Focusing public attention on emerging privacy and civil liberties issues

Illegal Sale of Phone Records

Top News

  • Deadline Approaches for End of NSA's Telephone Record Collection Program: March 28 marks the deadline set by President Obama to end the NSA's bulk collection of American's telephone records. Last week, Attorney General Eric Holder confirmed that the Justice Department is ready to meet the deadline that the President has set. After extensive meetings with leaders of the Intelligence Community, both the President's Review Group and the Privacy and Civil Liberties Oversight Board found the program was ineffective and likely exceeded current legal authority. Senator Leahy, who held extensive public hearings, has stated "This program is not effective. It has to end." EPIC, supported by dozens of legal scholars and former members of the Church Committee, petitioned the US Supreme Court in July 2013 to end the "215" program. For more information, see In re EPIC and EPIC: NSA Verizon Phone Record Monitoring. (Mar. 24, 2014)
  • New Limits on NSA Telephone Record Program Established, Authority Expires March 28: The Foreign Intelligence Surveillance Court has granted the government’s motion to limit access by the NSA to the bulk telephone records provided by US telephone companies. Under the new rules, the government cannot "query" the telephone metadata until after the court finds that there is a "reasonable, articulable suspicion that the selection term is associated with" a terrorist organization. The new rules also limit query results to telephone numbers within "two hops" of the selector. President Obama announced the new legal requirement during his recent speech on surveillance reform, when he committed to end the NSA’s bulk record collection program. The NSA's authority to force US telephone companies to turn over records on all their customers will expire on March 28th. The President has recommended that the Intelligence Community and the Attorney General propose an alternative to the bulk collection program prior to that deadline. For more information, see EPIC: FISC and EPIC: NSA Verizon Phone Record Monitoring. (Feb. 7, 2014)
  • Oversight Board Calls for End of NSA Telephone Records Program: Today the Privacy and Civil Liberties Oversight Board called for the end of the section 215 program that allows the NSA to collect the telephone records of all Americans. In a comprehensive report, the Oversight Board unanimously found that "the NSA's Section 215 program has not proven useful in identifying unknown terrorists or terrorist plots" and that "telephone calling records, when collected in bulk and subjected to powerful analytic tools, can reveal highly sensitive personal information." A majority of the board also concluded that Section 215 did not permit the routine collection of all telephone records on all Americans. The report set out 12 recommendations discussing additional privacy safeguards, greater transparency, and improvements to the Foreign Intelligence Surveillance Court. The members of the Oversight Board unanimously supported almost all of the recommendations. EPIC urged the Board last year at a public workshop to (1) find that section 215 does not permit the collection of all telephone records by the NSA; (2) improve reporting of FISA activities; (3) establish new safeguards for transparency and accountability; and (4) reconsider the Constitutional basis of metadata collection in light of the scope of the government's activities and recent Supreme Court opinions. EPIC had earlier petitioned the Supreme Court to find the 215 program unlawful. Former members of the Church Committee and dozens of legal scholars supported the EPIC petition. For more information, see EPIC: In re EPIC - NSA Telephone Record Surveillance. (Jan. 23, 2014)
  • Expert Panel Calls for End of NSA Bulk Data Collection: The President's Review Group on Intelligence and Communications Technologies has concluded that the NSA’s collection of bulk telephone records should end. In a sweeping report "Liberty and Security in a Changing World," the review panel set out 46 recommendations, which would limit NSA surveillance, expand judicial oversight, create new transparency requirements, update federal privacy laws, and create a new privacy agency. Other recommendations include the application of the Privacy Act of 1974 to both U.S. and non-U.S. persons, support for strong encryption techniques, and the cessation of U.S. practice of stockpiling software vulnerabilities known as "zero day" exploits. Earlier this year, EPIC met with the review group and submitted extensive comments to the panel, specifically urging the end of the bulk record collection program. EPIC had earlier petitioned the Supreme Court to find the program unlawful. For more information, see EPIC: In re EPIC - NSA Telephone Record Surveillance. (Dec. 19, 2013)
  • Appeals Court Upholds Non-Harmful Phone Spoofing: A federal appeals court has ruled that a state law prohibiting all caller ID spoofing is preempted by the federal Truth in Caller ID Act of 2009. Under the federal law, it is only unlawful to transmit misleading caller information with the intent to defraud or cause harm. EPIC urged the Senate in 2007 and House of Representatives in 2006 and 2007 to establish this intent requirement to protect the use of Privacy Enhancing Technologies, which limit the disclosure of actual identity. The appeals court's ruling upholds this important privacy protection. For more information, see EPIC: Illegal Sale of Phone Records and EPIC: Comments to FCC on TCIA Rules. (Dec. 14, 2012)
