EPIC logo

Comments of the Electronic Privacy Information Center on

Consumer Protection in the Wireless Telecommunications Industry

Before the New York State Assembly Standing Committee on Consumer Affairs and Protection and the Standing Committee on Corporations, Authorities, and Commissions

Chancellor’s Hall
State Education Building
89 Washington Avenue
Albany, NY

Monday, March 13, 2006
11:00 a.m.

Dear Chairmen Pheffer and Brodsky,

The Electronic Privacy Information Center is a not-for-profit research center established to focus public attention on emerging civil liberties issues and to protect privacy, the First Amendment, and constitutional values.  We have played a leading role in emerging communications privacy issues, including the one considered by the Committees today, since our founding in 1994.

In our testimony today, I will summarize EPIC's efforts to bring public attention to the problems of pretexting, the practice where an individual impersonates another person, employs false pretenses, or otherwise uses trickery to obtain records.  We will then make the following recommendations for ending the practice: 

In investigating this issue, I encourage Members and Staffpersons to review the testimony in hearings held in the US Senate and House on this issue.[1]

EPIC's Efforts to Address Pretexting and Phone Record Sales

In July 2005, EPIC filed a complaint with the Federal Trade Commission concerning a website that offered phone records and the identities of P.O. Box owners for a fee through pretexting.  Pretexting is a practice where an individual impersonates another person, employs false pretenses, or otherwise uses trickery to obtain records.  

The owners of the California-based business operating the website responded to our complaint, claiming that they knew of no law that prohibited them from selling phone records!  Other pretexters have taken the same approach.  They have ignored general consumer protection norms and argued that no specific law prohibits pretexting.

EPIC supplemented the July filing in August with a list of 40 websites that offered to sell phone records to anyone online.  In light of the fact that so many companies were selling communication records online, EPIC also petitioned the Federal Communications Commission, urging the agency to require enhanced security precautions for phone companies’ customer records.[2]  Although telephone carriers unanimously opposed enhanced security requirements, proposing that lawsuits against pretexters would solve the problem, the FCC unanimously granted the petition and is seeking comments on enhanced security standards for phone records.

Most recently, EPIC wrote to the American Bar Association and 50 states' bar ethics committees to explain that attorneys are hiring investigators and online data brokers to pretext.  EPIC argued that it is unethical for attorneys to employ these practices, and urged the state authorities to advise attorneys not to buy pretexting services.

We continue to believe that legislative action is needed at the federal and state level to protect this information.  Phone records can be used by individuals to stalk and harass other people.  They can be used for corporate espionage purposes.  While some claim that pretexting is a legitimate research tool, that argument is mere sophistry.  Those who have a legitimate need for phone records can obtain a court order in order to access the information.  Pretexting is simply an end-run around existing legal access provisions for people who probably do not have a legitimate reason to obtain calling data.

An archive of EPIC's efforts is available online at http://epic.org/privacy/iei/

New York should prohibit all pretexting (not just pretexting to telephone companies) by classifying the practice as an identity theft crime.

Many Types of Records Are Vulnerable to Pretexting

The pretexting debate has surrounded wireless phone records.  But the problem is much broader.  Pretexting is used against many different companies in order to obtain personal information from companies. 

Alongside many advertisements for cell phone records, wireline records and the records associated with calling cards are advertised.  As individuals shift to VOIP (Internet telephony) telephones, it is safe to assume that those records will be offered for sale as well.

Pretexters also target Post Offices in order to learn who uses Postal Boxes and Private Mail Boxes, they target users of automobile navigation systems (such as GM's OnStar service) in order to locate individuals' cars, they pretext utilities companies to locate people, they target employers to learn facts about employees, and they even target family members to locate subjects of investigation.  Some websites, such as Abika.com, advertise their ability to obtain the real identities of people who participate in online dating websites.  A page on Abika.com advertises the company's ability to perform "Reverse Search AOL ScreenName" services, a search that finds the "Name of person associated with the AOL ScreenName" and the "option for address and phone number associated with the AOL ScreenName." [3]  The same page offers name, address, and phone number information for individuals on Match.com, Kiss.com, Lavalife, and Friendfinder.com.  These are all dating websites that offer individuals the opportunity to meet others without immediately revealing who they are. 

The availability of these services presents serious risks to victims of domestic violence and stalking.  There is no reason why one should be able to obtain these records through pretexting, or outside of existing legal process. 

We urge New York lawmakers to broadly prohibit pretexting.  A sectoral approach, where just phone records are protected, does not fully address the problem of pretexting.  Furthermore, if just phone records are covered, pretexters will simply move on to other targets.  In fact, phone records are the current target because Congress took a sectoral approach in 1999, and banned pretexting only to financial institutions. 

