that case file, what sort of information was 
there that was helpful for you to identify who did the pretexting?  
MR. BYRON.  I had already figured that out before. 
MR. WHITFIELD.  Okay. 
MR. BYRON.  What the case file showed me is that they had been lying 
to me for the last year, the previous year. 
MR. WHITFIELD.  Now, who had been lying?  
MR. BYRON.  They had been--I beg your pardon, AT&T. 
MR. WHITFIELD.  Okay. 
MR. BYRON.  And they had been assuring us that they were continuing 
to investigate this matter, and they took it seriously and all of 
those kinds of confidence-inspiring gestures.  And they were all 
baseless because what that case file, in fact, showed was that weeks 
after I had filed this complaint, they had gone through a pro 
forma investigation that was full of internal inconsistencies 
that were not pursued.  And then the whole thing was dished off to 
the FBI, and they washed their hands of it.  And during all of the 
subsequent period of time when we were calling up, saying, "How's 
that investigation going, folks?"  "Oh, it's fine, Mr. Byron.  
It's going right along," there was no investigation.  They handed 
it to the FBI.  They were doing nothing. 
MR. WHITFIELD.  Okay.  Now, you are an attorney as well as a 
journalist, and you probably have done some research.  
Do you feel that under existing Federal law that pretexting is 
illegal today or not?  
MR. BYRON.  Yeah.  I think that it's illegal in a variety of ways, 
and I was stupefied to hear the testimony that came out yesterday 
and the previous facts that have been developed in the press on this 
Hewlett-Packard thing.  
I mean anybody--you don't have to be an attorney to know that this 
is wrong.  And from my perspective, looking at it from the point of 
view of the law, there was a massive conspiracy here that went on 
for 10 entire weeks.  It involved international transactions from 
Canada to the United States, interstate communications over the 
wires.  There's a huge fraud that went on here, and any one of 
those things could have been criminally pursued. 
MR. WHITFIELD.  But you feel that this activity would be illegal 
under the existing Federal Wire Act?  
MR. BYRON.  What happened to me?  Absolutely. 
MR. WHITFIELD.  Okay.  Are you aware of any Federal prosecutions 
for anyone who has been arrested for pretexting?  
MR. BYRON.  None.  None.  We've looked as hard as we could.  
We haven't found any. 
MR. WHITFIELD.  Yeah.  And what are your unique concerns about 
journalists being singled out by people for pretexting?  
MR. BYRON.  If the word gets around that you can do this kind of 
thing with impunity--and it seems that it is now--the ability of 
a journalist to do his job will be fatally compromised.  If you 
can make promises of confidentiality that have utterly no meaning 
at all and the sanction that would protect you is not enforced by 
law-- 
MR. WHITFIELD.  Yeah. 
MR. BYRON. --you're dead in the water. 
MR. WHITFIELD.  Now, after yesterday's Hewlett-Packard hearing, 
I went over on the House floor, and two Members came up to me, and 
they said, "You know, if you all are going to do anything about 
these corporate leaks and the pretexting of board members"--these 
two Members said--"you've got to be really careful, because we 
think that the corporate boards should have a right to determine 
who's leaking information from their board," and--but--I mean my 
reply is that if it's illegal, it's illegal-- 
MR. BYRON.  You bet.
MR. WHITFIELD. --and I would assume that you--
MR. BYRON.  I would agree with both statements.  
Now, if you're the Chairman of the Board of a company, and leaks are 
coming out of that boardroom, you're bound.  You have a fiduciary 
responsibility to shareholders to find out what's going on.  
MR. WHITFIELD.  Right. 
MR. BYRON.   But you don't have the power to break the law to do 
it. 
MR. WHITFIELD.  Right. 
MR. BYRON.  Period. 
MR. WHITFIELD.  Right.  Right. 
MR. BYRON.  Case closed. 
MR. WHITFIELD.  At this time, I'll recognize Ms. DeGette for 10 
minutes.  
MS. DEGETTE.  Thank you so much, Mr. Chairman.  And, Mr. Byron, 
thank you so much for coming and sharing the other side of what 
happens with pretexting with us.  I just have a few questions for 
you.  
One of them is what I understand about this terribly botched 
investigation that AT&T did after you learned about the pretexting.  
What I want to know is if you have some views on what phone 
companies can do to prevent the pretexting in the first place, 
things that weren't done in your case and that aren't being done 
now. 
MR. BYRON.  Well, I'm not entirely certain that--I don't know who 
owns phone records.  It's a little unclear to me.  From what I've 
read, is the phone record owned by the phone company or is it owned 
by the person who uses that account?  I don't know.  And there may 
be a very clear answer to that, but I just don't know it.  If the 
phone company owns the record, it gets a little bit more confusing 
as to what that company can do with that record.  If you own the 
record, then they don't have the right to do anything with it 
without checking with you.  
And I guess what your question goes to is how could they establish 
it's you that they're talking to.  Well, short of going in there 
with--insisting, well, let's see your driver's license, I don't 
know what they can--what you could ask them.  I think what the 
best thing to do is simply say, "That's your problem.  But if you 
don't handle it properly, you're going to be in trouble with these 
sanctions."  And to the degree that my opinion means anything in 
this, I would say the tougher the penalty--put this thing into 
criminal law, and you'll get their attention. 
MS. DEGETTE.  To criminalize release of the records by the phone 
companies?  
MR. BYRON.  Yeah.  Sure.  Sure. 
MS. DEGETTE.  That probably would get their attention. 
MR. BYRON.  Absolutely.  And end the problem. 
MS. DEGETTE.  A second question I have for you is, as a newspaper 
reporter, how widespread is the fear of pretexting among your 
colleagues; because, as we heard yesterday with the Hewlett-Packard 
situation, reporters were targets of that investigation as well, 
and are people quite concerned that this is going on?  
MR. BYRON.  Oh, yeah.  Sure.  And more today than the day before 
yesterday.  And already this was a significant worry on the part 
of people in my line of work.  I think not long ago, a couple of 
weeks ago, The New York Times undertook some reevaluation of what 
its own editorial staff should be doing with its notes, with its 
phone records, and all the rest of it because of these kinds of 
compromised privacy questions.  If somebody can come and grab 
your phone records and nobody cares, there's a big problem here-- 
MS. DEGETTE.  Yeah. 
MR. BYRON. --a big problem. 
MS. DEGETTE.  And have you talked to colleagues who have had this 
happen to them?  
MR. BYRON.  Yes.  And I know a number of them.  
After this happened to me, I got calls from reporters all over the 
country, some of whom I knew, some of whom I now met for the first 
time, who had the same experience, not necessarily because of a 
lawsuit or something else, but because of something that somebody 
wanted to know about their line of work that the reporter didn't 
want to tell them. 
MS. DEGETTE.  Right. 
MR. BYRON.  So they'll just go steal it. 
MS. DEGETTE.  Yeah.  Okay.  Last question. 
Now, I presume that you still support H.R. 4943, which is the 
legislation that's mysteriously disappeared.  Counsel says maybe 
we could enlist your services as an investigative reporter.  But 
you still support that bill, right?  
MR. BYRON.  Absolutely.  I mean I think if after all of this, if 
that at least doesn't become law, that sends a signal, too. 
MS. DEGETTE.  Even though it is already illegal under other 
statutes, you think that would be helpful to have?  
MR. BYRON.  Absolutely.  I think it would just be a per se statement 
if this time we really mean it. 
MS. DEGETTE.  It would be that bright light cast that Ms. Dunn kept 
talking about? 
MR. BYRON.  Yes. 
MS. DEGETTE.  Thank you. 
Thank you, Mr. Chairman.  I yield back. 
MR. WHITFIELD.  I just have to ask one question that we were just 
discussing.  
If you heard the testimony yesterday, the Chairman of the 
Hewlett-Packard Board made the comment that she thought 
everyone's phone records were available to the public, that anyone 
would have access to anyone's, and that she wouldn't object to 
anyone having her phone records.  
Did you hear that comment?  
MR. BYRON.  I didn't hear her say that. 
What I read was the same thing in her written statement, and 
it amazed me.  I couldn't believe what I was reading, and that 
woman has a degree from Berkeley as a journalist.  It's a joint 
journalist-economics degree.  I know she reads and writes English-- 
MR. WHITFIELD.  Right.  
MR. BYRON. --and she said in her written statement that she thought 
all of this was fine-- 
MR. WHITFIELD.  Right. 
MR. BYRON. --because the private eye, this DeLia guy, had said to 
her he knew where you could get private phone records--I think I've 
almost got this memorized by now--where you could get private phone 
records legally from a public source. 
MR. WHITFIELD.  Yeah.  I wish we had had you here as a witness 
yesterday.  You could have been on the panel with Ms. Dunn.
MR. BYRON.  Well, I mean-- 
MR. WHITFIELD.  Okay. 
MR. BYRON. --just by the nature of it-- 
MR. WHITFIELD.  Yeah. 
MR. BYRON. --if private phone records are deposited in a public 
source, they're not private phone records. 
MR. WHITFIELD.  Yeah.  Yeah.  
I yield back the balance of my time and recognize the Chairman of 
the full Energy and Commerce Committee, Mr. Barton of Texas.  
CHAIRMAN BARTON.  Well, thank you, Mr. Chairman.  I'm not going 
to take the full 10 minutes.  I would like to make a report to 
the subcommittee.  
I see our poster over there "Gone With the Wind," H.R. 4943.  It's 
been found.  It's not gone.  It's awaiting floor action, and 
there's a good chance it might pop up today.  We may actually get 
to vote on it.  It may be midnight tonight, I'm not guaranteeing 
it, but it has been found.  The bill is alive and healthy, and-- 
MS. DEGETTE.  Mr. Chairman, maybe you can autograph the poster 
for us.  
CHAIRMAN BARTON.  I'd be happy to do that.  
The concern about it--and this is serious.  It goes to one of the 
comments that our witness made.  H.R. 4943 requires the phone 
company to get the permission of the individual who has the 
telephone number before their records are released to anybody, 
whether they're sold or whatever.  
So we asked all the phone companies at the hearing, the legislative 
hearing on the bill, whether they thought the phone records were 
the company's property or the individual's property, and the 
companies all answered--or the witness who represented the 
companies said that it was the individual's property.  And I think 
it is.  I think your phone number is yours, and the phone log--I 
don't see a real reason to keep a phone log unless it's for 
billing purposes.  And as we all know, with a lot of our telephone 
numbers today and telephone billing systems, you don't pay per 
minute or per call.  It's just a flat rate.  So there's an argument 
to be made that you don't even need to keep a phone record any time 
at all, but the concern that's kept the bill off the floor is that 
there are people who think the phone record is not your personal 
property, it is the company's property.  And I think these 
hearings are highlighting the fact that our bill is not "Gone 
with the Wind."  It's more like "Mr. Smith goes to Washington."  
It's good government, and we need to move it, and so there's a 
reasonable chance--I'm not guaranteeing it, but we may get it 
out today.  
I do want to comment, Mr. Chairman, how odd it is that all of these 
people who claim what they're doing is legal continue to invoke 
the Fifth Amendment against self-incrimination.  I think your 
hearings have set a record for self-incriminating individuals who 
were afraid they may self-incriminate themselves, protecting 
themselves by the tremendous Fifth Amendment to our great United 
States Constitution.  If what they're doing is so legal, they 
shouldn't have to be afraid to talk about it in public before your 
committee.  
The only question that I have for the witness here is, what was the 
final resolution of the pretexter who stole your phone records 
without your permission?  
MR. BYRON.  There has been no resolution.  There have been no charges 
filed or civil complaint anywhere.  To this hour, nobody has been 
brought to justice on this thing.  And as I said at the opening 
here, a 4-year thing accumulates a really confusing, long, 
complicated record trail; and with the passage of time, it gets 
harder and harder to follow this.  But the evidence of who did 
what, who shot John, sits in the SEC Enforcement Division district 
office files in Boston, Massachusetts.  And I've asked them in the 
past, "Well, if you're not going to act on it, why don't you make 
a criminal referral?  Can't you give it to the FBI?"  "Well, we'll 
get back to you on Monday on that, Mr. Byron," and 6 months later, 
I call again and get the same answer. 
CHAIRMAN BARTON.  Well, we do have a bill that has passed the House.  
It's a Judiciary bill which I support--it's in the Senate 
somewhere--that clearly makes pretexting illegal and sets criminal 
penalties at the Federal level for pretexting.  So we have got one 
House bill that's gotten to the Senate.  Our bill has not yet gotten 
to the floor.  
And before I yield back, since the Chairman of the Board of 
Hewlett-Packard yesterday indicated she didn't know what 
"pretexting" was and had never heard of it until June the 6th, I 
want to repeat what it is in case there's anybody here that doesn't 
know today.  Pretexting is pretending to be somebody you're not, 
to get something you probably shouldn't have, to use in a way 
that's probably wrong.  That's what pretexting is, and that's what 
this committee wants to make illegal.  We also want to make sure 
that your phone record is your phone record and cannot be used 
without your explicit permission.  
With that, Mr. Chairman, I yield back. 
MR. WHITFIELD.  Thank you, Mr. Barton.  
At this time, I recognize Mr. Walden of Oregon.  
MR. WALDEN.  Thank you, Mr. Chairman.  
Mr. Byron, like you, I too have a journalism degree, and I was 
astounded when I pressed Ms. Dunn yesterday as to whether or not she 
really believed and seriously believed that these records were 
available publicly.  And I have to confess, like you, I was amazed 
at the response.  It just was unbelievable.  
In your testimony, you say you initially discovered your records 
had been invaded when an AT&T representative called your wife-- 
MR. BYRON.  Yes. 
MR. WALDEN. --as I recall.  
Would you elaborate on this?  Was AT&T at that point investigating 
a problem?  Why would they call your wife?  
MR. BYRON.  What happened was, over the previous 2-1/2 months, 
unknown to my wife, myself, and anybody in our family, and 
apparently unknown to AT&T as well, criminal impersonators were 
calling up day after day, pretending that they were me or that 
they were my wife and asking for the July 2002 phone bill.  
MR. WALDEN.  Right.  
MR. BYRON.   And they kept getting one explanation as to why they 
wanted it after the next, and they never surrendered it to these 
people.  After 2-1/2 months of this, they finally hit pay dirt, and 
in the course of "dialing for dummies," they got one.  And this 
person sat there in her cubicle and read over the computer screen 
to these people, 96 phone calls that consisted of my office phone 
number, outbound from my phone during the month of July.  
Then, minutes later, another party called back and asked this 
person--this definitely retires the cup for being a dummy--if she 
could take the time to read again the same list because he wanted 
to check it.  And she did, and he did, and the computers now show 
2 full hours with going over one person's phone bills.  This came 
to the attention of this person's supervisor, who called us and 
said-- 
MR. WALDEN.  What's the problem with your phone bill. 
MR. BYRON. --"What's the problem with your July phone bill?"  We 
didn't know there was a problem.  Well, then we found out.  That's 
how we found these things out. 
MR. WALDEN.  And after you had that conversation with AT&T, what 
was their response to you once this triggered that something was 
up here?  
MR. BYRON.  Oh.  Well, I mean we received an urgent and immediate 
and apparently heartfelt expression of "ain't it awful, and we'll 
get on this right after lunch," and that was pretty much it.  The 
next day, having gotten nothing more than that, I called AT&T, and 
couldn't even find the person we had spoken to, and just started 
pushing-- 
MR. WALDEN.  Right. 
MR. BYRON. --and I finally got the General Counsel on the phone at 
corporate headquarters, and told him, and he basically tried to put 
this off on his secretary.  
At that point, I called the FBI district office in Bridgeport, 
Connecticut, filed a complaint with them.  They said, "Well, this 
sounds serious.  You'd better take that down to Washington and give 
it to the national office."  I did.  We never heard anything more of 
it ever, and I-- 
MR. WALDEN.  From the-- 
MR. BYRON.  From the FBI.  And with AT&T, when I called back, 
eventually I made myself such a pest that they assigned some guy who 
was like their privacy Assistant General Counsel, and he dealt with 
me and with the New York Post, which took an active interest in this 
thing continuously from that moment on.  
The file that he eventually turned over to us that you now have was 
sanitized of the information in it that was the only really 
important information that we needed, which was to be able to 
identify who the pretexters were. 
MR. WALDEN.  Did they have in their file what number the person was 
calling in from as you? 
MR. BYRON.  Oh, yeah.  Oh, yeah. 
MR. WALDEN.  Did they ever go back and trace who that phone number 
was from? 
MR. BYRON.  They have a code number.  
In the materials you have--I could show one of your investigators 
or staff people, if you'd be interested--is the code number that 
identifies the two back-to-back, 1-hour calls that they said-- 
MR. WALDEN.  Right. 
MR. BYRON. --they could not trace. 
MR. WALDEN.  Why?  
MR. BYRON.  That will make you leave the room, it's so confusing.  
I can't answer that question, and they couldn't either.  I think 
the answer is because they didn't want to.  
What I finally got from them was the packet of information they sent 
to the FBI, absent the phone calls--the enumerate--the sources of 
the phone calls that would have tied this information to the 
pretexters, and they promised to give that to me the day they 
sent it to us. 
MR. WALDEN.  But they never did?  
MR. BYRON.  Not only did they not--I just tried again the other day. 
Now, the guy who I was assigned to, he's gone.  He's not there 
anymore, and I've got a new person there who's going to hold the 
pity party for me.  And I'm sure that we won't get what we need.  
I'm sure of it. 
MR. WALDEN.  Well, maybe after today, you will. 
MR. BYRON.  I hope so. 
MR. WALDEN.  It's very frustrating being on that end of it.  I've 
dealt with some issues involving phone bills in my company where 
charges have been added to lines by third-party billers that we 
never asked for service.  
MR. BYRON.  Right. 
MR. WALDEN.   And I think that's going on all over America right 
now.  
MR. BYRON.  Yeah. 
MR. WALDEN.   And there's a float out there of bad actors that I hope 
we take a real serious look at. 
MR. BYRON.  I'm very sorry that I ran out of time and was unable to 
call the committee's attention to what I think ultimately is the 
most expansive problem at risk here.  
It's terribly destructive to somebody to have his personal or 
business phone records stolen in this way, and it upends your life 
and causes all kinds of heartaches and miseries for you.  But 
it's a much worse problem and gets into national security areas 
when you have the possibility that somebody will wind up in control 
of an entire company filled with these phone records of millions 
of people, and that possibility is evident; it exists.  And a 
series of stories we wrote related to one such company identified 
an individual, an international bunco artist who was wanted by 
Interpol on a "red corner" notice, using nominees to try and 
acquire and then move to Chennai, India, the outsourcing company 
handling AT&T's phone records. 
MR. WALDEN.  So your concern is that the outsourcing to the 
customer service facilities opens the door in foreign countries-- 
MR. BYRON.  Yes. 
MR. WALDEN. --to espionage activities, in fact, both economic and 
security. 
MR. BYRON.  Absolutely.  This particular individual had an enormous 
track record that was easily obtained before getting into 
negotiations to sell this company to him.  We had obtained e-mail 
traffic showing that this guy, right after 9/11, sent his sales rep 
from Dubai into Baghdad to negotiate the sale of germ warfare 
software to the Iraqi Ministry of Defense.  Now, come on.  That's 
the guy who's trying to buy the outsourcing company for AT&T and 
move it to India. 
MR. WALDEN.  Because he wants to provide really good customer 
service?  
MR. BYRON.  Well, he fled the country after we wrote a series of 
stories about him.  He was on a worldwide arrest-on-sight notice 
from Interpol.  Although he was living the life of Riley in Fort 
Lee, New Jersey, it didn't seem to stop anybody; but he left, and 
he's now under arrest and in detention in India, and he's having to 
answer for some huge array of swindles he was involved in there.  
But there will be more like that is what I'm saying.  More of that 
is coming. 
MR. WALDEN.  It's very disturbing, very disturbing. 
Mr. Byron, thank you, and we appreciate your testimony and 
willingness to come before the committee today. 
MR. BYRON.  Thank you. 
MR. WHITFIELD.  Mr. Stearns, you're recognized for 10 minutes. 
MR. STEARNS.  Thank you, Mr. Chairman.  
Mr. Byron, I guess you were in the latter part of your conversation 
with my colleague, you were talking about the Delmi- -- 
MR. BYRON.  Dalmia. 
MR. STEARNS.  Dalmia. 
MR. BYRON.  Yes. 
MR. STEARNS. Who was this individual who was trying to control the 
U.S. outsourcing company-- 
MR. BYRON.  Yes. 
MR. STEARNS. --and in so doing, he was attempting to merge it with, 
I guess, NASDAQ-listed companies.  
MR. BYRON.  Yes. 
MR. STEARNS.   And I guess they tried to call you up.  It was one of 
the attorneys for him that tried to call you up and actually 
intended--Lawrence Barcella of Washington. 
MR. BYRON.  Yes. 
MR. STEARNS.  Barcella claimed the Post's coverage of Dalmia was a 
tissue of lies and distortions but failed to cite any evidence.  
MR. BYRON.  Right. 
MR. STEARNS.  And then you were able to respond to him, and then he 
backed off. 
MR. BYRON.  Yes, that's exactly what happened. 
He was not the first lawyer we heard from from that guy.  I've been 
writing about him for 2 years, and prior to the Barcella letter, we 
heard from another guy he had hired locally in New Jersey, and he 
threatened to sue us for libel and defamation based on our reporting 
that this man had tried to sell a germ factory software package 
to Saddam Hussein.  And his defense in the letter to us that said 
this was defamatory to have published that, was that the contract 
never actually got signed.  Hello?  I mean, the point was not that 
he succeeded.  The point was that he tried, and the man's lawyer 
sent us a letter.  
The lawyers for the New York Post responded, "Read what you said in 
your own letter.  You've confirmed the accuracy of the story."  
That's the last we heard from him. 
MR. STEARNS.  What was the connection between this guy and the 
outsourcing company in Texas?  
MR. BYRON.  The outsourcing company where my phone records were 
stolen was called--is called Aegis Communications, Inc.  
MR. STEARNS.  Right. 
MR. BYRON.  It is an outsourcing company that at that time had major 
back-office, records-keeping contracts with a whole array of very 
large U.S. companies, including AT&T, Discover Card, American 
Express, all of that.  
When you pick up the phone and call to ask for the 800 help number 
and somebody says, "American Express.  May I help you?" it's not an 
American Express person at all most times.  It's somebody from one 
of these outsourcing companies.  
MR. STEARNS.  Which could be anywhere. 
MR. BYRON.  Absolutely, and a lot of them are now located in 
Punjab.  They're in India and in Ireland and in southwest Asia, 
elsewhere.  The connection is that this Dalmia fellow has a large 
and growing--or had until he went to jail--a large and growing 
presence with an outsourcing network based in Chennai, India, and 
tried to buy this Aegis Company in Texas.  Right at the time I was 
trying to get the FBI to investigate where my phone records--who'd 
stolen them--he was trying to buy the company, and he was using 
anonymous shell companies in Tortola and nominees and front men in 
London to pretend so that he was not--they had a beard and mustache 
on him, these guys, and so you couldn't see him, but we were able 
to trace--to peel back the mask. 
MR. STEARNS.  So you wrote the exposé about Dalmia. 
MR. BYRON.  Yeah. 
MR. STEARNS.  You wrote it, and that's what got Barcella to call you. 
MR. BYRON.  That's correct.  
MR. STEARNS.  So it's really a tribute to your persistence and 
tenaciousness that this fellow was exposed in the United States and 
eventually had to flee, and eventually, I guess, he was arrested in 
India, and he's in jail now. 
MR. BYRON.  He is.  He is, indeed. 
I would also have to say that I think that a lot of the credit is due 
to the Post, because there's not a lot of papers that would publish 
something like that.  He had not been arrested or charged with 
anything in this country, and the Post was publishing stories saying 
that he was an international criminal. 
MR. STEARNS.  Yeah.  What I don't understand is the Post stood in 
the gap there for you-- 
MR. BYRON.  Yes. 
MR. STEARNS. --with Barcella and handled that.  
Why doesn't the Post help you in civil suits to try and get 
defamation or damages or civil--why haven't you taken that route?  
MR. BYRON.  Well, the events that we're talking about here related 
to the theft of the phone records occurred with a story that was not 
published in the Post. 
MR. STEARNS.  Okay.  Okay. 
MR. BYRON.  I had written that as a freelance piece-- 
MR. STEARNS.  Okay.  
MR. BYRON. --for another publication which subsequently went 
bankrupt, Red Herring Magazine. 
MR. STEARNS.  Right.  
MR. WHITFIELD.  Would you excuse me, Mr. Stearns?  
MR. STEARNS.  Sure. 
MR. WHITFIELD.  I was just curious.  Did you consider a civil suit 
yourself?  
MR. BYRON.  It was not my idea.  It was the General Counsel of the 
Post.  She said that-- 
MR. STEARNS.  What the Chairman is saying is you could--for example, 
you could take a civil suit against AT&T for them.  In your estimation, 
they broke the law-- 
MR. BYRON.  Yes. 
MR. STEARNS. --when this woman sat in this cubicle, as you say, and 
spent 2 hours giving out all of this information.  I mean, surely 
the case could be made in a court that what AT&T did was against 
the law. 
MR. BYRON.  I believe it could be.  But to me, right now, that sounds 
like--with all I've been through, that's like saying, "Byron, go 
fight a land war in Asia."  I'll never come back.  
MR. STEARNS.  Yeah.  So it's just another aggravation you don't want 
to deal with.  
MR. BYRON.  Yeah. 
MR. STEARNS.  Okay. 
MR. BYRON.  I mean, to sue AT&T on my own, my God.  I would not want 
to undertake that.  I'm just--it's not that I would--I just--I'm 
already 61, you know?  
MR. STEARNS.  Has AT&T ever explained why the security measures in 
place at Aegis Communication Corporation, a third-party contractor 
to run some of AT&T's customer care call centers, failed to protect 
your records?  Have they at this point given you a definite written 
response?  
MR. BYRON.  No.  Never. 
MR. STEARNS.  Okay. 
MR. BYRON.  Never.  We've received nothing.  
MR. STEARNS.  We'll ask them that question when they come up for 
you.  
What has AT&T done for you since the facts about pretexting have 
occurred?  Have they worked to establish any additional safeguards 
to-- 
MR. BYRON.  Well, my wife called them the other day because we were 
just doing fact-checking for my written testimony and wanted to 
refresh our memories on how their password/coding rules work.  
MR. STEARNS.  Yeah. 
MR. BYRON.  And the person she got on the phone with accused her of 
being paranoid.  So that's what they've done for us since then.  In 
other words, nothing. 
MR. STEARNS.  Nothing.  
So here we are after the fact, and you're here.  Are you able to 
establish your career to go forward now and-- 
MR. BYRON.  Oh, absolutely. 
MR. STEARNS. --essentially reestablish the links with the people who 
are giving you information?  
MR. BYRON.  Yes. And I had to do it on a kind of case-by-case basis, 
because I just didn't know how broadly anything was actually 
compromised.  
What I knew is that all of my phone records for the month of July of 
2002 were gone.  They have gone into the hands of these people, and 
some of those phone numbers tied to sources in law enforcement and 
the Government related to entirely different issues or other 
stories, nothing related to this. 
MR. STEARNS.  So you don't feel intimidated at this point to write 
another exposé on a Dalmia-type of individual?  
MR. BYRON.  No.
MR. STEARNS.  Good.  So I mean, notwithstanding all that you went 
through, you've come through this, you and your wife, that you 
feel comfortable--you can continue your career and go forward and 
not have any trouble?  
MR. BYRON.  Yes.  Yes.  Yes, definitely. 
MR. STEARNS.  All right.  Thank you, Mr. Chairman. 
MR. WHITFIELD.  Thank you, Mr. Stearns. 
And I suppose, Mr. Byron, as you move forward, of course, it would be 
great if there was some sort of device that you could obtain so that 
you would know if your records were being pretexted.  But I mean, 
that pretexting could be going on right now in your records, and 
you wouldn't know it either, so-- 
MR. BYRON.  Exactly. 
MR. WHITFIELD.  But we genuinely appreciate your being here today and 
for your time and your testimony, and even though we didn't allow you 
to complete all of your opening statement, we do have it, and we've 
looked at it and all of the documents that you've provided.  
So, thank you very much.  
MR. BYRON.  Thank you. 
MR. WHITFIELD.   And we hope to see you again soon. 
MR. BYRON.  Thank you.  
MR. WHITFIELD.  At this time, I'd like to call up the third panel 
of witnesses.  
On the third panel, we have Mr. Thomas Meiss, who is the Associate 
General Counsel for Cingular Wireless from Atlanta, Georgia; 
Mr. Charles Wunsch, who is the Vice President for Corporate 
Transactions and Business Law for Sprint Nextel, Reston, Virginia; 
Mr. Greg Schaffer, Chief Security Officer for Alltel Wireless, 
Little Rock, Arkansas; Mr. Michael Holden, Litigation Counsel 
for Verizon Wireless in New York, New York; Ms. Lauren Venezia, 
Deputy General Counsel for T-Mobile USA, Bellevue, Washington; 
and Ms. Rochelle Boersma, Vice President for Customer Service, 
U.S. Cellular, Chicago, Illinois.  
I want to welcome all of you.  We thank you for joining us today 
and providing us with your views on this important issue.  As you 
know, this is an Oversight and Investigations hearing, and I'm 
assuming that none of you have any objection to testifying under 
oath.  And if that's the case, if you would, raise your right hand, 
and I'd like to-- 
[Witnesses sworn.] 
MR. WHITFIELD.  Thank you so much. 
In the rules of the House and the rules of the committee, you're 
entitled to legal counsel.  I'm assuming that none of you have legal 
counsel with you today; is that correct?  
MR. MEISS.  That's correct. 
MR. WUNSCH.  That's correct. 
MR. SCHAFFER.  That's correct. 
MR. HOLDEN.  That's correct. 
MS. VENEZIA.  That's correct. 
MS. BOERSMA.  That's correct. 
 
