Private Investigator Public Records Internet Search Privacy Reporting - PI Buzz

Selected Laws Governing the Disclosure of
Customer Phone Records by Telecommunications
Carriers, a recently released Congressional Research Service report, summarizes the laws, legislation and congressional actions related to telephone call log records. The Federation of American Scientists has a database of some of these CRS reports, which are selectively released by members of Congress.

The Los Angeles County Superior Court has ruled that church personnel files of priests accused of molesting children may be released to the public, whether or not there was a criminal prosecution. The decision affects a small number of clergy but tips the balance in favor of the public right to know over privacy, which could affect many other cases.

Santa Clara County, California is continuing to fight a Superior Court determination that its GIS mapping should be easily available to the public at low cost. Meanwhile, Greenwich, Connecticut has assented to that state’s Supreme Court ruling and will post aerial photographs of the town on its Web site. Both government agencies used the specious defense that freely available geographic information systems maps were a security risk.

Folks in North Carolina may want to comment at the blog of a county Register who removed vital records from the Internet, then wrote about it.

The state police can demand lists of email activity conducted by a business if they deem it relevant to an investigation, according to an opinion by the Nebraska Attorney General. This includes “non content” records retained by providers of electronic communication services, such as ISP records of email headers, but not the email message.

Search the New York local civil court records by index number, party name, attorney/firm or judge. Some courts are online now and others will be added through the year.

Appeals filed with the Minnesota Supreme Court and the Minnesota Court of Appeals are now searchable online. More extensive information is available for cases filed after March 2003.

The Federal Communications Commission has issued new rules related to the disclosure of the personal telephone records of consumers. There are some specific new requirements for the carriers:

- Carriers are prohibited from releasing a customer’s phone call records when a customer calls the carrier except when the customer provides a password.

- Carriers are required to notify the customer when their password is changed

- Carriers must obtain explicit consent from a customer before disclosing a customer’s proprietary network information to a carrier’s joint venture partners or independent contractors

Read the full order and Commissioner comments.

The Federal Trade Commission has settled another telephone pretexting case, Federal Trade Commission, Plaintiff, v. Information Search, Inc. and David J. Kacala, individually and as an officer of Information Search, Inc., Defendants. The FTC will collect $3000 from the telephone information broker, who is also required to abandon the now illegal practice of impersonating telephone subscribers to get toll call records from the telecommunications carrier. The Commission had previously filed suit against Information Search, Inc. for obtaining personal financial bank account records in violation of the federal law known as Gramm-Leach-Bliley.

The Federal Trade Commission testified today at the Committee on Energy and Commerce on, Combating Pretexting: H.R. 936, Prevention of Fraudulent Access to Phone Records Act. The text of the testimony of other participants is not yet available.

The Federal Trade Commission has sought a permanent injunction against Action Research Group and Eye In the Sky Investigations for obtaining and selling to third parties confidential customer phone records in violation of the FTC Act prohibiting deceptive acts.
Federal Trade Commission, Plaintiff, v. Action Research Group, Inc., Joseph Depante, Matthew Depante, Bryan Wagner, Cassandra Selvage, and Eye in the Sky Investigations, Inc., Defendants. (United States District Court for the Middle District of Florida Orlando Division)

Meanwhile, the Federal Communications Commission is getting resistance from telephone companies over proposed rules requiring that customers use a password to access their account information and that the companies get a customer’s permission before they release information for telemarketing.

The Justice Department is objecting to two of the FCC proposals.

The first would tell phone companies to destroy customer records as soon as the records no longer are needed for legitimate business purposes. The government wants the records preserved for possible use in criminal investigations.

Secondly, the two departments want phone companies to notify law enforcement officials first, before customers, when customers’ private billing information has been disclosed improperly.

Private investigator, Bryan Wagner, of Littleton, Colorado pleaded guilty on Friday to identity theft and conspiracy charges in United States District Court in San Jose. His sentencing is now scheduled for June 20 in San Jose federal court.

The private investigator admitted to the two felony counts as part of a plea deal based on his obtaining the SSN’s and telephone toll records of journalists, former Hewlett-Packard directors, and their family members.

Mr. Wagner admitted to “pretexting” the telephone companies into releasing their records. He admitted to using personal information to set up online accounts in the names of several people to access their telephone toll logs and billing records.

