[Senate Hearing 109-452]
[From the U.S. Government Publishing Office]


                                                        S. Hrg. 109-452
 
                  PROTECTING CONSUMERS' PHONE RECORDS

=======================================================================

                                HEARING

                               before the

    SUBCOMMITTEE ON CONSUMER AFFAIRS, PRODUCT SAFETY, AND INSURANCE

                                 OF THE

                         COMMITTEE ON COMMERCE,
                      SCIENCE, AND TRANSPORTATION
                          UNITED STATES SENATE

                       ONE HUNDRED NINTH CONGRESS

                             SECOND SESSION

                               __________

                            FEBRUARY 8, 2006

                               __________

    Printed for the use of the Committee on Commerce, Science, and 
                             Transportation




                                 _____

                 U.S. GOVERNMENT PRINTING OFFICE

27-705                 WASHINGTON : 2006




        SENATE COMMITTEE ON COMMERCE, SCIENCE, AND TRANSPORTATION

                       ONE HUNDRED NINTH CONGRESS

                             SECOND SESSION

                     TED STEVENS, Alaska, Chairman
JOHN McCAIN, Arizona                 DANIEL K. INOUYE, Hawaii, Co-Chairman
CONRAD BURNS, Montana                JOHN D. ROCKEFELLER IV, West Virginia
TRENT LOTT, Mississippi              JOHN F. KERRY, Massachusetts
KAY BAILEY HUTCHISON, Texas          BYRON L. DORGAN, North Dakota
OLYMPIA J. SNOWE, Maine              BARBARA BOXER, California
GORDON H. SMITH, Oregon              BILL NELSON, Florida
JOHN ENSIGN, Nevada                  MARIA CANTWELL, Washington
GEORGE ALLEN, Virginia               FRANK R. LAUTENBERG, New Jersey
JOHN E. SUNUNU, New Hampshire        E. BENJAMIN NELSON, Nebraska
JIM DeMINT, South Carolina           MARK PRYOR, Arkansas
DAVID VITTER, Louisiana
             Lisa J. Sutherland, Republican Staff Director
        Christine Drager Kurth, Republican Deputy Staff Director
             Kenneth R. Nahigian, Republican Chief Counsel
   Margaret L. Cummisky, Democratic Staff Director and Chief Counsel
   Samuel E. Whitehorn, Democratic Deputy Staff Director and General 
                                Counsel
             Lila Harper Helms, Democratic Policy Director
                                 ------                                

    SUBCOMMITTEE ON CONSUMER AFFAIRS, PRODUCT SAFETY, AND INSURANCE

                    GEORGE ALLEN, Virginia, Chairman
TED STEVENS, Alaska                  MARK PRYOR, Arkansas, Ranking
CONRAD BURNS, Montana                DANIEL K. INOUYE, Hawaii
JIM DeMINT, South Carolina           BARBARA BOXER, California
DAVID VITTER, Louisiana


                            C O N T E N T S

                              ----------                              
Hearing held on February 8, 2006
Statement of Senator Allen
Statement of Senator Boxer
    Prepared statement
Statement of Senator Burns
    Prepared statement
Statement of Senator Dorgan
Statement of Senator Inouye
    Prepared statement
Statement of Senator Bill Nelson
Statement of Senator Pryor
Statement of Senator Smith
Statement of Senator Stevens
    Prepared statement
Statement of Senator Vitter

                               Witnesses

Douglas, Robert, Chief Executive Officer, PrivacyToday.com
    Prepared statement
Largent, Hon. Steve, President/Chief Executive Officer, Cellular 
  Telecommunications and Internet Association (CTIA)
    Prepared statement
Monteith, Kris Anne, Chief, Enforcement Bureau, Federal 
  Communications Commission
    Prepared statement
Parnes, Lydia B., Director, Bureau of Consumer Protection, 
  Federal Trade Commission
    Prepared statement
Rotenberg, Marc, Executive Director, Electronic Privacy 
  Information Center
    Prepared statement
Schumer, Hon. Charles, U.S. Senator from New York
Southworth, Cindy, Director, Technology and the Safety Net 
  Project, National Network to End Domestic Violence
    Prepared statement

                                Appendix

Response to written questions submitted by Hon. Daniel K. Inouye 
  to:
    Kris Anne Monteith
    Lydia B. Parnes
    Marc Rotenberg
    Cindy Southworth


                  PROTECTING CONSUMERS' PHONE RECORDS

                              ----------                              


                      WEDNESDAY, FEBRUARY 8, 2006

                               U.S. Senate,
 Subcommittee on Consumer Affairs, Product Safety, 
                                     and Insurance,
        Committee on Commerce, Science, and Transportation,
                                                    Washington, DC.
    The Subcommittee met, pursuant to notice, at 2:30 p.m. in 
room SD-562, Dirksen Senate Office Building, Hon. George Allen, 
Chairman of the Subcommittee, presiding.

            OPENING STATEMENT OF HON. GEORGE ALLEN, 
                   U.S. SENATOR FROM VIRGINIA

    Senator Allen. Good afternoon. I call this hearing of the 
Senate Subcommittee on Consumer Affairs, Product Safety, and 
Insurance to order. This hearing is going to examine ways to 
protect consumers' phone records from being fraudulently 
obtained and sold into the public domain. I am pleased to see 
the Ranking Member of the Subcommittee, Senator Pryor, here 
with us, as well as the Chairman of the Full Committee, Senator 
Stevens, and the Ranking Member, Senator Inouye. Senator Vitter 
and Senator Burns and other Senators will be appearing.
    This is a very serious topic that is disturbing to all of 
us, that people can fraudulently obtain someone's phone records 
surreptitiously, without their knowledge, and invade their 
privacy. We appreciate all the witnesses who will be here 
today. We are going to, instead of two panels, have all the 
witnesses in one panel, all six, after we hear from Senator 
Schumer. We appreciate all of you being here. We look forward 
to your testimony.
    The impetus, of course, of this hearing today is the 
deceptive practice of obtaining and selling confidential phone 
records without an owner's consent. I know I probably speak for 
all Americans, and Members of the Subcommittee, when I say that 
it was important to take action as soon as we heard that these 
unscrupulous marketers were obtaining and selling confidential 
personal phone billing records. This is fraudulent and criminal 
activity that must be prosecuted and must be stopped to protect 
innocent people.
    Especially of concern to me are the rights of some women, 
who have had their privacy violated by stalkers who use the 
information to get details of their personal lives--also 
harming law enforcement investigations. This fraudulent 
activity can be every bit as harmful, and in some cases even 
more disconcerting, than when a third party uses false 
pretenses to obtain an innocent person's confidential financial 
records.
    In some cases, even physical harm can result from one's 
private phone records becoming a public record. We have a 
witness today who will explain how domestic violence can result 
if a woman's call records are divulged to an abusive spouse or 
an ex-boyfriend. We will also hear how law enforcement can be 
hindered if records of an undercover agent are suddenly made 
available to a criminal party.
    We all feel that we cannot allow these unscrupulous, 
deceptive, and fraudulent practices to continue. That is why 
Chairman Stevens and I, along with the Ranking Member, Senator 
Pryor, decided that we should hold a hearing, listen, learn, 
and then craft legislation, effective legislation--do not just 
pass a bill, but let us make sure this is effective 
legislation--to protect innocent individuals from becoming prey 
to conniving people willing to make a quick buck by violating 
someone's privacy and security.
    Senator Stevens and I and others are working on legislation 
to address this issue, but it is important that we listen. We 
will hear from our witnesses today regarding a prudent, 
balanced perspective on how to ensure that customer phone 
records are protected. We hope that our witnesses will offer to 
us possible solutions as well. We look forward to hearing from 
each of our witnesses on a commonsense and properly focused 
solution to avoid any unintended consequences. In fact, any 
Federal involvement in addressing deceptive business practices 
can harm, obviously, consumers; it does need to be reasonable; 
and, it needs to be effective.
    With that, I would now like to turn it over to Senator 
Pryor if he would like to make an opening statement, and then 
opening statements from--while he was not the next one here, I 
will defer to the Chairman and Ranking Member, and then in the 
order in which Senators arrived. Senator Pryor.

                 STATEMENT OF HON. MARK PRYOR, 
                   U.S. SENATOR FROM ARKANSAS

    Senator Pryor. Thank you, Mr. Chairman.
    The Internet has provided a whole new world of information 
services and a vigorous platform to conduct commerce. 
Unfortunately, the success of the Internet has also created 
problems regarding consumer privacy, which this Committee has 
wrestled with for the past several years. There has been spam, 
spyware, identity theft, and several other issues we have 
tackled with varying degrees of success.
    Congress has been addressing issues of privacy in a 
piecemeal fashion and this approach, quite frankly, places us 
at a disadvantage. There is always a new threat to our privacy 
because of the very nature of changing technology and Congress 
has to address each threat separately.
    Today we face the threat of data brokers selling cell phone 
records with $100 in their pocket. Phone records make the owner 
of that phone number especially vulnerable. These records show 
every incoming and outgoing number, the duration of the call, 
and even the location of the numbers called. GPS systems are on 
all cell phones now, making it possible for sophisticated 
parties to track the person holding the cell phone.
    I reviewed the testimony and our witnesses note that some 
data brokers have been selling cell phone records for years and 
have likely been obtaining these records by legally 
questionable practices. There can be only a few ways to get a 
cell phone number and record for virtually anyone in the United 
States just within a few hours. The sellers either get the 
information by fraudulent misrepresentations, or pretexting, 
hacking into a phone company database, or bribing a phone 
company employee to steal this information.
    However this information gets into the hands of data 
brokers, it has to stop. The consequences of this type of 
information being available to anyone are too severe. As the 
Chairman mentioned a moment ago, murderers have been aided by 
the information sold by these data brokers and countless others 
have been endangered.
    The Federal Trade Commission and the Federal Communications 
Commission have regulatory responsibility in protecting the 
privacy of consumers. The FTC has jurisdiction over the data 
brokers and other sellers of this type of information via its 
authority from section 5 of the FTC Act. The FCC has 
jurisdiction over the telecommunications company via section 
222 of the 1996 Telecommunications Act.
    We need to make sure that both agencies have the statutory 
authority they need to quickly and effectively end this 
activity. Most importantly, we must make sure that both 
agencies use their authority aggressively and that they are 
working together to vigorously protect and prosecute these 
cases. I look forward to hearing from today's witnesses and 
moving quickly toward a solution that will protect all of 
America's consumers.
    I would also like to welcome Senator Schumer, wherever he 
may be, because he has done some work on this issue and he has 
really shown some leadership here.
    Mr. Chairman.
    Senator Allen. Thank you, Senator.
    Now we would like to hear from the Chairman of the Full 
Committee, Senator Stevens, who has been working and trying to 
address this matter. We thank you, Mr. Chairman, for allowing 
the Subcommittee to hold this hearing, and I think it will 
allow us to craft workable and effective legislation.

                STATEMENT OF HON. TED STEVENS, 
                    U.S. SENATOR FROM ALASKA

    The Chairman. Thank you, Mr. Chairman. I would ask that you 
put my prepared remarks in the record.
    Senator Allen. Without objection.
    The Chairman. I am here despite another conflict because I 
want to listen to the FCC. I am particularly interested in 
knowing why the FCC regulation requires notice to a party 
before moving to an enforcement action. In effect, they give 
notice to the people that are doing wrong that they are about 
ready to look into whether they are doing wrong. So they just 
disappear and we never have a real enforcement. So I hope that 
FCC can address that.
    But please put my statement in the record. Thank you.
    Senator Allen. Without objection, the full statement will 
be put in the record. If opening statements could be limited to 
5 minutes, and full statements will be made part of the record.
    [The prepared statement of Senator Stevens follows:]

    Prepared Statement of Hon. Ted Stevens, U.S. Senator from Alaska
    The recent reports detailing the ease with which third parties can 
access private phone records are alarming. These reports have shown us 
that it is important that Congress ensure that Americans' phone records 
are protected and that there will be severe penalties for invading 
phone record privacy.
    I have been working on crafting a legislative solution to address 
this growing problem and assess the proper role of government. As we 
move forward, I look forward to continuing to work with the industry, 
the relevant Federal agencies, and other Members of Congress to ensure 
that all phone records are kept safe.
    This hearing is an important step as this Committee addresses this 
issue. But we are not alone in this fight, and I look forward to 
hearing the thoughts of the Federal agencies with oversight, the 
industry, and concerned public interest groups.

    Senator Allen. Now we would like to hear from the Ranking 
Member of the Full Committee, Senator Inouye.

              STATEMENT OF HON. DANIEL K. INOUYE, 
                    U.S. SENATOR FROM HAWAII

    Senator Inouye. Mr. Chairman, I thank you very much and 
commend you for convening this hearing. I wish to associate 
myself with your remarks, with that of the Chairman Stevens, 
and Mr. Pryor as I see what is pending before us, the 
horrendous possibility of invasion of privacy. I have got a 
cell phone and all of us have cell phones and just the thought 
that someone is passing information to others just horrifies 
me.
    Thank you very much, sir. May I have my statement put in 
the record.
    Senator Allen. Your full statement will be made part of the 
record.
    [The prepared statement of Senator Inouye follows:]

 Prepared Statement of Hon. Daniel K. Inouye, U.S. Senator from Hawaii
    It was troubling to learn that unscrupulous data brokers have made 
a business of selling consumers' personal phone records. Equally 
disturbing is the fact that the Federal Trade Commission (FTC) received 
numerous complaints about these egregious practices and refused to act 
on them.
    While many recent identity theft scams have employed tech-savvy 
tactics of hackers, the sale of consumer phone records is simply the 
work of swindlers. It is well within the FTC's current authority to 
address this problem. I understand the FTC found numerous instances of 
cell phone record sales in other investigations related to financial 
services and chose to turn a blind eye.
    Unfortunately, the FTC's inaction resulted from a lack of 
attention, not a lack of authority. Nonetheless, if further clarity and 
additional authority are necessary, this Committee should not hesitate 
to provide it.
    The Federal Communications Commission (FCC) has a key role to play 
as well. The FCC must ensure that telecommunications providers are 
doing all that is necessary to protect the confidentiality of consumers' 
phone records, or what is also known as customer proprietary network 
information (CPNI). The FCC appears to be taking this matter seriously.
    Next week, the FCC will consider ways to strengthen CPNI safeguards 
through rulemaking. In addition, FCC Chairman Kevin Martin has 
recommended specific Congressional action to address this problem, 
including enhancing the FCC's enforcement authority.
    We also need to keep in mind emerging services, such as Voice over 
Internet Protocol (VoIP). They, too, must be subject to the same 
privacy requirements. Consumers have every right to expect that their 
personal data will be protected regardless of the communications 
service they choose to utilize.
    It is my hope that the recent press attention to this matter has 
served as a wake up call, and that, in the interest of consumer privacy 
and public safety, the FTC and FCC do everything they can to eliminate 
these egregious practices as quickly as possible. I can assure both 
agencies that this Committee will be a willing and cooperative partner 
in their efforts.

    Senator Allen. Now we would like to hear from Senator 
Vitter of Louisiana. Welcome, Senator.

                STATEMENT OF HON. DAVID VITTER, 
                  U.S. SENATOR FROM LOUISIANA

    Senator Vitter. Thank you, Mr. Chairman, and thank you for 
holding the hearing today. It is clearly a very important 
issue. I join everybody in expressing my concern and outrage 
about data broker companies with fraudulent websites selling 
these sorts of records. It is clearly a part of the growing 
family of issues like identity theft that we need to get ahead 
of the curve on in this Committee, and this Subcommittee is a 
big part of that.
    I understand, as others have said, that there are many 
theories about how these data brokers get this information. It 
could come from inside the wireless companies by a corrupt 
employee, by hacking into the system, by pretexting. However it 
is obtained, we need to do what we can to protect consumers.
    My first thought is that all of these practices appear to 
be criminal activities already, but because there are loopholes 
in the current law and probably even bigger loopholes in the 
enforcement, we need to do more. My hope is we will follow up 
on this hearing and move legislation that removes all doubt 
and, even more importantly, gives relevant agencies the powers 
they need to go after this fraud. I believe we should focus on 
fraudulent actors and make sure this is stopped.
    Again, Mr. Chairman, I want to thank you for calling this 
hearing. I look forward to working with you and the rest of the 
Subcommittee.
    Senator Allen. Thank you, Senator Vitter.
    Now we would like Senator Burns, if you would have any 
opening remarks and wisdom.

                STATEMENT OF HON. CONRAD BURNS, 
                   U.S. SENATOR FROM MONTANA

    Senator Burns. Thank you, Mr. Chairman and Ranking Member 
Pryor. I appreciate that, and the Members of this Committee. I 
would ask unanimous consent that my statement be made part of 
the record today.
    Senator Allen. Without objection.
    But I just want to bring up--and I am glad to see Senator 
Schumer here. We are on a bill right now. We are crafting a 
bill. It is the Consumer Telephone Records Protection Act of 
2006. We look forward to working with Members on this 
Committee, knowing that you are interested in this, and 
whenever you get your legislation put back together we can 
marry up with those two pieces and I think could come up with a 
pretty good bill.
    I was appalled when I learned of this, that anybody could 
call up a telephone company and, especially with a stolen 
Social Security number and your date of birth, you can obtain 
the records, and those records were being harvested. Then you 
have got people that put up a website that says, we will sell 
you that number for 100 bucks or so, whatever. I thought--I 
just could not believe it.
    I want to applaud first Chairman Martin of the FCC for the 
action that he has taken pursuant to the statutory authority to 
protect consumers' personal telephone records. If you take 
right out of section 222 of the Communications Act and the 
Commission's rule will result, I think, in pretty strong 
enforcement by the FCC. The FTC also is involved in this.
    But we have got to make this fine on those who would 
participate in such an action such as this a pretty hefty fine 
and with some little jail time behind it, because basically you 
are robbing a person's private records. It can be used for a 
multitude of things. We all have cell phones.
    Now, I would say, today is the tenth anniversary of the 
telecom bill of 1996, and I can remember working on that bill a 
long time and it took a long time, I think anyways, from 1991 
to 1996, to get that changed. We were trying to deal with 
1990s' technology with a 1935 law. Now we have got to go back, 
because technology moves so fast, and look at that Act again. 
How much did we miss the number of prospective cell phone users 
by the year 2000? We only missed it 300 percent. I do not think 
you want me coming out and estimating what you can produce on 
your ranch under those kind of circumstances.
    But this is appalling and we must take action. It has to be 
now and it has to be stringent. There can be no loopholes in it 
like that exist today in the law.
    I thank the Chairman for having these hearings.
    [The prepared statement of Senator Burns follows:]

   Prepared Statement of Hon. Conrad Burns, U.S. Senator from Montana
    Good afternoon Chairman Allen, Ranking Member Pryor, Members of the 
Committee, and distinguished panelists. Thank you for holding this 
important hearing on protecting consumers' phone records. First, I am 
very disturbed about the disclosure and sale of personal telephone 
records through data brokers pretexting or by data brokers obtaining 
access to consumers' accounts online by overcoming carriers' data 
security protocols.
    As an original cosponsor of the Consumer Telephone Records 
Protection Act of 2006, I'm proud to say my bill will close existing 
loopholes and will make you pay a hefty price in both money and jail 
time if you access someone's private records without their permission. 
Importantly, this bill criminalizes the act of pretexting, adding a new 
violation for fraud and related activity connected with obtaining 
confidential phone records from a company that provides telephone 
service. Specifically, the Consumer Telephone Records Protection Act of 
2006 proposes that for each occurrence the illegal actor can be fined 
up to $250,000 and/or imprisoned for up to 5 years. These penalties can 
be doubled for aggravated cases. The criminal violations in this bill, 
along with action taken by the FCC and further Congressional Action, if 
needed, will restore consumers' confidence that their personal 
information is safe when they sign up for phone service with a 
telecommunications company.
    Next, I want to applaud Chairman Martin for the action that the FCC 
has undertaken pursuant to its statutory authority to protect 
consumers' personal telephone records. Chairman Martin recently 
appeared before the House of Representatives and testified that any 
noncompliance by telecommunications carriers with the customer 
proprietary network information (CPNI) obligations under section 222 of 
the Communications Act and the Commission's rules will result in strong 
enforcement action by the FCC. Section 222 of the Communications Act 
was written to protect consumers' privacy. Specifically, it provides 
that carriers must protect the confidentiality of customer proprietary 
network information. CPNI includes, among other things, customers' 
calling activities and history, and billing records.
    Under FTC Law, it is already considered an illegal deceptive 
business practice to use false pretenses to gather a consumer's 
financial information. The FTC has the power to pursue actions against 
phone record pretexters based on its authority to prevent deceptive and 
unfair business practices, but without this statutory authority spelled 
out in a statute, a question of statutory interpretation regarding FTC 
authority could be litigated. Furthermore, even if the FTC's authority 
to pursue actions against pretexters of phone records is assumed, the 
FTC is not authorized to immediately impose civil penalties against 
third party data brokers.
    Unfortunately, in today's information age, there are those who are 
constantly seeking new ways to navigate the gray areas of our laws in 
hopes of finding something they can use to their advantage. My bill 
will shine a bright light on this particular gray area, wiping it out, 
and protect Americans from these rats who invade someone's privacy.
    Thank you all for your time and concern and I look forward to 
working with the Members of this Committee, panel and other interested 
parties as this discussion moves forward.

    Senator Allen. Thank you, Senator Burns.
    Senator Boxer.

               STATEMENT OF HON. BARBARA BOXER, 
                  U.S. SENATOR FROM CALIFORNIA

    Senator Boxer. Thank you so much, Mr. Chairman. I really 
appreciate your having this hearing. The battle to keep 
confidential consumer information is never-ending. It seems 
like every month we hear of a new way that shady companies are 
exploiting the information of consumers for a profit.
    The latest example is the sale of phone records by online 
data brokers. We have all read that sites like datatraceusa.com 
will sell a person's phone records to anyone willing to spend 
$100. The time, duration, and number of every call a person has 
made from their phone is being made available to the public. 
Such information is being purchased by the likes of abusive 
spouses, leading to more domestic violence, and stalkers, who 
are able to infiltrate the lives of their victims.
    It has gotten to the point that the Chicago police and the 
FBI are warning their undercover agents that their phone 
records may be compromised, which could lead to their cover 
being blown. Most of the online data brokers take no steps to 
make sure that the information is being used for legitimate 
purposes. Moreover, the data brokers themselves are using 
fraudulent means to obtain the information from cell phone 
companies. In the pursuit of making a few dollars, these 
companies are helping criminals and undermining law 
enforcement. This must be stopped.
    That is why I have cosponsored the Consumer Telephone 
Records Protection Act introduced by Senators Specter and 
Schumer, and I am so glad that Senator Schumer is here. This 
bill will criminalize the sale of phone records without the 
consent of the subscriber. Mr. Chairman, it is a very simple 
notion and it will work.
    I also would urge my colleagues to support another privacy 
bill, introduced by Senator Specter and myself, the Wireless 
411 Privacy Act, that prohibits the listing of a cell phone 
number in any wireless directory unless the subscriber elects 
to be included. Again, abused women should not have to worry 
that their cell phone number will be listed in a directory 
without them knowing about it. More generally, consumers should 
be able to keep their numbers private if that is what they 
want.
    So I would ask unanimous consent that the rest of my 
statement be placed in the record, Mr. Chairman. But I do feel 
we see this problem; we must act before people are really hurt. 
Also, we have a couple of bills out there that are so good, and 
they are bipartisan and they make sense. I hope we can move 
them quickly, and I think we will be doing something very good 
for our constituents.
    Thank you.
    Senator Allen. Thank you, Senator Boxer. Your full 
statement will be made part of the record.
    [The prepared statement of Senator Boxer follows:]

 Prepared Statement of Hon. Barbara Boxer, U.S. Senator from California
    Mr. Chairman, thank you for holding this hearing on the privacy 
rights of cell phone subscribers.
    The battle to keep confidential consumer information private is 
never ending. It seems like every month we hear of a new way that shady 
companies are exploiting the information of consumers for a profit.
    The latest example is the sale of phone records by online data 
brokers. We have all read that sites like datatraceusa.com will sell a 
person's phone records to anyone willing to spend $100.
    The time, duration, and number of every call a person has made from 
their phone is being made available to the public. Such information is 
being purchased by the likes of abusive spouses leading to more domestic 
violence and stalkers who are able to infiltrate the lives of their 
victims.
    It has gotten to the point that the Chicago police and FBI are 
warning their undercover agents that their phone records may be 
compromised, which could lead to their cover being blown.
    Most of the online data brokers take no steps to make sure that the 
information being sold is used for legitimate purposes. Moreover, the 
data brokers themselves are using fraudulent means to obtain the 
information from cell phone companies.
    In the pursuit of making a few dollars, these companies are helping 
criminals and undermining law enforcement.
    This must be stopped and that is why I have cosponsored the 
Consumer Telephone Records Protection Act introduced by Senators 
Schumer and Specter, which criminalizes the sale of phone records 
without the consent of the subscriber.
    I also would urge my colleagues to support another privacy bill I 
introduced last session and reintroduced last year with Senator 
Specter--the Wireless 411 Privacy Act. This bill prohibits the listing 
of a cell phone number in any wireless directory service unless the 
subscriber elects to be included.
    Abused women should not have to worry that their cell phone number 
will be listed in a directory without them knowing about it. And more 
generally, consumers should be able to keep their number private if 
that is what they want.
    This is especially important with respect to cell phone numbers, 
because consumers pay for each call they receive.
    Last session, a number of wireless carriers objected to certain 
provisions of my bill, including the requirement that subscribers opt-
in to being listed. It is my understanding that the major wireless 
companies no longer object to this provision.
    This is a promising change. It is a sign that companies are 
beginning to recognize that it is our responsibility to protect the 
privacy of consumers.
    In response to press reports, the wireless phone companies are 
improving their privacy practices and suing data brokers to prevent the 
release of their customers' phone records.
    Reacting to revelations in the papers of privacy breaches, however, 
is not enough. All companies--not just the wireless operators--should 
be proactive in protecting the privacy of their customers. They know 
the weakness of their own systems and how to fix those problems.
    If companies fail to act, Congress has a duty to step in and 
legislate the changes that are necessary to protect consumers.
    I look forward to hearing from the witnesses about what is being 
done to protect consumers' confidential information and I plan to work 
with this Committee to get my Wireless 411 Privacy bill marked-up and 
brought to the floor.
    Thank you, Mr. Chairman.

    Senator Allen. Senator Smith.

              STATEMENT OF HON. GORDON H. SMITH, 
                    U.S. SENATOR FROM OREGON

    Senator Smith. Thank you, Senator Allen and Chairman 
Stevens, for this very important hearing. The deceptive 
practice of pretexting has gotten, rightfully, a lot of 
attention lately. It is nothing more than lying to get 
something you are not entitled to have, and it is currently 
illegal. The Federal Trade Commission has the authority to 
pursue companies or individuals that engage in pretexting or 
other deceptive practices under section 5 of the FTC Act, which 
prohibits unfair or deceptive acts or practices in or affecting 
commerce.
    Using this authority, the FTC has brought civil actions 
against U.S. businesses that use false pretenses to gather 
information on consumers. Unfortunately, the FTC lacks 
authority to pursue bad actors operating overseas. We need to 
give the FTC these necessary tools. I sponsored the U.S. SAFE 
WEB Act with Senator Inouye, Senator McCain, Senator Nelson of 
Florida, Senator Burns, Senator Dorgan, and Senator Pryor. This 
is an important bill that will provide the FTC with the tools 
to protect consumers from cross-border fraud and deception, 
including pretexting. Our bill has already passed the Commerce 
Committee. It did so unanimously and I urge quick passage on 
the floor of the Senate. It will help solve this problem we are 
dealing with.
    One last point. Like consumers, phone companies are victims 
of fraud perpetrated by pretexters. Additional regulation of 
phone companies may not change fraudulent behavior of pretexters. 
I think it is important to emphasize that enforcement is the 
key. If we need more laws, let us get more laws. But let us 
enforce the laws that we have.
    Thank you, Mr. Chairman.
    Senator Allen. Thank you, Senator Smith.
    I would like to hear from our first panelist, all by his 
lonesome, but not by his lonesome insofar as this issue and 
concern. Senator Chuck Schumer has joined us today to discuss 
this issue in terms of the law enforcement perspective 
proceeding from his viewpoint as a Member of the Judiciary 
Committee. Senator Schumer's involvement also extends to a bill 
that he has recently introduced.
    Senator Schumer, you can go ahead with your testimony. Then 
we will hear from the rest of our witnesses. Senator Schumer.

