[Senate Hearing 109-452]
[From the U.S. Government Publishing Office]

S. Hrg. 109-452

PROTECTING CONSUMERS' PHONE RECORDS

HEARING before the SUBCOMMITTEE ON CONSUMER AFFAIRS, PRODUCT SAFETY, AND INSURANCE OF THE COMMITTEE ON COMMERCE, SCIENCE, AND TRANSPORTATION, UNITED STATES SENATE

ONE HUNDRED NINTH CONGRESS, SECOND SESSION

FEBRUARY 8, 2006

Printed for the use of the Committee on Commerce, Science, and Transportation

U.S. GOVERNMENT PRINTING OFFICE 27-705 WASHINGTON : 2006

For sale by the Superintendent of Documents, U.S. Government Printing Office. Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; DC area (202) 512-1800 Fax: (202) 512-2250 Mail: Stop SSOP, Washington, DC 20402-0001

SENATE COMMITTEE ON COMMERCE, SCIENCE, AND TRANSPORTATION

ONE HUNDRED NINTH CONGRESS, SECOND SESSION

TED STEVENS, Alaska, Chairman
JOHN McCAIN, Arizona
CONRAD BURNS, Montana
TRENT LOTT, Mississippi
KAY BAILEY HUTCHISON, Texas
OLYMPIA J. SNOWE, Maine
GORDON H. SMITH, Oregon
JOHN ENSIGN, Nevada
GEORGE ALLEN, Virginia
JOHN E. SUNUNU, New Hampshire
JIM DeMINT, South Carolina
DAVID VITTER, Louisiana

DANIEL K. INOUYE, Hawaii, Co-Chairman
JOHN D. ROCKEFELLER IV, West Virginia
JOHN F. KERRY, Massachusetts
BYRON L. DORGAN, North Dakota
BARBARA BOXER, California
BILL NELSON, Florida
MARIA CANTWELL, Washington
FRANK R. LAUTENBERG, New Jersey
E. BENJAMIN NELSON, Nebraska
MARK PRYOR, Arkansas

Lisa J. Sutherland, Republican Staff Director
Christine Drager Kurth, Republican Deputy Staff Director
Kenneth R. Nahigian, Republican Chief Counsel
Margaret L. Cummisky, Democratic Staff Director and Chief Counsel
Samuel E. Whitehorn, Democratic Deputy Staff Director and General Counsel
Lila Harper Helms, Democratic Policy Director

SUBCOMMITTEE ON CONSUMER AFFAIRS, PRODUCT SAFETY, AND INSURANCE

GEORGE ALLEN, Virginia, Chairman
TED STEVENS, Alaska
CONRAD BURNS, Montana
JIM DeMINT, South Carolina
DAVID VITTER, Louisiana

MARK PRYOR, Arkansas, Ranking
DANIEL K. INOUYE, Hawaii
BARBARA BOXER, California

CONTENTS

Hearing held on February 8, 2006
Statement of Senator Allen
Statement of Senator Boxer
    Prepared statement
Statement of Senator Burns
    Prepared statement
Statement of Senator Dorgan
Statement of Senator Inouye
    Prepared statement
Statement of Senator Bill Nelson
Statement of Senator Pryor
Statement of Senator Smith
Statement of Senator Stevens
    Prepared statement
Statement of Senator Vitter

Witnesses

Douglas, Robert, Chief Executive Officer, PrivacyToday.com
    Prepared statement
Largent, Hon. Steve, President/Chief Executive Officer, Cellular Telecommunications and Internet Association (CTIA)
    Prepared statement
Monteith, Kris Anne, Chief, Enforcement Bureau, Federal Communications Commission
    Prepared statement
Parnes, Lydia B., Director, Bureau of Consumer Protection, Federal Trade Commission
    Prepared statement
Rotenberg, Marc, Executive Director, Electronic Privacy Information Center
    Prepared statement
Schumer, Hon. Charles, U.S. Senator from New York
Southworth, Cindy, Director, Technology and the Safety Net Project, National Network to End Domestic Violence
    Prepared statement

Appendix

Response to written questions submitted by Hon. Daniel K. Inouye to:
    Kris Anne Monteith
    Lydia B. Parnes
    Marc Rotenberg
    Cindy Southworth

PROTECTING CONSUMERS' PHONE RECORDS

WEDNESDAY, FEBRUARY 8, 2006

U.S. Senate, Subcommittee on Consumer Affairs, Product Safety, and Insurance, Committee on Commerce, Science, and Transportation, Washington, DC.

The Subcommittee met, pursuant to notice, at 2:30 p.m. in room SD-562, Dirksen Senate Office Building, Hon. George Allen, Chairman of the Subcommittee, presiding.

OPENING STATEMENT OF HON. GEORGE ALLEN, U.S. SENATOR FROM VIRGINIA

Senator Allen. Good afternoon. I call this hearing of the Senate Subcommittee on Consumer Affairs, Product Safety, and Insurance to order. This hearing is going to examine ways to protect consumers' phone records from being fraudulently obtained and sold into the public domain. I am pleased to see the Ranking Member of the Subcommittee, Senator Pryor, here with us, as well as the Chairman of the Full Committee, Senator Stevens, and the Ranking Member, Senator Inouye. Senator Vitter and Senator Burns and other Senators will be appearing.
This is a very serious topic that is disturbing to all of us, that people can fraudulently obtain someone's phone records surreptitiously, without their knowledge, and invade their privacy. We appreciate all the witnesses who will be here today. We are going to, instead of two panels, have all the witnesses in one panel, all six, after we hear from Senator Schumer. We appreciate all of you being here. We look forward to your testimony. The impetus, of course, of this hearing today is the deceptive practice of obtaining and selling confidential phone records without an owner's consent. I know I probably speak for all Americans, and Members of the Subcommittee, when I say that it was important to take action as soon as we heard that these unscrupulous marketers were obtaining and selling confidential personal phone billing records. This is fraudulent and criminal activity that must be prosecuted and must be stopped to protect innocent people. Especially of concern to me are the rights of some women, who have had their privacy violated by stalkers who use the information to get details of their personal lives--also harming law enforcement investigations. This fraudulent activity can be every bit as harmful, and in some cases even more disconcerting, than when a third party uses false pretenses to obtain an innocent person's confidential financial records. In some cases, even physical harm can result from one's private phone records becoming a public record. We have a witness today who will explain how domestic violence can result if a woman's call records are divulged to an abusive spouse or an ex-boyfriend. We will also hear how law enforcement can be hindered if records of an undercover agent are suddenly made available to a criminal party. We all feel that we cannot allow these unscrupulous, deceptive, and fraudulent practices to continue. 
That is why Chairman Stevens and I, along with the Ranking Member, Senator Pryor, decided that we should hold a hearing, listen, learn, and then craft legislation, effective legislation--do not just pass a bill, but let us make sure this is effective legislation--to protect innocent individuals from becoming prey to conniving people willing to make a quick buck by violating someone's privacy and security. Senator Stevens and I and others are working on legislation to address this issue, but it is important that we listen. We will hear from our witnesses today regarding a prudent, balanced perspective on how to ensure that customer phone records are protected. We hope that our witnesses will offer to us possible solutions as well. We look forward to hearing from each of our witnesses on a commonsense and properly focused solution to avoid any unintended consequences. In fact, any Federal involvement in addressing deceptive business practices can harm, obviously, consumers; it does need to be reasonable; and, it needs to be effective. With that, I would now like to turn it over to Senator Pryor if he would like to make an opening statement, and then opening statements from--while he was not the next one here, I will defer to the Chairman and Ranking Member, and then in the order in which Senators arrived. Senator Pryor.

STATEMENT OF HON. MARK PRYOR, U.S. SENATOR FROM ARKANSAS

Senator Pryor. Thank you, Mr. Chairman. The Internet has provided a whole new world of information services and a vigorous platform to conduct commerce. Unfortunately, the success of the Internet has also created problems regarding consumer privacy, which this Committee has wrestled with for the past several years. There has been spam, spyware, identity theft, and several other issues we have tackled with varying degrees of success. Congress has been addressing issues of privacy in a piecemeal fashion and this approach, quite frankly, places us at a disadvantage.
There is always a new threat to our privacy because of the very nature of changing technology and Congress has to address each threat separately. Today we face the threat of data brokers selling cell phone records with $100 in their pocket. Phone records make the owner of that phone number especially vulnerable. These records show every incoming and outgoing number, the duration of the call, and even the location of the numbers called. GPS systems are on all cell phones now, making it possible for sophisticated parties to track the person holding the cell phone. I reviewed the testimony and our witnesses note that some data brokers have been selling cell phone records for years and have likely been obtaining these records by legally questionable practices. There can be only a few ways to get a cell phone number and record for virtually anyone in the United States just within a few hours. The sellers either get the information by fraudulent misrepresentations, or pretexting, hacking into a phone company database, or bribing a phone company employee to steal this information. However this information gets into the hands of data brokers, it has to stop. The consequences of this type of information being available to anyone are too severe. As the Chairman mentioned a moment ago, murderers have been aided by the information sold by these data brokers and countless others have been endangered. The Federal Trade Commission and the Federal Communications Commission have regulatory responsibility in protecting the privacy of consumers. The FTC has jurisdiction over the data brokers and other sellers of this type of information via its authority from section 5 of the FTC Act. The FCC has jurisdiction over the telecommunications company via section 222 of the 1996 Telecommunications Act. We need to make sure that both agencies have the statutory authority they need to quickly and effectively end this activity. 
Most importantly, we must make sure that both agencies use their authority aggressively and that they are working together to vigorously protect and prosecute these cases. I look forward to hearing from today's witnesses and moving quickly toward a solution that will protect all of America's consumers. I would also like to welcome Senator Schumer, wherever he may be, because he has done some work on this issue and he has really shown some leadership here. Mr. Chairman.

Senator Allen. Thank you, Senator. Now we would like to hear from the Chairman of the Full Committee, Senator Stevens, who has been working and trying to address this matter. We thank you, Mr. Chairman, for allowing the Subcommittee to hold this hearing, and I think it will allow us to craft workable and effective legislation.

STATEMENT OF HON. TED STEVENS, U.S. SENATOR FROM ALASKA

The Chairman. Thank you, Mr. Chairman. I would ask that you put my prepared remarks in the record.

Senator Allen. Without objection.

The Chairman. I am here despite another conflict because I want to listen to the FCC. I am particularly interested in knowing why the FCC regulation requires notice to a party before moving to an enforcement action. In effect, they give notice to the people that are doing wrong that they are about ready to look into whether they are doing wrong. So they just disappear and we never have a real enforcement. So I hope that FCC can address that. But please put my statement in the record. Thank you.

Senator Allen. Without objection, the full statement will be put in the record. If opening statements could be limited to 5 minutes, and full statements will be made part of the record.

[The prepared statement of Senator Stevens follows:]

Prepared Statement of Hon. Ted Stevens, U.S. Senator from Alaska

The recent reports detailing the ease with which third parties can access private phone records are alarming.
These reports have shown us that it is important that Congress ensure that Americans' phone records are protected and that there will be severe penalties for invading phone record privacy. I have been working on crafting a legislative solution to address this growing problem and assess the proper role of government. As we move forward, I look forward to continuing to work with the industry, the relevant Federal agencies, and other Members of Congress to ensure that all phone records are kept safe. This hearing is an important step as this Committee addresses this issue. But we are not alone in this fight, and I look forward to hearing the thoughts of the Federal agencies with oversight, the industry, and concerned public interest groups.

Senator Allen. Now we would like to hear from the Ranking Member of the Full Committee, Senator Inouye.

STATEMENT OF HON. DANIEL K. INOUYE, U.S. SENATOR FROM HAWAII

Senator Inouye. Mr. Chairman, I thank you very much and commend you for convening this hearing. I wish to associate myself with your remarks, with that of the Chairman Stevens, and Mr. Pryor as I see what is pending before us, the horrendous possibility of invasion of privacy. I have got a cell phone and all of us have cell phones and just the thought that someone is passing information to others just horrifies me. Thank you very much, sir. May I have my statement put in the record.

Senator Allen. Your full statement will be made part of the record.

[The prepared statement of Senator Inouye follows:]

Prepared Statement of Hon. Daniel K. Inouye, U.S. Senator from Hawaii

It was troubling to learn that unscrupulous data brokers have made a business of selling consumers' personal phone records. Equally disturbing is the fact that the Federal Trade Commission (FTC) received numerous complaints about these egregious practices and refused to act on them.
While many recent identity theft scams have employed tech-savvy tactics of hackers, the sale of consumer phone records is simply the work of swindlers. It is well within the FTC's current authority to address this problem. I understand the FTC found numerous instances of cell phone record sales in other investigations related to financial services and chose to turn a blind eye. Unfortunately, the FTC's inaction resulted from a lack of attention, not a lack of authority. Nonetheless, if further clarity and additional authority are necessary, this Committee should not hesitate to provide it.

The Federal Communications Commission (FCC) has a key role to play as well. The FCC must ensure that telecommunications providers are doing all that is necessary to protect the confidentiality of consumers' phone records, or what is also known as customer proprietary network information (CPNI). The FCC appears to be taking this matter seriously. Next week, the FCC will consider ways to strengthen CPNI safeguards through rulemaking. In addition, FCC Chairman Kevin Martin has recommended specific Congressional action to address this problem, including enhancing the FCC's enforcement authority.

We also need to keep in mind emerging services, such as Voice over Internet Protocol (VoIP). They, too, must be subject to the same privacy requirements. Consumers have every right to expect that their personal data will be protected regardless of the communications service they choose to utilize.

It is my hope that the recent press attention to this matter has served as a wake up call, and that, in the interest of consumer privacy and public safety, the FTC and FCC do everything they can to eliminate these egregious practices as quickly as possible. I can assure both agencies that this Committee will be a willing and cooperative partner in their efforts.

Senator Allen. Now we would like to hear from Senator Vitter of Louisiana. Welcome, Senator.

STATEMENT OF HON. DAVID VITTER, U.S. SENATOR FROM LOUISIANA

Senator Vitter. Thank you, Mr. Chairman, and thank you for holding the hearing today. It is clearly a very important issue. I join everybody in expressing my concern and outrage about data broker companies with fraudulent websites selling these sorts of records. It is clearly a part of the growing family of issues like identity theft that we need to get ahead of the curve on in this Committee, and this Subcommittee is a big part of that. I understand, as others have said, that there are many theories about how these data brokers get this information. It could come from inside the wireless companies by a corrupt employee, by hacking into the system, by pretexting. However it is obtained, we need to do what we can to protect consumers. My first thought is that all of these practices appear to be criminal activities already, but because there are loopholes in the current law and probably even bigger loopholes in the enforcement, we need to do more. My hope is we will follow up on this hearing and move legislation that removes all doubt and, even more importantly, gives relevant agencies the powers they need to go after this fraud. I believe we should focus on fraudulent actors and make sure this is stopped. Again, Mr. Chairman, I want to thank you for calling this hearing. I look forward to working with you and the rest of the Subcommittee.

Senator Allen. Thank you, Senator Vitter. Now we would like Senator Burns, if you would have any opening remarks and wisdom.

STATEMENT OF HON. CONRAD BURNS, U.S. SENATOR FROM MONTANA

Senator Burns. Thank you, Mr. Chairman and Ranking Member Pryor. I appreciate that, and the Members of this Committee. I would ask unanimous consent that my statement be made part of the record today.

Senator Allen. Without objection.

Senator Burns. But I just want to bring up--and I am glad to see Senator Schumer here. We are on a bill right now. We are crafting a bill. It is the Consumer Telephone Records Protection Act of 2006.
We look forward to working with Members on this Committee, knowing that you are interested in this, and whenever you get your legislation put back together we can marry up with those two pieces and I think could come up with a pretty good bill. I was appalled when I learned of this, that anybody could call up a telephone company and, especially with a stolen Social Security number and your date of birth, you can obtain the records, and those records were being harvested. Then you have got people that put up a website that says, we will sell you that number for 100 bucks or so, whatever. I thought--I just could not believe it. I want to applaud first Chairman Martin of the FCC for the action that he has taken pursuant to the statutory authority to protect consumers' personal telephone records. If you take right out of section 222 of the Communications Act and the Commission's rule will result, I think, in pretty strong enforcement by the FCC. The FTC also is involved in this. But we have got to make this fine on those who would participate in such an action such as this a pretty hefty fine and with some little jail time behind it, because basically you are robbing a person's private records. It can be used for a multitude of things. We all have cell phones. Now, I would say, today is the tenth anniversary of the telecom bill of 1996, and I can remember working on that bill a long time and it took a long time, I think anyways, from 1991 to 1996, to get that changed. We were trying to deal with 1990s' technology with a 1935 law. Now we have got to go back, because technology moves so fast, and look at that Act again. How much did we miss the number of prospective cell phone users by the year 2000? We only missed it 300 percent. I do not think you want me coming out and estimating what you can produce on your ranch under those kind of circumstances. But this is appalling and we must take action. It has to be now and it has to be stringent. 
There can be no loopholes in it like that exist today in the law. I thank the Chairman for having these hearings.

[The prepared statement of Senator Burns follows:]

Prepared Statement of Hon. Conrad Burns, U.S. Senator from Montana

Good afternoon Chairman Allen, Ranking Member Pryor, Members of the Committee, and distinguished panelists. Thank you for holding this important hearing on protecting consumers' phone records.

