Numerous Web sites, such as Locatecell.com and CellTolls.com, are advertising that they can provide records of incoming and outgoing cell phone calls--for less than $100, in some cases. That kind of information is often used by law enforcement agencies in their investigations. However, the online availability of such data could be exploited by criminals, such as stalkers, abusive spouses or identity thieves, experts have warned.
Wireless operators claim these sites get customer information through fraud, such as posing as a customer and asking for information about an account.
Lawmakers on Capitol Hill and law enforcement agencies are vowing to protect consumers' cell phone records by penalizing those who use deception to obtain customer information. But some experts say the problem won't go away unless phone companies better protect customer data.
Experts say there are several steps operators can take to verify that a records request is legitimate, including use of a customer password system, confirmation of each request by sending a text message to the customer's cell phone and implementation of auditing systems at customer service centers.
The practice of using trickery to obtain the records from phone companies has been the subject of news reports for months. The issue reached a fever pitch when Washington, D.C.-based blogger John Aravosis posted on his site Americablog.com a detailed account of how easy it was for him to buy his own cell phone records, and then purchase the records of Gen. Wesley Clark, a former candidate for U.S. president.
Cell phone companies say they are taking a stand against those selling this information. In the last couple of weeks, Cingular Wireless and Verizon Wireless have requested court orders against data brokers accused of obtaining the records through fraud. The Federal Communications Commission's enforcement bureau this week also said it's looking into companies that obtain telephone records without the customer's approval or knowledge.
Now federal lawmakers are jumping on the bandwagon, introducing legislation in both the House of Representatives and in the Senate to criminalize the activity of obtaining customer information falsely. For example, Sens. Charles E. Schumer (D- N.Y.), Arlen Specter (R-Pa.) and Bill Nelson (D-Fla.) introduced a bill earlier this week that would make it illegal to pose as someone else when calling a phone company, or for an employee to sell customer data. On the state level, the office of Connecticut Attorney General Richard Blumenthal launched an investigation of companies that may have illegally sold consumers' cell phone data.
It's clear the low-hanging fruit in these lawsuits, investigations and proposed legislation are the online businesses that sell and advertise the availability of this information. But shutting down a few Web sites won't fix the problem, experts said. Some people believe that as an industry, the cell phone companies need to improve how they secure the personal billing information of the almost 20 million wireless subscribers in the U.S.
"Phone companies can definitely do a better job securing data," said Sherwin Siy, staff counsel for the Electronic Privacy Information Center in Washington, D.C. "It's extremely important that something be done to prevent these breaches from continuing, because it impacts everyone's right to privacy."
So how do these Web sites get access to customer billing information? Experts believe the records are leaked in a couple of ways. One is through the mishandling of data by employees in call centers or by workers companies doing outsourced tasks for wireless operators.
A common misconception in corporate security is that a company's biggest threat is an outsider trying to hack into a server with sensitive information. But research indicates that Vontu and its rival Vericept have built data-interception products that monitor e-mail, instant messages, FTP files and other electronic communications on corporate networks, sniffing for leaks of sensitive information.--employees, partners and contractors?- . Companies such as
The second way people get their hands on billing information is by simply pretending to be the customer on the account. They may, for example, call a customer service operator and ask for a copy of the last few months' bills. They then ask to have it sent to them via e-mail, fax or a mailing address not listed on the account. Called "pretexting," this practice is already illegal for people trying to fraudulently obtain financial records. The new laws that are being introduced further clarify the strictures against such behavior and will make it explicitly illegal to pretend to be someone else to obtain billing information for phone service.
"The kinds of information that is available in call centers, coupled with access to the Internet that people working in these centers have, is a perfect storm for data breaches," said Kit Robinson, the director of corporate communications for Vontu. "The key to protecting data in any company is having a policy about how to handle sensitive data and enforcing it from a personnel perspective, as well as from a technology perspective."
Experts say there are several things that the cell phone companies can do to mitigate these issues.
Require customers to have a password to access their call records or billing information. When someone calls for information on the bill, they must enter a secure personal-identification number to get data. Customers can request that this be added to their account, but most cell phone operators do not require it.
Send short text messages to customers' cell phones every time there is a request for their personal information. They can respond to these messages to authorize the delivery of this information.
Implement internal auditing tools in call centers. Several companies offer software that can look for anomalies in employee behavior to see if a particular worker may be mishandling data. For example, if an employee accesses dozens of files at the end of every shift, it may because that employee is copying files and selling them.
Policies and procedures
Despite the widespread availability of all kinds of billing information on the Internet, Cingular and Verizon claim they have already been implementing many of these safeguards. And, they say they are continually improving security.
"We are constantly looking at our policies and procedures as it relates to customers and their interaction with the company," said Jeffrey Nelson, a spokesman for Verizon. "I can't say what exactly we've been doing internally to protect customer information, but we are looking at best practices in other industries that deal with even more sensitive information than we do. We've already started taking steps toward improvement."
Cingular said that it has also been focusing on improving how it handles customer data and how it trains employees to deal with people seeking sensitive information.
"Some of the steps we're taking are more human in terms of training and ensuring that our employees follow strict guidelines," said Mark Siegel, a Cingular spokesman. "We're using this situation as an opportunity to tighten our security and improve the good work that our employees are already doing."
But some people, including lawmakers, say it's clear that more needs to be done to safeguard customer information.
"The protection of an individual's personal information is a high priority with me," U.S. Rep. Joe Barton, a Texas Republican and the chairman of the House Energy and Commerce Committee, said in a statement. "While businesses have legitimate reasons to compile and keep the data that define our lives, they have a responsibility to safeguard it as if it were their own."
Barton is introducing a bill in the House of Representatives that will make pretexting for obtaining phone records illegal. And he is also calling for penalties for cell phone operators that do not properly protect personal information.
"It seems to me that the most sensible action we can take quickly to thwart the buyers and sellers of personal phone records is to make pretexting illegal," he said. "I will introduce legislation to accomplish that, and my bill will substantially increase the penalties if telephone companies release consumer telephone records without the permission of the consumer."