WASHINGTON-Privacy groups oppose Bush administration efforts to require wireless carriers and others to delay notifying customers when phone records and other personal data are stolen through subscriber impersonation and other fraudulent means.
The Department of Justice wants a pretexting safeguard rule under consideration by the Federal Communications Commission to include a provision that would direct carriers to contact law enforcement first and later alert subscribers when theft of customer proprietary network information, or CPNI, is discovered in order to avoid compromising criminal investigations.
“We . strongly support the right of consumers to be notified in the event of breaches of personal data, including CPNI. However, immediate consumer notification of a breach may tip off the person(s) responsible, causing them, among other things, to destroy evidence, change their behavior, and accelerate their illegal use of any data before consumers or company victims can act,” said Deputy Attorney General Paul McNulty in a letter to FCC Chairman Kevin Martin. “These concerns are particularly acute in cases involving access to electronically stored records where the electronic evidentiary trail is often short lived and easily compromised by the target.”
Under the DoJ plan, wireless and other telecom carriers generally would have up to seven business days to inform the Secret Service and FBI that a customer’s phone records were stolen.
Victimizing victims
The Electronic Privacy Information Center said the DoJ’s initiative is ill-conceived and only further victimizes victims of phone-record theft.
“It doesn’t seem that it works in consumers’ best interest,” said Lillie Coney, associate director of EPIC. “The whole point is to limit [a customer’s] exposure. . You need to notify them immediately.”
Jim Dempsey, policy director at the Center for Democracy & Technology, agreed. The benefits of promptly telling customers of phone-record theft outweigh law enforcement’s concern about lost opportunities in criminal probes. Because very few pretexting cases will be prosecuted, policy-makers should concentrate on having telecom carriers improve protection of subscribers’ proprietary phone data, Dempsey added.
The FCC is nearing a decision to force cellphone operators and other service providers to better protect the privacy of subscribers’ phone records. The FCC could have wireless carriers require a password from those seeking phone records and limit operators’ abilities to freely share subscriber data with joint-venture partners and others.
Congress last year passed legislation to criminalize pretexting, but failed to act on a separate bill that would force carriers to take additional steps to protect the privacy of phone records. That measure has yet to be re-introduced in Congress.
Carrier dilemma
The DoJ’s push to delay customer notification when pretexting is detected puts industry in a dilemma of sorts. Cellular carriers want to cooperate with law enforcement, but also must avoid disenfranchising their customer base such that subscribers lose confidence in operators’ ability to protect and champion privacy.
In addition, the wireless industry is furiously lobbying the FCC to dissuade regulators from doing anything that could hurt their business. Sprint Nextel Corp. told the FCC any rule requiring carriers to obtain a customer’s opt-in consent before sharing subscriber data with independent contractors and JV partners would complicate customer service transactions. Moreover, noted Sprint Nextel, an opt-in approach likely would not curb pretexting.
