IM, E-Mail Identities Hot on The Net


WASHINGTON — Online data brokers are selling far more than personal
telephone records. Their wares include the actual names, addresses and phone
numbers of instant messaging users and those registered with dating sites,
such as Match.com.


Marc Rotenberg, executive director of the Electronic Privacy Information
Center (EPIC), told a Senate panel investigating the sale of online phone
data Wednesday that “many other types of private records are being bought
and sold in the public marketplace.”


EPIC ignited a series of federal investigations and a spate of proposed
legislation last summer when it revealed more than 40 Web sites that sell
the personal phone records of consumers to anyone.


“The problem of record sales is not limited to the many methods of voice
communication that we can use,” Rotenberg said. “Sites commonly advertise
the ability to obtain the home addresses of those using P.O. boxes. Some
sites … advertise their ability to obtain the real identities of people who
participate in online dating Web sites.”


One site, Rotenberg said, even advertises the ability to perform “Reverse
Search AOL ScreenName” services that find the name associated with the IM
user.

Optionally, for another fee, the site offers the physical address and
phone number of the user.


Congress wants to know how the data brokers are obtaining the data from
telephone companies, primarily cellular carriers, why selling the data isn’t
illegal and what the Federal Trade Commission (FTC) and the Federal
Communications Commission (FCC) are doing about it.


The telephone carriers say their systems are secure and they are being
scammed out of their customers’ personal call information by a con known as
pretexting, the art of obtaining information under false pretenses.


Once pretexters have obtained some morsel of personally identifying
information about an individual, customer service reps become easy prey
since they rarely require more than a few easily obtained bits of
information to verify the caller as an account holder.


“There is no reason why one should be able to obtain these records through
pretexting,” Rotenberg said, contending the telephone companies have
inadequate controls in place to properly protect consumer data.


The end results of all this lax security — either through pretexting or
inside jobs — can be dangerous.


“The availability of these services presents serious risks to victims of
domestic violence and stalking,” Rotenberg said.


Robert Douglas, CEO of PrivacyToday.com, urged the lawmakers to move their
investigation and probable legislation beyond the scope of just personal
telephone records for sale.


“In each case I’ve worked involving Web-based illicit information providers,
when we have been able to review the files of the company, there have been
indications of identity thieves and other criminals – including stalkers –
using those companies to buy information about Americans,” he said.


Cindy Southworth of the National Network to End Domestic Violence testified
that several battered women have ultimately suffered violent deaths after
their former husbands or ex-boyfriends obtained personal information bought
through data brokers.


“Phone records are a particularly rich source of information for the
determined stalker,” Southworth said. “Through pretexting, a stalker can
access records that include who was called, when the call was made, how long
the call took and the location of the calls. By illegally obtaining this
information, a stalker can locate his victim without his victim even knowing
that she is being tracked.”


Pretexting is not new. The Gramm-Leach-Bliley Act (GLBA) forbids the
practice in the context of obtaining personal financial information. The
GLBA does not specifically prohibit pretexting in the search for telephone
records or other electronic communications such as instant messaging and
e-mail.


The FTC is charged with enforcing the anti-pretexting provisions of the
GLBA.


“Although pretexting for consumer telephone records is not prohibited by the
GLBA, the [FTC] may bring a law enforcement action against a pretexter of
telephone records for deceptive or unfair practices,” Lydia Parnes, director
of the FTC’s Bureau of Consumer Protection, told the Senate panel.


But it hasn’t, despite complaints by organizations like EPIC.


“It was troubling to learn that unscrupulous data brokers have made a
business of selling consumers’ personal phone records,” Sen. Daniel Inouye
of Hawaii said. “Equally disturbing is the fact that the FTC received
numerous complaints about these egregious practices and refused to act on
them.”


Parnes said the FTC may soon bring its first action against telephone
pretexting.


“Commission staff surfed the Internet for companies that offer to sell
consumers’ phone records,” she said. “FTC staff then identified appropriate
targets for investigation and completed undercover purchases of phone
records.”


Parnes said FTC attorneys are evaluating the evidence to determine if law
enforcement action is needed.


Congress may not wait on the FTC to decide.


“I wanted to take action as soon as I heard that unscrupulous marketers were
obtaining and selling confidential, personal phone billing records,” Sen.
George Allen (R-Va.), who chaired Wednesday’s hearing, said. “This
fraudulent and criminal activity must be prosecuted and stopped to protect
innocent people.”