              STATEMENT OF HON. CHARLES SCHUMER, 
                   U.S. SENATOR FROM NEW YORK

    Senator Schumer. Thank you. Thank you, Mr. Chairman, and I 
want to thank you, Senator Pryor, Chairman Stevens, and all the 
rest of the Members, for the opportunity to speak to you today. 
I know this issue is of great concern to all of us, protecting 
the very privacy and personal information that is kept part of 
people's telephone records, because when a person talks on the 
phone, whether it is their cell phone or their home phone, they 
have an expectation of privacy. No one thinks that information 
about who they are calling and when they are calling them, as 
well as all of the personal information kept by phone companies 
for billing purposes, are available for sale to anyone with 
$100. But, sadly, that is the case.
    The activities of websites such as locatecell.com and other 
pretexters who pose as telephone customers to get people's 
personal phone record information from the phone companies have 
made some of our most personal and confidential information 
vulnerable to criminals who want that information for nefarious 
purposes.
    Even worse, unauthorized access to this information can put 
law enforcement officers and victims of domestic abuse in 
danger. A former spouse, a stalker, can find out who their 
target is calling and intensely personal information, like who 
their doctor is, whether the person sees a psychologist. 
Targets of criminal investigations can find out if someone is 
talking to law enforcement authorities about them. And in a 
particularly frightening scenario, the FBI recently was able to 
obtain the cell phone records of one of its agents online in 
just 3 hours.
    Business people too are subject to this. A list of who a 
salesperson is calling upon could be available to a business 
rival.
    So this is a problem that we have to deal with. We already 
have a law that protects our financial information. Pretexting 
of financial information is illegal per se. That is in the 
Gramm-Leach-Bliley Act that many of us supported and worked on 
several years ago. But there is no Federal law that makes it a 
criminal offense to steal someone's cell phone records. Right 
now there are laws on the books, as has been mentioned, but 
they are general fraud statutes, far less specific, and not 
good tools according to law enforcement for what they need to 
go after these illegal acts.
    So far the cell phone companies have to go after pretexters 
with civil lawsuits or prosecutors have to cobble together a 
case from a patchwork of laws. But if all that pretexters 
really face are civil fines, they are going to look at this as 
the cost of doing business. What these thieves do is a crime 
and ought to be treated like a crime.
    That is why, along with Senator Specter and many others, 
eight Members of this Committee cosponsored legislation that 
will do that, make stealing a person's phone records a felony. 
It is called the Consumer Telephone Records Protection Act, and 
I am happy to report that we have a bipartisan group of 
cosponsors, mainly from the Commerce and Judiciary Committees, 
which are the two committees of relevant jurisdiction.
    In addition, three of the major wireless carriers--Verizon 
Wireless, T-Mobile, and Sprint Nextel--as well as consumer 
groups like Consumers Union, support the bill.
    It is a very simple bill. It makes it a crime to 
fraudulently buy someone's phone records. It prohibits the sale 
or transfer of those records and specifically prohibits 
employees of phone companies from selling this information.
    We are also looking at enhanced penalties when the records 
are used to commit a crime of domestic violence or if they are 
used to harm law enforcement officers. The bill also contains 
an enhanced penalty for multiple offenses, aimed at the 
websites and companies that make a business out of stealing 
records, such as some of them that are on the screen over 
there.
    All of the bipartisan support, support from industry and 
consumers groups, I think shows very clearly the need to do 
something now, and I look forward to working with all of you on 
the Commerce Committee, which you have jurisdiction, of course, 
over FTC and all of that (we have jurisdiction over the 
criminal law in Judiciary) to find a quick solution that will 
stop pretexters and protect the privacy of American citizens.
    Thank you.
    Senator Allen. Thank you, Senator Schumer.
    We would now like to hear from the rest of the panel. We 
appreciate again, Senator Schumer, your willingness to work 
with us. We look forward to working on a team effort.
    I would like all of the six witnesses to come forward. I 
will introduce all of the witnesses. The order that we will go 
through the witnesses' testimony will be: first, Ms. Kris 
Monteith and Ms. Lydia Parnes, then the Honorable Steve 
Largent, Marc Rotenberg, Robert Douglas, and Cindy Southworth. 
So if you could--it looks like we are not going to get them in 
that order.
    As our witnesses are getting seated, let me begin with a 
brief introduction of each for those assembled here and for our 
Committee. To start, we have Ms. Kris Monteith, the Chief of 
the Enforcement Bureau at the Federal Communications 
Commission. Ms. Monteith's role at the FCC places her in a 
direct role in protecting consumers' phone records. We 
appreciate your willingness to discuss the role of the FCC and 
what it can play in the safety of consumer phone records. Thank 
you for testifying.
    Next we will hear from Ms. Lydia Parnes, who is the 
Director--she is Director of the Bureau of Consumer Protection 
at the Federal Trade Commission. The FTC is at the center of 
protecting consumers from deceptive business practices. Ms. 
Parnes will be able to give us a better idea of how to deter 
this fraudulent behavior and put these bad actors out of 
business, and we want to do that for good. Thank you for being 
here.
    Next we will hear from the Honorable Steve Largent, 
President and CEO of the Cellular, Telecommunications and 
Internet Association, otherwise known as ``CTIA.'' He is a Hall 
of Famer, was there at the Superbowl. The Seattle Seahawks had 
a tough game. Still, they made it to the Superbowl. More 
importantly, as a Hall of Famer we hope you help bring this 
team here together for success in combatting these pretexters.
    Next we will hear from Mr. Marc Rotenberg, Mr. Rotenberg, 
who has actually been here testifying on several occasions. He 
is Executive Director of the Electronic Privacy Information 
Center, otherwise known as ``EPIC.'' He has testified on a 
variety of issues. We welcome you back. He is here to give us 
his suggestions on how to best prevent an individual's phone 
records from being compromised.
    Then we will hear from Mr. Robert Douglas, Chief Executive 
Officer of PrivacyToday.com. Mr. Douglas is a former private 
investigator and has testified in front of Congress multiple 
times regarding information security. He can provide us with 
examples of real-life experiences with pretexting. Thank you, 
Mr. Douglas, for coming all the way from Steamboat Springs, 
Colorado. I know you once lived in Virginia, but now you have a 
farther trek.
    Finally, we are going to hear from Cindy Southworth. Cindy 
Southworth is the Director of Technology and Director of the 
Safety Net Project at the National Network to End Domestic 
Violence. Ms. Southworth's testimony can shed light on the 
potential ramifications of a person's phone records being 
divulged to someone other than the customer. Domestic violence 
against women is her area of expertise and she can offer a 
perspective on how physical abuse can result if a woman's phone 
records are obtained from an abusive husband, ex-boyfriend, or 
stalker, and we appreciate, Ms. Southworth, your attendance 
today and we look forward to your insight.
    Senator Burns. Mr. Chairman, before we go to the witnesses, 
can I make an announcement here, because I have got to go to 
the floor in about 15 minutes.
    Senator Allen. All right.
    Senator Burns. Just an announcement to remind everybody. 
The Internet Caucus--and what we are talking about is the 
Internet here and the Internet business--is tonight, 5 o'clock, 
over in Dirksen G-50. We have got a lot of vendors----
    Senator Inouye. It is for Members.
    Senator Burns. Well, no; for everybody. Everybody can go. 
We do not check anybody at the door.
    Senator Allen. Open standards.
    Senator Burns. Open standards.
    I just thought I would remind it to you if you are in the 
buildings and want to attend that.
    Senator Allen. All right, thank you. Thank you, Senator 
Burns.
    Now we would like to hear from Ms. Monteith.

            STATEMENT OF KRIS ANNE MONTEITH, CHIEF, 
          ENFORCEMENT BUREAU, FEDERAL COMMUNICATIONS 
                           COMMISSION

    Ms. Monteith. Good afternoon, Mr. Chairman.
    Senator Allen. I am going to ask, in the event that you 
can, I know you all have written testimony. If you can present 
it in 5 minutes; if it is longer than 5 minutes you may 
summarize, and all of your testimony will be made part of the 
record. In the questioning of the witnesses, I would ask that 
the Senators also be limited to 5 minutes in their inquiries.
    Ms. Monteith.
    Ms. Monteith. Good afternoon, Mr. Chairman and Members of 
the Subcommittee and the Full Committee. I appreciate the 
opportunity to speak with you today about what appears to be an 
alarming breach of the privacy of consumers' telephone records. 
As Chairman Martin made clear in his testimony last week, the 
Commission is deeply concerned about the disclosure and sale of 
these records. Determining how this violation of consumers' 
privacy is happening and addressing it is a priority for the 
Commission.
    In my testimony today, I will describe the Commission's 
current investigation into this serious issue and then touch on 
the legislative proposals Chairman Martin identified as 
possible measures Congress might take to prevent data brokers 
from selling consumers' phone records.
    The Commission is taking numerous actions to combat this 
issue. First, we are investigating how data brokers are 
obtaining consumers' personal telephone records. Second, we are 
investigating whether telecommunications carriers are 
adequately protecting the privacy of the personal and 
confidential data entrusted to them by American consumers. 
Third, we are initiating a proceeding to determine what 
additional rules the Commission should adopt to further protect 
consumers' sensitive telephone records from unauthorized 
disclosure.
    The disclosure and sale of consumer phone records was 
brought to the Commission's attention late last summer. On 
August 30th, the Electronic Privacy Information Center filed a 
petition expressing concern over the sale of consumers' private 
telephone data by data brokers. The Commission's Enforcement 
Bureau began researching and investigating these practices. Its 
research culminated in the Commission issuing subpoenas to 
several of the most prominent data brokers. When these 
companies failed to adequately respond to the subpoenas, we 
issued letters of citation and referred the responses to the 
Department of Justice for enforcement.
    Subsequently, we issued subpoenas to another 30 data 
brokers and are awaiting their responses. We also made 
undercover purchases of phone records from various data brokers 
to assist us in targeting additional subpoenas and to determine 
exactly how the consumer phone record data is being disclosed.
    In conjunction with our investigation of data brokers, in 
December and January the Commission met with the major wireless 
and wireline providers to discuss efforts they have undertaken 
to protect their confidential consumer data. Formal letters of 
inquiry followed that required the carriers to document their 
customer data security procedures and practices, identify 
security and disclosure problems, and address any changes they 
have made in response to the data brokers issue.
    In late January we asked the five largest wireline and 
wireless carriers to send us their required annual compliance 
certificates. In addition, early last week the Enforcement 
Bureau issued notices of apparent liability in the amount of 
$100,000 against two companies for failure to comply with the 
certification requirement. We also issued a public notice 
requiring all telecommunications carriers to file their most 
recent certification with the Commission.
    Throughout our investigation, we have coordinated closely 
with the FTC and will continue to share any evidence of 
fraudulent behavior that we detect in the course of our 
investigation.
    Finally, several weeks ago Chairman Martin circulated an 
item to his fellow Commissioners granting EPIC's petition and 
inviting comment on whether additional Commission rules are 
necessary to strengthen the safeguards for customer records. 
The item will be acted on by February 10th.
    In response to questions about what Congress might do to 
prevent data brokers from selling consumers' phone records, 
Chairman Martin identified three primary actions. First, 
Congress could specifically make illegal the commercial 
availability of consumers' phone records. Second, Congress 
could overturn the Tenth Circuit ruling that limited the 
Commission's ability to implement more stringent protection of 
consumer phone record information. This ruling has resulted in 
a much broader dissemination of consumer phone records and may 
have contributed to the proliferation of the unlawful practices 
of data brokers that we are seeing today.
    Third, the Commission's enforcement tools could be 
strengthened by, for example, eliminating the citation 
requirement in section 503(b) of the Act, raising the statutory 
maximum forfeiture penalties, and lengthening the applicable 1-
year statute of limitations.
    To conclude, the disclosure of private calling records 
represents a significant invasion of privacy. The Commission 
looks forward to working collaboratively with the Members of 
this Subcommittee, other Members of Congress, and our 
colleagues at the Federal Trade Commission to ensure that 
consumers' personal phone data remains confidential. Thank you 
for the opportunity to testify. I would be pleased to answer 
your questions.
    [The prepared statement of Ms. Monteith follows:]

 Prepared Statement of Kris Anne Monteith, Chief, Enforcement Bureau, 
                   Federal Communications Commission
Introduction
    Good afternoon, Chairman Allen, Ranking Member Pryor, and Members 
of the Subcommittee. I appreciate the opportunity to speak with you 
today about what appears to be an alarming breach of the privacy of 
consumers' telephone records. As Chairman Martin made clear in his 
testimony last week, the entire Commission is deeply concerned about 
the disclosure and sale of these personal telephone records and will 
take strong enforcement action to address any noncompliance by 
telecommunications carriers with the customer proprietary network 
information (``CPNI'') obligations under section 222 of the 
Communications Act of 1934, as amended, (the Act) and the Commission's 
rules.
    In my testimony, I will describe the Commission's current 
investigation into the procurement and sale of consumers' private phone 
records and the steps the FCC is taking to make sure that 
telecommunications carriers are fully meeting their obligations under 
the law to protect those records.
    As the Subcommittee is aware, the issue of third parties known as 
``data brokers'' obtaining and selling consumers' telephone call 
records, which has been widely reported, is a tremendous concern for 
consumers, lawmakers, and regulators alike. Determining how this 
violation of consumers' privacy is happening and addressing it is a 
priority for Chairman Martin and the Commission. As outlined below, we 
are taking numerous steps to combat the problem. First, we are 
investigating the data brokers to determine how they are obtaining this 
information. Second, we are investigating the telecommunications 
carriers to determine whether they have implemented safeguards that are 
appropriate to secure the privacy of the personal and confidential data 
entrusted to them by American consumers. Third, the Commission is 
initiating a proceeding to determine what additional rules the 
Commission should adopt to further protect consumers' sensitive 
telephone record data from unauthorized disclosure.
Background
    Numerous websites advertise the sale of personal telephone records 
for a price. Specifically, data brokers advertise the availability of 
cell phone records, which include calls to and/or from a particular 
cell phone number, the duration of such calls, and may even include the 
physical location of the cell phone. In addition to selling cell phone 
call records, many data brokers also claim to provide calling records 
for landline and voice over Internet protocol, as well as non-published 
phone numbers. In many cases, the data brokers claim to be able to 
provide this information within fairly quick time frames, ranging from 
a few hours to a few days.
    The data brokers provide no explanation on their websites of how 
they are able to obtain such personal data. \1\ There are several 
possible theories for how these data brokers are obtaining this 
information. These data brokers may be engaged in ``pretexting,'' that 
is, obtaining the information under false pretenses--often by 
impersonating the account holder. In addition, they may be obtaining 
access to consumers' accounts online by overcoming carriers' data 
security protocols. To the extent this is the cause of the privacy 
breaches, we must determine whether this is in part due to the lack of 
adequate carrier safeguards. Finally, various telecommunications 
carriers could have ``rogue'' employees who are engaged in the practice 
of sharing this information with data brokers in exchange for a fee.
---------------------------------------------------------------------------
    \1\ The websites often contain statements that the information 
obtained is confidential and not admissible in court, and may specify 
that the purchaser must employ a legal avenue, such as a subpoena, for 
obtaining the data if the purchaser intends to use the information in a 
legal proceeding.
---------------------------------------------------------------------------
    The mandate requiring telecommunications carriers to implement 
adequate safeguards to protect consumers' call records is found in 
section 222 of the Act. Congress enacted section 222 to protect 
consumers' privacy. Specifically, section 222 of the Act provides that 
telecommunications carriers must protect the confidentiality of 
customer proprietary network information. CPNI includes, among other 
things, customers' calling activities and history, and billing records. 
The Act limits carriers' abilities to use customer phone records even 
for their own marketing purposes without appropriate consumer approval 
and safeguards. Furthermore, the Act prohibits carriers from using, 
disclosing, or permitting access to this information without approval 
of the customer, or as otherwise required by law, if the use or 
disclosure is not in connection with the provided service.
    When it originally implemented section 222, the Commission required 
telecommunications carriers to obtain express written, oral, or 
electronic consent from their customers, i.e., an ``opt-in'' 
requirement, before a carrier could use any customer phone records to 
market services outside the customer's existing service relationship 
with that carrier. The United States Court of Appeals for the Tenth 
Circuit (10th Circuit) struck down these rules finding that they 
violated the First and Fifth Amendments of the Constitution. Required 
by the 10th Circuit to reverse its ``opt-in'' rule, the Commission 
ultimately adopted an ``opt-out'' approach whereby a customer's phone 
records may be used by carriers, their affiliates, agents, and joint 
venture partners that provide communications-related services provided 
that a customer does not expressly withhold consent to such use.
    The Commission must determine whether carriers are complying with 
their obligations under section 222. In order to make this 
determination, we are examining the methods that data brokers use to 
gain access to consumers' call records, and the methods employed by 
carriers to guard against such breaches.
Commission Investigation
    The issue of the disclosure and sale of consumer phone records was 
brought to the Commission's attention late last summer. On August 30th, 
the Electronic Privacy Information Center (EPIC) filed a petition for 
rulemaking expressing concern about the sufficiency of carrier privacy 
practices and the fact that online data brokers were selling consumers' 
private telephone data. At this same time, the Commission's Enforcement 
Bureau began researching and investigating the practices of data 
brokers. This research culminated in the Commission issuing subpoenas 
to several of the most prominent data broker companies. These 
subpoenas, served in November 2005, sought details regarding how the 
companies obtained this phone record information and contained further 
questions about the companies' sale of consumer call records. 
Unfortunately, the companies failed to adequately respond to our 
request. As a consequence, we issued letters of citation to these 
entities for failing to fully respond to a Commission order and 
referred the inadequate responses to the Department of Justice for 
enforcement of the subpoenas. In addition, we subsequently served 
another approximately 30 data broker companies with subpoenas and are 
currently waiting for their response. Finally, in support of these 
investigations, we have made undercover purchases of phone records from 
various data brokers. The purpose of this information is to assist us 
in targeting additional subpoenas and in determining the exact method 
by which consumer phone record data is being disclosed.
    In conjunction with our investigation of data brokers, the 
Commission also focused its attention on the practices of the 
telecommunications carriers subject to section 222. Specifically, in 
December and January, the Commission's Enforcement Bureau staff met 
with the major wireless and wireline providers to discuss efforts they 
have undertaken to protect their confidential customer data and to 
prevent data brokers from obtaining and using such information. 
Discussions focused on the specific procedures employed to protect 
consumer call records from being accessed by anyone other than the 
consumers themselves. Staff also probed who within the companies has 
access to call record information and the procedures the carriers use 
to ensure that employees and other third parties with access to such 
information do not improperly disclose it to others. The carriers 
generally expressed their belief that the problems they have 
experienced in this area are largely, if not exclusively, related to 
attempts by individuals outside the company to obtain information 
through pretexting, rather than by ``rogue'' employees selling 
information to data brokers.
    In order to have the carriers' responses in written form, last 
month, we sent formal Letters of Inquiry to these carriers. Inquiry 
letters are formal requests for information from carriers that may 
trigger penalties if not answered fully. These letters require the 
carriers to document their customer data security procedures and 
practices, identify security and disclosure problems, and address any 
changes they have made in response to the data broker issue. In 
addition, under the Commission's rules, a telecommunications carrier 
``must have an officer, as an agent of the carrier, sign a compliance 
certificate on an annual basis stating that the officer has personal 
knowledge that the company has established operating procedures that 
are adequate to ensure compliance'' with the Commission's CPNI rules. 
In late January, we asked the five largest wireline and wireless 
carriers to send us their CPNI certifications. Early last week, the 
Enforcement Bureau issued Notices of Apparent Liability in the amount 
of $100,000 against both AT&T and Alltel for failure to comply with the 
certification requirement. We also issued a public notice requiring all 
telecommunications carriers to submit their most recent certification 
with us. To the extent that carriers are unable to do so, or do not 
respond adequately, we are prepared to take appropriate enforcement 
action against them as well.
    Coordination with the FTC and State Attorneys General. Because this 
problem implicates the jurisdiction of both the FCC and FTC, we have 
coordinated with the FTC throughout our investigation. Beginning last 
summer, Commission staff and FTC staff have been in regular contact 
regarding the sale of phone records by data brokers. In addition, 
Chairman Martin met with Chairman Majoras late last year and discussed 
this issue, among others. Commission staff will continue to coordinate 
closely with the FTC staff and share with them any evidence of 
fraudulent behavior that we detect in the course of our investigation.
    The FCC has also responded to several inquiries and provided 
guidance to individual state Attorneys General, and the National 
Association of Attorneys General (NAAG). As you are aware, a number of 
states, including Florida, Illinois, and Missouri have taken recent 
legal action against data brokers.
Commission's Efforts to Strengthen Existing CPNI Rules
    As I mentioned previously, EPIC filed a petition with the 
Commission raising concerns about the sale of call records. 
Specifically, EPIC petitioned the Commission to open a proceeding to 
consider adopting stricter security standards to prevent carriers from 
releasing private consumer data. Several weeks ago, Chairman Martin 
circulated an item to his fellow Commissioners granting EPIC's petition 
and inviting comment on whether additional Commission rules are 
necessary to strengthen the safeguards for customer records. 
Specifically, the item seeks comment on EPIC's five proposals to 
address the unlawful and fraudulent release of CPNI: (1) consumer-set 
passwords; (2) audit trails; (3) encryption; (4) limiting data 
retention; and (5) notice procedures to the customer on release of CPNI 
data. In addition to these proposals, the item also seeks comment on 
whether carriers should be required to report further on the release of 
CPNI. Further, the item tentatively concludes that the Commission 
should require all telecommunications carriers to certify on a date 
certain each year that they have established operating procedures 
adequate to ensure compliance with the Commission's rules and file 
these certifications with the Commission.
    As Chairman Martin has indicated, the item has been distributed to 
the Commissioners for their consideration and will be acted on by 
February 10, 2006.
Legislative Assistance
    In addition to the Commission's actions, several members have asked 
for the Commission's views on any potential changes to the law that 
could help combat this troubling trend. Chairman Martin has identified 
three primary actions that Congress could take to prevent data broker 
companies from selling consumers' phone records. First, Congress could 
specifically make illegal the commercial availability of consumers' 
phone records. Thus, if any entity is found to be selling this 
information for a fee, regardless of how it obtained such information, 
it would face liability.
    Second, Congress could overturn the ruling of a Federal court that 
limited the Commission's ability to implement more stringent protection 
of consumer phone record information. Specifically, when the Commission 
first implemented section 222, it required carriers to obtain express 
written, oral, or electronic consent from their customers, i.e., an 
``opt-in'' requirement before a carrier could use any customer phone 
records to market services outside the customer's existing service 
relationship with that carrier. The Commission held that this ``opt-
in'' requirement provided consumers with the most meaningful privacy 
protection. In August of 1999, the 10th Circuit struck down these rules 
finding that they violated the First and Fifth Amendments of the 
Constitution. Required by the 10th Circuit to reverse its ``opt-in'' 
rule, the Commission adopted an ``opt-out'' approach whereby a 
customer's phone records may be used by carriers, their affiliates, 
agents, and joint venture partners that provide communications-related 
services provided that a customer does not expressly withhold consent 
to such use. This ruling shifted the burden to consumers, requiring 
them to specifically request that their personal phone record 
information not be shared. This ruling has resulted in a much broader 
dissemination of consumer phone records and thereby may have 
contributed to the proliferation of the unlawful practices of data 
brokers that we are seeing today.
    Third, Chairman Martin has recommended that the Commission's 
enforcement tools be strengthened. For example, the need to issue 
citations to non-licensees before taking any other type of action 
sometimes hinders us in our investigations, and allows targets to 
disappear before we are in a position to take action against them. 
Eliminating the citation requirement in section 503(b) of the Act would 
enable more streamlined enforcement. In addition, I believe that 
raising maximum forfeiture penalties, currently prescribed by statute, 
would assist the Commission in taking effective enforcement action, as 
well as act as a deterrent to companies who otherwise view our current 
forfeiture amounts simply as costs of doing business. Further, the one-
year statute of limitations in section 503 of the Communications Act 
for bringing action has been a source of difficulty at times. In 
particular, when the violation is not immediately apparent, or when the 
Commission undertakes a complicated investigation, we often run up 
against the statute of limitations and must compromise our 
investigation, or begin losing violations for which we can take action.
Conclusion
    The disclosure of consumers' private calling records is a 
significant privacy invasion. The Commission is taking numerous steps 
to try to address this practice as soon as possible. We look forward to 
working collaboratively with the Members of this Subcommittee, other 
Members of Congress, as well as our colleagues at the Commission and at 
the Federal Trade Commission to ensure that consumers' personal phone 
data remains confidential. Thank you for the opportunity to testify, 
and I would be pleased to respond to your questions.

    Senator Allen. Ms. Monteith, thank you very much for your 
testimony and your very specific ideas of what we can do to 
strengthen the enforcement capabilities of the FCC. You will 
undoubtedly have some questions posed to you later, as will all 
the witnesses.
    Now we would like to hear from Ms. Parnes with the Federal 
Trade Commission. Please proceed.

  STATEMENT OF LYDIA B. PARNES, DIRECTOR, BUREAU OF CONSUMER 
              PROTECTION, FEDERAL TRADE COMMISSION

    Ms. Parnes. Good afternoon, Mr. Chairman and Members of the 
Subcommittee. I too appreciate the invitation to appear today 
to discuss the important topic of the privacy and security of 
consumers' telephone records. My oral testimony and responses 
to questions reflect my own views and not necessarily those of 
the Commission or any individual commissioner.
    Maintaining the privacy and security of consumers' 
sensitive personal information is one of the Commission's 
highest priorities. We have wrestled with spam, spyware, and 
identity theft and, in cooperation with the FCC, are now 
vigorously investigating companies that use subterfuge to gain 
access to consumers' telephone call logs. Today I will describe 
the FTC's efforts to protect consumers from pretexters 
generally and the specific practice of pretexting for telephone 
records. Then I will address the issue of whether new laws are 
needed to stop this troubling practice.
    The Commission filed its first pretexting suit in 1999, 
against a company that offered to provide consumers' bank 
account numbers and balances to anybody for a fee. The FTC 
alleged that this deceptive conduct violated section 5 of the 
FTC Act. Later that year, Congress enacted the Gramm-Leach-
Bliley (GLB) Act, which expressly prohibits pretexting for 
financial records.
    Since GLB's passage, the FTC has sent warning letters to 
200 firms that sold asset information to third parties and 
brought more than a dozen financial pretexting cases. But it is 
also important to control the supply side of sensitive consumer 
information. In that vein, the Commission recently announced a 
record-breaking $15 million settlement against ChoicePoint, 
challenging business practices that we alleged unreasonably 
exposed consumer data to theft and misuse.
    Now let me turn to the cottage industry of companies 
peddling cell phone and landline records. In preparation for 
this hearing, we did a quick review of the telephone record 
marketplace. The results are illuminating. First, we looked at 
40 websites previously reported to be selling call records. As 
of this Monday, more than half were no longer advertising the 
sale of such records. One website told would-be customers, and 
I quote: ``Due to controversy surrounding the availability of 
phone records via the Internet, we have decided to discontinue 
offering these searches.''
    Unfortunately, we also found that at least nine of the 
companies still make unabashed offers to obtain call records. 
The remaining companies are making more ambiguous offers that 
are still of concern. Thus, thanks to the attention this issue 
has received in the media and in hearings like this one, at 
least some in the pretexting industry have gotten the message. 
But there is still work to be done.
    Yesterday we sent warning letters to 20 companies that are 
offering to obtain and sell telephone call records, and the 
Commission has a number of ongoing investigations as well.
    I know the Committee is considering whether additional 
legislation is necessary to protect these records. One approach 
would be a specific prohibition on the pretexting of telephone 
call records, modeled on the Gramm-Leach-Bliley Act's 
protection of financial records. If Congress were to consider 
such legislation, I would recommend that it give the Commission 
authority to seek civil penalties against violators, a remedy 
that the FTC does not currently have in cases like this. I 
believe that in this area, penalties are the most effective 
civil remedy.
    This is also a situation where criminal penalties may be 
warranted, but as a civil agency we would defer to the 
Department of Justice on the need for criminal legislation and 
particularly its structure.
    In addition, our recent surf revealed that some sites 
offering these records were registered to foreign addresses. 
This finding underscores the importance of the Commission's 
previous recommendation that Congress enact cross-border fraud 
legislation. The proposal, called the U.S. SAFE WEB Act, will 
overcome many of the existing obstacles to information-sharing 
and cross-border investigations. I would like to thank the 
Committee for its leadership on this bill.
    Finally, Congress may consider, as recommended by the FCC, 
whether a ban on the sale of call records in all cases is 
appropriate. Should it do so, I would recommend that Congress 
exercise caution in determining the breadth of such a ban. 
Certainly law enforcers will continue to have legitimate 
reasons for obtaining phone records and it is possible that 
there may be other limited circumstances in which these records 
might be disclosed for appropriate and useful purposes. For 
example, the GLB pretexting prohibition provides an exception 
in cases involving the collection of court-ordered child 
support payments.
    Again, thank you for the opportunity to testify today. We 
look forward to working with the Committee and its staff on 
this very important issue.
    [The prepared statement of Ms. Parnes follows:]

