Are Your Cell Phone Records for Sale Online?

Aug. 30, 2005 — -- You can see who you've been talking to on your cell phone by taking a quick glance at your monthly bill. What's disturbing is anyone with online access can pay to find out some of that exact same information.

Online credit card scams and fraudulent e-mail spam that seek personal financial information have raised awareness of the threat of identity theft. But now privacy groups and security concerns are also raising the alarm about so-called online "information brokers" -- Web sites that will obtain and sell personal information to anyone willing to pay.

At LocateCell.com, for example, suspicious spouses can pay $110 and secretly obtain the cell phone records of their partners. For additional fees, the company will even identify the names and address of suspicious numbers so customers can determine exactly who their partners are calling. All results, according to the company's Web site, are "guaranteed to be accurate" and can be delivered in as little as an hour.

Sites such as BestPeopleSearch.com will go even further. Online customers can dig up all types of personal information -- phone records, work history, arrest records, residential and mailing addresses, motor vehicle records -- for fees ranging from $37 to $250.

A Stealthy Threat

Privacy advocates note that open access to such information might not lead to financial fraud or other identity theft crimes that depend upon obtaining someone's Social Security or credit card number. They say, however, that unregulated access to detailed personal information is not only extremely invasive but even helps facilitate other illegal activities, such as industrial espionage.

"If you're the CEO of Google, your phone records are worth their weight in gold," says Chris Hoofnagle, senior counsel with the Electronic Privacy Information Center, an advocacy group based in Washington D.C. And "If you have key pieces of information -- Social Security numbers, phone records and numbers -- you can use that to gain access to other bits of data like [bank] account numbers and financial records."

Moreover, while recent attention on financial fraud and identity theft have brought about stricter rules and laws to protect those records, there are far fewer rules that regulate personal information such as telephone records.

And while the telecommunications industry claims that service providers release detailed call logs only under court-issued orders, privacy and security experts suspect that the online data brokers are taking advantage of the legal gaps.

Hoofnagle, for one, is skeptical that the many Web sites selling personal information all use purely legal means. "They say they get these through legal means, like 'dumpster diving,'" he says. "But there's no way that a company can guarantee an online customer that they're going to get someone's phone records in four hours by going through the [telephone] company's trash."

Lying on the Line

Instead, Hoofnagle and others believe these online information brokers are using a mix of old and new illicit tricks to get at supposedly protected phone call data.

"In some instances, they have contacts on the inside they can bribe," says Rob Douglas, a former private investigator of 20 years. "But a majority of instances … almost exclusively, they are using 'pretexting.'"

Pretexting, says Douglas, is a "social engineering" trick that has been perfected by investigators -- and criminals -- to trick companies into releasing protected information. Armed with one or two pieces of information -- say a Social Security number and the cell phone account number -- the trickster calls a company's customer service hotline, pretending to be a subscriber who needs access to their account. Often the account information is indeed released over the phone.

Douglas claims that it was not uncommon for private investigators to use such methods to obtain information for clients -- typically companies who feared corporate espionage or lawyers who wanted to covertly dig deeper into a case -- on a background basis only.

"In a divorce case, for example, an attorney might want to find out if his client's husband had more phone contact with woman X than claimed," he says. "He gets Johnny Private Investigator to get that information on the sly for $150 to $250. It's much more expedient than going through the process of litigation for a subpoena, which would possibly tip his hand to the [husband's] attorney."

But Douglas, now an information security consultant for Privacy Today, a company he founded in Steamboat Springs, Colo., says that the Web has changed all the rules.

"The genesis of this was all about competitive intelligence," says Douglas. But, "What happened was, as private investigators developed these [pretexting] techniques and the World Wide Web came along, you had a shockingly high number of them [investigators and data brokers] who were willing to sell this data to anyone online."

Fighting for Attention

Joe Farren, a spokesman for the Cellular Telecommunications Industry Association in Washington, D.C., says that the industry is well aware of pretexting and the potential problem of online companies who traffic in such illegally gained information. But he says member companies have worked hard to take steps to prevent such data theft.

"We work hard to prevent this from happening. They [service providers] have procedures in place to ensure that personal information and account information are protected," says Farren. "The bottom line is, if you are getting someone's information without their knowledge or consent, we believe it's illegal and a form of fraud and they [data brokers] should be punished. We feel that there are various state laws that are fairly clear about this."

