January 20, 2006 4:00 AM PST

Protecting cell phone users' privacy

Reports of Web sites that sell records of cell phone calls have been in the press for months, prompting action this week by lawmakers and the Federal Communications Commission. But some critics believe that cellular carriers should do even more to protect personal information.

Numerous Web sites, such as Locatecell.com and CellTolls.com, are advertising that they can provide records of incoming and outgoing cell phone calls--for less than $100, in some cases. That kind of information is often used by law enforcement agencies in their investigations. However, the online availability of such data could be exploited by criminals, such as stalkers, abusive spouses or identity thieves, experts have warned.

Wireless operators claim these sites get customer information through fraud, such as posing as a customer and asking for information about an account.

News.context

What's new:
Lawmakers on Capitol Hill and law enforcement agencies are vowing to protect consumers' cell phone records by penalizing those who use deception to obtain customer information. But some experts say the problem won't go away unless phone companies better protect customer data.

Bottom line:
Experts say there are several steps operators can take to verify that a records request is legitimate, including use of a customer password system, confirmation of each request by sending a text message to the customer's cell phone and implementation of auditing systems at customer service centers.

The practice of using trickery to obtain the records from phone companies has been the subject of news reports for months. The issue reached a fever pitch when Washington, D.C.-based blogger John Aravosis posted on his site Americablog.com a detailed account of how easy it was for him to buy his own cell phone records, and then purchase the records of Gen. Wesley Clark, a former candidate for U.S. president.

Cell phone companies say they are taking a stand against those selling this information. In the last couple of weeks, Cingular Wireless and Verizon Wireless have requested court orders against data brokers accused of obtaining the records through fraud. The Federal Communications Commission's enforcement bureau this week also said it's looking into companies that obtain telephone records without the customer's approval or knowledge.

Now federal lawmakers are jumping on the bandwagon, introducing legislation in both the House of Representatives and in the Senate to criminalize the activity of obtaining customer information falsely. For example, Sens. Charles E. Schumer (D-N.Y.), Arlen Specter (R-Pa.) and Bill Nelson (D-Fla.) introduced a bill earlier this week that would make it illegal to pose as someone else when calling a phone company, or for an employee to sell customer data. On the state level, the office of Connecticut Attorney General Richard Blumenthal launched an investigation of companies that may have illegally sold consumers' cell phone data.

It's clear the low-hanging fruit in these lawsuits, investigations and proposed legislation are the online businesses that sell and advertise the availability of this information. But shutting down a few Web sites won't fix the problem, experts said. Some people believe that as an industry, the cell phone companies need to improve how they secure the personal billing information of the almost 20 million wireless subscribers in the U.S.

"Phone companies can definitely do a better job securing data," said Sherwin Siy, staff counsel for the Electronic Privacy Information Center in Washington, D.C. "It's extremely important that something be done to prevent these breaches from continuing, because it impacts everyone's right to privacy."

So how do these Web sites get access to customer billing information? Experts believe the records are leaked in a couple of ways. One is through the mishandling of data by employees in call centers or by workers at companies doing outsourced tasks for wireless operators.

A common misconception in corporate security is that a company's biggest threat is an outsider trying to hack into a server with sensitive information. But research indicates that insiders--employees, partners and contractors--cause more security problems. Companies such as Vontu and its rival Vericept have built data-interception products that monitor e-mail, instant messages, FTP files and other electronic communications on corporate networks, sniffing for leaks of sensitive information.

The second way people get their hands on billing information is by simply pretending to be the customer on

13 comments

Selling of personal data from ANY source
If the Supreme Court would make a clear blanket ruling confirming the right to privacy, laws covering each and every infraction would not be necessary.

Lawmakers could also separately pass legislation stating that every American has sole and exclusive property of their personal information, and setting the punishment bar high for those who infringe upon that property.
Posted by Rita McKee (27 comments )
Supreme court????
With the recent and upcoming changes to the court, I wouldn't expect the court to be "making up" any more new privacy laws.

Your second comment is more on target. It's the legislature's job to enact laws, and they can respond more quickly to the will of the people. And, it's much easier for the legislative branch to reverse a mistake than it is to reverse a bad Supreme Court precedent.
Posted by DougDbug (62 comments )
Information has too much value
There is too much value in the information, and some is used for legitimate purposes. It is the fraudulent use that needs to be stopped, not all use of personal information.
Posted by zaznet (1138 comments )
Rules are never followed
If you think that the rules would be followed, think again. Your social security number was originally designated that the only people who have the right to acquire it were government agencies, financial institutions that dealt with providing you income (interest), and your employer. Any request for your number is supposed to be accompanied by a written document stating the purpose and intended use of your number. Nobody else has the right to ask you for your social security number as a means of identification.

Today, just about everyone wants your social security number. Just about every bank will refuse to open a checking account without it even though no interest is involved. Almost every hospital form requests your social security number. Try and get a credit card without disclosing your social security number, it won't happen. Many businesses these days will refuse to do business with you unless you provide your social security number even though they have no legal right to even ask for it. The rules ARE NOT being followed as it is.
Posted by Seaspray0 (9714 comments )
If I get a cold call on my cell phone,
I intend to sue my provider.

I pay for every call. I don't want to have to pay for some idiot trying to sell me hemorrhoid cream.

I'd rather avoid getting reamed in the first place. The people who have my cell phone number are the people I WANT to have my cell phone number.

The others can leave me alone.
Posted by CharlesRovira (97 comments )
Not what this is about...
They would need information about you already. Name, cell #, maybe even the carrier you use.
Posted by zaznet (1138 comments )
get a Masque Number...
I so totally agree with you I created that service, to get rid of nuisance calls.
Check it out, I'm sure you'll like it!
Posted by MasqueNumber (5 comments )
How about a "sting operation"
It would be really easy for the phone companies to set up a sting operation to find out who's leaking the information... if they really want to. Fire a few employees, terminate a few contracts / contractors, make some security fixes, and these abuses would drop way off.
Posted by DougDbug (62 comments )
Too costly.
It would be too costly for most operators to do such an operation though. This won't happen until cell phone owners sue their carriers for breach of contract. They have to see that not doing something costs more than doing something.

If you doubt that is how the business world works, look at the recent mine explosion in WV. The company didn't do anything to fix problems because it cost more to comply than to just leave it alone. Now they are going to be hurting with some lawsuits as well as fines from the government. The sad part is those miners who were not killed will likely end up out of work.
Posted by zaznet (1138 comments )
IT ALREADY IS A CRIME - You don't need new legislation!
They obtained the information through fraud. That is a crime. What new legislation is needed? They should easily be able to shut them down and prosecute.
Posted by ballssalty (219 comments )
You should get a Masque Number...
That way your calls are protected away from your operator.
And since you can identify who calls you by "calling-id" (the number used to call you), you are able to trace back to the people you gave your Masque Number to, in case it gets compromised by nuisance calls or identity theft.
You can check the call records of your Masque Number online with your password, and that's all.

http://www.masquenumber.com
Posted by MasqueNumber (5 comments )