First, I am very disturbed about the disclosure and sale of personal telephone records through data brokers pretexting or by data brokers obtaining access to consumers' accounts online by overcoming carriers' data security protocols. As an original cosponsor of the Consumer Telephone Records Protection Act of 2006, I'm proud to say my bill will close existing loopholes and will make you pay a hefty price in both money and jail time if you access someone's private records without their permission.

Importantly, this bill criminalizes the act of pretexting, adding a new violation for fraud and related activity connected with obtaining confidential phone records from a company that provides telephone service. Specifically, the Consumer Telephone Records Protection Act of 2006 proposes that for each occurrence the illegal actor can be fined up to $250,000 and/or imprisoned for up to 5 years. These penalties can be doubled for aggravated cases. The criminal violations in this bill, along with action taken by the FCC and further Congressional Action, if needed, will restore consumers' confidence that their personal information is safe when they sign up for phone service with a telecommunications company.

Next, I want to applaud Chairman Martin for the action that the FCC has undertaken pursuant to its statutory authority to protect consumers' personal telephone records.
Chairman Martin recently appeared before the House of Representatives and testified that any noncompliance by telecommunications carriers with the customer proprietary network information (CPNI) obligations under section 222 of the Communications Act and the Commission's rules will result in strong enforcement action by the FCC.

Section 222 of the Communications Act was written to protect consumers' privacy. Specifically, it provides that carriers must protect the confidentiality of customer proprietary network information. CPNI includes, among other things, customers' calling activities and history, and billing records.

Under FTC Law, it is already considered an illegal deceptive business practice to use false pretenses to gather a consumer's financial information. The FTC has the power to pursue actions against phone record pretexters based on its authority to prevent deceptive and unfair business practices, but without this statutory authority spelled out in a statute, a question of statutory interpretation regarding FTC authority could be litigated. Furthermore, even if the FTC's authority to pursue actions against pretexters of phone records is assumed, the FTC is not authorized to immediately impose civil penalties against third party data brokers.

Unfortunately, in today's information age, there are those who are constantly seeking new ways to navigate the gray areas of our laws in hopes of finding something they can use to their advantage. My bill will shine a bright light on this particular gray area, wiping it out, and protect Americans from these rats who invade someone's privacy.

Thank you all for your time and concern and I look forward to working with the Members of this Committee, panel and other interested parties as this discussion moves forward.

Senator Allen. Thank you, Senator Burns. Senator Boxer.

STATEMENT OF HON. BARBARA BOXER, U.S. SENATOR FROM CALIFORNIA

Senator Boxer. Thank you so much, Mr. Chairman.
I really appreciate your having this hearing. The battle to keep confidential consumer information is never-ending. It seems like every month we hear of a new way that shady companies are exploiting the information of consumers for a profit. The latest example is the sale of phone records by online data brokers. We have all read that sites like datatraceusa.com will sell a person's phone records to anyone willing to spend $100. The time, duration, and number of every call a person has made from their phone is being made available to the public. Such information is being purchased by the likes of abusive spouses, leading to more domestic violence, and stalkers, who are able to infiltrate the lives of their victims. It has gotten to the point that the Chicago police and the FBI are warning their undercover agents that their phone records may be compromised, which could lead to their cover being blown. Most of the online data brokers take no steps to make sure that the information is being used for legitimate purposes. Moreover, the data brokers themselves are using fraudulent means to obtain the information from cell phone companies. In the pursuit of making a few dollars, these companies are helping criminals and undermining law enforcement. This must be stopped. That is why I have cosponsored the Consumer Telephone Records Protection Act introduced by Senators Specter and Schumer, and I am so glad that Senator Schumer is here. This bill will criminalize the sale of phone records without the consent of the subscriber. Mr. Chairman, it is a very simple notion and it will work. I also would urge my colleagues to support another privacy bill, introduced by Senator Specter and myself, the Wireless 411 Privacy Act, that prohibits the listing of a cell phone number in any wireless directory unless the subscriber elects to be included. Again, abused women should not have to worry that their cell phone number will be listed in a directory without them knowing about it. 
More generally, consumers should be able to keep their numbers private if that is what they want. So I would ask unanimous consent that the rest of my statement be placed in the record, Mr. Chairman. But I do feel we see this problem; we must act before people are really hurt. Also, we have a couple of bills out there that are so good, and they are bipartisan and they make sense. I hope we can move them quickly, and I think we will be doing something very good for our constituents. Thank you.

Senator Allen. Thank you, Senator Boxer. Your full statement will be made part of the record.

[The prepared statement of Senator Boxer follows:]

Prepared Statement of Hon. Barbara Boxer, U.S. Senator from California

Mr. Chairman, thank you for holding this hearing on the privacy rights of cell phone subscribers.

The battle to keep confidential consumer information private is never ending. It seems like every month we hear of a new way that shady companies are exploiting the information of consumers for a profit. The latest example is the sale of phone records by online data brokers.

We have all read that sites like datatraceusa.com will sell a person's phone records to anyone willing to spend $100. The time, duration, and number of every call a person has made from their phone is being made available to the public. Such information is being purchased by the likes of abusive spouses leading to more domestic violence and stalkers who are able to infiltrate the lives of their victims. It has gotten to the point that the Chicago police and FBI are warning their undercover agents that their phone records may be compromised, which could lead to their cover being blown.

Most of the online data brokers take no steps to make sure that the information being sold is used for legitimate purposes. Moreover, the data brokers themselves are using fraudulent means to obtain the information from cell phone companies.
In the pursuit of making a few dollars, these companies are helping criminals and undermining law enforcement. This must be stopped and that is why I have cosponsored the Consumer Telephone Records Protection Act introduced by Senators Schumer and Specter, which criminalizes the sale of phone records without the consent of the subscriber.

I also would urge my colleagues to support another privacy bill I introduced last session and reintroduced last year with Senator Specter--the Wireless 411 Privacy Act. This bill prohibits the listing of a cell phone number in any wireless directory service unless the subscriber elects to be included. Abused women should not have to worry that their cell phone number will be listed in a directory without them knowing about it. And more generally, consumers should be able to keep their number private if that is what they want. This is especially important with respect to cell phone numbers, because consumers pay for each call they receive.

Last session, a number of wireless carriers objected to certain provisions of my bill, including the requirement that subscribers opt-in to being listed. It is my understanding that the major wireless companies no longer object to this provision. This is a promising change. It is a sign that companies are beginning to recognize that it is our responsibility to protect the privacy of consumers.

In response to press reports, the wireless phone companies are improving their privacy practices and suing data brokers to prevent the release of their customers' phone records. Reacting to revelations in the papers of privacy breaches, however, is not enough. All companies--not just the wireless operators--should be proactive in protecting the privacy of their customers. They know the weakness of their own systems and how to fix those problems. If companies fail to act, Congress has a duty to step in and legislate the changes that are necessary to protect consumers.
I look forward to hearing from the witnesses about what is being done to protect consumers' confidential information and I plan to work with this Committee to get my Wireless 411 Privacy bill marked-up and brought to the floor. Thank you, Mr. Chairman.

Senator Allen. Senator Smith.

STATEMENT OF HON. GORDON H. SMITH, U.S. SENATOR FROM OREGON

Senator Smith. Thank you, Senator Allen and Chairman Stevens, for this very important hearing. The deceptive practice of pretexting has gotten, rightfully, a lot of attention lately. It is nothing more than lying to get something you are not entitled to have, and it is currently illegal. The Federal Trade Commission has the authority to pursue companies or individuals that engage in pretexting or other deceptive practices under section 5 of the FTC Act, which prohibits unfair or deceptive acts or practices in or affecting commerce. Using this authority, the FTC has brought civil actions against U.S. businesses that use false pretenses to gather information on consumers. Unfortunately, the FTC lacks authority to pursue bad actors operating overseas. We need to give the FTC these necessary tools. I sponsored the U.S. SAFE WEB Act with Senator Inouye, Senator McCain, Senator Nelson of Florida, Senator Burns, Senator Dorgan, and Senator Pryor. This is an important bill that will provide the FTC with the tools to protect consumers from cross-border fraud and deception, including pretexting. Our bill has already passed the Commerce Committee. It did so unanimously and I urge quick passage on the floor of the Senate. It will help solve this problem we are dealing with. One last point. Like consumers, phone companies are victims of fraud perpetrated by pretexters. Additional regulation of phone companies may not change fraudulent behavior of pretexters. I think it is important to emphasize that enforcement is the key. If we need more laws, let us get more laws. But let us enforce the laws that we have. Thank you, Mr. Chairman.

Senator Allen. Thank you, Senator Smith. I would like to hear from our first panelist, all by his lonesome, but not by his lonesome insofar as this issue and concern. Senator Chuck Schumer has joined us today to discuss this issue in terms of the law enforcement perspective proceeding from his viewpoint as a Member of the Judiciary Committee. Senator Schumer's involvement also extends to a bill that he has recently introduced. Senator Schumer, you can go ahead with your testimony. Then we will hear from the rest of our witnesses. Senator Schumer.

STATEMENT OF HON. CHARLES SCHUMER, U.S. SENATOR FROM NEW YORK

Senator Schumer. Thank you. Thank you, Mr. Chairman, and I want to thank you, Senator Pryor, Chairman Stevens, and all the rest of the Members, for the opportunity to speak to you today. I know this issue is of great concern to all of us, protecting the very privacy and personal information that is kept part of people's telephone records, because when a person talks on the phone, whether it is their cell phone or their home phone, they have an expectation of privacy. No one thinks that information about who they are calling and when they are calling them, as well as all of the personal information kept by phone companies for billing purposes, are available for sale to anyone with $100. But, sadly, that is the case. The activities of websites such as locatecell.com and other pretexters who pose as telephone customers to get people's personal phone record information from the phone companies have made some of our most personal and confidential information vulnerable to criminals who want that information for nefarious purposes. Even worse, unauthorized access to this information can put law enforcement officers and victims of domestic abuse in danger. A former spouse, a stalker, can find out who their target is calling and intensely personal information, like who their doctor is, whether the person sees a psychologist.
Targets of criminal investigations can find out if someone is talking to law enforcement authorities about them. And in a particularly frightening scenario, the FBI recently was able to obtain the cell phone records of one of its agents online in just 3 hours. Business people too are subject to this. A list of who a salesperson is calling upon could be available to a business rival. So this is a problem that we have to deal with. We already have a law that protects our financial information. Pretexting of financial information is illegal per se. That is in the Gramm-Leach-Bliley Act that many of us supported and worked on several years ago. But there is no Federal law that makes it a criminal offense to steal someone's cell phone records. Right now there are laws on the books, as has been mentioned, but they are general fraud statutes, far less specific, and not good tools according to law enforcement for what they need to go after these illegal acts. So far the cell phone companies have to go after pretexters with civil lawsuits or prosecutors have to cobble together a case from a patchwork of laws. But if all that pretexters really face are civil fines, they are going to look at this as the cost of doing business. What these thieves do is a crime and ought to be treated like a crime. That is why, along with Senator Specter and many others, eight Members of this Committee cosponsored legislation that will do that, make stealing a person's phone records a felony. It is called the Consumer Telephone Records Protection Act, and I am happy to report that we have a bipartisan group of cosponsors, mainly from the Commerce and Judiciary Committees, which are the two committees of relevant jurisdiction. In addition, three of the major wireless carriers--Verizon Wireless, T-Mobile, and Sprint Nextel--as well as consumer groups like Consumers Union, support the bill. It is a very simple bill. It makes it a crime to fraudulently buy someone's phone records. 
It prohibits the sale or transfer of those records and specifically prohibits employees of phone companies from selling this information. We are also looking at enhanced penalties when the records are used to commit a crime of domestic violence or if they are used to harm law enforcement officers. The bill also contains an enhanced penalty for multiple offenses, aimed at the websites and companies that make a business out of stealing records, such as some of them that are on the screen over there. All of the bipartisan support, support from industry and consumers groups, I think shows very clearly the need to do something now, and I look forward to working with all of you on the Commerce Committee, which you have jurisdiction, of course, over FTC and all of that (we have jurisdiction over the criminal law in Judiciary) to find a quick solution that will stop pretexters and protect the privacy of American citizens. Thank you.

Senator Allen. Thank you, Senator Schumer. We would now like to hear from the rest of the panel. We appreciate again, Senator Schumer, your willingness to work with us. We look forward to working on a team effort. I would like all of the six witnesses to come forward. I will introduce all of the witnesses. The order that we will go through the witnesses' testimony will be: first, Ms. Kris Monteith and Ms. Lydia Parnes, then the Honorable Steve Largent, Marc Rotenberg, Robert Douglas, and Cindy Southworth. So if you could--it looks like we are not going to get them in that order. As our witnesses are getting seated, let me begin with a brief introduction of each for those assembled here and for our Committee.

To start, we have Ms. Kris Monteith, the Chief of the Enforcement Bureau at the Federal Communications Commission. Ms. Monteith's role at the FCC places her in a direct role in protecting consumers' phone records. We appreciate your willingness to discuss the role of the FCC and what it can play in the safety of consumer phone records.
Thank you for testifying.

Next we will hear from Ms. Lydia Parnes, who is the Director--she is Director of the Bureau of Consumer Protection at the Federal Trade Commission. The FTC is at the center of protecting consumers from deceptive business practices. Ms. Parnes will be able to give us a better idea of how to deter this fraudulent behavior and put these bad actors out of business, and we want to do that for good. Thank you for being here.

Next we will hear from the Honorable Steve Largent, President and CEO of the Cellular Telecommunications and Internet Association, otherwise known as ``CTIA.'' He is a Hall of Famer, was there at the Super Bowl. The Seattle Seahawks had a tough game. Still, they made it to the Super Bowl. More importantly, as a Hall of Famer we hope you help bring this team here together for success in combatting these pretexters.

Next we will hear from Mr. Marc Rotenberg, Mr. Rotenberg, who has actually been here testifying on several occasions. He is Executive Director of the Electronic Privacy Information Center, otherwise known as ``EPIC.'' He has testified on a variety of issues. We welcome you back. He is here to give us his suggestions on how to best prevent an individual's phone records from being compromised.

Then we will hear from Mr. Robert Douglas, Chief Executive Officer of PrivacyToday.com. Mr. Douglas is a former private investigator and has testified in front of Congress multiple times regarding information security. He can provide us with examples of real-life experiences with pretexting. Thank you, Mr. Douglas, for coming all the way from Steamboat Springs, Colorado. I know you once lived in Virginia, but now you have a farther trek.

Finally, we are going to hear from Cindy Southworth. Cindy Southworth is the Director of Technology and Director of the Safety Net Project at the National Network to End Domestic Violence. Ms.
Southworth's testimony can shed light on the potential ramifications of a person's phone records being divulged to someone other than the customer. Domestic violence against women is her area of expertise and she can offer a perspective on how physical abuse can result if a woman's phone records are obtained from an abusive husband, ex-boyfriend, or stalker, and we appreciate, Ms. Southworth, your attendance today and we look forward to your insight.

Senator Burns. Mr. Chairman, before we go to the witnesses, can I make an announcement here, because I have got to go to the floor in about 15 minutes.

Senator Allen. All right.

Senator Burns. Just an announcement to remind everybody. The Internet Caucus--and what we are talking about is the Internet here and the Internet business--is tonight, 5 o'clock, over in Dirksen G-50. We have got a lot of vendors----

Senator Inouye. It is for Members.

Senator Burns. Well, no; for everybody. Everybody can go. We do not check anybody at the door.

Senator Allen. Open standards.

Senator Burns. Open standards. I just thought I would remind it to you if you are in the buildings and want to attend that.

Senator Allen. All right, thank you. Thank you, Senator Burns. Now we would like to hear from Ms. Monteith.

STATEMENT OF KRIS ANNE MONTEITH, CHIEF, ENFORCEMENT BUREAU, FEDERAL COMMUNICATIONS COMMISSION

Ms. Monteith. Good afternoon, Mr. Chairman.

Senator Allen. I am going to ask, in the event that you can, I know you all have written testimony. If you can present it in 5 minutes; if it is longer than 5 minutes you may summarize, and all of your testimony will be made part of the record. In the questioning of the witnesses, I would ask that the Senators also be limited to 5 minutes in their inquiries. Ms. Monteith.

Ms. Monteith. Good afternoon, Mr. Chairman and Members of the Subcommittee and the Full Committee.
I appreciate the opportunity to speak with you today about what appears to be an alarming breach of the privacy of consumers' telephone records. As Chairman Martin made clear in his testimony last week, the Commission is deeply concerned about the disclosure and sale of these records. Determining how this violation of consumers' privacy is happening and addressing it is a priority for the Commission. In my testimony today, I will describe the Commission's current investigation into this serious issue and then touch on the legislative proposals Chairman Martin identified as possible measures Congress might take to prevent data brokers from selling consumers' phone records.

The Commission is taking numerous actions to combat this issue. First, we are investigating how data brokers are obtaining consumers' personal telephone records. Second, we are investigating whether telecommunications carriers are adequately protecting the privacy of the personal and confidential data entrusted to them by American consumers. Third, we are initiating a proceeding to determine what additional rules the Commission should adopt to further protect consumers' sensitive telephone records from unauthorized disclosure.

