Numerous Web sites, such as Locatecell.com and CellTolls.com, are advertising that they can provide records of incoming and outgoing cell phone calls--for less than $100, in some cases. That kind of information is often used by law enforcement agencies in their investigations. However, the online availability of such data could be exploited by criminals, such as stalkers, abusive spouses or identity thieves, experts have warned.
Wireless operators claim these sites get customer information through fraud, such as posing as a customer and asking for information about an account.
Lawmakers on Capitol Hill and law enforcement agencies are vowing to protect consumers' cell phone records by penalizing those who use deception to obtain customer information. But some experts say the problem won't go away unless phone companies better protect customer data.
Experts say there are several steps operators can take to verify that a records request is legitimate, including use of a customer password system, confirmation of each request by sending a text message to the customer's cell phone and implementation of auditing systems at customer service centers.
The practice of using trickery to obtain the records from phone companies has been the subject of news reports for months. The issue reached a fever pitch when Washington, D.C.-based blogger John Aravosis posted on his site Americablog.com a detailed account of how easy it was for him to buy his own cell phone records, and then purchase the records of Gen. Wesley Clark, a former candidate for U.S. president.
Cell phone companies say they are taking a stand against those selling this information. In the last couple of weeks, Cingular Wireless and Verizon Wireless have requested court orders against data brokers accused of obtaining the records through fraud. The Federal Communications Commission's enforcement bureau this week also said it's looking into companies that obtain telephone records without the customer's approval or knowledge.
Now federal lawmakers are jumping on the bandwagon, introducing legislation in both the House of Representatives and in the Senate to criminalize the activity of obtaining customer information falsely. For example, Sens. Charles E. Schumer (D- N.Y.), Arlen Specter (R-Pa.) and Bill Nelson (D-Fla.) introduced a bill earlier this week that would make it illegal to pose as someone else when calling a phone company, or for an employee to sell customer data. On the state level, the office of Connecticut Attorney General Richard Blumenthal launched an investigation of companies that may have illegally sold consumers' cell phone data.
It's clear the low-hanging fruit in these lawsuits, investigations and proposed legislation are the online businesses that sell and advertise the availability of this information. But shutting down a few Web sites won't fix the problem, experts said. Some people believe that as an industry, the cell phone companies need to improve how they secure the personal billing information of the almost 20 million wireless subscribers in the U.S.
"Phone companies can definitely do a better job securing data," said Sherwin Siy, staff counsel for the Electronic Privacy Information Center in Washington, D.C. "It's extremely important that something be done to prevent these breaches from continuing, because it impacts everyone's right to privacy."
So how do these Web sites get access to customer billing information? Experts believe the records are leaked in a couple of ways. One is through the mishandling of data by employees in call centers or by workers companies doing outsourced tasks for wireless operators.
A common misconception in corporate security is that a company's biggest threat is an outsider trying to hack into a server with sensitive information. But research indicates that Vontu and its rival Vericept have built data-interception products that monitor e-mail, instant messages, FTP files and other electronic communications on corporate networks, sniffing for leaks of sensitive information.--employees, partners and contractors?- . Companies such as
The second way people get their hands on billing information is by simply pretending to be the customer on