By Jonathan Krim
Washington Post Staff Writer
Tuesday, August 30, 2005
A privacy group wants the government to force telephone companies to better protect their customers' private data -- including records of calls made and received -- from being bought and sold on the Internet.
In a petition scheduled to be filed today, the Electronic Privacy Information Center urges the Federal Communications Commission to create tougher rules for how and when landline and wireless carriers release customer information.
The group argues that the active marketplace for telephone records demonstrates that security practices at telecommunications companies are lax. Dozens of Web sites operated by data brokers and private investigators offer to sell detailed calling records for as little as $110 for the most recent billing cycle.
The data are often collected by impersonating customers or paying off insiders, according to the petition. Buyers of the information include attorneys trying to find witnesses or suspects, debt collectors and spurned or suspicious lovers.
But EPIC West Coast Director Chris Jay Hoofnagle said stalkers or those engaged in industrial espionage could just as easily be the buyers.
"And these records are just as sensitive as financial information because they reveal our associations, and in some cases location," Hoofnagle said.
Carriers acknowledge that such theft occasionally happens, but claim it is infrequent and that they aggressively guard against it. Typically, law enforcement agencies and other third parties seeking customer data must get a court order, the carriers say.
"We have a variety of measures in place to protect against unauthorized access to customer information, and we also train our customer care representatives to be alert for anyone who tries to improperly coax information out of them," said Cingular Wireless LLC spokeswoman Rochelle Cohen.
But EPIC included in its filing a list of more than 40 Web sites that offer to sell call records, often within hours of receiving credit-card orders that are taken online.
"The security standards that carriers use to verify the identity of the . . . requestor have been insufficient to prevent unauthorized third parties from acquiring and exploiting such data for personal and financial gain," according to a draft of the petition obtained by The Washington Post.
The group is also renewing calls for the Federal Trade Commission to crack down on trafficking in private data, such as Social Security numbers, which can often be gleaned from public records available at courthouses or government agencies.
But call record information resides largely at phone companies, and they are obligated by federal law to protect it.
EPIC argues that carriers are making it too easy for fraud artists to glean customer data by requiring only basic biographical identifiers that are easily obtainable, such as Social Security numbers or dates of birth.
Another breach, say investigators familiar with the practice, can occur when carriers provide consumers with the ability to manage their accounts online.
If the consumer has not activated the feature and created a unique password, the system can be compromised by an outsider, investigators say.
Joe Farren, spokesman for CTIA -- the Wireless Association, said that anyone impersonating a customer to get customer data should be prosecuted, but he did not comment directly on the request for tougher regulations.
Spokesmen for Verizon Corp. and Verizon Wireless did not respond to inquiries seeking comment.