The disclosure and sale of consumer phone records was brought to the Commission's attention late last summer. On August 30th, the Electronic Privacy Information Center filed a petition expressing concern over the sale of consumers' private telephone data by data brokers. The Commission's Enforcement Bureau began researching and investigating these practices. Its research culminated in the Commission issuing subpoenas to several of the most prominent data brokers. When these companies failed to adequately respond to the subpoenas, we issued letters of citation and referred the responses to the Department of Justice for enforcement. Subsequently, we issued subpoenas to another 30 data brokers and are awaiting their responses.
We also made undercover purchases of phone records from various data brokers to assist us in targeting additional subpoenas and to determine exactly how the consumer phone record data is being disclosed. In conjunction with our investigation of data brokers, in December and January the Commission met with the major wireless and wireline providers to discuss efforts they have undertaken to protect their confidential consumer data. Formal letters of inquiry followed that required the carriers to document their customer data security procedures and practices, identify security and disclosure problems, and address any changes they have made in response to the data brokers issue. In late January we asked the five largest wireline and wireless carriers to send us their required annual compliance certificates. In addition, early last week the Enforcement Bureau issued notices of apparent liability in the amount of $100,000 against two companies for failure to comply with the certification requirement. We also issued a public notice requiring all telecommunications carriers to file their most recent certification with the Commission. Throughout our investigation, we have coordinated closely with the FTC and will continue to share any evidence of fraudulent behavior that we detect in the course of our investigation. Finally, several weeks ago Chairman Martin circulated an item to his fellow Commissioners granting EPIC's petition and inviting comment on whether additional Commission rules are necessary to strengthen the safeguards for customer records. The item will be acted on by February 10th. In response to questions about what Congress might do to prevent data brokers from selling consumers' phone records, Chairman Martin identified three primary actions. First, Congress could specifically make illegal the commercial availability of consumers' phone records. 
Second, Congress could overturn the Tenth Circuit ruling that limited the Commission's ability to implement more stringent protection of consumer phone record information. This ruling has resulted in a much broader dissemination of consumer phone records and may have contributed to the proliferation of the unlawful practices of data brokers that we are seeing today. Third, the Commission's enforcement tools could be strengthened by, for example, eliminating the citation requirement in section 503(b) of the Act, raising the statutory maximum forfeiture penalties, and lengthening the applicable 1-year statute of limitations.

To conclude, the disclosure of private calling records represents a significant invasion of privacy. The Commission looks forward to working collaboratively with the Members of this Subcommittee, other Members of Congress, and our colleagues at the Federal Trade Commission to ensure that consumers' personal phone data remains confidential. Thank you for the opportunity to testify. I would be pleased to answer your questions.

[The prepared statement of Ms. Monteith follows:]

Prepared Statement of Kris Anne Monteith, Chief, Enforcement Bureau, Federal Communications Commission

Introduction

Good afternoon, Chairman Allen, Ranking Member Pryor, and Members of the Subcommittee. I appreciate the opportunity to speak with you today about what appears to be an alarming breach of the privacy of consumers' telephone records. As Chairman Martin made clear in his testimony last week, the entire Commission is deeply concerned about the disclosure and sale of these personal telephone records and will take strong enforcement action to address any noncompliance by telecommunications carriers with the customer proprietary network information (``CPNI'') obligations under section 222 of the Communications Act of 1934, as amended, (the Act) and the Commission's rules.
In my testimony, I will describe the Commission's current investigation into the procurement and sale of consumers' private phone records and the steps the FCC is taking to make sure that telecommunications carriers are fully meeting their obligations under the law to protect those records.

As the Subcommittee is aware, the issue of third parties known as ``data brokers'' obtaining and selling consumers' telephone call records, which has been widely reported, is a tremendous concern for consumers, lawmakers, and regulators alike. Determining how this violation of consumers' privacy is happening and addressing it is a priority for Chairman Martin and the Commission. As outlined below, we are taking numerous steps to combat the problem. First, we are investigating the data brokers to determine how they are obtaining this information. Second, we are investigating the telecommunications carriers to determine whether they have implemented safeguards that are appropriate to secure the privacy of the personal and confidential data entrusted to them by American consumers. Third, the Commission is initiating a proceeding to determine what additional rules the Commission should adopt to further protect consumers' sensitive telephone record data from unauthorized disclosure.

Background

Numerous websites advertise the sale of personal telephone records for a price. Specifically, data brokers advertise the availability of cell phone records, which include calls to and/or from a particular cell phone number, the duration of such calls, and may even include the physical location of the cell phone. In addition to selling cell phone call records, many data brokers also claim to provide calling records for landline and voice over Internet protocol, as well as non-published phone numbers. In many cases, the data brokers claim to be able to provide this information within fairly quick time frames, ranging from a few hours to a few days.
The data brokers provide no explanation on their websites of how they are able to obtain such personal data. \1\ There are several possible theories for how these data brokers are obtaining this information. These data brokers may be engaged in ``pretexting,'' that is, obtaining the information under false pretenses--often by impersonating the account holder. In addition, they may be obtaining access to consumers' accounts online by overcoming carriers' data security protocols. To the extent this is the cause of the privacy breaches, we must determine whether this is in part due to the lack of adequate carrier safeguards. Finally, various telecommunications carriers could have ``rogue'' employees who are engaged in the practice of sharing this information with data brokers in exchange for a fee.

\1\ The websites often contain statements that the information obtained is confidential and not admissible in court, and may specify that the purchaser must employ a legal avenue, such as a subpoena, for obtaining the data if the purchaser intends to use the information in a legal proceeding.

The mandate requiring telecommunications carriers to implement adequate safeguards to protect consumers' call records is found in section 222 of the Act. Congress enacted section 222 to protect consumers' privacy. Specifically, section 222 of the Act provides that telecommunications carriers must protect the confidentiality of customer proprietary network information. CPNI includes, among other things, customers' calling activities and history, and billing records. The Act limits carriers' abilities to use customer phone records even for their own marketing purposes without appropriate consumer approval and safeguards.
Furthermore, the Act prohibits carriers from using, disclosing, or permitting access to this information without approval of the customer, or as otherwise required by law, if the use or disclosure is not in connection with the provided service.

When it originally implemented section 222, the Commission required telecommunications carriers to obtain express written, oral, or electronic consent from their customers, i.e., an ``opt-in'' requirement, before a carrier could use any customer phone records to market services outside the customer's existing service relationship with that carrier. The United States Court of Appeals for the Tenth Circuit (10th Circuit) struck down these rules finding that they violated the First and Fifth Amendments of the Constitution. Required by the 10th Circuit to reverse its ``opt-in'' rule, the Commission ultimately adopted an ``opt-out'' approach whereby a customer's phone records may be used by carriers, their affiliates, agents, and joint venture partners that provide communications-related services provided that a customer does not expressly withhold consent to such use.

The Commission must determine whether carriers are complying with their obligations under section 222. In order to make this determination, we are examining the methods that data brokers use to gain access to consumers' call records, and the methods employed by carriers to guard against such breaches.

Commission Investigation

The issue of the disclosure and sale of consumer phone records was brought to the Commission's attention late last summer. On August 30th, the Electronic Privacy Information Center (EPIC) filed a petition for rulemaking expressing concern about the sufficiency of carrier privacy practices and the fact that online data brokers were selling consumers' private telephone data. At this same time, the Commission's Enforcement Bureau began researching and investigating the practices of data brokers.
This research culminated in the Commission issuing subpoenas to several of the most prominent data broker companies. These subpoenas, served in November 2005, sought details regarding how the companies obtained this phone record information and contained further questions about the companies' sale of consumer call records. Unfortunately, the companies failed to adequately respond to our request. As a consequence, we issued letters of citation to these entities for failing to fully respond to a Commission order and referred the inadequate responses to the Department of Justice for enforcement of the subpoenas. In addition, we subsequently served another approximately 30 data broker companies with subpoenas and are currently waiting for their response. Finally, in support of these investigations, we have made undercover purchases of phone records from various data brokers. The purpose of this information is to assist us in targeting additional subpoenas and in determining the exact method by which consumer phone record data is being disclosed. In conjunction with our investigation of data brokers, the Commission also focused its attention on the practices of the telecommunications carriers subject to section 222. Specifically, in December and January, the Commission's Enforcement Bureau staff met with the major wireless and wireline providers to discuss efforts they have undertaken to protect their confidential customer data and to prevent data brokers from obtaining and using such information. Discussions focused on the specific procedures employed to protect consumer call records from being accessed by anyone other than the consumers themselves. Staff also probed who within the companies has access to call record information and the procedures the carriers use to ensure that employees and other third parties with access to such information do not improperly disclose it to others. 
The carriers generally expressed their belief that the problems they have experienced in this area are largely, if not exclusively, related to attempts by individuals outside the company to obtain information through pretexting, rather than by ``rogue'' employees selling information to data brokers.

In order to have the carriers' responses in written form, last month, we sent formal Letters of Inquiry to these carriers. Inquiry letters are formal requests for information from carriers that may trigger penalties if not answered fully. These letters require the carriers to document their customer data security procedures and practices, identify security and disclosure problems, and address any changes they have made in response to the data broker issue.

In addition, under the Commission's rules, a telecommunications carrier ``must have an officer, as an agent of the carrier, sign a compliance certificate on an annual basis stating that the officer has personal knowledge that the company has established operating procedures that are adequate to ensure compliance'' with the Commission's CPNI rules. In late January, we asked the five largest wireline and wireless carriers to send us their CPNI certifications. Early last week, the Enforcement Bureau issued Notices of Apparent Liability in the amount of $100,000 against both AT&T and Alltel for failure to comply with the certification requirement. We also issued a public notice requiring all telecommunications carriers to submit their most recent certification with us. To the extent that carriers are unable to do so, or do not respond adequately, we are prepared to take appropriate enforcement action against them as well.

Coordination with the FTC and State Attorneys General. Because this problem implicates the jurisdiction of both the FCC and FTC, we have coordinated with the FTC throughout our investigation.
Beginning last summer, Commission staff and FTC staff have been in regular contact regarding the sale of phone records by data brokers. In addition, Chairman Martin met with Chairman Majoras late last year and discussed this issue, among others. Commission staff will continue to coordinate closely with the FTC staff and share with them any evidence of fraudulent behavior that we detect in the course of our investigation. The FCC has also responded to several inquiries and provided guidance to individual state Attorneys General, and the National Association of Attorneys General (NAAG). As you are aware, a number of states, including Florida, Illinois, and Missouri have taken recent legal action against data brokers.

Commission's Efforts to Strengthen Existing CPNI Rules

As I mentioned previously, EPIC filed a petition with the Commission raising concerns about the sale of call records. Specifically, EPIC petitioned the Commission to open a proceeding to consider adopting stricter security standards to prevent carriers from releasing private consumer data. Several weeks ago, Chairman Martin circulated an item to his fellow Commissioners granting EPIC's petition and inviting comment on whether additional Commission rules are necessary to strengthen the safeguards for customer records. Specifically, the item seeks comment on EPIC's five proposals to address the unlawful and fraudulent release of CPNI: (1) consumer-set passwords; (2) audit trails; (3) encryption; (4) limiting data retention; and (5) notice procedures to the customer on release of CPNI data. In addition to these proposals, the item also seeks comment on whether carriers should be required to report further on the release of CPNI.
Further, the item tentatively concludes that the Commission should require all telecommunications carriers to certify on a date certain each year that they have established operating procedures adequate to ensure compliance with the Commission's rules and file these certifications with the Commission. As Chairman Martin has indicated, the item has been distributed to the Commissioners for their consideration and will be acted on by February 10, 2006.

Legislative Assistance

In addition to the Commission's actions, several members have asked for the Commission's views on any potential changes to the law that could help combat this troubling trend. Chairman Martin has identified three primary actions that Congress could take to prevent data broker companies from selling consumers' phone records.

First, Congress could specifically make illegal the commercial availability of consumers' phone records. Thus, if any entity is found to be selling this information for a fee, regardless of how it obtained such information, it would face liability.

Second, Congress could overturn the ruling of a Federal court that limited the Commission's ability to implement more stringent protection of consumer phone record information. Specifically, when the Commission first implemented section 222, it required carriers to obtain express written, oral, or electronic consent from their customers, i.e., an ``opt-in'' requirement before a carrier could use any customer phone records to market services outside the customer's existing service relationship with that carrier. The Commission held that this ``opt-in'' requirement provided consumers with the most meaningful privacy protection. In August of 1999, the 10th Circuit struck down these rules finding that they violated the First and Fifth Amendments of the Constitution.
Required by the 10th Circuit to reverse its ``opt-in'' rule, the Commission adopted an ``opt-out'' approach whereby a customer's phone records may be used by carriers, their affiliates, agents, and joint venture partners that provide communications-related services provided that a customer does not expressly withhold consent to such use. This ruling shifted the burden to consumers, requiring them to specifically request that their personal phone record information not be shared. This ruling has resulted in a much broader dissemination of consumer phone records and thereby may have contributed to the proliferation of the unlawful practices of data brokers that we are seeing today.

Third, Chairman Martin has recommended that the Commission's enforcement tools be strengthened. For example, the need to issue citations to non-licensees before taking any other type of action sometimes hinders us in our investigations, and allows targets to disappear before we are in a position to take action against them. Eliminating the citation requirement in section 503(b) of the Act would enable more streamlined enforcement. In addition, I believe that raising maximum forfeiture penalties, currently prescribed by statute, would assist the Commission in taking effective enforcement action, as well as act as a deterrent to companies who otherwise view our current forfeiture amounts simply as costs of doing business. Further, the one-year statute of limitations in section 503 of the Communications Act for bringing action has been a source of difficulty at times. In particular, when the violation is not immediately apparent, or when the Commission undertakes a complicated investigation, we often run up against the statute of limitations and must compromise our investigation, or begin losing violations for which we can take action.

Conclusion

The disclosure of consumers' private calling records is a significant privacy invasion.
The Commission is taking numerous steps to try to address this practice as soon as possible. We look forward to working collaboratively with the Members of this Subcommittee, other Members of Congress, as well as our colleagues at the Commission and at the Federal Trade Commission to ensure that consumers' personal phone data remains confidential. Thank you for the opportunity to testify, and I would be pleased to respond to your questions.

Senator Allen. Ms. Monteith, thank you very much for your testimony and your very specific ideas of what we can do to strengthen the enforcement capabilities of the FCC. You will undoubtedly have some questions posed to you later, as will all the witnesses. Now we would like to hear from Ms. Parnes with the Federal Trade Commission. Please proceed.

STATEMENT OF LYDIA B. PARNES, DIRECTOR, BUREAU OF CONSUMER PROTECTION, FEDERAL TRADE COMMISSION

Ms. Parnes. Good afternoon, Mr. Chairman and Members of the Subcommittee. I too appreciate the invitation to appear today to discuss the important topic of the privacy and security of consumers' telephone records. My oral testimony and responses to questions reflect my own views and not necessarily those of the Commission or any individual commissioner. Maintaining the privacy and security of consumers' sensitive personal information is one of the Commission's highest priorities. We have wrestled with spam, spyware, and identity theft and, in cooperation with the FCC, are now vigorously investigating companies that use subterfuge to gain access to consumers' telephone call logs. Today I will describe the FTC's efforts to protect consumers from pretexters generally and the specific practice of pretexting for telephone records. Then I will address the issue of whether new laws are needed to stop this troubling practice. The Commission filed its first pretexting suit in 1999, against a company that offered to provide consumers' bank account numbers and balances to anybody for a fee.
The FTC alleged that this deceptive conduct violated section 5 of the FTC Act. Later that year, Congress enacted the Gramm-Leach-Bliley (GLB) Act, which expressly prohibits pretexting for financial records. Since GLB's passage, the FTC has sent warning letters to 200 firms that sold asset information to third parties and brought more than a dozen financial pretexting cases.

But it is also important to control the supply side of sensitive consumer information. In that vein, the Commission recently announced a record-breaking $15 million settlement against ChoicePoint, challenging business practices that we alleged unreasonably exposed consumer data to theft and misuse.

Now let me turn to the cottage industry of companies peddling cell phone and landline records. In preparation for this hearing, we did a quick review of the telephone record marketplace. The results are illuminating. First, we looked at 40 websites previously reported to be selling call records. As of this Monday, more than half were no longer advertising the sale of such records. One website told would-be customers, and I quote: ``Due to controversy surrounding the availability of phone records via the Internet, we have decided to discontinue offering these searches.'' Unfortunately, we also found that at least nine of the companies still make unabashed offers to obtain call records. The remaining companies are making more ambiguous offers that are still of concern.

Thus, thanks to the attention this issue has received in the media and in hearings like this one, at least some in the pretexting industry have gotten the message. But there is still work to be done. Yesterday we sent warning letters to 20 companies that are offering to obtain and sell telephone call records, and the Commission has a number of ongoing investigations as well.

I know the Committee is considering whether additional legislation is necessary to protect these records.
One approach would be a specific prohibition on the pretexting of telephone call records, modeled on the Gramm-Leach-Bliley Act's protection of financial records. If Congress were to consider such legislation, I would recommend that it give the Commission authority to seek civil penalties against violators, a remedy that the FTC does not currently have in cases like this. I believe that in this area, penalties are the most effective civil remedy. This is also a situation where criminal penalties may be warranted, but as a civil agency we would defer to the Department of Justice on the need for criminal legislation and particularly its structure.

In addition, our recent surf revealed that some sites offering these records were registered to foreign addresses. This finding underscores the importance of the Commission's previous recommendation that Congress enact cross-border fraud legislation. The proposal, called the U.S. SAFE WEB Act, will overcome many of the existing obstacles to information-sharing and cross-border investigations. I would like to thank the Committee for its leadership on this bill.

Finally, Congress may consider, as recommended by the FCC, whether a ban on the sale of call records in all cases is appropriate. Should it do so, I would recommend that Congress exercise caution in determining the breadth of such a ban. Certainly law enforcers will continue to have legitimate reasons for obtaining phone records and it is possible that there may be other limited circumstances in which these records might be disclosed for appropriate and useful purposes. For example, the GLB pretexting prohibition provides an exception in cases involving the collection of court-ordered child support payments.

