Friday's hearing focused on the practice more generally, although several members of the panel mentioned the previous day's hearing, which focused exclusively on HP.
Though nearly every member of a congressional panel investigating Hewlett Packard's role in a pretexting scandal said it is illegal for people to deceive in order to obtain phone records, Congress is considering legislation to make that more clear.
The U.S. House Energy and Commerce Subcommittee on Oversight and Investigation held a hearing Friday that continued to explore pretexting a day after current and former HP leaders testified about the company's role in the practice. HP tried to distance itself from the practice of its investigators, but employees testified under oath that they did not believe the investigators were obtaining people's personal records legally.
Friday's hearing focused on the practice more generally although several members of the panel mentioned the previous day's hearing, which focused exclusively on HP.
Joel Winston, an associate director for the privacy and identity protection division of the Federal Trade Commission requested increased penalties for pretexting. He also requested that law enforcement authorities be allowed to use the practice, though it is unclear why, since law enforcement authorities can subpoena the records if they can show cause.
Federal Communications Commission' enforcement leader Kris Monteith told the panel that the F.C.C. has served about 30 subpoenas on data brokers, charging that they obtain and sell phone records illegally.
Veteran columnist Christopher Byron, a Yale College and Columbia University School of Law graduate, testified about his experience with pretexting in 2002. After Byron wrote a critical piece about a technology company, a phone company representative called his wife to follow up on an earlier call from Byron, who the representative claimed had complained about not getting a phone bill. Byron had not called and later discovered that he had been pretexted.
"To discover that someone has spent weeks trying to obtain access to you and your family's most personal and private records, and finally succeeded at it, is like learning that a Peeping Tom has been spending weeks on end hovering at night outside your bedroom window, watching and videotaping everything that goes on inside" he testified. "And it doesn't end there. When a pretexter goes unpunished, his victims can easily enough start to worry about things that never before concerned them -- things they can ultimately do nothing about except worry even more, until all of life becomes a parade of imagined catastrophes. Is someone reading my mail? Is there a tap on my phone line? A bug in my bedroom?"
Byron said the effects touched his wife and three children and lingered for years.
"Our lives have been convulsed in ways that set our nerves on edge even now, whenever the phone rings unexpectedly or at an odd hour in my home office," he said.
Representatives from Verizon, Cingular and Sprint said that their companies are fighting the practice. In fact, two of the companies filed lawsuits this week against investigators who they allege illegally obtained records as part of HP's quest to identify the source of media leaks. The man identified, former board member George Keyworth denies ever giving reporters confidential or damaging information.
The phone companies cautioned lawmakers not to impose restrictions that would hamper their ability to provide legitimate customers with their own call details. As it stands, most companies request a name, phone number and a social security number in an attempt to confirm the person requesting the records has authorized access to the account. Investigators commonly have access to the personal information and use it to obtain account records.
Members of the committee said that the House could vote soon on a bill that would require phone companies to increase protections and impose harsher penalties on data brokers. The bill, which passed the committee in March but never made it for a full vote on the floor, would allow phone companies and their contractors or partners to be fined up to $300,000 for each time they released records to an unauthorized party.
During Thursday's hearing, several panelists mentioned that efforts to clarify the issue had stalled and questioned HP leaders about whether they had any idea which lobbying firms may have pushed for a hold on the bill. One exchange resulted in an assurance from HP CEO, President and Chairman Mark Hurd vowing to support congressional efforts to pass what lawmakers are referring to as "bright line legislation," which would eliminate apparent confusion about the legality or illegality of the practice.
Current telecommunications and wire fraud laws cover the practice, according to congressional representatives who introduced those laws, but lawyers defending clients accused of pretexting claim that the laws are unclear. The issue has yet to be worked out in the courts.
How Enterprises Are Attacking the IT Security EnterpriseTo learn more about what organizations are doing to tackle attacks and threats we surveyed a group of 300 IT and infosec professionals to find out what their biggest IT security challenges are and what they're doing to defend against today's threats. Download the report to see what they're saying.
Infographic: The State of DevOps in 2017Is DevOps helping organizations reduce costs and time-to-market for software releases? What's getting in the way of DevOps adoption? Find out in this InformationWeek and Interop ITX infographic on the state of DevOps in 2017.
Digital Transformation Myths & TruthsTransformation is on every IT organization's to-do list, but effectively transforming IT means a major shift in technology as well as business models and culture. In this IT Trend Report, we examine some of the misconceptions of digital transformation and look at steps you can take to succeed technically and culturally.