Archive for the ‘Telco’ Category
FTC phone and financial records cases
The Federal Trade Commission announced a settlement of its complaint against Integrity Security & Investigation Services for “unfair or deceptive acts or practices in or affecting commerce” by obtaining telephone customer data and credit card purchase records. Four other similar cases against other data brokers are still pending. The FTC has little enforcement authority in this area and the cost for each investigation must be very high for the immediate results.
The settlement bars the defendants from obtaining or selling consumers’ phone records or personal information unless authorized by law or court order. It bars them from pretexting – obtaining records using false pretenses – or hiring others who pretext to obtain phone or financial records. Under the terms of the settlement, the defendants will give up $2,700 in ill-gotten gains – the entire amount they earned from selling the phone records and credit card transaction reports.
The order also requires the defendant to “appear and provide truthful testimony in any trial, deposition, or other proceeding related to or associated with the transactions or the occurrences that are the subject of the Complaint, without the service of a subpoena…”
The FTC action and the lawsuits by state attorneys general shine an ever brighter spotlight on data-gathering techniques, which has prompted congressional hearings and more specific state laws banning pretexting to obtain telephone records. No doubt, other industries and research methods will be targeted as a “consumer protection” concern without consideration for other overriding interests.
California AG indicts executives and data brokers for identity theft
The legitimate corporate governance issues that prompted the leak investigation by Hewlett-Packard have fallen from the front pages, which are now covered with the long-expected indictments by the California Attorney General, Bill Lockyer, who is a current candidate for State Treasurer. As I mentioned a few weeks ago, Lockyer is charging various parties, from HP’s Patricia Dunn to the individuals who obtained the telephone records, with violations of several criminal statutes. The complaint lists the accusations.
The Federal Trade Commission testified last week on telephone record acquisition before the House Committee on Energy and Commerce Subcommittee on Oversight and Investigations. Joel Winston, an FTC Associate Director, requested that Congress “enact specific prohibitions against telephone records pretexting and to allow the Commission to seek civil penalties against violators…” Winston advocated for an exemption for law enforcement, which has been among the recipients of the data brokers’ services, according to those who previously testified before Congress. A law enforcement privilege could further disadvantage criminal defendants, whose representatives would not be accorded the same access.
California law bans unauthorized access to telephone call logs
It is little surprise that Governor Schwarzenegger signed SB 202, Privacy: telephone calling pattern record or list, making the acquisition of a telephone subscriber’s phone call records a crime. [Read more at Computerworld]
Any person who purchases, sells, offers to purchase or sell, or conspires to purchase or sell any telephone calling pattern record or list, without the written consent of the subscriber, or any person who procures or obtains through fraud or deceit, or attempts to procure or obtain through fraud or deceit any telephone calling pattern record or list shall be punished by a fine not exceeding two thousand five hundred dollars ($2,500), or by imprisonment in a county jail not exceeding one year, or by both a fine and imprisonment. If the person has previously been convicted of a violation of this section, he or she is punishable by a fine not exceeding ten thousand dollars ($10,000), or by imprisonment in a county jail not exceeding one year, or by both a fine and imprisonment.
The prohibition applies to telephone numbers called by the subscriber, not reverse address or telephone information. The California Association of Licensed Investigators (CALI) supported the bill and urged the governor to sign it.
Other states have restricted access to telephone records, among them Michigan, Maine, Oklahoma, Arizona, Washington and Florida. Other state legislation on telephone records is collected at the National Conference of State Legislatures Web site.
U.S. House Hearings on phone records and pretexting
Listen to the live Webcast, Hewlett-Packard’s Pretexting Scandal, followed in relentless pursuit by Internet Data Brokers and Pretexting: Who Has Access to Your Private Records? — Hearings of the U.S. House Committee on Energy and Commerce Subcommittee on Oversight and Investigations. The HP broadcast is Thursday, September 28, 2006. The data broker show follows on Friday, September 29, 2006. Both hearings begin at 10:00 AM.
HP pretexting debacle and reality journalism
The methods that HP contractors used to secure telephone call logs, “the pretext story”, have been repeated ad infinitum, and reporters are looking for new approaches to this story. The San Jose Mercury News has posted the transcript of a call to Verizon Wireless from 1st Source Information Specialists. It’s an odd selection for an example of a pretext from an information broker, since no personal information appears to have been released. Perhaps Verizon’s interest in providing the telephone conversation text is to bolster its position that it is taking effective measures to foil non-subscriber access to accounts.
The investigation of the Hewlett-Packard contractors who secured the telephone call logs of phone numbers registered to reporters and HP directors is revealing footprints in Florida, Massachusetts and Iowa, which could lead to investigations and prosecutions by those states’ attorneys general.
Meanwhile, the U.S. House Committee on Energy and Commerce sent a letter to Hewlett-Packard requesting that the company turn over documents listing employees and contractors involved in the leak probe, and “a list of all individuals or entities whose telephone records or other personal consumer information were procured…” The letter specifically requested that no telephone records be provided. I guess the House committee doesn’t want that to become a public record.
AT&T sues for answers; Your world. Delivered. To whom?
The earlier flurry of fines and lawsuits against brokers of telephone subscriber records has continued with this recent gust from AT&T. The company has filed suit in federal court in Texas against 25 entities, which are as yet unnamed.
AT&T, headquartered in San Antonio, where the suit was filed, hopes to learn the defendants’ identities through their Internet protocol addresses. AT&T has “most if not all” of the defendants’ IP addresses and will ask the court to subpoena the Internet providers to disclose the identities linked to those addresses, spokesman Walt Sharp said.
I gather that the suspected data collectors gained unauthorized access by changing account passwords for either AT&T or their customers to be alerted. If so, the targets of this case may differ from those cited in the FCC investigation – entities which advertised on the Internet – assuming that they were flying under the radar. Or the purchasers of the personal information may have concluded that they were beyond the reach of the government or courts.
The individuals gained access to the records by “pretexting” or fooling AT&T’s computer or interactive voice response phone system into believing they were real customers. This was done by providing the customer’s telephone number and the last four digits of the customer’s Social Security number or the three-digit customer code associated with the customer’s account, the complaint states. The defendants also sometimes used “spoofing” software to make it appear that they were calling from the customer’s telephone, the complaint alleges.
In each instance, the defendant entered an e-mail address to be associated with the fraudulently established account, and AT&T’s computer servers logged the IP address of the computer accessing the account.
The history of this swarm of regulation, litigation and legislation is recounted in InternetNews.
Technology Evangelist is dismayed by the ease with which humans can talk their way into getting facts.





