RealTime IT News

IM, E-Mail Identities Hot on The Net

WASHINGTON -- Online data brokers are selling far more than personal telephone records, including the actual names, addresses and phone numbers of instant messaging users and those registered with dating sites, such as Match.com.

Marc Rotenberg, executive director of the Electronic Privacy Information Center (EPIC), told a Senate panel investigating the sale of online phone data Wednesday that "many other types of private records are being bought and sold in the public marketplace."

EPIC ignited a series of federal investigations and a spate of proposed legislation last summer when it revealed more than 40 Web sites that sell the personal phone records of consumers to anyone.

"The problem of record sales is not limited to the many methods of voice communication that we can use," Rotenberg said. "Sites commonly advertise the ability to obtain the home addresses of those using P.O. boxes. Some sites ... advertise their ability to obtain the real identities of people who participate in online dating Web sites."

One site, Rotenberg said, even advertises the ability to perform "Reverse Search AOL ScreenName" services that find the name associated with the IM user.

Optionally, for another fee, the site offers the physical address and phone number of the user.

Congress wants to know how the data brokers are obtaining the data from telephone companies, primarily cellular carriers, why selling the data isn't illegal and what the Federal Trade Commission (FTC) and the Federal Communications Commission (FCC) are doing about it.

The telephone carriers say their systems are secure and they are being scammed out of their customers' personal call information by a con known as pretexting, the art of obtaining information under false pretenses.

Once pretexters have obtained some morsel of personally identifying information about an individual, customer service reps become easy prey since they rarely require more than a few easily obtained bits of information to verify the caller as an account holder.

"There is no reason why one should be able to obtain these records through pretexting," Rotenberg said, contending the telephone companies have inadequate controls in place to properly protect consumer data.

The end results of all this lax security -- either through pretexting or inside jobs -- can be dangerous.

"The availability of these services presents serious risks to victims of domestic violence and stalking," Rotenberg said.

Robert Douglas, CEO of PrivacyToday.com, urged the lawmakers to move their investigation and probable legislation beyond the scope of just personal telephone records for sale.

"In each case I've worked involving Web-based illicit information providers, when we have been able to review the files of the company, there have been indications of identity thieves and other criminals - including stalkers - using those companies to buy information about Americans," he said.

Cindy Southworth of the National Network to End Domestic Violence testified that several battered women have ultimately suffered violent deaths after their former husbands or ex-boyfriends obtained personal information bought through data brokers.

"Phone records are a particularly rich source of information for the determined stalker," Southworth said. "Through pretexting, a stalker can access records that include who was called, when the call was made, how long the call took and the location of the calls. By illegally obtaining this information, a stalker can locate his victim without his victim even knowing that she is being tracked."

Pretexting is not new. The Graham-Leach-Biley Act (GLBA) forbids the practice in the context of obtaining personal financial information. The GLBA does not specifically prohibit pretexting in the search for telephone records or other electronic communications such as instant messaging and e-mail.

The FTC is charged with enforcing the anti-pretexting provisions of the GLBA.

"Although pretexting for consumer telephone records is not prohibited by the GLBA, the [FTC] may bring a law enforcement action against a pretexter of telephone records for deceptive or unfair practices," Lydia Parnes, director of the FTC's Bureau of Consumer Protection, told the Senate panel.

But it hasn't, despite complaints by organizations like EPIC.

"It was troubling to learn that unscrupulous data brokers have made a business of selling consumers' personal phone records," Sen. Daniel Inouye of Hawaii said. "Equally disturbing is the fact that the FTC received numerous complaints about these egregious practices and refused to act on them."

Parnes said the FTC may soon bring its first action against telephone pretexting.

"Commission staff surfed the Internet for companies that offer to sell consumers' phone records," she said. "FTC staff then identified appropriate targets for investigation and completed undercover purchases of phone records.

Parnes said FTC attorneys are evaluating the evidence to determine if law enforcement action is needed.

Congress may not wait on the FTC to decide.

"I wanted to take action as soon as I heard that unscrupulous marketers were obtaining and selling confidential, personal phone billing records," Sen. George Allen (R-Va.), who chaired Wednesday's hearing, said. "This fraudulent and criminal activity must be prosecuted and stopped to protect innocent people."