Mr. Wagner’s lawyer, Stephen Naratil, stated his client was the “little guy” who was tricked by others into thinking the investigative method he used was legal. He also said that Mr. Wagner would testify for prosecutors as they pursue other figures in the case.

The four other defendants associated with this case have all pleaded not guilty. You can read more about this here.

What’s your opinion on this?

The Federal Trade Commission announced a settlement of its complaint against Integrity Security & Investigation Services for “unfair or deceptive acts or practices in or affecting commerce” by obtaining telephone customer data and credit card purchase records. Four other similar cases against other data brokers are still pending. The FTC has little enforcement authority in this area and the cost for each investigation must be very high for the immediate results.

The settlement bars the defendants from obtaining or selling consumers’ phone records or personal information unless authorized by law or court order. It bars them from pretexting – obtaining records using false pretenses – or hiring others who pretext to obtain phone or financial records. Under the terms of the settlement, the defendants will give up $2,700 in ill-gotten gains – the entire amount they earned from selling the phone records and credit card transaction reports.

The order also requires the defendant to “appear and provide truthful testimony in any trial, deposition, or other proceeding related to or associated with the transactions or the occurrences that are the subject of the Complaint, without the service of a subpoena…”

The FTC action and states’ attorney generals lawsuits shine an ever brighter spotlight on data gathering techniques, which has prompted congressional hearings and more specific state laws banning pretexting to obtain telephone records. No doubt, other industries and research methods will be targeted as a “consumer protection” concern without consideration for other overriding interests.

The legitimate corporate governance issues that prompted the leak investigation by Hewlett-Packard has fallen from the front pages, now covered with the long expected indictments by the California Attorney General, Bill Lockyer, who is a current candidate for State Treasurer. As I mentioned a few weeks ago, Lockyer is charging various parties, from HP’s Patricia Dunn to the individuals who obtained the telephone records, with violations of several criminal statutes. The complaint lists the accusations.

The Federal Trade Commission testified last week on telephone record acquisition before the House Committee on Energy and Commerce Subcommittee on Oversight and Investigations. Joel Winston, an FTC Associate Director, requested that Congress “enact specific prohibitions against telephone records pretexting and to allow the Commission to seek civil penalties against violators…” Winston advocated for an exemption for law enforcement, which have been among the recipients of the data broker’s services, according to those who previously testified before Congress. A law enforcement privilege could further disadvantage criminal defendants, whose representatives would not be accorded the same access.

News and Opinion, in print, audio and video on HP and corporate governance related to telephone records

C-Span, Congressional Hearings on Telephone Pretexting

It is little surprise that Governor Schwarzenegger signed SB 202, Privacy: telephone calling pattern record or list, making the acquisition of a telephone subscriber’s phone call records a crime.[Read more at Computerworld]

Any person who purchases, sells, offers to purchase or
sell, or conspires to purchase or sell any telephone calling pattern record or list, without the written consent of the subscriber, or any person who procures or obtains through fraud or deceit, or attempts to procure or obtain through fraud or deceit any telephone calling pattern record or list shall be punished by a fine not exceeding two thousand five hundred dollars ($2,500), or by imprisonment in a county jail not exceeding one year, or by both a fine and imprisonment. If the person has previously been convicted of a violation of this section, he or she is punishable by a fine not exceeding ten thousand dollars ($10,000), or by imprisonment in a county jail not exceeding one year, or by both a fine and imprisonment.

The prohibition applies to telephone numbers called by the subscriber, not reverse address or telephone information. The California Association of Licensed Investigators (CALI) supported the bill and urged the governor to sign it.

Other states have restricted access to telephone records, among them are Michigan, Maine, Oklahoma, Arizona, Washington and Florida. Other state legislation on telephone records is collected at the National Conference of State Legislatures Web site.

Listen to the live Webcast, Hewlett-Packard’s Pretexting Scandal, followed in relentless pursuit by Internet Data Brokers and Pretexting: Who Has Access to Your Private Records? — Hearings of The U.S House Committee on Energy and Commerce Subcommittee on Oversight and Investigations. The HP broadcast is Thursday, September 28, 2006. The data broker show follows on Friday, September 29, 2006. Both Hearings begin at 10:00AM.

