Private Phone Records Sold Online, Privacy Group Complains
The Electronic Privacy Information Center wants telecommunications carriers to do more to prevent customer information from being sold online.
The Electronic Privacy Information Center (Epic), an online privacy advocacy group, on Tuesday petitioned the Federal Communications Commission to require that telecommunications carriers establish better policies and procedures to prevent customer billing records from being sold illegally online.
The group's request that the FCC establish stronger security standards governing the release of consumer proprietary network information follows a July 7 complaint against the illegal sale of consumer information by Intelligent e-Commerce Inc.
Intelligent e-Commerce operates BestPeopleSearch.com, a Web site that advertises the sale of telephone records along with other sensitive personal information. Epic charges that the company is violating the FTC Act, the Telecommunications Act of 1996, and U.S. Postal Regulations.
In an update, filed Tuesday, to the July 7 complaint, Epic identifies an additional 40 Web sites engaged in selling telephone records.
The Telecommunications Act forbids telecom companies from using or disclosing consumer proprietary network information without customer approval, unless required by law or permitted by certain exceptions. The data "is protected by statute and regulation," Chris Jay Hoofnagle, Epic's West Coast director, said in a telephone interview. "The problem is, in implementing the regulations, the main concern was marketing use. And the regulations do not adequately address other uses, such as a private investigator calling up and getting the data."
And that's what Epic contends is happening. Just as ChoicePoint Inc. was conned into revealing data to criminals, telephone companies are being duped by social-engineering attacks. "Private investigators are calling up and saying, 'I am the account holder and I didn't get my bill. Can you send me another copy of it?'" Hoofnagle explains. "Then out of the fax machine comes the data, and they provide it to the buyer."
If that's the case, telecom companies aren't admitting it. But they insist they're eager to protect customer privacy.
"Our customers' privacy is very important to us," SBC Communications Inc. said in a statement. "We carefully protect the confidentiality of each customer's account and calling information. SBC's Code of Business Conduct prohibits employees from disclosing customer records or customer communications to unauthorized persons."
Asked whether Verizon Communications had encountered these social-engineering attacks, a company spokesman said, "We share our customers' concerns about the protection of data and continually take industry-leading steps in this area. We also continually look at ways to enhance the protection of such data." The company said in a statement that it would file comments about specific steps outlined in the Epic petition when the FCC issues a Notice of Proposed Rulemaking.
Hoofnagle believes the FCC has to do something. "This data can be used to track people, to figure out their associations," he said, "and it's a matter of time before the data is sold to a stalker who harms someone."
That's happened in three well-known cases. Actresses Theresa Saldana and Rebecca Schaeffer were attacked in California by stalkers in 1982 and 1989, respectively. Saldana survived, but Schaeffer was killed. In both cases, the stalkers used information obtained by private investigators. In 1999, Amy Lynn Boyer was killed in New Hampshire by a stalker who found her with the aid of a private investigator.
The domain registrant behind BestPeopleSearch could not be immediately reached for comment because that person has chosen to conceal his or her contact information through a third-party privacy service.
Reached by phone, a customer-service representative at BestPeopleSearch said that Chuck, her boss and the person who could explain how the company obtained its phone billing records, would not be available Tuesday but would call Wednesday. Dutifully protecting his privacy, she declined to provide his last name.