Seriously...a black eye for the industry, no doubt. This legislation will continue to be embarassing to the investigative community. There are legal ways to obtain cell phone records that don't involve funny voices or bribes of company employees. There are also less invasive ways to get at the same information through public records, interviews and plain old hard work. In the end any client is better off not having questionable actions undetaken in their name and on their dollar. As an investigator ones does not ever want to put your corporate or legal client in the position to explain how they got ahold of questionable data. Litigation like this is the inevitable result:

Devious Tactic Snags Phone Data

By Kim Zetter
Wired.com

Online information brokers pried thousands of private cell-phone records from Verizon Wireless by posing as speech-impaired customers and company employees, court documents show.

The charges, which appear in a civil suit filed by Verizon in Florida late last year, shed a rare light on the shadowy world of online phone-record vendors -- a cottage industry among private investigators that has operated below the radar for years but is now in the spotlight amid a flurry of private suits and calls for laws restricting phone-record sales.

According to the suit, online cell-phone record vendors placed hundreds of thousands of calls to Verizon customer service requesting customer account information while posing as Verizon employees from the company's "special needs group," a nonexistent department. The caller would claim to be making the request on behalf of a voice-impaired customer who was unable to request the records himself. If the service representative asked to speak with the customer directly, the caller would impersonate a voice-impaired customer, using a mechanical device to distort his voice and make it impossible for the service representative to understand him -- a variant of a widely used social-engineering technique known as the "mumble attack."

Rob Douglas, a private investigator turned privacy activist, says federal authorities have known about the sale of private phone records since at least 1998 but have done little to address the problem. In the absence of federal action, phone companies have been resorting to civil lawsuits to prevent sellers from obtaining and selling records.

"I would put (the sale of) cell-phone records No. 3 as the most invasive after banking and medical records, and the most fraught for harm," says Douglas, who operates PrivacyToday.com. "This stuff has life-or-death consequences and severe investigative consequences for law enforcement."

The case is the second Verizon has brought against entities selling its customers' cell-phone records. The first, filed last July, ended in settlements barring two sellers from calling Verizon again. Cingular Wireless won a similar result Friday in a suit filed in December against two companies operating at least four websites.

These sites have come under renewed scrutiny since November when a Canadian reporter showed Canada's privacy commissioner how easy it was to purchase records for her home and work phones. The records, obtained from a U.S.-based website, listed the phone numbers for all incoming and outgoing calls made over several months. Such records generally specify the date, time and duration of calls, making them invaluable to private investigators and attorneys, whom Douglas says drive the market for phone records.

"No one likes to talk about who uses these records the most," Douglas says, "but it's lawyers for the most part who created this market" and often claim ignorance of the ways in which the information they purchase is obtained. Journalists also purchase the records, as do criminals.

A criminal case brought the issue to the FTC's attention in 1999 when law enforcement authorities discovered that an info broker sold a Los Angeles detective's pager number to an Israeli mafia member who was trying to determine the identity of the detective's confidential informant.
Verizon spokesman Tom Pica said the phone company went after brokers this year with state anti-fraud laws in the absence of any other way to stop the sellers.
"There does not appear to be a clear criminal statute at work here," he said. "We're trying to protect our customers' privacy, and we're using whatever legal means are at our disposal. We're encouraging legislation that would make this a criminal offense."

Verizon, of course, isn't just concerned about harm to customers. Federal law requires phone companies to protect the confidentiality of their customer network information. Currently, to obtain a Verizon phone record a caller need provide only the last four digits of the account-holder's Social Security number -- data that one could purchase from an online info-broker.

Selling phone records is not illegal. But obtaining them under false pretenses -- called "pretexting" -- violates section 5 of the Federal Trade Commission Act, which deals with unfair and deceptive trade practices. Pretexting doesn't just occur with phone records; private investigators and others use it to obtain everything from financial records to medical files. The FTC prosecuted three companies in 2001 for using pretexting to obtain records from financial institutions, but since then has seemingly done little to address the pretexting of cell-phone records.

The FTC's Betsy Broder says the commission has prosecuted a large number of cases around privacy but wouldn't discuss whether it was currently investigating the sale of phone records.
"There are a large number of players out there, and we want to make sure we're reaching them regardless of how they're plying their trade," says Broder, assistant director in the FTC's division of privacy and identity protection. "We could spend all of our time prosecuting pretexting, but we want to make sure that our work has the right kind of impact. We hope that states are taking action when appropriate and that businesses are taking better approaches to protecting information so that it doesn't get out."

States have unfair-trade-practice laws under which pretexting could be prosecuted. But what's really needed, says Chris Hoofnagle, director of the Electronic Privacy Information Center's West Coast office, is an anti-pretexting statute that says, explicitly, "thou shalt not pretext," and addresses all types of private consumer records.

Recent publicity about the problem prompted the governor of Illinois to call for legislation addressing pretexting and the sale of records in his state, and lawmakers and attorneys general in other states are also discussing solutions. But Hoofnagle says a federal law would be better than piecemeal state laws since websites operate across state lines.

The federal Gramm-Leach-Bliley Act currently prohibits pretexting, but only of financial records. Last July, Sen. Charles Schumer (D-New York) promised to introduce legislation to address pretexting of all private records, but so far hasn't done so. Schumer's office didn't return calls for comment.

Legislation will only help deter brokers who care if they break the law. It won't halt identity thieves and others who defiantly sell information underground in private chat rooms and members-only websites. The Electronic Privacy Information Center last July petitioned the FCC to pressure phone companies to improve their procedures to protect customer records. EPIC also called on phone companies to establish an automated auditing process whereby customers are notified on their bill whenever someone requests their record.

Verizon and other phone carriers have so far rejected moves to scrutinize their practices.

The original article appears here.

-- MDT