TESTIMONY OF THOMAS MEISS, ASSOCIATE GENERAL COUNSEL, CINGULAR 
WIRELESS; CHARLES WUNSCH, VICE PRESIDENT FOR CORPORATE TRANSACTIONS 
AND BUSINESS LAW, SPRINT NEXTEL; GREG SCHAFFER, CHIEF SECURITY 
OFFICER, ALLTEL WIRELESS; MICHAEL HOLDEN, LITIGATION COUNSEL, 
VERIZON WIRELESS; LAUREN VENEZIA, DEPUTY GENERAL COUNSEL, T-MOBILE 
USA; AND ROCHELLE BOERSMA, VICE PRESIDENT FOR CUSTOMER SERVICE, 
U.S. CELLULAR 

MR. WHITFIELD.  Well, Mr. Meiss, we'll start with you, and you're 
recognized for 5 minutes for your opening statement.  
MR. MEISS.  I'll turn this on.  Now is it on?  Can you hear me?  
Okay, great.  
Good morning, Mr. Chairman and members of the committee.  My name 
is Tom Meiss.  I'm from Cingular Wireless.  I'm Associate General 
Counsel.  Thank you for investigating this troubling matter and 
thank you for inviting Cingular to talk about it.  
The title of today's hearing includes a question:  "Who Has Access 
to your Call Records?"  The only right answer to that question would 
be you, the customer.  Unfortunately, that has not always been the 
case, and that's why we're here today.  
It would be hard to find somebody today who hasn't heard about 
pretexting for call records; but a year ago, that was far from the 
case.  It would be helpful--in fact, it's necessary to put things 
in perspective by looking at a timeline of pretexting for call 
records over the past years to the present.  But before I do that, 
I want to make one point.  We're using the terms "pretexters" 
and "data brokers" a lot today.  That's for convenience.  These 
people are thieves, plain and simple.  They're not data brokers; 
they're data burglars, and the word "pretexter" is just far too 
innocuous for what these people do.  
As early as 2005, the practice of Web-based data brokers pretexting 
for call records had received little notice.  In spring and early 
summer of last year, Cingular began to hear that some customers' 
records had been obtained from websites.  Around the same time, 
stories were beginning to appear in the press that suggested that 
pretexting could be a growing problem for businesses.  Cingular 
notified its customer service representatives to be on the lookout 
for pretexting and also to be especially diligent in verifying 
customers seeking account information.  But by midyear, we'd only 
received a handful of complaints about this.  We had 50 million 
customers.  The numbers just did not suggest that pretexting for 
call records was a widespread problem at that time.  However, near 
the end of the summer, a series of events changed all of that 
completely.  EPIC, a leading privacy organization, notified the 
FTC and the FCC that they had identified more than 40 websites 
that were offering to sell phone records for a fee.  Soon a few, 
and then dozens of newspaper and television stories appeared, 
reporting that it was indeed possible to obtain records easily 
from these websites for a fee. 
At the same time, Cingular Wireless was investigating to see how 
this could possibly be happening.  We looked for internal leaks 
because how else could you explain the absolute certainty with 
which these websites offered to get your records.  It just did 
not seem possible that pretexting could be the foundation for so 
many Web site businesses.  
Without yet knowing exactly how they were obtaining records, we 
changed our policies such that no call detail could be given out 
over the phone to anybody, even a verified caller.  At the same 
time we filed lawsuits, first against LocateCell.com, then 
against E-findoutthetruth.com.  We've since filed a total of 
6 lawsuits against more than 30 corporate and individual 
defendants, including 5 of the data brokers who appeared before you 
in June.  
By the end of 2006 our litigation was beginning to give us some 
insight into how the pretexters were operating.  We hired an ex-data 
broker to come to Atlanta, we got a firsthand account of specific 
ruses that had been used to pretext against us.  We used that 
information to create very real examples and a newly revamped 
training course for our service reps.  
A few months ago we engaged an ethical hacking firm to conduct 
planned pretexting attacks against us so we could evaluate the 
efficacy of that training, and we used the results of that to 
improve our training.  
Cingular has always been aware of and focused on its obligation to 
protect the privacy of customer records.  To secure information we 
employ a wide variety of technological, procedural, and physical 
safeguards to protect it, and we design them to be appropriate for 
the sensitivity of the information that's at hand.  
We have a privacy team that monitors new legislation and designs 
compliance programs, we have a physical security organization, we 
have an IT security organization.  We have a cross-departmental 
organization that looks at every aspect of security across the 
company.  It evaluates procedures and processes, then recommends 
improvements where it's needed.  Our internal audit department 
regularly performs audits of specific channels in the company 
that have sensitive information.  
As we continue to evaluate, refine, and improve our services, 
our security, we are mindful not only that it must be appropriate 
for the sensitivity but also we have to balance it with customers' 
convenient access to their own information, enable them to continue 
to get good customer service, and not, for example, hamstring 
them with another password that many would rather do without, a 
mandatory password.  
We know that this fight will never be over.  The data thieves will 
always be out there and continually evolving their methods of 
getting at our records.  We will be continually evolving our 
defenses to protect our records.  Cingular will always be committed 
to protecting the privacy of its customers' information.  Thank 
you. 
MR. WHITFIELD.  Thank you, Mr. Meiss. 
[The prepared statement of Thomas Meiss follows:] 