Again, thank you for the opportunity to testify today. We look forward to working with the Committee and its staff on this very important issue.

[The prepared statement of Ms. Parnes follows:]

Prepared Statement of Lydia B. Parnes, Director, Bureau of Consumer Protection, Federal Trade Commission

Introduction

Mr. Chairman, and Members of the Subcommittee, I am Lydia B. Parnes, Director of the Bureau of Consumer Protection at the Federal Trade Commission (``FTC'' or ``Commission''). \1\ I appreciate the opportunity to discuss telephone records pretexting and the Commission's significant work to protect the privacy and security of telephone records and other types of sensitive consumer information. The Commission is currently investigating companies that offer consumer telephone records for sale, and we plan to pursue these investigations vigorously.
---------------------------------------------------------------------------
\1\ The views expressed in this statement represent the views of the Commission. My oral testimony and responses to questions reflect my own views and do not necessarily represent the views of the Commission or any individual Commissioner.
---------------------------------------------------------------------------
Maintaining the privacy and security of consumers' personal information is one of the Commission's highest priorities. Companies that engage in pretexting--the practice of obtaining personal information, such as telephone records, under false pretenses--not only violate the law, but they undermine consumers' confidence in the marketplace and in the security of their sensitive data. While pretexting to acquire telephone records has recently become more prevalent, the practice of pretexting is not new. The Commission has used its full arsenal of tools to attack scammers who use fraud to gain access to consumers' personal information.

Aggressive law enforcement is at the center of the FTC's efforts to protect consumers' sensitive information.
The Commission has taken law enforcement action against companies allegedly offering surreptitious access to consumers' financial records, and will continue to challenge business practices that unnecessarily expose consumers' sensitive information. The Commission also continues to provide consumer education and outreach to industry to ensure that the marketplace is safe for consumers and commerce. \2\
---------------------------------------------------------------------------
\2\ For example, the Commission recently launched OnGuard Online, a campaign to educate consumers about the importance of safe computing. See www.onguardonline.gov. One module offers advice on avoiding spyware and removing it from computers. Another module focuses on how to guard against ``phishing,'' a scam where fraudsters send spam or pop-up messages to extract personal and financial information from unsuspecting victims. Yet another module provides practical tips on how to avoid becoming a victim of identity theft. These materials are additions to our comprehensive library on consumer privacy and security. See www.ftc.gov/privacy/index.html.
---------------------------------------------------------------------------
Today I will discuss the FTC's efforts to protect consumers from firms engaged in pretexting and the practice of pretexting for telephone records. \3\
---------------------------------------------------------------------------
\3\ Pretexting is not the only way to obtain consumers' telephone records, however. Such records also reportedly have been obtained by bribing telephone company employees and hacking into telephone companies' computer systems. See, e.g., Jonathan Krim, Online Data Gets Personal: Cell Phone Records for Sale, Wash. Post, July 13, 2005, available at 2005 WLNR 10979279; Simple Mobile Security for Paris Hilton, PC Magazine, Mar. 1, 2005, available at 2005 WLNR 3834800.
---------------------------------------------------------------------------
II. FTC Efforts to Protect Consumers From Firms That Engage in Pretexting

The Commission has a history of combating pretexting. Using Section 5 of the FTC Act, which prohibits ``unfair or deceptive acts or practices in or affecting commerce,'' \4\ the Commission has brought actions against businesses that use false pretenses to gather financial information on consumers. In these cases, we have alleged that it is a deceptive and unfair practice to obtain a consumer's financial information by posing as the consumer.
---------------------------------------------------------------------------
\4\ 15 U.S.C. Sec. 45(a).
---------------------------------------------------------------------------
The Commission's first pretexting case was filed against a company that offered to provide consumers' financial records to anybody for a fee. \5\ According to our complaint, the company's employees obtained these records from financial institutions by posing as the consumer whose records it was seeking. The complaint charged that this practice was both deceptive and unfair under Section 5 of the FTC Act. \6\
---------------------------------------------------------------------------
\5\ FTC v. James J. Rapp and Regana L. Rapp, d/b/a Touch Tone Information, Inc., No. 99-WM-783 (D. Colo.) (final judgment entered June 22, 2000). See http://www.ftc.gov/os/2000/06/touchtoneorder.
\6\ An act or practice is unfair if it: (1) causes or is likely to cause consumers substantial injury; (2) the injury is not reasonably avoidable by consumers; and (3) the injury is not outweighed by countervailing benefits to consumers or competition. 15 U.S.C. Sec. 45(n).
---------------------------------------------------------------------------
In 1999, Congress passed the Gramm-Leach-Bliley Act (``GLBA''). The GLBA provided another tool to attack the unauthorized acquisition of consumers' financial information.
\7\ Section 521 of the Act directly prohibits pretexting of customer data from financial institutions. Specifically, this provision prohibits ``false, fictitious, or fraudulent statement[s] or representation[s] to an officer, employee, or agent of a financial institution'' to obtain customer information of a financial institution. \8\
---------------------------------------------------------------------------
\7\ Id. Sec. Sec. 6801-09.
\8\ Id. Sec. 6821.
---------------------------------------------------------------------------
To ensure awareness of and compliance with the new anti-pretexting provisions of the GLBA, the Commission launched Operation Detect Pretext in 2001. \9\ Operation Detect Pretext combined a broad monitoring program, the widespread dissemination of industry warning notices, consumer education, and aggressive law enforcement.
---------------------------------------------------------------------------
\9\ See FTC press release ``As Part of Operation Detect Pretext, FTC Sues to Halt Pretexting'' (Apr. 18, 2001), available at http://www.ftc.gov/opa/2001/04/pretext.htm. For more information about the cases the Commission has brought under Section 521 of the GLBA, see http://www.ftc.gov/privacy/privacyinitiatives/pretexting_enf. Since GLBA's passage, the FTC has brought over a dozen cases alleging violations of Section 521 in various contexts.
---------------------------------------------------------------------------
In the initial monitoring phase of Operation Detect Pretext, FTC staff conducted a ``surf'' of more than 1,000 websites and a review of more than 500 advertisements in print media to spot firms offering to conduct searches for consumers' financial data. The staff found approximately 200 firms that offered to obtain and sell consumers' asset or bank account information to third parties.
The staff then sent notices to these firms advising them that their practices were subject to the FTC Act and the GLBA, and provided information about how to comply with the law. \10\
---------------------------------------------------------------------------
\10\ See FTC press release ``FTC Kicks Off Operation Detect Pretext'' (Jan. 31, 2001), available at http://www.ftc.gov/opa/2001/01/pretexting.htm.
---------------------------------------------------------------------------
In conjunction with the warning letters, the Commission released a consumer alert, Pretexting: Your Personal Information Revealed, describing how pretexters operate and advising consumers on how to avoid having their information obtained through pretexting. \11\ The alert warns consumers not to provide personal information in response to telephone calls, e-mail, or postal mail, and advises them to review their financial statements carefully, to make certain that their statements arrive on schedule, and to add passwords to financial accounts.
---------------------------------------------------------------------------
\11\ See http://www.ftc.gov/bcp/conline/pubs/credit/pretext.htm.
---------------------------------------------------------------------------
While consumer education is important, it is only part of the FTC's efforts to combat pretexting. Aggressive law enforcement is critical. The FTC therefore followed up the first phase of Operation Detect Pretext in 2001 with a trio of law enforcement actions against information brokers. \12\ In each of these cases, the defendants advertised that they could obtain non-public, confidential financial information, including information on checking and savings account numbers and balances, stock, bond, and mutual fund accounts, and safe deposit box locations, for fees ranging from $100 to $600. The FTC alleged that the defendants or persons they hired called banks, posing as customers, to obtain balances on checking accounts.
\13\
---------------------------------------------------------------------------
\12\ FTC v. Victor L. Guzzetta, d/b/a Smart Data Systems, No. CV-01-2335 (E.D.N.Y.) (final judgment entered Feb. 25, 2002); FTC v. Information Search, Inc., and David Kacala, No. AMD-01-1121 (D. Md.) (final judgment entered Mar. 15, 2002); FTC v. Paula L. Garrett, d/b/a Discreet Data Systems, No. H 01-1255 (S.D. Tex.) (final judgment entered Mar. 25, 2002).
\13\ In sting operations set up by the FTC in cooperation with banks, investigators established dummy bank account numbers in the names of cooperating witnesses and then called defendants, posing as purchasers of their pretexting services. In the three cases, an FTC investigator posed as a consumer seeking account balance information on her fiance's checking account. The defendants or persons they hired proceeded to call the banks, posing as the purported fiance, to obtain the balance on his checking account. The defendants later provided the account balances to the FTC investigator.
---------------------------------------------------------------------------
The FTC's complaints alleged that the defendants' conduct violated the anti-pretexting prohibitions of the GLBA, and further was unfair and deceptive in violation of Section 5 of the FTC Act. The defendants in each of the cases ultimately agreed to settlements that barred them from further violations of the law and required them to surrender ill-gotten gains. \14\
---------------------------------------------------------------------------
\14\ See http://www.ftc.gov/opa/2002/03/pretextingsettlements.htm.
---------------------------------------------------------------------------
Because the anti-pretexting provisions of the GLBA provide for criminal penalties, the Commission also may refer pretexters to the U.S. Department of Justice for criminal prosecution, as appropriate. One such individual recently pled guilty to one count of pretexting under the GLBA.
\15\
---------------------------------------------------------------------------
\15\ United States v. Peter Easton, No. 05 CR 0797 (S.D.N.Y.) (final judgment entered Nov. 17, 2005).
---------------------------------------------------------------------------
Finally, the Commission is aware that it is not enough to focus on the purveyors of illegally obtained consumer data. It is equally critical to ensure that entities that handle and maintain sensitive consumer information have in place reasonable and adequate processes to protect that data. Accordingly, the Commission has challenged data security practices as unreasonably exposing consumer data to theft and misuse. \16\ Companies that have failed to implement reasonable security and safeguard processes for consumer data face liability under various statutes enforced by the FTC, including the Fair Credit Reporting Act, the Safeguards provisions of the GLBA, and Section 5 of the FTC Act. \17\
---------------------------------------------------------------------------
\16\ In addition to law enforcement in the data security area, the Commission has provided business education about the requirements of existing laws and the importance of good security. See, e.g., Safeguarding Customers' Personal Information: A Requirement for Financial Institutions, available at http://www.ftc.gov/bcp/conline/pubs/alerts/safealrt.htm.
\17\ United States v. ChoicePoint, Inc., No. 106-CV-0198 (N.D. Ga.) (complaint and proposed settlement filed on Jan. 30, 2006 and pending court approval); In the Matter of BJ's Wholesale Club, Inc., FTC Docket No. 042-3160 (Sept. 20, 2005); In the Matter of DSW, Inc., FTC Docket No. 052-3096 (proposed settlement posted for public comment on Dec. 1, 2005); Superior Mortgage Corp., FTC Docket No. C-4153 (Dec. 14, 2005).
As the Commission has stated, an actual breach of security is not a prerequisite for enforcement under Section 5; however, evidence of such a breach may indicate that the company's existing policies and procedures were not adequate. It is important to note, however, that there is no such thing as perfect security, and breaches can happen even when a company has taken every reasonable precaution. See Statement of the Federal Trade Commission Before the Committee on Commerce, Science, and Transportation, U.S. Senate, on Data Breaches and Identity Theft (June 16, 2005) at 6, available at http://www.ftc.gov/os/2005/06/050616databreaches.pdf.
---------------------------------------------------------------------------
In fact, two weeks ago the Commission announced a record-breaking proposed settlement with data broker ChoicePoint, Inc. This proposed settlement requires ChoicePoint to pay $10 million in civil penalties and $5 million in consumer redress to settle charges that its security and record-handling procedures violated the Fair Credit Reporting Act and the FTC Act. In addition, the proposed settlement requires ChoicePoint to implement new procedures to ensure that it provides consumer reports only to legitimate businesses for lawful purposes, to establish and maintain a comprehensive information security program, and to obtain audits by an independent third-party security professional every other year until 2026. Further, the proposed settlement sends a strong signal to industry that it must maintain reasonable procedures for safeguarding sensitive consumer information and protecting it from data thieves.

III. Pretexting for Consumers' Telephone Records

An entire industry of companies offering to provide purchasers with the cellular and landline phone records of third parties recently has developed. Recent press stories report on the successful purchase of the phone records of prominent figures.
\18\ Although the acquisition of telephone records does not present the opportunity for immediate financial harm as the acquisition of financial records does, it nonetheless is a serious intrusion into consumers' privacy and could result in stalking, harassment, and embarrassment. \19\ Although pretexting for consumer telephone records is not prohibited by the GLBA, the Commission may bring a law enforcement action against a pretexter of telephone records for deceptive or unfair practices under Section 5 of the FTC Act. \20\
---------------------------------------------------------------------------
\18\ News stories state that reporters obtained cell phone records of General Wesley Clark and cell phone and landline records of Canada's Privacy Commissioner Jennifer Stoddart. See, e.g., Aamer Madhani and Liam Ford, Brokers of Phone Records Targeted, Chicago Trib., Jan. 21, 2006, available at 2006 WLNR 1167949.
\19\ Albeit anecdotal, news articles illustrate some harmful uses of telephone records. For example, data broker Touch Tone Information Inc. reportedly sold home phone numbers and addresses of Los Angeles Police Department detectives to suspected mobsters, who then used the information in an apparent attempt to intimidate the police officers and their families. See, e.g., Peter Svensson, Calling Records Sales Face New Scrutiny, Wash. Post, Jan. 18, 2006, available at http://www.washingtonpost.com/wp-dyn/content/article/2006/01/18/AR2006011801659.html.
\20\ Under Section 13(b) of the FTC Act, the Commission has the authority to file actions in Federal district court against those engaged in deceptive or unfair practices and obtain injunctive relief and other equitable relief, including monetary relief in the form of consumer redress or disgorgement of ill-gotten profits.
However, the FTC Act does not authorize the imposition of civil penalties for an initial violation, unless there is a basis for such penalties, i.e., an applicable statute, rule or litigated decree.
---------------------------------------------------------------------------
The Commission is currently investigating companies that appear to be engaging in telephone pretexting. Using the approach that proved successful in Operation Detect Pretext, Commission staff surfed the Internet for companies that offer to sell consumers' phone records. FTC staff then identified appropriate targets for investigation and completed undercover purchases of phone records. Commission attorneys currently are evaluating the evidence to determine if law enforcement action is warranted.

In addition, the FTC is working closely with the Federal Communications Commission, which has jurisdiction over telecommunications carriers subject to the Communications Act. \21\ Our two agencies are committed to coordinating our work on this issue, as we have done successfully with the enforcement of the ``National Do Not Call'' legislation. \22\
---------------------------------------------------------------------------
\21\ Consumer telephone records are considered ``customer proprietary network information'' under the Telecommunications Act of 1996 (``Telecommunications Act''), which amended the Communications Act, and accordingly are afforded privacy protections by the regulations under that Act. See 42 U.S.C. Sec. 222; 47 CFR Sec. Sec. 64.2001-64.2009. The Telecommunications Act requires telecommunications carriers to secure the data, but does not specifically address pretexting to obtain telephone records. Moreover, the FTC's governing statute specifically states that the Commission lacks jurisdiction over common carrier activities that are subject to the Communications Act. 15 U.S.C. Sec. 46(a). The Commission opposed this jurisdictional gap during the two most recent reauthorization hearings.
See http://www.ftc.gov/os/2003/06/030611reauthhr.htm; see also http://www.ftc.gov/os/203/06/030611learysenate.htm; http://www.ftc.gov/os/2002/07/sfareauthtest.htm.
\22\ In addition, the Attorneys General of Florida, Illinois, and Missouri recently sued companies allegedly engaged in pretexting. See http://myfloridalegal.com/_852562220065EE67.nsf/0/D510D79C5EDFB4B98525710000Open&Highlight=0,telephone,records; http://www.ag.state.il.us/pressroom/2006_01/20060120.html; http://www.ago.mo.gov/newsreleases/2006/012006h.html. Several telecommunications carriers also have sued companies that reportedly sell consumers' phone records. According to press reports, Cingular Wireless, Sprint Nextel, T-Mobile, and Verizon Wireless have sued such companies. See, e.g., http://www.upi.com/Hi-Tech/view.php?StoryID=20060124-6403r; http://www.wired.com/news/technology/1,70027-0.html; http://news.zdnet.com/2100-1035_22-6031204.html.
---------------------------------------------------------------------------
IV. Conclusion

Protecting the privacy of consumers' data requires a multi-faceted approach: coordinated law enforcement by government agencies as well as action by the telephone carriers, outreach to educate consumers and industry, and improved security by record holders are essential for any meaningful response to this assault on consumers' privacy. Better security measures for sensitive data will prevent unauthorized access; aggressive and well-targeted law enforcement against the pretexters will deter others from further invasion of privacy; and outreach to consumers and industry will provide meaningful ways to avoid the harm to the public.

The Commission has been at the forefront of efforts to safeguard consumer information and is committed to continuing our work in this area. We also are committed to working with this Committee to provide greater security and privacy for American consumers.

Senator Allen. Thank you, Ms. Parnes.
We appreciate your comments and we will have questions of you also. Now we would like to hear from the Honorable, a former Congressman and now Chairman, Steve Largent.