  • Senator Leahy Presses Justice Department on Telephone Privacy. Senator Patrick Leahy has asked the Department of Justice to provide information about investigations and prosecutions under the federal law that prohibits viewing confidential phone records information, following reports that Verizon employees improperly accessed President-elect Obama's cell phone records. The employees were dismissed but no criminal investigation was pursued. In 2007, EPIC testified before Congress on fraudulent access to phone records and urged Congress to establish stronger safeguards. For more information, see EPIC's illegal sale of phone records page. (Nov. 25)
  • New Privacy Safeguards for Telephone Customers. In response to a petition filed by EPIC, the Federal Communications Commission issued rules (pdf) to protect the privacy of consumers' telephone records. The new safeguards prohibit unauthorized access to phone records, require passwords for customer accounts, require notice of any changes to account information, and establish opt-in consent before disclosing customer information. The FCC also announced a new rulemaking to consider such issues as audit trails, data retention, and safeguards for information stored in cell phones. (Apr. 3, 2007)
  • EPIC Testifies in Congress on Combating Pretexting. In testimony (pdf) before the House Energy and Commerce Committee, EPIC Executive Director Marc Rotenberg expressed support for H.R. 936, the Prevention of Fraudulent Access to Phone Records Act. The Act would increase privacy protections for phone records. In August 2005, EPIC petitioned the FCC to establish stronger security standaard for telephone records. The FCC endorsed (pdf) EPIC's petition in February 2006, but more than a year later, there are still no clear standards for telephone record privacy. (Mar. 9, 2007)
  • Coalition Comments on Phone Records Security. In comments to the Federal Communications Commission, EPIC and seven consumer rights groups urged the agency to heighten standards for protecting phone records. The groups recommended a series of protection to deter unauthorized access to records, including auditing, notice to the individual when records are acquired, and greater controls over commercial use of phone records. (Apr. 28)
  • EPIC: NY Should Ban Pretexting. In comments to two Committees of the New York Assembly, EPIC advised lawmakers to broadly prohibit pretexting in order to protect individuals' privacy. EPIC warned that a narrow, phone-records only ban on pretexting would invite using the practice against holders of other records, such as email providers and dating services. (Mar. 13, 2006)
  • EPIC Testifies in CA Assembly on Pretexting. In testimony before the California State Assembly Committee on Public Safety, EPIC discussed the need for a ban on pretexting. California Senate Bill 202, currently under consideration by the Committee, would broadly prohibit buying and selling phone records, and establish criminal and civil penalties for violating privacy. (Mar. 7, 2006)
  • Senate and House Committees Push laws to Protect Phone Records. The Senate and House Judiciary Committees both approved bills that would prohibit the unauthorized sale of call detail information and ban the pretexting of phone records. The House's Law Enforcement and Phone Privacy Protection Act of 2006 and the Senate's the Consumer Telephone Records Protection Act of 2006 both received unanimous support. Several other bills protecting phone records are moving forward in both the House and Senate. EPIC testified before both the House(pdf) and Senate, advocating for broader bans on pretexting and stronger regulations to pretect phone records. (Mar. 2, 2006)
  • EPIC to Attorneys: Pretexting is Unethical. In a letter sent to state ethical and professional responsibility boards, EPIC warned that there is mounting evidence that attorneys are major purchases of "pretexting" services. Pretexting is the practice of using false pretenses to trick a company into releasing personal information. EPIC urged state boards to evaluate pretexting under ethics rules, and to issue opinions to attorneys advising them not to pretext or hire investigators who use pretexting to obtain information. (Feb. 21, 2006)
  • FCC Initiates Phone Records Security Rulemaking. The Federal Communications Commission has approved (pdf) EPIC's petition calling upon the agency to create heightened security protections for telephone calling records. FCC Chairman Martin said, "I support this Notice because I am deeply concerned about reports of companies trafficking in personal telephone records?" You can comment on the proceeding by clicking here. Remember, anything you write will appear in the public record. (Feb. 10, 2006)
  • EPIC Testifies in Senate on Phone Records. In testimony (also available in pdf) before the Senate Commerce Committee, EPIC Executive Director Marc Rotenberg called for a ban on the sale of communications records, as well as a ban on "pretexting," the practice of using false pretenses to trick a company into releasing personal information. EPIC noted that in addition to phone records, the records of PO Box owners and dating service users are susceptible to unauthorized disclosure and pretexting. Rotenberg also called for limitations on the information collected and stored by communications companies, and stronger security measures for stored information. (Feb. 8, 2006)
  • EPIC Testifies on Pretexting and Phone Record Sales. EPIC Executive Director Marc Rotenberg testified (pdf) before the House Energy and Commerce Committee on the sale of personal phone records. EPIC called for laws that would ban pretexting (a technique used by data brokers to obtain personal information), as well as enhanced security procedures, and restrictions on the collection of customer data. "A ban on pretexting will protect consumers and make it clear to online information brokers that pretexting is unfair, deceptive, illegal, and wrong," said Rotenberg. FCC Chairman Kevin Martin and FTC Commissioner John Liebowitz also testified at the hearing, and urged stronger safeguards for phone records. (Feb. 1, 2006)