PREPARED STATEMENT OF THOMAS MEISS, ASSOCIATE GENERAL COUNSEL, 
CINGULAR WIRELESS 

MR. WHITFIELD. Mr. Wunsch, you're recognized. 
MR. WUNSCH.  Chairman Whitfield, Ranking Member DeGette. 
MR. WHITFIELD.  Be sure and turn your microphone on.  
MR. WUNSCH.  Thank you for the invitation to testify before the 
subcommittee today.  My name is Charles Wunsch and I'm the Vice 
President for Corporate Transactions and Business Law for Sprint 
Nextel Corporation.  I ask that my full written statement be 
entered in the record.  
I oversee Sprint Nextel's Office of Privacy.  We are proud of our 
privacy accomplishments at Sprint Nextel, given the difficulties of 
balancing the interests of customer privacy and customers' desire 
for easy access to their account information.  
Sprint Nextel devotes substantial resources to protecting the privacy 
of its customers' confidential information.  Consequently, Sprint 
Nextel views the stealing of customer information through 
pretexting as a wrong that should be stopped.  Sprint Nextel takes 
protecting customer information seriously.  
Providing protection for customer information is made difficult, 
however, by the need to balance the protection of the information 
against the customer's desire for ease of access to the information, 
all in a dynamic environment of technological and competitive 
change.  
Sprint's day-to-day practices reflect our commitment to protecting 
the security of our customers' private account information.  We 
understand that good information security cannot be achieved with 
any one safeguard, as human ingenuity is limitless.  This is why we 
are vigilant on all fronts. 
For instance, we retain customer information necessary for us to 
communicate with and bill our customers behind a series of firewalls 
and other intrusion protection systems.  We require our employees 
and contractors to abide by a code of conduct that requires them 
to safeguard confidential customer information.  Our thousands of 
care representatives who handle millions of transactions every 
month must constantly be on guard to distinguish genuine customer 
requests from efforts to steal information.  
Consequently, our representatives are trained to follow detailed 
authentication procedures when responding to customer requests 
relating to their accounts.  It is important to keep in mind that 
most customers demand fast and efficient customer service, yet 
customers often do not remember their pass codes.  Thus, Sprint 
Nextel's authentication procedures are designed to protect privacy 
while providing reasonably fast and efficient customer service.  
When it comes to call detail records or other customer proprietary 
network information, our company's policy is to allow access only 
to those Sprint Nextel employees or agents with a need to know.  
We continually modify our systems in response to changes in the 
industry and technology.  Right now we are in the process of 
combining our customer data bases into a new integrated billing 
platform, one that will include new, more robust customer 
authentication capabilities.  This is a massive undertaking.  
We believe the new system will be the single most important step 
to better protect confidential customer information while still 
meeting our customers' need for efficiency and convenience.  
Sprint Nextel encourages its customers to take specific precautions 
such as regularly changing their pass codes to protect their 
personal information from being accessed by others without their 
permission.  Despite all of these protections and the deterrent 
effect they produce, pretexters still try to obtain information by 
pretending to be people they are not.  They are skilled con artists 
who go to great lengths to circumvent carrier protections in their 
efforts to obtain personal information on their targets.  
We should all be clear on this point:  What pretexters are doing is 
wrong.  They should be stopped and punished.  To that end, Sprint 
Nextel has devoted substantial resources to combat the pretexters.  
We have taken aggressive legal action against companies we believe 
have fraudulently obtained, sold, or distributed our customers' 
personal account information.  Sprint Nextel filed lawsuits against 
three companies including former principals and employers of those 
companies that fraudulently obtained and sold customer information.  
In addition, Sprint Nextel has sent numerous cease and desist 
letters to other entities who have advertised their ability to 
obtain call detail records or other private customer information. 
We believe our efforts and those of other carriers and government 
agencies are helping to stop pretexting.  I appreciate the 
opportunity to appear before you today to share Sprint Nextel's 
perspective on its ongoing efforts to protect customer privacy and 
its efforts to combat the pretexting problem.  I would be happy to 
answer any questions.  
[The prepared statement of Charles Wunsch follows:] 

PREPARED STATEMENT OF CHARLES WUNSCH, VICE PRESIDENT FOR CORPORATE 
TRANSACTIONS AND BUSINESS LAW, SPRINT NEXTEL 

Summary of Major Points 
1.  Sprint Nextel appreciates the opportunity to share its views on 
protection of customer information and the problem of pretexting. 
2.  Sprint Nextel views pretexting as a wrong that should be 
stopped. 
3.  Sprint Nextel takes protecting customer information seriously 
and has received an award for its efforts. 
4.  Protecting customer privacy must be done in the context of 
customer demands for reasonable access to their account information. 
5.  Sprint Nextel protects customer information by implementing 
system protections combined with privacy training for appropriate 
employees.  
6.  Sprint Nextel encourages its customers to take actions to protect 
their information, such as frequently changing passcodes. 
7.  Sprint Nextel constantly reviews its privacy protections with 
the view to improving them. 
8.  To that end, Sprint Nextel has actively and successfully 
confronted pretexters through litigation and cease and desist 
letters. 

Chairman Whitfield, Ranking Member Stupak, thank you for the 
invitation to testify before the Subcommittee today.  I appreciate 
this opportunity to represent the third largest carrier in the 
wireless industry, Sprint Nextel Corporation.  I ask that my full 
written statement be entered into the record. 
My name is Charles Wunsch, and I am the Vice President for 
Corporate Transactions and Business Law at Sprint Nextel.  I oversee 
Sprint Nextel's Office of Privacy.  We are proud of our privacy 
accomplishments at Sprint Nextel given the difficulties of balancing 
the interests of customer privacy and customers' desire for easy 
access to their account information.  
Sprint Nextel devotes substantial resources to protecting the 
privacy of its customers' confidential information.  Our Corporate 
Security, Legal and Customer Care teams regularly evaluate existing 
safeguards to protect confidential customer information.  My 
testimony today is intended to condemn the activities of pretexters 
and tell you about some of the ways we protect our customers' 
privacy while still rendering quick and convenient service to our 
customers.  Providing additional protection for customer information 
is not difficult: the difficult part is balancing protection and 
the customer's desire for convenience in a dynamic environment 
of technological and competitive change.  The task is made more 
difficult by the ingenuity of those who would steal our customers' 
private information.  
For example, hypothetically we could implement an eighteen-digit 
passcode requirement before customers could access their calling 
records.  This act would make customer account information very 
secure -- if anybody could remember and use it -- but I doubt anyone 
would.  Therefore, this extremely secure passcode would not serve 
the interests of many, if any, of our 50 million plus wireless 
customers and millions more of our wireline customers.  At Sprint 
Nextel we have sought to strike the proper balance between 
effective privacy protections and ease of access. 
Sprint Nextel has been recognized for having first-in-class data 
security.  In a June 2005 research report, the Aberdeen Group 
identified Sprint Nextel as the only telecommunications firm 
employing "Best Practice in Security for Governance in 2005." This 
award was based on Aberdeen Group's research involving 200 companies 
from various industries, known to be operating at best-in-class 
levels.  
	Sprint Nextel's day-to-day practices reflect our commitment 
to protecting the security of our customers' private account 
information.  We understand that good information security cannot be 
achieved with any one safeguard, as human ingenuity is limitless. 
That is why we are vigilant on all fronts.  For instance, we retain 
customer information necessary for us to communicate with and 
bill our customers behind a series of firewalls and other intrusion 
protection systems.  Our certified information security specialists 
constantly work to enhance our information protection system as 
technology evolves.  
	We work hard to address the human element: customer care 
representatives are there to serve the customer's desires, so our 
thousands of care representatives must constantly be on guard to 
distinguish genuine customer requests from efforts to steal 
information.  We know from information obtained in litigation 
against data brokers that our efforts to train our customer care 
representatives to be on guard are effective.  We require our 
employees and contractors to abide by a Code of Conduct that 
requires them to safeguard confidential customer information.  We 
follow up by requiring them to take mandatory training on the 
protection of that information in accordance with the FCC's CPNI 
rules.  This training is required of all employees, including 
senior management. 
	We publicize through our website how we collect, use and 
secure customer information, to whom we disclose that information, 
and why (http://www2.sprint.com/mr/consumertopic.do?topicId=680.).  
We regularly update our privacy policy and the consumer resources 
pointers on our website to answer frequently asked questions, 
address new issues, establish effective information protection 
practices, and advise customers how they can better protect their 
information.  We do the same thing through other channels, such as 
bill inserts.  
	Our customer service agents are trained to ask for passcodes 
and follow detailed authentication procedures when responding to 
customer inquiries or requests relating to their accounts.  It is 
important to keep in mind that most customers want fast and 
efficient customer service.  That is their primary concern.  Yet, 
customers often do not remember their passcodes.  Sprint Nextel's 
authentication procedures are designed to protect privacy while 
providing reasonably fast and efficient customer service. 
	When it comes to call detail records or other Customer 
Proprietary Network Information (CPNI), our company's policy, which 
goes beyond FCC requirements, is to allow access to the information 
only to those Sprint Nextel employees or agents with a "need to 
know."  For example, customer service agents need to view this type 
of information in order to service accounts or answer billing 
questions.  Customer service agents are trained to ask for a 
passcode during inbound calls.  If a passcode has not been 
established or the customer does not remember the passcode, the 
agent must obtain customer specific information before answering 
questions about the customer's account. 
	 We also contractually require our contractors and third 
party vendors to protect our customers' information, require them 
to take the same training our employees must take to protect 
customer privacy, and have threatened to terminate contracts for 
violation of those requirements. 
	We continually modify our systems in response to changes 
in the industry and technology.  Given heightened recent concerns 
over privacy, we've made data security a priority in our merger 
integration process.  In the process of combining our customer 
databases into a new, integrated billing platform, we're building 
new capabilities into that platform for authenticating persons who 
seek access to sensitive customer information.  Not only will we 
employ password protection for all customers, we will ask customers 
who forget their passwords to use shared secrets like "who was your 
second grade teacher?"  We will no longer employ private personal 
information that has become far too easy to obtain as one fall-back 
method to authenticate their identity and allow access to their 
confidential information.  
This is a massive undertaking that we will achieve through 
comprehensive systems.  We believe that those capabilities will be 
the single most important step to better protect confidential 
customer information while still meeting our customers' need for 
efficiency and convenience.  These changes, we believe, will give 
consumers the convenience they want while also providing the robust 
security they should have. 
	Sprint Nextel also encourages its customers to take 
specific precautions to protect their personal information from 
being accessed by others without their permission.  For example, 
Sprint Nextel's website recommends that customers regularly change 
passwords used to access account information on the Sprint.com web 
site or when calling customer care, and to select unique passwords 
to access voicemail messages on Sprint Nextel phones. 
	Despite all of these protections and the deterrent effect 
they produce, pretexters still try to obtain information by 
pretending to be people they are not.  They are skilled con artists 
who go to great lengths to obtain personal information on their 
targets in order to attempt to circumvent carrier protections.  We 
should all be clear on this point:  What pretexters are doing is 
wrong.  They should be stopped and punished.  
	Our Corporate Security department has never found it 
necessary to engage in pretexting, nor has it ever engaged others 
to pretext on Sprint Nextel's behalf.  We also do not believe that 
most pretexting is the result of dishonest employees.  Our Office 
of Privacy has found that instances of such activity are extremely 
rare, and when they have occurred, the employees involved have been 
disciplined or fired.  
	In addition to system and employee efforts already 
mentioned, Sprint Nextel has devoted substantial resources to combat 
the pretexters.  We have taken aggressive legal action against 
companies that we believe have fraudulently obtained, sold or 
distributed our customers' personal account information.  Sprint 
Nextel filed lawsuits against three companies and an individual 
engaged in fraudulently obtaining and selling customer information 
and is actively considering additional lawsuits.  The three lawsuits 
filed are:   
 In January 2006, we sued 1st Source Information Specialists.  This 
company engaged in the practice of pretexting for quite some time, 
and refused to stop selling Sprint Nextel customers' call detail 
records even after being sued by others.  We ultimately obtained a 
permanent injunction against 1st Source, under which the company 
agreed to never again acquire, offer, sell or advertise the ability 
to obtain Sprint Nextel customer account information.  Just last 
month, we reached a settlement with 1st Source and one of its 
principals.  Although this settlement closes the case with respect 
to the corporate entity and one of its officers, the case continues 
against individual defendants who are also believed to be 
responsible for pretexting.  
 Also in January 2006, we sued All Star Investigations, Inc. in 
Florida state court. Sprint Nextel quickly obtained a permanent 
injunction and reached a settlement with this company in June.  
Both parties are in the process of implementing this settlement 
now, and the defendant has turned over useful information 
concerning the pretexting business, information which we are using 
to improve our information security.  
 In March 2006, Sprint Nextel sued San Marco & Associates, another 
Florida-based firm.  This case is pending. 

In addition to these lawsuits -- which have required us to expend 
substantial time and money -- Sprint Nextel has sent scores of cease 
and desist letters to other entities who have advertised their 
ability to obtain call detail records or other private customer 
information.  While we continue to identify companies engaged in 
pretexting, our experience is that the problem is less widespread 
today than it was one year ago even as reports of past pretexting 
continue to arise.  Together with Congress, the Federal Trade 
Commission, the Federal Communications Commission, state Attorneys 
General, and the rest of the telecommunications industry, we have 
sent a message, loud and clear, that this fraudulent behavior will 
not be tolerated. 
I appreciate the opportunity to appear before you today and share 
Sprint Nextel's perspective on its on-going efforts to protect 
customer privacy and its efforts to combat the pretexting problem.  
I would be happy to answer any questions. 

MR. WHITFIELD.  Mr. Schaffer, you're recognized for 5 minutes. 
MR. SCHAFFER.  Thank you, Chairman Whitfield.  
Chairman Whitfield and members of the subcommittee, thank you for 
the opportunity to address this critically important topic of 
protecting customer information.  I commend you for your 
leadership in addressing the problem that jeopardizes the privacy 
of your constituents and our customers. 
My name is Gregory Schaffer and I am the Chief Security Officer at 
Alltel.  I joined the company in 2004 with substantial experience 
in information security issues.  Not only have I served as a 
director in the cyber crime prevention and response practice at 
PriceWaterhouseCoopers, but I previously prosecuted computer hacking, 
illegal wiretaps, and economic espionage while at the Department of 
Justice.  I was recruited by Alltel to organize and expand existing 
security resources into an enterprise security operation.  
Before I discuss how we protect our customers' records let me 
briefly tell you about Alltel.  Alltel is headquartered in Little 
Rock, Arkansas, and owns and operates a wireless network that covers 
more than half of the continental United States.  Our base of 
approximately 11 million customers, located primarily in rural 
America, is smaller and more diffuse than the national carriers.  
Nonetheless, Alltel faces the same security challenges that confront 
our competitors.  We have chosen to address those challenges 
aggressively by implementing strong data security policies, 
procedures and technologies.  Alltel takes the threats presented by 
pretexters very seriously.  
Although actions by the FCC, FTC, and the State attorneys general 
have caused some data brokers to close up shop, others continue to 
try to find ways to gain access to customer records.  But data 
brokers are not the only ones doing this.  Pretexting by ex-spouses, 
hackers, or so-called friends continue to be problematic. 
Alltel spends considerable time focusing on and understanding, 
anticipating, and attempting to prevent current and future threats 
to customer data.  To that end Alltel constantly evaluates its data 
security and customer validation methods to balance the data 
protection with our commitment to providing consumers with timely 
access to their account information, wherever they are, and however 
they contact us.  However, if our security measures become too 
complicated, it may cause real customers to be denied access to 
their information when they need it.  
As subcommittee staff knows, Alltel adopted an enterprise information 
security policy framework that establishes both the chief security 
officer position and the enterprise security office.  That office 
has over 100 full-time employees and is Alltel's one-stop shop for 
security and privacy issues.  It is responsible for defining and 
executing Alltel's enterprise information security program.  
By creating a senior executive position and a special office to 
focus exclusively on security and privacy issues, Alltel has shown 
its commitment to give data security the highest level of attention 
and resources.  Alltel also invests in technology to ensure that it 
protects customer data not just from pretexters but also from hackers 
and other threats.  For example, we are in the process of 
implementing, at substantial cost, security solutions that will 
encrypt data stored on laptops and on backup tapes to protect 
against theft or accidental loss.  
Many of the security measures that we use to verify customer 
identity were deployed well before the recent publicity about 
pretexters.  Indeed, we continuously refine our processes to respond 
to new threats.  For example, in 2005 we prohibited our call 
centers and retail stores from faxing call detail records 
internally.  Likewise, Alltel does not provide call detail 
information over the phone or by fax in response to a call center 
request.  We have also implemented strict authentication procedures 
for customers, employees, and agents.  Finally, Alltel offers 
password protection for home access to customer billing information. 
Of course our employees are still our first line of defense in 
defeating pretexting; therefore, we have taken steps to prevent 
employees from deliberately or accidentally releasing records to 
unauthorized persons.  
First, an employee's network access is restricted to the 
applications and customer information necessary for job 
performance.  
Second, all Alltel employees and agents receive information security 
training, including training on identifying pretexting tactics. 
Third, customer service supervisors randomly monitor customer 
service calls to ensure that proper security procedures are 
followed.  
Fourth, we make our employees aware of pretexting methods by placing 
notices on our intranet net portal and through e-mails.  Employees 
who are found to have violated Alltel policies are disciplined and 
may be terminated.  
In conclusion, although carriers must take steps to prevent 
pretexting, we cannot completely eliminate the practice without 
making it extremely difficult for real customers to obtain their 
account information.  Therefore, Alltel strongly supports 
Congress' effort to criminalize the fraudulent actions of the 
pretexters.  
Alltel remains committed to protecting customer information while 
providing the highest levels of service.  I look forward to 
continuing to work with the members of the subcommittee to combat 
the security threats posed by pretexters.  
Thank you for the opportunity to testify today.  
MR. WHITFIELD.  Thank you, Mr. Schaffer.  
[The prepared statement of Greg Schaffer follows:] 