STATEMENT OF HON. STEVE LARGENT, PRESIDENT/CHIEF EXECUTIVE OFFICER, CELLULAR TELECOMMUNICATIONS AND INTERNET ASSOCIATION (CTIA)

Mr. Largent. Well, thank you, Mr. Chairman and Ranking Member and other Members of the Committee, for giving me a chance to testify here this afternoon on the theft and illegal sale of phone records by data brokers. With your consent, I would like to have my full written statement made a part of the record.

Senator Allen. It will be.

Mr. Largent. At the outset of my testimony, I want to make it unequivocally clear that the wireless industry and more specifically the wireless carriers that I represent take this matter very seriously. The theft of customer call records is unacceptable and CTIA and the wireless carriers believe that the current practice of pretexting is illegal. CTIA and the wireless industry are on record as supporting Congress's efforts to enact Federal legislation that criminalizes the fraudulent behavior by third parties to obtain, sell, and distribute call records.

I believe that it is important to note that the four national carriers--Verizon Wireless, Cingular, Sprint Nextel, and T-Mobile--have all filed complaints and obtained injunctions across the country to shut down these data thieves. The fact that data brokers apparently have been able to break and enter carrier customer service operations to obtain call records has given our industry a black eye.

To quote from one of CTIA's member companies' code of conduct, it says: ``Great companies are defined by their reputation for ethics and integrity in every aspect of their business.
By their actions, these companies demonstrate the values that serve as the foundation of their culture and attract the best customers, employees, and stakeholders in their industry.'' The wireless industry is dedicated to being responsive to its customers' requests for assistance with their service. To the extent that the theft of customer call records has jeopardized the industry's reputation, it is most unfortunate. Trust is a currency that is difficult to refund.

As we all know, the way that these thieves are obtaining call records is through the use of pretexting, otherwise known as lying. I would note that no two carriers can or should employ the exact same security procedures and I would caution the Committee Members that as you proceed forward in drafting legislation that you consider that the threat environment is constantly changing and static rules can quickly become outmoded or easily avoided by fraudsters.

Moreover, CTIA in its comments to the EPIC petition for rulemaking at the FCC noted that requiring wireless carriers to identify security procedures on the record and to further identify any inadequacies in their procedures would provide a road map to criminals to avoid fraud detection measures. The industry fears that public disclosure potentially could lead to serious harm to consumers and carriers alike.

One security practice we know works is litigation. I cannot emphasize enough how seriously wireless carriers are taking these illegal and unauthorized attempts to obtain and traffic our customers' private information. These internal investigations have led to the carriers filing these cases, which began months before the current media glare. As I mentioned at the beginning of my testimony, the four national carriers have all filed complaints and obtained injunctions across the country to shut these data thieves down.
Carriers have taken additional security steps to require personal identification numbers and passwords when obtaining call record information and many carriers have instituted a ban on e-mail and faxing call records.

It is important to remember carriers are under tremendous pressure to quickly respond to customer calls. What was largely perceived as good customer service yesterday is now a practice seen as a potential inspection flaw. Wireless carriers collectively received hundreds of millions, if not billions, of customer inquiries in 2005 alone. Inside our member companies, customer service reps are striving to address the requests of customers as best they can with the very best interests of the customer at heart. Bearing this statistic in mind, it would prove counterproductive to enact legislation that would impede wireless customers' access to their own account information. Rules that may require in-person customer service would be a step backward from the convenient and responsive customer service wireless carriers strive to achieve.

Clearly, the privacy of a small percentage of our customers and constituents has been compromised. As far as I am concerned, the breach of even one wireless customer's calling records is one customer too many. But to the best of my knowledge, no system is foolproof, especially one that handles hundreds of millions of customer calls each year without the customer being present.

There is one component to this problem that really has not been discussed, but I believe plays a very large role in the sale of call records, and that is the use of credit cards to purchase these records. I think we all agree that pretexting should be made illegal, and if we make the underlying act of making the sale of records illegal, does it not make sense then to prohibit the use of credit cards to buy the records?
I know my suggestion goes beyond the jurisdiction of this Committee, but I truly believe that if Congress dries up the funding source for these sites they will disappear.

The wireless industry wholeheartedly supports making it explicitly clear that the marketing, possession, and sale of call records is against the law. If we have learned anything from this experience, it is that combatting pretexting is a war where the unscrupulous continuously seek out vulnerabilities and the weaknesses in the carriers' defenses. Unfortunately, no defense will be perfect, which is why we need a good offense and strong enforcement measures against these criminals.

Again, thank you for this opportunity and I welcome any questions you may have, Mr. Chairman.

[The prepared statement of Mr. Largent follows:]

Prepared Statement of Hon. Steve Largent, President/Chief Executive Officer, Cellular Telecommunications and Internet Association (CTIA)

Chairman Allen, Ranking Member Pryor and Members of the Subcommittee, thank you for the opportunity to appear before you this afternoon to testify on the theft and illegal sale of phone records by data brokers. At the outset of my testimony, I want to make it unequivocally clear that the wireless industry, and more specifically, the wireless carriers that I represent take this matter very seriously. The theft of this data is unacceptable, and CTIA and wireless carriers believe that the current practice of ``pretexting'' is illegal. Chairwoman Majoras has declared that the Federal Trade Commission currently has the authority it needs to prosecute these thieves. Carriers have successfully filed injunctions to take these sites down. Additionally, CTIA and the wireless industry are on record as supporting Congress's efforts to enact Federal legislation that criminalizes the fraudulent behavior by third parties to obtain, sell or distribute call records.
I believe that it is important to note that the four national carriers: Verizon Wireless, Cingular, Sprint Nextel, and T-Mobile have all filed complaints and obtained injunctions across the country to shut these data thieves down. The fact that data brokers apparently have been able to break and enter carrier customer service operations to obtain call records has given our industry a black eye.

To quote from one of CTIA's member companies' Code of Conduct, ``Great companies are defined by their reputation for ethics and integrity in every aspect of their business. By their actions, these companies demonstrate the values that serve as the foundation of their culture and attract the best customers, employees and stakeholders in their industry.'' The wireless industry is dedicated to being responsive to its customers' requests for assistance with their service because of its concern for wireless customers. To the extent that the theft of customer call records has jeopardized the industry's reputation, I believe this is most unfortunate because trust is a currency that is difficult to refund.

Pretexting

Overwhelmingly, the vast majority of cell phone records are being fraudulently obtained through the use of ``pretexting,'' which is nothing more than lying to obtain something you aren't entitled to procure lawfully. Allow me to explain how these data thieves operate. For the sake of illustration, if someone--and in most cases it appears to be a private investigator--wants to acquire my call records, the private investigator will go to a website that publicly offers to obtain such records such as locatecell.com. The person trying to obtain my call records will provide the website in most cases with nothing more than my name and phone number. At that point, the website or a subcontractor of the website will pose as Steve Largent and call a carrier's customer service department to get the records.
Customer Service Representatives (CSR) are trained to require more than just a name and phone number, but the thieves are well trained too and often badger, threaten or plead with the CSR to acquire the records as if they are the actual customer. Our carrier investigations confirm that these calls are rebuffed, but these data brokers are quite determined. The data broker will scour other sources on the Internet or elsewhere to obtain my Social Security number or date of birth so that eventually the data broker will appear to be Steve Largent calling customer service, and thus, the CSR is duped into releasing the records. To be clear, from the carrier perspective, the CSR is dealing with the actual customer. Make no mistake, these data thieves are extremely sophisticated. If they are unable to deceive one CSR on the first attempt, they will place multiple calls to customer service call centers until they are able to mislead a CSR into providing the call records. No combination of identifiers is safe against pretexting. We have had cases where the data brokers have possessed the customer password. We have had cases where they knew the date of birth of the customer and the full Social Security number. Because many of these cases seem to arise in divorce or domestic cases, it is common for a spouse to have all of the necessary identifying information long after a divorce or separation to obtain call records. Wireless Carrier Security Practices CTIA's members are committed to protecting customer privacy and security. This is no hollow pronouncement--we are talking about carriers protecting the privacy of their most valuable assets--their customers--as well as the very infrastructure of their networks. No carrier has an interest in seeing customer records disclosed without authority and every carrier has security policies and technical defenses to guard against it. 
I am also confident that our carriers are utilizing the best industry practices for combating fraud and ensuring security; however, the thieves who want to commit these crimes are constantly changing their tactics and approaches--staying one step ahead of them requires flexibility. Wireless carriers employ a broad range of security measures beyond those put in place to meet the Federal Communications Commission's (FCC) customer proprietary network information (CPNI) rules to prevent unauthorized access to and disclosure of CPNI. I would note that no two carriers can or should employ the exact same security procedures. I would caution Committee Members that as you proceed forward in drafting legislation that you consider the threat environment is constantly changing and static rules can quickly become outmoded or easily avoided by the fraudster. Additionally, CTIA in its comments to the EPIC petition for rulemaking at the FCC, noted that requiring wireless carriers to identify security procedures on the record and to further identify any inadequacies in those procedures would provide a roadmap to criminals to avoid fraud detection measures. Public disclosure potentially could lead to serious harm to consumers and carriers alike. CPNI is protected from unauthorized disclosure under Section 222 of Title 47 and the FCC's implementing rules. ``Every telecommunications carrier has a duty to protect the confidentiality of proprietary information.'' Every wireless carrier takes that duty seriously; it is the law. The FCC, too, has followed up strongly on that mandate. In its very first order after the passage of the Telecommunications Act of 1996, the FCC directly addressed security concerns related to the protection of CPNI, and it has addressed the CPNI rules multiple times over. Consistent with Congress's intent in Section 222, the wireless industry has worked continuously to maintain and improve the security of its customers' private information. 
CSRs are trained extensively on the rules related to access, use and disclosure of call records. Technical restrictions are placed on access to call records to ensure that no one can walk off with a database of customer information, and CSRs are monitored to ensure they follow the necessary procedures. While we have heard stories about insiders selling call records on the side, we have not actually seen these cases. Instead, the vast majority of cases we have seen involve pretexting where the fraudster actually has all the necessary customer information to obtain the records.

Wireless carriers have taken additional measures to reiterate to their customers that it is important to continue to take steps to protect their accounts by utilizing passwords. For example, T-Mobile ``urges all users of mobile services to take the following password protection steps:''

- create separate passwords for voice mail, online access, and for use when calling customer care about your billing account
- set complex passwords using both numbers and letters where appropriate
- avoid common passwords such as birthdates, family or pet names and street addresses
- change your passwords at least every 60 days
- memorize your passwords, and don't share passwords with anyone

But passwords get lost or forgotten and in many cases, customers call a CSR to refresh a password. The ability to change a password remotely presents another pretexting opportunity. In short, passwords are not a ``silver bullet.'' Some carriers also report that some customers rebel against mandatory passwords, preferring instead to be empowered to make that choice individually, rather than by dictate.

The Committee should be aware that carriers are extremely cautious when allowing any third party vendor access to call records. Carrier contracts contain strict confidentiality and security provisions.
It is common for carriers, for example, to require that vendors represent and warrant that they have adequate security procedures to protect customer information and to provide immediate notice of any security breach to the carrier. This contractual framework flows down a carrier's own security standards to vendors who conduct customer billing responsibilities creating security in depth.

One security practice we know now works is litigation. I cannot emphasize enough how seriously wireless carriers are taking these illegal and unauthorized attempts to obtain and traffic our customers' private information. These internal investigations have led to the carriers filing these cases which began months before the current media glare. As I mentioned at the beginning of my testimony, the four national carriers: Verizon Wireless, Cingular, Sprint Nextel, and T-Mobile have all filed complaints and obtained injunctions across the country to shut these data thieves down. Moreover, smaller Tier II and Tier III wireless carriers are re-examining their security protocols to ensure their customers' privacy.

The carriers' internal investigations against the data brokers made it possible to secure injunctions aimed at taking down the sites and preserving evidence so we can determine exactly who is buying the records through these brokers. We look forward to working with the Committee to utilize this information so Congress will be in a better position to draft legislation aimed not only at those who engage in pretexting, but also those that solicited the deed in the first place and later received the stolen property.

Customer Service Protections

As I mentioned previously, carriers have taken additional security steps to require personal identification numbers and passwords when obtaining call record information. For example, when call records are accessed, it is logged in the customer service database, so the carrier can see who looked at what records.
Further, CSRs are trained to annotate the customer record whenever an account change or event occurs. A CSR will note when a customer called and asked for his or her records. To prevent the fraudster from adding a fax or e-mail account identifier to another's account, many carriers have instituted a ban on faxing or e-mailing call records.

It is important to remember, carriers are under tremendous pressure to quickly respond to customer calls. What was largely perceived as good customer service yesterday, is now a practice seen as a potential security flaw. Because of the highly competitive nature of the wireless phone industry, customer service is extremely important to wireless carriers and their customers. Wireless carriers collectively received hundreds of millions, if not billions, of customer inquiries in 2005. Inside our member companies, CSRs are striving to address the requests of customers as best they can with the very best interest of the customer at heart. Bearing this statistic in mind, it could prove counterproductive to enact legislation that would impede wireless customers' access to their own account information. Rules that may require in-person customer service would be a step backwards from the convenient and responsive customer service wireless carriers strive to achieve.

Conclusion

Clearly, the privacy of a small percentage of our customers and your constituents has been compromised. As far as I am concerned, the breach of even one wireless customer's calling records, is one customer too many. But to the best of my knowledge no system is foolproof, especially one that handles hundreds of millions of customer calls each year without the customer being present. The wireless industry wholeheartedly supports making it explicitly clear that the marketing, possession, and sale of call records is against the law.
CTIA and its carriers are on record as supporting Congress's efforts to enact Federal legislation that criminalizes the fraudulent behavior by third parties to obtain, sell, or distribute call records. Carriers have been successful in using existing state and Federal law to obtain injunctions to shut down these Internet sites. If we have learned anything from this experience, it is that combating pretexting is a war where the unscrupulous continuously seek out vulnerabilities and weaknesses in the carrier defenses. Unfortunately, no defense will be perfect, which is why we need a good offense and strong enforcement measures against these criminals. Again, thank you for this opportunity and I welcome any questions you may have. Senator Allen. Thank you, Mr. Largent, for your comments. Now we would like to hear from Mr. Rotenberg. STATEMENT OF MARC ROTENBERG, EXECUTIVE DIRECTOR, ELECTRONIC PRIVACY INFORMATION CENTER Mr. Rotenberg. Thank you, Mr. Chairman and Members of the Committee, for the opportunity to be here today. I would like to ask that my full statement be entered into the record. Senator Allen. It is so ordered. Mr. Rotenberg. Thank you. I want to thank the Committee for holding this important hearing today, the sponsors of the legislation to safeguard the privacy of our cell phone records, and also the chairman of the FCC, who I think has taken important steps in the last few months to address this problem. Last summer my organization, the Electronic Privacy Information Center, EPIC, wrote to the Federal Trade Commission and we expressed our concern about a new problem that many people were not aware of. That was the fact that their cell phone records, those monthly billing statements that are received by more than 190 million Americans, were available for sale on the Internet. We asked the Federal Trade Commission to investigate the matter. 
We followed up with a supplemental filing after we had identified 40 different companies that were selling our monthly billing statements. We also filed a petition with the FCC and we expressed concern in that petition that the security standard simply seemed to be inadequate. Yes, we understood there were people engaging in fraud or pretexting to obtain personal information, but the companies also were not doing enough to safeguard the information. So we asked the FCC to look at its authority under section 222 to see if it could take more steps to ensure that there would be stronger security measures to protect those important call billing information records.

Well, here we are today and it seems clear that it is time for Congress to do something about this problem. Even though it may be the case that fraud is illegal, there has just not been enough action on the enforcement front. In fact, last week, after the House hearing was held on the problem, the companies engaged in this practice had such an increase in activity that a couple of the websites actually had to go down because they could not take all the increased business resulting from the publicity surrounding their practices.

So I am going to make a few suggestions about the type of steps that Congress could take at this point and at the same time acknowledge that many of the proposals that EPIC and other privacy and consumer groups will put forward are similar to those that have been suggested by the chairman of the FCC.

First, it is clear that pretexting should be banned. If there is any question about this, it has to be answered that it is unfair, deceptive, unethical, illegal, and wrong. The ban should be broad, it should be emphatic, and there should be no ambiguity about that practice.

