Telcos may face new antipretexting regulations
Proposal by two Congress members would require phone carriers to notify customers whose records have been unlawfully accessed.
The Consumer Telephone Records Protection Act, introduced on Tuesday by Rep. Jay Inslee (D-Wash.) and Rep. Marsha Blackburn (R-Tenn.), would also reiterate that it's unlawful for anyone to obtain confidential information about others through fraudulent means, popularly known as "pretexting."
It's already a crime, punishable by prison time, to buy, sell or obtain personal phone records under a bill signed into law last month by President Bush. An Inslee aide said her boss' bill is also necessary because it would give the Federal Trade Commission explicit authority to investigate and prosecute such incidents.
The FTC has already tried to prohibit telephone pretexting under Section 5 of the FTC Act, which bars "unfair or deceptive acts" in business practices. Last year, the organization filed several lawsuits against companies that sell phone records on the Internet.
At the RSA Conference in San Francisco on Wednesday, FTC Chairman Deborah Majoras recounted her agency's successes in pursuing pretexters so far. (In fact, the FTC had been pursuing pretexters as far back as 2003, according to congressional testimony.)
Majoras stressed, too, that companies must be careful with customers' information. The "basic proposition is that companies must maintain reasonable and appropriate measures to protect personal information," she said.
But some commissioners have suggested in congressional hearings that an outright ban on the practice would make their work easier.
Efforts to outlaw the technique took on renewed urgency last year after word that investigators hired by Hewlett-Packard, in a quest to trace the source of boardroom media leaks, employed pretexting to nab the phone records of journalists, including three from CNET News.com, and company board members.
An Inslee aide said the congressman's bill would require phone companies to notify anyone whose records may have been improperly accessed (it's currently an optional practice). She couldn't point to a specific incident in which a carrier had withheld such information.
The focus on additional obligations for phone companies extends to other politicians, who have indicated interest in enacting legislation beyond what passed last year. A bill reintroduced this year by Sen. Ted Stevens (R-Alaska), for instance, would instruct the Federal Communications Commission to consider adopting stricter rules about protecting the security and confidentiality of phone records.
Another antipretexting bill, which failed to go to a floor vote last year, sought broader regulations. It would have required phone companies to "institute customer-specific identifiers" for access to information, encrypt all sensitive customer data, and delete it after a certain period of time. At a hearing last year, some wireless carriers hesitated to endorse the suggestions, saying they were overly prescriptive and that requiring customers, for instance, to remember yet another password, could do more harm than good.
CNET News.com's Declan McCullagh contributed to this report