PREPARED STATEMENT OF GREG SCHAFFER, CHIEF SECURITY OFFICER, ALLTEL 
WIRELESS 


MR. WHITFIELD.  Mr. Holden, you're recognized for 5 minutes.  
MR. HOLDEN.  Chairman Whitfield, members of the subcommittee, I am 
Michael Holden, Senior Counsel from Verizon Wireless.  I thank you 
for the opportunity to appear before this subcommittee to address 
your concerns about data pretexting.  I cannot emphasize enough how 
seriously Verizon Wireless takes the issue of consumer data theft 
and fraud.  The protection of our more than 54 million customers' 
private information is extremely important to us and we are doing 
all that we can to protect this data from those who seek to steal 
it.  
What we have done falls into three basic categories:  
First, we have sued and obtained injunctions against pretexters and 
so-called data brokers.  In fact, we were the first to sue a 
pretexter over the theft of cell phone records in a case we filed 
over a year ago.  These lawsuits are important.  Not only do they 
target the bad guys but they also allow us to obtain information 
that helps us learn more about the fraudulent and deceptive 
techniques used against us and thereby improve our defenses against 
these attacks.  
Just yesterday we filed the John Doe complaint in Federal court in 
New Jersey to determine who pretexted Verizon Wireless customers in 
connection with the HP matter.  After we identify them we will 
seek an injunction against any further attacks, as well as monetary 
damages.  This is exactly how we have responded to other pretexting 
attacks against Verizon Wireless and our customers.  We identify the 
bad guys and then we go after them.  
The second thing we do is team with many law enforcement agencies, 
from State attorneys general to Federal prosecutors, to combat data 
thieves.  We have taken the lead role in partnering with law 
enforcement.  
Third, we have taken a hard look at our own internal safeguards to 
protect customer information and we have made improvements.  We 
train our employees, especially our customer service representatives 
on the importance of protecting customer data and on the 
sophisticated schemes used by data thieves to prey on them.  
This training takes many forms--face-to-face, online training 
modules, e-mail messages, alerts and so on--but all of it is 
designed to raise awareness and prevent our reps from being the 
next victim.  
We also have rules in place to make it harder for thieves to 
steal information.  No faxing or e-mailing of phone records, no 
disclosure of particularly sensitive information such as Social 
Security numbers, credit information to anyone, even the verified 
account holder; and customers have the option of placing a billing 
system pass code on their account which will then be required for 
access to the account over the phone, in the store, or online.  We 
have also upgraded the security of our online system.  
Now, in addition to the normal verification process, whenever an 
online account is established, or if the customer forgets the 
password, a temporary password is sent to the customer and that 
password must be input into the Web site to gain access, and a 
challenge question such as "Who was your favorite high school 
teacher?" is associated with online accounts.  
Data thieves prey on the instinct of wireless carriers to help 
customers and to provide the best possible customer service.  They 
use trickery, deceit, and cunning to steal our customers' private 
information.  That is why Verizon Wireless has gone to such great 
lengths to educate its reps about data theft and improve the 
security of its online systems.  That is why we have taken 
aggressive legal action against the bad guys.  
In the end, our challenge is to screen out the relatively few 
pretexting calls to customer service while providing the best 
customer service to the over 100 million legitimate customer service 
calls we receive each year.  We share your concerns about this 
problem and are doing all that we can each day to prevent these 
thieves from stealing our customer data.  
Thank you for the opportunity to appear before you today and I'm 
happy to answer any questions.  
MR. WHITFIELD.  Thank you, Mr. Holden. 
[The prepared statement of Michael Holden follows:] 


PREPARED STATEMENT OF MICHAEL HOLDEN, LITIGATION COUNSEL, VERIZON 
WIRELESS 


MR. WHITFIELD.  Ms. Venezia, you're recognized for 5 minutes.  
MS. VENEZIA.  Thank you, Mr. Chairman.  
Good afternoon, Mr. Chairman, and distinguished members of the 
subcommittee.  My name is Lauren Venezia and I am Vice President and 
Deputy General Counsel of T-Mobile USA, Inc. Thank you for the 
opportunity to appear today.  
We at T-Mobile take seriously the protection of our customers' 
information.  Pretexters exploit what we have worked hard to 
achieve:  award-winning customer service.  Pretexters defraud us 
and our customers.  We are determined to combat pretexting through 
legal action and our internal policies, practices, and training.  
As the fourth largest and one of the fastest growing wireless 
carriers in the United States, T-Mobile has distinguished itself 
in the marketplace by dedicating itself to excellent and responsive 
customer service.  We are proud that JD Power and Associates 
recognized us four times in a row for the highest-ranked wireless 
customer service performance.  
In the highly competitive wireless industry, premier customer 
service, including the protection of customer information, is 
essential to retaining and attracting customers.  Consumers expect 
and deserve a high standard of care in the treatment of their 
private information.  
We agree with the subcommittee, the FCC, and the FTC that fraudulent 
data brokers must be stopped.  We have taken decisive action against 
these unscrupulous data brokers in several ways.  We investigate, 
pursue, and sue data brokers to force them to cease their 
fraudulent activities.  When we determined that data brokers were 
preying on us and our customers we issued cease and desist demands.  
When data brokers failed to comply with those demands, we took them 
to court and obtained restraining orders and permanent injunctions 
against five data brokers and their owners or principals.  
In the course of these lawsuits we learned firsthand how pretexters 
work, and we share that hard-won knowledge with our service 
representatives to help them defeat pretexters.  
We also have in place multiple internal mechanisms, policies, and 
safeguards designed to protect customer information.  From our most 
senior executives to our service representatives, we are committed 
to the privacy of customer information.  We have an Information 
Security and Privacy Council that consists of some of our most 
senior executives, including several chief officers of T-Mobile.  
The Council provides overall direction and guidance for T-Mobile's 
information, security, and privacy protection strategy.  Reporting 
to the Council is a leadership team that includes our principal 
privacy officer and leaders of our information security units.  
This leadership team works with managers from across T-Mobile's 
technical and business units to implement privacy and security 
policies in a unified and consistent way.  
Let me give you an example of how this Council and its leaders work 
to address issues relating to pretexting.  Following the recent 
pretexting activities of data brokers, we strengthened our policies 
prohibiting our customer service representatives from providing 
detailed call record information over the phone, even to those 
callers who properly authenticate themselves.  Instead, these 
records are sent only through the mail to the billing address on 
file for the customer.  
More generally, we use an array of technical, procedural, and 
physical tools to safeguard our customers' information.  We actively 
audit our privacy measures and investigate alleged violations of 
those measures.  We also train all of our more than 30,000 employees 
on privacy and security policies.  We have expanded our training on 
security and privacy to meet the challenges that pretexters and 
other fraudsters impose.  Employees face disciplinary action up 
to and including termination for failing to follow those policies 
and procedures.  
This training is especially important for T-Mobile's customer 
service representatives.  T-Mobile's customers should continue to 
have convenient and easy access to real people, our service 
representatives, for assistance with their accounts.  We train our 
service representatives to provide outstanding service while 
protecting customers' information.  
Mr. Chairman, legislation to criminalize the activities of pretexters 
and those who hire them is essential to stopping pretexting.  We will 
continue our effort to stamp out pretexters but, without legislation 
to deter them, these fraudsters likely will continue inventing new 
schemes to try to circumvent our efforts.  
We have publicly enforced Federal legislation that would create 
tough new laws directed at the pretexters to criminalize the sale 
or acquisition of wireless phone records without a customer's 
consent.  We at T-Mobile share the committee's concerns about 
pretexting activities of data brokers.  We look forward to working 
with Congress, the FCC, and the FTC to stop these pretexters.  
This concludes my statement, Mr. Chairman and members of the 
subcommittee.  Thank you, again, and I would be happy to answer 
any questions that you may have.  
MR. WHITFIELD.  Thank you, Ms. Venezia. 
[The prepared statement of Lauren Venezia follows:] 


PREPARED STATEMENT OF LAUREN VENEZIA, DEPUTY GENERAL COUNSEL, 
T-MOBILE USA 


MR. WHITFIELD.  Ms. Boersma, you're recognized for 5 minutes.  
MS. BOERSMA.  Good afternoon, Chairman Whitfield, Ranking Member 
DeGette, and members of the subcommittee.  On behalf of U.S. 
Cellular, thank you for the opportunity to appear before you today 
to discuss our company's effort to prevent the theft and illegal 
sale of phone records by data brokers.  
I am Shelly Boersma, Vice President of Customer Service at U.S. 
Cellular.  One of my primary responsibilities is to make sure that 
all of our customer service associates are committed to and 
effective at safeguarding our customers' privacy in every 
interaction.  U.S. Cellular is a Chicago-based wireless carrier 
serving more than 5.7 million customers in 26 States.  While we 
are clearly not the largest company to address you today, we are 
pleased to participate on this panel because customer satisfaction 
is the basis of everything we do at U.S. Cellular.  We have a 
longstanding belief that our customers' experience is truly more 
important than the products that we sell, and this belief is 
instilled in every one of our associates.  
At U.S. Cellular a key component of customer satisfaction is earning 
and maintaining our customers' trust.  We, like the wireless 
industry in general, take this responsibility very seriously and go 
to great lengths to protect our customers' privacy.  
The recent increased attention to pretexting has clearly underscored 
the responsibility wireless carriers face when maintaining customer 
records.  In fact, our home State of Illinois enacted a new law this 
past July making it a criminal offense to use identification 
information of another person pretending to be that person for the 
purpose of gaining unauthorized access to personal information.  We 
hope the new Illinois law will significantly deter pretexting by 
criminals, data brokers, and other miscreants.  
As a wireless carrier we recognize our obligation to implement 
safeguards to protect our customers' call records, a mandate found 
in Section 222 of the Communications Act.  We take this obligation 
to heart and address it in our Business Code which all associates 
are required to live by.  
We further reinforce the importance of privacy in regularly 
scheduled training sessions with associates.  In fact, we 
specifically instruct our associates to protect the customers' 
information the way you would want your own to be protected.  Our 
policy requires our associates to screen all individuals requesting 
records or other personal information to verify that the person is 
in fact the account holder or an authorized party by the account 
holder.  
We offer our customers the option of establishing a unique password 
to protect their account data.  I should emphasize that any 
associate who fails to adhere to U.S. Cellular's customer privacy 
and verification policy is subject to immediate termination.  
At the present time U.S. Cellular does not provide online access to 
accounts, so digital pretexting, the process of illegally accessing 
customer information online, has not been an issue for us.  We are, 
however, actively exploring offering such electronic access as an 
added convenience to our customers.  If and when we do establish 
online accounts, we will do so only by implementing safeguards 
consistent with best industry practices.  
In January of this year, addressing media reports about the improper 
brokering of cell phone records, U.S. Cellular's Executive Vice 
President and Chief Operating Officer took immediate action to 
reaffirm the companywide commitment to data security.  A memo 
entitled "Protecting our Customers' Privacy" was issued to all 
customer associates, reminding them of their obligation to protect 
customer private information.  
In addition, since January of 2006, U.S. Cellular has implemented 
the following safeguards to protect customer privacy:  
We have ceased providing consumers with copies of past due bills by 
fax. 
We have ceased the practice of allowing associates to disclose their 
company ID number to outside callers.  
And effective October 2nd, U.S. Cellular will no longer provide any 
call detail information over the phone.  
I should also mention that U.S. Cellular does not currently use CPNI 
for any purpose requiring customer notice or consent under FCC rules. 
We do not at present engage in any out-of-category marketing.  
Finally, while U.S. Cellular has not today filed suit against 
data brokers that may have engaged in unlawful pretexting, we have 
not ruled out doing so in the event that it appears necessary or 
appropriate to take legal action of that kind to protect the privacy 
of our customers' personal information.  
On behalf of U.S. Cellular, thank you for the opportunity to appear 
before you today.  I would be pleased to respond to your questions.  
MR. WHITFIELD.  Thank you, Ms. Boersma.  Thank you for all of your 
testimony. 
[The prepared statement of Rochelle Boersma follows:] 

PREPARED STATEMENT OF ROCHELLE BOERSMA, VICE PRESIDENT FOR CUSTOMER 
SERVICE, U.S. CELLULAR 

Good morning Chairman Whitfield, Ranking Member Stupak and members 
of the Subcommittee.  On behalf of U.S. Cellular, thank you for the 
opportunity to appear before you today to discuss our company's 
efforts to prevent the theft and illegal sale of phone records by 
data brokers. 
I am Rochelle Boersma, Vice President of Customer Service at U.S. 
Cellular.  One of my primary responsibilities is to make sure that 
all of our customer service associates are committed to and 
effective at safeguarding our customers' privacy in every 
interaction. 
U.S. Cellular is a Chicago-based wireless carrier, serving more 
than 5.7 million customers in 26 states.  We were established in 
1983, and last year reported service revenues of $2.8 billion. 
While we are clearly not the largest company to address you today, 
we are pleased to participate on this panel because customer 
satisfaction is the basis of everything we do at U.S. Cellular.  
We have a long-standing belief that our customers' experience is 
truly more important than the products that we sell, and this 
belief is instilled in every one of our associates. 
At U.S. Cellular, a key component of customer satisfaction is 
earning and maintaining our customers' trust.  We, like the wireless 
industry in general, take this responsibility very seriously and 
go to great lengths to protect our customers' privacy. 
The recent increased attention to "pretexting" has clearly 
underscored the responsibility wireless carriers face when 
maintaining customer records.  In fact, our home state of Illinois 
enacted a new law this past July, declaring that a "pretexter" 
commits the criminal offense of identity theft if he or she uses 
the identification information of another person to pretend to be 
that person for the purpose of gaining unauthorized access to 
personal information.  
We believe and hope the new Illinois law will significantly deter 
pretexting by criminals, data brokers and other miscreants. 
As a wireless carrier, we at U.S. Cellular are of course already 
obligated to implement safeguards to protect our customers' call 
records - a mandate found in section 222 of the Communications Act.  
Section 222 specifically provides that telecommunications carriers 
must protect the confidentiality of customer proprietary network 
information - known as CPNI.  As all of you are surely aware, CPNI 
includes, among other things, customers' calling activities and 
billing records.  We believe that existing FCC customer privacy 
rules are appropriately stringent, and that they require carriers 
like U.S. Cellular to uphold their customers' privacy. 
We take this obligation to heart, and address it in our Code of 
Business Conduct - which all associates are required to live by.  
We further reinforce the importance of privacy in regularly 
scheduled training sessions with associates.  In fact, we 
specifically instruct our associates to, "Protect the customer's 
information the way you would want yours to be protected." 
Our policy requires our associates to screen all individuals 
requesting records or other personal information to verify that 
the person is, in fact, the account holder or a party authorized 
by the account holder.  We offer our customers the option of 
establishing a unique password to protect their account data.  
Similar procedures exist for business accounts. 
I should emphasize that any associate who fails to adhere to U.S. 
Cellular's customer privacy and verification policy in accessing a 
customer's account and disclosing personal information is subject to 
immediate termination. 
At the present time, U.S. Cellular does not provide online access to 
customer accounts, so digital pretexting - the process of illegally 
accessing customer information online - has not been an issue for 
us.  We are, however, actively exploring offering such electronic 
access as an added convenience to our customers.  If and when we do 
establish online accounts, we will only do so by implementing 
safeguards consistent with best industry practices. 
In January of this year, addressing media reports about the improper 
brokering of cell phone records, U.S. Cellular's Executive Vice 
President and Chief Operating Officer emphatically reaffirmed our 
company-wide commitment to data security by issuing a memo to 
associates titled "Protecting our customers' privacy."  
The memo noted that U.S. Cellular "always had security measures in 
place to protect our customers' privacy, [but] recent events 
present . . . an opportunity to review our Customer Service 
Verification Policy."  
The memo further notes that "Our customers depend on us to be their 
first line of protection, so it is important that everyone, whether 
in Customer Service, Sales or Financial Services, be thoroughly 
aware of these safety measures, [and] follow them consistently." 
In addition, as of January 2006, U.S. Cellular ceased providing 
consumers with copies of their past bills by fax - even if the 
customer persistently requests them. Instead, if a consumer 
requests past copies of his or her bill, we would only mail the 
records to the billing address listed on their account.  
U.S. Cellular has also ceased the practice of allowing employees 
to disclose their company ID number to outside callers.  We 
discontinued this practice in order to prevent pretexters from 
obtaining customer information by pretending to be authorized 
representatives of the company. 
One further change, effective October 2, 2006, U.S. Cellular will 
no longer provide any call detail information over the phone, even 
if a customer's identification is fully verified.  Such information 
will only be mailed to the existing billing address. 
I should also mention that U.S. Cellular does not currently use CPNI 
for any purpose requiring customer notice or consent under FCC 
rules.  We do not, at present, engage in any "out of category" 
marketing. 
Finally, while U.S. Cellular has not to date filed suit against data 
brokers that may have engaged in unlawful pretexting, we have not 
ruled out doing so in the event that it appears necessary or 
appropriate to take legal action of that kind to protect the 
privacy of our customers' personal information.  
On behalf of U.S. Cellular, thank you for the opportunity to appear 
before you today.  I would be pleased to respond to your questions. 

