Telephone carriers are not adequately protecting the personal information of subscribers, increasing consumer vulnerability to identity theft, fraud and online stalkers.
According to the privacy watchdog Electronic Privacy Information Center
(EPIC), carriers are often duped into providing customers’ personal data,
including the personal call logs of subscribers.
EPIC says the information is then bought and sold at more than 40 Websites.
“Data brokers and private investigators are taking advantage of inadequate
security through pretexting, the practice of pretending to have authority to
access protected records,” an EPIC petition to the Federal Communications
Commission (FCC) states.
EPIC also claims unscrupulous operators can crack consumers’ online
telephone accounts and suggests evidence exists of dishonest insiders at the
carriers selling access to information.
In addition, EPIC claims, individual phone records are not the only ones at
risk. The FCC petition calling for more stringent security by the carriers
also says business telephone records and logs are also targets.
“Given the prevalence of phones, both wired and wireless, used for business
purposes, these services could be (and most likely are being) used for
industrial espionage and other illicit business activities,” the petition
Under the Telecommunications Act of 1996, telephone carriers are obligated
to protect the Consumer Proprietary Network Information (CPNI) of all
customers. The CPNI is considered sensitive personal data since includes
logs of calls that individuals or businesses initiate and receive on their
The FCC, for its part, requires carriers to provide notice and disclosure to
disseminate CPNI data to carrier affiliates and third parties for marketing
“However, these efforts did not adequately address third party data brokers
and private investigators that have been accessing CPNI without
authorization,” EPIC claims.
To support its arguments, EPIC points to advertising widely dispersed over
the Internet offering to obtain CPNI without the account holder’s knowledge
and consent. EPIC also claims “strong evidence” exists showing CPNI is
acquired outside legal channels.
“This unauthorized release of information suggests that the security and
identification requirements carriers use to validate the identity of the
CPNI requestor is insufficient,” EPIC claims.
EPIC wants the FCC to immediately initiate a rulemaking proceeding to
establish a security standard that heightens the privacy of CPNI.
“Telecommunication carriers are not responsible for actively disseminating
information to unauthorized third parties,” EPIC stresses. “Rather,
unauthorized third parties have been exploiting security standards at the
carriers to access and sell the information acquired through illegal means.”