We urge New York lawmakers to adopt the approach currently being pursued by Illinois lawmakers.  Illinois SB 2554 (which has passed the State's Senate and is supported by the Governor) prohibits the use of impersonation or trickery for the purpose of gaining access to any personal information of another person.[4] 

The proposed legislation would classify pretexting as an identity theft crime, which we believe to be an appropriate approach.  Pretexting formally meets the definition of identity theft adopted by the Federal Trade Commission: "a fraud committed or attempted using the identifying information of another person without authority."  The difference here is that identity theft is usually committed in order to obtain some product, service, or financial gain.  Pretexting is identity theft committed for obtaining personal information.

No Exclusion Should Be Made to the Pretexting Ban

We recognize the need for law enforcement to gain access to communications records, and that is why there are existing, routine procedures under the law for such access, such as warrants and subpoena powers.  Since such procedures for law enforcement access exist, there is no need for law enforcement to engage in the fraud that bans on pretexting are trying to prevent.

Similarly, an exception for private investigators is inappropriate.  If an investigator has a legitimate need for a communications or other record, she can obtain a subpoena.  There is no need to create an exception to allow private investigators to engage in this fraud.

A Pretexting Ban Is Necessary to Supplement Carrier Enforcement Actions

Telephone carriers have brought lawsuits against pretexters in order to legally shield their systems and customer records from the practice.  While we support these enforcement efforts, we do not believe they will adequately secure phone records for two reasons:

First, there is mounting evidence that pretexters will simply rename their products or start offering them "underground."  In an email responding to EPIC's initial complaint, the Editor of PI Magazine wrote to readers:

[…]

I recommend that you read my interview with the FTC and the specific comments about telephone records at www.pimagazine.com/ftc_article.htm  The FTC wasn't too concerned about telephone information, but if PI's are going to blatantly advertise tolls directly to the public as a commodity, the FTC will get involved and we are going to lose that commodity and our ability to solve many cases because of it.

PI's need to STOP promoting the selling toll records directly to the public as a commodity. Rather, use it as an investigative tool used in the course of your investigation to lead you to a missing person or to the lead you need to solve the case. I also suggest that PI's promote such services as "telephone research" as compared to coming right out and mentioning tolls, non-pubs, etc.

Indeed, since we filed the original complaint, many websites have removed their advertisements for phone records.  We believe that these services are still operating by selling data to callers seeking the service or to people who contact the companies through email.  By going underground, it is unlikely that carriers will identify and bring suits against wrongdoers.

Second, when a carrier brings an enforcement action and obtains an injunction, the injunction only applies to that carrier.  As a result, some companies that have been sued simply stop selling records pertaining to a single carrier.  In the case illustrated below, Datatrace USA, a company that has been sued by Cingular, still offers records of Verizon, Sprint, Nextel, T-Mobile, US Cellular, and MetroPCS.

[5]

Because enforcement actions are carrier-specific, they alone cannot solve the problem of our phone records being subject to pretexting.  We therefore believe that pretexting these records should be prohibited explicitly so that all carriers are covered by specific legislation.

Conclusion

Thank you for holding this hearing to address communications privacy.  We continue to believe that there is no legitimate use for pretexting, and that states should act to broadly ban the practice.

Please feel free to call upon EPIC if we can provide any further assistance.

Respectfully Submitted,

/s

Chris Jay Hoofnagle
Senior Counsel
Electronic Privacy Information Center
West Coast Office
944 Market St. #709
San Francisco, CA 94102
415-981-6400



[1] Protecting Consumers’ Phone Records, Hearing Before the US Senate Consumer Affairs, Product Safety, and Insurance Hearing, Wed, Feb. 8 2006, available online at http://commerce.senate.gov/hearings/witnesslist.cfm?id=1742; Phone Records For Sale: Why Aren't Phone Records Safe From Pretexting?, Hearing Before the US House Committee on Energy and Commerce, Feb. 1, 2006, available online at http://energycommerce.house.gov/108/Hearings/02012006hearing1763/hearing.htm

[2] Petition of EPIC for Enhanced Security and Authentication Standards, In re Implementation of the Telecommunications Act of 1996, CC Docket No. 96-115, available at http://www.epic.org/privacy/iei/cpnipet.html.

[3] See http://www.abika.com/Reports/tracepeople.htm#Search%20Address/Phone%20Number%20associated%20with%20email%20Address%20or%20Instant%20Messenger%20Name.

[4] Available online at http://www.ilga.gov/legislation/BillStatus.asp?GAID=8&GA=94&DocNum=2554&DocTypeID=SB&SessionID=50&LegID=23442&SpecSess=&Session=

[5] This screenshot of http://datatraceusa.com/products.asp was taken March 6, 2006.


EPIC Privacy Page | EPIC Home Page

Last Updated: March 13, 2006
Page URL: http://www.epic.org/privacy/iei/nycom31306.html