RealTime IT News

EPIC Battle Brewing Over Personal Phone Data

Telephone carriers are not adequately protecting the personal information of subscribers, increasing consumer vulnerability to identity theft, fraud and online stalkers.

According to the privacy watchdog Electronic Privacy Information Center (EPIC), carriers are often duped into providing customers' personal data, including the personal call logs of subscribers.

EPIC says the information is then bought and sold at more than 40 Websites.

"Data brokers and private investigators are taking advantage of inadequate security through pretexting, the practice of pretending to have authority to access protected records," an EPIC petition to the Federal Communications Commission (FCC) states.

EPIC also claims unscrupulous operators can crack consumers' online telephone accounts and suggests evidence exists of dishonest insiders at the carriers selling access to information.

In addition, EPIC claims, individual phone records are not the only ones at risk. The FCC petition calling for more stringent security by the carriers also says business telephone records and logs are also targets.

"Given the prevalence of phones, both wired and wireless, used for business purposes, these services could be (and most likely are being) used for industrial espionage and other illicit business activities," the petition states.

Under the Telecommunications Act of 1996, telephone carriers are obligated to protect the Consumer Proprietary Network Information (CPNI) of all customers. The CPNI is considered sensitive personal data since includes logs of calls that individuals or businesses initiate and receive on their phones.

The FCC, for its part, requires carriers to provide notice and disclosure to disseminate CPNI data to carrier affiliates and third parties for marketing efforts.

"However, these efforts did not adequately address third party data brokers and private investigators that have been accessing CPNI without authorization," EPIC claims.

To support its arguments, EPIC points to advertising widely dispersed over the Internet offering to obtain CPNI without the account holder's knowledge and consent. EPIC also claims "strong evidence" exists showing CPNI is acquired outside legal channels.

"This unauthorized release of information suggests that the security and identification requirements carriers use to validate the identity of the CPNI requestor is insufficient," EPIC claims.

EPIC wants the FCC to immediately initiate a rulemaking proceeding to establish a security standard that heightens the privacy of CPNI.

"Telecommunication carriers are not responsible for actively disseminating information to unauthorized third parties," EPIC stresses. "Rather, unauthorized third parties have been exploiting security standards at the carriers to access and sell the information acquired through illegal means."