  Prepared Statement of Lydia B. Parnes, Director, Bureau of Consumer 
                  Protection, Federal Trade Commission
Introduction
    Mr. Chairman, and Members of the Subcommittee, I am Lydia B. 
Parnes, Director of the Bureau of Consumer Protection at the Federal 
Trade Commission (``FTC'' or ``Commission''). \1\ I appreciate the 
opportunity to discuss telephone records pretexting and the 
Commission's significant work to protect the privacy and security of 
telephone records and other types of sensitive consumer information. 
The Commission is currently investigating companies that offer consumer 
telephone records for sale, and we plan to pursue these investigations 
vigorously.
---------------------------------------------------------------------------
    \1\ The views expressed in this statement represent the views of 
the Commission. My oral testimony and responses to questions reflect my 
own views and do not necessarily represent the views of the Commission 
or any individual Commissioner.
---------------------------------------------------------------------------
    Maintaining the privacy and security of consumers' personal 
information is one of the Commission's highest priorities. Companies 
that engage in pretexting--the practice of obtaining personal 
information, such as telephone records, under false pretenses--not only 
violate the law, but they undermine consumers' confidence in the 
marketplace and in the security of their sensitive data. While 
pretexting to acquire telephone records has recently become more 
prevalent, the practice of pretexting is not new. The Commission has 
used its full arsenal of tools to attack scammers who use fraud to gain 
access to consumers' personal information.
    Aggressive law enforcement is at the center of the FTC's efforts to 
protect consumers' sensitive information. The Commission has taken law 
enforcement action against companies allegedly offering surreptitious 
access to consumers' financial records, and will continue to challenge 
business practices that unnecessarily expose consumers' sensitive 
information. The Commission also continues to provide consumer 
education and outreach to industry to ensure that the marketplace is 
safe for consumers and commerce. \2\
---------------------------------------------------------------------------
    \2\ For example, the Commission recently launched OnGuard Online, a 
campaign to educate consumers about the importance of safe computing. 
See www.onguardonline.gov. One module offers advice on avoiding spyware 
and removing it from computers. Another module focuses on how to guard 
against ``phishing,'' a scam where fraudsters send spam or pop-up 
messages to extract personal and financial information from 
unsuspecting victims. Yet another module provides practical tips on how 
to avoid becoming a victim of identity theft. These materials are 
additions to our comprehensive library on consumer privacy and 
security. See www.ftc.gov/privacy/index.html.
---------------------------------------------------------------------------
    Today I will discuss the FTC's efforts to protect consumers from 
firms engaged in pretexting and the practice of pretexting for 
telephone records. \3\
---------------------------------------------------------------------------
    \3\ Pretexting is not the only way to obtain consumers' telephone 
records, however. Such records also reportedly have been obtained by 
bribing telephone company employees and hacking into telephone 
companies' computer systems. See, e.g., Jonathan Krim, Online Data Gets 
Personal: Cell Phone Records for Sale, Wash. Post, July 13, 2005, 
available at 2005 WLNR 10979279; Simple Mobile Security for Paris 
Hilton, PC Magazine, Mar. 1, 2005, available at 2005 WLNR 3834800.
---------------------------------------------------------------------------
II. FTC Efforts to Protect Consumers From Firms That Engage in 
        Pretexting
    The Commission has a history of combating pretexting. Using Section 
5 of the FTC Act, which prohibits ``unfair or deceptive acts or 
practices in or affecting commerce,'' \4\ the Commission has brought 
actions against businesses that use false pretenses to gather financial 
information on consumers. In these cases, we have alleged that it is a 
deceptive and unfair practice to obtain a consumer's financial 
information by posing as the consumer.
---------------------------------------------------------------------------
    \4\ 15 U.S.C. Sec. 45(a).
---------------------------------------------------------------------------
    The Commission's first pretexting case was filed against a company 
that offered to provide consumers' financial records to anybody for a 
fee. \5\ According to our complaint, the company's employees obtained 
these records from financial institutions by posing as the consumer 
whose records it was seeking. The complaint charged that this practice 
was both deceptive and unfair under Section 5 of the FTC Act. \6\
---------------------------------------------------------------------------
    \5\ FTC v. James J. Rapp and Regana L. Rapp, d/b/a Touch Tone 
Information, Inc., No. 99-WM-783 (D. Colo.) (final judgment entered 
June 22, 2000). See http://www.ftc.gov/os/2000/06/touchtoneorder.
    \6\ An act or practice is unfair if it: (1) causes or is likely to 
cause consumers substantial injury; (2) the injury is not reasonably 
avoidable by consumers; and (3) the injury is not outweighed by 
countervailing benefits to consumers or competition. 15 U.S.C. 
Sec. 45(n).
---------------------------------------------------------------------------
    In 1999, Congress passed the Gramm-Leach-Bliley Act (``GLBA''). The 
GLBA provided another tool to attack the unauthorized acquisition of 
consumers' financial information. \7\ Section 521 of the Act directly 
prohibits pretexting of customer data from financial institutions. 
Specifically, this provision prohibits ``false, fictitious, or 
fraudulent statement[s] or representation[s] to an officer, employee, 
or agent of a financial institution'' to obtain customer information of 
a financial institution. \8\
---------------------------------------------------------------------------
    \7\ Id. Sec. Sec. 6801-09.
    \8\ Id. Sec. 6821.
---------------------------------------------------------------------------
    To ensure awareness of and compliance with the new anti-pretexting 
provisions of the GLBA, the Commission launched Operation Detect 
Pretext in 2001. \9\ Operation Detect Pretext combined a broad 
monitoring program, the widespread dissemination of industry warning 
notices, consumer education, and aggressive law enforcement.
---------------------------------------------------------------------------
    \9\ See FTC press release ``As Part of Operation Detect Pretext, 
FTC Sues to Halt Pretexting'' (Apr. 18, 2001), available at 
http://www.ftc.gov/opa/2001/04/pretext.htm. For more information about 
the cases the Commission has brought under Section 521 of the GLBA, see 
http://www.ftc.gov/privacy/privacyinitiatives/pretexting_enf. Since 
GLBA's passage, the FTC has brought over a dozen cases alleging 
violations of Section 521 in various contexts.
---------------------------------------------------------------------------
    In the initial monitoring phase of Operation Detect Pretext, FTC 
staff conducted a ``surf'' of more than 1,000 websites and a review of 
more than 500 advertisements in print media to spot firms offering to 
conduct searches for consumers' financial data. The staff found 
approximately 200 firms that offered to obtain and sell consumers' 
asset or bank account information to third parties. The staff then sent 
notices to these firms advising them that their practices were subject 
to the FTC Act and the GLBA, and provided information about how to 
comply with the law. \10\
---------------------------------------------------------------------------
    \10\ See FTC press release ``FTC Kicks Off Operation Detect 
Pretext'' (Jan. 31, 2001), available at 
http://www.ftc.gov/opa/2001/01/pretexting.htm.
---------------------------------------------------------------------------
    In conjunction with the warning letters, the Commission released a 
consumer alert, Pretexting: Your Personal Information Revealed, 
describing how pretexters operate and advising consumers on how to 
avoid having their information obtained through pretexting. \11\ The 
alert warns consumers not to provide personal information in response 
to telephone calls, e-mail, or postal mail, and advises them to review 
their financial statements carefully, to make certain that their 
statements arrive on schedule, and to add passwords to financial 
accounts.
---------------------------------------------------------------------------
    \11\ See http://www.ftc.gov/bcp/conline/pubs/credit/pretext.htm.
---------------------------------------------------------------------------
    While consumer education is important, it is only part of the FTC's 
efforts to combat pretexting. Aggressive law enforcement is critical. 
The FTC therefore followed up the first phase of Operation Detect 
Pretext in 2001 with a trio of law enforcement actions against 
information brokers. \12\ In each of these cases, the defendants 
advertised that they could obtain non-public, confidential financial 
information, including information on checking and savings account 
numbers and balances, stock, bond, and mutual fund accounts, and safe 
deposit box locations, for fees ranging from $100 to $600. The FTC 
alleged that the defendants or persons they hired called banks, posing 
as customers, to obtain balances on checking accounts. \13\
---------------------------------------------------------------------------
    \12\ FTC v. Victor L. Guzzetta, d/b/a Smart Data Systems, No. CV-
01-2335 (E.D.N.Y.) (final judgment entered Feb. 25, 2002); FTC v. 
Information Search, Inc., and David Kacala, No. AMD-01-1121 (D. Md.) 
(final judgment entered Mar. 15, 2002); FTC v. Paula L. Garrett, d/b/a 
Discreet Data Systems, No. H 01-1255 (S.D. Tex.) (final judgment 
entered Mar. 25, 2002).
    \13\ In sting operations set up by the FTC in cooperation with 
banks, investigators established dummy bank account numbers in the 
names of cooperating witnesses and then called defendants, posing as 
purchasers of their pretexting services. In the three cases, an FTC 
investigator posed as a consumer seeking account balance information on 
her fiance's checking account. The defendants or persons they hired 
proceeded to call the banks, posing as the purported fiance, to obtain 
the balance on his checking account. The defendants later provided the 
account balances to the FTC investigator.
---------------------------------------------------------------------------
    The FTC's complaints alleged that the defendants' conduct violated 
the anti-pretexting prohibitions of the GLBA, and further was unfair 
and deceptive in violation of Section 5 of the FTC Act. The defendants 
in each of the cases ultimately agreed to settlements that barred them 
from further violations of the law and required them to surrender ill-
gotten gains. \14\
---------------------------------------------------------------------------
    \14\ See http://www.ftc.gov/opa/2002/03/pretextingsettlements.htm.
---------------------------------------------------------------------------
    Because the anti-pretexting provisions of the GLBA provide for 
criminal penalties, the Commission also may refer pretexters to the 
U.S. Department of Justice for criminal prosecution, as appropriate. 
One such individual recently pled guilty to one count of pretexting 
under the GLBA. \15\
---------------------------------------------------------------------------
    \15\ United States v. Peter Easton, No. 05 CR 0797 (S.D.N.Y.) 
(final judgment entered Nov. 17, 2005).
---------------------------------------------------------------------------
    Finally, the Commission is aware that it is not enough to focus on 
the purveyors of illegally obtained consumer data. It is equally 
critical to ensure that entities that handle and maintain sensitive 
consumer information have in place reasonable and adequate processes to 
protect that data. Accordingly, the Commission has challenged data 
security practices as unreasonably exposing consumer data to theft and 
misuse. \16\ Companies that have failed to implement reasonable 
security and safeguard processes for consumer data face liability under 
various statutes enforced by the FTC, including the Fair Credit 
Reporting Act, the Safeguards provisions of the GLBA, and Section 5 of 
the FTC Act. \17\
---------------------------------------------------------------------------
    \16\ In addition to law enforcement in the data security area, the 
Commission has provided business education about the requirements of 
existing laws and the importance of good security. See, e.g., 
Safeguarding Customers' Personal Information: A Requirement for 
Financial Institutions, available at 
http://www.ftc.gov/bcp/conline/pubs/alerts/safealrt.htm.
    \17\ United States v. ChoicePoint, Inc., No. 106-CV-0198 (N.D. Ga.) 
(complaint and proposed settlement filed on Jan. 30, 2006 and pending 
court approval); In the Matter of BJ's Wholesale Club, Inc., FTC Docket 
No. 042-3160 (Sept. 20, 2005); In the Matter of DSW, Inc., FTC Docket 
No. 052-3096 (proposed settlement posted for public comment on Dec. 1, 
2005); Superior Mortgage Corp., FTC Docket No. C-4153 (Dec. 14, 2005). 
As the Commission has stated, an actual breach of security is not a 
prerequisite for enforcement under Section 5; however, evidence of such 
a breach may indicate that the company's existing policies and 
procedures were not adequate. It is important to note, however, that 
there is no such thing as perfect security, and breaches can happen 
even when a company has taken every reasonable precaution. See 
Statement of the Federal Trade Commission Before the Committee on 
Commerce, Science, and Transportation, U.S. Senate, on Data Breaches 
and Identity Theft (June 16, 2005) at 6, available at 
http://www.ftc.gov/os/2005/06/050616databreaches.pdf.
---------------------------------------------------------------------------
    In fact, two weeks ago the Commission announced a record-breaking 
proposed settlement with data broker ChoicePoint, Inc. This proposed 
settlement requires ChoicePoint to pay $10 million in civil penalties 
and $5 million in consumer redress to settle charges that its security 
and record-handling procedures violated the Fair Credit Reporting Act 
and the FTC Act. In addition, the proposed settlement requires 
ChoicePoint to implement new procedures to ensure that it provides 
consumer reports only to legitimate businesses for lawful purposes, to 
establish and maintain a comprehensive information security program, 
and to obtain audits by an independent third-party security 
professional every other year until 2026. Further, the proposed 
settlement sends a strong signal to industry that it must maintain 
reasonable procedures for safeguarding sensitive consumer information 
and protecting it from data thieves.
III. Pretexting for Consumers' Telephone Records
    An entire industry of companies offering to provide purchasers with 
the cellular and landline phone records of third parties recently has 
developed. Recent press stories report on the successful purchase of 
the phone records of prominent figures. \18\ Although the acquisition 
of telephone records does not present the opportunity for immediate 
financial harm as the acquisition of financial records does, it 
nonetheless is a serious intrusion into consumers' privacy and could 
result in stalking, harassment, and embarrassment. \19\ Although 
pretexting for consumer telephone records is not prohibited by the 
GLBA, the Commission may bring a law enforcement action against a 
pretexter of telephone records for deceptive or unfair practices under 
Section 5 of the FTC Act. \20\
---------------------------------------------------------------------------
    \18\ News stories state that reporters obtained cell phone records 
of General Wesley Clark and cell phone and landline records of Canada's 
Privacy Commissioner Jennifer Stoddart. See, e.g., Aamer Madhani and 
Liam Ford, Brokers of Phone Records Targeted, Chicago Trib., Jan. 21, 
2006, available at 2006 WLNR 1167949.
    \19\ Albeit anecdotal, news articles illustrate some harmful uses 
of telephone records. For example, data broker Touch Tone Information 
Inc. reportedly sold home phone numbers and addresses of Los Angeles 
Police Department detectives to suspected mobsters, who then used the 
information in an apparent attempt to intimidate the police officers 
and their families. See, e.g., Peter Svensson, Calling Records Sales 
Face New Scrutiny, Wash. Post, Jan. 18, 2006, available at 
http://www.washingtonpost.com/wp-dyn/content/article/2006/01/18/AR2006011801659.html.
    \20\ Under Section 13(b) of the FTC Act, the Commission has the 
authority to file actions in Federal district court against those 
engaged in deceptive or unfair practices and obtain injunctive relief 
and other equitable relief, including monetary relief in the form of 
consumer redress or disgorgement of ill-gotten profits. However, the 
FTC Act does not authorize the imposition of civil penalties for an 
initial violation, unless there is a basis for such penalties, i.e., an 
applicable statute, rule or litigated decree.
---------------------------------------------------------------------------
    The Commission is currently investigating companies that appear to 
be engaging in telephone pretexting. Using the approach that proved 
successful in Operation Detect Pretext, Commission staff surfed the 
Internet for companies that offer to sell consumers' phone records. FTC 
staff then identified appropriate targets for investigation and 
completed undercover purchases of phone records. Commission attorneys 
currently are evaluating the evidence to determine if law enforcement 
action is warranted.
    In addition, the FTC is working closely with the Federal 
Communications Commission, which has jurisdiction over 
telecommunications carriers subject to the Communications Act. \21\ Our 
two agencies are committed to coordinating our work on this issue, as 
we have done successfully with the enforcement of the ``National Do Not 
Call'' legislation. \22\
---------------------------------------------------------------------------
    \21\ Consumer telephone records are considered ``customer 
proprietary network information'' under the Telecommunications Act of 
1996 (``Telecommunications Act''), which amended the Communications 
Act, and accordingly are afforded privacy protections by the 
regulations under that Act. See 42 U.S.C. Sec. 222; 47 CFR 
Sec. Sec. 64.2001-64.2009. The Telecommunications Act requires 
telecommunications carriers to secure the data, but does not 
specifically address pretexting to obtain telephone records. Moreover, 
the FTC's governing statute specifically states that the Commission 
lacks jurisdiction over common carrier activities that are subject to 
the Communications Act. 15 U.S.C. Sec. 46(a). The Commission opposed 
this jurisdictional gap during the two most recent reauthorization 
hearings. See http://www.ftc.gov/os/2003/06/030611reauthhr.htm; see 
also http://www.ftc.gov/os/203/06/030611learysenate.htm; 
http://www.ftc.gov/os/2002/07/sfareauthtest.htm.
    \22\ In addition, the Attorneys General of Florida, Illinois, and 
Missouri recently sued companies allegedly engaged in pretexting. See 
http://myfloridalegal.com/_852562220065EE67.nsf/0/D510D79C5EDFB4B98525710000Open&Highlight=0,telephone,records; 
http://www.ag.state.il.us/pressroom/2006_01/20060120.html; 
http://www.ago.mo.gov/newsreleases/2006/012006h.html. Several 
telecommunications carriers also have sued companies that reportedly 
sell consumers' phone records. According to press reports, Cingular 
Wireless, Sprint Nextel, T-Mobile, and Verizon Wireless have sued such 
companies. See, e.g., 
http://www.upi.com/Hi-Tech/view.php?StoryID=20060124-6403r; 
http://www.wired.com/news/technology/1,70027-0.html; 
http://news.zdnet.com/2100-1035_22-6031204.html.
---------------------------------------------------------------------------
IV. Conclusion
    Protecting the privacy of consumers' data requires a multi-faceted 
approach: coordinated law enforcement by government agencies as well as 
action by the telephone carriers, outreach to educate consumers and 
industry, and improved security by record holders are essential for any 
meaningful response to this assault on consumers' privacy. Better 
security measures for sensitive data will prevent unauthorized access; 
aggressive and well-targeted law enforcement against the pretexters 
will deter others from further invasion of privacy; and outreach to 
consumers and industry will provide meaningful ways to avoid the harm 
to the public.
    The Commission has been at the forefront of efforts to safeguard 
consumer information and is committed to continuing our work in this 
area. We also are committed to working with this Committee to provide 
greater security and privacy for American consumers.

    Senator Allen. Thank you, Ms. Parnes. We appreciate your 
comments and we will have questions of you also.
    Now we would like to hear from the Honorable, a former 
Congressman and now Chairman, Steve Largent.

       STATEMENT OF HON. STEVE LARGENT, PRESIDENT/CHIEF 
  EXECUTIVE OFFICER, CELLULAR TELECOMMUNICATIONS AND INTERNET 
                       ASSOCIATION (CTIA)

    Mr. Largent. Well, thank you, Mr. Chairman and Ranking 
Member and other Members of the Committee, for giving me a 
chance to testify here this afternoon on the theft and illegal 
sale of phone records by data brokers. With your consent, I 
would like to have my full written statement made a part of the 
record.
    Senator Allen. It will be.
    Mr. Largent. At the outset of my testimony, I want to make 
it unequivocally clear that the wireless industry and more 
specifically the wireless carriers that I represent take this 
matter very seriously. The theft of customer call records is 
unacceptable and CTIA and the wireless carriers believe that 
the current practice of pretexting is illegal.
    CTIA and the wireless industry are on record as supporting 
Congress's efforts to enact Federal legislation that 
criminalizes the fraudulent behavior by third parties to 
obtain, sell, and distribute call records. I believe that it is 
important to note that the four national carriers--Verizon 
Wireless, Cingular, Sprint Nextel, and T-Mobile--have all filed 
complaints and obtained injunctions across the country to shut 
down these data thieves.
    The fact that data brokers apparently have been able to 
break and enter carrier customer service operations to obtain 
call records has given our industry a black eye. To quote from 
one of CTIA's member companies' code of conduct, it says: 
``Great companies are defined by their reputation for ethics 
and integrity in every aspect of their business. By their 
actions, these companies demonstrate the values that serve as 
the foundation of their culture and attract the best customers, 
employees, and stakeholders in their industry.''
    The wireless industry is dedicated to being responsive to 
its customers' requests for assistance with their service. To 
the extent that the theft of customer call records has 
jeopardized the industry's reputation, it is most unfortunate. 
Trust is a currency that is difficult to refund.
    As we all know, the way that these thieves are obtaining 
call records is through the use of pretexting, otherwise known 
as lying. I would note that no two carriers can or should 
employ the exact same security procedures and I would caution 
the Committee Members that as you proceed forward in drafting 
legislation that you consider that the threat environment is 
constantly changing and static rules can quickly become 
outmoded or easily avoided by fraudsters. Moreover, CTIA in its 
comments to the EPIC petition for rulemaking at the FCC noted 
that requiring wireless carriers to identify security 
procedures on the record and to further identify any 
inadequacies in their procedures would provide a road map to 
criminals to avoid fraud detection measures. The industry fears 
that public disclosure potentially could lead to serious harm 
to consumers and carriers alike.
    One security practice we know works is litigation. I cannot 
emphasize enough how seriously wireless carriers are taking 
these illegal and unauthorized attempts to obtain and traffic 
our customers' private information. These internal 
investigations have led to the carriers filing these cases, 
which began months before the current media glare. As I 
mentioned at the beginning of my testimony, the four national 
carriers have all filed complaints and obtained injunctions 
across the country to shut these data thieves down. Carriers 
have taken additional security steps to require personal 
identification numbers and passwords when obtaining call record 
information and many carriers have instituted a ban on e-mail 
and faxing call records.
    It is important to remember carriers are under tremendous 
pressure to quickly respond to customer calls. What was largely 
perceived as good customer service yesterday is now a practice 
seen as a potential inspection flaw. Wireless carriers 
collectively received hundreds of millions, if not billions, of 
customer inquiries in 2005 alone. Inside our member companies, 
customer service reps are striving to address the requests of 
customers as best they can with the very best interests of the 
customer at heart.
    Bearing this statistic in mind, it would prove 
counterproductive to enact legislation that would impede 
wireless customers' access to their own account information. 
Rules that may require in-person customer service would be a 
step backward from the convenient and responsive customer 
service wireless carriers strive to achieve.
    Clearly, the privacy of a small percentage of our customers 
and constituents has been compromised. As far as I am 
concerned, the breach of even one wireless customer's calling 
records is one customer too many. But to the best of my 
knowledge, no system is foolproof, especially one that handles 
hundreds of millions of customer calls each year without the 
customer being present.
    There is one component to this problem that really has not 
been discussed, but I believe plays a very large role in the 
sale of call records, and that is the use of credit cards to 
purchase these records. I think we all agree that pretexting 
should be made illegal, and if we make the underlying act of 
making the sale of records illegal, does it not make sense then 
to prohibit the use of credit cards to buy the records? I know 
my suggestion goes beyond the jurisdiction of this Committee, 
but I truly believe that if Congress dries up the funding 
source for these sites they will disappear.
    The wireless industry wholeheartedly supports making it 
explicitly clear that the marketing, possession, and sale of 
call records is against the law. If we have learned anything 
from this experience, it is that combatting pretexting is a war 
where the unscrupulous continuously seek out vulnerabilities 
and the weaknesses in the carriers' defenses. Unfortunately, no 
defense will be perfect, which is why we need a good offense 
and strong enforcement measures against these criminals.
    Again, thank you for this opportunity and I welcome any 
questions you may have, Mr. Chairman.
    [The prepared statement of Mr. Largent follows:]

  Prepared Statement of Hon. Steve Largent, President/Chief Executive 
  Officer, Cellular Telecommunications and Internet Association (CTIA)
    Chairman Allen, Ranking Member Pryor and Members of the 
Subcommittee, thank you for the opportunity to appear before you this 
afternoon to testify on the theft and illegal sale of phone records by 
data brokers. At the outset of my testimony, I want to make it 
unequivocally clear that the wireless industry, and more specifically, 
the wireless carriers that I represent take this matter very seriously. 
The theft of this data is unacceptable, and CTIA and wireless carriers 
believe that the current practice of ``pretexting'' is illegal. 
Chairwoman Majoras has declared that the Federal Trade Commission 
currently has the authority it needs to prosecute these thieves. 
Carriers have successfully filed injunctions to take these sites down. 
Additionally, CTIA and the wireless industry are on record as 
supporting Congress's efforts to enact Federal legislation that 
criminalizes the fraudulent behavior by third parties to obtain, sell 
or distribute call records. I believe that it is important to note that 
the four national carriers: Verizon Wireless, Cingular, Sprint Nextel, 
and T-Mobile have all filed complaints and obtained injunctions across 
the country to shut these data thieves down.
    The fact that data brokers apparently have been able to break and 
enter carrier customer service operations to obtain call records has 
given our industry a black eye. To quote from one of CTIA's member 
companies' Code of Conduct, ``Great companies are defined by their 
reputation for ethics and integrity in every aspect of their business. 
By their actions, these companies demonstrate the values that serve as 
the foundation of their culture and attract the best customers, 
employees and stakeholders in their industry.'' The wireless industry 
is dedicated to being responsive to its customers' requests for 
assistance with their service because of its concern for wireless 
customers. To the extent that the theft of customer call records has 
jeopardized the industry's reputation, I believe this is most 
unfortunate because trust is a currency that is difficult to refund.
Pretexting
    Overwhelmingly, the vast majority of cell phone records are being 
fraudulently obtained through the use of ``pretexting,'' which is 
nothing more than lying to obtain something you aren't entitled to 
procure lawfully. Allow me to explain how these data thieves operate. 
For the sake of illustration, if someone--and in most cases it appears 
to be a private investigator--wants to acquire my call records, the 
private investigator will go to a website that publicly offers to 
obtain such records such as locatecell.com. The person trying to obtain 
my call records will provide the website in most cases with nothing 
more than my name and phone number. At that point, the website or a 
subcontractor of the website will pose as Steve Largent and call a 
carrier's customer service department to get the records. Customer 
Service Representatives (CSR) are trained to require more than just a 
name and phone number, but the thieves are well trained too and often 
badger, threaten or plead with the CSR to acquire the records as if 
they are the actual customer. Our carrier investigations confirm that 
these calls are rebuffed, but these data brokers are quite determined. 
The data broker will scour other sources on the Internet or elsewhere 
to obtain my Social Security number or date of birth so that eventually 
the data broker will appear to be Steve Largent calling customer 
service, and thus, the CSR is duped into releasing the records. To be 
clear, from the carrier perspective, the CSR is dealing with the actual 
customer.
    Make no mistake, these data thieves are extremely sophisticated. If 
they are unable to deceive one CSR on the first attempt, they will 
place multiple calls to customer service call centers until they are 
able to mislead a CSR into providing the call records.
    No combination of identifiers is safe against pretexting. We have 
had cases where the data brokers have possessed the customer password. 
We have had cases where they knew the date of birth of the customer and 
the full Social Security number. Because many of these cases seem to 
arise in divorce or domestic cases, it is common for a spouse to have 
all of the necessary identifying information long after a divorce or 
separation to obtain call records.
Wireless Carrier Security Practices
    CTIA's members are committed to protecting customer privacy and 
security. This is no hollow pronouncement--we are talking about 
carriers protecting the privacy of their most valuable assets--their 
customers--as well as the very infrastructure of their networks. No 
carrier has an interest in seeing customer records disclosed without 
authority and every carrier has security policies and technical 
defenses to guard against it. I am also confident that our carriers are 
utilizing the best industry practices for combating fraud and ensuring 
security; however, the thieves who want to commit these crimes are 
constantly changing their tactics and approaches--staying one step 
ahead of them requires flexibility.
    Wireless carriers employ a broad range of security measures beyond 
those put in place to meet the Federal Communications Commission's 
(FCC) customer proprietary network information (CPNI) rules to prevent 
unauthorized access to and disclosure of CPNI. I would note that no two 
carriers can or should employ the exact same security procedures. I 
would caution Committee Members that as you proceed forward in drafting 
legislation that you consider the threat environment is constantly 
changing and static rules can quickly become outmoded or easily avoided 
by the fraudster. Additionally, CTIA in its comments to the EPIC 
petition for rulemaking at the FCC, noted that requiring wireless 
carriers to identify security procedures on the record and to further 
identify any inadequacies in those procedures would provide a roadmap 
to criminals to avoid fraud detection measures. Public disclosure 
potentially could lead to serious harm to consumers and carriers alike.
    CPNI is protected from unauthorized disclosure under Section 222 of 
Title 47 and the FCC's implementing rules. ``Every telecommunications 
carrier has a duty to protect the confidentiality of proprietary 
information.'' Every wireless carrier takes that duty seriously; it is 
the law. The FCC, too, has followed up strongly on that mandate. In its 
very first order after the passage of the Telecommunications Act of 
1996, the FCC directly addressed security concerns related to the 
protection of CPNI, and it has addressed the CPNI rules multiple times 
over.
    Consistent with Congress's intent in Section 222, the wireless 
industry has worked continuously to maintain and improve the security 
of its customers' private information. CSRs are trained extensively on 
the rules related to access, use and disclosure of call records. 
Technical restrictions are placed on access to call records to ensure 
that no one can walk off with a database of customer information, and 
CSRs are monitored to ensure they follow the necessary procedures. 
While we have heard stories about insiders selling call records on the 
side, we have not actually seen these cases. Instead, the vast majority 
of cases we have seen involve pretexting where the fraudster actually 
has all the necessary customer information to obtain the records.
    Wireless carriers have taken additional measures to reiterate to 
their customers that it is important to continue to take steps to 
protect their accounts by utilizing passwords. For example, T-Mobile 
``urges all users of mobile services to take the following password 
protection steps:''

   create separate passwords for voice mail, online access, and 
        for use when calling customer care about your billing account

   set complex passwords using both numbers and letters where 
        appropriate

   avoid common passwords such as birthdates, family or pet 
        names and street addresses

   change your passwords at least every 60 days

   memorize your passwords, and

   don't share passwords with anyone

    But passwords get lost or forgotten and in many cases, customers 
call a CSR to refresh a password. The ability to change a password 
remotely presents another pretexting opportunity. In short, passwords 
are not a ``silver bullet.'' Some carriers also report that some 
customers rebel against mandatory passwords, preferring instead to be 
empowered to make that choice individually, rather than by dictate.
    The Committee should be aware that carriers are extremely cautious 
when allowing any third party vendor access to call records. Carrier 
contracts contain strict confidentiality and security provisions. It is 
common for carriers, for example, to require that vendors represent and 
warrant that they have adequate security procedures to protect customer 
information and to provide immediate notice of any security breach to 
the carrier. This contractual framework flows down a carrier's own 
security standards to vendors who conduct customer billing 
responsibilities creating security in depth.
    One security practice we know now works is litigation. I cannot 
emphasize enough how seriously wireless carriers are taking these 
illegal and unauthorized attempts to obtain and traffic our customers' 
private information. These internal investigations have led to the 
carriers filing these cases which began months before the current media 
glare. As I mentioned at the beginning of my testimony, the four 
national carriers: Verizon Wireless, Cingular, Sprint Nextel, and 
T-Mobile have all filed complaints and obtained injunctions across the 
country to shut these data thieves down. Moreover, smaller Tier II and 
Tier III wireless carriers are re-examining their security protocols to 
ensure their customers' privacy. The carriers' internal investigations 
against the data brokers made it possible to secure injunctions aimed 
at taking down the sites and preserving evidence so we can determine 
exactly who is buying the records through these brokers. We look 
forward to working with the Committee to utilize this information so 
Congress will be in a better position to draft legislation aimed not 
only at those who engage in pretexting, but also those that solicited 
the deed in the first place and later received the stolen property.
Customer Service Protections
    As I mentioned previously, carriers have taken additional security 
steps to require personal identification numbers and passwords when 
obtaining call record information. For example, when call records are 
accessed, it is logged in the customer service database, so the carrier 
can see who looked at what records. Further, CSRs are trained to 
annotate the customer record whenever an account change or event 
occurs. A CSR will note when a customer called and asked for his or her 
records. To prevent the fraudster from adding a fax or e-mail account 
identifier to another's account, many carriers have instituted a ban on 
faxing or e-mailing call records. It is important to remember, carriers 
are under tremendous pressure to quickly respond to customer calls. 
What was largely perceived as good customer service yesterday, is now a 
practice seen as a potential security flaw.
    Because of the highly competitive nature of the wireless phone 
industry, customer service is extremely important to wireless carriers 
and their customers. Wireless carriers collectively received hundreds 
of millions, if not billions, of customer inquiries in 2005. Inside our 
member companies, CSRs are striving to address the requests of 
customers as best they can with the very best interest of the customer 
at heart. Bearing this statistic in mind, it could prove 
counterproductive to enact legislation that would impede wireless 
customers' access to their own account information. Rules that may 
require in-person customer service would be a step backwards from the 
convenient and responsive customer service wireless carriers strive to 
achieve.
Conclusion
    Clearly, the privacy of a small percentage of our customers and 
your constituents has been compromised. As far as I am concerned, the 
breach of even one wireless customer's calling records is one customer 
too many. But to the best of my knowledge no system is foolproof, 
especially one that handles hundreds of millions of customer calls each 
year without the customer being present.
    The wireless industry wholeheartedly supports making it explicitly 
clear that the marketing, possession, and sale of call records is 
against the law. CTIA and its carriers are on record as supporting 
Congress's efforts to enact Federal legislation that criminalizes the 
fraudulent behavior by third parties to obtain, sell, or distribute 
call records. Carriers have been successful in using existing state and 
Federal law to obtain injunctions to shut down these Internet sites.
    If we have learned anything from this experience, it is that 
combating pretexting is a war where the unscrupulous continuously seek 
out vulnerabilities and weaknesses in the carrier defenses. 
Unfortunately, no defense will be perfect, which is why we need a good 
offense and strong enforcement measures against these criminals.
    Again, thank you for this opportunity and I welcome any questions 
you may have.