The methods that HP contractors used to secure telephone call logs, “the pretext story”, repeated ad infinitum, has reporters looking for new approaches to this story. The San Jose Mercury News has posted the transcript of a call to Verizon Wireless from 1st Source Information Specialists. It’s an odd selection for an example of a pretext from an information broker since no personal information appears to have been released. Perhaps Verizon’s interest in providing the telephone conversation text is to bolster their position that they are taking effective measures to foil non subscriber access to accounts.

The investigation of the Hewlett-Packard contractors who secured the telephone call logs of phone numbers registered to reporters and HP directors is revealing footprints in Florida, Massachusetts and Iowa, which could lead to investigations and prosecutions by those states Attorneys General.

Meanwhile, the U.S. House Committee on Energy and Commerce sent a letter to Hewlett-Packard
requesting that the company turn over documents listing employees and contractors involved in the leak probe, and “a list of all individuals or entities whose telephone records or other personal consumer information were procured…” The letter specifically requested that no telephone records be provided. I guess the House committee doesn’t want that to become a public record.

The earlier flurry of fines and lawsuits against brokers of telephone subscriber records has continued with this recent gust from AT&T. The company has filed suit in federal court in Texas against 25 entities, which are as yet, unnamed.

AT&T, headquartered in San Antonio, where the suit was filed, hopes to learn the defendants’ identities through their Internet protocol addresses. AT&T has “most if not all” of the defendants’ IP addresses and will ask the court to subpoena the Internet providers to disclose the identities linked to those addresses, spokesman Walt Sharp said.

I gather that the suspected data collectors gained unauthorized access by changing account passwords for either AT&T or their customers to be alerted. If so, the targets of this case may differ from those cited in the FCC investigation –entities which advertised on the Internet–, assuming that they were flying under the radar. Or the purchasers of the personal information may have concluded that they were beyond the reach of the government or courts.

The individuals gained access to the records by “pretexting” or fooling AT&T’s computer or interactive voice response phone system into believing they were real customers. This was done by providing the customer’s telephone number and the last four digits of the customer’s Social Security number or the three-digit customer code associated with the customer’s account, the complaint states. The defendants also sometimes used “spoofing” software to make it appear that they were calling from the customer’s telephone, the complaint alleges.

In each instance, the defendant entered an e-mail address to be associated with the fraudulently established account, and AT&T’s computer servers logged the IP address of the computer accessing the account.

The history of this swarm of regulation, litigation and legislation is recounted in InternetNews.

Technology Evangelist is dismayed by the ease with which humans can talk their way into getting facts.

The California Supreme Court has sided with plaintiffs in their complaint against a bank that recorded telephone conversations that originated in Georgia but terminated in California. Georgia allows one-party consent to audio recording of telephone calls but California requires the permission of all parties.

Although Georgia and most other states permit taping of phone conversations as long as one person consents, Kearney and Levy argued that the bank’s actions violated California’s 39-year-old Invasion of Privacy Act, which — similar to 10 other states — prohibits the recording of any communication without the permission of all affected parties.

The SoCal Law Blog questions the application of the California court’s notion that this state’s privacy law is superior to others.

The Federal Communications Commission (FCC) has issued a fine against the Internet-based data broker of cell phone and telephone subscriber call logs, 1st Source Information Specialists (LocateCell). The press release only names one company but at least 40 Web sites were listed in the EPIC petition.

The Federal Communications Commission (FCC) today found that LocateCell apparently “willfully or repeatedly” violated a Commission order by failing to provide information and documents required by a subpoena. For this failure, the Commission issued a $97,500 Notice of Apparent Liability for Forfeiture against LocateCell.

Specifically, the subpoena required LocateCell to provide information and documents relating to its website advertisement for the sale of consumers’ private telephone records and other customer proprietary network information. The company failed to fully respond to the subpoena and a subsequent Citation. Because LocateCell’s response to the subpoena remains deficient, the Commission proposed the maximum forfeiture for a continuing violation by a non-common carrier of $97,500.

The FCC Commissioners provided a recap of the history of their investigation and statements reflecting the basis for this determination. Commissioner McDowell alludes to the possibility of further fines being levied against similar companies.

