April 24, 2006
Senator Bowen
State Capitol, Room 4040
Sacramento, CA 95814
Re: SB 1666, addressing the use of "pretexting" to obtain personal information
Dear Senator Bowen,
The Electronic Privacy Information Center is a not-for-profit research center established to focus public attention on emerging civil liberties issues and to protect privacy, the First Amendment, and constitutional values. We have played a leading role in emerging communications privacy issues, including the ones contemplated by SB 1666, since our founding in 1994. EPIC's West Coast Office is located in San Francisco, CA, and focuses on consumer privacy issues.
In this letter, we will summarize EPIC's efforts to bring public attention to the problems of pretexting, the practice where an individual impersonates another person, employs false pretenses, or otherwise uses trickery to obtain records. We then recommend that California adopt the approach to addressing pretexting taken by SB 1666. SB 1666 prohibits all pretexting (not just pretexting to telephone companies) by simply prohibiting the practice. The complete prohibition is necessary because, if a phone-records-only pretexting ban is passed, pretexters will simply target other types of records. Furthermore, we think the SB 1666 approach is appropriate because it does not contain exceptions allowing private investigators or law enforcement to pretext. There are routinely used legal methods for investigators and law enforcement to obtain records where they have a legitimate need for them; an exemption is therefore unnecessary.
EPIC's Efforts to Address Pretexting
In July 2005, EPIC filed a complaint with the Federal Trade Commission concerning a website that offered phone records and the identities of P.O. Box owners for a fee through pretexting. Pretexting is a practice where an individual impersonates another person, employs false pretenses, or otherwise uses trickery to obtain records.
The owners of the California-based business operating the website responded to our complaint, claiming that they knew of no law that prohibited them from selling phone records! Other pretexters have taken the same approach. They have ignored general consumer protection norms and argued that no specific law prohibits pretexting.
EPIC supplemented the July filing in August with a list of 40 websites that offered to sell phone records to anyone online. In light of the fact that so many companies were selling communication records online, EPIC also petitioned the Federal Communications Commission, urging the agency to require enhanced security precautions for phone companies’ customer records.[1] Although telephone carriers unanimously opposed enhanced security requirements, proposing that lawsuits against pretexters would solve the problem, the FCC unanimously granted the petition and is seeking comments on enhanced security standards for phone records.
We continue to believe that legislative action is needed at the federal and state level to protect this information. Phone records can be used by individuals to stalk and harass other people. They can be used for corporate espionage purposes. While some claim that pretexting is a legitimate research tool, that argument is mere sophistry. Those who have a legitimate need for phone records can obtain a court order in order to access the information. Pretexting is simply an end-run around existing legal access provisions for people who probably do not have a legitimate reason to obtain calling data.
An archive of EPIC's efforts is available online at http://epic.org/privacy/iei/
California should prohibit all pretexting (not just pretexting to telephone companies).
Many Types of Records Are Vulnerable to Pretexting
The pretexting debate has surrounded wireless phone records. But the problem is much broader. Pretexting is used against many different companies in order to obtain personal information from them. That is why we believe SB 1666's broad approach in prohibiting pretexting is appropriate.
Alongside many advertisements for cell phone records, wireline records and the records associated with calling cards are advertised. As individuals shift to VOIP (Internet telephony) telephones, it is safe to assume that those records will be offered for sale as well.
Pretexters also target Post Offices in order to learn who uses Postal Boxes and Private Mail Boxes; they target users of automobile navigation systems (such as GM's OnStar service) in order to locate individuals' cars; they pretext utilities companies to locate people; they target employers to learn facts about employees; and they even target family members to locate subjects of investigation. Some websites, such as Abika.com, advertise their ability to obtain the real identities of people who participate in online dating websites.
A page on Abika.com advertises the company's ability to perform "Reverse Search AOL ScreenName" services, a search that finds the "Name of person associated with the AOL ScreenName" and the "option for address and phone number associated with the AOL ScreenName." [2] The same page offers name, address, and phone number information for individuals on Match.com, Kiss.com, Lavalife, and Friendfinder.com. These are all dating websites that offer individuals the opportunity to meet others without immediately revealing who they are.