    Senator Allen. Thank you, Mr. Largent, for your comments.
    Now we would like to hear from Mr. Rotenberg.

  STATEMENT OF MARC ROTENBERG, EXECUTIVE DIRECTOR, ELECTRONIC 
                   PRIVACY INFORMATION CENTER

    Mr. Rotenberg. Thank you, Mr. Chairman and Members of the 
Committee, for the opportunity to be here today. I would like 
to ask that my full statement be entered into the record.
    Senator Allen. It is so ordered.
    Mr. Rotenberg. Thank you.
    I want to thank the Committee for holding this important 
hearing today, the sponsors of the legislation to safeguard the 
privacy of our cell phone records, and also the chairman of the 
FCC, who I think has taken important steps in the last few 
months to address this problem.
    Last summer my organization, the Electronic Privacy 
Information Center, EPIC, wrote to the Federal Trade Commission 
and we expressed our concern about a new problem that many 
people were not aware of. That was the fact that their cell 
phone records, those monthly billing statements that are 
received by more than 190 million Americans, were available for 
sale on the Internet. We asked the Federal Trade Commission to 
investigate the matter. We followed up with a supplemental 
filing after we had identified 40 different companies that were 
selling our monthly billing statements.
    We also filed a petition with the FCC and we expressed 
concern in that petition that the security standard simply 
seemed to be inadequate. Yes, we understood there were people 
engaging in fraud or pretexting to obtain personal information, 
but the companies also were not doing enough to safeguard the 
information. So we asked the FCC to look at its authority under 
section 222 to see if it could take more steps to ensure that 
there would be stronger security measures to protect those 
important call billing information records.
    Well, here we are today and it seems clear that it is time 
for Congress to do something about this problem. Even though it 
may be the case that fraud is illegal, there has just not been 
enough action on the enforcement front. In fact, last week, 
after the House hearing was held on the problem, the companies 
engaged in this practice had such an increase in activity that 
a couple of the websites actually had to go down because they 
could not take all the increased business resulting from the 
publicity surrounding their practices.
    So I am going to make a few suggestions about the type of 
steps that Congress could take at this point and at the same 
time acknowledge that many of the proposals that EPIC and other 
privacy and consumer groups will put forward are similar to 
those that have been suggested by the chairman of the FCC.
    First, it is clear that pretexting should be banned. If 
there is any question about this, it has to be answered that it 
is unfair, deceptive, unethical, illegal, and wrong. The ban 
should be broad, it should be emphatic, and the report should 
be no ambiguity about that practice.
    The second key point is that the sale of these monthly 
billing statements should be made illegal. There is just no 
scenario under which it makes sense for a company to take the 
records of who we have called each month and make that data 
available for sale. If those records are needed, for example by 
a law enforcement agent in the course of a criminal 
investigation, then there is subpoena or warrant authority. If 
those records are needed in civil litigation, subpoena can also 
be used. If an individual wants to disclose billing 
information, for whatever purpose, it can be done by consent.
    But there is no scenario, I believe, under which it makes 
sense to allow a market for the sale of personal phone records.
    The third key recommendation is that stronger security 
standards are clearly needed in this industry. We were, 
frankly, disappointed by the decision of the wireless industry 
to oppose our recommendation to the FCC for stronger security 
standards.
    Mr. Largent, I have a very simple recommendation for the 
companies in your industry: If they cannot protect the 
information, they should not collect the information. It is 
placing consumers at risk when their personal information can 
be obtained online over the Internet.
    Mr. Chairman, this goes to the final recommendation. This 
Committee of course over the years has had to consider many new 
communications services and oftentimes we have held these 
hearings about privacy-related issues. I think one of the 
lessons that we are learning is that when personal information 
is collected in the context of a communication service, it 
creates a privacy risk.
    We know that historically it was not always the case that 
this type of detailed call information was made available. 
Local call service traditionally in the United States was 
actually treated as a utility. It was only the long distance 
calls that included the detailed billing information. We know 
that there are new telephone services on the horizon, such as 
VoIP services, that take advantage of the Internet.
    So I would just like to suggest to you, sir, and other 
Members of the Committee that going ahead, if it is possible to 
develop communications services that do not require the 
collection of so much detailed personal information, at least 
the privacy problem will not be as serious as it is today for 
the American consumer.
    Thank you so much for the opportunity to testify.
    [The prepared statement of Mr. Rotenberg follows:]

 Prepared Statement of Marc Rotenberg, Executive Director, Electronic 
                       Privacy Information Center
Introduction
    Chairman Allen, Ranking Member Pryor, and Members of the Committee, 
thank you for the opportunity to testify on the privacy of telephone 
records. My name is Marc Rotenberg and I am Executive Director and 
President of the Electronic Privacy Information Center in Washington, 
D.C. EPIC is a not-for-profit research center established to focus 
public attention on emerging civil liberties issues and to protect 
privacy, the First Amendment, and constitutional values. We have played 
a leading role in emerging communications privacy issues since our 
founding in 1994.
    We thank the Members of the Committee and others who are developing 
legislation to address pretexting and to increase security standards at 
companies that collect and maintain data. We especially commend the 
sponsors of the Telephone Consumer Protection Act, S. 2178, and the 
Phone Record Protection Act, S. 2177, which would ban the sale of 
personal telephone records. These measures will help establish 
important safeguards for American consumers and keep call record 
details off the Internet, but more work remains to be done: Records 
other than telecommunications records must be protected from abuse for 
profit.
    In this statement today, I will summarize EPIC's efforts to bring 
public attention to the problems of pretexting and communications 
record sales; suggest several approaches to the problem, including a 
ban on pretexting and the restriction of the sale of telephone records; 
and make specific recommendations concerning current and future 
legislation.
EPIC's Efforts to Address Pretexting and Phone Record Sales
    In July 2005, EPIC filed a complaint with the Federal Trade 
Commission concerning a website that offered phone records and the 
identities of P.O. Box owners for a fee through pretexting. Pretexting 
is a practice where an individual impersonates another person, employs 
false pretenses, or otherwise uses trickery to obtain records.
    EPIC supplemented that filing in August with a list of 40 websites 
that offered to sell phone records to anyone online. In light of the 
fact that so many companies were selling communication records online, 
EPIC also petitioned the Federal Communications Commission, urging the 
agency to require enhanced security precautions for phone companies' 
customer records. \1\ Although telephone carriers unanimously opposed 
enhanced security requirements, proposing that lawsuits against 
pretexters would solve the problem, Chairman Martin of the FCC last 
week announced that he and his fellow Commissioners will be considering 
EPIC's petition and acting upon it within the next few days. The FCC 
has recognized that enforcement alone will not solve this problem. It 
will simply drive these practices underground, where they will continue 
with less public scrutiny. Simple security enhancements, such as 
sending a wireless phone user a text message in advance of releasing 
records, could tip off a victim to this invasion of privacy and block 
the release.
---------------------------------------------------------------------------
    \1\ Petition of EPIC for Enhanced Security and Authentication 
Standards, In re Implementation of the Telecommunications Act of 1996, 
CC Docket No. 96-115, available at 
http://www.epic.org/privacy/iei/cpnipet.html.
---------------------------------------------------------------------------
Phone Records Are the Tip of the Problem
    While the sale of cell phone records has gained significant media 
attention, and telecommunications records are the focus of the two 
bills currently before the Senate, many other types of private records 
are being bought and sold in the public market. Alongside many 
advertisements for cell phone records, wireline records and the records 
associated with calling cards are advertised. As individuals shift to 
VoIP telephones, it is safe to assume that those records will be 
offered for sale as well, and we commend the authors of S. 2178, who 
have included this and other emerging technologies in their legislative 
efforts.
    However, the problem of record sales is not limited to the many 
methods of voice communication that we can use. Sites commonly 
advertise the ability to obtain the home addresses of those using P.O. 
Boxes. Some websites, such as Abika.com, advertise their ability to 
obtain the real identities of people who participate in online dating 
websites. A page on Abika.com advertises the company's ability to 
perform ``Reverse Search AOL ScreenName'' services, a search that finds 
the ``Name of person associated with the AOL ScreenName'' and the 
``option for address and phone number associated with the AOL 
ScreenName.'' \2\ The same page offers name, address, and phone number 
information for individuals on Match.com, Kiss.com, Lavalife, and 
Friendfinder.com. These are all dating websites that offer individuals 
the opportunity to meet others without immediately revealing who they 
are.
---------------------------------------------------------------------------
    \2\ See 
http://www.abika.com/Reports/tracepeople.htm#Search%20Address/Phone%20Number%20associated%20with%20email%20Address%20or%20Instant%20Messenger%20Name.
---------------------------------------------------------------------------
    The availability of these services presents serious risks to 
victims of domestic violence and stalking. There is no reason why one 
should be able to obtain these records through pretexting, or outside 
of existing legal process.
    We therefore urge the Committee to follow up on Congress' excellent 
first steps by expanding pretexting bans, as well as restrictions on 
record sales, to cover other forms of communication, such as Internet 
services and other information services, as well as postal information.
In Addition to Pretexting, Sales of Communications Records Should be 
        Banned
    Just as initial attention on this issue needs to expand beyond cell 
phone records, discussion of solutions needs to look beyond merely 
banning one method of obtaining and abusing personal information. EPIC 
fully supports a ban on pretexting, as such action would make 
unmistakably clear the fact that such practices are unfair, deceptive, 
illegal, and wrong. However, any method used to obtain and sell a 
person's private records should be prohibited, whether that method 
involves pretexting, computer hacking, bribery, or other methods. In 
order to curb these invasions of privacy, consumers and law enforcement 
need to be able to pursue those who would offer private consumer 
information for sale, regardless of the methods used to steal it. We 
support the provisions in S. 2177 and S. 2178 that would ban the sale 
of consumers' telephone information.
    Banning the commercial sale of private consumer information is a 
necessary complement to banning pretexting, as it would ``dry up the 
market'' for illegally obtained telephone records. Such a prohibition 
would also allow consumers and consumer protection agencies to go after 
those who advertise privacy-invasive services without having to prove 
the specific techniques that the data brokers have used.
    EPIC has asked both the Federal Trade Commission and the Federal 
Communications Commission to take action on this issue. The FTC 
proposes a ban on pretexting; the FCC proposed a ban on commercial sale 
of records. EPIC believes that these efforts are necessary complements 
to the effort to protect consumers' communication records.
No Law Enforcement Exception
    Both of the bills introduced in the Senate have included exceptions 
for law enforcement. We recognize the need for law enforcement to gain 
access to communications records, and that is why there are existing, 
routine procedures under the law for such access, such as warrants and 
subpoena powers. We note that Senator Schumer's bill notes that any law 
enforcement acquisition of records must be made ``in accordance with 
applicable laws,'' and we agree that such a caveat is necessary. EPIC 
would go further, however, in urging that, since such procedures for 
law enforcement access exist, there is no need for law enforcement to 
engage in the fraud that these bills are trying to prevent.
Carriers and Other Holders of Personal Information Should Have Legal 
        Obligations to Shield Data From Fraudsters
    The acquisition and sale of these records, however, is only a part 
of the problem. Pretexting works because phone companies and others who 
store our communications records fail to adequately protect our 
personal information. Phone companies can be fooled into releasing 
information easily because releases of customer information are so 
routine, and because they use inadequate means to verify a requester's 
identity. If carriers only require a few pieces of easily-obtained 
information to verify a requester's identity (such as date of birth, 
mother's maiden name, or a Social Security number), then pretexters can 
impersonate account holders and obtain records with ease. All of this 
information is easily obtained in commercial databases or in public 
records. Furthermore, the online data brokers who do the pretexting 
often have easy access to these banks of private dossiers on 
individuals.
    If legislation is to fully address the problem of private 
information sales, Congress must look not only at the practices and 
tactics used by bad actors, but also at the loopholes and 
vulnerabilities they exploit. Laws that criminalize deceptive, unfair, 
and privacy-invasive sales must be complemented by laws and regulations 
that strengthen communications privacy and security.
Carriers Should Limit Data Retention and Disclosure
    An even more fundamental question in this discussion--more 
fundamental than how data brokers pretext information, or what 
vulnerabilities they exploit--is why this sensitive information is 
there to be stolen in the first place. The records that data brokers 
buy and sell online are often simply our past phone bills. The numbers 
we dial, the times of our calls, and the length of our conversations 
are known because of the way in which the cellular billing system is 
structured.
    One way to alleviate this problem would be to delete records after 
they are no longer needed for billing or dispute purposes. This, 
however, could leave consumers still vulnerable in the time between 
payment periods. Another alternative would be simply to not record and 
disclose all of this information. If telephone service were billed as a 
utility, as it was in the past for local service and may be in the 
future with VoIP service, many of the threats to privacy would simply 
disappear. The concept of data limitation--that data should only be 
collected and stored when necessary--can be applied not only in 
protecting call records, but other sensitive personal information. 
Senators Specter and Boxer's proposal, S. 1350, the Wireless 411 
Privacy Act, to provide privacy for consumers' mobile phone numbers is 
a good example of this important privacy safeguard. If the number need 
not be published in directories or in billing records, then it should not 
be provided, and opportunities for abuse are reduced by just that much.
    The vulnerabilities that our by-the-minute system of billing builds 
into our phone records are a good example of how decisions made about a 
communication system's initial structure and function create built-in 
privacy issues. In a letter that EPIC sent to then-Chairman Powell of 
the FCC, we noted that the emergence of new communications systems, 
such as Internet telephony, requires that Congress and executive 
agencies look forward in creating privacy-protective regulatory 
frameworks into which the new technologies can grow. \3\ We support the 
provisions in Senator Durbin's bill that extend anti-pretexting 
provisions to next-generation wireless communications, as well as 
Senator Schumer's inclusion of Internet telephony and other 
communications services.
---------------------------------------------------------------------------
    \3\ Letter of EPIC to FCC Chairman Powell, Dec. 15, 2003, available 
at http://www.epic.org/privacy/voip/fccltr12.15.03.html.
---------------------------------------------------------------------------
    We hope that the Committee will act on the proposals from Senator 
Schumer and Senator Durbin to protect the privacy of customers' phone 
records. There is no good reason that our monthly call billing records 
should be available for sale on the Internet.

    Senator Allen. Thank you, Mr. Rotenberg. We appreciate your 
comments and your testimony and your insight.
    Now we would like to hear from Mr. Robert Douglas.
    Mr. Douglas.

     STATEMENT OF ROBERT DOUGLAS, CHIEF EXECUTIVE OFFICER, 
                        PrivacyToday.COM

    Mr. Douglas. Thank you, Chairman Allen, Ranking Member 
Pryor, Senator Smith, and Members of the Committee. It is a 
pleasure to be here today. As you mentioned before, I was a 
private investigator in Washington, D.C., for the better part 
of 20 years. For the last 9 years, I worked as an information 
security consultant, specifically on the issue of theft of 
consumer records, and I served as a consultant to the FTC in 
Operation Detect Pretext, which has been mentioned, to the 
Florida statewide grand jury on identity theft, and 
specifically in a murder case in New Hampshire where a young 
woman named Amy Boyer was murdered when this type of 
information was stolen, and I will address that in just a 
moment.
    I have submitted very extensive written testimony, but I 
would like to use pictures, if I could, instead of words in my 
5 minutes to demonstrate what is happening, what is out there, 
and maybe bring a face to what we are discussing today, Mr. 
Chairman.
    [Screen.]
    The screen up right now is CellularTrace.com. This is one 
of the companies that was named in the EPIC complaint. I worked 
with EPIC's Chris Hoofnagle in putting together the 40 
companies that were named in that complaint last July. And this 
company is continuing to sell specific cell phone records and, 
as Mr. Rotenberg noted, this is one that has a notice up about 
how inundated they are being with business. They are saying 
right now: ``Notice. As a result of the recent newscast on 
cellular research, we have been completely inundated with 
orders. We are getting caught up as quickly as possible, but 
those placing the orders should expect delays.'' This may be 
one of the companies--I believe, Mr. Smith, you referenced this 
issue earlier--that is operating offshore, but we are taking a 
look at that right now.
    I also want to address some of the tangential issues which 
address how they are getting some of this information.
    [Screen.]
    This is a website called HackersHomePage.com, where they 
are specifically selling a voice-changing device, telephone 
voice changer. I have noticed in one of the suits brought by 
Verizon they have publicly acknowledged that one of the methods 
being used to defeat their call center operators' customer 
authentication procedures was to impersonate a nonexistent 
division of Verizon, claiming to be--I do not even really need 
the microphone, evidently--claiming to be a division that helps 
disabled customers who have problems using their voice. So when 
the call center operator says to the pretexter, well, I still 
need to speak to the customer, they just use this voice changer 
to change their voice and continue to be one and the same 
thief.
    [Screen.]
    This is a site called SpoofTel, Spoof Telephone, and these 
types of websites and actual devices that are for sale all over 
the Internet are used by private investigators and information 
brokers as part of pretext, allow you to make any caller ID 
system look like it is coming from a different number. So Kevin 
Mitnick, who is known in social engineering circles, hacking 
circles, once demonstrated how he could make a call look like 
it is coming from the White House.
    More specifically for what we are talking about today, you 
could make the call look like it is coming from your telephone 
carrier, thereby duping the customer themself into turning over 
important information to then beat the customer authentication 
protocols that the phone companies have.
    What I would like to close my testimony with is talking 
about where we were back in 1998. I testified at that time and 
my testimony with others resulted in the anti-pretext 
legislation contained in Gramm-Leach-Bliley, and I find myself 
having a little deja vu. I am here again on a similar issue, 
different type of record.
    At that time, as there has been some mention about danger 
to police officers, there was a company, Touchtone, as 
mentioned by the FTC today. But in addition to stealing 
financial record information, they stole thousands and 
thousands of phone records of Americans. They were involved in 
stealing records in the Clinton-Lewinsky investigation, in the 
JonBenet Ramsey investigation, in the murder of Bill Cosby's 
son Enis Cosby.
    But most relevant to what we are talking about today, they 
sold the phone records of undercover Los Angeles police 
officers to organized crime in an ongoing investigation--not a 
what-if with the FBI buying records, not a what-if with the 
Chicago Police Department. This has happened already. That is 
one we know about. I am sure it has happened many other times.
    [Screen.]
    This company, Docusearch, same timeframe, back in 1998-1999 
when Gramm-Leach-Bliley was being signed into law, advertised 
and continues to advertise to this day--Mr. Chairman, when we 
spoke before the hearing this afternoon I told you I would talk 
about a company in your home State. That is Docusearch. That is 
Dan Cohen, who owns it, who moved from Florida after he was 
sued in the Boyer murder case and now operates right out of 
Northern Virginia.
    To this day--this is today on his website--he is trumpeting 
that he was the featured cover story article in Forbes Magazine 
November 1999, as Gramm-Leach-Bliley was being signed into law, 
bragging about how he steals financial records and phone 
records, specifically phone records back at that time.
    [Screen.]
    Well, we should have paid attention, because this woman, 
Amy Boyer, who was 20 years old, had her whole life ahead of 
her, was murdered, and she was murdered by this man, Liam 
Youens, standing in the corner of his bedroom with an AK-47, 
shortly before he went out and gunned her down. He was telling 
the world on this website that I have got one captured page 
from here, documenting for the better part of a year how he 
obtained information on her. And while it was not specifically 
phone records, it was her employment address, obtained through 
pretext--part of what we are talking about today.
    The sad and sick thing was they called her mother and 
impersonated an insurance company and said they had an 
insurance refund from her. So her mother today says: I was an 
accomplice to my own daughter's murder.
    I will close with what he says at the end, which is that 
``It is actually obscene what you can find out about somebody 
on the Internet.'' He wrote those words right before he left on 
October 15, 1999, and murdered Amy. With that, I will avail 
myself to your questions, Mr. Chairman.
    [The prepared statement of Mr. Douglas follows:]

    Prepared Statement of Robert Douglas, Chief Executive Officer, 
                            PrivacyToday.com
    Chairman Allen, Ranking Member Pryor, Members of the Committee, my 
name is Robert Douglas and I thank you for the opportunity to appear 
before this Committee to address the Committee's concerns about the 
theft of Americans' phone records.
I. Background and Basis of Knowledge
    I am the CEO of PrivacyToday.com and work as an information 
security consultant to the private and public sectors on issues 
involving all aspects of identity theft, identity fraud, and customer 
information security. During the past nine years, I have assisted the 
financial services industry, the general business community, 
government, and law enforcement agencies to better understand the scope 
and methodology of identity crimes through educational materials, 
presentations, auditing, and consultation.
    My specialty is monitoring and investigating the practices of 
identity thieves, illicit information brokers, and illicit private 
investigators that use identity theft, fraud, deception, bribery, 
social engineering, and ``pretext'' to steal customer and proprietary 
records from a wide range of businesses. Additionally, I teach 
businesses, government agencies, and law enforcement how to detect and 
defend against these forms of theft in order to better protect all 
Americans.
    This is my seventh appearance before the United States Congress to 
discuss information security. Most relevant to today's hearing, I 
worked in 1998 with the House Financial Services Committee to expose 
the use of ``pretext'' and other forms of deceptive practices to steal 
and sell consumers' private financial records maintained by financial 
institutions. That work resulted in the July 28, 1998 hearing titled 
``The Use of Deceptive Practices to Gain Access to Personal Financial 
Information''. Testimony offered at that hearing resulted in the Gramm-
Leach-Bliley Act provisions outlawing the use of deceptive practices to 
gain access to financial account information. In follow-up testimony I 
presented in a September 13, 2000 hearing before the same committee 
acting in its oversight capacity, I discussed the emerging and growing 
threat of deceptive practices being used to gain access to phone 
records--the precise issue before you today. [The 1998 and 2000 
testimonies, along with my other congressional testimonies are 
available at PrivacyToday.com/speeches.htm]
    Following the 2000 testimony I served as a consultant and expert to 
the Federal Trade Commission in the design and execution of Operation 
Detect Pretext, a sting operation to catch and civilly prosecute 
companies participating in the illicit information market.
    In 2002, I testified as an expert witness on illicit information 
brokers and the role they play in identity theft and fraud before the 
Florida Statewide Grand Jury on Identity Theft.
    From 2001 to 2004, I was an expert witness and consultant for the 
plaintiffs in Remsburg v. Docusearch, a suit brought by the parents of 
Amy Boyer against a private investigator selling illicitly obtained 
personal information via a website. Ms. Boyer was murdered by an 
infatuated young man who purchased Ms. Boyer's Social Security number, 
date of birth, and place of employment from Docusearch who employed a 
``pretexter'' to impersonate an insurance company official to obtain 
the employment address of Ms. Boyer. Subsequently the killer gunned 
down Ms. Boyer as she left work.
    I am currently serving as a consultant in a Pennsylvania murder 
case involving the sale by a private investigator of data-mining 
``research'' about the victim to a deranged former employee who used 
the ``research'' to locate the victim and kill him.
    I assisted Chris Hoofnagle of EPIC West, who deserves full credit 
for this issue reaching the attention of Congress, with the amended 
complaints submitted to the FCC and FTC by compiling the 40 companies 
named therein.
    I have lectured before local, state, Federal and international law 
enforcement, banking, and business associations on the topic of 
identity crimes.
    I am the author of ``Spotting and Avoiding Pretext Calls'' which 
was distributed by the American Bankers Association to all member 
institutions. I am also the author of ``Privacy and Customer 
Information Security--An Employee Awareness Guide'', a training manual 
that has been used by numerous banks and businesses to train employees 
to defend against deceptive practices designed to steal customer 
information.
    Prior to my work as an information security consultant, I was a 
Washington D.C. private detective.
II. Identity Thieves Use the Same Methods
    I'd ask the Committee to keep one important fact in mind while 
investigating the practices of illicit information brokers and illicit 
private investigators stealing phone and other consumer records. The 
methods used by those industries are used by identity thieves and 
financial criminals every day in this country to defeat customer 
information security systems for a wide range of businesses.
    Additionally, in each case I've worked involving web-based illicit 
information providers, when we have been able to review the files of 
the company, there have been indications of identity thieves and other 
criminals--including stalkers--using those companies to buy information 
about Americans. Finally, as we are focusing on phone records today, I 
would hazard an educated opinion that one of the reasons that the FTC 
lists cell phone fraud as one of the most common forms of fraud 
resulting from identity theft is the ease with which cell phone records 
are stolen or purchased on the Internet.
    For further background information, I recommend reading ``Your Evil 
Twin,'' by Bob Sullivan. I'd also like to recommend Robert O'Harrow's 
``No Place To Hide'' as an excellent work on the growing data-mining 
industry and a number of the public policy issues raised by this 
industry.
III. The Illicit Sale of Phone Records and Much More
    News reports have served an important role in bringing the problem 
of web-based information brokers and private investigators selling 
detailed phone records to the attention of this Committee, Congress, 
and the American people. While reporting by Robert O'Harrow of the 
Washington Post and Bob Sullivan of MSNBC on the sale of phone records 
dates back to the late 1990s, the issue has only recently caught the 
full attention of the American consumer and law enforcement agencies 
across the country.
    In part this was due to the work of Frank Main at the Chicago Sun-
Times who discovered that the Chicago Police were concerned that the 
sale of detailed cell phone records could jeopardize the safety of 
police officers and criminal investigations. Subsequently, Frank Main 
reported that the FBI was alarmed to learn in a test purchase of a web-
based information broker that anyone could obtain the cell phone 
records of an FBI agent within a matter of hours from placing the order.
    As the Committee will learn a bit later in my testimony, the 
Chicago Police and FBI were correct in their concerns as years ago the 
phone records of Los Angeles police officers had been sold by an 
information broker to organized crime.
    But for the most part, the overwhelming number of news reports has 
inadvertently served to minimize the scope and extent of the problem. 
While the vast majority of reporting has focused on cell phone records 
and a small number of web-based brokers selling those records, the 
reality is that all entities that maintain consumer and proprietary 
information are under attack. The list includes, but is not limited to, 
telecommunication (including e-mail and Internet service providers), 
cable and satellite television, utility (including electric, gas, water 
and sewer companies), and financial industries, plus all government 
agencies. In short, any business or government agency maintaining 
customer records or confidential proprietary information is at risk 
because identity thieves, illicit information brokers, illicit private 
investigators, corporate spies, and con artists know quite often the 
most effective tool for stealing highly valued information is the 
telephone.
    In addition to minimizing the types of consumer information for 
sale, recent news reports have also inadvertently minimized the number 
of outlets and methodologies via which phone records can be purchased 
or stolen. Even the range of telecommunications records for sale has 
been inadvertently minimized with most media focusing on just the sale 
of cell phone records.
    Specifically, there are far more web-based illicit information 
brokers and illicit private investigators than the 40 cited in the EPIC 
West complaint and there are a myriad of methods used to defeat phone 
company information security protocols far beyond the simple pretext of 
impersonating the customer. Additionally, when considering phone 
records, all types of telecommunications records are for sale--from 
home and business phone records to cell phone records to reverse-911 
cell tower location information to pager records to GPS tracking 
devices to name just a few categories.
    Finally, the reporting has inadvertently minimized the dangers 
posed by phone records and other forms of information stolen by means 
of pretext falling into the wrong hands when information brokers and 
private investigators sell either information obtained through pretext, 
or even database information, to individuals without any understanding 
of why the individual wants the information. Murders and assaults have 
occurred when information brokers and private investigators have not 
taken adequate steps to understand who they are providing information 
to.
    With the caveat that all consumer records and government/business 
proprietary information are at risk; that there are far more than the 
40 brokers and investigators selling phone and other records cited in 
the EPIC West complaint; and, that these records in the wrong hands 
have caused severe harm--including loss of life, I will confine the 
remainder of my testimony to the sale of phone records obtained most 
commonly through pretext and other forms of deception.
IV. To Understand Why Records Are Sold, You Need To Know Who Buys Them
    To understand why the phone records of practically any American--
from former presidential candidate General Wesley Clark to women hiding 
under threat of violence--are for sale on the Internet, you need to 
know who is buying the bulk of the phone records that are obtained 
through illicit means. The overwhelming majority of phone records are 
purchased by attorneys, private investigators, skip tracers, debt 
collectors, and the news media.
    Attorneys purchase the records as a means of discovery in all forms 
of litigation from divorce, to criminal defense, to ``business 
intelligence''. Private investigators buy phone records as a means of 
locating witnesses, developing leads, and developing evidence. Skip 
tracers use phone records to locate hard to find individuals who may be 
using deceit themselves to cover their tracks. Debt collectors find 
phone records a valuable tool in locating ``deadbeats'' who may be 
hiding from the collector and/or hiding assets. The news media--
especially the tabloid press--want phone records to track celebrities' 
lives and develop leads in cases like the JonBenet Ramsey murder, the 
Columbine massacre, and the freeway slaying of Bill Cosby's son. Each 
of these categories of users and purchasers has at one time or another 
made impassioned pleas to me that they need access to phone records--
outside of normal judicial review processes--to conduct what they argue 
are socially beneficial services.
    These buyers and their thirst for the information contained in 
detailed phone billing records resulted in the market and the cash flow 
that fed and encouraged the online sale of phone records. Specifically, 
the methods for stealing phone records had been known and in use for 
decades in order to service attorneys, private investigators, skip 
tracers, debt collectors, and the news media. With the advent of the 
Internet and the World Wide Web it was only a matter of time before 
some illicit information broker or private investigator decided to 
advertise the availability of phone records on the web. And once the 
first ads appeared and other brokers and investigators learned how much 
money could be made selling phone records via the Internet--in some 
instances more than a million dollars per year for small operations--
the feeding frenzy was on. So today there are hundreds of ads on the 
web (and in legal and investigative trade journals) for phone records 
and phone ``research''. And contrary to the language on those sites 
claiming to limit sales of personal information to attorneys, 
investigators, skip tracers, debt collectors, and bail bondsmen, most 
of these companies will sell to anyone as long as they think you're not 
a reporter or law enforcement agency conducting a media expose or sting 
operation. Frankly, greed is the name of the game.
    Those hundreds of ads on the web only represent the tip of the 
iceberg. Two other factors combine to push the total to thousands of 
outlets for purchasing phone records. First, many brokers and 
investigators don't advertise on the web or at all. These brokers and 
investigators work beneath the surface and develop clients by word of 
mouth while shunning publicity. Many of these hidden brokers and 
investigators are the actual sources--once removed--for the information 
sold via the web as many of the web-based operators are not skilled in 
the methods of stealing customer information and serve as mere front 
companies. Second, the brokers and investigators who shun a web 
presence but supply many of the web-based operations, also supply other 
brokers and investigators throughout the country who don't openly 
advertise on the web or anywhere else. And often those brokers and 
investigators service other brokers and investigators in a spider web 
or pebble-dropped-in-the-pond effect. Through this black market phone 
records may pass through several sources--at times including a bribed 
phone company insider--before reaching the eventual buyer. So in 
reality there are thousands of brokers and investigators, on the web 
and off, comprising the totality of suppliers of illicit phone records. 
And the records are now for sale to anyone who wants them--regardless 
of reason.
V. How Phone Records Are Obtained
    Phone records are obtained through numerous methods and sources. 
Some of these methods and sources have been publicly discussed--some 
have not.
    By far the most common method is the use of ``pretext''. Pretext, 
used in this fashion, is the method of convincing someone you are a 
person or entity entitled to obtain the records sought. The term 
``pretext'' when used in the context of obtaining confidential, 
statutorily protected, or consumer and proprietary information is 
actually a misnomer used by illicit brokers and investigators to add an 
air of legitimacy to the fraud they commit. The reality is pretext is a 
combination of identity theft and fraud. Identity theft because the 
individual carrying out the pretext needs to assume the identity of the 
rightful owner of the information sought--usually including 
biographical information such as name, address, Social Security number, 
and date of birth--in order to impersonate that individual during the 
pretext. Fraud because once impersonating that individual, the 
pretexter defrauds the rightful custodian of the information sought 
into turning the information over to an improper recipient.
    To further understand pretext you need to know the code of the 
identity thief, broker, or investigator seeking information they don't 
have legitimate access to.

