WASHINGTON - News stories late last week highlighted the tightrope wireless carriers must walk as they try to help law enforcement and protect their customers’ privacy at the same time.
On one hand, Sprint Nextel Corp. found itself defending its privacy-protection policies when it did not readily give the location of a phone in a stolen vehicle that had a kidnapped child inside. On the other hand, the wireless industry was condemned on the CBS Evening News Thursday for making customer call records available to online data brokers, something the industry adamantly denies.
In addition to the CBS News story, John Aravosis of Americablog.com said last Thursday he was able to obtain the cell-phone records of retired Army General Wesley Clark.
“All we needed was General Clark’s cell-phone number and our credit card, and 24 hours later we had 100 calls the general made on his cell phone in November,” posted Aravosis. “This is clearly outrageous. But let me first say, as an aside, that I bought my own Cingular Wireless (L.L.C.) phone records this past weekend and reported on it. I wouldn’t do this to any other public person without first doing it to myself. But even after reporting on this gross violation of my (and your) personal privacy, Congress, the administration, and the phone companies have yet to act effectively.”
According to Aravosis’ post, Clark’s carrier is T-Mobile USA Inc.’s Omnipoint business.
“T-Mobile takes the protection of our customers’ privacy seriously. We are not affiliated with any party that sells call records, we do not sell call records, and anyone that purports to offer this service is engaging in an unlawful activity,” said T-Mobile USA in a statement. “The tactics of the companies that are selling call records are deplorable and we believe often are fraudulent.”
Cingular said it is “aggressively fighting back against these websites that offer wireless phone records for sale. We will NOT tolerate theft of customer records,” wrote Rochelle Cohen, a Cingular spokeswoman, in an e-mail to RCR Wireless News.
There are a variety of online services that claim to be able to supply cell-phone data. For example, a Google search of “cell-phone records” listed datatraceusa.com as one such vendor. Datatraceusa claims that for $110 it can provide all the incoming and outgoing calls in a user’s most recent billing cycle, available in one to three hours. The contact button, which purports to connect you to a live person, was unavailable.
It is unclear how datatraceusa.com and other such vendors are accessing subscribers’ records. Some suspect they are engaging in so-called pretexting, or impersonating the subscriber whose records they are trying to get.
Such online services fall into a cloudy legal area. Although there is legislation barring identity theft, no law specifically targets firms that sell cell-phone records.
Because of the lack of such legislation, liberal grassroots group Moveon.org started a petition drive to get Congress to act. The group sent out 110,000 e-mails to encourage members to sign the petition, and in less than 24 hours had 27,000 signatures, said Adam Green, civic communications actions director for Moveon.org.
“Our campaign does two things. It educates people about the problem and it mobilizes them,” Green told RCR Wireless News. “We wanted to know if people found out about this egregious violation of privacy, would they care? They seem to.”
Green hopes the Moveon.org campaign will spur congressional action. Sen. Charles Schumer (D-N.Y.) has previously expressed outrage that while financial records are specifically protected, communications records are not.
Some have decided to act on a state level. The governor of Illinois plans to push for state legislation on the topic when the state’s general assembly meets in the spring.
“It is shocking how easily cell-phone records can be purchased,” said Gov. Rod Blagojevich (D).
CTIA wants those participating in data brokering to be prosecuted. “The wireless industry goes to great lengths to protect its customers’ privacy. We urge the appropriate government authorities to take action necessary to shut down this illegal activity and severely punish those who illegally obtain and market these records,” said CTIA President Steve Largent.
Privacy advocates want stricter rules governing the release of consumer proprietary network information. The Electronic Privacy Information Center petitioned the Federal Communications Commission last summer to tighten rules to cover third-party data brokers specifically.
“The security standards that carriers use to verify the identity of the CPNI (consumer proprietary network information) requestor have been insufficient to prevent unauthorized third parties from acquiring and exploiting such data for personal and financial gain, providing a significant security loophole through which other privacy and security violations flow. Telecommunications carriers are not responsible for actively disseminating information to unauthorized third parties. Rather, unauthorized third parties have been exploiting security standards at the carriers to access and sell the information acquired through illegal means,” said EPIC in its petition.
CTIA opposed the EPIC petition, saying it would cost too much.
“Confusing the victim with the information brokers who steal customers’ identities to obtain account information through pretexting, EPIC argues carriers’ practices are responsible for security problems and urges the FCC to initiate a rulemaking to enhance safety measures and authentication standards for CPNI. CTIA believes new rules are not the answer, as the imposition of redundant and inflexible security rules would not curtail the fraudulent activity, but would impose considerable costs on carriers and ultimately consumers,” said CTIA.
As for Sprint Nextel and the carrier’s refusal to immediately give the location of a phone in a stolen vehicle, the carrier said it was working to balance customers’ privacy against law enforcement’s needs.
“There is some concern as we try to balance privacy and safety,” said Sean Hughes, a spokesman for Sprint Nextel. “There are folks that try for unscrupulous reasons to get information they are not entitled to.”
When the Riverside, Calif., sheriff’s department first notified the carrier about the stolen car and kidnapped child, Sprint Nextel explained that the officers would need to fill out a one-page form and fax it back on department letterhead in order to get the phone’s location information.
“They were working on getting that information to us” when the vehicle was located with the child safe inside, said Sean Hughes, Sprint Nextel spokesman.
Although there was also some confusion about a $25 fee Sprint Nextel charges for such information, Hughes emphatically stated that the $25 fee was not applicable in this case. He said he does not know how it became part of the mass media story.
Hughes said Sprint Nextel followed the industry’s standard operating procedure for giving out location information to law enforcement.
“We received more than 300,000 subpoenas for general information last year, and 2,000 for emergency requests,” he said.
A similar carjacking situation in another city was resolved with Sprint Nextel’s help last week, said Hughes.