MR. WHITFIELD.  Ms. Boersma, what is out-of-category marketing?  
MS. BOERSMA.  In category would mean talking to our customers about 
the wireless services that we have available for them, so educating 
them to the services that we have.  We specifically talk to our 
customers only.  
MR. WHITFIELD.  Okay.  I'm sure all of you heard the testimony of 
Mr. Byron on the second panel.  What is your policy--I mean, if you 
notice some irregular activities, a lot of calls about one 
particular account, and you call Mr. Byron--would most of you call 
him and ask what's the problem here?  Or once you discover there is 
a problem, what is your specific procedure in dealing with that 
customer when it's clear that someone has been involved in 
pretexting their account?  
Would anyone like to respond?  Do you have a specific procedure in 
place to deal with Mr. Byron's situation?  
Mr. Meiss.  
MR. MEISS.  I have to say in every one of our cases where it has 
been detected, it has been the customer that's told us.  We can do 
an investigation.  
MR. WHITFIELD.  What do you all normally do when a customer calls 
you and says we have a problem?  
MR. MEISS.  When we have a problem with pretexting?  
MR. WHITFIELD.  If they called and said someone has been trying to 
get my records.  
MR. MEISS.  We investigate that and if the record indicates that it 
looks like that's what was happening, we file suit; we find out who 
did it, if we can find out.  In every case to date, where we have 
been able to find out who did it and whose records were taken, we've 
filed a lawsuit. 
MR. WHITFIELD.  How do you find out who did it?  
MR. MEISS.  The cases where we found out, we've been told who did 
it.  We got an indication from yesterday's hearings who got one of 
our records and we filed a lawsuit against them this morning.  
MR. WHITFIELD.  If I'm a pretexter--and we've had some pretexters 
testify and they're all quite good at what they do.  They're very 
good; I mean very good.  When they call in, most of them will talk 
to a customer service representative and they just get the 
information.  Do you have any technology in place that would be 
able to track where the call is coming from?  
MR. MEISS.  We're looking into that now.  Technologies are different 
at every company and it depends on how the call comes in, whether 
it goes through a call router or through an IVR.  That can make it 
virtually impossible to track the number.  
MR. WHITFIELD.  I get the sense, I mean I know you're focused on 
prevention which we commend you for, I get the sense that once it's 
occurred, there's not a lot of effort made or not a lot of resources 
available to assist the customer who's had the problem.  Is that a 
fair characterization of the situation?  
MR. MEISS.  I wouldn't say it's fair.  
MR. HOLDEN.  Mr. Chairman, when we at Verizon Wireless have become 
aware of instances where there's possibly unauthorized access, a 
possible pretexting attack, we have been able to track down who 
the pretexters were.  
MR. WHITFIELD.  You have been able to.  
MR. HOLDEN.  We are often able to capture the caller ID of the 
person making the phone call, and sometimes we can make a connection 
between the caller ID and the person who is making the call because 
it's publicly available.  Sometimes we need to serve subpoenas on 
another phone company to determine who it is.  But we have in the 
past been able to track down with law enforcement.  
MR. WHITFIELD.  When you track them down, what happens next?  
MR. HOLDEN.  Then we gather as much information as we can on that 
particular pretexter.  We have in the past sent out notices to our 
representatives to be aware of particular types of schemes if they 
see it, or be aware of particular caller IDs if they see it; to 
record the call and to bring it all to our attention.  We then have 
a package of information that we have.  We have the calls we're 
getting from a particular caller ID.  We will have recordings of 
those phone calls at times, and then commence civil suits and work 
with law enforcement to go after these guys.  
MR. WHITFIELD.  My understanding is your companies perhaps--and many 
companies today do outsourcing to India and elsewhere--and these 
customer representatives calls, customer service calls, go into 
these centers; and it would appear to me it may be more difficult 
to train someone in India to deal with pretexting perhaps.  
Am I accurate in that?  Or do you have outsourcing of your customer 
service business, or is it done here in the U.S.?  Mr. Meiss, what 
about your company?  
MR. MEISS.  We have both, and they get the exact same training.  We 
have no evidence that there's any difference between the two.  
MR. WHITFIELD.  Mr. Wunsch.  
MR. WUNSCH.  We have third-party vendors, primarily in the United 
States, that we provide training to; and they have contractual 
obligations and system protections on how we protect the 
information.  
MR. WHITFIELD.  How many of you outsource this outside the country 
to deal with this issue?  
MR. HOLDEN.  At Verizon Wireless we do not.  
MR. WHITFIELD.  I'm not saying there is anything bad, I'm just 
curious.  
MS. VENEZIA.  At T-Mobile USA, we do have some outsourcers located 
in both the United States and in Canada.  
MR. WHITFIELD.  Right.  Now it seems to me the most effective way to 
deal with this, since most of this pretexting is done on the phone 
talking to a customer service representative, is just refuse to 
send out any records or give out any records; just mail it to the 
address.  How many of your companies take that position?  
Okay.  So on this panel no one will give out verbally anything 
about phone records over the phone except Mr. Holden's company; 
is that correct?  
MR. HOLDEN.  Yes, we do continue to give out some information on 
phone records over the phone, to answer a customer's questions on 
a particular phone bill.  
MR. WUNSCH.  Mr. Chairman, we will not voluntarily give out 
information about the record, but if the customer raises a dispute 
on a specific item we will discuss that information over the phone 
with the customer.  But in terms of a request, as happened to the 
gentleman on the prior panel requesting all that information, it 
would be mailed to his address of record and would not be disclosed 
over the phone.  
MR. SCHAFFER.  That's consistent with what Alltel does. 
MR. WHITFIELD.  So there's no chance any of your customer service 
representatives would sit there for an hour and talk and give phone 
numbers out to some person.  
MS. VENEZIA.  We have a strict policy against that.  
MR. WHITFIELD.  So it would never happen then, right?  
MR. MEISS.  I would never say that.  
MR. SCHAFFER.  It would be a violation of policy.  
MR. WHITFIELD.  It would be a violation of policy because you're not 
supposed to do it.  You're supposed to mail it if it gets into that 
situation, correct.  Now, if you do not do it on the phone and you 
only mail it to the address of the phone holder of these calls, what 
are some other schemes that pretexters can obtain this information, 
or is there any other scheme?  
MR. WUNSCH.  One of the things we've become aware of is pretexters 
will pretext the customer at home and pretend to be an industry 
representative and get the person to reveal who their phone company 
is, and then go through a series of questions designed to elicit 
all of the pass codes and other information necessary to then dial 
into that carrier's system and look exactly like a legitimate 
customer and get the records; and either do that through an online 
access or even go so far as change the billing address if they get 
all the information necessary.  
MR. WHITFIELD.  So they are now pretexting the individual.  
MR. WUNSCH.  They are pretexting the individual, then using that 
information to then come to us and, from our standpoint, it looks 
like a perfectly legitimate call into our systems.  
MR. WHITFIELD.  And are they exploiting Internet accounts as well; or 
do we know?  
MR. WUNSCH.  Yes, they are.  
MR. HOLDEN.  They certainly have in the past.  
MR. WHITFIELD.  Just one other question.  Quickly.  How many of you 
have filed lawsuits against some pretexters as a result of the 
Hewlett-Packard case?  And what was the legal theory for the 
lawsuit?  
MR. HOLDEN.  The Computer Fraud and Abuse Act, because that was the 
principal basis; also common law fraud and trespass and other 
theories.  We've never had a problem filing our complaints and 
alleging that this activity is illegal, at least on the civil side 
of things.  
MR. WHITFIELD.  You said computer fraud?  
MR. HOLDEN.  The Federal Computer Fraud and Abuse Act, because our 
investigation has revealed that in the HP instance, or in the 
instance of the pretexting relating to the HP investigation-- 
MR. WHITFIELD.  The remedy you were seeking was simply an injunction? 
MR. HOLDEN.  And damages.  
MR. WHITFIELD.  My time has expired.  I recognize Ms. DeGette for 10 
minutes.  
MS. DEGETTE.  Thank you, Mr. Chairman.  I just want to clarify for 
the record and also for your edification the status of the law right 
now.  Currently under the Federal Trade Commission regulations, 
folks can file a civil suit seeking injunctive relief, which many 
of you had testified that your companies do.  H.R. 4943, the missing 
bill referenced in our "Gone with the Wind" chart which apparently, 
according to the Chairman, has now been found and may be voted on 
today or tomorrow, allows also civil damages to be obtained by 
pretexters.  
H.R. 4709, the Judiciary bill we have been talking about the last 
few days, which passed the House last spring, is a bill that sets 
up criminal penalties as well as the civil penalties.  So I just 
want to ask all of you a little bit about this.  Do all of you think 
that it would be helpful to have legislation that allowed damages 
to be obtained, as well as injunctive relief, specifically for 
pretexting?  I understand you can seek damages for fraud and other 
causes of action, but specifically for pretexting?  
If we can have a show of hands.  Everybody.  Do all of you also 
think that it would be helpful to have criminal penalties?  
Everybody.  Good.  Excellent.  
So I'll just ask you, Mr. Meiss, because you're at the end, so you 
would think that this would add a tool to the arsenal that the 
companies have.  Why would that be?  
MR. MEISS.  Two things.  One is that when we sue somebody in a civil 
matter, the only people we can stop them pretexting against is us.  
That means that Verizon has got to sue, Sprint has got to sue, 
T-Mobile has got to sue.  You have before you the six largest 
companies, but there are hundreds of small rural carriers and 
they've got to do the same thing.  We have such efficiencies that 
they don't, and it uses up a lot of resources. 
The other thing is I don't trust these people at all.  We sue them 
in civil court, we win, they're going to do a shell game, set up 
new corporations, move over there and continue it.  They need to be 
in jail.  
MS. DEGETTE.  So if they have the criminal penalties as well, you can 
go after the individual who is doing the pretexting as well as any 
corporate entity.  
MR. MEISS.  Right.  
MS. DEGETTE.  Now Mr. Meiss testified that the problems that they've 
seen with pretexting at his company have been identified by the 
consumers.  And in the previous panel what we had heard from 
Mr. Byron is that the company identified the problem for him.  
So I'm wondering if we can briefly have each of you talk about, 
has your company been able to identify pretexting or attempted 
pretexting?  
Mr. Wunsch.  
MR. WUNSCH.  I don't have personal knowledge if our customer care 
reps have identified it.  I know they are trained to, and if they 
do detect it or if a customer reports it, then we investigate it 
through our Office of Privacy and through our internal security 
people.  
MS. DEGETTE.  You're not aware of any kind of standards that you 
have in place for your customer service representatives to identify 
certain patterns that would help them.  
MR. WUNSCH.  I know they look for those things.  I don't know what 
they are, personally.  
MS. DEGETTE.  Mr. Schaffer.  
MR. SCHAFFER.  We collect information from our customer service reps 
who think that there may be an issue, and my team in security 
investigates those matters and tries to figure out if in fact 
there was pretexting occurring.  Obviously, when it's successful 
pretexting, it means that the customer service rep was defrauded 
and usually those don't come to our attention.  But sometimes the 
customers do report them, and we learn about most of the cases 
that we know because the customer has reported an issue. 
MR. HOLDEN.  We have absolutely identified on our own, pretexters 
who are attacking us.  A good example is Global Information Group, 
who I know was before this committee back in June, where you tried 
to have a closed committee back in June.  We noticed a certain 
pattern of suspicious calls that were coming in from a particular 
number in Tampa, Florida.  We sent out a notice to our customer 
reps to be aware, bring it to our attention.  We got recordings of 
the calls, we looked into the volume, we traced who it was, and 
we sued them.  
MS. DEGETTE.  Did you then also notify your customers about the 
attempted pretexting?  
MR. HOLDEN.  Well, once we learned--eventually we did, because once 
we obtained discovery from Global Information Group, we sent out 
notices to our customers as to those customers whose confidential 
information was in the hands of Global Information Group.  
MS. DEGETTE.  Ms. Venezia. 
MS. VENEZIA.  We've had both instances where customers have come 
to us and told us that they believe that their information may 
have been pretexted, and in those instances we commenced an 
internal investigation.  We have an internal investigations group 
that falls under the law department, and they work closely with 
the principal privacy officer to understand how it may have 
occurred.  And if that leads us to sufficient information, then 
we will issue a cease and desist letter and initiate litigation 
against the data broker in that case.  
We also have had instances wherein our customer service 
representatives have identified suspicious activity in accounts, and 
they use the same path.  They will send information up into the 
investigations group, and the investigations group will look at 
the account activity to see if that is suspicious.  
The way that our customer representatives are able to do that is 
through our training program.  We have given them scripts that we 
have obtained through the litigation against data brokers so that 
they would be able to see the tactics that are used by these 
fraudsters, so that they would be able to identify, if they did 
see it, when they receive a call.  
MS. DEGETTE.  Do you have any idea of how many instances where that 
has happened? 
MS. VENEZIA.  I really don't have numbers with me but I know of a 
couple instances personally.  
MS. DEGETTE.  Ms. Boersma. 
MS. BOERSMA.  We have not detected any on our own at U.S. Cellular, 
any pretexting.  But we have had a few complaints that have come in 
from customers and they have been--it's a small number of accounts 
and generally it has been someone else who is also on the account 
but potentially not authorized for that level of information to 
be provided.  
MS. DEGETTE.  I guess what concerns me is the case of Mr. Byron who 
testified, who would have had no idea that he was being pretexted.  
He might have maybe found out by accident down the road, but at 
the time he would have had no idea that his records were being 
sought and given to somebody if the company hadn't caught that.  
It would seem to me, and perhaps--we have such a short period to 
question, but it would seem to me that would be an area that 
customer service telephone companies could really beef up their 
techniques because we have the scripts being given to the customer 
service representatives by Ms. Venezia's company.  That's good.  
But it would also seem to me you could put some precautions in 
place; for example, if you saw a number of inquiries coming in 
from a certain phone number--I think it was Mr. Holden or 
Mr. Schaffer who talked about that.  
I'm wondering if any of you could give an opinion to me as to 
whether you think that techniques could be developed that are better 
for identifying pretexting from a company perspective instead of 
waiting for the consumers to come up with it.  
MR. MEISS.  We're working on them.  It's like fraud detection; you 
analyze patterns.  
MS. DEGETTE.  Mr. Schaffer, you're nodding.  
MR. SCHAFFER.  Same here.  We have done some searches through our 
system to see if we can identify patterns within the traffic.  
Most of those searches haven't yielded the kind of information 
that would suggest that there was a problem, but there are some 
ways that you can search through the data that you have in an 
attempt to identify patterns:  lots of calls coming from the 
same number or lots of Internet traffic coming from the same IP 
address.  
MS. DEGETTE.  Thank you.  Now, I think it was Mr. Holden's company 
that still continues to give out information on the telephone; is 
that correct?  
MR. HOLDEN.  That is correct.  
MS. DEGETTE.  What's the rationale behind continuing that policy, 
given that most of the pretexters are getting their information 
in this manner?  
MR. HOLDEN.  And we are continuing to look at whether we should be 
doing that, but here's where we are right now.  We will give out 
information over the phone on a particular bill, because a customer 
often has questions about their bill.  Our customers, a lot of our 
customers don't receive detailed billing anymore, and they may have 
questions about why their bill is $55 instead of $50.  We feel we 
need to be able to answer those questions.  
That said, we have sent out numerous, numerous warnings and messages 
to our reps, and really trained our reps to watch out for the kind 
of behavior that pretexters engage in; which is, can you tell me 
the last hundred numbers that were called on this number?  That's 
a different story.  
MS. DEGETTE.  Right.  So at least for Verizon, you wouldn't assume 
that the kind of call that we heard about from Mr. Byron would be 
information that would come out.  
MR. HOLDEN.  Today it should not.  
MS. DEGETTE.  Thank you. 
MR. WALDEN.  [Presiding.]  I have got some questions I want to ask 
each of you and they shouldn't take too long.  
One is following up.  Mr. Holden, you talked about how customers may 
have a no-detail bill, basically.  Is that an option all of you 
provide to your customers, no detail on the bill?  Does anybody 
not?  That's probably easier.  
All right.  So I could call my provider and say I would like no 
detail on my bill and you'd do that.  Would that be flagged then, 
so--
MR. WUNSCH.  One clarification.  We offer plans that have no detail.  
I'm not sure on every one of our billing plans you could ask for 
the no-detail option.  I would have to check on that.  
MR. WALDEN.  All right.  That would be helpful.  In your customer 
service organizations, have any of you ever discovered an insider 
who is working for one of these pretexters, or somebody sort of 
bought off by one of these pretexters?  Anybody?  
MS. VENEZIA.  Not that I'm aware of.  
MS. BOERSMA.  No.  
MR. SCHAFFER.  We had one instance of an individual that we have 
now terminated and sued, who sent some very small number of customer 
records to a fax number that we did not know where that fax number 
was.  We have not yet gotten even an answer in that complaint. 
MR. WALDEN.  It's an issue you're pursuing.  You said earlier-- 
does anybody on the committee--or, I'm sorry--anybody on the 
panel, none of you fax out billing data; correct?  
MS. BOERSMA.  Correct.  
MR. WALDEN.  You mail it out.  Now, I'm a wireless subscriber, I 
have got one on each hip.  What if I call in and say gosh, I just 
moved, I meant to tell you that, I need you to change the address.  
And I'm actually pretexting.  What happens?  How do you know it's 
me?  
MS. BOERSMA.  I can tell you what we do at U.S. Cellular.  What we are 
doing now is in going through the verification process upfront, 
one of the things we ask for is the zip code.  They provide the 
zip code to us and after that we say:  And can you tell us, have 
you moved in the last 30 days?  Once they say no--and we move on 
with the call.  And then if someone were to say to us, "And can 
you send me the call detail?" we say, we'll provide you with that 
but it's going to go to the account holder on record. 
MR. WALDEN.  What if I said yes, I have moved in the last 30 days?  
MS. BOERSMA.  If you said you had, we would change the address.  
Yes, we would, and also send a letter out that would indicate the 
address has been changed as a confirmation.  
MR. WALDEN.  Right.  If I'm pretexting Greg Walden and I say hi, 
I'm Greg Walden and I just moved, I need you to send my bill, must 
have gotten lost at the old address, forgot to put a forwarding 
statement in the mail, and gee, I just moved from Hood River, 
Oregon, I'm using a P.O. Box now, could you send me last month's 
bill, I don't want to lose my service.  
MS. BOERSMA.  What we have trained our associates to do is think 
that through.  We would say on the phone to them, "We would be 
happy to send that to you."  We would then confirm with the 
account owner we could get on the phone.  
MR. WALDEN.  But I am the account owner.  
MS. BOERSMA.  We could confirm with you that you had moved in the 
last 30 days.  
MR. WALDEN.  If I'm a really good pretexter, which I want to put on 