        1) Know what piece of information you want.
        2) Know who the custodian of the information is.
        3) Know who the custodian will release the information to.
        4) Know under what circumstances the custodian will release the 
        information.
        5) Become that person with those circumstances.

    Once you know the code and apply a little imagination and bravado, 
you can steal almost any piece of information in this country.
    But again, contrary to most reporting on this subject, the number 
of pretext methods and variations of those methods are vast and far 
beyond just merely impersonating the consumer. By way of example, in a 
state action brought under an unfair and deceptive trade practice 
statute captioned Massachusetts v. Peter Easton, Easton was caught 
calling into banks impersonating a Federal banking official in order to 
get the banks to surrender consumer financial account records. In one 
of the current Verizon cases involving phone records, there is a report 
indicating the information brokers were impersonating Verizon employees 
assisting disabled account holders. These are just two of literally 
dozens of variations of methods I am aware of that succeed thousands of 
times each day in defeating phone and other companies' customer 
authentication procedures.
    An important aspect in the conduct of a pretext is the ability of 
the illicit information broker or private investigator to purchase data 
about the individual consumer they seek to impersonate. After all, to 
fraudulently convince a customer call center representative that the 
pretexter is the actual customer, the pretexter needs to know the full 
name, Social Security number, date of birth, address, and other forms 
of personal identifying information of the actual account holder. In 
order to gain access to this information, the illicit information 
brokers and private investigators need to have subscriber accounts with 
legitimate data-mining companies--also commonly referred to as 
information brokers.
    Beginning approximately a year ago, it became more difficult for 
illicit information brokers and private investigators to get or 
maintain subscriber accounts with the large legitimate data-mining 
information brokers. This is because in the wake of reports of data 
breaches by legitimate information brokers and a wide variety of other 
businesses maintaining consumer records--coupled with congressional 
hearings examining the data breach problems and the ease with which 
personal information like Social Security numbers could be purchased 
from many of the illicit brokers and investigators we are discussing 
today--the legitimate data-mining information brokers began to curtail 
and in some cases terminate all sales of information to private 
investigators and other business lines with a history of improper 
resale or use of database information.
    But other small and mid-size companies have stepped in to fill the 
void and continue to provide Social Security numbers and other personal 
identifiers to illicit information brokers and private investigators. I 
am aware of at least a dozen companies that illicit information brokers 
and illicit private investigators are using to obtain full social 
numbers and other biographical data in order to conduct pretexts 
against consumers and businesses. This is an issue crying out for 
attention by Congress.
    The second most common method of gaining illicit access to phone 
records is bribery of a company employee or even the trade of 
information with inside employees working in skip-tracing and 
collection divisions within phone companies. There is a small but 
constantly present underground network of employees who trade 
information--sometimes lawfully, sometimes not--and those seeking 
information that have no lawful right to that information have learned 
how to tap those resources.
    While I am not aware specifically of a case involving phone records 
where threats of violence were used to coerce phone company employees 
to supply information to criminals, that has happened in the financial 
services community resulting in Federal banking regulatory agencies 
warning financial institutions of the trend a number of years ago. I 
would not be surprised if this was happening to phone company employees 
as well. Remember--information equals cash to all sorts of information 
thieves and they will do anything necessary to obtain the information 
they seek.
    Finally, I have a substantial amount of evidence developed over 
nine years on methods, tactics, and sources used to obtain phone 
records that is inappropriate for revelation in an open hearing. I'd be 
happy to share this with the Committee, enforcement agencies, the phone 
associations, or companies in a closed setting.
VI. Phone Record Sales and ``Spoofing'' Services on the Web Are Most 
        Alarming
    While the totality of brokers and investigators selling phone 
records are troubling, the Internet-based operations are most alarming 
for the simple reason that by their very nature they allow a buyer to 
easily conceal their identity and intent in purchasing another 
citizen's records. This anonymity is a criminal's delight. From 
identity thieves to stalkers to child predators to corporate spies, the 
ability to conceal the identity and intent of the end user of the 
records is paramount.
    Additionally, when consumers see the websites advertising the sale 
of phone records and services like Caller-ID ``spoofing'' services 
designed to defeat Caller-ID, it increases mistrust between the 
consumer and businesses Americans provide information to, and increases 
the belief by many consumers that the government isn't protecting the 
American consumer.
    Web-based services like spooftel.com and the open sale of devices 
designed to show a different number on a Caller-ID system than the 
actual number the call is being placed from can be used as part of 
pretext and can even be used to defeat security systems for voice mail. 
In one well known demonstration of Caller-ID spoofing, convicted 
``hacker'' Kevin Mitnick demonstrated for a reporter how he could make 
a call look like it was coming from the White House.
    The use of spoofing services and devices as part of pretext is so 
well known within the investigative and information broker industries 
that advice on how to pick the best services is often bantered about. 
Here's an example:

    If you are considering using one of the numerous Caller ID Spoofing 
services, you may want to know several things before you sign-up.

        1. Can this service be employed as part of your PI business, or 
        is it just to be used for entertainment purposes?

        2. If it is to be used only for entertainment purposes, do they 
        offer a commercial version, and if so what are the differences?

        3. Do they record/log all transactions?

        4. Can you call 800 numbers, or other toll free line?

        5. Can you call financial institutions through their website, 
        even if the financial institution is one you have an account 
        with?

        6. Can you use an anonymous Internet surfing software product 
        (these change your IP number and make you appear as if you are 
        accessing the Internet from another state, country, etc.) to 
        access their website?

        7. Will they inform you if they suspect fraudulent activity? 
        What is their method for settling such a dispute?

        8. Will they supply you with a list of all the activities that 
        can lead to a cancellation of your account?

    I raise the issue of Caller-ID spoofing fraud so this Committee 
will be aware that the extent of the problem is far more than just the 
sale of phone records. It is a myriad of techniques and use of 
technology designed to defeat information security systems. The use of 
these technologies--specifically Caller-ID spoofing devices and 
services--should be outlawed immediately.
VII. Did The FTC Give Tacit Approval To The Sale Of Phone Records?
    Given how prevalent and open the sale of phone records is, this 
Committee must be wondering how these companies and their devious 
practices have remained untouched by the Federal Trade Commission and 
other enforcement agencies. After all, the FTC is charged with stopping 
unfair and deceptive trade practices.
    Congress and the American people have a right to ask a series of 
questions of the Federal Trade Commission when it comes to the sale of 
phone records. The questions include:

        a) Was the FTC aware of the sale of phone records prior to 
        recent news accounts?

        b) If the FTC was aware, for how long has the FTC been aware?

        c) Prior to recent media revelations and Congressional demands, 
        did the FTC take aggressive steps to stop the sale of phone 
        records?

        d) Did the FTC signal tacit approval of the sale of phone 
        records by private investigators?

        e) Why has the FTC been AWOL when it comes to protecting phone 
        records?

    These questions are fair as, after all, the FTC is supposed to be 
the watchdog for the American consumer. Given my work with, study of, 
and access to information concerning the role of the FTC when it comes 
to illicit information brokers and private investigators I'd like to 
posit answers to the above questions as I believe the reality is that 
when it comes to phone records--and all other illicitly obtained 
consumer records--the watchdog is nothing more than a lapdog on a leash 
held by the illicit information brokers and private investigators.
a) Was the FTC Aware of the Sale of Phone Records Prior to Recent News 
        Accounts?
    Yes. The FTC has been aware of the sale of phone records due to the 
Touch Tone Information case, Operation Detect Pretext, the Boyer murder 
case, and direct interaction and communication with the private 
investigative profession--including direct inquiries from PI Magazine 
on the FTC's views regarding pretexting for phone records.
b) If the FTC Was Aware of the Sale of Phone Records, For How Long Has 
        the FTC Been Aware?
    The FTC has been aware of the problem since at least April of 1999 
when the FTC filed an action against Touch Tone Information. While the 
FTC brought the action against Touch Tone for the sale of consumer 
financial information obtained by means of deception, the Touch Tone 
records available to FTC staffers were replete with thousands of 
instances of phone records being obtained and sold by means of 
deception.
    In 2002, I interviewed the Colorado Bureau of Investigation 
detectives who broke the Touch Tone case and whose work the FTC piggy-
backed in bringing the FTC complaint against Touch Tone. The detectives 
informed me the FTC showed little interest in following up on the 
voluminous records contained in the files of Touch Tone showing a vast 
network of hundreds of private investigators, attorneys, and media 
outlets around the country using Touch Tone to obtain phone and other 
records.
    For example, as documented by the Washington Post, Touch Tone sold 
Kathleen Willey's phone records to a Montgomery County, Maryland 
private investigator during the investigation of President Clinton.
    Additionally, the Touch Tone records contained the following letter 
listing phone and other records sold by James Rapp, co-owner of Touch 
Tone, about participants in the JonBenet Ramsey murder investigation as 
reported by the Denver Post in a June 26, 1999 article titled, ``Letter 
Details Information Rapp Dug Up''. Each reference to ``tolls'' means 
detailed phone records.
    Here is the text of an undated letter purportedly written by James 
Rapp to a private investigator in California named Larry Olmstead, 
owner of Press Pass Media. Olmstead used Rapp to get information for 
his clients, primarily tabloid media outlets, prosecutors say.

    Dear Larry,

    Here is a list of all Ramsey cases we have been involved with 
during the past lifetime (sic).

    1. Cellular toll records, both for John and Patsy.
    2. Land line tolls for the Michigan and Boulder homes.
    3. Tolls on the investigative firm.
    4. Tolls and home location on the housekeeper, Mr. and Mrs. Mervin 
Pugh.
    5. Credit card tolls on the following:

        a. Mr. John Ramsey, AMX and VISA
        b. Mr. John Ramsey Jr., AMX.

    6. Home location of ex-wife in Georgia, we have number, address and 
tolls.
    7. Banking investigation on Access Graphics, Mr. Ramsey's company, 
as well as banking information on Mr. Ramsey personal.
    8. We have the name, address and number of Mr. Sawyer and Mr. 
Smith, who sold the pictures to the Golbe (sic), we also have tolls on 
their phone.
    9. The investigative firm of H. Ellis Armstead, we achieved all 
their land and cellular lines, as well as cellular tolls, they were the 
investigative firm assisting the Boulder DA's office, as well as 
assisting the Ramseys.
    10. Detective Bill Palmer, Boulder P.D., we achieved personal 
address and numbers.
    11. The public relations individual ``Pat Kroton'' (sic) for the 
Ramseys, we achieved the hotel and call detail where he was staying 
during his assistance to the Ramseys. We also have his direct cellular 
phone records.
    12. We also achieved the son's John Jr.'s SSN and DOB.
    13. During all our credit card cases, we acquired all ticket 
numbers, flight numbers, dates of flights, departing times and arriving 
times.
    14. Friend of the Ramseys, working with the city of Boulder, Mr. 
Jay Elowskay, we have his personal info.

    But that was not all, nor was it the most alarming aspect of the 
sale of phone records contained in the Touch Tone case the FTC had 
access to. Through a conduit Touch Tone had sold phone and pager 
records of Los Angeles police officers to organized crime.
    Again, the Denver Post reported on this shocking set of facts in a 
June 29, 1999 article titled, ``Accusations against Rapps Widen, Pair 
Allegedly Sold Phone Numbers of L.A. Cops to Mobster''. Here is the 
text of the article:

        James Rapp, the Denver private detective charged with 
        trafficking in confidential information about the Ramsey murder 
        case, also furnished the private phone numbers of police 
        officers to a member of the so-called ``Israeli mafia,'' 
        authorities say.

        Rapp allegedly got the unlisted home phone numbers and pager 
        numbers for some Los Angeles police officers and funneled them 
        through a middleman to Assaf Walknine, a reputed Israeli mafia 
        member who'd been arrested on forgery charges, according to an 
        affidavit unsealed Monday. Colorado Bureau of Investigation 
        agent in charge Mark Wilson said the release of officers' 
        numbers can be extremely dangerous.
        ``Not only is it dangerous, but it definitely could compromise 
        any investigation that could be ongoing,'' he said.
        Rapp and his wife, Regana, were indicted last week by the 
        Jefferson County grand jury on two counts of racketeering, 
        charges that carry maximum penalties of 24 years in prison and 
        fines of $1 million on conviction.
        Authorities claim the Rapps ran a detective agency, Touch Tone 
        Information Inc., that used subterfuge to obtain confidential 
        information about the JonBenet Ramsey murder investigation and 
        passed it to the world tabloid media.
        The pair surrendered Monday. They were jailed, then released on 
        bond of $25,000 for him and $10,000 for her.
        The CBI started investigating the Rapps in January after 
        getting a referral from the Los Angeles Police Department, the 
        affidavit says.
        The LAPD alleged that the Rapps helped get phone numbers of 
        police officers for Walknine after Walknine's arrest in 
        connection with an alleged scheme to forge credit cards and 
        gold coins.
        Authorities believe that Walknine also ``cloned'' the pagers 
        worn by the officers. For instance, every time L.A. Detective 
        Mike Gervais would be paged, the person paging him would get a 
        call from Walknine, the affidavit says.
        The middleman between Walknine and the Rapps was a former L.A. 
        cop and convicted felon named Mike Edelstein, the affidavit 
        says.
        ``LAPD is most interested in Edelstein,'' CBI agent Bob Brown 
        said. ``He was buying the information for Walknine from (the 
        Rapps). As I understand it, when Walknine was arrested, he 
        admitted he got this information from Edelstein--the pager 
        numbers, the home telephone numbers and home addresses of LAPD 
        officers.
        ``At one point, Edelstein actually showed up at the front door 
        of one of the police officers while the officer was at work and 
        his wife answered the door,'' Brown said. ``He gives his name 
        and walks away. The officer believes Edelstein was stalking him 
        or in some way trying to intimidate him.''
        Brown said Edelstein was a cop who was fired from the Los 
        Angeles Police Department. Edelstein served a prison sentence 
        for possession of an automatic weapon and, after getting out of 
        prison, became a private investigator, Brown said. He later 
        began using the Rapps and their Touch Tone Information Inc.
        Brown said that Los Angeles police discovered Edelstein's 
        connection with the Rapps after a Los Angeles shoplifter 
        claimed he was a LAPD officer and showed them identification. 
        It was a forgery and traced to Edelstein.
        During a search of Edelstein's home, officers found a cover 
        letter from Touch Tone Information Inc. with a price sheet 
        stating that the company could obtain the address and phone 
        tolls for any telephone in the United States or 
        internationally. Touch Tone also claimed it could provide 
        banking information on an individual or corporation.
        A former employee of the Rapps told investigators that they 
        excelled at obtaining confidential phone numbers and bank 
        records.
        The former employee said he overheard phone discussions between 
        James Rapp and his clients, which led him to believe that Touch 
        Tone clients were a mix of private investigators, lawyers and 
        news reporters. [end of article]

c) Prior to Recent Media Revelations and Congressional Demands, Did the 
        FTC Take Aggressive Steps to Stop the Sale of Phone Records?
    The simple answer is no. Given the wealth of knowledge and 
intelligence coupled with client lists for hundreds of private 
investigators, attorneys, media outlets, and other buyers of phone 
records contained within the Touch Tone files--not to mention what the 
FTC learned in the Boyer murder case and Operation Detect Pretext--what 
did the FTC do to root out this market and stop the sale of phone 
records? Not a thing.
d) Did the FTC Signal Tacit Approval of the Sale of Phone Records by 
        Private Investigators?
    Arguably yes. In direct and indirect ways the FTC has signaled to 
the illicit brokers and investigators that the sale of phone records 
will be tolerated--as long as it isn't too blatant.
    This happened indirectly by brokers and investigators noting the 
FTC was aware of the sale of phone records for years and had taken no 
actions against any individuals or companies selling the records. In 
places where investigators and brokers meet to discuss sources, 
tactics, methods, enforcement actions, and legislation, there has been 
a continuing dialogue for years that argues the practice of selling 
phone records must be OK since the FTC has done nothing about it.
    Another indirect signal was sent to brokers and investigators as an 
unintended consequence of the passage of the anti-pretexting for 
financial information statute contained with the Gramm-Leach-Bliley 
Act. Brokers and investigators, rather than looking at the spirit of 
the law, interpreted the letter of the law to allow the continued use 
of pretext and other forms of deception to obtain consumer records 
other than financial records. And the FTC, in bringing the paltry 
number of cases it has to date under Gramm-Leach-Bliley and the Unfair 
and Deceptive Trade Practices Act, has inexplicably ignored the 
evidence in those cases of phone record sales. This did not go 
unnoticed by the illicit information brokers and private investigators 
and was again read as a green light to sell phone records.
    In addition to indirect signals, the FTC, whether intending to or 
not, has directly signaled the brokers and investigators that phone 
record sales would be tolerated.
    In January of 2005, the cover story of PI Magazine was ``The FTC on 
Pretexting: The PI Magazine Interview with Joel Winston''. The 
interview was conducted by PI Magazine Editor-in-Chief, Jimmie Mesis. 
In the set-up to the interview Mesis describes the reason he 
interviewed Joel Winston as the following:

        ``In an effort to get a definitive definition of pretexting and 
        the potential risks and penalties for conducting pretexts, PI 
        Magazine was granted an interview with Joel Winston, Associate 
        Director of the FTC, Division of Financial Practices. His 
        office has the responsibility to monitor and regulate the use 
        of pretexting.'' [Emphasis added]

    During the course of the interview which covered a number of 
aspects regarding the definition of pretexting, various pretexting 
tactics, Gramm-Leach-Bliley, Operation Detect Pretext, and the Unfair 
and Deceptive Trade Practices Act, Mesis asked Winston about the use of 
pretext for phone records. The following Q and A resulted:

        PI Magazine (PIM): Do you classify the acquisition of telephone 
        toll records as a clear violation of deceptive business 
        practices?

        Winston: It's not what we traditionally look at as deception 
        because you're deceiving party A, but party B is the actual 
        party being harmed. But, we believe that, even though it has 
        not been tested in the courts, that acquiring toll records 
        through false statements constitutes deceptive business 
        practices.

        PIM: Is this an area the FTC is going to start looking into?

        Winston: We are aware that there have been some concerns about 
        that and we're continuing to consider it.

    Not exactly a clear and strong message from Mr. Winston, the FTC 
official charged with pretext regulation, that the sale of phone 
records will not be tolerated when Mr. Winston was afforded an ideal 
forum to send an unambiguous warning. And I would note that a year 
later when this issue exploded in the media, 6 months after the EPIC 
West complaint was filed with the FTC, the FTC still had not brought a 
single enforcement action against any company selling phone records.
    The interview continued and in a later question Winston was asked:

        PIM: Are there currently any FTC concerns about private 
        investigators?

        Winston: Not as a general matter. If I thought that there were 
        major problems in the PI industry that concerned us, I would 
        certainly tell you. As with any industry, there are occasional 
        bad apples, but the PI industry as a whole is not an area about 
        which we have any particular concerns . . . [Winston then 
        discusses an area dealing with credit reports unrelated to 
        pretext and phone records]

    An objective reader--not to mention a subjective reader, like a 
broker or investigator, trying to read the tea leaves of Winston's 
answers--comes away with the distinct impression that the sale of phone 
records by brokers and investigators is not high on Joel Winston's or 
the FTC's priority list. Particularly when coupled with the fact that 
in the seven years that the FTC has been aware of the sale of these 
records, they hadn't brought a single enforcement action against a 
company selling phone records.
    But don't take my word on how the investigators and brokers reading 
Mr. Winston's comments interpreted them. Instead, read how the 
interviewer, Jimmie Mesis, Editor-in-Chief of PI Magazine interpreted 
Mr. Winston's answers. In a statement to fellow investigators and 
brokers on July 11, 2005 titled EPIC Fighting Phone Records Sales, Mr. 
Mesis, responding to other investigators and brokers that were angered 
by the complaint EPIC West filed, stated:
    ([Bracketed comments and emphasis added by Douglas])

        Greetings,

        There is no doubt that that one complaint to the FTC does not 
        constitute ``a problem.'' However, when that complaint comes 
        from EPIC, we have a problem. This organization continues to 
        exist by its consistent efforts to blast alleged violations of 
        consumer privacy. My immediate concern is not the FTC, rather 
        EPIC for their aggressive negative media publicity campaigns 
        against PI's and their strong lobbying efforts in Washington, 
        D.C.
        I recommend that you read my interview with the FTC and the 
        specific comments about telephone records at 
        www.pimagazine.com/ftc_article.htm The FTC wasn't too concerned 
        about telephone information, but if PI's are going to blatantly 
        advertise tolls directly to the public as a commodity, the FTC 
        will get involved and we are going to lose that commodity and 
        our ability to solve many cases because of it.
        [Note that Mesis considers Americans' phone records a 
        ``commodity''!]
        PI's need to stop promoting the selling toll records directly 
        to the public as a commodity. Rather, use it as an 
        investigative tool used in the course of your investigation to 
        lead you to a missing person or to the lead you need to solve 
        the case. I also suggest that PI's promote such services as 
        ``telephone research'' as compared to coming right out and 
        mentioning tolls, non-pubs, etc.
        [Note that Mesis recommends hiding what is actually being sold 
        on websites by using terminology designed to deceive--this is a 
        common practice within the trade and its web advertising]
        Roe and I decided last January to voluntarily remove our 
        magazines from the books shelves at Barnes & Noble and many 
        other book stores. We did this at a financial loss to make it a 
        bit more difficult for the public to readily learn and see the 
        suppliers of information that shouldn't be directly accessible 
        to the public. We as professional investigators need to know 
        who these sources are, yet we all need to do something to stop 
        this avalanche of perceived identity theft hysteria that the 
        media has latched onto.
        Remember, one day . . . soon, you will no longer be able to get 
        non-pubs, addresses for telephone numbers, and tolls, all 
        because some new law is going to be passed. Why? Because PI's 
        shouldn't be promoting these investigative tools as a 
        commodity. Then, just like with GLB, a new law will eventually 
        prevent us from using an amazing investigative resource that 
        will be lost, and it won't be anyone's fault other than our 
        own.

        Please do your part,
        Jimmie Mesis, Editor-in-Chief, PI Magazine, Inc.

    So in Mr. Mesis' own words--again, this is the man who sat in the 
room and interviewed the FTC's Joel Winston--``There is no doubt that 
that one complaint to the FTC does not constitute ``a problem'' . . . 
My immediate concern is not the FTC . . . The FTC wasn't too concerned 
about telephone information . . .''
    One wonders what additional off the record discussion may have 
taken place between Mr. Mesis and Mr. Winston that may have bolstered 
Mr. Mesis' belief that the FTC ``wasn't too concerned about telephone 
information.''
    But the interview was a year ago and before the EPIC West 
complaint. Perhaps in light of the EPIC West complaint and resultant 
media attention to the issue, Mr. Winston of the FTC has had a change 
of heart--perhaps not.
    In an article by Peter Svensson of the Associated Press published 
less than two weeks ago on January 18, 2006, Joel Winston again stated 
why he doesn't see the sale of phone records as an issue rising to the 
level of seriousness surrounding the sale of financial records.
    In the context of the article, Winston stated:

        So why didn't the Touch Tone case put such businesses out of 
        business?
        For one, the FTC went after Touch Tone not for snooping on the 
        private lives of police officers but for ``pretexting'' 
        financial information from banks.
        ``Our primary focus there was on financial, because that's 
        really where the most direct harm is,'' Joel Winston, associate 
        director of the FTC's division of privacy and identity 
        protection, said in an interview. ``If I'm pretexting a bank 
        and getting your bank account records I can drain your 
        account.''
        ``With phone records . . . not to minimize the intrusion on 
        one's privacy, but generally it doesn't lead to any specific 
        economic harm. It's a different kind of harm,'' Winston said. 
        Nevertheless, he added, the practice ``raises significant 
        privacy concerns.''