Introduction

Online data brokers and other companies openly advertise on the Internet that they can obtain others' phone records. For about $100, these companies will obtain all the calls made and initiated from a wireless phone, or toll calls from wireline phones. This is a dangerous and illegal practice. This information can be used by jealous spouses, stalkers, business competitors, political opponents, and others to learn about others' whereabouts and conversations. These companies sometimes offer other personal information, including medical records, banking records, and Social Security numbers.

This information is being obtained in one of three ways:

  • In pretexting, one pretends to be the account holder, and gains access to the records by fooling a customer service representative. This is the most prevalent method of gaining access, because these companies have subscriptions to "commercial data broker" services that allow them to obtain account holders' Social Security numbers, mother's maiden names, and dates of birth.
  • Second, some access phone records by cracking online account administration tools. Almost all phone carriers now give their customers the ability to view and pay their bill online. If this service has not been activated by the customer, the company can attempt to activate it and read the bill.
  • Last, there is always the risk that the company has an "insider" at the carrier who obtains information and sells it.

What EPIC is Doing to Protect Your Phone Records

In July 2005, EPIC urged the Federal Trade Commission to investigate the companies that offer to sell phone calling records. The complaint is being considered by the FTC.

In August 2005, EPIC petitioned the Federal Communications Commission to establish greater protections for phone records. EPIC pointed out that at least 40 websites offered to sell phone records. The phone carriers have responded to our petition, and have asked to the FCC to ignore our calls for greater protections. The carriers believe that enforcement actions against the data brokers are enough to stop these practices, and think that their security standards, which are easily circumvented, are sufficient

What You Can Do

  • Is your account in your name? Remember that if someone else is paying for your phone, or gets the bill, that person may be able to view your phone records. It's best for you to start your own service in your own name. It is the case that the people most interested in seeing your phone records are people close to you--jealous spouses/significant others, employers, and if you are a kid, your parents!
  • Put a password on your account. All carriers will allow you to place a password on your account to help stop others from accessing your records. Use a password that you are apt to remember, but others are not likely to know. The name of your first pet, a street you lived on, or the name of your grade school will suffice. Do not use your date of birth, mother's maiden name, or Social Security number.
  • Did you know that phone companies sell your records, including the numbers that you have dialed, to marketers? You can opt out of this information sale by telling your phone company that you want to "restrict" or "opt out" from all CPNI sharing.
  • File comments with the FCC in support of greater privacy standards for your telephone data. Our petition urges the FCC to require carriers to do a better job in protecting records. You can support the cause by writing to the FCC in support of EPIC's petition and the protections you think should be in place for phone records. Just click here and put ensure "96-115" appears in the proceeding box. Remember, anything you write appears in the public record.

