RealTime IT News

The Murky World of Pretexting

The scandal enveloping HP's board is not a did-they-or-didn't-they caper.

HP admits it obtained the phone records of certain board members and nine journalists while investigating the source of boardroom leaks to the media.

The only real question is whether it was legal to obtain those phone records. "We believe a crime has been committed," said Tom Dresslar, spokesman for California Attorney General Bill Lockyer, whose office is investigating HP's involvement.

HP hired an outside firm to investigate the leaks. The outside firm then hired a third party to obtain the phone records. The third party admits to using "pretexting" to obtain the records. It's an old and usually illegal practice.

Pretexters con a company's service representatives into believing the caller is an account holder with the company. From there, it's easy to obtain a wealth of personal data on an individual.

Federal law prohibits pretexting for financial information, but it does not specifically ban the practice when it comes to phone records. Nor does federal law prohibit the selling of phone records over the Internet.

Under the Telecommunications Act of 1996, though, telephone carriers are obligated to protect the Customer Proprietary Network Information (CPNI) of consumers.

Last year, the privacy watchdog Electronic Privacy Information Center (EPIC) complained to the Federal Communications Commission (FCC) that confidential phone records are readily available for sale on the Internet.

The EPIC complaint spawned investigations by the FCC and the Federal Trade Commission, as well as a flurry of proposed legislation by Congress.

A simple Google search reveals that for as little as $100, personal telephone records, including call logs and locations of those receiving the calls, are for sale.

The telephone carriers claim the data brokers are getting their information through pretexting.

They're probably right.

At a June U.S. House hearing on pretexting spawned by the EPIC complaint, 11 data brokers took the Fifth Amendment rather than reveal how they obtain the telephone records for sale on their sites.

"Data brokers and private investigators are taking advantage of inadequate security through pretexting, the practice of pretending to have authority to access protected records," EPIC's FCC petition states.

The House investigation also revealed it isn't just data brokers and PIs like HP's man working the phone companies for dubiously legal purposes.

Some law enforcement officials, it turns out, "frequently" use data brokers to circumvent obtaining subpoenas and search warrants.

EPIC claims attorneys are the chief customers of data brokers.

"There is mounting evidence that attorneys are top consumers of pretexting services that acquire private records through impersonation, fraud or false pretenses," EPIC wrote in a letter to state bar associations.

"The records of whom we choose to call and how long we speak with them can reveal much about our business and personal lives," Rep. Lamar Smith (R-Tex.), a sponsor of one of the bills before the U.S. House, said at a March hearing.

"A careful study of these records may reveal details of our medical or financial life. It may even disclose our physical location. This is a serious concern for undercover police officers and victims of stalking or domestic violence."

Presaging the HP scandal, EPIC added in its FCC complaint, "Given the prevalence of phones, both wired and wireless, used for business purposes, these services could be (and most likely are being) used for industrial espionage and other illicit business activities."

Legislation banning pretexting for phone records and outlawing the sale of that information over the Internet has passed committees in both the House and the Senate. Full floor votes are pending before both chambers.