    Perhaps Mr. Winston should sit down with police officers and their 
families and explain those responses. Perhaps Mr. Winston should sit 
down with the parents of murder victim Amy Boyer and explain those 
responses. Perhaps Mr. Winston should stop focusing on ``economic 
harm'' and start worrying about the lives at stake--and already lost--
because of pretext for ``non-economic'' information. Perhaps it is time 
the FTC finds a replacement for Mr. Winston who, unlike Mr. Winston, 
understands the dangers inherent in the sale of phone records. Given 
Mr. Winston's inability to even analyze the information contained in 
the FTC's own case files--notably the Touch Tone case and Operation 
Detect Pretext--American consumers and this Congress should not believe 
that the FTC, even if armed with a new law, will be aggressive in the 
protection of phone records area as long as Mr. Winston is in charge.
    But as hard as it may be to believe, the problems at the FTC are 
more extensive than Mr. Winston. The problems are institutional. Even 
when the FTC has brought cases against individuals and firms using 
pretext to steal financial information, the result has been to signal 
the brokers and investigators selling such information that the odds of 
being caught are slim and that the FTC will not impose serious 
sanctions.
    In the Touch Tone case the FTC trumpets that they fined Touch Tone 
$200,000. What the FTC is slower to point out is that they suspended 
the fine. So Touch Tone paid not one penny in fines. In Operation 
Detect Pretext 1,500 advertisements for the sale of personal financial 
information were located by the FTC. From that universe, only 3 firms 
were the subject of court action. And once again the FTC settled for 
minimal fines of $2,000 in two of the cases, and waived the fine in its 
entirety in the third case. In a subsequent case, the FTC made a 
criminal referral to the Department of Justice recommending prosecution 
of a broker selling financial information obtained through pretext. 
That broker received a $1,000 fine and a 2-year suspended prison 
sentence.
    But perhaps the most brazen evidence of all that the FTC is viewed 
as a toothless, paper tiger is the case of FTC v. Information Search, 
Inc, and David Kacala. This is the third case of Operation Detect 
Pretext mentioned in the preceding paragraph where the FTC waived the 
fine entirely.
    Not only is Information Search, Inc. still in business, until just 
a matter of days ago the website, located at www.information-search.com 
was selling cell phone and other telecommunications records. And on a 
page named for the FTC, Information Search, Inc. has been publicly 
thumbing its nose at the FTC and Congress for what Information Search, 
Inc. views as the wrong-headed passage and enforcement of the Gramm-
Leach-Bliley Act.
    So for years, Information Search, Inc., having been once prosecuted 
by the FTC for selling financial records obtained through pretext, has 
continued to sell phone records with all the indicia that they too were 
obtained through deceptive means, and the FTC has not done a thing. I 
seriously doubt the FTC ever went back and looked at the information-
search.com website.
    Only when increased media attention was brought to bear on the 
problem of the sale of phone records and EPIC West named Information 
Search, Inc. in its complaint, did Information Search, Inc. take down 
the web ads for phone records--hoping that by the time the FTC looked 
they wouldn't find the ads. But EPIC West's Hoofnagle was savvy enough 
to capture the offending pages and various search engines continue to 
have cached pages showing Information Search, Inc. offered cell and 
other phone records for sale.
    Bottom line. The message that is repeated loud and clear throughout 
the investigative and broker industries on a regular basis is: No need 
to fear the FTC. Fear EPIC West. But just lay low. The media storm will 
subside. And the FTC will look the other way as usual.
    In fact, let me quote a North Carolina licensed private 
investigator who just days ago had this to say about the publicity 
surrounding the availability of cell phone records and his prediction 
for how this will play out in Congress once lobbyists for the illicit 
information brokers and investigators go to work:

        Just my humble opinion, but the more we talk about this, and 
        say things like what we are going to do, etc. the more we 
        encourage people in general to use pay phones (if you can find 
        one), office phone extensions, friends cell phones or friends 
        home phones, etc. Let's stop these silly comments and 
        discussions. The more ``we stir it, the more it will stink.'' 
        We keep shooting ourselves in the foot. Not to mention, the 
        cost to obtain various ``information'' from various ``brokers'' 
        will only rise, putting some items of investigative value out 
        of reach! Let it die, the Media will soon lose interest, and 
        our lobbyists will stay on top of it in our interests in 
        Washington, D.C.

e) Why Has the FTC Been AWOL When it Comes to Protecting Phone Records?
    I wish I fully knew the answer to this question and it is one that 
this Committee and Congress should investigate. I do have definitive 
ideas about the problems at the FTC that I saw firsthand when I served 
as a consultant to Operation Detect Pretext. I would be happy to share 
those observations and concerns with this Committee in a non-public 
setting if the FTC will release me from my non-disclosure agreement. 
All of my statements concerning Operation Detect Pretext in this 
testimony are based upon aspects of Operation Detect Pretext that the 
FTC has made public. But there is much more to the story that I am 
unable to discuss under threat of severe penalty given my signed 
agreement with the FTC which I will continue to honor.
VIII. The FTC's Attitude Towards Pretexting is Inexcusable
    From an outsider's perspective it is very difficult to understand 
the lack of interest by the FTC when it comes to pursuing those who are 
using deception to obtain consumer records, including phone records. 
The FTC routinely goes after scams and fraud where there is a distinct 
element of buyer beware--in other words--the consumer using a little 
common sense could have avoided being scammed or defrauded. That's 
fine. Those types of con artists should be dealt with. Yet the FTC has 
shown great reluctance and reticence in stopping the theft of consumer 
records where the consumer has no way of knowing the records are being 
stolen and therefore cannot protect himself as the records are in the 
control of other corporate or government custodians. Given this fact--
the theft of consumer records cries out for assistance and prosecution 
by appropriate government agencies in order to defend the American 
consumer.
    How many murders of Americans will it take before the FTC gets 
serious? How many law enforcement officers, their families, and 
investigations have to be put at risk before the FTC gets serious? What 
will this Congress and future Congresses do to exercise oversight and 
force the FTC to get serious?
IX. The Need For A Comprehensive Statute Protecting All Consumer 
        Records
    While it is important that this Committee and Congress move quickly 
to outlaw the sale of phone records, it is also time for this Committee 
and Congress to pass a broad anti-pretexting statute designed to outlaw 
the use of deception to steal any consumer record.
    In 1998, I first testified before Congress to expose the use of 
pretext to steal financial information and that practice was outlawed 
in 1999. In 2000 I again testified before Congress warning that phone 
records had become the new record of choice for information brokers and 
private investigators to steal. Here we are six years later dealing 
with the consequences. If Congress does not move to outlaw the tactics 
used to steal information--instead of merely protecting categories of 
information in a piecemeal approach--I fear we will be meeting again 
and again to address category by category.
    Already other categories of information are under attack. I have 
tape of an information broker recorded surreptitiously describing how 
he defeats cable and satellite television providers and public utility 
providers' information security systems. In fact, many of the websites 
under scrutiny today advertise the sale of utility information and Post 
Office Box underlying street address information. Post Office Box 
information is protected by regulation, but is commonly obtained by the 
filing of fraudulent forms stating that the requestor needs the 
underlying address information for service of process when that is not 
the case.
    Bottom line. If Congress only moves to protect phone records, 
Congress will create a nightmare for another industry similar to what 
the phone companies are experiencing today.
    Finally, Congress should consider making the use of deceptive 
practices to gain access to consumer information a criminal act with 
primary jurisdiction falling to the Department of Justice and FBI while 
simultaneously empowering state attorneys general to act as well. As an 
aside, I would note that several state attorneys general have already 
begun prosecutions under their state unfair and deceptive trade 
practices acts within weeks of learning of the problem, while the FTC 
with knowledge of the phone records issue since 1999 has yet to bring 
an action. This is all the more reason that primary authority for 
enforcement should not be given to the FTC. To vest primary authority 
with the FTC acting in a civil capacity, given the agency's history of 
impotence, is to almost guarantee that the illicit practices will not 
stop.
X. Congress, Enforcement Agencies, and The Private Sector Must Work 
        Together
    Just passing legislation will not be enough. The enforcement and 
regulatory agencies must actively work to root out and prosecute those 
who are stealing information. Congress must exercise regular oversight 
of the enforcement agencies to keep the agencies focused on protecting 
the American consumer. And the phone companies, along with all consumer 
services companies, must use appropriate customer authentication 
protocols to protect their customers.
    Following the 1998 hearings on the use of deceptive practices to 
steal financial information from financial institutions, the American 
Bankers Association moved aggressively to educate all member 
institutions about the theft of customer account information. Working 
together with the ABA, I authored several training documents that were 
provided free of charge by the ABA to member institutions. We conducted 
numerous telephone seminars and I appeared at dozens of ABA conferences 
all over the country to teach financial institutions about the threats 
posed by the practices of identity thieves, illicit information brokers, 
and illicit private investigators. While it is still possible to find 
financial records for sale on the web, the number of offerings has been 
dramatically reduced through those efforts. I believe the phone 
companies--indeed all consumer services companies--working together 
with Congress, enforcement and regulatory agencies, and their 
representative associations can have similar success.
    One final item for consideration. I have reluctantly come to the 
conclusion that it may be time for Federal regulation of the private 
investigative trade. By this means minimum standards may be set to 
assist in weeding out those who have no regard for the law and are 
destroying the hard earned reputation of thousands of professional 
private investigators who serve in a vital capacity in our nation's 
justice system.
XI. Conclusion
    Mr. Chairman, thank you for your invitation to appear before this 
Committee. I will do anything I can to be of assistance to the 
Committee, Congress as a whole, the enforcement agencies, the trade 
associations, or individual companies affected by these issues.

    Senator Allen. Thank you, Mr. Douglas, for your testimony. 
I am sure there will be follow-up questions.
    Finally out of our witnesses, we would like to hear from 
you, Ms. Southworth.

  STATEMENT OF CINDY SOUTHWORTH, DIRECTOR, TECHNOLOGY AND THE 
                 SAFETY NET PROJECT, NATIONAL 
                NETWORK TO END DOMESTIC VIOLENCE

    Ms. Southworth. Thank you. Chairman Allen, Ranking Member 
Pryor, and distinguished Members of the Committee. My name is 
Cindy Southworth and I thank you for the opportunity to appear 
before this Committee. I am the Director of Technology at the 
National Network to End Domestic Violence, which represents 53 
State domestic violence coalitions who in turn represent over 
3,000 local domestic violence shelter and hotline programs 
across the country. I founded the Safety Net Project to educate 
victims and their advocates on the strategic use of technology 
and I have focused on the intersection of technology and 
domestic violence since 1998.
    Our member State domestic violence coalitions from around 
the country, including the Arkansas Coalition and the Virginia 
Action Alliance, are extremely pleased that we are addressing 
this issue with you today because they have been expressing 
concerns about pretexting for many, many years.
    Every day there is a staggering amount of data generated 
and maintained about all of us, far beyond cell phone records. 
Personally identifying information is now tracked as never 
before. The theft of such personal information can be extremely 
inconvenient for all of us here in this room, but may be fatal 
for a victim of domestic violence. As Mr. Douglas explained, 
Amy Boyer was one of my examples, but I think he covered it 
quite thoroughly.
    Sadly, domestic violence is quite prevalent and many 
victims are stalked relentlessly for years after having 
escaped. The batterers that hunt them down are the most 
dangerous batterers and they pose the highest lethality risk. 
Because of this, victims often take extraordinary and desperate 
steps to hide their location. They use post office boxes, they 
change their Social Security numbers, and they hide in 
confidential shelter locations.
    Pretexters and information brokers are not just stealing 
someone's data, they may be endangering someone's life. 
Seventy-six percent of women killed by their abusers had been 
stalked prior to the murder. Stalkers are often in a prime 
position to obtain cell phone and other records through 
pretexting or through information brokers who steal the data 
and then sell it to the abusers. Since abusers often know their 
victim's date of birth, their mother's maiden name and computer 
passwords, they can easily either pose as the victim or have 
someone pose as the victim for them. It is not uncommon for 
abusers to have a new girlfriend pose as the victim and call 
and get information.
    In one case in rural Virginia, a woman was stalked by her 
ex-husband. She changed her e-mail address, she moved, she 
found a new job, she did everything. Several businesses that 
she frequented used her seven-digit cell phone number as her 
customer identifier. Her ex-husband simply asked someone at the 
video store to look up her cell number in the system, which 
made tracking her movements quite simple. He discovered that 
she had rented a video on Monday and it was due back on 
Wednesday. He was lying in wait for her when she showed up at 
the video store.
    Phone records are a particularly rich source of information 
for the determined stalker. By illegally obtaining this 
information, a stalker can easily locate his victim.
    In recent years there have been concerted efforts by 
Congress, various Federal agencies, and nearly every State to 
create privacy and confidentiality provisions that help shield 
victims of domestic violence. For example, at least 17 States 
now offer address confidentiality programs and 39 States 
provide for confidentiality of shelter records. All of these 
extraordinary steps that victims take to shield their location 
and identity and that shelters take on behalf of victims are 
futile if pretexting is allowed to continue.
    In Hawaii, a victim on the run was found through a car 
rental agency. Her abuser walked into the agency, pretexted. He 
pretended and told the staff that his wife was diabetic and 
forgot her insulin--a common strategy--and he said he thought 
she might have rented a car. After a simple reverse look-up 
using her phone number, staff provided him the make, model, and 
license plate number of the rented car. The victim was found by 
the abuser later that day and badly beaten in a parking lot.
    The theft of personal information is not only a violation 
of privacy, it is a crime. Stolen goods are addressed by 
various State and Federal laws and both the original thieves 
and those who trade in stolen goods are subject to prosecution. 
The theft of personal information should be handled in a 
similar fashion. However, because pretexting phone records is 
just one piece of a larger problem of stealing and selling 
personal information, a multi-faceted approach would protect 
all consumers.
    Pending Federal legislation makes the stealing, selling, 
and fraudulent transfer of these records a criminal offense. 
Strengthening Federal law will help discourage data mining and 
protect consumers, including battered women. We encourage State 
and Federal entities to use all existing and emerging laws to 
hold individuals and organizations accountable for illegally 
obtaining, using, or selling phone records or other personal 
information.
    All companies that collect and retain personal information 
about their customers should enhance the security and privacy 
options available to consumers and create levels of security 
that are not easily breached from within or outside of the 
company. Given the creative and persistent tactics of 
perpetrators, companies must work with consumers to identify 
the methods of security that will work best for general 
consumers as well as for consumers in higher risk situations, 
like victims of domestic violence.
    Cell phones can be a lifeline for battered women and 
victims of sexual assault and stalking, but with illegitimate 
pretexting, a phone, and other personal records, those 
lifelines can forever connect the victim to her abuser without 
hope of escape.
    Thank you for allowing us this opportunity to address the 
Committee on this critical and urgent issue, and I am happy to 
answer any questions. Thank you.
    [The prepared statement of Ms. Southworth follows:]

  Cindy Southworth, Director, Technology and the Safety Net Project, 
               National Network to End Domestic Violence
Introduction
    Chairman Allen, Ranking Member Pryor, and distinguished Members of 
the Committee, my name is Cindy Southworth and I thank you for the 
opportunity to appear before the Committee to address the Committee's 
concerns about the theft of Americans' phone records. The Committee is 
taking remarkable leadership by seriously considering the issues of 
pretexting and the sale and acquisition of personal data by information 
brokers. It means so much to victims of domestic violence and stalking 
that you are carefully considering all aspects of these complex issues 
and are contemplating enhancing privacy protections for all citizens, 
including these vulnerable victims. Our members from around the 
country, including the Alaska Network on Domestic Violence and Sexual 
Assault, the Arkansas Coalition Against Domestic Violence, the 
California Partnership to End Domestic Violence, the Hawaii State 
Coalition Against Domestic Violence, the Louisiana Coalition Against 
Domestic Violence, the Montana Coalition Against Domestic and Sexual 
Violence, the South Carolina Coalition Against Domestic Violence and 
Sexual Assault, and the Virginia Sexual and Domestic Violence Action 
Alliance have been expressing concern about the dangers of pretexting 
and stealing phone records, and they are extremely pleased to see their 
Senators take such an active role in addressing this issue and 
protecting the privacy of victims.
    I am the Director of Technology at the National Network to End 
Domestic Violence, a social change organization dedicated to creating a 
social, political, and economic environment in which violence against 
women no longer exists. Founded in 1995, the National Network to End 
Domestic Violence (NNEDV) represents 53 state domestic violence 
coalitions who in turn represent over 3,000 local domestic violence 
service providers across the country.
    In 2002, I founded the Safety Net Project at NNEDV to educate 
victims of sexual and domestic violence, their advocates and the public 
on the strategic use of technology to increase personal safety and 
privacy. Safety Net is the only national initiative addressing the 
intersection of domestic violence and all forms of technology. Looking 
beyond the traditional ``digital divide,'' our project is ardently 
working to increase the technology knowledge and skills of victims, 
advocates, law enforcement, and allied organizations in every state and 
each of the local shelter and hotline programs across the country. 
Safety Net also tracks emerging technology issues and their impact on 
victim safety, working with local, state and Federal agencies to amend 
or create policies that enhance victim safety and confidentiality.
    I have been working to end violence against women for over 16 years 
and have focused on the intersection of technology and domestic 
violence since 1998. I thank you for the opportunity to submit 
testimony about the real dangers that victims of abuse and stalking 
face as a result of pretexting and selling stolen personal information.
Risks to Victims
    There is a staggering amount of data generated and maintained about 
individuals in our society every day--far beyond cell phone records. 
Personally identifying information like date of birth, Social Security 
number, frequently visited websites, and grocery shopping preferences, 
are now being tracked as never before. The theft of such private 
information can be devastating for the average individual who may have 
her identity stolen and her credit destroyed. For a victim of domestic 
violence or stalking, however, that theft of private information is not 
just financially or personally devastating--it can be fatal. In 1999, 
Amy Boyer, a young woman in New Hampshire, was tracked down and 
murdered by a former classmate who had been stalking her for years. 
Liam Youens paid Docusearch, an Information Broker, to obtain Amy's 
work address. Docusearch contracted with a pretexter to illegally 
obtain her work address by pretending to need it for insurance 
purposes. \1\
---------------------------------------------------------------------------
    \1\ Ramer, Holly. ``Murdered woman's mother settles suit.'' The 
Union Leader (Manchester NH), March 11, 2004, State Edition: Pg. A1.
---------------------------------------------------------------------------
    Domestic violence, sexual assault and stalking are the most 
personal of crimes, and the more personal information that the 
perpetrator has about his victim, the more dangerous and damaging the 
perpetrator can be. Sadly, domestic violence is quite prevalent, and 
women continue to be the vast majority of victims. The National 
Institute of Justice reported that 4.9 million intimate partner rapes 
and physical assaults are perpetrated against U.S. women annually. \2\ 
Leaving the relationship does not stop the violence. In fact, the most 
dangerous time for a victim of domestic violence is when she takes 
steps to leave the relationship. \3\ Many victims are stalked 
relentlessly for years after having escaped from their partners. These 
batterers who stalk their former partners, determined to hunt them 
down, are the most dangerous and pose the highest lethality risk. \4\
---------------------------------------------------------------------------
    \2\ Patricia Tjaden and Nancy Thoennes, National Institute of 
Justice and the Centers of Disease Control and Prevention, Extent, 
Nature, and Consequences of Intimate Partner Violence (2000); Dr. 
Callie Marie Rennison, Department of Justice, Bureau of Justice 
Statistics, Intimate Partner Violence, 1993-2001 (February 2003).
    \3\ Ronet Bachman and Linda Salzman, Bureau of Justice Statistics, 
Violence Against Women: Estimates From the Redesigned Survey 1 (January 
2000).
    \4\ Barbara J. Hart, Assessing Whether Batterers Will Kill. (This 
document may be found online at: 
http://www.mincava.umn.edu/hart/lethali.htm), Jacqueline Campbell, 
Prediction of Homicide of and by 
Battered Women, reprinted in Assessing Dangerousness: Violence by 
Sexual Offender, Batterers, and Sexual Abusers 96 (J. Campbell, ed., 
1995).
---------------------------------------------------------------------------
    Because of this, victims often take extraordinary and desperate 
steps to hide their location, sometimes even changing their identities 
to avoid being found by their abusers. Those steps can include:

   Moving to new states;
   Using post office boxes;
   Getting unlisted phone numbers;
   Using only cell phones to avoid having utility records tied 
        to a home phone and thus a particular address;
   Changing names through the court system;
   Changing Social Security numbers;
   Relocating to confidential shelters;
   Enrolling in state address and voter record confidentiality 
        programs;
   Sealing location information in court filings; and
   Never using the Internet from a home computer.

    Victims of domestic violence, acquaintance rape, and stalking are 
particularly vulnerable because perpetrators know so much about their 
victims that they can often predict where their victims may flee, and 
to whom they may turn for help. Notably, it is not just the victims of 
domestic violence who are at risk if their personal information and 
location are revealed, but also the individuals and programs that help 
them.
Pretexting and Information Brokers
    Pretexters and information brokers are not just stealing someone's 
data, they may be endangering someone's life. Fifty-nine percent of 
female stalking victims are stalked by current or former intimate 
partners, \5\ and 76 percent of women killed by their abusers had been 
stalked prior to their murder. \6\ Stalkers are often in a prime 
position to obtain cell phone and other personal records through 
``pretexting'' or through Information Brokers who have used this tactic 
and then sold the stolen data. Since abusers often know enough private 
information about their victims (such as date of birth, mother's maiden 
name, or her commonly chosen computer passwords), they can easily pose 
as their victims and illegally access their credit, utility, bank, 
phone, and other accounts as a means of getting information after their 
victims have fled.
---------------------------------------------------------------------------
    \5\ Tjaden & Thoennes. (1998) ``Stalking in America,'' NIJ.
    \6\ McFarlane et al. (1999). ``Stalking and Intimate Partner 
Femicide,'' Homicide Studies.
---------------------------------------------------------------------------
    In one case, a woman in rural Virginia was stalked by her ex-
husband. She couldn't figure out how he kept showing up wherever she 
was. She had changed her e-mail address, moved, and found a new job. 
Eventually, a savvy advocate started asking about other ``records'' 
such as where she got the oil in her car changed, where she rented 
videos, etc. Several businesses she used, including the video store and 
the local autoshop, all used her 7-digit cell phone number as her 
customer identifier. Her ex-husband simply asked someone he knew to 
look up her name in one system, which made tracking her movements 
simple. Finally, he discovered that she had rented a video on Monday 
and that it was due back on Wednesday. He was lying in wait when she 
came to return the video.
    Phone records are a particularly rich source of information for the 
determined stalker. Through pretexting, a stalker can access records 
that include who was called, when the call was made, how long the call 
took, and the location of the calls. By illegally obtaining this 
information, a stalker can locate his victim without his victim even 
knowing that she is being tracked. For example, a victim from rural 
Louisiana, whose cell phone records reveal to her batterer that she 
contacted a shelter program in South Carolina, is no longer safe going 
to that South Carolina shelter, though she may never realize that until 
it is too late.
    In January 2003, Peggy Klinke was brutally killed by a former 
boyfriend, Patrick Kennedy, after he hunted her down with the help of a 
private investigator. Peggy had worked closely with the Albuquerque 
Police Department, obtained a restraining order, and after Patrick 
burned down her home in New Mexico, she fled to California to try to 
remain safe until the pending criminal court hearing. Patrick hired a 
private investigator, located her, flew to San Jose, rented a car, 
drove to her neighborhood, posed as a private investigator to find her 
exact apartment location, and chased her around the apartment complex 
before shooting her and eventually shooting himself. \7\
---------------------------------------------------------------------------
    \7\ Holland, John. ``Grim act of a man unable to let go.'' The 
Modesto Bee (Modesto California), January 25, 2003, Available online 
http://www.modbee.com/local/story/5973772p-6932417c.html.
---------------------------------------------------------------------------
    Shelter programs and their employees and volunteers are also 
vulnerable to being located through pretexting. Shelters try to protect 
their location in the same way that individual victims of domestic 
violence do, by using post office boxes and unlisted phone numbers and 
addresses for both the shelter and for staff and volunteers. However, 
many shelters' emergency response teams use cell phones and pagers for 
on-call staff, which puts those individual staff and volunteers at risk 
from abusers who are trying to gain access to the shelter to find their 
partners.
    Whether the phone records obtained are those of the domestic 
violence or sexual assault program or are those of an individual who 
contacted the program, the harm can be devastating.
Circumventing Laws That Protect Victim Privacy
    In recent years, there have been concerted efforts by Congress, 
various Federal agencies, and nearly every state to create privacy and 
confidentiality protections that help shield victims of domestic 
violence from being found by their perpetrators and from having to 
reveal private information about their victimizations. For example, at 
least 17 states now offer Address Confidentiality Programs, which 
provide for a secure system for receiving mail, often through the 
Attorney General or Secretary of State's office, without having to 
reveal a victim's address. \8\ A number of other states, including 
Hawaii, Virginia, Maryland, and Texas, are presently considering 
enacting similar address confidentiality programs. \9\ Twenty-two 
states, including Virginia, California, Maine, and Arizona, provide 
that voter registration data, including address and other identifying 
data, can be kept confidential by victims of domestic violence. The 
great majority of states (39) provide for confidentiality of domestic 
violence or sexual assault program records and communication, including 
the time, location, and manner by which a victim may have consulted a 
program for help in escaping the abuse--some of the very information 
that is at risk through pretexting of records.
---------------------------------------------------------------------------
    \8\ California, Cal. Gov Code Sec. 6205, et seq. (2005); 
Connecticut, Conn. Stat. Sec. 54-240, et seq. (2005); Florida, Fla. 
Stat. Sec. 741.401, et seq. (2005); Illinois, 750 ILCS 61/1, et seq. 
(2005); Indiana, Burns Ind. Code Ann. Sec. 5-26.5-1-1 (2005); Maine, 5 
Maine Rev. Stat. 90-B (2005); Massachusetts, MGLA ch. 9A Sec. 1 (2005); 
Nebraska, Neb. Rev. Stat. Sec. 42-1206, Nevada, Nev. Rev. Stat. Ann. 
Sec. 217.462, et seq. (2005); New Hampshire, N.H. Rev. Stat. 
Ann. Sec. 7:41 et seq. (2005); New Jersey, N.J. Stat. Sec. 47:4-2, et 
seq. (2005); North Carolina, N.C. Gen. Stat. 15C-1 (2005); Oklahoma, 22 
Oklahoma Stat. Sec. 60.14 (2005); Pennsylvania, 23 Penn. C. S. 
Sec. 6702 (2005); Rhode Island, R.I. Gen. Laws Sec. 17-28-1, et seq. 
(2006); Vermont, 15 V.S.A. Ch. 21, Sec. 1101 to 1115 (2005); 
Washington, Rev. Code Wash. (ARCW) Sec. 40.24.010, et seq. (2005).
    \9\ For example, Alaska, 2005 AK HB 118; Hawaii, 2005 HI HB 1492; 
Maryland, 2006 MD SB 25; New York, 2005 NY AB 5310; Texas, 2005 TX SB 
160; Virginia, 2004 VA HB 2876.
---------------------------------------------------------------------------
    The recent reauthorization of the Violence Against Women Act, 
enacted by Congress and signed by President Bush just over a month ago, 
includes several confidentiality provisions that protect identifying 
data disclosed by a victim of domestic violence to a domestic violence 
program from being shared with databases. \10\ Some states, including 
Nevada and New York, have provisions that allow an individual to change 
her name without publishing that name change in the newspaper, as a way 
of protecting the identity and location of victims of stalking and 
domestic violence. Nearly every state allows victims to ask to seal 
their address from the public (and the perpetrators) in protection 
order actions and in certain types of criminal cases.
---------------------------------------------------------------------------
    \10\ The Violence Against Women and Department of Justice 
Reauthorization Act of 2005, Public Law 109-162, Sections 3(b)(2) and 
605.
---------------------------------------------------------------------------
    The Social Security Administration allows domestic violence victims 
to change their Social Security numbers to help them seek protection. 
\11\ But even taking the drastic step of obtaining a new social 
security number does not eliminate the problem caused by pretexting. 
Determined abusers continue to track their victims through relatives' 
phone records and other means, often obtaining their information by 
additional pretexting.
---------------------------------------------------------------------------
    \11\ See SSA Publication 05-10093 (December 2005).
---------------------------------------------------------------------------
    All of these extraordinary, difficult and sometimes costly steps 
that victims of domestic violence take to shield their location and 
identity, and that domestic violence programs take on behalf of 
victims, are completely futile if data mining through pretexting is 
allowed to continue.
    Phone records and pretexting are the focus of this hearing. Those 
issues are part of a larger problem that victims of abuse face--the 
prevalence of information regarding their activities and location and 
the ease with which that information can be purchased by their 
perpetrators. A quick search of the Internet reveals hundreds of 
businesses that, for a relatively nominal cost, will provide 
information including the address of record associated with a post 
office box; AOL screen names and e-mail addresses; unlisted phone 
numbers; physical addresses and Social Security numbers; and even 
photos and floor plans of people's homes. Any one of these invasions of 
a victim's privacy could put her in grave danger.
    A woman in Hawaii was getting ready to flee to a shelter and was 
nervous about her abuser recognizing her car in front of the shelter 
building. She parked her own car on a side street and rented a car to 
use. Since there are only a few rental places on the island it was not 
long before the abuser walked into the office, told the staff his 
``wife was diabetic and forgot her insulin'' but thought she might have 
rented a car while hers was getting fixed. She had used her sister's 
identity and paid cash, but had given her own phone number because her 
sister did not have a phone and the rental agency had insisted on 
entering a number into the system. After a reverse lookup using the 
phone number, staff provided him with the make, model and license plate 
number of the rented car. The victim was found by the abuser later that 
day and badly beaten in a parking lot behind a store.
A Multi-Faceted Approach is Needed
    The theft of personal information is not only a violation of 
privacy, it is a crime that particularly puts victims of domestic 
violence, stalking and sexual assault at risk. Stolen goods are 
addressed by various state and Federal laws, and both the original 
thieves and those who trade in stolen goods are subject to prosecution 
and punishment. The theft of personal information should be handled in 
a similar fashion. However, because pretexting phone records is just 
one piece of the larger problem of pretexting, stealing, mining, and 
selling personal information, a multi-faceted approach would offer the 
best protection to all consumers.
    Pending Federal legislation, including the Consumer Telephone 
Records Protection Act of 2006 and the Phone Records Protection Act of 
2006, makes the stealing, selling, and fraudulent transfer of telephone 
records a criminal offense. A number of states also have or are 
considering specific laws to criminalize and punish pretexting and the 
use and sale of such stolen information, while other states like 
Florida, Missouri, and Illinois are addressing the issue through the 
court system. Strengthening Federal law enforcement options through the 
pending legislation, and subsequent prosecution, will hold offenders, 
information brokers, pretexters, and those who use illegally obtained 
information accountable, and will help discourage data mining and 
protect consumers, including battered women. We encourage State and 
Federal entities to use all existing and emerging laws to hold 
individuals and organizations accountable for illegitimately obtaining, 
using, or selling phone records or other personal information.
    All companies that collect and retain personal information about 
their customers should enhance the security and privacy options 
available to consumers, and create levels of security that are not 
easily breached from within or from outside of the company. Given the 
creative and persistent tactics of perpetrators, companies must work 
with consumers to identify the methods of security that will work best 
for general consumers, as well as methods for consumers in higher-risk 
situations, including victims of domestic violence and law enforcement 
officers.
Conclusion
    Cell phones can be a lifeline for battered women and victims of 
sexual assault and stalking. But with illegitimate pretexting of phone 
and other personal records, those lifelines can forever connect the 
victim to her abuser, without hope of escape. As the examples I have 
described demonstrate, we cannot underestimate the potential harm to 
victims of allowing pretexting to continue. I applaud Congress and the 
state Attorneys General for addressing the widespread problem of 
pretexting and selling of stolen personal data.
    Thank you for allowing me this opportunity to address the Committee 
on this critical and urgent issue. I am happy to answer any questions.