The second key point is that the sale of these monthly billing statements should be made illegal.
There is just no scenario under which it makes sense for a company to take the records of who we have called each month and make that data available for sale. If those records are needed, for example by a law enforcement agent in the course of a criminal investigation, then there is subpoena or warrant authority. If those records are needed in civil litigation, subpoena can also be used. If an individual wants to disclose billing information, for whatever purpose, it can be done by consent. But there is no scenario, I believe, under which it makes sense to allow a market for the sale of personal phone records. The third key recommendation is that stronger security standards are clearly needed in this industry. We were, frankly, disappointed by the decision of the wireless industry to oppose our recommendation to the FCC for stronger security standards. Mr. Largent, I have a very simple recommendation for the companies in your industry: If they cannot protect the information, they should not collect the information. It is placing consumers at risk when their personal information can be obtained online over the Internet. Mr. Chairman, this goes to the final recommendation. This Committee of course over the years has had to consider many new communications services and oftentimes we have held these hearings about privacy-related issues. I think one of the lessons that we are learning is that when personal information is collected in the context of a communication service, it creates a privacy risk. We know that historically it was not always the case that this type of detailed call information was made available. Local call service traditionally in the United States was actually treated as a utility. It was only the long distance calls that included the detailed billing information. We know that there are new telephone services on the horizon, such as VoIP services, that take advantage of the Internet. 
So I would just like to suggest to you, sir, and other Members of the Committee that going ahead, if it is possible to develop communications services that do not require the collection of so much detailed personal information, at least the privacy problem will not be as serious as it is today for the American consumer. Thank you so much for the opportunity to testify. [The prepared statement of Mr. Rotenberg follows:] Prepared Statement of Marc Rotenberg, Executive Director, Electronic Privacy Information Center Introduction Chairman Allen, Ranking Member Pryor, and Members of the Committee, thank you for the opportunity to testify on the privacy of telephone records. My name is Marc Rotenberg and I am Executive Director and President of the Electronic Privacy Information Center in Washington, D.C. EPIC is a not-for-profit research center established to focus public attention on emerging civil liberties issues and to protect privacy, the First Amendment, and constitutional values. We have played a leading role in emerging communications privacy issues since our founding in 1994. We thank the Members of the Committee and others who are developing legislation to address pretexting and to increase security standards at companies that collect and maintain data. We especially commend the sponsors of the Telephone Consumer Protection Act, S. 2178, and the Phone Record Protection Act, S. 2177, which would ban the sale of personal telephone records. These measures will help establish important safeguards for American consumers and keep call record details off the Internet, but more work remains to be done: Records other than telecommunications records must be protected from abuse for profit. 
In this statement today, I will summarize EPIC's efforts to bring public attention to the problems of pretexting and communications record sales; suggest several approaches to the problem, including a ban on pretexting and the restriction of the sale of telephone records; and make specific recommendations concerning current and future legislation. EPIC's Efforts to Address Pretexting and Phone Record Sales In July 2005, EPIC filed a complaint with the Federal Trade Commission concerning a website that offered phone records and the identities of P.O. Box owners for a fee through pretexting. Pretexting is a practice where an individual impersonates another person, employs false pretenses, or otherwise uses trickery to obtain records. EPIC supplemented that filing in August with a list of 40 websites that offered to sell phone records to anyone online. In light of the fact that so many companies were selling communication records online, EPIC also petitioned the Federal Communications Commission, urging the agency to require enhanced security precautions for phone companies' customer records. \1\ Although telephone carriers unanimously opposed enhanced security requirements, proposing that lawsuits against pretexters would solve the problem, Chairman Martin of the FCC last week announced that he and his fellow Commissioners will be considering EPIC's petition and acting upon it within the next few days. The FCC has recognized that enforcement alone will not solve this problem. It will simply drive these practices underground, where they will continue with less public scrutiny. Simple security enhancements, such as sending a wireless phone user a text message in advance of releasing records, could tip off a victim to this invasion of privacy and block the release. 
---------------------------------------------------------------------------
\1\ Petition of EPIC for Enhanced Security and Authentication Standards, In re Implementation of the Telecommunications Act of 1996, CC Docket No. 96-115, available at http://www.epic.org/privacy/iei/cpnipet.html.
---------------------------------------------------------------------------

Phone Records Are the Tip of the Problem

While the sale of cell phone records has gained significant media attention, and telecommunications records are the focus of the two bills currently before the Senate, many other types of private records are being bought and sold in the public market. Alongside many advertisements for cell phone records, wireline records and the records associated with calling cards are advertised. As individuals shift to VoIP telephones, it is safe to assume that those records will be offered for sale as well, and we commend the authors of S. 2178, who have included this and other emerging technologies in their legislative efforts.

However, the problem of record sales is not limited to the many methods of voice communication that we can use. Sites commonly advertise the ability to obtain the home addresses of those using P.O. Boxes. Some websites, such as Abika.com, advertise their ability to obtain the real identities of people who participate in online dating websites. A page on Abika.com advertises the company's ability to perform ``Reverse Search AOL ScreenName'' services, a search that finds the ``Name of person associated with the AOL ScreenName'' and the ``option for address and phone number associated with the AOL ScreenName.'' \2\ The same page offers name, address, and phone number information for individuals on Match.com, Kiss.com, Lavalife, and Friendfinder.com. These are all dating websites that offer individuals the opportunity to meet others without immediately revealing who they are.
---------------------------------------------------------------------------
\2\ See http://www.abika.com/Reports/tracepeople.htm#Search%20Address/Phone%20Number%20associated%20with%20email%20Address%20or%20Instant%20Messenger%20Name.
---------------------------------------------------------------------------

The availability of these services presents serious risks to victims of domestic violence and stalking. There is no reason why one should be able to obtain these records through pretexting, or outside of existing legal process. We therefore urge the Committee to follow up on Congress' excellent first steps by expanding pretexting bans, as well as restrictions on record sales, to cover other forms of communication, such as Internet services and other information services, as well as postal information.

In Addition to Pretexting, Sales of Communications Records Should be Banned

Just as initial attention on this issue needs to expand beyond cell phone records, discussion of solutions needs to look beyond merely banning one method of obtaining and abusing personal information. EPIC fully supports a ban on pretexting, as such action would make unmistakably clear the fact that such practices are unfair, deceptive, illegal, and wrong. However, any method used to obtain and sell a person's private records should be prohibited, whether that method involves pretexting, computer hacking, bribery, or other methods. In order to curb these invasions of privacy, consumers and law enforcement need to be able to pursue those who would offer private consumer information for sale, regardless of the methods used to steal it.

We support the provisions in S. 2177 and S. 2178 that would ban the sale of consumers' telephone information. Banning the commercial sale of private consumer information is a necessary complement to banning pretexting, as it would ``dry up the market'' for illegally obtained telephone records.
Such a prohibition would also allow consumers and consumer protection agencies to go after those who advertise privacy-invasive services without having to prove the specific techniques that the data brokers have used. EPIC has asked both the Federal Trade Commission and the Federal Communications Commission to take action on this issue. The FTC proposes a ban on pretexting; the FCC proposed a ban on commercial sale of records. EPIC believes that these efforts are necessary complements to the effort to protect consumers' communication records. No Law Enforcement Exception Both of the bills introduced in the Senate have included exceptions for law enforcement. We recognize the need for law enforcement to gain access to communications records, and that is why there are existing, routine procedures under the law for such access, such as warrants and subpoena powers. We note that Senator Schumer's bill notes that any law enforcement acquisition of records must be made ``in accordance with applicable laws,'' and we agree that such a caveat is necessary. EPIC would go further, however, in urging that, since such procedures for law enforcement access exist, there is no need for law enforcement to engage in the fraud that these bills are trying to prevent. Carriers and Other Holders of Personal Information Should Have Legal Obligations to Shield Data From Fraudsters The acquisition and sale of these records, however, is only a part of the problem. Pretexting works because phone companies and others who store our communications records fail to adequately protect our personal information. Phone companies can be fooled into releasing information easily because releases of customer information are so routine, and because they use inadequate means to verify a requester's identity. 
If carriers only require a few pieces of easily-obtained information to verify a requester's identity (such as date of birth, mother's maiden name, or a Social Security number), then pretexters can impersonate account holders and obtain records with ease. All of this information is easily obtained in commercial databases or in public records. Furthermore, the online data brokers who do the pretexting often have easy access to these banks of private dossiers on individuals.

If legislation is to fully address the problem of private information sales, Congress must look not only at the practices and tactics used by bad actors, but also at the loopholes and vulnerabilities they exploit. Laws that criminalize deceptive, unfair, and privacy-invasive sales must be complemented by laws and regulations that strengthen communications privacy and security.

Carriers Should Limit Data Retention and Disclosure

An even more fundamental question in this discussion--more fundamental than how data brokers pretext information, or what vulnerabilities they exploit--is why this sensitive information is there to be stolen in the first place. The records that data brokers buy and sell online are often simply our past phone bills. The numbers we dial, the times of our calls, and the length of our conversations are known because of the way in which the cellular billing system is structured.

One way to alleviate this problem would be to delete records after they are no longer needed for billing or dispute purposes. This, however, could leave consumers still vulnerable in the time between payment periods. Another alternative would be simply to not record and disclose all of this information. If telephone service were billed as a utility, as it was in the past for local service and may be in the future with VoIP service, many of the threats to privacy would simply disappear.
The concept of data limitation--that data should only be collected and stored when necessary--can be applied not only in protecting call records, but other sensitive personal information. Senators Specter and Boxer's proposal, S. 1350, the Wireless 411 Privacy Act, to provide privacy for consumers' mobile phone numbers is a good example of this important privacy safeguard. If the number need not be published in directories or in billing records, then it should not be provided, and opportunities for abuse are reduced by just that much.

The vulnerabilities that our by-the-minute system of billing builds into our phone records are a good example of how decisions made about a communication system's initial structure and function create built-in privacy issues. In a letter that EPIC sent to then-Chairman Powell of the FCC, we noted that the emergence of new communications systems, such as Internet telephony, requires that Congress and executive agencies look forward in creating privacy-protective regulatory frameworks into which the new technologies can grow. \3\ We support the provisions in Senator Durbin's bill that extend anti-pretexting provisions to next-generation wireless communications, as well as Senator Schumer's inclusion of Internet telephony and other communications services.

---------------------------------------------------------------------------
\3\ Letter of EPIC to FCC Chairman Powell, Dec. 15, 2003, available at http://www.epic.org/privacy/voip/fccltr12.15.03.html.
---------------------------------------------------------------------------

We hope that the Committee will act on the proposals from Senator Schumer and Senator Durbin to protect the privacy of customers' phone records. There is no good reason that our monthly call billing records should be available for sale on the Internet.

Senator Allen. Thank you, Mr. Rotenberg. We appreciate your comments and your testimony and your insight. Now we would like to hear from Mr. Robert Douglas. Mr. Douglas.
STATEMENT OF ROBERT DOUGLAS, CHIEF EXECUTIVE OFFICER, PrivacyToday.COM Mr. Douglas. Thank you, Chairman Allen, Ranking Member Pryor, Senator Smith, and Members of the Committee. It is a pleasure to be here today. As you mentioned before, I was a private investigator in Washington, D.C., for the better part of 20 years. For the last 9 years, I worked as an information security consultant, specifically on the issue of theft of consumer records, and I served as a consultant to the FTC in Operation Detect Pretext, which has been mentioned, to the Florida statewide grand jury on identity theft, and specifically in a murder case in New Hampshire where a young woman named Amy Boyer was murdered when this type of information was stolen, and I will address that in just a moment. I have submitted very extensive written testimony, but I would like to use pictures, if I could, instead of words in my 5 minutes to demonstrate what is happening, what is out there, and maybe bring a face to what we are discussing today, Mr. Chairman. [Screen.] The screen up right now is CellularTrace.com. This is one of the companies that was named in the EPIC complaint. I worked with EPIC's Chris Hoofnagle in putting together the 40 companies that were named in that complaint last July. And this company is continuing to sell specific cell phone records and, as Mr. Rotenberg noted, this is one that has a notice up about how inundated they are being with business. They are saying right now: ``Notice. As a result of the recent newscast on cellular research, we have been completely inundated with orders. We are getting caught up as quickly as possible, but those placing the orders should expect delays.'' This may be one of the companies--I believe, Mr. Smith, you referenced this issue earlier--that is operating offshore, but we are taking a look at that right now. I also want to address some of the tangential issues which address how they are getting some of this information. [Screen.] 
This is a website called HackersHomePage.com, where they are specifically selling a voice-changing device, telephone voice changer. I have noticed in one of the suits brought by Verizon they have publicly acknowledged that one of the methods being used to defeat their call center operators' customer authentication procedures was to impersonate a nonexistent division of Verizon, claiming to be--I do not even really need the microphone, evidently--claiming to be a division that helps disabled customers who have problems using their voice. So when the call center operator says to the pretexter, well, I still need to speak to the customer, they just use this voice changer to change their voice and continue to be one and the same thief.

[Screen.]

This is a site called SpoofTel, Spoof Telephone, and these types of websites and actual devices that are for sale all over the Internet are used by private investigators and information brokers as part of pretext, allow you to make any caller ID system look like it is coming from a different number. So Kevin Mitnick, who is known in social engineering circles, hacking circles, once demonstrated how he could make a call look like it is coming from the White House. More specifically for what we are talking about today, you could make the call look like it is coming from your telephone carrier, thereby duping the customer themself into turning over important information to then beat the customer authentication protocols that the phone companies have.

What I would like to close my testimony with is talking about where we were back in 1998. I testified at that time and my testimony with others resulted in the anti-pretext legislation contained in Gramm-Leach-Bliley, and I find myself having a little deja vu. I am here again on a similar issue, different type of record. At that time, as there has been some mention about danger to police officers, there was a company, Touchtone, as mentioned by the FTC today.
But in addition to stealing financial record information, they stole thousands and thousands of phone records of Americans. They were involved in stealing records in the Clinton-Lewinsky investigation, in the JonBenet Ramsey investigation, in the murder of Bill Cosby's son Enis Cosby. But most relevant to what we are talking about today, they sold the phone records of undercover Los Angeles police officers to organized crime in an ongoing investigation--not a what-if with the FBI buying records, not a what-if with the Chicago Police Department. This has happened already. That is one we know about. I am sure it has happened many other times.

[Screen.]

This company, Docusearch, same timeframe, back in 1998-1999 when Gramm-Leach-Bliley was being signed into law, advertised and continues to advertise to this day--Mr. Chairman, when we spoke before the hearing this afternoon I told you I would talk about a company in your home State. That is Docusearch. That is Dan Cohen, who owns it, who moved from Florida after he was sued in the Boyer murder case and now operates right out of Northern Virginia. To this day--this is today on his website--he is trumpeting that he was the featured cover story article in Forbes Magazine November 1999, as Gramm-Leach-Bliley was being signed into law, bragging about how he steals financial records and phone records, specifically phone records back at that time.

[Screen.]

Well, we should have paid attention, because this woman, Amy Boyer, who was 20 years old, had her whole life ahead of her, was murdered, and she was murdered by this man, Liam Youens, standing in the corner of his bedroom with an AK-47, shortly before he went out and gunned her down. He was telling the world on this website that I have got one captured page from here, documenting for the better part of a year how he obtained information on her.
And while it was not specifically phone records, it was her employment address, obtained through pretext--part of what we are talking about today. The sad and sick thing was they called her mother and impersonated an insurance company and said they had an insurance refund from her. So her mother today says: I was an accomplice to my own daughter's murder.

I will close with what he says at the end, which is that ``It is actually obscene what you can find out about somebody on the Internet.'' He wrote those words right before he left on October 15, 1999, and murdered Amy.

With that, I will avail myself to your questions, Mr. Chairman.

[The prepared statement of Mr. Douglas follows:]

Prepared Statement of Robert Douglas, Chief Executive Officer, PrivacyToday.com

Chairman Allen, Ranking Member Pryor, Members of the Committee, my name is Robert Douglas and I thank you for the opportunity to appear before this Committee to address the Committee's concerns about the theft of Americans' phone records.

I. Background and Basis of Knowledge

I am the CEO of PrivacyToday.com and work as an information security consultant to the private and public sectors on issues involving all aspects of identity theft, identity fraud, and customer information security. During the past nine years, I have assisted the financial services industry, the general business community, government, and law enforcement agencies to better understand the scope and methodology of identity crimes through educational materials, presentations, auditing, and consultation.

My specialty is monitoring and investigating the practices of identity thieves, illicit information brokers, and illicit private investigators that use identity theft, fraud, deception, bribery, social engineering, and ``pretext'' to steal customer and proprietary records from a wide range of businesses.
Additionally, I teach businesses, government agencies, and law enforcement how to detect and defend against these forms of theft in order to better protect all Americans.

This is my seventh appearance before the United States Congress to discuss information security. Most relevant to today's hearing, I worked in 1998 with the House Financial Services Committee to expose the use of ``pretext'' and other forms of deceptive practices to steal and sell consumers' private financial records maintained by financial institutions. That work resulted in the July 28, 1998 hearing titled ``The Use of Deceptive Practices to Gain Access to Personal Financial Information''. Testimony offered at that hearing resulted in the Gramm-Leach-Bliley Act provisions outlawing the use of deceptive practices to gain access to financial account information.

In follow-up testimony I presented in a September 13, 2000 hearing before the same committee acting in its oversight capacity, I discussed the emerging and growing threat of deceptive practices being used to gain access to phone records--the precise issue before you today. [The 1998 and 2000 testimonies, along with my other congressional testimonies are available at PrivacyToday.com/speeches.htm]

Following the 2000 testimony I served as a consultant and expert to the Federal Trade Commission in the design and execution of Operation Detect Pretext, a sting operation to catch and civilly prosecute companies participating in the illicit information market.

In 2002, I testified as an expert witness on illicit information brokers and the role they play in identity theft and fraud before the Florida Statewide Grand Jury on Identity Theft.

From 2001 to 2004, I was an expert witness and consultant for the plaintiffs in Remsburg v. Docusearch, a suit brought by the parents of Amy Boyer against a private investigator selling illicitly obtained personal information via a website. Ms. Boyer was murdered by an infatuated young man who purchased Ms. Boyer's Social Security number, date of birth, and place of employment from Docusearch who employed a ``pretexter'' to impersonate an insurance company official to obtain the employment address of Ms. Boyer. Subsequently the killer gunned down Ms. Boyer as she left work.

I am currently serving as a consultant in a Pennsylvania murder case involving the sale by a private investigator of data-mining ``research'' about the victim to a deranged former employee who used the ``research'' to locate the victim and kill him.

