Tech.gov: Your Phone Records in Peril
By now you've heard the stories. Countless phone records have been stolen using a practice known as pretexting: Someone pretending to be you calls up your telephone or cellular carrier and asks for a copy of your latest bill, or worse, multiple copies of past bills with call details. In some cases thieves simply activate online access to your phone records--a service your carrier intended as a courtesy to you--and get your info that way.
Once they have your records, thieves turn around and sell them online. No one is safe: The folks at AmericaBlog demonstrated that when they bought General Wesley Clark's phone records earlier this year.
Some online information sellers, such as All Star Investigations and First Source Information Specialists, have come under scrutiny and are facing lawsuits from carriers such as Sprint Nextel, T-Mobile, and Verizon Wireless. The lawsuits typically allege that the companies in question fraudulently obtained phone records and then sold them without authorization. These companies run Web sites that sell the information; for example, Locatecell.com displays a notice saying the site is managed by First Source Information Specialists and Sprint Nextel says the same company also operates Datafind.org.
Regardless of whether these particular firms are found to be at fault, others are certainly blithely stealing and selling your information.
Yes, there are laws against this sort of thing, and phone companies are supposed to at least attempt to confirm your identity before they release your records. However, the system clearly has broken down.
Congress, outraged by a problem everyone can agree on, has acted swiftly (for Congress). Two related bills, one in the House of Representative, the other in the Senate, spell out the criminal behavior in these cases and propose tough penalties for violations. Both have recently passed out of committee with relatively little debate and are headed for a vote. Given the general agreement on the problem in committee, and the desire to protect voters (it's an election year, have you heard?), I'd bet these or similar bills will be passed.
But none of the proposed bills addresses the need for stronger privacy protections at the phone company level, or broader privacy standards for any company that gathers and stores information about us. (For a few tips on what to do to help protect your phone records, read the Privacy Rights Clearing House recommendations.)
What these bills do offer are clear definitions of what is illegal, along with stiff penalties and jail time for offenders. The House version is the Law Enforcement and Phone Privacy Protection Act of 2006 (H.R. 4709); the Senate version is the Consumer Telephone Protections Act of 2006 (S. 2178). Some related bills also cover these topics: H.R. 4657, H.R. 4662, H.R. 4714, and S. 2177.
H.R. 4709 and S. 2178 are the only bills to have made it out of committee so far, and they seem the most likely to pass. They attack the problem in very similar ways. The Senate bill specifically addresses pretexting, illegal record sales by phone company employees, illegal access through Internet accounts that customers may or may not have activated themselves, and buying and selling illegally obtained data. Penalties vary, but in cases where there's a pattern of illegal activity, jail terms can be as high as 10 years. The House version goes a few steps further, including jail terms of 20 years among other things.
Explicitly criminalizing this behavior gives states, customers, and businesses more options when they suspect problems, and should simplify prosecution. That's all well and good. But while these types of laws punish offenders and therefore presumably serve as deterrents to crime, they do nothing to address prevention.
A Call for Privacy Standards
The type and number of companies that store our personal data continue to grow at an astonishing rate. Search engines like Google and Yahoo know what you're looking up. Your car's navigation system knows where you go. TiVo knows what you watch. Phone companies know who you call, how often you talk to them, and who calls you. Unlike financial and health institutions, these companies are not subject to uniform privacy and confidentiality laws that address the protection of personal data collected as a consequence of business.
Many of these firms have made good-faith efforts to safeguard the data they collect about you and me. But the fact remains that we're basically at their mercy--if they should change their policies, we'd be sunk. We need some code of conduct that applies to any company that collects potentially sensitive information about individuals. That code should include minimum safeguards on data storage, an expiration date after which the data is destroyed, and some requirement of consent and input by the individuals involved as to who can see their data and whether it can be sold. Depending on the type of data, some mechanism for consumer review and correction of information would be nice, too.
Moreover, we need better authentication procedures for verifying that someone attempting to get at our information is authorized to do so. Granted, the authentication process has to straddle the fine line between efficiency and convenience for those with a legitimate right to access your records, and better security to protect you from those who shouldn't be allowed such access.
For now, most companies require an account number and either a password or some other form of ID, like a mother's maiden name or a social security number. But these identifiers are so easily available, they've ceased to be secure. Call details should be absent on a bill unless you request otherwise, not the other way around. Online accounts should not be ready and waiting for you to simply activate them--you should have to request an account first, after providing proper identification. Strong passwords should be mandatory whenever sensitive data is involved. Resetting passwords to critical records such as your bank accounts should perhaps require a visit to a branch office.
The data broker scandals of the past year and the phone record problems of this year are part and parcel of the same problem: Our private information is out there and it's not being protected well enough. The data stores will only keep growing. We need standards for their protection, and thus ours.