But among privacy and security experts, such voluntary measures aren't enough. They're pressing the federal government to step in and investigate.

On July 7, EPIC filed a complaint with the Federal Trade Commission against Intelligent E-Commerce Inc., the San Diego-based company that runs BestPeopleSearch.com. In the complaint, it claims that IEI was misrepresenting its ability to obtain private information such as phone records using legal means.

Since then, EPIC has expanded its FTC complaint to include 40 Web sites that broker such information. And today, the privacy group has also filed a petition with the Federal Communications Commission to develop specific rules that telecommunications carriers must follow to safeguard customers' personal information.

A Data Broker's Defense

Although neither government agency has announced any plans or reaction to EPIC's motions, online information brokers are adamantly holding their ground.

Noah Wieder, president of IEI, says that EPIC is making a lot of noise over misconceptions about the services his company provides.

"From my standpoint, 10 years ago a person could have walked into a private investigator's office and done the same thing," says Wieder. "You could have gotten the same information … and pay 10 times as much. Now, it's just by the means of the Internet, that it's a lot more accessible."

Still, Wieder says that he understands why some may object to what seems like an obvious invasion of personal privacy. He claims his company goes through extensive steps to ensure his online customers have "legitimate requests."

"We verbally verify every single request … these are typically requests from attornies and such," says Wieder. "We have spouses that are victims of cheating, and physical and mental abuse and use these reports to prove or disprove their claims. We even got a case of a runaway teen where the only way investigators and her parents could find her was through cell phone records."

Wieder also claims that IEI has a sophisticated systems to verify the identity of online customers and detect when pieces of information don't match -- say an attempted payment with a credit card account issued by a U.S. bank, but the customer's Internet address registers as being located overseas.

Wieder also says that any request from an online client that can't be reached directly by telephone is immediately rejected.

While Wieder and his company's attorneys aren't sure if the FTC will follow up on EPIC's complaint, he believes the issue can be resolved with more consumer-focused education than government intervention.

"You can do four things today to keep your phone records [private]. It's as simple as making a phone call [to your provider] and requesting a password to your account, ask for no detailed billing, turn off online access, and a notice that your information is not given to anybody. How hard is that?" asks Wieder. "Why do we need all this government regulation and intervention and spend all this taxpayer money when they [consumers] can do this all on their own?"

Make Way for New Laws Anyway?

Still, it may be too late to avoid government legislation.

On July 24, Sen. Charles Schumer, D-N.Y., announced he was drafting a bill that would make it illegal to "pretext" for phone call records and then sell the information.

"Stealing someone's cell phone records is absolutely a criminal act and the fact that it can't be prosecuted as one has got to change," Schumer said in a statement about his proposal. "We already have these protections for our financial information. We ought to have it for the very personal information that can be gleaned from our telephone records."

A spokesman for Schumer acknowledged parts of the proposed bill -- such as FTC involvement and standards for enforcement -- still need to be "worked out." And since Congress is in summer recess until next month, Schumer hasn't lined up any co-signers or support. Still, he's confident that the bill will be part of the next session and could be filed "very soon."

Preventive Measures

While it's still unclear how or even if legislative measures would effectively protect your personal call logs, privacy and security experts say the following steps might help:

Contact your phone service provider and find out its privacy policies.

Most telecom companies have strict rules and procedures in place to guard your information. Ask representatives what they are and make sure you understand who has access to your records and how they may be used or shared.

Do NOT use an easily guessed PIN or password to protect your account.

Avoid using numbers that can be guessed or tied to your account -- the last four digits of the phone number or your street address, for examples. And don't use your mother's maiden name or any other obvious biographical information.

Request a separate PIN and/or password.

If your telecom provider insists on using "standard" identifiers such as zip codes and the last four digits of your Social Security Number, ask for an additional "lock" on your records. This would place a note on your records that an additional question must be answered successfully before any customer service representatives give out any of your information over the phone.

Disable online access.

Many telecom providers allow their customers to check and pay their bills online through the Internet. If you have no need for this feature, request that it be deactivated so others can't hijack your account.