I assisted Chris Hoofnagle of EPIC West, who deserves full credit for this issue reaching the attention of Congress, with the amended complaints submitted to the FCC and FTC by compiling the 40 companies named therein.

I have lectured before local, state, Federal and international law enforcement, banking, and business associations on the topic of identity crimes.

I am the author of ``Spotting and Avoiding Pretext Calls'' which was distributed by the American Bankers Association to all member institutions. I am also the author of ``Privacy and Customer Information Security--An Employee Awareness Guide'', a training manual that has been used by numerous banks and businesses to train employees to defend against deceptive practices designed to steal customer information.

Prior to my work as an information security consultant, I was a Washington D.C. private detective.

II. Identity Thieves Use the Same Methods

I'd ask the Committee to keep one important fact in mind while investigating the practices of illicit information brokers and illicit private investigators stealing phone and other consumer records. The methods used by those industries are used by identity thieves and financial criminals every day in this country to defeat customer information security systems for a wide range of businesses.
Additionally, in each case I've worked involving web-based illicit information providers, when we have been able to review the files of the company, there have been indications of identity thieves and other criminals--including stalkers--using those companies to buy information about Americans.

Finally, as we are focusing on phone records today, I would hazard an educated opinion that one of the reasons that the FTC lists cell phone fraud as one of the most common forms of fraud resulting from identity theft is the ease with which cell phone records are stolen or purchased on the Internet.

For further background information, I recommend reading ``Your Evil Twin,'' by Bob Sullivan. I'd also like to recommend Robert O'Harrow's ``No Place To Hide'' as an excellent work on the growing data-mining industry and a number of the public policy issues raised by this industry.

III. The Illicit Sale of Phone Records and Much More

News reports have served an important role in bringing the problem of web-based information brokers and private investigators selling detailed phone records to the attention of this Committee, Congress, and the American people. While reporting by Robert O'Harrow of the Washington Post and Bob Sullivan of MSNBC on the sale of phone records dates back to the late 1990s, the issue has only recently caught the full attention of the American consumer and law enforcement agencies across the country.

In part this was due to the work of Frank Main at the Chicago Sun-Times who discovered that the Chicago Police were concerned that the sale of detailed cell phone records could jeopardize the safety of police officers and criminal investigations. Subsequently, Frank Main reported that the FBI was alarmed to learn in a test purchase of a web-based information broker that anyone could obtain the cell phone records of a FBI agent within a matter of hours from placing the order.
As the Committee will learn a bit later in my testimony, the Chicago Police and FBI were correct in their concerns as years ago the phone records of Los Angeles police officers had been sold by an information broker to organized crime.

But for the most part, the overwhelming number of news reports has inadvertently served to minimize the scope and extent of the problem. While the vast majority of reporting has focused on cell phone records and a small number of web-based brokers selling those records, the reality is that all entities that maintain consumer and proprietary information are under attack. The list includes, but is not limited to, telecommunication (including e-mail and Internet service providers), cable and satellite television, utility (including electric, gas, water and sewer companies), and financial industries, plus all government agencies.

In short, any business or government agency maintaining customer records or confidential proprietary information is at risk because identity thieves, illicit information brokers, illicit private investigators, corporate spies, and con artists know quite often the most effective tool for stealing highly valued information is the telephone.

In addition to minimizing the types of consumer information for sale, recent news reports have also inadvertently minimized the number of outlets and methodologies via which phone records can be purchased or stolen. Even the range of telecommunications records for sale has been inadvertently minimized with most media focusing on just the sale of cell phone records.

Specifically, there are far more web-based illicit information brokers and illicit private investigators than the 40 cited in the EPIC West complaint and there are a myriad of methods used to defeat phone company information security protocols far beyond the simple pretext of impersonating the customer.
Additionally, when considering phone records, all types of telecommunications records are for sale--from home and business phone records to cell phone records to reverse-911 cell tower location information to pager records to GPS tracking devices to name just a few categories.

Finally, the reporting has inadvertently minimized the dangers posed by phone records and other forms of information stolen by means of pretext falling into the wrong hands when information brokers and private investigators sell either information obtained through pretext, or even database information, to individuals without any understanding of why the individual wants the information. Murders and assaults have occurred when information brokers and private investigators have not taken adequate steps to understand who they are providing information to.

With the caveat that all consumer records and government/business proprietary information are at risk; that there are far more than the 40 brokers and investigators selling phone and other records cited in the EPIC West complaint; and, that these records in the wrong hands have caused severe harm--including loss of life, I will confine the remainder of my testimony to the sale of phone records obtained most commonly through pretext and other forms of deception.

IV. To Understand Why Records Are Sold, You Need To Know Who Buys Them

To understand why the phone records of practically any American--from former presidential candidate General Wesley Clark to women hiding under threat of violence--are for sale on the Internet, you need to know who is buying the bulk of the phone records that are obtained through illicit means.

The overwhelming majority of phone records are purchased by attorneys, private investigators, skip tracers, debt collectors, and the news media. Attorneys purchase the records as a means of discovery in all forms of litigation from divorce, to criminal defense, to ``business intelligence''.
Private investigators buy phone records as a means of locating witnesses, developing leads, and developing evidence. Skip tracers use phone records to locate hard to find individuals who may be using deceit themselves to cover their tracks. Debt collectors find phone records a valuable tool in locating ``deadbeats'' who may be hiding from the collector and/or hiding assets. The news media--especially the tabloid press--want phone records to track celebrities' lives and develop leads in cases like the JonBenet Ramsey murder, the Columbine massacre, and the freeway slaying of Bill Cosby's son.

Each of these categories of users and purchasers have at one time or another made impassioned pleas to me that they need access to phone records--outside of normal judicial review processes--to conduct what they argue are socially beneficial services.

These buyers and their thirst for the information contained in detailed phone billing records resulted in the market and the cash flow that fed and encouraged the online sale of phone records. Specifically, the methods for stealing phone records had been known and in use for decades in order to service attorneys, private investigators, skip tracers, debt collectors, and the news media. With the advent of the Internet and the World Wide Web it was only a matter of time before some illicit information broker or private investigator decided to advertise the availability of phone records on the web. And once the first ads appeared and other brokers and investigators learned how much money could be made selling phone records via the Internet--in some instances more than a million dollars per year for small operations--the feeding frenzy was on.

So today there are hundreds of ads on the web (and in legal and investigative trade journals) for phone records and phone ``research''.
And contrary to the language on those sites claiming to limit sales of personal information to attorneys, investigators, skip tracers, debt collectors, and bail bondsmen, most of these companies will sell to anyone as long as they think you're not a reporter or law enforcement agency conducting a media expose or sting operation. Frankly, greed is the name of the game.

Those hundreds of ads on the web only represent the tip of the iceberg. Two other factors combine to push the total to thousands of outlets for purchasing phone records.

First, many brokers and investigators don't advertise on the web or at all. These brokers and investigators work beneath the surface and develop clients by word of mouth while shunning publicity. Many of these hidden brokers and investigators are the actual sources--once removed--for the information sold via the web as many of the web-based operators are not skilled in the methods of stealing customer information and serve as mere front companies.

Second, the brokers and investigators who shun a web presence but supply many of the web-based operations, also supply other brokers and investigators throughout the country who don't openly advertise on the web or anywhere else. And often those brokers and investigators service other brokers and investigators in a spider web or pebble-dropped-in-the-pond effect. Through this black market phone records may pass through several sources--at times including a bribed phone company insider--before reaching the eventual buyer.

So in reality there are thousands of brokers and investigators, on the web and off, comprising the totality of suppliers of illicit phone records. And the records are now for sale to anyone who wants them--regardless of reason.

V. How Phone Records Are Obtained

Phone records are obtained through numerous methods and sources. Some of these methods and sources have been publicly discussed--some have not. By far the most common method is the use of ``pretext''.
Pretext, used in this fashion, is the method of convincing someone you are a person or entity entitled to obtain the records sought.

The term ``pretext'' when used in the context of obtaining confidential, statutorily protected, or consumer and proprietary information is actually a misnomer used by illicit brokers and investigators to add an air of legitimacy to the fraud they commit. The reality is pretext is a combination of identity theft and fraud. Identity theft because the individual carrying out the pretext needs to assume the identity of the rightful owner of the information sought--usually including biographical information such as name, address, Social Security number, and date of birth--in order to impersonate that individual during the pretext. Fraud because once impersonating that individual, the pretexter defrauds the rightful custodian of the information sought into turning the information over to an improper recipient.

To further understand pretext you need to know the code of the identity thief, broker, or investigator seeking information they don't have legitimate access to.

1) Know what piece of information you want.
2) Know who the custodian of the information is.
3) Know who the custodian will release the information to.
4) Know under what circumstances the custodian will release the information.
5) Become that person with those circumstances.

Once you know the code and apply a little imagination and bravado, you can steal almost any piece of information in this country.

But again, contrary to most reporting on this subject, the number of pretext methods and variations of those methods are vast and far beyond just merely impersonating the consumer. By way of example, in a state action brought under an unfair and deceptive trade practice statute captioned Massachusetts v. Peter Easton, Easton was caught calling into banks impersonating a Federal banking official in order to get the banks to surrender consumer financial account records.
In one of the current Verizon cases involving phone records, there is a report indicating the information brokers were impersonating Verizon employees assisting disabled account holders. These are just two of literally dozens of variations of methods I am aware of that succeed thousands of times each day in defeating phone and other companies' customer authentication procedures.

An important aspect in the conduct of a pretext is the ability of the illicit information broker or private investigator to purchase data about the individual consumer they seek to impersonate. After all, to fraudulently convince a customer call center representative that the pretexter is the actual customer, the pretexter needs to know the full name, Social Security number, date of birth, address, and other forms of personal identifying information of the actual account holder. In order to gain access to this information, the illicit information brokers and private investigators need to have subscriber accounts with legitimate data-mining companies--also commonly referred to as information brokers.

Beginning approximately a year ago, it became more difficult for illicit information brokers and private investigators to get or maintain subscriber accounts with the large legitimate data-mining information brokers. This is because in the wake of reports of data breaches by legitimate information brokers and a wide variety of other businesses maintaining consumer records--coupled with congressional hearings examining the data breach problems and the ease with which personal information like Social Security numbers could be purchased from many of the illicit brokers and investigators we are discussing today--the legitimate data-mining information brokers began to curtail and in some cases terminate all sales of information to private investigators and other business lines with a history of improper resale or use of database information.
But other small and mid-size companies have stepped in to fill the void and continue to provide Social Security numbers and other personal identifiers to illicit information brokers and private investigators. I am aware of at least a dozen companies that illicit information brokers and illicit private investigators are using to obtain full social numbers and other biographical data in order to conduct pretexts against consumers and businesses. This is an issue crying out for attention by Congress.

The second most common method of gaining illicit access to phone records is bribery of a company employee or even the trade of information with inside employees working in skip-tracing and collection divisions within phone companies. There is a small but constantly present underground network of employees who trade information--sometimes lawfully, sometimes not--and those seeking information that have no lawful right to that information have learned how to tap those resources.

While I am not aware specifically of a case involving phone records where threats of violence were used to coerce phone company employees to supply information to criminals, that has happened in the financial services community resulting in Federal banking regulatory agencies warning financial institutions of the trend a number of years ago. I would not be surprised if this was happening to phone company employees as well. Remember--information equals cash to all sorts of information thieves and they will do anything necessary to obtain the information they seek.

Finally, I have a substantial amount of evidence developed over nine years on methods, tactics, and sources used to obtain phone records that is inappropriate for revelation in an open hearing. I'd be happy to share this with the Committee, enforcement agencies, the phone associations, or companies in a closed setting.

VI. Phone Record Sales and ``Spoofing'' Services on the Web Are Most Alarming

While the totality of brokers and investigators selling phone records are troubling, the Internet-based operations are most alarming for the simple reason that by their very nature they allow a buyer to easily conceal their identity and intent in purchasing another citizen's records. This anonymity is a criminal's delight. From identity thieves to stalkers to child predators to corporate spies, the ability to conceal the identity and intent of the end user of the records is paramount.

Additionally, when consumers see the websites advertising the sale of phone records and services like Caller-ID ``spoofing'' services designed to defeat Caller-ID, it increases mistrust between the consumer and businesses Americans provide information to, and increases the belief by many consumers that the government isn't protecting the American consumer.

Web-based services like spooftel.com and the open sale of devices designed to show a different number on a Caller-ID system than the actual number the call is being placed from can be used as part of pretext and can even be used to defeat security systems for voice mail. In one well known demonstration of Caller-ID spoofing, convicted ``hacker'' Kevin Mitnick demonstrated for a reporter how he could make a call look like it was coming from the White House.

The use of spoofing services and devices as part of pretext is so well known within the investigative and information broker industries that advice on how to pick the best services is often bantered about. Here's an example:

If you are considering using one of the numerous Caller ID Spoofing services, you may want to know several things before you sign-up.

1. Can this service be employed as part of your PI business, or is it just to be used for entertainment purposes?
2. If it is to be used only for entertainment purposes, do they offer a commercial version, and if so what are the differences?
3. Do they record/log all transactions?
4. Can you call 800 numbers, or other toll free line?
5. Can you call financial institutions through their website, even if the financial institution is one you have an account with?
6. Can you use an anonymous Internet surfing software product (these change your IP number and make you appear as if you are accessing the Internet from another state, country, etc.) to access their website?
7. Will they inform you if they suspect fraudulent activity? What is their method for settling such a dispute?
8. Will they supply you with a list of all the activities that can lead to a cancellation of your account?

I raise the issue of Caller-ID spoofing fraud so this Committee will be aware that the extent of the problem is far more than just the sale of phone records. It is a myriad of techniques and use of technology designed to defeat information security systems. The use of these technologies--specifically Caller-ID spoofing devices and services should be outlawed immediately.

VII. Did The FTC Give Tacit Approval To The Sale Of Phone Records?

Given how prevalent and open the sale of phone records is, this Committee must be wondering how these companies and their devious practices have remained untouched by the Federal Trade Commission and other enforcement agencies. After all, the FTC is charged with stopping unfair and deceptive trade practices.

Congress and the American people have a right to ask a series of questions of the Federal Trade Commission when it comes to the sale of phone records. The questions include:

a) Was the FTC aware of the sale of phone records prior to recent news accounts?
b) If the FTC was aware, for how long has the FTC been aware?
c) Prior to recent media revelations and Congressional demands, did the FTC take aggressive steps to stop the sale of phone records?
d) Did the FTC signal tacit approval of the sale of phone records by private investigators?
e) Why has the FTC been AWOL when it comes to protecting phone records?

These questions are fair as, after all, the FTC is supposed to be the watchdog for the American consumer. Given my work with, study of, and access to information concerning the role of the FTC when it comes to illicit information brokers and private investigators I'd like to posit answers to the above questions as I believe the reality is that when it comes to phone records--and all other illicitly obtained consumer records--the watchdog is nothing more than a lapdog on a leash held by the illicit information brokers and private investigators.

a) Was the FTC Aware of the Sale of Phone Records Prior to Recent News Accounts?

Yes. The FTC has been aware of the sale of phone records due to the Touch Tone Information case, Operation Detect Pretext, the Boyer murder case, and direct interaction and communication with the private investigative profession--including direct inquiries from PI Magazine on the FTC's views regarding pretexting for phone records.

b) If the FTC Was Aware of the Sale of Phone Records, For How Long Has the FTC Been Aware?

The FTC has been aware of the problem since at least April of 1999 when the FTC filed an action against Touch Tone Information. While the FTC brought the action against Touch Tone for the sale of consumer financial information obtained by means of deception, the Touch Tone records available to FTC staffers were replete with thousands of instances of phone records being obtained and sold by means of deception.

In 2002, I interviewed the Colorado Bureau of Investigation detectives who broke the Touch Tone case and whose work the FTC piggy-backed in bringing the FTC complaint against Touch Tone.
The detectives informed me the FTC showed little interest in following up on the voluminous records contained in the files of Touch Tone showing a vast network of hundreds of private investigators, attorneys, and media outlets around the country using Touch Tone to obtain phone and other records.

For example, as documented by the Washington Post, Touch Tone sold Kathleen Willey's phone records to a Montgomery County, Maryland private investigator during the investigation of President Clinton.

Additionally, the Touch Tone records contained the following letter listing phone and other records sold by James Rapp, co-owner of Touch Tone, about participants in the JonBenet Ramsey murder investigation as reported by the Denver Post in a June 26, 1999 article titled, ``Letter Details Information Rapp Dug Up''. Each reference to ``tolls'' means detailed phone records.

Here is the text of an undated letter purportedly written by James Rapp to a private investigator in California named Larry Olmstead, owner of Press Pass Media. Olmstead used Rapp to get information for his clients, primarily tabloid media outlets, prosecutors say.

Dear Larry,

Here is a list of all Ramsey cases we have been involved with during the past lifetime (sic).