    Senator Allen. Thank you, Ms. Southworth, for your 
testimony, and all our witnesses. We will go through questions. 
There will be 5-minute rounds.
    Let me begin asking you, Ms. Parnes. Clearly there is kind 
of a loophole, and most of this is under the FCC as far as 
Federal agencies. If Congress, in this legislation that we are 
crafting, amends the Communications Act, would the FCC have 
jurisdiction to enforce any pretexting provisions?
    Ms. Parnes. Senator, the Commission would not have the 
authority to enforce an anti-pretexting provision that amends 
the Communications Act. There have been instances, however, 
where Congress has given both the FCC and the FTC jurisdiction 
in a particular area. 900 numbers is one area where that 
occurred.
    Senator Allen. How about the Telephone Disclosure and 
Dispute Resolution Act?
    Ms. Parnes. Yes, yes, that as well. There what Congress did 
is it amended the Communications Act and also included separate 
provisions that gave the FTC authority.
    Senator Allen. That was on advertising and billing and 
collection of 900 number services.
    Ms. Parnes. Yes, sir.
    Senator Allen. Would the FCC--would anybody object if 
somehow we could craft language--and we need help from the FTC 
and I know, Mrs. Parnes, you are here representing yourself, 
not the FTC; we heard that caveat. Would anyone object--
clearly, FCC is involved and should be involved. Would there be 
any objection to dual jurisdiction out of any of our witnesses?
    [No response.]
    Senator Allen. Seeing none, let me ask you this. Anybody, 
any of the witnesses: It seems to me that this should be a 
national standard. Everyone says this all ought to be made 
illegal, the acquisition, the pretexting, the fraud, and the 
sale. Everyone agrees that that should be made illegal, and the 
question is whether there should be a national standard for 
this so you don't have a different law, in Florida it might be 
different than Virginia. It seems to me that it does not matter 
what State you are in of the Union; we ought to have a 
uniformity of a national standard, which should be stronger 
than any particular State law. But regardless, is there any 
objection to a national standard?
    Mr. Rotenberg. Well, Senator, if I may say, if the national 
standard is stronger than any State law, then certainly there 
would be agreement. I think the concern always is that 
sometimes we may end up with a national standard that preempts 
a stronger State protection, and then of course the residents 
in those States find themselves with less protection than they 
might otherwise receive. If there is a strong national 
standard, then I think that would be supported.
    Mr. Douglas. Mr. Chairman, if I might, one other thing in 
case we do not get to it, and specifically because the FTC 
raised the issue of the exception in Gramm-Leach-Bliley which 
allowed private investigators, in theory allows private 
investigators to use pretext in a court-ordered situation for 
child support, that is an exception that has allowed those 
types of offerings of financial records to continue to appear 
on websites by the dozens. Yet when you call them they do not 
use the exception; they will sell to anyone if they think you 
are not law enforcement.
    I would challenge, not necessarily the FTC, but the 
investigative industry to demonstrate once that a judge has 
authorized the use of deception against a United States bank. 
It is an exception that swallows the whole. If you had the 
criteria necessary you could get a subpoena, which is the case 
in many of these. So I would ask that there not be that 
exception this go-around.
    Thank you.
    Senator Allen. Thank you. I am sure in the event we do 
this, Ms. Parnes, you have no problem?
    Ms. Parnes. And we would certainly--the staff of the 
Commission would certainly be happy to work with the Committee 
in developing any legislation.
    Senator Allen. All right. Other things that were said: make 
this specific--this is from Ms. Monteith and others, that we 
need to overturn a court decision, which we can get into; and 
greater enforcement tools, eliminate the citation issue, which 
is what Chairman Stevens talked about; raise fines, forfeiture, 
and so forth.
    I am one who just wants to bring everything we can against 
these pretexters, whether it is through FCC enforcement or FTC 
enforcement--and in fact, if we have a national standard, that 
helps with enforcement. But also, like what we did in other 
legislation, State attorneys general could enforce the law 
against pretexters. They usually have offices themselves. Would 
there be any objection from any of you, any of our witnesses, 
to also allow State attorneys general to enforce this national 
standard within their states?
    Ms. Parnes. Senator, at the FTC we have had a tremendous 
amount of success working with the State AGs under just that 
type of statutory system.
    Senator Allen. Well, I am glad to hear that and that is an 
example and something I have advocated in the past. We again 
want to bring everyone and all resources because, listening to 
Mr. Douglas's testimony, which was very disturbing, as to what 
is going on right now, and who knows what the impact of this 
hearing will be. I saw when Mr. Rotenberg was talking about it 
earlier, I saw you raise your eyebrows in agreement. So I think 
our legislation should empower attorneys general across the 
country as well.
    Senator Pryor.
    Senator Pryor. Thank you, Mr. Chairman.
    The first order of business is I have Senator Boxer's 
questions that she wanted submitted for the record. So I will 
make sure those get in the record, without objection.
    Senator Allen. Her questions?
    Senator Pryor. Yes.
    Senator Allen. Well, to the extent they are posed to any of 
our witnesses, if you would be willing to, you may get some 
written inquiries posed to you and if you can respond we would 
surely appreciate it.
    Senator Pryor. Thank you, Mr. Chairman. Thank you.
    I want to direct my first few questions to the FCC. I want 
just a little clarification on a couple of items. First, is 
this limited to cell phones? Is this problem limited to cell 
phones?
    Ms. Monteith. No. We are looking at wireline providers and 
their records as well, although most of the information that we 
have obtained and what we have heard obviously in the media has 
focused on cell phones. But no, not limited.
    Senator Pryor. I understand that. But you are looking at 
residential and business wireline?
    Ms. Monteith. Yes, we are.
    Senator Pryor. Also, in your view is pretexting already 
illegal?
    Ms. Monteith. Under the Communications Act--the 
Communications Act does not deal with the issue of pretexting 
by data brokers, what we have heard. The Communications Act 
section 222----
    Senator Pryor. Right.
    Ms. Monteith.--deals with the safeguards and the kinds of 
procedures that the carriers have to put in place.
    Senator Pryor. Right. But in your view it is not illegal, 
at least from your jurisdiction's standpoint?
    Ms. Monteith. Not from our jurisdictional standpoint, no.
    Senator Pryor. OK. Let me now ask--I know that the FCC 
recently made some requests of some of the wireless carriers 
and that was, when, within the last few weeks; is that right?
    Ms. Monteith. Yes, in January.
    Senator Pryor. Had you made any before that time under the 
1996 Act?
    Ms. Monteith. We have at various points looked at CPNI 
issues and had a number of investigations. We have not taken 
formal enforcement action.
    Senator Pryor. So you had not made those requests of the 
wireless companies before?
    Ms. Monteith. No, I do not believe so. I would like to 
verify that, though, with my staff.
    Senator Pryor. Do you feel like the FCC has been as 
aggressive and proactive as it should have been on this issue 
before recently?
    Ms. Monteith. Yes, I think we have. Certainly when any 
information has come to our attention we have acted 
aggressively to determine what the issues are and go after 
those that are violating the Communications Act.
    Senator Pryor. You say that even though you had not sent 
these letters of inquiry to the wireless companies before 
January 2006?
    Ms. Monteith. That is correct. We did not have any evidence 
before us that would suggest this was an issue.
    Senator Pryor. Let me, if I may, turn to the FTC now. That 
is, in your opening statement I picked up on three facts. First 
is that the FTC recognized that this has been a problem for 
some time now. Second is that the FTC believes it has legal 
authority to go after pretexters under section 5 of the FTC 
Act. Third is enforcement actions have not been brought against 
any company or individual involved in records pretexting. Why 
is that?
    Ms. Parnes. Senator, we have not brought a public action 
against a company engaged in pretexting phone records. We do 
have a number of active investigations. As I mentioned in my 
statement, we have also done a surf and we have sent warning 
letters.
    But pretexting, whether for financial records or for 
telephone records, is just one part of the FTC's privacy 
program and we have a very aggressive program in this area. We 
have brought more than 80 spam cases, 11 data security cases, 6 
spyware cases, 18 do not call cases, 12 in the area of 
financial pretexting. I am certain as a former attorney general 
yourself you understand the hard choices we have to make in 
selecting the areas that we proceed in.
    Senator Pryor. So in other words, you have done in those 
areas, which are great--I am all for those areas. But in terms 
of cell phone or telephone pretexting, you have not been very 
active on that until recently; is that fair to say?
    Ms. Parnes. That is fair to say.
    Senator Pryor. And apparently you sent out warning letters 
yesterday to 20 companies offering to obtain--for the companies 
who obtain and sell telephone records, is that right?
    Ms. Parnes. Well, yes, we did a look at the 40 companies 
that EPIC identified, as I mentioned, and we saw that more than 
half of those companies are no longer making claims. We also 
looked at--we did a similar search to the search that EPIC did, 
using similar search criteria, to identify additional sites and 
we sent warning letters to those companies as well.
    Senator Pryor. Mr. Chairman, I have one last question for 
both of these two witnesses. That is, are you satisfied with 
the cooperation you are receiving from the other agency?
    Ms. Monteith. Yes.
    Ms. Parnes. Yes, we are. Yes, very much so.
    Senator Pryor. Thank you, Mr. Chairman.
    Senator Allen. It sounds like EPIC is doing a very good job 
in helping you figure out which places to be looking. 
Congratulations, Mr. Rotenberg.
    Mr. Rotenberg. Thank you, Senator.
    Senator Allen. For good citizen action.
    Which of the two Senators here to my right were here--
Senator Dorgan.

              STATEMENT OF HON. BYRON L. DORGAN, 
                 U.S. SENATOR FROM NORTH DAKOTA

    Senator Dorgan. Mr. Chairman, thank you. I regret I was not 
here to hear the testimony. As you know, we have the attention 
span of gnats around here.
    Senator Allen. And many things going on.
    Senator Dorgan. We flit from hearing to hearing.
    But at any rate, I have had a chance to review some of the 
testimony. I just wanted to ask a question. Chairman Martin of 
the FCC laid out several legislative steps he thought Congress 
should take. One, Congress could specifically make illegal the 
commercial availability of consumers' phone records. That would 
mean that if any entity is found to be selling this information 
for a fee, regardless of how it is obtained, it would face 
liability.
    Let me ask whoever on the panel wishes to respond to that. 
Do you agree with Chairman Martin's recommendation? He is 
saying that is one of the things Congress could do. We have a 
couple of pieces of legislation, I think, that have already 
been introduced here in the Senate on that subject.
    Mr. Rotenberg. Senator, we think it is a very good 
proposal, and we were at the hearing last week when the 
chairman of the FCC made it. As I remarked earlier during my 
testimony, it is just very difficult to understand the 
circumstances under which cell phone records should be sold. 
They can be obtained by law enforcement under warrant or 
subpoena or civil litigation under subpoena. We just cannot 
understand why we would allow a market for that type of 
personal information.
    Senator Dorgan. Mr. Largent, do you agree?
    Mr. Largent. Senator, I would agree with that. We are for 
the swift enforcement of an act like that and stand ready to 
assist you any way we can.
    Senator Dorgan. Let me ask. We have apparently data brokers 
online--there was a story I believe in the Chicago Sun-Times 
that I saw earlier in January. The FBI paid a fee of $160 and 
obtained the cell phone records of an FBI special agent within 
3 hours. Apparently they were just testing the system. The 
Chicago Police Department was warning its officers their cell 
phone numbers were available to anyone for a small fee.
    There apparently are data brokers online and you go online, 
access those data brokers, and then engage in a transaction to 
purchase cell phone call records. They also claim that they can 
provide calling records for landline and voice over Internet 
protocol, or VoIP calls, as well as nonpublished phone numbers.
    Let me ask the two Federal agencies: Have you done a lot of 
work to go online, figure out who these companies are, trace 
back to these companies, and begin investigations? And if so, 
when did that begin?
    Ms. Monteith. We first began looking into this issue late 
last summer, and the first phase of our enforcement actions was 
internal investigations to try and determine who these online 
data brokers were. We did, using the companies that EPIC had 
pointed out in its petition and our own research, identify a 
number of online data brokers. We then made undercover 
purchases ourselves to try and obtain the kind of evidence that 
we need in an enforcement action to really take action against 
these types of brokers.
    Those activities were in the timeframe of October, 
November, December, and then on up to the present.
    Senator Dorgan. Ms. Parnes, if Chairman Allen wanted to 
spend whatever was necessary this afternoon to find out all of 
your telephone calls for the last 3 or 4 months, do you think 
he could do that, just based on what you know?
    Ms. Parnes. I imagine he could today, yes.
    Senator Allen. I have no desire and will not do that.
    Senator Dorgan. Let me quickly stipulate, I am not 
suggesting that.
    Ms. Parnes. Thank you.
    Senator Dorgan. But the fact that you believe that he 
probably can do that and the fact that most of us believe that 
is probably possible is pretty frightening, is it not, because 
anybody for a certain amount of money might be able to go find 
a broker someplace that can serve up a substantial amount of 
not just telephone records, a substantial amount of other 
problems out there with other financial and medical 
information. But now we are talking about telephone records. It 
is pretty frightening when you think about it. Anybody can 
spend some money and go find out your complete telephone 
records, your history over the last couple of months.
    I tend to think Chairman Martin has given us a 
recommendation that we ought to pursue immediately. There ought 
not be great debate on the question of whether you ought to be 
involved in commercial sale of these kinds of private records. 
Congress ought to move quickly and immediately to deal with 
that issue.
    Chairman Martin mentioned a couple of other things. He 
recommends that enforcement tools be strengthened. He argues 
that the need to issue a citation to non-licensees before 
taking any other type of action can hinder the investigation. I 
agree with that as well. Apparently in many cases, because the 
Internet is a venue in which you do not see anyone--what you 
see are bytes or bits--by the time they get around to dealing 
with citations, that enterprise is long gone. So I think we 
probably should take Chairman Martin's recommendations pretty 
seriously here and move as quickly as we can. I know a number 
of my colleagues, including myself, are interested in doing 
that.
    So again, I regret I did not hear all of your testimony, 
but I will have a chance to read it and I appreciate very much 
your willingness to testify and I appreciate the Chairman for 
holding this hearing. I think it is timely and really 
important.
    Senator Allen. Thank you, Senator Dorgan. For your 
information, the sole issue on the citations and warning and so 
forth as we are crafting this legislation--this is a concern of 
mine and Senator Pryor's, including also Chairman Stevens, and 
that is one clear unanimous approach. You do not give warning 
to someone when you are going to get after them or shut them 
down, right.
    Senator Nelson.

                STATEMENT OF HON. BILL NELSON, 
                   U.S. SENATOR FROM FLORIDA

    Senator Nelson. When eight of us on this Committee filed a 
bill having to do with these telephone records about 2 weeks 
ago, the press wanted to test it. Senator Dorgan, it is exactly 
as you said. They paid--went online, found 40 sites, paid 100 
bucks by credit card, and got the cell phone records of a 
number that someone had given to them to see if they could test 
the system, and they certainly had.
    My goodness. What happens if this is--as the sheriff of one 
of my biggest counties in Florida says, what if this is the 
cell phone record of one of his undercover detectives, and all 
of a sudden all of his confidential informants are suddenly on 
that record?
    We have got a problem here, and it is not just this. I 
think Senator Burns spoke about this earlier today, it is this 
whole question of privacy on the Internet, the whole question 
of shredding our credit statements is not good enough any more. 
Now all of this information is collected electronically and 
these data information brokers house all of this information 
virtually on every American and are buying and selling this 
information. If we do not do something, none of us are going to 
have any privacy any more.
    Here again is another dramatic example. I think in your 
questioning you have already brought out why it is necessary 
that we move on this legislation fast, because the regulatory 
agencies have been slow on the uptake, as we have heard 
testimony here today. For example, the FTC knew about these 
problems in 1999 in the Touch Tone case, but here we are 
talking about cracking down.
    Let me ask all of the panel here: Do you think that in 
order to stop this dead in the tracks we need to make it a 
crime?
    Mr. Rotenberg. Yes, Senator, I think it has to be made 
absolutely clear that pretexting by any means in this country 
is clearly illegal and subject to criminal penalty, absolutely.
    Senator Nelson. Congressman Largent?
    Mr. Largent. Absolutely.
    Senator Nelson. Congressman, you have testified that the 
vast majority of cell phone records are fraudulently obtained 
through pretexting. How did you decipher that information?
    Mr. Largent. Well, we had a number of our companies that 
have actually gone back in when all this came to light, several 
months before it hit the press, and they have been in an 
earnest process of interviewing the employees that are on the 
phone with their customers, and they cannot find any instances 
that they know of that their employees have given information 
to somebody that was not the account holder. These pretexters, 
they represent that they are the account holder.
    We are getting literally hundreds of millions, if not 
billions, of calls every year asking for information about 
their--various questions about their accounts. As I said in my 
testimony, what was good customer service is now becoming a 
liability in this case. So we just want to ensure that we have 
the ability to serve our customers, our legitimate customers, 
and at the same time take care of these pretexters that are 
using lies and schemes to gain access to this information.
    Senator Nelson. Well, someone who is posing as someone that 
they are not, what about the requirement of the telephone 
company to use a password instead of the Social Security 
number, because of now the availability, unfortunately, of 
Social Security numbers on some of the government documents?
    Mr. Largent. Yes, sir, and many of our companies are doing 
precisely that. They are developing passwords, pass codes. They 
are no longer sending information via e-mail or faxing 
information now. They are only sending them to the address that 
is on the account if it is requested. So those are some of the 
things that I can tell you about. Many other things our 
companies are involved in. It was requested by the FCC on 
Monday and that is available to all of you. I do not want to 
talk about that here in this open session, but it is available 
to you and it is recorded down at the FCC.
    Senator Nelson. In your business, in order to protect 
consumer confidential information what kind of checks do you 
have on the employees that have access to that information?
    Mr. Largent. Well, all the ones that you would expect us to 
have. We have the highest security you can imagine of employees 
that are dealing with that information. But as you know----
    Senator Nelson. Do you do background checks?
    Mr. Largent. Sure, background checks.
    Senator Nelson. You do?
    Mr. Largent. Absolutely. But as you know, a lot of these 
call centers, you are talking about people that are oftentimes 
working at entry level wages, and so we definitely have issues. 
But I can tell you that we have scrupulously been going over 
and interviewing those employees to ensure that the breakdowns 
are not there. But as was mentioned in testimony here today, 
there is no doubt that some of that has been taking place, and 
we are trying to weed it out as quickly as we can.
    Senator Nelson. A final question: Did you not play for the 
Seattle Seahawks?
    Mr. Largent. I did.
    Senator Nelson. Your team came a long way. Congratulations.
    Senator Allen. Thank you, Senator Nelson.
    Let me go through some other ideas here. I just want to 
elicit responses or ideas from you. I think it was in answer to 
Senator Dorgan's questions, we somehow got Mr. Rotenberg and 
Mr. Largent together, Congressman Largent, together. What would 
be any legitimate reason for anybody to ever want somebody's 
telephone records other than for law enforcement? Are there any 
other reasons other than a court order where someone would want 
to have someone's telephone records? This came up. I just 
wanted to get some clarification. Mr. Douglas, if you want to 
add to it you may.
    Mr. Douglas. Well, as the former private investigator in 
the room, I will make the----
    Senator Allen. Congressman, I just want to make sure your 
reply in that one on one there was accurate.
    But go ahead, Mr. Douglas.
    Mr. Douglas. I will make the argument that they are making. 
And by the way, this morning they were discussing how this is a 
very--the PI and investigative trade was discussing how this is 
a very unbalanced panel here today. They feel that there should 
be somebody here arguing for them to be able to get these 
records. The argument they will make--and this addresses one 
bigger point I would like to make if I could, Mr. Chairman. The 
argument they will make is that they fight fire with fire, that 
to track down deadbeats, to develop witnesses, to locate 
witnesses, that they need access to these records the way law 
enforcement has it. And they have developed this tactic of 
going out and--let us call it what it is--stealing these 
records.
    But they have found there is a very lucrative market and, 
without the pretexting connotation, it is the elephant in the 
room here that nobody is talking about, and that the FCC and 
the FTC have never addressed. I think the FTC is very aware. It 
is attorneys that are driving the cash flow that puts these 
websites up so that stalkers can buy them. It is some of the 
most prestigious law firms in this country using these 
investigators and illicit information brokers to buy this.
    Monday, the Pellicano indictment in Los Angeles, where he 
was wiretapping celebrities and Hollywood executives. If you 
read the indictment closely, it talks specifically about 
bribing and using SBC Global phone company employees to get 
customer proprietary information, toll records, and the 
information to conduct these wiretaps. Who did he sell it to? 
Attorneys in Los Angeles.
    So I support--and, excuse me, I think it was Mr. Pryor who 
raised the question before. I support the outlawing of the sale 
and purchase of records because law enforcement authorities 
will tell you that you cannot go after the buyers if you are 
just using the pretext standard, because under Gramm-Leach-
Bliley to make those cases against the attorneys you would have 
to demonstrate that they know the records were obtained by 
these brokers through deceit and that is a very difficult 
standard for the Federal agencies to meet.
    So I just wanted to add that to the record.
    Senator Allen. Thank you. In view of that, what would you 
think of the idea of allowing phone companies, whether it is 
SBC or others--and Congressman Largent, you might want to bring 
up; we are talking about attorneys general and the FTC, which 
gets after individuals; FCC gets after companies. But what 
about allowing SBC or whatever it may be to actually also have 
a private right of action against any of these third-party data 
brokers?
    Mr. Douglas. Absolutely----
    Senator Allen. Would you like that, Congressman Largent?
    Mr. Largent. We would, yes, sir.
    Senator Allen. What about the idea--and we have kind of 
gotten around this. What about the idea--and you do not need to 
get into all the details of how there is security. What about 
the idea of telephone companies filing security procedures with 
the Federal Communications Commission, in other words proving 
to the FCC that you--and the FCC has to approve it--that you 
have approved security procedures?
    I am not saying that that may still not get breached. But 
it seems to me that, while there may be some rare legitimate 
uses or need for these records to be compiled--and every 
company may do it differently, which in its own way may 
actually be good because if somebody breaks the code to one 
they will break it for all, and it is probably best--and 
obviously this has to be kept confidential.
    What would you think of that, Congressman Largent? I am 
talking about pre-approved plans by the FCC. And I would like 
to hear from you, Ms. Monteith, as far as the FCC having the 
capabilities of pre-approving security guidelines from 
communications companies.
    Mr. Largent. Well, based upon the experience that we have 
had, I will just speak very briefly. This is an ever-evolving 
problem, that just when you set up a system to prevent people 
from breaking in they figure out how to get around that one and 
we have to improvise and we have to change it and do something, 
we have to tweak the system in order to cut them off at the 
pass.
    So I am afraid that if we try to implement a system, even 
if it is different systems for different companies, and we 
submit that plan to the FCC, it could mean in 3 months or 6 
months or 9 months we have to change it because they have 
figured out how to get around the system at that point in time, 
even if it is a confidential disclosure to the FCC only.
    Senator Allen. Ms. Monteith?
    Ms. Monteith. Thank you. I think Chairman Martin has made 
clear that he thinks that the strongest proposal would be to 
specifically make illegal the commercial availability of 
consumers' records, very clean and no loopholes. I would have 
to take back to the Chairman and the Commission the idea of 
filing best practices, I believe, with the Commission and our 
review of those. But I am happy to do that and follow up with 
you.
    Senator Allen. Well, we need to come up--and I will turn it 
over to Senator Pryor for another round of questions. We need 
to--there is a responsibility on the part of many people. The 
communications companies clearly have this information and 
there should be--and I am sure that you find no desire in 
having to be here and explaining what some of your member 
companies have done. But it seems to me that this has to be hit 
at so many different angles, that every single approach that we 
can take to assure that this privacy will be protected needs to 
be put into legislation and enforced and everyone pitching in 
on it.
    Senator Pryor.
    Senator Pryor. Thank you, Mr. Chairman.
    Ms. Parnes, I have one--the last time I want to put you on 
the spot. That is, if you answer this question correctly.
    [Laughter.]
    Ms. Parnes. I will try.
    Senator Pryor. On the issue of civil penalties, if the 
Congress were to give the Federal Trade Commission the 
authority to impose civil penalties, what do you think the 
level of those penalties should be?
    Ms. Parnes. Well, currently the general civil penalty 
authority for the Commission when we have it gives us the 
authority to seek $11,000 per violation. It is usually 
difficult for us to actually get that much money because there 
are many, many violations and we could be talking about 
millions and millions of dollars. But I would think that that 
is a reasonable place to start, certainly.
    Is that the right answer?
    Senator Pryor. That is the right answer.
    Ms. Parnes. Thank you.
    Senator Pryor. That is actually what I was thinking too, 
but I just did not know if you had a different take on it.
    Let me ask you, Congressman Largent if I may. That is, you 
said something in your earlier testimony that I thought was 
interesting about credit cards. I would like to hear a little 
bit more detail on your idea there about what, in your view, 
what should the rule be on credit cards and if you could expand 
on that.
    Mr. Largent. Well, that is actually a new twist. We 
testified over in the House last week and we started thinking 
about this and realized that some of the violations as it 
pertained to the Gramm-Leach-Bliley Act created penalties if 
you were to use a credit card in a transaction to gain access 
to information that were found in financial records.
    Senator Pryor. Penalties against the card user or against 
the company that is using a credit card in a transaction?
    Mr. Largent. The law actually is constructed, it is my 
understanding it is constructed, that the credit card company--
that they cannot utilize the credit card to engage in a 
transaction of this type that we are talking about.
    Senator Pryor. I would like to explore that further. Do you 
have in mind that if you have these data brokers, I guess you 
want to call them, that in order for them to get information, 
say for example on the cell phone number, that the number on 
the--the information on the cell phone they are seeking would 
have to be the same name as on the credit card? Is that the 
kind of safeguard you are talking about, where the credit card 
would have to match up with the person requesting information?
    Mr. Largent. Right. And I misspoke. I said it was the 
Gramm-Leach-Bliley Act. It was not. It was on the pornography 
legislation that passed in the House and the Senate.
    Senator Pryor. Well, what you said is intriguing and I 
would like to pursue that after the hearing and visit with you 
about that and talk to your folks about that.
    Mr. Rotenberg, let me ask you about, last July you filed a 
complaint with the FTC about a website that offered phone 
records and PO Box information; is that right, for a fee 
through pretexting? What was the response from the FTC to that 
complaint?
    Mr. Rotenberg. Well, initially really nothing, Senator. In 
fact, we followed up the initial complaint with a more detailed 
letter, with the assistance, I should mention, of Mr. Douglas, 
who has been very helpful to us throughout this, where we were 
able to describe 40 different companies that were making this 
kind of call detail information available.
    Now, it is true that the FTC has gone after pretexting in 
the financial services context. They did so back in 1999. But 
they really have not looked at pretexting in the phone records 
context until very recently.
    Senator Pryor. Is that also true for the FCC?
    Mr. Rotenberg. Well, the FCC we understand in the next 
couple of days is going to announce action on our petition. 
They have already taken enforcement action against two 
companies under section 222 and I believe that this week they 
will be announcing a broader rulemaking on stronger security 
standards, and that is in response to our petition.
    Senator Pryor. Mr. Douglas, if I can turn to you just for a 
moment. You mentioned the caller ID spoofing in your testimony 
and showed us a website. Is there any legitimate reason why you 
would do a caller ID spoof other than maybe law enforcement?
    Mr. Douglas. No, and many of the sites will advertise it as 
entertainment purposes. But it has become very well known in 
the fraud community as a way to deceive people, and 
particularly in stalking situations and others it is very 
dangerous.
    Senator Pryor. You also mentioned attorneys a few moments 
ago. I just was a little confused about that. How in your view, 
how are the attorneys using this information?
    Mr. Douglas. Well, for the short period of time in 1997 
when I actually bought these and learned about what was going 
on, it was all attorneys, since that is all that I worked with 
as a private investigator, who were interested in them. They do 
it in collections cases, they do it in competitive intelligence 
cases.
    In fact, there is a very good paragraph in the indictment, 
in the Pellicano indictment, at least Monday, where they 
describe it as being used for tactical advantage in litigation 
situations. So if I want to know what my competitor is doing in 
a business deal or any type of litigation that you can think 
of, knowing who they are talking to is very important.
    It has become the electronic equivalent in the private 
investigative trade of dumpster diving. In the old days before 
the Internet, if you wanted to know what a business was doing, 
pick up their trash at the end of the night, hopefully when it 
is put out at the curb--that makes it, unfortunately in my 
opinion, legal--and go through their records. Well, now just 
buy them online.
    Senator Pryor. It sounds like your solution to this problem 
would be to follow pretty much what we did with Gramm-Leach-
Bliley, just make it clear that it applies to telephone 
information?
    Mr. Douglas. Yes, twofold. First and foremost, I would like 
to see a fast bill out of the Senate and action very quickly to 
outlaw specifically what we are talking about today. In my 
perfect world, down the road we need to address these tactics 
being used for all consumer records. They are already being 
used to get utility information, gas, electric, cable TV, 
satellite TV.
    You have to understand how they work. It is not about the 
record itself. It is where can I find information. There is a 
five-step process: know what information I want, know who is 
the custodian of the information, know who the custodian will 
release it to, know under what circumstances they will release 
it, become that person with those circumstances.
    So it is not just that it is about phone records, although 
the prevalence of that has brought it to a national crisis. It 
is about any consumer record.
    Senator Pryor. The last question I have for you, Mr. 
Douglas, is, just by way of background, have you been contacted 
or do you work for any telecom companies in order to try to 
help them fight against pretexting and identity theft? Have you 
been contacted by anyone in the telecom industry?
    Mr. Douglas. No, not so far.
    Senator Pryor. That is all I had, Mr. Chairman. Thank you.
    Senator Allen. Thank you, Senator Pryor. Let me follow up 
on that question.
    Since you have not, Mr. Douglas, been asked----
    Mr. Douglas. And my cell phone drops out just like 
everybody else's, too.
    [Laughter.]
    Senator Allen.--what do you believe that the phone 
companies and the telecommunications associations, like CTIA, 
could do to better protect their phone records and their 
customers? What recommendations would you have?
    Mr. Douglas. Sure, and I actually wrote down what Mr. 
Largent said because he hit the nail on the head when he said 
customer service as a security flaw. That is how this works in 
all industries, but specifically the phone industry. The 
pretexters, to use the shorthand, know that they can take 
advantage, that the phone company's priority is customer 
service.
    In the customer call center, which are the employees with 
the least amount of time, the least paid and the highest 
turnover rate, and usually the least trained overall, they are 
graded on how fast they move the call, how successfully they 
move the call, and do they offer other services through 
marketing. Security, customer authentication, is usually, 
unfortunately and historically, fairly low on that schematic, 
if you will.
    So a number of things. One, they need to better educate 
their employees as to these tactics. The banking industry went 
through this very industry after the passage of Gramm-Leach-
Bliley and was fairly successful in that regard.
    Where I would disagree with Mr. Largent respectfully is 
that there do need to be some baseline standards in customer 
authentication protocol. You cannot use biographical 
identifiers like Social Security number, mother's maiden name, 
date of birth. In many cases, even when they use passwords or 
PINs they will default to that if the person says, I have 
forgotten my password or PIN. Excuse me, this is what they will 
say on the phone: Come on, you SOB; I am trying to catch a 
plane; I need my information right now. That is how the art of 
pretext works, either badgering, cajoling, whatever.
    So there need to be some baseline standards. The banking 
industry is looking at two-tier authentication. There is a 
great template out there in the banking regulatory agencies and 
some of the regulations that they have promulgated in the wake 
of Gramm-Leach-Bliley. So education and baseline standards, Mr. 
Chairman.
    Senator Allen. Congressman Largent, what is your initial 
response to Mr. Douglas's?
    Mr. Largent. I agree with him. I think--and these are 
exactly the type of steps that our companies are engaged in 
right now.
    Senator Allen. Thank you.
    Let me finish finally with you, Ms. Southworth. You have 
been listening to all of this from the FTC and FCC, the 
communications industry, PIs, and the folks with EPIC. You 
testified on the inherent risks and the real live risks to 
women who have been victimized on account of it, as did Mr. 
Douglas in his very graphic, sad testimony of a woman who was 
killed by someone who received this information.
    What would you suggest? Just give us one, two, three 
suggestions. What would you suggest that we do in this 
legislation that we are going to be working on? It is going to 
come up, I suspect, very soon after this hearing. Give me one, 
two, and three, what components would you suggest to your 
government leaders?
    Ms. Southworth. I cannot talk about this issue without 
thinking about stolen goods. We think of theft when you steal 
something from someone and it is a crime. If you steal my 
personal information it is theft, it is a crime. So I do not 
think there should be any less penalties because it is data 
versus property. So I would love to see that this be taken 
seriously.
    I agree with all the other panel members with the issues. I 
have been nodding vigorously throughout the discussion. The 
piece that I think may or may not be something you can address 
in the legislation, but it is the critical element that has not 
been mentioned yet, it is the consumer education piece. 
Everybody can do everything to increase security standards and 
deal with the people misusing the data. However, if consumers 
do not know not to use their pet's name as their password, we 
still have a security problem. So it is critical to reach the 
consumers too so they understand that this is a broader issue 
and please do not use your mother's maiden name as your 
password.
    Senator Allen. Use your pet's name is your suggestion?
    Ms. Southworth. No, do not, do not use your pet's name, 
your mother's maiden name, or your anniversary date.
    Senator Allen. Thank you, Ms. Southworth.
    Do you have any further questions?
    Senator Pryor. I just have one quick follow-up.
    Senator Allen. Go ahead.
    Senator Pryor. To you, Ms. Southworth. Again, thank you for 
what you do and your organization does in the realm of domestic 
violence. I used to work very closely with your folks in 
Arkansas and they are wonderful to work with.
    Ms. Southworth. They are great.
    Senator Pryor. I do have a question to you about the FCC 
and the FTC. Have you ever worked with them in any 
investigatory capacity?
    Ms. Southworth. Not an investigatory capacity. We will be 
working closely with the Federal Trade Commission tomorrow on 
the anti-spyware initiative issues.
    Senator Pryor. But not on this issue?
    Ms. Southworth. Not thus far, but we would be happy to 
work--we work closely with many Federal agencies.
    Senator Pryor. Right.
    Ms. Southworth. So we would be happy to work with them in 
any capacity.
    Senator Pryor. Either the FTC or the FCC.
    Ms. Southworth. Absolutely.
    Senator Pryor. Even after Amy Boyer was killed in 1999, you 
did not--as far as you know, you did not have any contact?
    Ms. Southworth. My project did not exist then. We were 
founded in 2002. So now we are sort of the go-to folks for 
anything around domestic violence victimization and technology.
    Senator Pryor. Thank you.
    Ms. Southworth. The one piece that I would add to that, 
though, is that you mentioned, is the private investigator 
piece. Peggy Klinke was killed in 2003 after her ex found her 
using a private investigator, and I do not know what 
information that private investigator got through pretexting.
    Senator Pryor. Thank you.
    Mr. Chairman, thank you for the hearing.
    Senator Allen. Thank you.
    One final question, Ms. Southworth, just to make sure. You 
have worked with State attorneys general undoubtedly.
    Ms. Southworth. Absolutely.
    Senator Allen. So I think that will be one component that 
is very important in this legislation, to have that additional 
enforcement from those that actually have such offices that are 
in the States, closer to the people, and probably--not that an 
attorney general's office is something you walk into, but 
nonetheless it is closer and responsive to the people.
    So I want to thank all of you, all of our panelists, for 
your interest, for your insight, your testimony, your ideas. It 
is going to make it very, very helpful to us as we put 
together, working together on a bipartisan basis--when I look 
at this list, you have folks from Virginia, Arkansas, Alaska, 
Hawaii, Louisiana, Montana, California, Oregon, North Dakota, 
and Florida. There is a great deal of concern.
    I mentioned in the beginning when I first heard this I said 
we need to act. You have given us some good ideas. I also like 
the ideas that some of you mentioned, is that people need to be 
aware of this and come up with passwords, so to speak, that are 
not easily discernible and replicable. The phone companies or 
communications folks are going to need to make a better effort 
clearly of this. I am glad to hear, Congressman Largent, your 
leadership and willingness to do it. Mr. Douglas, you have 
brought up the tragedies that occur from this. Mr. Rotenberg, 
thank you for your great public citizenry. I think it helps 
certain Federal agencies get moving.
    But we need to crack down. It is going to be made a crime. 
We are going to bring every aspect that is logical and 
reasonable toward this at the Federal level, State attorneys 
general, get rid of some of the loopholes and, what were they 
calling it, the certifications, giving the criminals a heads 
up. Absolutely absurd. We will have greater fines, longer 
statutes of limitations. There may be some aspects of this that 
you do have to certify a security approach with the 
communications companies.
    But we are going to act. America expects us to. You help 
propel us and give us the information that we can put together 
legislation, not just legislation for the heck of it, but 
legislation that is effective.
    I thank you all and this hearing is adjourned.
    [Whereupon, at 4:23 p.m., the Subcommittee was adjourned.]
                            A P P E N D I X

