Testimony and Statement for the Record of
Chris Jay Hoofnagle
Director, Electronic Privacy Information Center West Coast Office
Hearing on SB 202 (Senator Simitian, Privacy: telephone calling pattern record or list.)
Before the California State Assembly Committee on Public Safety
March 7, 2006 / 9 AM / Room 4202
Introduction
Chairman Leno, Vice Chair La Suer, and Members of the Committee, thank you for the opportunity to testify on the privacy of telephone records. My name is Chris Hoofnagle and I am Director of the Electronic Privacy Information Center's West Coast Office in San Francisco. EPIC is a not-for-profit research center established to focus public attention on emerging civil liberties issues and to protect privacy, the First Amendment, and constitutional values. We have played a leading role in emerging communications privacy issues since our founding in 1994.
In this statement today, I will summarize EPIC's efforts to bring public attention to the problems of pretexting and discuss how SB 202 would protect a broad range of communications records from sale. In investigating this issue, I encourage Members and Staffpersons to review the testimony in hearings held in the US Senate and House on this issue.[1]
EPIC's Efforts to Address Pretexting and Phone Record Sales
In July 2005, EPIC filed a complaint with the Federal Trade Commission concerning a website that offered phone records and the identities of P.O. Box owners for a fee through pretexting. Pretexting is a practice where an individual impersonates another person, employs false pretenses, or otherwise uses trickery to obtain records.
The owners of the California-based business operating the website responded to our complaint, claiming that they knew of no law that prohibited them from selling phone records!
EPIC supplemented the July filing in August with a list of 40 websites that offered to sell phone records to anyone online. In light of the fact that so many companies were selling communication records online, EPIC also petitioned the Federal Communications Commission, urging the agency to require enhanced security precautions for phone companies’ customer records.[2] Although telephone carriers unanimously opposed enhanced security requirements, proposing that lawsuits against pretexters would solve the problem, the FCC unanimously granted the petition and is seeking comments on enhanced security standards for phone records.
Most recently, EPIC wrote to the American Bar Association and 50 states' bar ethics committees to explain that attorneys are hiring investigators and online data brokers to pretext. EPIC argued that it is unethical for attorneys to employ these practices, and urged the state authorities to advise attorneys not to buy pretexting services.
We continue to believe that legislative action is needed at the federal and state level to protect this information. Phone records can be used by individuals to stalk and harass other people. They can be used for corporate espionage purposes. While some claim that pretexting is a legitimate research tool, that argument is mere sophistry. Those who have a legitimate need for phone records can obtain a court order to access the information. Pretexting is simply an end-run around existing legal access provisions for people who probably do not have a legitimate reason to obtain calling data.
Finally, pretexting is used against many different companies. Pretexters target Post Offices in order to learn who uses Postal Boxes and Private Mail Boxes; they target users of automobile navigation systems (such as GM's OnStar service) in order to locate individuals' cars; they pretext utility companies to locate people; they target employers to learn facts about employees; and they even target family members to locate subjects of investigation. Some websites, such as Abika.com, advertise their ability to obtain the real identities of people who participate in online dating websites. A page on Abika.com advertises the company's ability to perform "Reverse Search AOL ScreenName" services, a search that finds the "Name of person associated with the AOL ScreenName" and the "option for address and phone number associated with the AOL ScreenName."[3] The same page offers name, address, and phone number information for individuals on Match.com, Kiss.com, Lavalife, and Friendfinder.com. These are all dating websites that offer individuals the opportunity to meet others without immediately revealing who they are.
An archive of EPIC's efforts is available online at http://epic.org/privacy/iei/
SB 202 Will End the Sale of Many Communications Records
Senator Simitian continued his outstanding track record on privacy by introducing the amended SB 202 shortly after EPIC filed its original phone records complaint. Reacting to the claims of data brokers that it was legal to sell phone records, SB 202 makes it clearly illegal to purchase, sell, offer to sell, or conspire to sell any telephonic calling record.
Telephone record is defined broadly so as to capture pretexters who are targeting next-generation communications devices, such as "Voice over Internet Protocol" Telephony (which is widely used by corporations and governments). Cordless and wireless phones are covered too.
SB 202 contains an exception allowing the sale of phone records where both the caller and recipient consent. This provision is consistent with California's heightened telephone privacy laws, which require consent of all parties to a conversation before it can be taped.
The provisions are backed by serious penalties--up to $2500 in fines and up to a year in prison. Repeat offenders are subject to a $10,000 fine and jail time.
SB 202 Is Necessary to Supplement Carrier Enforcement Actions
Telephone carriers have brought lawsuits against pretexters in order to legally shield their systems and customer records from the practice. While we support these enforcement efforts, we do not believe they will adequately secure phone records for two reasons:
First, there is mounting evidence that pretexters will simply rename their products or start offering them "underground." In an email responding to EPIC's initial complaint, the Editor of PI Magazine wrote to readers:
[…]
I recommend that you read my interview with the FTC and the specific comments about telephone records at www.pimagazine.com/ftc_article.htm The FTC wasn't too concerned about telephone information, but if PI's are going to blatantly advertise tolls directly to the public as a commodity, the FTC will get involved and we are going to lose that commodity and our ability to solve many cases because of it.
PI's need to STOP promoting the selling toll records directly to the public as a commodity. Rather, use it as an investigative tool used in the course of your investigation to lead you to a missing person or to the lead you need to solve the case. I also suggest that PI's promote such services as "telephone research" as compared to coming right out and mentioning tolls, non-pubs, etc.
Indeed, since we filed the original complaint, many websites have removed their advertisements for phone records. We believe that these services are still operating by selling data to callers seeking the service or to people who contact the companies through email. By going underground, it is unlikely that carriers will identify and bring suits against wrongdoers.
Second, when a carrier brings an enforcement action and obtains an injunction, the injunction only applies to that carrier. As a result, some companies that have been sued simply stop selling records pertaining to a single carrier. In the case illustrated below, Datatrace USA still offers records of Verizon, Sprint, Nextel, T-Mobile, US Cellular, and MetroPCS.
Because enforcement actions are carrier-specific, they alone cannot solve the problem of our phone records being subject to pretexting. We therefore believe that pretexting these records should be prohibited explicitly so that all carriers are covered by specific legislation.
We believe that SB 202 will go far in ending the sale of phone records. Please feel free to contact EPIC if we can provide the Committee any further information.
[1] Protecting Consumers’ Phone Records, Hearing Before the US Senate Consumer Affairs, Product Safety, and Insurance Hearing, Wed, Feb. 8 2006, available online at http://commerce.senate.gov/hearings/witnesslist.cfm?id=1742; Phone Records For Sale: Why Aren't Phone Records Safe From Pretexting?, Hearing Before the US House Committee on Energy and Commerce, Feb. 1, 2006, available online at http://energycommerce.house.gov/108/Hearings/02012006hearing1763/hearing.htm
[2] Petition of EPIC for Enhanced Security and Authentication Standards, In re Implementation of the Telecommunications Act of 1996, CC Docket No. 96-115, available at http://www.epic.org/privacy/iei/cpnipet.html.
[3] See http://www.abika.com/Reports/tracepeople.htm#Search%20Address/Phone%20Number%20associated%20with%20email%20Address%20or%20Instant%20Messenger%20Name.
[4] This screenshot of http://datatraceusa.com/products.asp was taken March 6, 2006.
Last Updated: March 6, 2006
Page URL: http://www.epic.org/privacy/iei/sb202test3706.html