Previous Top News

  • Company Halts Phone Records Sales. In a press release, the company first identified by EPIC as selling phone records illegally claims to have discontinued the service because it "concluded that continuing to provide the service would link it to disreputable companies who do not use any safeguards to protect against the potential dangers of this service." The company also posted a guide (pdf) to protect your records against pretexting. The company still offers "Post Office Breaks," and other personal information sales. (Jan. 18, 2006)
  • FCC Commissioners Call for Action on Phone Records. Federal Communications Commission Commissioners Adelstein and Copps released statements today calling for swift action to address the illegal sale of telephone records. Commissioner Adelstein announced (pdf) that they agency's enforcement bureau launched an investigation into "these troublesome data brokering practices, and I support swift action against carriers that have not complied with our existing rules and procedures." Commissioner Copps announced (pdf) that, "These incidents further highlight the need to act on the petition filed by the Electronic Privacy Information Center (EPIC) on enhanced security standards for access to consumer records." (Jan. 17, 2006)
  • Senate Minority Leader Calls on FCC to Investigate Illegal Phone Sales. In a letter (200k pdf) to the Federal Communications Commission, Senator Harry Reid has called upon the agency to "begin an investigation into how online data brokers are obtaining Americans' private phone records, and whether phone companies are doing enough to protect the personal and private information with which they are entrusted." This letter follows numerous news reports that demonstrate the vulnerability of phone records to online data brokers, who for a fee will obtain calling logs. In July 2005, EPIC filed a complaint with the Federal Trade Commission detailing these practices, and identified 40 websites (3.8M pdf) that offered to sell phone records. EPIC also petitioned the Federal Communications Commission to require heightened protections for telephone records. (Jan. 13, 2006)
  • Illegal Phone Records Sales Poses Security Risks. The Chicago Police Department has warned officers that private investigators may access and sell their telephone calling records, according to the Chicago Sun-Times. EPIC has filed a complaint with the Federal Trade Commission concerning these practices, and a petition with the Federal Communications Commission to require phone companies to enhance their security safeguards. To protect your privacy, ensure that your phone account is in your name, and call your phone company to place a password on your account. (Jan. 5, 2006)
  • Privacy Commissioner: "Drastic Action" Needed to Protect Phone Records. Canadian Privacy Commissioner Jennifer Stoddart has called for "drastic action" to address the problem of the security of phone records, after a reporter obtained both her personal and professional phone logs through a US-based data broker. EPIC identified 40 online data brokers that sell phone records, and has filed complaints at federal agencies to rein in these companies. To protect your records, call your phone companies to place a password on your account, and opt out of the sharing or sale of "CPNI." (Nov. 16, 2005)
  • Phone Records Need Greater Protection. In reply comments (also available in PDF) to the Federal Communications Commission, EPIC argued that the agency needs to intervene to protect individuals' phone records from online data brokers. The reply comments respond to telephone carriers' arguments that no new security measures are needed, despite the demonstrated ease with which online data brokers can access phone records. CTIA has responded (PDF) to EPIC's reply comments. (Nov. 9, 2005)
  • Industry Responds to EPIC's Phone Records Petition. A number of phone carriers have urged the Federal Communications Commission to take enforcement actions against companies that sell phone records. But they oppose any regulatory intervention that would require heightened security standards. So far, Bellsouth (PDF), Verizon (PDF), Verizon Wireless (PDF), SBC (PDF) and the CTIA (PDF) have argued in favor of enforcement actions but against heightened security standards. Verisign filed comments (PDF) that included a directory interoperability standard adopted by the ITU that could increase security of phone records. Verizon Wireless is bringing suit (PDF) against companies that sell phone records. (Nov. 3, 2005)
  • EPIC Petitions FCC to Protect Customers' Info. EPIC has petitioned the Federal Communications Commission to initiate a rulemaking to enhance security safeguards for individuals' calling records. The petition follows a complaint concerning the illegal sale of personal information obtained from telephone carriers, and an updated filing where EPIC identified 40 websites that openly offer to obtain calling records without the knowledge and consent of the account holder. (Aug. 30, 2005)
  • EPIC Urges FTC to Investigate Online Data Brokers. In a complaint to the Federal Trade Commission, EPIC urged the agency to investigate online data brokers, companies that promise to sell phone calling records, the identities of people who own private mail boxes, and the identities associated with AOL Screen names, Match.com profiles, and Lavalife profiles. The complaint argues that this information cannot be obtained without violating federal law or regulations. Both the Washington Post and Wall Street Journal have reported on the filing. (Jul. 8, 2005)