the record I'm not and don't intend to be, can I convince you my 
cell phone is dead, I don't want my cell phone to get cut off, 
here's my new address, call back the number, it's 202 whatever?  
MS. BOERSMA.  Certainly I can't say that that would never happen, 
but we have educated our associates so that they feel comfortable 
questioning and knowing that they should not be sending out any 
call detail records without confirming the address information.  
MR. WALDEN.  So when I sign up for an account, do I give you some 
sort of password or PIN number that would help?  
MS. BOERSMA.  What we use is the last four digits of the Social 
Security number and we also suggest that a customer also have a 
password associated with them.  And they can have multiple 
passwords on the same account so people have different authority 
levels.  Different passwords can be associated.  
MR. WALDEN.  How about the rest of you?  I don't have a ton of 
time.  Tell me how that scenario would play out in your companies. 
MS. VENEZIA.  For the bill?  
MR. WALDEN.  I'm pretexting; the whole process.  
MS. VENEZIA.  A customer would call in, it would need to be fully 
authenticated, so they would need to provide us with two pieces 
of information about themselves; for example, their name and their 
mobile number.  And they would also have to provide either the 
password on the account, which is optional, or their default 
password.  
MR. WALDEN.  Odds are I might have already gotten the cell phone 
number and I know the name on the account.  
MS. VENEZIA.  You need those two pieces of information to look up 
the account in the first instance, so that's why-- 
MR. WALDEN.  Seems like it would be a hole in the process.  I don't 
want to give pretexters any ideas.  
MR. SCHAFFER.  Very similar response.  But we would not send any 
information to the new address, even if the customer was verified 
based on that call.  The customer would have to call back at a 
subsequent time.  We would only send it to an address on the 
account when the call comes in.  
MR. WALDEN.  But if I'm a pretexter, that's not a problem.  I called 
Verizon, what, 5,000 times?  
MR. SCHAFFER.  A little extra deterrence never hurts.  Passwords 
are available too.  
MR. WALDEN.  But it's optional.  
MR. WUNSCH.  On address changes there's an authentication 
procedure.  You have to give us the appropriate authentication 
answers, and then the address would get changed.  
MR. WALDEN.  Mr. Meiss.  
MR. MEISS.  The same.  There is an authentication procedure which 
would include a password, but on the mandatory password--we've had 
lots of discussions about this because we've been looking at this 
problem for a long time.  I often hear people say, I have a boring 
life, I don't care if somebody looks at my call records.  It's not 
like the conversation that happened yesterday here.  But it's the 
fact that they don't want another password.  They're going to stick 
it on the yellow sticky thing on the computer with the other 28 
of them.  
MR. WALDEN.  Let me ask you each one other question before my time 
runs out.  You have heard yesterday and today a lot of discussion 
on this committee about the legislation that is so beautifully 
portrayed on the poster.  I want to ask you if your companies 
support or have any objection to any portions of H.R. 4943.  
Can we just go down?  
MR. MEISS.  We support a law that would criminalize it, and I'm not 
familiar with the laws because I'm not in legislative.  
MR. WUNSCH.  We support the criminalization of the pretexting, but 
as far as the specifics of any bill, my government affairs group 
can handle that.  
MR. SCHAFFER.  We support the criminalization of pretexting and, 
again, the particulars of the rest of the bill.  
MR. HOLDEN.  We support the criminalization of pretexting.  
MS. VENEZIA.  I can save you some time, Chairman Whitfield. 
MR. WALDEN.  It's actually Walden.  I'm pretexting.  
MS. BOERSMA.  Same thing; we support it, the criminalization, and 
the sale of records as well.  
MR. WALDEN.  So do you all have your government reps here today 
behind you?  I wonder if they--well, all right.  It will be on the 
floor anyway, hopefully soon.  
I don't think I have any other questions at this time.  So I would 
yield now to my friend and colleague from the what used to be 
Oregon, Mr. Inslee. 
MR. INSLEE.  It has improved substantially. 
I wonder if each of you would provide us your company's position on 
H.R. 4943.  And the reason I say that is this has been a mystery for 
some period of time.  I have been working on this since January.  
I introduced a bill at the end of January.  We passed it here in 
March.  It has been in this abyss, this black hole, since then.  
And we are trying to figure out who has their foot on it.  And I 
think it would be helpful if your companies could provide us in 
writing your position on that bill so that when we pass it and it 
goes over to the Senate, we can see who doesn't have their foot on 
it.  And I think it would be helpful.  
Would any of you be unwilling to provide us your company's position 
on H.R. 4943?  I will just ask it that way.  So everyone has 
volunteered, and I would ask in the next week or so if you could 
provide us with, Chairman, and your company's position on that bill.  
That is something we do want to get done.  
Let me ask you, does anyone have any concerns or comments about 
that?  I want to be fair to everybody.  
Okay, Mr. Meiss and Mr. Holden, you have indicated you have brought 
lawsuits in the recent past.  Could you tell us how your resistance 
were penetrated in those cases, if you know?  
MR. MEISS.  There was social engineering.  There was no hacking.  
So it was social engineering and it looked like it involved social 
engineering--it is probably changing over time.  Originally it was 
social engineering to get call details.  Since we don't do that 
anymore, now what they try to do is use social engineering to 
change passwords or remove passwords.  So that is, I think, the 
new tack. 
MR. INSLEE.  So you think that what they accomplished in the case 
that gave rise to the lawsuit you would stop now with your new 
procedures?  Is that what you think?  
MR. MEISS.  Right.  Right.  It should be stopped with those 
procedures.  I mention in my comments they are constantly going to 
be evolving and changing.  One silver lining to this whole thing is 
that as we are looking at new security measures to put in place, 
we bat back and forth, what are the pretexters going to do?  What 
are they going to tell us?  What is their ruse?  How are they 
going to get around it?  This is something, awareness we didn't 
have a year ago we have now.  So I think that is good. 
MR. INSLEE.  Mr. Holden, can you give us any thoughts?  
MR. HOLDEN.  Sure.  I can think of two separate sets of examples, 
both of them somewhat historical, because even the pretexting suit 
we filed yesterday in connection with the HP investigation is still 
somewhat historical.  It is looking at activity in 2005 and in 
early 2006. 
In the HP investigation, it looks to, our investigations revealed 
that the pretexters made some calls to customer service, and then 
ultimately obtained unauthorized access on-line.  And that, for 
us, is the first time we have seen people obtain unauthorized 
access on-line.  
MR. INSLEE.  So the key that got it is some identifiable information 
to go on-line then through a different on-line system?  
MR. HOLDEN.  That is right.  My sense is that they were missing some 
key component, maybe the mobile number or something and they were 
trying to make pretexting phone calls to obtain that additional 
information, and then you know, obtain access on-line.  
MR. INSLEE.  I may put you all in a little bit of a spot here, but 
give you a chance to brag too.  Which of you thinks they have the 
best anti-pretexting system?  And tell me why you think it is the 
best?  You have heard your competitors tell us.  Who thinks they 
have the best system and what advantage their system has over 
others?  
It is not a time to be humble.  We are looking for good ideas 
here.  No takers?  
MR. HOLDEN.  I will start with at least one aspect.  I think we, 
all the carriers have their way of doing it.  And we do learn from 
each other.  I actually think a panel like this is very helpful 
too, you sort of see what everybody is doing.  I think we have made 
some nice improvements to our on-line access system that have made 
it much, much, much more difficult for pretexters to get through. 
As an example, we, if you are registering for that system, 
after you put in the verification information, we then send a 
temporary password text message to the hand set and then that needs 
to be put into the Web site.  I think that makes it very difficult 
for somebody that doesn't have access to the handset to actually 
obtain on-line access. 
MR. INSLEE.  Got you.  I just want to make a closing comment.  We 
are putting obligations on you to protect our constituents' 
privacy.  And it is a little bit like requiring a thicker steel 
on the doors of the banks against criminals who want to do bank 
robbery.  But I think it is entirely appropriate.  And I look 
forward to your companies' helping us to get this bill through to 
have a more uniform system so that we can have the highest level 
of anti-pretexting technologies in use. 
I think that is a fair obligation on the industry.  It does involve 
costs.  It does involve management challenges.  But it is a fair one 
given the fact of how important privacy is to get into the 
interconnected world.  So good luck.  Thank you. 
MR. WHITFIELD.  Gentleman from Michigan is recognized.  
MR. STUPAK.  Thank you, Mr. Chairman.  We were told that one of the 
ruses used by the HP's investigators involved pretending not to be 
a customer but to be sales representatives from the company.  And 
the person posing as a sales representative then called company 
headquarters to ask that the customer's password be deleted.  What 
safeguards have you instilled to prevent this technique from working 
again in the future?  Mr. Holden, do you want to start?  
MR. HOLDEN.  We had seen that as a pattern as well, in other words, 
a pretexter pretending to be a fellow employee and so we have 
really emphasized in our training of our customer service reps and 
other customer facing employees that they need to fully authenticate 
that customer and not to rely on the authentication of a fellow 
employee, because often they call up with somebody--they have all 
the information they need on the fellow employee, if you looked 
them up on an org chart or something, the person would look 
genuine. 
MR. STUPAK.  Anyone else want to comment on that?  Mr. Schaffer?  
MR. SCHAFFER.  We actually have authentication requirements, not 
just for customers, but also for employees and for agents.  So when 
there are calls intra-company that involve getting access to call 
detail records, there needs to be authentication of the employee 
as well. 
I have not, however, heard of this attempt to try to get a password 
changed rather than trying to get at the records themselves.  So we 
will now go deal with that situation.  
MS. VENEZIA.  For T-Mobile if a customer says they have forgotten 
their password or lost their password, they need to go into a 
T-Mobile store and show photo ID before that password can be 
changed. 
MR. STUPAK.  They would have to physically go into the store?  
MS. VENEZIA.  Yes. 
MS. BOERSMA.  At U.S. Cellular as well, they have to show proof of 
photo ID to make that change. 
MR. STUPAK.  Okay.  Let me ask you this one.  I have heard, the 
little bit I have been able to be here the last 2 days, that it is 
a violation of your company policy, and that people can be 
terminated for violating your company policy if they give out 
information unauthorized, correct?  
MS. BOERSMA.  Yes.
MS. VENEZIA.  Correct.
MR. STUPAK.  Can you tell me what remedy does the customer have who 
was pretexted?  What remedy would I have?  What remedy would an 
American citizen have if you knew one of your employees gave out 
information wrongly?  You provide the customer with a remedy then?  
I didn't expect complete silence.  
Do you offer the customer anything?  This is basically identity 
theft.  I have heard you file lawsuits.  You seek injunction.  You 
seek civil damages.  What do you do for the customer?  What do you 
do for the American people?  
MS. VENEZIA.  We have provided our customers with information about 
how best to protect their account.  We have provided them with 
information about identity theft in the event that were to occur, 
we have given them phone numbers for the credit bureaus, major 
credit bureaus to assist them, should they want to take a look at 
their credit reporting, again, all in the interests of protecting 
their information.  
We also have a lot of discretion in terms of our customer service 
representatives, that they are able to assist a customer in any way 
with respect to giving a customer some credits or making other 
adjustments to the account.  We also can put a password on that 
account if the customer would like to have that done. 
MR. STUPAK.  But that is all after.  Back home when we talk 
about--when I say pretexting, they don't get it.  When I talk about 
identity theft, they get it.  And they tell us--at least they have 
told me, at least in Drummond Island, that it costs thousands and 
thousands of dollars to get your identity back.  
So if you are complicit--not voluntarily--so if your information 
leads to that identity theft, I would think there would be some 
kind of remedy available there for the customer then who has to go 
through all this, not only time consuming hassle and changing 
everything they have, but also the cost involved, and it is quite 
expensive with lawyers and everything else involved. 
MS. VENEZIA.  Really the issues that we have seen have to do with 
call detail records.  We provide that information to the customer 
as an abundance of caution, because we want to be a full service 
provider to that customer.  Using the call detail information 
really isn't an indicator as far as we have seen for identity 
theft.  We just have not seen that happen.  What we have seen is 
call detail. 
MR. STUPAK.  I was trying to use a logical one, but what remedy 
does the family have where they have got the cell phone number of 
the young lady, and the stalker stalked her down by using the phone 
number and killed her?  What remedy do they have?  I mean, it is 
much more than just some phone numbers once in a while. 
I am not trying to put you on the spot.  When we are back home in 
our districts, this is what people are asking us about.  I think 
The Washington Post had the article about the boyfriend girlfriend, 
and he stalked her and had their phone numbers, cell phone numbers 
and killed her.  What remedy do they have?  Not that--I hope that 
doesn't happen, but we know it happens in the real world, and I 
guess when I was on Drummond Island, a couple of people who had 
their identities stolen, it started with phone numbers.  That is 
how it started.  And then it just keeps going. 
So that is what I was wondering.  
How about the FCC's proposed rule-making on implementing 
industrywide security standards.  Do you all support them and which 
do you oppose? 
They are the next panel, right?  
MR. MEISS.  We are on the same side of this fight, obviously with 
the FCC against the data brokers.  And we would support certainly 
sort of the safe harbor approach in the Gramm-Leach-Bliley Act 
that has a good overview and good structure for it, and it seems 
to work there and we think that would be good.  I think I 
mentioned earlier that we don't support mandatory passwords for 
those customers who just don't want it and just don't care.  That 
should be their choice. 
One thing ironically is that the stronger you make the security, 
the more likely it is that people are going to get locked out and 
there is going to be a lot more people claiming they are locked 
out, which could play into the data brokers', the pretexters' 
plans.  
The encryption of on-line stuff to us doesn't make sense because 
that just doesn't go to the problem that has been happening.  It 
would slow things down.  It would slow customer service.  We 
encrypt in transmission, but they have to access the records to 
help the customer.  
MR. STUPAK.  Mr. Wunsch. 
MR. WUNSCH.  That is something I am going to have to refer to our 
government affairs people to get back to you on.  
MR. STUPAK.  Mr. Schaffer. 
MR. SCHAFFER.  Very similar answer with respect to mandatory 
passwords.  We think that the pretexters will quickly go to the 
password reset functionality.  And so as a practical matter, we do 
make them available to our customers, but having them be mandatory, 
we think probably doesn't solve the problem, but does slow down 
the vast majority who are legitimate requests to get access to 
information.  
Similarly, encryption and audit trails are of concern because of 
the way our systems work.  That encryption is very difficult to do 
in all of the systems for CPNI as are audit trails.  But we are 
using encryption in places that it makes sense, and it really 
provides additional protection like Enterprisewide for laptops, 
Enterprisewide for backup tapes.  
So we are trying to deploy those technologies where they are 
effective means of providing protection.  But mandatory deployment 
in a wholesale way we are concerned about. 
MR. STUPAK.  Mr. Holden?  
MR. HOLDEN.  Our specific responses to the FCC's proposals are 
beyond my expertise, really my expertise is kind of what we have 
done in response to the data brokers, how we have gone after the 
data brokers and what we have done in response.  So I would have 
to also defer, and be happy to, my FCC group, and be happy to get 
back to you.  
I do know that our position is that some of the proposals don't 
really address the pretexting issue as we see it.  An example is 
document retention.  They have requirements about how long you 
can retain documents.  I just have not seen that in my experience 
with pretexters and data brokers.  They always want the last bill 
or the bill before that.  You know, the bill that is a couple of 
years old I think is of no use to them.  So that is an example 
of one where I don't really see a connection to the pretexting 
issue. 
MR. STUPAK.  Ms. Venezia.  
MS. VENEZIA.  I generally would defer as well to the folks closer 
to this on our team in terms of the legislative group, but a few 
general comments.  One would be maintaining a certain level of 
flexibility in how we change our policies and practices in systems 
I think is going to be important because this is an evolving 
process.  It is a learning process.  And we are going to continue 
to get better and better and better.  And unfortunately, so are 
the data brokers.  
So, we really need to find ways where we can stay nimble and 
flexible and not have a situation where rules are static and then 
those rules are learned and the data brokers just go around us.  
So that is just by means of a general principle. 
I agree with the other comments about encryption and document 
retention.  I think document retention really is an essential issue 
when it has to do with pretexting and some of us have requirements, 
government requirements, to maintain documents for a certain amount 
of time so we certainly wouldn't want to be in violation of a rule 
or have conflicting rules in some areas.  
MR. STUPAK.  Ms. Boersma.  
MS. BOERSMA.  I would have to defer as well, I can say but, we do 
believe strongly in customer-set passwords.  We are doing a lot of 
work around encryption right now as well, investigating things 
there.  But in general, it is the same comments that everybody else 
has spoken to already. 
MR. STUPAK.  Thank you.  
MR. WHITFIELD.  Yes, sir, Mr. Stupak.  I would like to ask one final 
question.  We have had a number of hearings on this subject and 
these so-called data brokers, pretexters, whatever we want to call 
them, frequently, make the case and advertise that they are able 
to locate physically where a cell phone is.  I guess they refer to 
it as cell phone pinging or cell phone locating. 
And I would ask you all, is that technically possible to do?  
MR. MEISS.  No, at least with respect to our phones, we filed a 
lawsuit against one of those companies and we can't even locate the 
slime balls.  But we will and we will get them. 
Those people claim, well, I just get that information from a third 
party.  So now we are trying to track down that third party.  They 
give us information about their Web site where they have a diagram 
of a GPS satellite talking to your phone. 
We don't use that technology.  It is absolutely false.  And I said 
we have got to sue these people because they are putting an alarm 
out there, getting people upset about something that is not real.  
That bothers me. 
MR. WHITFIELD.  Okay.  I am glad we got you excited. 
Well, if there are no further questions, I would remind you all, I 
think you all agree that you would get back to the committee, and 
Mr. Inslee's request on your position on H.R. 4943, so if you would 
do that, we would appreciate that.  
Thank you very much for your testimony.  We look forward to working 
with you as we continue to move forward. 
And at this time, I would like to call the fourth and last panel of 
witnesses.  And that is Mr. Joel Winston, Associate Director, 
Division of Privacy and Identity Protection, Bureau of Consumer 
Protection, Federal Trade Commission, and Ms. Kris Monteith, 
Chief, Enforcement Bureau at the Federal Communications 
Commission. 

