Although they still hope to pass additional legislation that would expressly outlaw obtaining phone records through impersonation or other fraudulent means, members of a U.S. House of Representatives oversight and investigations panel said Congress ultimately has limited ability to curb the shady spying technique. Phone companies must also step up their internal gatekeeping methods, they said.
"Even with a new law...the demand for such records will not disappear," subcommittee Chairman Ed Whitfield, a Kentucky Republican, said at the latest hearing here in an ongoing series focused on pretexting. On Thursday, the same subcommitteeto questioning former HP Chairman Patricia Dunn, CEO Mark Hurd and others about their roles in a media leak investigation that used pretexting, physical surveillance and other methods.
"It is time for the phone companies to guard their customers' information," added Rep. Jan Schakowsky, an Illinois Democrat.
Rep. Joe Barton, chairman of the full Energy and Commerce Committee, nevertheless drew a sprinkling of applause when he announced at the hearing that one such bill, H.R. 4943, may come up for a House floor vote as soon as Friday night. He noted, however, that "I'm not guaranteeing it."
At the Thursday hearing with HP executives and again on Friday, committee members pleaded for that measure to go to a vote, with some voicing dismay that it had disappeared into a veritable "black hole" since being pulled without explanation from the House's vote calendar during the spring. The House has already passed one pretexting measure, H.R. 4709, which would criminalize pretexting and continues to await action by the U.S. Senate.
Because the language is still being negotiated, it appears unlikely the Senate will take action on the bill before Congress recesses this weekend, an aide to the Republican leadership, which sets the schedule, said Friday.
H.R. 4943 would not only make fraudulent access to phone records a crime, but it also aims to raise the burden for telephone companies to protect customer information. Under the bill, federal regulators would be instructed to consider rules that would require those firms to "institute customer-specific identifiers" for access to information, encrypt all sensitive customer data, and delete it after a certain period of time. The Federal Communications Commission is already considering similar regulations.
Executives from Verizon Wireless, Cingular Wireless, Sprint Nextel, T-Mobile USA, Alltel Wireless and U.S. Cellular said they heartily agreed with the general principle of criminalizing the practice of pretexting. The company representatives deferred comment on the bill endorsed by the Energy and Commerce committee to their government relations departments, but some suggested that new rules mandating, for instance, additional passwords for customers could prove problematic.
"The stronger you make the security, the more likely it is people are going to be locked out," which makes it harder to distinguish legitimate customers seeking account access from fraudsters, said Thomas Meiss, Cingular's associate general counsel. AllTel Chief Security Officer Greg Schaeffer said encryption and audit trails would be very difficult to implement companywide, except in certain places, such as laptops and backup drives, "because of the way our systems work."
The executives assured subcommittee members that they already devote significant resources to installing and refiningand that they have been taking an aggressive stance against thievery of their subscribers' records. Several touted against suspected pretexting firms that obtained their customers' records-- , by Cingular and Verizon Wireless, related to the HP scandal--and said they would support additional laws conferring civil and criminal penalties on pretexters.
Rep. Jay Inslee, a Washington Democrat, said he thought new rules were a "fair obligation" for the industry, even though it may prompt additional costs and management headaches. "It's a little like requiring thicker steel on the doors of the bank against criminals who want to do bank robbery," he said, "but I think it's entirely appropriate, and I look forward to your companies helping us get this bill through."