It's Time for Congress to Prohibit and Criminally Punish the Sale of our Cell Phone Records: "Pretexting" for Phone Numbers is a Serious Privacy Violation

By ANITA RAMASASTRY
Monday, Jan. 23, 2006

For around $100, an online "people locator" or "information broker" company can get you unauthorized access to almost anyone's cell phone records. All you need to provide to the company is a credit card, and the person's cell phone number.

Recently, a blogger claimed to have obtained the cell phone records of General Wesley Clark. The Chicago Police department also obtained cell phone records for its own officers. And, of course, the service is ripe for use and abuse by spouses who suspect their partners of infidelity, criminals who may want to track down law enforcement officials, or creditors chasing down a debtor who has skipped town.

This has been going on for some time. But is it illegal? At present, the answer is not clear. Federal law does make our call records private. And making false statements to procure cell phone records can, under some circumstances, constitute federal wire fraud. But federal law does not expressly make "pretexting" -- the practice of procuring these records for sale -- illegal. Thus, it's possible that, to stop these companies, further federal legislation is needed.

Fortunately, just this week, Senators have proposed legislation that would criminalize obtaining cell phone records without a customer's authorization or consent. The Federal Trade Commission (FTC) and the Federal Communications Commission (FCC) are also investigating the matter.

This practice needs to be stopped immediately, and companies or others who are selling such records need to be penalized if they continue to do so. Otherwise, these repeated, serious violations of privacy will only continue.

"Pretexting": How Companies Get Cell Phone Records Without User Authorization

How do the "people locator"/"information broker" companies procure the records they sell?

First, they look in commercial databases or public records to find out personal identifiers, such as a person's Social Security number, date of birth, or mother's maiden name. And with this information, they are able to impersonate the cell phone customer when they call the company - a practice nicknamed "pretexting."

News reports also indicate that our cell phone records end up in the public domain in a few other ways: Employees of cell phone companies - or of their overseas data processing facilities - may be illegally selling our records. In other cases, an information broker may activate a cell phone customer's previously unused online account features by figuring out how to log in and check a customer's phone records.

The Harm That Pretexting Causes: Privacy Violations and More

Anyone who has been the victim of pretexting has suffered a serious privacy violation. But some victims suffer other violations, as well - and are put directly in peril by pretexting.

A phone log that results from pretexting lists not only all calls made during a billing cycle, but also their dates, times, and duration. Some of these calls will reveal the victim's own location: A call to a mechanic or taxi service or temp agency, for instance, may reveal roughly where the victim lives. And knowing the cell phone user's location - when the person does not know they know - can be a tool for criminals such as stalkers or abusive spouses and ex-spouses. "Pretexting" can also help the criminal who's angry at a police officer, prosecutor, or judge carry out an assault or murder. It may even aid the potential assassin trying to target a political candidate.

In short, cell phones are lifelines for people in vulnerable situations - but with "pretexting," they can leave a trail a predator can follow.

And special situations may raise other, specific concerns. A reporter's confidential sources could easily be revealed - without a subpoena - by "pretexting" his cell phone records. So could a cell phone user's visits to an AIDS clinic. And even a corporate executive might find her calls monitored by a competitor who is trying to find out about the companies with which she does business.

A Possible Gap in the Law: The Need to Punish the "Brokers" Who Pretext

The only repository of telephone call records is the phone company - so one may argue that the phone company has been negligent in allowing "pretexting" to occur, and should have better systems for detecting employees illegally selling information, and preventing impersonators from getting user records. After all, so-called Customer Proprietary Network Information (CPNI) is private under federal telecommunications laws. And this means that phone companies (including cell phone carriers) have a duty to safeguard our phone records.

Still, even if the cell phone companies may at times be negligent, the "brokers" who are pretexting are the ones intentionally breaking the law. Yet so far, the government has not aggressively legislated, or used existing enforcement powers, to mount a campaign to find and punish these intentional wrongdoers.

The FTC has enforcement authority to police the marketplace against unfair and deceptive trade practices - and pretexting seems to be just such a practice. Yet the FTC has not yet engaged in widespread enforcement actions against information brokers.

Instead, the FTC has taken enforcement actions against certain information brokers who have posed as customers to gain access to bank records. And that is because federal law expressly prohibits pretexting for financial data -- which at one time was a primary means of stealing credit card and other account information -- but does not cover telephone records.

Legislation must make clear that pretexting to obtain cell phone records is just as nefarious as pretexting to obtain financial records. Toward this end, Congress needs to either give the FTC the power and resources to deal with these privacy violations, or else create a new agency with this focus and authority. The current situation is simply untenable.

The Proposed Legislative Solution: Senator Schumer's Bill

In an effort to combat this scenario, Senator Charles Schumer (D-NY) has introduced legislation that would close the existing loophole and criminalize phone record theft and use. The bill would make it a federal offense, punishable as a felony, to obtain customer information from a telephone company by false pretenses.

Specifically, it would be a federal offense to either make false or fraudulent statements or representations to an employee or customer of a telephone service provider; or to provide false documentation to a telephone service provider, knowing that the documentation is false. This would make pretexting to obtain cell phone records illegal.

Schumer also has called on the FTC to set up a special unit to investigate these crimes. The agency has never taken a case like this to court. Schumer's called-for special unit would study the breadth of the problem, and devise new measures to ensure that cell records do not get in the wrong hands.

The proposed legislation is a vital and important first step in cracking down on the unauthorized sale of our phone records. But what about the phone companies? Should they, too, do more? After all, going after the brokers is a bit like closing the barn door after the horse is already gone; it's the phone companies who are supposed to make sure that door is firmly barred.

Laudably, some phone companies are taking matters into their own hands. For instance, Verizon has recently initiated civil lawsuits against information brokers who obtained customer phone records through pretexting.

Customers need to ask their phone companies to take greater care in releasing customer records, and to use new security measures to prevent phone records from being accessed by third parties. Unless more care is taken, our private records will remain for sale to anyone willing to pay - even if the person paying is our worst enemy, or someone who means us harm.


Anita Ramasastry is an Associate Professor of Law at the University of Washington School of Law in Seattle and a Director of the Shidler Center for Law, Commerce & Technology. She has previously written on business law, cyberlaw, and other legal issues for this site, which contains an archive of her columns.