TESTIMONY OF JOEL WINSTON, ASSOCIATE DIRECTOR, DIVISION OF PRIVACY 
AND IDENTITY PROTECTION, BUREAU OF CONSUMER PROTECTION, FEDERAL 
TRADE COMMISSION; AND KRIS MONTEITH, CHIEF, ENFORCEMENT BUREAU, 
FEDERAL COMMUNICATIONS COMMISSION 

MR. WHITFIELD.  Thank you all for being with us today.
As you know, this is the Oversight and Investigations Subcommittee.  
We take testimony under oath.  And I am assuming Mr. Winston, that 
you and Ms. Monteith do not have any difficulty with that.  So if 
you would please stand and raise your right hand. 
[Witnesses sworn.] 
MR. WHITFIELD.  I am assuming you do not have legal counsel today, 
so Ms. Monteith, if you would, you are recognized 5 minutes for your 
opening statement. 
MS. MONTEITH.  Thank you very much, Chairman Whitfield and members 
of the subcommittee.  I appreciate the opportunity to speak with 
you today about the ongoing investigation of the Federal 
Communications Commission into the issue of the unauthorized 
disclosure of consumers' call records.  
As FCC Chairman Martin testified before the full Committee on 
Energy and Commerce in February, the Commission is deeply concerned 
about this issue and is taking a number of steps to address it. 
First, we are investigating data brokers to determine how they 
are gaining access to confidential call records. 
Second, we are investigating telecommunications carriers to ensure 
that they are fully meeting their obligations under the law. 
And third, we have initiated a rule-making proceeding to determine 
what additional rules the Commission should adopt to further 
protect consumers. 
Since we initiated our investigation in the summer of 2005, we have 
issued subpoenas to over 30 data brokers seeking details regarding 
their methods of obtaining phone record information. 
We issued citations to those data brokers who failed to fully 
respond to our subpoenas, a notice of apparent liability against one 
of these companies for its continued failure to respond adequately, 
and referred the matter to the Department of Justice for 
enforcement. 
Although the data brokers almost universally denied any wrongdoing, 
our investigations revealed that data brokers routinely engage in 
pretexting, often by impersonating the account holder or a telephone 
company employee.  
Data brokers are also obtaining access to consumers' accounts 
on-line by overcoming carriers' data security protocols.  And we 
have seen some limited instances of carrier employee misconduct. 
We also have focused our attention on the practices of 
telecommunications carriers to determine whether they have 
implemented safeguards that are adequate to secure the privacy of 
consumers' confidential data.  The Commission's Enforcement Bureau 
has had numerous meetings with the major wire lines and wireless 
providers to discuss efforts they have undertaken to protect 
customer call data.  
The Commission has also issued formal letters of inquiry to these 
carriers.  These letters require the carriers to document their 
customer data security procedures, detail employee access to call 
records, identify security problems and breaches, and address any 
changes they have made in response to the data broker issue. 
We have also issued supplemental letters of inquiry to the largest 
carriers and our in-depth analysis is ongoing.  
Most recently, we issued letters of inquiry to a number of carriers 
asking for information related to whether any CPNI was disclosed 
without authorization in connection with Hewlett-Packard's 
activities. 
In January, we issued a public notice requiring all 
telecommunications carriers to submit their most recent annual 
certificate attesting to compliance with the Commission's CPNI 
rules. 
As a result of our investigations into carrier compliance with the 
annual certification requirement, we issued three notices of 
apparent liability for failure to comply with these important 
rules. 
We have reached consent decrees on CPNI issues with two of these 
carriers totaling $650,000. 
During the course of our investigations, we have learned that 
several carriers have taken further steps to protect the privacy 
of customer account information.  These steps include using better 
security and authentication measures with respect to on-line 
accounts, notifying customers of password or account changes, 
and greater monitoring of employee activities to detect breaches 
of corporate policies. 
Lastly, the Commission initiated a proceeding to determine what 
additional rules it should adopt to further protect consumers' 
telephone records from unauthorized disclosure.  The notice of 
proposed rule making, which grants a petition filed by the 
Electronic Privacy Information Center, seeks comment on five 
proposals to address the unlawful and fraudulent release of CPNI. 
These include customer-set passwords, audit trails, encryption, 
limiting data retention, and notice procedures to the customer on 
release of CPNI data.  The record in this proceeding closed in June. 
Chairman Martin intends to bring an order before the full commission 
for its consideration this fall. 
In conclusion, the disclosure of consumers' private calling records 
represents a significant invasion of personal privacy.  The 
Commission is acting to eliminate this troubling practice and give 
American consumers the privacy protections they expect. 
We look forward to working collaboratively with the members of 
this subcommittee, other Members of Congress, our colleagues at the 
Federal Trade Commission and other law enforcement authorities to 
ensure that consumers' personal phone records remain confidential.  
Thank you for the opportunity to testify, and I would be pleased to 
respond to your questions. 
MR. WHITFIELD.  Thank you, Ms. Monteith. 
[The prepared statement of Kris Anne Monteith follows:]


PREPARED STATEMENT OF KRIS ANNE MONTEITH, CHIEF, ENFORCEMENT BUREAU, 
FEDERAL COMMUNICATIONS COMMISSION

MR. WHITFIELD.  Mr. Winston, you are recognized for 5 minutes.  
MR. WINSTON.  Good afternoon, Mr. Chairman and members of the 
subcommittee.  I appreciate your invitation to appear today to 
discuss the privacy and security of telephone records. 
Although my written statement is that of the Commission, my oral 
testimony and responses to questions reflect my own views and not 
necessarily those of the Commission, or any individual commissioner. 
Protecting the privacy and security of consumers' sensitive and 
personal information is one of the Commission's highest priorities.  
And we have addressed this issue on many fronts, ranging from spam 
and spyware to data security and identity theft. 
Today, I will discuss the FTC's recent enforcement efforts against 
those who use fraud or other illegal means to obtain consumers' 
telephone call records and other confidential information. 
I will also provide some comments on possible legislation to stop 
this troubling practice. 
On May 1st of this year, the Commission filed lawsuits in Federal 
courts across the country against five companies and their 
principals for allegedly selling consumer call records that were 
obtained through fraud. 
The complaints charged that these practices violate Section 5 of the 
Federal Trade Commission Act which prohibits unfair or deceptive 
practices. 
In each of these cases, the defendants advertised on their websites 
that they could obtain confidential customer phone records from 
telephone carriers for fees ranging from $65 to $180. 
What we have since learned is that the data brokers, like these, 
often rely upon third parties who carry out the actual pretexting. 
Four of these five cases are pending in court.  In the fifth case, 
we will be releasing next week a settlement with the defendants 
that contains both injunctive and monetary relief. 
In addition to these cases, FTC staff continues to aggressively 
pursue investigations of both pretexters and the data brokers who 
purchase their services for resale.  We have been aided in these 
efforts by the FCC, State law enforcement, and several telephone 
carriers.  
Although many purveyors of consumer telephone records seem to have 
gotten the message and have moved on to other lines of work, there 
is still much work left for us to do.  The Commission has been 
aggressive in prosecuting those who pretext and sell financial 
records as well as telephone records.  We filed our first case in 
1999 against a company that offered to provide consumers' bank 
account numbers and balances to anybody for a fee. 
As you know, Congress later enacted the Gramm-Leach-Bliley Act, 
which expressly prohibits pretexting for financial records.  And 
the FTC has followed up with more than a dozen cases.  
But pursuing the fraudsters is only part of the solution.  It is 
equally important to send a message to the business community that 
it has a legal obligation to protect sensitive consumer 
information.  
Now, the Commission has conveyed this message in many ways, but most 
directly through 13 data security cases we brought over the past 
few years, against such prominent companies as Microsoft, Tower 
Records, ChoicePoint, and DSW Shoe Warehouse. 
I would like to turn briefly to the subject of legislation. 
Of course, earlier this year, the full committee approved H.R. 4943, 
a bill that would ban pretexting to obtain phone records and would 
authorize the FTC to bring civil actions against violators.  The 
Commission believes that a civil law that specifically prohibits 
telephone record pretexting would be useful in clarifying the 
illegality of this practice.  
In addition, I would recommend that any such legislation address 
three issues. 
First, the law should apply not only to pretexters, but to those who 
solicit their services when they know or should know that fraudulent 
means are being employed. 
Second, if the law provides for FTC enforcement, it should grant 
the Commission the power to seek civil penalties against violators, 
a remedy that the FTC does not currently have in cases like this. 
In this area, penalties generally are the most effective civil 
remedy. 
Third, Congress should consider an appropriately tailored exception 
for law enforcement. 
I would also note that our investigations have revealed that some 
sites offering pretexting services are registered to foreign 
addresses. 
This underscores the importance of the Commission's previous 
recommendation that Congress enact cross border fraud legislation. 
This proposal, called the U.S. Safe Web Act, would overcome many 
of the existing obstacles to information sharing in cross border 
investigations. 
Again, thank you for the opportunity to testify today.  We look 
forward to working with this subcommittee and its staff on this very 
important issue.  And I would be happy to answer any questions you 
may have.  
MR. WHITFIELD.  Well, thank you, Mr. Winston, and we certainly 
appreciate the work you all are doing at FTC and at the FCC on this 
issue and for taking time to be with us today. 
[The prepared statement of Joel Winston follows:] 


PREPARED STATEMENT OF JOEL WINSTON, ASSOCIATE DIRECTOR, DIVISION OF 
PRIVACY AND IDENTITY PROTECTION, BUREAU OF CONSUMER PROTECTION, 
FEDERAL TRADE COMMISSION 