  Response to Written Questions Submitted by Hon. Daniel K. Inouye to 
                           Kris Anne Monteith
    Question 1. In recent weeks, both the Federal Communications 
Commission (FCC) and the Federal Trade Commission (FTC) have initiated 
enforcement actions against pretexters. How do your two agencies 
coordinate your enforcement activities to ensure that we are not 
duplicating efforts?
    Answer. FCC staff and FTC staff have communicated regularly to 
discuss our respective enforcement efforts and to avoid duplicative 
efforts. We will continue to engage in regular communications to share 
information with each other to facilitate our enforcement activity. The 
FCC is focused principally on the activities of telecommunications 
carriers in protecting their customers' sensitive personal information 
while the FTC is focused on the activities of the data brokers 
themselves in acquiring the data from carriers. Thus, our efforts are 
naturally complementary and the risk of duplication is low.

    Question 2. What are the maximum penalties under both the 
Communications Act and the FTC Act, respectively, that can be imposed 
on pretexters?
    Answer. The FCC's rules regarding the protection of Customer 
Proprietary Network Information (CPNI) apply to telecommunications 
carriers. Thus, the FCC would not be able to impose penalties against 
pretexters for their CPNI-related practices unless the pretexters were 
also licensed telecommunications carriers. If pretexters, as carriers, 
engage in violations of the Communications Act or Commission rules, the 
FCC may impose a maximum penalty of $130,000 per violation or per day 
of a continuing violation up to a maximum of $1.35 million.
                                 ______
                                 
  Response to Written Questions Submitted by Hon. Daniel K. Inouye to 
                            Lydia B. Parnes
    Question 1. In recent weeks, both the Federal Communications 
Commission (FCC) and the Federal Trade Commission (FTC) have initiated 
enforcement actions against pretexters. How do your two agencies 
coordinate your enforcement activities to ensure that you are not 
duplicating efforts?
    Answer. The FTC and FCC have both formal and informal cooperative 
arrangements for working on cases with overlapping jurisdiction. For 
example, the agencies have a formal memorandum of understanding 
relating to telemarketing enforcement, which includes an agreement to 
meet regularly in order to coordinate comprehensive, efficient, and 
non-redundant enforcement of our respective telemarketing statutes and 
rules. Under that agreement, the FTC provides the FCC access to Do Not 
Call Registry data, and each agency agrees to make its consumer 
complaints available to the other regarding possible violations of 
Federal telemarketing rules. That agreement has worked well.
    On other projects and cases, the FTC has granted the FCC access to 
investigative files and both agencies share complaints with the other. 
The agencies are continuing this close coordination with respect to our 
current investigations of telephone pretexters. Staffs of the agencies 
have frequent and ongoing discussion about targets, and have shared 
information obtained in the investigations. Because the agencies have 
different enforcement tools and jurisdictional limits, the FTC's 
investigations are focused on the businesses that offer to obtain and 
sell consumer phone records, while the FCC has oversight of the 
telecommunications carriers. \1\
---------------------------------------------------------------------------
    \1\ The FTC's governing statute, the FTC Act, specifically excludes 
FTC jurisdiction over common carrier activities that are subject to the 
Communications Act. 15 U.S.C. Sec. 46(a).

    Question 2. What are the maximum penalties under both the 
Communications Act and the FTC Act, respectively, that can be imposed 
on pretexters?
    Answer. With respect to the FTC, the Commission has the authority 
to seek equitable remedies in its Federal court actions. These remedies 
could include, in appropriate cases, consumer redress or disgorgement 
of ill-gotten gains. It can also seek conduct prohibitions including 
injunctions against further violations of the law, or, in certain 
cases, an outright ban on engaging in certain types of conduct or 
business. Once entered, violations of Federal district court orders are 
punishable by civil or criminal contempt.
    The Commission does not have authority to seek civil penalties for 
a law violation except in specified circumstances, i.e., for violation 
of a trade regulation rule or of an order in a prior enforcement 
action, or if specifically so provided in an applicable statute. I 
believe that civil, and possible criminal, penalties would provide a 
strong deterrent to telephone pretexting. In the telephone pretexting 
context--where the harm includes a privacy violation--it may often be 
difficult to calculate either consumers' economic injury or a 
violator's gains. Consequently, civil penalties may be a more 
appropriate remedy than some of the agency's existing tools like 
consumer redress.

    Question 3. The FTC originally fined Touch Tone $200,000 for 
violation of the GLBA and unfair and deceptive practices under Section 
5. Why was this amount later suspended, allowing Touch Tone to get away 
with no monetary punishment?
    Answer. The Touch Tone case was filed prior to the passage of the 
Gramm-Leach-Bliley Act and therefore charged violations only of the FTC 
Act. The $200,000 judgment in Touch Tone represented the defendants' 
alleged unjust enrichment from the sale of consumers' financial 
information. However, according to sworn financial disclosures, the 
individual defendants were unable to pay this amount. The final order 
makes the judgment immediately payable to the FTC if either defendant 
is found to have materially misrepresented his or her financial 
condition.

    Question 4. In Operation Detect Pretext, the FTC brought charges 
against three firms, two of which were fined $2,000 and the third 
wasn't fined at all. Why didn't the FTC exact larger fines for this 
activity and why weren't the original fines maintained?
    Answer. The FTC's remedies in the three Operation Detect Pretext 
cases were based on the disgorgement of unjust enrichment and 
injunctive relief. In two of the cases, the defendants' gains from the 
sale of the alleged pretexting services were $2,000. In the third case, 
the defendant's financial gains were $15,000. However, as in Touch 
Tone, a sworn statement from the defendant in the third case 
established that he was financially unable to pay this amount. The 
final order in this case also makes this payment immediately payable to 
the FTC if the defendant is found to have materially misrepresented his 
financial condition. \2\
---------------------------------------------------------------------------
    \2\ See http://www.ftc.gov/opa/2002/03/pretextingsettlements.htm.
---------------------------------------------------------------------------
    In addition to imposing monetary payments, the orders in each of 
the three cases also prohibit the defendants from engaging in the same 
unlawful conduct, require them to provide the Commission with reports 
on their compliance with the orders, and ultimately allow the 
Commission to bring contempt actions for failure to comply with 
material terms of the orders.

    Question 5. Why hasn't there been any more legal action taken 
against pretexters by the FTC since 2001?
    Answer. The Commission has brought seven additional pretexting 
cases since 2001, bringing the total to 11 such actions. \3\ These 
cases are part of the larger Commission program aimed at protecting 
consumers' privacy. For example, since the Subcommittee hearing, the 
Commission announced a settlement with CardSystems Solutions, Inc., a 
credit card processor that allegedly failed to implement reasonable 
measures to protect consumer credit card information. The Commission's 
complaint alleges that the company's lack of appropriate security 
measures exposed the credit card information of tens of millions of 
consumers and resulted in millions of dollars of fraudulent charges. 
\4\ The CardSystems settlement follows the FTC's record-breaking 
settlement with the data broker ChoicePoint, Inc. This agreement 
settles charges that ChoicePoint lacked reasonable security and 
customer verification procedures in violation of the Fair Credit 
Reporting Act and FTC Act. The settlement requires ChoicePoint to pay 
$10 million in civil penalties (as a remedy for the FCRA violations) 
and $5 million in consumer redress.
---------------------------------------------------------------------------
    \3\ See http://www.ftc.gov/privacy/privacyinitiatives/pretexting_enf.html.
    \4\ See http://www.ftc.gov/opa/2006/02/cardsystems_r.htm.
---------------------------------------------------------------------------
    As mentioned in the Commission testimony and my oral remarks during 
the hearing, the Commission is also investigating a number of companies 
that appear to be engaging in telephone pretexting. Commission 
attorneys currently are evaluating the evidence to determine if law 
enforcement action is warranted.
    I also believe that in addition to law enforcement efforts, 
legislative changes could help address the problem of telephone 
pretexting. Although the Commission already can bring actions against 
pretexting for consumers' telephone records under the FTC Act, I 
believe Congress should consider whether additional legislation would 
be appropriate in this area. One approach would be a specific 
prohibition on the pretexting of telephone records. Legislation of this 
kind could help deter pretexting by making clear that this practice is 
illegal. If Congress were to consider such legislation, I would 
recommend that it give the Commission authority to seek civil penalties 
against violators, a remedy that the FTC does not currently have in 
cases like this. I believe that, in this area, penalties are the most 
effective civil remedy. This is also a situation where criminal 
penalties may be warranted, but I would defer to the Department of 
Justice on the need for criminal legislation and its structure. I and 
my staff would be happy to work with Commerce Committee Members and 
staff on any legislation that may be under consideration.
    Finally, FTC staff recently conducted an Internet surf of telephone 
pretexters and found that some sites offering these records were 
registered to foreign addresses. This finding underscores the 
importance of the Commission's previous recommendation that Congress 
enact cross-border fraud legislation. The proposal, called the U.S. 
SAFE WEB Act, would overcome many of the existing obstacles to 
information sharing in cross-border investigations.
    I hope that the foregoing information is helpful. Please let us 
know whenever we may be of service. If you have any questions or 
comments, please feel free to contact me, or you or your staff may 
contact Anna Davis, the Director of the FTC's Office of Congressional 
Relations, at (202) 326-2195.
                                 ______
                                 
  Response to Written Questions Submitted by Hon. Daniel K. Inouye to 
                             Marc Rotenberg
    Question 1. In a statement made by Jimmie Mesis, Editor-in-Chief of 
Private Investigator (PI) Magazine, on June 11, 2005, to his readers 
regarding pretexting complaints, ``My immediate concern is not the FTC 
. . . [w]hen the complaint comes from EPIC, we have a problem.''
    Why do you believe you have been more successful in intimidating 
pretexters than the FTC has?
    Answer. Since its founding in 1994, EPIC has made effective use of 
the Internet to draw public attention to new threats to personal 
privacy. While we lack the resources and enforcement authority of the 
Federal agencies, we believe that it is possible, in the short term, to 
curtail some of the worst business practices by publicizing the problem 
online.
    However, our ``watchdog'' role is not an adequate substitute for 
the effective enforcement of privacy laws that help safeguard consumers 
and establish trust and confidence in the online business environment.
    Consumer concerns about new threats to privacy are broad and 
growing. The Federal Trade Commission clearly needs more resources to 
bring enforcement actions against companies violating Section 5 of the 
FTC Act.
    The statement from the Editor-in-Chief of Private Investigator 
Magazine points to another serious problem: he does not recommend 
curtailing pretexting or the sale of personal information, nor does he 
suggest that pretexting is inherently bad; rather he advocates that 
private investigators and others take the practice underground. Later 
in the message, he writes ``PI's need to stop promoting the selling of 
toll records directly to the public as a commodity . . . I also suggest 
that PI's promote such services as `telephone research' as compared to 
coming right out and mentioning tolls, non-pubs, etc.'' (emphasis 
added). \1\
---------------------------------------------------------------------------
    \1\ E-mail of Jimmie Mesis, Editor-in-Chief of Private Investigator 
Magazine, to readers (July 11, 2005).
---------------------------------------------------------------------------
    We believe that the community will follow this advice, and simply 
move the trade underground, and further obfuscate the practice by 
calling it ``telephone research'' rather than ``phone breaks'' and the 
like. That is why it is critical to enact comprehensive legislation 
that will broadly prohibit pretexting.

    Question 2. If legislation was passed to prevent pretexting, who 
would you recommend be the enforcement authority on the matter?
    Answer. Because widespread pretexting can easily occur without 
necessarily attracting the attention of the FTC, EPIC recommends that 
the Committee empower state attorneys general, individual consumers, 
and companies deceived by pretexting to seek damages from pretexters 
and the sellers of personal information. The limited action by the FTC 
indicates that additional law enforcement support is needed to combat 
the problem and properly enforce any legislative solution to this 
problem. State attorneys general are in a better position to hear the 
complaints of individual consumers, and can supplement FTC action.
    However, even state officials operate at some remove from those 
most directly affected by the sale of personal information--the 
individual victims. A private right of action for individuals will 
allow victims to defend themselves from those who would sell their 
privacy for a profit, without having to attract the attention of, then 
wait for Federal or state authorities to focus on their particular 
case. The Telephone Consumer Protection Act of 1991, which limits 
telemarketing and the transmissions of junk faxes, contains model 
enforcement language that allows the individual to sue in state court 
and get default damages.
    We also support the right of the carriers to bring actions against 
pretexters. Carriers are in a position to detect patterns of intrusions 
into their systems, and should be able to bring enforcement actions 
against pretexters.

    Question 3. Mr. Rotenberg, in your testimony, you noted EPIC's 
rulemaking petition filed at the FCC that calls for action by the FCC 
to enhance the security requirements that telecommunications carriers 
must follow under section 222 of the Act. Like you, I am pleased to 
know that the FCC will soon put this petition out for public notice, 
and hope that they will expedite the consideration of this item.
    Answer. Senator, we very much appreciate your support for the 
decision of the FCC to undertake a rulemaking, in response to EPIC's 
petition, to enhance the security requirements that telecommunications 
carriers must follow under section 222 of the Act. \2\ We hope that 
EPIC's recommendations for stronger security safeguards will be 
incorporated into a final rule from the Commission. While we understand 
industry concerns about maintaining flexibility in combating fraud, we 
believe that sensible regulations will discourage particularly bad 
security practices, such as using easily obtained biographical data 
(such as zip code or date of birth) for authentication. Other 
guidelines, such as the maintenance of audit trails that allow 
investigators to know who has accessed customer data and notifications 
of data breaches, are commonsense techniques that companies that 
collect and maintain customer information should implement.
---------------------------------------------------------------------------
    \2\ Notice of Proposed Rulemaking, In re Petition for Rulemaking to 
Enhance Security for Access to Customer Proprietary Network 
Information, FCC Docket No. 96-115, RM-11277 (Feb. 10, 2006), available 
at http://hraunfoss.fcc.gov/edocs_public/attachmatch/FCC-06-10A1.pdf.

    Question 4. In your opinion, does section 222 confer sufficient 
authority on the FCC to ensure that those who handle phone record data 
in the normal course of business will protect such data? For example, 
are Voice over Internet Protocol (VoIP) providers covered under section 
222?
    Answer. Section 222 states that ``telecommunications carrier[s]'' 
have a duty to protect ``customer proprietary network information.'' 
The FCC has the authority under this section to create rules to protect 
the confidentiality of CPNI for telecommunications carriers. Therefore, 
the FCC has sufficient authority to ensure that those handling 
traditional telephone and cellular records must protect that data.
    However, as your question indicates, this power is limited to the 
entities that the FCC may regulate under Title II of the Communications 
Act. The FCC has held that computer-to-computer VoIP is not regulated 
under Title II, and thus falls outside the FCC's regulatory scope. \3\ 
The extent to which the FCC might regulate VoIP providers that connect 
to the telephone network is a more problematic question, in which EPIC, 
in at least one other context, is involved. \4\ The FCC, however, has 
not yet made a final determination on this issue. \5\
---------------------------------------------------------------------------
    \3\ See In re Petition for Declaratory Ruling that pulver.com's 
Free World Dialup is Neither Telecommunications Nor a 
Telecommunications Service, 19 F.C.C.R. 3307 (2004).
    \4\ EPIC is one of several petitioners in Am. Council on Educ. v. 
FCC, Docket No. 05-1404 (D.C. Cir. filed Oct. 24, 2005), challenging 
the FCC's application of the Communications Assistance for Law 
Enforcement Act to facilities-based broadband providers and 
interconnected VoIP providers.
    \5\ See In re Petition for Declaratory Ruling that AT&T's Phone-to-
Phone IP Telephony Services are Exempt from Access Charges, 19 F.C.C.R. 
7457 (2004) (holding that phone-to-phone services that use Internet 
Protocol are subject to access charges levied against 
telecommunications carriers in certain situations); but see, e.g., 
Southwestern Bell Tel. v. Global Crossing Ltd., 2006 U.S. Dist. LEXIS 
4655 (Feb. 7, 2006) (staying ruling pending FCC determination of 
whether or not the VoIP telephony at issue is regulated as a 
telecommunications service). See also Frontier Tel. v. USA Datanet 
Corp., 386 F. Supp.2d 144 (W.D.N.Y. 2005) (same).
---------------------------------------------------------------------------
    While I do not believe that Section 222 currently gives the FCC the 
power to regulate interconnected VoIP, Congress and your Committee 
should act to ensure that, as the government extends its regulatory 
power into new areas, it should also build privacy protections into new 
laws and regulations. If the FCC finds that it has regulatory power 
over other aspects of interconnected VoIP via the Telecommunications 
Act, then the privacy-protective portions of the Act, including Section 
222, should apply equally.

    Question 5. Does VoIP call data information qualify as ``CPNI'' 
under the statute?
    Answer. Since the statute specifically defines CPNI by referencing 
``telecommunications carrier[s],'' VoIP call data information would not 
be considered CPNI, insofar as a VoIP provider would not be considered 
a telecommunications carrier.

    Question 6. Do you have suggestions for how section 222 of the 
Communications Act might be changed to apply evenly and fairly?
    Answer. Consumers have clearly been disturbed by the news that 
their phone records are for sale by pretexters. Many are similarly 
disturbed that their call records and subscriber information are also 
being sold by their carriers to others for marketing purposes, under the 
very auspices of Section 222. Under current FCC regulations 
interpreting Section 222, \6\ telecommunications carriers may place the 
burden upon consumers to opt out of this sale of their CPNI to others. 
Frequently, the notices informing consumers of this right are hard to 
find, hard to read, and hard to understand. Chairman Martin of the FCC 
has expressed a desire to use a more privacy-protective opt-in standard 
for the disclosure of such sensitive information, and legislation 
specifying the standard within Section 222 would allow this to happen.
---------------------------------------------------------------------------
    \6\ The current FCC regulations followed the decision in U.S. West, 
Inc. v. FCC, 182 F.3d 1224 (10th Cir. 1999), cert. denied, 530 U.S. 
1213 (2000).
---------------------------------------------------------------------------
    Meanwhile, consumers lack the ability to limit disclosure of their 
``subscriber information,'' which includes home addresses. Many 
individuals, such as victims of stalking or domestic violence, are made 
more vulnerable by the disclosure of this information. Such individuals 
frequently rely upon the increased privacy afforded by the use of a 
cell phone. Section 222 should also ideally prevent the sharing of 
subscriber information, absent the permission of the individual 
consumer.
    As for protecting consumers' records held by VoIP providers and 
other businesses, a general ban on pretexting could be coupled with 
requirements that VoIP providers implement basic data security 
measures. This could be achieved by amending Section 222, although any 
amendments should limit their scope to that section, to prevent 
inadvertent application of the Telecommunications Act to VoIP, a 
technology not widely contemplated during the drafting of the Act.
    Another solution would be to require VoIP providers to implement 
security measures for customer data in some other portion of the U.S. 
Code, to be enforced by the FTC, attorneys general, individual 
consumers, or other bodies. This would avoid the jurisdictional 
questions of regulating VoIP as either a telecommunications or an 
information service, instead focusing on the handling of customer data 
as a trade practice.
                                 ______
                                 
  Response to Written Questions Submitted by Hon. Daniel K. Inouye to 
                            Cindy Southworth
    Background: In July 1999, Liam Youens obtained information from an 
Internet-based investigation service called Docusearch on Amy Boyer, a 
woman Youens had been stalking since high school. He was able to obtain 
her Social Security number for a mere $45 and hired someone to pretext 
Boyer to get her employment information. Then in October 1999, Youens 
drove to Boyer's workplace, shot and killed her, then turned the gun 
onto himself.
    Question 1. The Amy Boyer case brought to light another aspect 
where pretexting can have a direct effect on one's privacy and safety. 
Do you believe the safety of domestic violence victims has decreased 
significantly with the increase in popularity of pretexting?
    Answer. We agree that the safety of victims has decreased with the 
increase in popularity of pretexting by both abusers and by information 
brokers who sell illegally obtained victim information to abusers.
    The murder of Amy Boyer not only highlighted the ease of 
pretexting, but also the use of pretexting by information brokers, who 
then sell the sensitive data they obtain. Unfortunately, perpetrators 
of domestic violence have tried to obtain information about their 
victims under false pretenses, or ``pretexted,'' for decades, but the 
growth of the information broker industry has provided an almost 
unlimited amount of sensitive data for anyone willing to pay.
    Internet use has reached new levels and stalkers are also using 
this technological tool to track down victims. Research by Pew Internet 
and American Life Project shows that 69 percent of adult women and 75 
percent of adult men use the Internet. \1\ Eighty-four percent of those 
adult Internet users have used an online search engine to help them 
find information on the Web. \2\ Information brokers abound on the 
Internet and many of these businesses engage in pretexting to illegally 
obtain sensitive information.
---------------------------------------------------------------------------
    \1\ Pew Internet and American Life Project, September 2005 Tracking 
Survey. Available online at: 
http://www.pewinternet.org/trends/User_Demo_12.05.05.htm.
    \2\ Pew Internet and American Life Project, ``Usage Over Time'' 
spreadsheet. Available online at: 
http://www.pewinternet.org/trends/UsageOverTime.xls.

    Question 2. Do you see pretexting affecting those choosing to leave an 
abusive situation and, if so, how?
    Answer. Abusers use pretexting to stalk their victims before, 
during, and after a victim leaves a violent relationship. They also use 
information brokers to gain private data about their victims. The most 
dangerous time for a victim of domestic violence is when she takes 
steps to leave the abusive relationship. \3\ Many victims are stalked 
relentlessly for years after having escaped from their partners. These 
batterers who stalk their former partners, determined to hunt them 
down, are the most dangerous and pose the highest lethality risk. \4\
---------------------------------------------------------------------------
    \3\ Ronet Bachman and Linda Salzman, Bureau of Justice Statistics, 
``Violence Against Women: Estimates From the Redesigned Survey'' 1 
(January 2000).
    \4\ Barbara J. Hart, ``Assessing Whether Batterers Will Kill''. 
Available online at: http://www.mincava.umn.edu/hart/lethali.htm; 
Jacqueline Campbell, ``Prediction of Homicide of and by Battered 
Women'' reprinted in Assessing Dangerousness: Violence by Sexual 
Offender, Batterers, and Sexual Abusers 96 (J. Campbell, ed., 1995).
---------------------------------------------------------------------------
    On February 23, 2005, Luis Alberto Gomez-Rodriguez tracked his ex-
girlfriend from Florida to Iowa with the aid of illegally obtained cell 
phone records and court records. He found her new home near Iowa City 
and murdered her. \5\ The news reports did not reveal whether he 
purchased the cell phone records from an information broker who used 
pretexting or whether he personally pretexted to obtain them.
---------------------------------------------------------------------------
    \5\ Byrd, Stephen. ``The hunt begins: Witnesses tell of suspect's 
methodical search for Muscatine couple.'' The Muscatine Journal, 
(Muscatine, Iowa) February 11, 2006. Available online at: 
http://www.muscatinejournal.com/articles/2006/02/11/news/doc43ed60933bfef871578540.txt.
---------------------------------------------------------------------------
    In another example of pretexting and stalking, an Arizona man 
placed a global positioning system on his ex-girlfriend's car and 
obtained her phone records to see who she was calling. He also 
threatened to kill her before she discovered the tracking device and 
contacted the police. \6\
---------------------------------------------------------------------------
    \6\ Sakal, Mike and O'Brien, Charlie. ``Records detail Belle's 
threats.'' The East Valley Tribune (Mesa, Arizona) February 18, 2006. 
Available online at: 
http://www.eastvalleytribune.com/index.php?sty=59420.
---------------------------------------------------------------------------
    By monitoring phone and other records before a victim attempts to 
leave an abuser, the perpetrator may be able to anticipate her plans to 
flee. Once a victim has fled and is trying to establish a new life, a 
stalker can learn of her new location by illegally obtaining her 
records by pretexting or purchasing her records from an information 
broker who has used this method.
    The National Network to End Domestic Violence has received calls 
from countless victims and their advocates who have either been found 
by abusers who misuse records or who are terrified that their 
perpetrators will locate them through pretexting.