LocateCell is not the only company from which the Commission has sought information. Our Enforcement Bureau has been actively investigating a number of these data brokers, many of which have
advertised the availability of records of wireless subscribers’ incoming and outgoing telephone calls, as well as certain landline toll call records, for a fee. The Bureau is also investigating the alleged failure of
carriers to certify compliance with our CPNI rules, and is vigorously pursuing non-compliant companies.
These investigations will continue, and I thank the Bureau for its work in moving these initiatives forward.

View the Webcast of the FCC meeting.

Media outlets, stimulated by today’s U.S. House Committee on Energy and Commerce hearing, Internet Data Brokers and Pretexting: Who Has Access to Your Private Records?, are announcing that law enforcement agencies acquire telephone call logs and telephone subscriber data from information brokers, as if this is news. I mentioned this in a posting last month, when the law enforcement and Department of Homeland Security role in obtaining phone records without a subpoena, was broadly reported. This came to the general public’s awareness because the data brokers who were sent letters by the Commerce committee, demanding that they reveal their customer lists, told the committee that police agencies were one of the largest requesters.

Listen to the House Committee on Energy and Commerce webcast at 2pm (East coast), June 22.

Listen to the NPR report

Read the AP story

The Michigan legislature passed SB 1202, Identity Theft Protection Act, which would prohibit the sale or acquisition of phone records, including VoIP, broadband and cellular, without the customer’s permission.

Sec. 5. (1) A person shall not do any of the following:

(a) With intent to defraud or violate the law, use or attempt to use the personal identifying information of another person to do either of the following:

(i) Obtain credit, goods, services, money, property, a vital record, a confidential telephone record, medical records or information, or employment.

The legislation gives a new, broad exception to law enforcement to obtain records without a warrant. Cold comfort is offered to others who may have legitimate need for the records.

(2) A person who violates subsection (1)(b)(i) may assert 1 or more of the following as a defense in a civil action or as an affirmative defense in a criminal prosecution, and has the burden of proof on that defense by a preponderance of the evidence:

(b) That the person acted in otherwise lawful pursuit or enforcement of a person’s legal rights, including an investigation of a crime or an audit, collection, investigation, or transfer of a debt, child or spousal support obligation, tax liability, claim, receivable, account, or interest in a receivable or account.

(c) That the action taken was authorized or required by state or federal law, rule, regulation, or court order or rule.

The Rhode Island Senate has passed a bill that will give law enforcement special access to telephone company records for subscribers without first obtaining a warrant. This should be of special interest to criminal defense investigators who could face prosecutors holding secret, unknowable evidence. The governor has raised civil liberties concerns, which could doom the legislation.

UPDATE: Bill To Allow Searches of Phone Records Dies

HR 5126, Truth in Caller ID Act of 2006, is in the first stages of consideration by Congress, referred to the House Committee on Energy and Commerce.and the Subcommittee on Telecommunications and the Internet. The sponsor, Joe Barton, launched his campaign with a press release explaining the manipulation of caller id, which was timed to the subcommittee hearing.

This bill is necessary to shut down the growing problem of manipulating caller ID information. Caller ID ’spoofing’ occurs when a caller masquerades as someone else by falsifying the number that appears on the recipient’s caller ID display.

However, it appears that a mismatch between the originating telephone number and that which appears on a calller id box has not emerged as a problem requiring federal legislation. Barton’s example underscores this point.

Everyone is familiar with the caller ID product that provides to a consumer the name and number of who is placing an incoming call. Unfortunately, caller ID spoofing is yet another tool available to criminals to hijack the identity of consumers. For instance, the AARP recently ran a ’scam alert’ when someone posing to be a courthouse employee called a Sterling, Mich. woman claiming that she had missed jury duty that week. The caller threatened that a warrant was being issued for her arrest and then asked her to confirm her Social Security number, to verify her identity. This scam can appear even more real when the con artist uses a caller ID ’spoofing’ product which allows the con to display the name and number of the courthouse on the caller ID box.

This law is aimed at the commercial uses of technology that changes the name and number that displays on the caller id screen. There is inadvertent telephone number altering that occurs when receiving calls from some cell phones which don’t display the exact originating number. Also, 3-way calling, one of the myriad telephone carrier products, will indicate a landline number on caller id linked to a location other than the one associated with the calling party. Police departments are familiar with this problem, which is significant in an emergency situation. This legislation won’t squeeze the telecommunication companies.