The availability of these services presents serious risks to victims of domestic violence and stalking. In fact, Amy Boyer, who was stalked and killed by a school classmate, was located through pretexting after investigators could not find her address through database searches. There is no reason why one should be able to obtain these records through pretexting, or outside of existing legal process.
We urge California lawmakers to adopt the approach in SB 1666, and broadly prohibit pretexting. A sectoral approach, where just phone records are protected, does not fully address the problem of pretexting. Furthermore, if just phone records are covered, pretexters will simply move on to other targets. In fact, phone records are the current target because Congress took a sectoral approach in 1999, and banned pretexting only to financial institutions.
No Exclusion Should Be Made to the Pretexting Ban
We recognize the need for law enforcement to gain access to communications records, and that is why there are existing, routine procedures under the law for such access, such as warrants and subpoena powers. Since such procedures for law enforcement access exist, there is no need for law enforcement to engage in the fraud that bans on pretexting are trying to prevent.
Similarly, an exception for private investigators is inappropriate. If an investigator has a legitimate need for a communications or other record, she can obtain a subpoena. There is no need to create an exception to allow private investigators to engage in this fraud. We applaud Senator Bowen for not including such exemptions in SB 1666.
A Pretexting Ban Is Necessary to Supplement Carrier Enforcement Actions
Telephone carriers have brought lawsuits against pretexters in order to legally shield their systems and customer records from the practice. While we support these enforcement efforts, we do not believe they will adequately secure phone records for two reasons:
First, there is mounting evidence that pretexters will simply rename their products or start offering them "underground." In an email responding to EPIC's initial complaint, the Editor of PI Magazine wrote to readers:[…]
I recommend that you read my interview with the FTC and the specific comments about telephone records at www.pimagazine.com/ftc_article.htm The FTC wasn't too concerned about telephone information, but if PI's are going to blatantly advertise tolls directly to the public as a commodity, the FTC will get involved and we are going to lose that commodity and our ability to solve many cases because of it.
PI's need to STOP promoting the selling toll records directly to the public as a commodity. Rather, use it as an investigative tool used in the course of your investigation to lead you to a missing person or to the lead you need to solve the case. I also suggest that PI's promote such services as "telephone research" as compared to coming right out and mentioning tolls, non-pubs, etc.
Indeed, since we filed the original complaint, many websites have removed their advertisements for phone records. We believe that these services are still operating by selling data to callers seeking the service or to people who contact the companies through email. By going underground, it is unlikely that carriers will identify and bring suits against wrongdoers.
Second, when a carrier brings an enforcement action and obtains an injunction, the injunction only applies to that carrier. As a result, some companies that have been sued simply stop selling records pertaining to a single carrier. In the case illustrated below, Datatrace USA, a company that has been sued by Cingular, still offers records of Verizon, Sprint, Nextel, T-Mobile, US Cellular, and MetroPCS.
Because enforcement actions are carrier-specific, they alone cannot solve the problem of our phone records being subject to pretexting. We therefore believe that pretexting these records should be prohibited explicitly so that all carriers are covered by specific legislation.
Conclusion
Thank you for introducing SB 1666. We continue to believe that there is no legitimate use for pretexting, and that states should act to broadly ban the practice. SB 1666 takes the most effective, broadest, and most forward-looking approach to solving the pretexting problem.
Please feel free to call upon EPIC if we can provide any further assistance.
Respectfully Submitted,
Chris Jay Hoofnagle
Senior Counsel
Electronic Privacy Information Center
West Coast Office
944 Market St. #709
San Francisco, CA 94102
415-981-6400
[1] Petition of EPIC for Enhanced Security and Authentication Standards, In re Implementation of the Telecommunications Act of 1996, CC Docket No. 96-115, available at http://www.epic.org/privacy/iei/cpnipet.html.
[2] See http://www.abika.com/Reports/tracepeople.htm#Search%20Address/Phone%20Number%20associated%20with%20email%20Address%20or%20Instant%20Messenger%20Name.
[3] This screenshot of Abika.com was taken March 23, 2006.
[4] This screenshot of http://datatraceusa.com/products.asp was taken March 6, 2006.
Last Updated: April 5, 2006
Page URL: http://www.epic.org/privacy/iei/sb166632406.html