MR. WHITFIELD.  I would like to just clarify for myself this 
seeming confusion over the enforcement rights of the FTC on this 
issue and specifically as it relates to Section 5, because you made 
the comment that in this legislation, any legislation hopefully would 
make it clear about civil penalties. 
And I thought that you had authority to have civil penalties today 
on pretexting.  But could you elaborate on the existing law as it 
is today?  
MR. WINSTON.  Certainly.  We have civil penalty authority for certain 
kinds of cases in certain circumstances. 
We do not have civil penalty authority for violations of Section 5, 
such as the sorts of pretexting violations that we have brought cases 
against. 
We also don't have civil penalty authority under the 
Gramm-Leach-Bliley Act.  So in cases such as these, we are limited 
to remedies that are injunctive.  In some cases, we can require 
companies to give back their ill-gotten profits.  But we do not have 
penalty authority. 
MR. WHITFIELD.  Okay, so the 4 out of 5 lawsuits that are still 
pending in court right now, there are no civil penalties involved 
in those at all?  
MR. WINSTON.  Correct.  We are seeking, again, return of ill-gotten 
profits.  But in cases like this having that penalty authority is 
frankly much more effective. 
MR. WHITFIELD.  Okay.  Okay.  And, Ms. Monteith, you had mentioned 
in your testimony that you, the FCC had recently issued three 
notices of apparent liability for forfeiture under Section 222 
of the Communications Act and that some companies were fined a 
total of $650,000.  
Could you elaborate on this a little bit?  Specifically what is 
this apparent liability for forfeiture?  
MS. MONTEITH.  The notice of apparent liability for forfeiture is 
the first public type of enforcement action that the Commission 
takes in response to an investigation and an internal finding of 
a violation of our rules of the law. 
And this requires the company to respond to us and demonstrate to 
us in its response that it has or has not violated the law.  
In these particular cases, the notices of apparent liability were 
filed for violations of our annual certificate requirement, 
requiring the company to keep in place an annual certificate 
signed by a corporate officer that attests to their compliance 
with our rules. 
MR. WHITFIELD.  And so that was the only violation, not filing 
this certificate in a timely manner?  Is that right?  
MS. MONTEITH.  Yes, thus far.  We have ongoing investigations of 
other aspects of the CPNI rule, but to date, those are the 
violations. 
MR. WHITFIELD.  How many carrier certificates are filed each 
year?  
MS. MONTEITH.  The certificates, heretofore, have not been required 
to be filed with the Commission.  But in January, we issued a 
public notice upon inspecting several certificates and ascertaining 
that there may be some compliance issues.  
We required all of the carriers to file their certifications with 
us.  We have over 2,000 certificates on file that we are in the 
process of reviewing. 
MR. WHITFIELD.  And how did you determine the $650,000 figure?  How 
is that determined?  
MS. MONTEITH.  The Commission has discretion in terms of its 
forfeitures to determine the amount of forfeiture.  Here we thought 
that the type of violation was very significant, involving personal 
information and privacy types of rights and issued forfeitures 
accordingly. 
MR. WHITFIELD.  Now, Mr. Winston, you talked about H.R. 4943 and you 
talked about 4 points necessary to really make this law effective 
and from your perspective, do you all support H.R. 4943?  Or are you 
taking a position on it?  
MR. WINSTON.  The Commission has not taken a formal position, but 
H.R. 4943 contains the elements that I identified-- 
MR. WHITFIELD.  All 4. 
MR. WINSTON.  It has the three elements that I mentioned.  It does 
not have obviously the cross-border fraud aspect.  But in terms of 
penalties and other authority, it delivers what we need. 
MR. WHITFIELD.  Okay.  I yield back the balance of my time and 
recognize Mr. Stupak. 
MR. STUPAK.  Thank you.  Ms. Monteith, you are currently undertaking 
the antitrust review of the proposed merger between AT&T and 
BellSouth, and earlier the FCC fined AT&T for failing to have 
adequate consumer protections and safeguards in place.  Do you 
think it would be reasonable, in light of the hearings we have had 
in the last few days, for the Commission to condition approval of 
that merger on a clear and effective policy by the company that 
protects consumers' privacy from pretexters or other fraudulent 
methods for breaching customers' privacy?  
MS. MONTEITH.  With all due respect, Mr. Stupak, I am not involved 
in the merger that is pending before the Commission.  I would be 
happy to take that question back to the folks that are and have 
them look at it.  
MR. STUPAK.  Would you have them get back with us in writing then 
if you would on that question?  
MS. MONTEITH.  Sure.  
MR. STUPAK.  Can I ask you this question, our bill there, the Rhett, 
Scarlett Butler is that what they call it, H.R. 4943, does the FCC 
take a position on that?  Are they supportive of the bill?  
MS. MONTEITH.  We have not taken a position on it, but Chairman 
Martin has been very clear that he does endorse in his testimony, 
he testified that he would support actions to prohibit, to ban 
outright the pretexting and the sale of consumers' phone 
records. 
MR. STUPAK.  In his statements, has he had any suggestions that 
we could improve it, like Mr. Winston, you said there was one part 
we should look at a little closer?  
MS. MONTEITH.  The legislation?  No, he has not.
MR. STUPAK.  I believe you mentioned that on pretexting, of course, 
you said that it is either customers or people posing as customers 
or telephone company employees that are involved in the pretexting. 
How often is it if you can give me a percentage, is it customer, 
I mean, excuse me, telephone company employees?  Is that a 
complaint you have had fairly often?  
MS. MONTEITH.  We don't know.  I don't have those figures in front 
of me.  I think the responses that we have gotten from the companies 
that we have investigated have indicated that it is both.  But I 
couldn't tell you on balancing.  
MR. STUPAK.  Equal or hard to say. 
MS. MONTEITH.  I really do not have that information.  
MR. STUPAK.  Mr. Winston could you add anything to that on company 
employees or individuals posing as customers?  Do you get a sense, 
is it equal, more or less, one over the other?  
MR. WINSTON.  We don't have any data, but the sense I have gotten is 
that it is more from people posing as customers and calling rather 
than some sort of insider fraud. 
MR. STUPAK.  FTC issued a report January 23, 2001, you mentioned on 
page 7 of your testimony in which you were surfing the Net, you 
found more than 1,000 websites and reviewed more than 500 
advertisements and print identifying firms offering to conduct 
searches for customers' financial data.  Have you gone back any 
more searching?  That was like 5 years ago.  Has it increased?  
Decreased?  Can you give us any sense of that?  
MR. WINSTON.  We do periodically go back and search and monitor.  
And I think, both in the case of financial pretexting and telephone 
record pretexting, the numbers of perpetrators have gone down 
substantially.  Now, how much of that is people actually abandoning 
the business versus going underground is hard to tell, but just 
looking at the websites, most of them have disappeared. 
MR. STUPAK.  In your settlements--I asked the question of the 
earlier panel, what about the victims of the identity theft that 
were pretexted?  Is there any of that financial settlement that goes 
to the victims, the individuals?  I notice you had ChoicePoint 
where you were going to settle for, like, 10 million, and I thought 
5 million may go to individuals who have been pretexted?  
MR. WINSTON.  Yes, in cases where we found tangible consumer harm 
like being a victim of identity theft, we have tried to give money 
back to consumers who were the victims.  In the ChoicePoint case, 
we will be returning $5 million to those consumers. 
In the pretexting cases, we have not come up with a way of actually 
getting money back to people and having them be able to kind of 
quantify what their harm was. 
Instead, we focused on taking the profits away from the company that 
engaged in it.  I think that is the most effective deterrent, 
although, again, if we had penalty authority, I think we could 
get substantially more money. 
MR. STUPAK.  So without the FTC stepping in on behalf of the 
American consumer, there would be no way, really, there is no cause 
of action then for the American people to recover their damages?  
MR. WINSTON.  I think there may well be private causes of action. 
MR. STUPAK.  But nothing statutorily?  
MR. WINSTON.  Nothing statutorily that I am aware of.
MR. STUPAK.  Do you think there should be a separate remedy 
provision or something for consumers or families in H.R. 4943?  
MR. WINSTON.  That is something worth considering.  One issue 
that we have been thinking about is whether victims of identity 
theft should have the opportunity to get restitution from the 
perpetrators for the time they spend in repairing the damage.  
So in the identity theft situation, we are looking at, at the 
analog, is there a way of allowing victims to recover from 
perpetrators?  The same sort of thing might work here as 
well.  
MR. STUPAK.  Let me ask this question, if you can answer it.  We 
mentioned a 2001 study you did where you had a thousand websites 
and 500 advertisements and approximately 200 firms that offered 
to obtain and sell asset or bank account information to third 
parties. 
And you said that has, that number has gone down since you have 
stepped up the enforcement actions, or gone underground, as we 
have seen in our child pornography hearings they oftentimes go 
offshore to other countries or multiple sites to do it.  Are you 
finding that same thing here with pretexting?  
MR. WINSTON.  Yes.  We have discovered, as I mentioned earlier, 
that some of these pretexters, some of these data brokers are 
associated with foreign criminal rings or other foreigners, and 
our ability to cooperate with the foreign authorities to go after 
these people is really hampered by existing law.  And that is why 
U.S. Safe Web Act is so critical to allowing us to be more 
effective. 
MR. STUPAK.  In your position, have you seen any other countries 
who have addressed this more aggressively, pretexting and the 
problem of obtaining false information in a different way or 
manner that would be helpful to us as a committee to-- 
MR. WINSTON.  I am not aware of any.  I suspect that law 
enforcement in the United States is probably about the most 
effective in the world at this point. 
MR. STUPAK.  I have no further questions, Mr. Chairman.  Thank you 
both for your testimony. 
MR. WHITFIELD.  Thank you, Mr. Stupak.  Chair recognizes Mr. Walden 
for 10 minutes. 
MR. WALDEN.  Thank you very much, Mr. Chairman.  And I don't know 
that I am going to take the full 10 minutes, but I do have a couple 
of questions.  What have you seen in terms of changes in data 
broker activity?  What have you noticed since all of this has been 
in the public?  
MR. WINSTON.  Well, I think, again, there has been some movement to 
at least stop the most blatant practices, which even as recently as 
several months ago, we were seeing advertisements on the Internet 
saying we can get anybody's telephone record.  We can get Social 
Security numbers.  We can get account information.  We can get 
credit card statements for a fee. 
MR. WALDEN.  And they could?  
MR. WINSTON.  And in some cases, they could, and in some cases, 
they were engaged in false advertising, which is its own problem. 
But that seems to have really, if not dried up, at least dissipated 
to a substantial extent.  
What we need to learn, and our investigations are continuing is, 
are these people really gone or are they just being more subtle 
and more careful about what they say?  
MR. WALDEN.  Did the lawsuits you filed recently, involve 
pretexting indirectly?  
MR. WINSTON.  In each of the cases, I believe the ones who actually 
engaged in the pretexting were not the people who were advertising 
and selling the records.  Like in the Hewlett-Packard case, there 
was a middle man.  
MR. WALDEN.  There was a middle person?  
MR. WINSTON.  Yes, we believe in each case, there was pretexting that 
went on. 
MR. WALDEN.  And what have you been learning about pretexting in the 
course of these recent investigations?  What should we know we 
haven't already heard about?  
MR. WINSTON.  Well, you probably already heard how ingenious these 
criminals are, and despite all of the protections that the phone 
companies may have put in place, ultimately, it is social 
engineering.  It is a matter of somebody convincing somebody else 
to give up records that they shouldn't. 
And they have a lot of different techniques that they have used.  
We have learned about some of those.  But ultimately, they have 
been successful. 
MR. WALDEN.  You heard the testimony from the panel of telephone 
folks, and you have probably observed what we went through 
yesterday with HP.  What is your counsel to phone companies?  What 
should they be doing they are not doing or haven't thought about 
doing and what about the consumers?  
MR. WINSTON.  Well, from the consumer standpoint, it is a little 
frustrating because ultimately, they can't prevent their records 
from being released.  
MR. WALDEN.  How?  
MR. WINSTON.  I think putting a password on is important.  It is 
not foolproof, but it is important. 
Also, consumers need to be aware of the possibility that they 
themselves might get pretexted.  We have seen instances where the 
pretexters will call the consumer and pose as the phone company 
or someone else and get their information.  "Phishing" is the 
common term for it.  We have been trying very hard to educate 
the public to not give up that information themselves. 
MR. WALDEN.  What is the next scam on the horizon?  What are you 
seeing that you are beginning to see little rays of light that 
are out there that we need to be aware of, consumers need to be 
aware of?  
MR. WINSTON.  There are so many.  I don't know where to begin. 
MR. WALDEN.  We will have lots of opportunities to get together 
here with other players. 
MR. WINSTON.  I plan on remaining gainfully employed for a while.  
I think more broadly what we are seeing is this kind of seamy 
cottage industry of information brokers.  And it is not just 
phone records anymore.  It is not just financial records.  
MR. WALDEN.  What is it?   
MR. WINSTON.  It is Social Security numbers.  It is any kind of 
information that you might have that you don't want other people 
to get.  There are people out there on the Internet who are 
selling it.  And it is something that we have been trying very 
hard to get a handle on.  As our economy becomes more high 
tech, so are the criminals.  
MR. WALDEN.  Should phone companies, phone carriers, be using 
Social Security numbers?  
MR. WINSTON.  Well, phone companies typically, if you want to 
open a phone account, the first thing they are going to do is pull 
your credit report.  In order to pull your credit report, you have 
got to give them your Social Security number.  So to that extent, 
yes, the phone companies need your Social Security number. 
MR. WALDEN.  Should they be using that as part of their data 
for authentication purposes?  
MR. WINSTON.  One thing we are looking at, there is a 
government-wide task force right now on identity theft that 
President Bush set up back in May.  And I have been serving on 
that.  And one of the things we have been looking at is are there 
gratuitous, unnecessary uses of Social Security numbers both in 
government and in the private sector?  And the answer is yes.  
There are a lot of people who are using Social Security numbers.  
MR. WALDEN.  Is that what consumers should look at first to 
minimize the use of is Social Security numbers?  Is that the most 
important number we should keep secure?  
MR. WINSTON.  Absolutely.  You know, 42 million Medicare cards in 
this country that consumers have, have their Social Security number 
on it and they carry it around in their wallet.  That is just a 
recipe for disaster.  
MR. WALDEN.  What about when all this moves offshore?  You know, we 
wrestle in this committee and the telecom subcommittee I am on with 
dealing with issues involving the Internet, and then you say we can 
do that here, but how do we get at it when it is offshore?  In this 
context?  What are you seeing in terms of foreign involvement and 
our ability to get at it?  Are we just going to drive this whole 
problem offshore and out of reach?  
MR. WINSTON.  I think that is a good point and a real concern.  
Certainly in the identity theft area, more and more we are seeing, 
mainly out of Eastern Europe, organized criminal rings that are 
hiring people to get this information and then selling it, so that 
is a problem. 
MR. WALDEN.  One way to get at it would be that when we engage in 
treaties and trade agreements, that somehow we also lock down 
provisions to protect consumers and their identity?  
MR. WINSTON.  Absolutely.  And a lot of that work is ongoing. 
MR. WALDEN.  Do you do that now?  
MR. WINSTON.  We do some of that now.  And as part of our task force, 
we are going to be pushing for additional opportunities to do that. 
MR. WALDEN.  And Ms. Monteith, are carriers better protecting 
their CPNI?  
MS. MONTEITH.  I think we have seen, as a result of our 
investigations, that carriers are moving to take some additional 
safeguards, yes.  Certainly with respect to the kinds of information 
they require for access to accounts, we heard today that carriers 
are moving to not give information out over the telephone.  Those 
kinds of things, yes. 
MR. WALDEN.  Okay, well, I really appreciate your assistance to our 
efforts today.  I appreciate your comments, your answers to our 
questions and that of the other panelists who have been willing to 
actually talk to us.  Are we batting 50-50 on panelists invited 
who talk to us versus panelists who are invited who have decided not 
to talk?  
MR. WHITFIELD.  It is about 50-50. 
MR. WALDEN.  Well, thank you all very much, Mr. Chairman and I yield 
back the remainder of my time. 
MR. WHITFIELD.  We have had so many hearings on pretexting, we have 
given some thought to just going around and taking somebody by 
random and bringing them in and talk to them about it. 
But we genuinely thank you all for being here and for the work you 
are doing in this area and for your testimony.  And you all are 
dismissed and we look forward to continuing to work with you. 
Without objection, we are certainly going to enter into the record 
our document book, which we have not done yet.  So with that, this 
hearing is adjourned, and thank you all so much. 
[The information follows:] 



[Whereupon, at 1:50 p.m., the subcommittee was adjourned.]


1  The views expressed in this statement represent the views of the 
Attorney General.  My oral testimony and responses to questions 
reflect my own views and do not necessarily represent the views of 
the Office of the Attorney General. 
2  State of Florida v. 1st Source Information Specialists, Inc. et 
al, Case No.:06-CA-234, Leon County Circuit Court (Honorable Lindy 
Lewis, Circuit Judge).  Steven Schwartz and Kenneth Gorman were 
also named as defendants in the action. A default has been entered 
against defendant Gorman.  
The 1st Source Complaint is available at: 
http://myfloridalegal.com/webfiles.nsf/WF/MRAY-6L8KGC/$file/1stSource_Complaint.pdf
The Subcommittee on Oversight and Investigations requested and 
subpoenaed documents from Steven Schwartz and subsequently subpoenaed 
Mr. Schwartz's appearance before the Subcommittee on June 21, 2006. 
7  Laurie Misner purchased the business known as Global Information 
Group, Inc. from Edward Herzog in 2005, with Mr. Herzog remaining an 
integral part of the business.  The Subcommittee on Oversight and 
Investigations requested information from Laurie Misner as part of 
its investigation.  Representatives from the Subcommittee have 
represented that Ms. Misner will appear before the Subcommittee for 
testimony on June 21, 2006. 
8  Representatives from the Subcommittee have represented that 
Mr. Herzog has been subpoenaed to appear before the Subcommittee for 
testimony on June 21, 2006. 
9  Chapter 501, Part II, Florida Statutes (2005).
10  Section 817.568(2), Florida Statutes (2005)
11  Section 501.201(3)(c), Florida Statutes (2005)
12  The Complaint is available at: http://myfloridalegal.com/webfiles.nsf/WF/MRAY-6M9RY3/$file/Global_Complaint.pdf
Press Release: Crist Charges Second Data Broker Over Sale of Phone Records - Global Information Group, Inc. Provided Private Telephone Records To Third Parties
http://myfloridalegal.com/__852562220065EE67.nsf/0/5DEE071447E329878525711F0051E195?Open&Highlight=0,global
13  In addition to Florida's action, Global has been sued by three telecommunications providers (Verizon Wireless, T-Mobile, and Cingular Wireless) as well as by an individual, Charles Jones, Sr., in Jones v. Global Information Group, Inc., et al in Indiana Federal court.  The providers have all obtained injunctions to date, specific to their entities.  The private cause of action is active and ongoing.
14  Cellco Partnership d/b/a Verizon Wireless v. Global Information Group, Inc, et al; Case No.: 05-09757; Hillsborough County Circuit Court; Motion to Dismiss Complaint Against Edward Herzog, filed Dec. 2, 2005
15   The Consent Judgment and Permanent Injunction is available at: http://myfloridalegal.com/webfiles.nsf/WF/MRAY-6NSLD8/$file/Global_Settlement.pdf
Press Release: Crist: Judgment to End Data Broker's Business
http://myfloridalegal.com/__852562220065EE67.nsf/0/F677BFA978E00C938525714E0059D49C?Open&Highlight=0,global
16  As a criminal investigation is underway, the Attorney General 
or his representative may be unable to address certain inquiries to 
avoid compromising the ongoing investigation.
17  The term "telephone company" is defined to specifically include Voice 
Over Internet Protocol (VoIP) and similar technological advancements; 
"Personal identification information" is defined to include the 
statutorily defined categories of information in section 817.568(1), 
such as telephone number, date of birth, etc; "Identity" is defined 
to include, inter alia, employer issued identification and individual 
access codes for computer interaction with accounts.  
Certain language introducing the prohibited conduct has been paraphrased, and the foregoing definitions are paraphrased for convenience, but does not constitute an interpretation contrary to the Consent Judgment and Permanent Injunction entered by the court or an interpretation for substantive purposes as may be required at some future date.
18  2006-141, Laws of Florida, codified HB 871.  
19  House of Representatives Staff Analysis dated April 10, 2006 (noting Justice Council Amendment removing exceptions contained in the original bill including activities of private investigators)  http://www.flsenate.gov  
http://www.flhouse.gov/Sections/Documents/loaddoc.aspx?FileName=h0871d.JC.doc&DocumentType=Analysis&BillNumber=0871&Session=2006
20  RM-11277 relating to Telecommunications Carriers Use of Customer Proprietary Network Information (CPNI), CC Docket No. 96-115 (FCC NPRM)
21  The referenced comments submitted by the Attorneys General are available electronically at: http://www.naag.org/news/pdf/20060509-FinalCPNICommentstoFCC.pdf.  The comments address, generally: enhanced security and authentication standards; existing privacy protections of CPNI; effectiveness of notices to customers regarding use of CPNI; extension of CPNI requirements to VoIP providers; wireless customers' privacy expectations; adequacy of existing protections for privacy of CPNI; and the States' recommendations.
22  A security freeze will be an available option for Floridians effective July 1, 2006 as Governor Bush signed HB37 into law on June 9, 2006.  2006-124, Laws of Florida, codifies HB37.
1  Florida State Statutes Chapter 27.04 and Chapter 934.23
1 Call records contain such information as dates calls were made, numbers called and the duration of such calls. This type of information is provided to law enforcement by telephone companies upon service of a subpoena. This type of information should not be available in the public realm, unlike names, matched with telephone numbers and addresses.