The Murky World of Pretexting

The scandal enveloping HP’s board is not a did they or didn’t

HP admits it obtained the phone records of certain board members and nine journalists
while investigating the source of boardroom leaks to the media.

The only real question is: was it legal to obtain those phone records?

“We believe a crime has been committed,” said Tom Dresslar, spokesman for California Attorney General Bill Lockyer, whose office is investigating HP’s involvement.

HP hired an outside firm to investigate the leaks. The outside firm then
hired a third party to obtain the phone records. The third party admits to
using “pretexting” to obtain the records. It’s an old and usually illegal practice.

Pretexters con company service representatives into believing they are an
account holder with the company. From there, it’s easy to obtain a wealth of
personal data on an individual.

Federal law prohibits pretexting for financial information, but it does not
specifically ban the practice when it comes to phone records. Nor does
federal law prohibit the selling of phone records over the Internet.

Under the Telecommunications Act of 1996, though, telephone carriers are
obligated to protect the Customer Proprietary Network Information (CPNI) of

Last year, the privacy watchdog Electronic Privacy Information Center (EPIC)
complained to the Federal Communications Commission (FCC) that confidential
phone records are readily available for sale on the Internet.

The EPIC complaint spawned investigations by the FCC, the Federal Trade
Commission and a flurry of proposed legislation by Congress.

A simple Google search reveals that for as little as $100, personal telephone
records, including call logs and locations of those receiving the calls, are
for sale.

The telephone carriers claim the data brokers are getting their information
through pretexting.

They’re probably right.

At a June U.S. House hearing on
pretexting spawned by the EPIC complaint, 11 data brokers took the Fifth
Amendment rather than reveal how they obtain the telephone records for sale
on their sites.

“Data brokers and private investigators are taking advantage of inadequate
security through pretexting, the practice of pretending to have authority to
access protected records,” EPIC’s FCC petition states.

The House investigation also revealed it isn’t just data brokers and PIs
like HP’s man working the phone companies for dubiously legal purposes.

Some law enforcement officials, it turns out, “frequently” use data brokers to circumvent
obtaining subpoenas and search warrants.

EPIC claims attorneys are the chief customers of data brokers.

“There is mounting evidence that attorneys are top consumers of pretexting
services that acquire private records through impersonation, fraud or false
pretenses,” EPIC wrote in a letter to state bar

“The records of whom we choose to call and how long we speak with them can
reveal much about our business and personal lives,” Rep. Lamar Smith
(R-Tex.), a sponsor of one of the bills before the U.S. House, said at a
March hearing.

“A careful study of these records may reveal details of our medical or
financial life. It may even disclose our physical location. This is a
serious concern for undercover police officers and victims of stalking or
domestic violence.”

Presaging the HP scandal, EPIC added in its FCC complaint, “Given the
prevalence of phones, both wired and wireless, used for business purposes,
these services could be (and most likely are being) used for industrial
espionage and other illicit business activities.”

Legislation banning pretexting for phone records and outlawing the sale of
that information over the Internet has passed committees in both the House
and the Senate. Full floor votes are pending before both chambers.