Last week, the governor of Maine signed into law LD 2038, An Act To Protect the Privacy of Cellular Telephone Customers. The law specifically bans the unauthorized acquisition and sale of subscriber cell phone records. Read the press release

Oklahoma legislation, HB 2903 - An Act relating to telephone records, prohibiting certain acts with telephone records without the authorization of the customer, has been signed into law, going into affect November 1, 2006.

Procuring or receiving 10 or more telephone records of a subscriber is a felony, punishable by up to 10 years in prison; 1 record could bring a 5 year sentence. This is not restricted to telephone call records but encompasses any subscriber information obtained through deception or without the consent of the subscriber. The only exceptions are for law enforcement, which, as in most of these telephone subscriber privacy bills, is actually given greater latitude in securing personal phone data, and the National Center for Missing and Exploited Children.

HR 4943, To prohibit fraudulent access to telephone records, which was expected to be approved by Congress, has been withdrawn from a House vote, perhaps in light of the recently revealed National Security Agency program collecting telephone activity information without a subpoena or the subscriber’s authorization.

Read the article

I previously reported on this and an other related House bill.

Letter from Ed Markey to Dennis Hastert inquiring about the disappearance of HR 4943.

Arizona Governor Napolitano signed HB 2785, Telephone Records, Unauthorized Sale Prohibited, into law this week. The Arizona law defines civil sanctions and classifies unauthorized access of telephone account information as a misdemeanor. As in other states, Arizona expands law enforcement authority in this area to allow access in the course of “official duties.”

The Arizona papers don’t appear to have given the story much ink.

The Federal Trade Commission, with assistance from the major cell phone carriers, has filed civil suits in 5 federal jurisdictions against resellers of telephone call records, seeking to bar them from this activity and to press them to deliver, to the federal government, any profits they’ve obtained.

U.S. District Court, Central District of California, Federal Trade Commission v. 77 INVESTIGATIONS, INC., and REGINALD KIMBRO:

The FTC brings this action pursuant to Section 13(b) of l9 the Federal Trade Commission Act (”FTC net’), 15 U.S.C. S 53(b), to secure permanent injunctive relief, rescission of contracts,
2211 restitution, disgorgement of ill-gotten gains, and other equitable relief against Defendants for violations of Section 23 24 II S(a) of the FTC Act, 15 U.S.C. § aS(a), in connection with surreptitiously obtaining and selling confidential customer phone records without the customer knowledge or authorization.

Read the FTC press release and all case complaints.

Data brokers, responding to subpoenas issued by the U.S. House Energy and Commerce Committee requesting their customer lists are delivering some surprising material. Apparently, law enforcement is among the customers of the resellers of customer phone records, depending on them to get quick background information to assist in breaking cases. The most prolific purchasers appear to be debt collectors, according to MSNBC, which got a peek at the data sellers letters.

The possibility that the Department of Homeland Security may be acquiring telephone records through the back door is not going down well with the Committee, who probably didn’t consider that they weren’t just going after nobodies.

Rob Douglas, an information security consultant who operates PrivacyToday.com, performed research for the House committee conducting the investigation. He recently quit because he said significant issues “were not being fully investigated.”

In a letter announcing his resignation, Douglas said the committee needs to look into dramatic allegations that officials from the Homeland Security Department are among the law enforcement officials purchasing the cell phone records.

“There have been allegations made by one party in the investigation that the Department of Homeland Security purchased American’s phone records from a company in Texas,” Douglas wrote. “It is not clear that this lead is being fully and aggressively explored.”

The federal legislation that will criminalize unauthorized access to telephone customer data is steaming toward passage. HR 4709, Telephone Records and Privacy Protection Act of 2006
passed the House by 409 to 0, with 23 representatives not voting. I’d say that the Senate will move this with little fanfare.

The bill is unambiguous in defining the covered activity and roles.

…whoever, in interstate or foreign commerce, knowingly and intentionally purchases or receives, or attempts to purchase or receive, confidential phone records information of a covered entity, without prior authorization from the customer to whom such confidential phone records information relates, or knowing or having reason to know such information was obtained fraudulently, shall be fined under this title, imprisoned not more than years, or both.

HR 4943, Prevention of Fraudulent Access to Phone Records Act will be discussed on the floor of the House May 3.