1. Cellular toll records, both for John and Patsy.
2. Land line tolls for the Michigan and Boulder homes.
3. Tolls on the investigative firm.
4. Tolls and home location on the housekeeper, Mr. and Mrs. Mervin Pugh.
5. Credit card tolls on the following:
   a. Mr. John Ramsey, AMX and VISA
   b. Mr. John Ramsey Jr., AMX.
6. Home location of ex-wife in Georgia, we have number, address and tolls.
7. Banking investigation on Access Graphics, Mr. Ramsey's company, as well as banking information on Mr. Ramsey personal.
8. We have the name, address and number of Mr. Sawyer and Mr. Smith, who sold the pictures to the Golbe (sic), we also have tolls on their phone.
9. The investigative firm of H. Ellis Armstead, we achieved all their land and cellular lines, as well as cellular tolls, they were the investigative firm assisting the Boulder DA's office, as well as assisting the Ramseys.
10. Detective Bill Palmer, Boulder P.D., we achieved personal address and numbers.
11. The public relations individual ``Pat Kroton'' (sic) for the Ramseys, we achieved the hotel and call detail where he was staying during his assistance to the Ramseys. We also have his direct cellular phone records.
12. We also achieved the son's John Jr.'s SSN and DOB.
13. During all our credit card cases, we acquired all ticket numbers, flight numbers, dates of flights, departing times and arriving times.
14. Friend of the Ramseys, working with the city of Boulder, Mr. Jay Elowskay, we have his personal info.

But that was not all, nor was it the most alarming aspect of the sale of phone records contained in the Touch Tone case the FTC had access to. Through a conduit Touch Tone had sold phone and pager records of Los Angeles police officers to organized crime. Again, the Denver Post reported on this shocking set of facts in a June 29, 1999 article titled, ``Accusations against Rapps Widen, Pair Allegedly Sold Phone Numbers of L.A. Cops to Mobster''. Here is the text of the article:

James Rapp, the Denver private detective charged with trafficking in confidential information about the Ramsey murder case, also furnished the private phone numbers of police officers to a member of the so-called ``Israeli mafia,'' authorities say.

Rapp allegedly got the unlisted home phone numbers and pager numbers for some Los Angeles police officers and funneled them through a middleman to Assaf Walknine, a reputed Israeli mafia member who'd been arrested on forgery charges, according to an affidavit unsealed Monday.

Colorado Bureau of Investigation agent in charge Mark Wilson said the release of officers' numbers can be extremely dangerous.
``Not only is it dangerous, but it definitely could compromise any investigation that could be ongoing,'' he said. Rapp and his wife, Regana, were indicted last week by the Jefferson County grand jury on two counts of racketeering, charges that carry maximum penalties of 24 years in prison and fines of $1 million on conviction. Authorities claim the Rapps ran a detective agency, Touch Tone Information Inc., that used subterfuge to obtain confidential information about the JonBenet Ramsey murder investigation and passed it to the world tabloid media. The pair surrendered Monday. They were jailed, then released on bond of $25,000 for him and $10,000 for her. The CBI started investigating the Rapps in January after getting a referral from the Los Angeles Police Department, the affidavit says. The LAPD alleged that the Rapps helped get phone numbers of police officers for Walknine after Walknine's arrest in connection with an alleged scheme to forge credit cards and gold coins. Authorities believe that Walknine also ``cloned'' the pagers worn by the officers. For instance, every time L.A. Detective Mike Gervais would be paged, the person paging him would get a call from Walknine, the affidavit says. The middleman between Walknine and the Rapps was a former L.A. cop and convicted felon named Mike Edelstein, the affidavit says. ``LAPD is most interested in Edelstein,'' CBI agent Bob Brown said. ``He was buying the information for Walknine from (the Rapps). As I understand it, when Walknine was arrested, he admitted he got this information from Edelstein--the pager numbers, the home telephone numbers and home addresses of LAPD officers. ``At one point, Edelstein actually showed up at the front door of one of the police officers while the officer was at work and his wife answered the door,'' Brown said. ``He gives his name and walks away. 
The officer believes Edelstein was stalking him or in some way trying to intimidate him.''

Brown said Edelstein was a cop who was fired from the Los Angeles Police Department. Edelstein served a prison sentence for possession of an automatic weapon and, after getting out of prison, became a private investigator, Brown said. He later began using the Rapps and their Touch Tone Information Inc.

Brown said that Los Angeles police discovered Edelstein's connection with the Rapps after a Los Angeles shoplifter claimed he was a LAPD officer and showed them identification. It was a forgery and traced to Edelstein.

During a search of Edelstein's home, officers found a cover letter from Touch Tone Information Inc. with a price sheet stating that the company could obtain the address and phone tolls for any telephone in the United States or internationally. Touch Tone also claimed it could provide banking information on an individual or corporation.

A former employee of the Rapps told investigators that they excelled at obtaining confidential phone numbers and bank records. The former employee said he overheard phone discussions between James Rapp and his clients, which led him to believe that Touch Tone clients were a mix of private investigators, lawyers and news reporters.

[end of article]

c) Prior to Recent Media Revelations and Congressional Demands, Did the FTC Take Aggressive Steps to Stop the Sale of Phone Records?

The simple answer is no. Given the wealth of knowledge and intelligence coupled with client lists for hundreds of private investigators, attorneys, media outlets, and other buyers of phone records contained within the Touch Tone files--not to mention what the FTC learned in the Boyer murder case and Operation Detect Pretext--what did the FTC do to root out this market and stop the sale of phone records? Not a thing.

d) Did the FTC Signal Tacit Approval of the Sale of Phone Records by Private Investigators?

Arguably yes.
In direct and indirect ways the FTC has signaled to the illicit brokers and investigators that the sale of phone records will be tolerated--as long as it isn't too blatant.

This happened indirectly by brokers and investigators noting the FTC was aware of the sale of phone records for years and had taken no actions against any individuals or companies selling the records. In places where investigators and brokers meet to discuss sources, tactics, methods, enforcement actions, and legislation, there has been a continuing dialogue for years that argues the practice of selling phone records must be OK since the FTC has done nothing about it.

Another indirect signal was sent to brokers and investigators as an unintended consequence of the passage of the anti-pretexting for financial information statute contained with the Gramm-Leach-Bliley Act. Brokers and investigators, rather than looking at the spirit of the law, interpreted the letter of the law to allow the continued use of pretext and other forms of deception to obtain consumer records other than financial records. And the FTC, in bringing the paltry number of cases it has to date under Gramm-Leach-Bliley and the Unfair and Deceptive Trade Practices Act, has inexplicably ignored the evidence in those cases of phone record sales. This did not go unnoticed by the illicit information brokers and private investigators and was again read as a green light to sell phone records.

In addition to indirect signals, the FTC, whether intending to or not, has directly signaled the brokers and investigators that phone record sales would be tolerated. In January of 2005, the cover story of PI Magazine was ``The FTC on Pretexting: The PI Magazine Interview with Joel Winston''. The interview was conducted by PI Magazine Editor-in-Chief, Jimmie Mesis.
In the set-up to the interview Mesis describes the reason he interviewed Joel Winston as the following:

``In an effort to get a definitive definition of pretexting and the potential risks and penalties for conducting pretexts, PI Magazine was granted an interview with Joel Winston, Associate Director of the FTC, Division of Financial Practices. His office has the responsibility to monitor and regulate the use of pretexting.'' [Emphasis added]

During the course of the interview which covered a number of aspects regarding the definition of pretexting, various pretexting tactics, Gramm-Leach-Bliley, Operation Detect Pretext, and the Unfair and Deceptive Trade Practices Act, Mesis asked Winston about the use of pretext for phone records. The following Q and A resulted:

PI Magazine (PIM): Do you classify the acquisition of telephone toll records as a clear violation of deceptive business practices?

Winston: It's not what we traditionally look at as deception because you're deceiving party A, but party B is the actual party being harmed. But, we believe that, even though it has not been tested in the courts, that acquiring toll records through false statements constitutes deceptive business practices.

PIM: Is this an area the FTC is going to start looking into?

Winston: We are aware that there have been some concerns about that and we're continuing to consider it.

Not exactly a clear and strong message from Mr. Winston, the FTC official charged with pretext regulation, that the sale of phone records will not be tolerated when Mr. Winston was afforded an ideal forum to send an unambiguous warning. And I would note that a year later when this issue exploded in the media, 6 months after the EPIC West complaint was filed with the FTC, the FTC still had not brought a single enforcement action against any company selling phone records.

The interview continued and in a later question Winston was asked:

PIM: Are there currently any FTC concerns about private investigators?
Winston: Not as a general matter. If I thought that there were major problems in the PI industry that concerned us, I would certainly tell you. As with any industry, there are occasional bad apples, but the PI industry as a whole is not an area about which we have any particular concerns . . . [Winston then discusses an area dealing with credit reports unrelated to pretext and phone records] An objective reader--not to mention a subjective reader, like a broker or investigator, trying to read the tea leaves of Winston's answers--comes away with the distinct impression that the sale of phone records by brokers and investigators is not high on Joel Winston's or the FTC's priority list. Particularly when coupled with the fact that in the seven years that the FTC has been aware of the sale of these records, they hadn't brought a single enforcement action against a company selling phone records. But don't take my word on how the investigators and brokers reading Mr. Winston's comments interpreted them. Instead, read how the interviewer, Jimmie Mesis, Editor-in-Chief of PI Magazine interpreted Mr. Winston's answers. In a statement to fellow investigators and brokers on July 11, 2005 titled EPIC Fighting Phone Records Sales, Mr. Mesis, responding to other investigators and brokers that were angered by the complaint EPIC West filed, stated: ([Bracketed comments and emphasis added by Douglas]) Greetings, There is no doubt that that one complaint to the FTC does not constitute ``a problem.'' However, when that complaint comes from EPIC, we have a problem. This organization continues to exist by its consistent efforts to blast alleged violations of consumer privacy. My immediate concern is not the FTC, rather EPIC for their aggressive negative media publicity campaigns against PI's and their strong lobbying efforts in Washington, D.C. 
I recommend that you read my interview with the FTC and the specific comments about telephone records at www.pimagazine.com/ftc_article.htm The FTC wasn't too concerned about telephone information, but if PI's are going to blatantly advertise tolls directly to the public as a commodity, the FTC will get involved and we are going to lose that commodity and our ability to solve many cases because of it. [Note that Mesis considers Americans' phone records a ``commodity''!] PI's need to stop promoting the selling toll records directly to the public as a commodity. Rather, use it as an investigative tool used in the course of your investigation to lead you to a missing person or to the lead you need to solve the case. I also suggest that PI's promote such services as ``telephone research'' as compared to coming right out and mentioning tolls, non-pubs, etc. [Note that Mesis recommends hiding what is actually being sold on websites by using terminology designed to deceive--this is a common practice within the trade and its web advertising] Roe and I decided last January to voluntarily remove our magazines from the books shelves at Barnes & Noble and many other book stores. We did this at a financial loss to make it a bit more difficult for the public to readily learn and see the suppliers of information that shouldn't be directly accessible to the public. We as professional investigators need to know who these sources are, yet we all need to do something to stop this avalanche of perceived identity theft hysteria that the media has latched onto. Remember, one day . . . soon, you will no longer be able to get non-pubs, addresses for telephone numbers, and tolls, all because some new law is going to be passed. Why? Because PI's shouldn't be promoting these investigative tools as a commodity. Then, just like with GLB, a new law will eventually prevent us from using an amazing investigative resource that will be lost, and it won't be anyone's fault other than our own. 
Please do your part, Jimmie Mesis, Editor-in-Chief, PI Magazine, Inc. So in Mr. Mesis' own words--again, this is the man who sat in the room and interviewed the FTC's Joel Winston--``There is no doubt that that one complaint to the FTC does not constitute ``a problem'' . . . My immediate concern is not the FTC . . . The FTC wasn't too concerned about telephone information . . . '' One wonders what additional off the record discussion may have taken place between Mr. Mesis and Mr. Winston that may have bolstered Mr. Mesis' belief that the FTC ``wasn't too concerned about telephone information.'' But the interview was a year ago and before the EPIC West complaint. Perhaps in light of the EPIC West complaint and resultant media attention to the issue, Mr. Winston of the FTC has had a change of heart--perhaps not. In an article by Peter Svensson of the Associated Press published less than two weeks ago on January 18, 2006, Joel Winston again stated why he doesn't see the sale of phone records as an issue rising to the level of seriousness surrounding the sale of financial records. In the context of the article, Winston stated: So why didn't the Touch Tone case put such businesses out of business? For one, the FTC went after Touch Tone not for snooping on the private lives of police officers but for ``pretexting'' financial information from banks. ``Our primary focus there was on financial, because that's really where the most direct harm is,'' Joel Winston, associate director of the FTC's division of privacy and identity protection, said in an interview. ``If I'm pretexting a bank and getting your bank account records I can drain your account.'' ``With phone records . . . not to minimize the intrusion on one's privacy, but generally it doesn't lead to any specific economic harm. It's a different kind of harm,'' Winston said. Nevertheless, he added, the practice ``raises significant privacy concerns.'' Perhaps Mr. 
Winston should sit down with police officers and their families and explain those responses. Perhaps Mr. Winston should sit down with the parents of murder victim Amy Boyer and explain those responses. Perhaps Mr. Winston should stop focusing on ``economic harm'' and start worrying about the lives at stake--and already lost--because of pretext for ``non-economic'' information.

Perhaps it is time the FTC finds a replacement for Mr. Winston who, unlike Mr. Winston, understands the dangers inherent in the sale of phone records. Given Mr. Winston's inability to even analyze the information contained in the FTC's own case files--notably the Touch Tone case and Operation Detect Pretext--American consumers and this Congress should not believe that the FTC, even if armed with a new law, will be aggressive in the protection of phone records area as long as Mr. Winston is in charge.

But as hard as it may be to believe, the problems at the FTC are more extensive than Mr. Winston. The problems are institutional. Even when the FTC has brought cases against individuals and firms using pretext to steal financial information, the result has been to signal the brokers and investigators selling such information that the odds of being caught are slim and that the FTC will not impose serious sanctions.

In the Touch Tone case the FTC trumpets that they fined Touch Tone $200,000. What the FTC is slower to point out is that they suspended the fine. So Touch Tone paid not one penny in fines.

In Operation Detect Pretext 1,500 advertisements for the sale of personal financial information were located by the FTC. From that universe, only 3 firms were the subject of court action. And once again the FTC settled for minimal fines of $2,000 in two of the cases, and waived the fine in its entirety in the third case.

In a subsequent case, the FTC made a criminal referral to the Department of Justice recommending prosecution of a broker selling financial information obtained through pretext.
That broker received a $1,000 fine and a 2-year suspended prison sentence.

But perhaps the most brazen evidence of all that the FTC is viewed as a toothless, paper tiger is the case of FTC v. Information Search, Inc, and David Kacala. This is the third case of Operation Detect Pretext mentioned in the preceding paragraph where the FTC waived the fine entirely. Not only is Information Search, Inc. still in business, until just a matter of days ago the website, located at www.information-search.com was selling cell phone and other telecommunications records. And on a page named for the FTC, Information Search, Inc. has been publicly thumbing its nose at the FTC and Congress for what Information Search, Inc. views as the wrong-headed passage and enforcement of the Gramm-Leach-Bliley Act.

So for years, Information Search, Inc., having been once prosecuted by the FTC for selling financial records obtained through pretext, has continued to sell phone records with all the indicia that they too were obtained through deceptive means, and the FTC has not done a thing. I seriously doubt the FTC ever went back and looked at the information-search.com website.

Only when increased media attention was brought to bear on the problem of the sale of phone records and EPIC West named Information Search, Inc. in its complaint, did Information Search, Inc. take down the web ads for phone records--hoping that by the time the FTC looked they wouldn't find the ads. But EPIC West's Hoofnagle was savvy enough to capture the offending pages and various search engines continue to have cached pages showing Information Search, Inc. offered cell and other phone records for sale.

Bottom line. The message that is repeated loud and clear throughout the investigative and broker industries on a regular basis is: No need to fear the FTC. Fear EPIC West. But just lay low. The media storm will subside. And the FTC will look the other way as usual.
In fact, let me quote a North Carolina licensed private investigator who just days ago had this to say about the publicity surrounding the availability of cell phone records and his prediction for how this will play out in Congress once lobbyists for the illicit information brokers and investigators go to work:

Just my humble opinion, but the more we talk about this, and say things like what we are going to do, etc. the more we encourage people in general to use pay phones (if you can find one), office phone extensions, friends cell phones or friends home phones, etc. Lets stop this silly comments and discussions. The more ``we stir it, the more it will stink.'' We keep shooting ourselves in the foot. Not to mention, the cost to obtain various ``information'' from various ``brokers'' will only rise, putting some items of investigative value out of reach! Let it die, the Media will soon lose interest, and our lobbyists will stay on top of it in our interests in Washington, D.C.

e) Why Has the FTC Been AWOL When it Comes to Protecting Phone Records?

I wish I fully knew the answer to this question and it is one that this Committee and Congress should investigate. I do have definitive ideas about the problems at the FTC that I saw firsthand when I served as a consultant to Operation Detect Pretext. I would be happy to share those observations and concerns with this Committee in a non-public setting if the FTC will release me from my non-disclosure agreement. All of my statements concerning Operation Detect Pretext in this testimony are based upon aspects of Operation Detect Pretext that the FTC has made public. But there is much more to the story that I am unable to discuss under threat of severe penalty given my signed agreement with the FTC which I will continue to honor.

VIII. The FTC's Attitude Towards Pretexting is Inexcusable

From an outsider's perspective it is very difficult to understand the lack of interest by the FTC when it comes to pursuing those who are using deception to obtain consumer records, including phone records. The FTC routinely goes after scams and fraud where there is a distinct element of buyer beware--in other words--the consumer using a little common sense could have avoided being scammed or defrauded. That's fine. Those types of con artists should be dealt with.

Yet the FTC has shown great reluctance and reticence in stopping the theft of consumer records where the consumer has no way of knowing the records are being stolen and therefore cannot protect himself as the records are in the control of other corporate or government custodians. Given this fact--the theft of consumer records cries out for assistance and prosecution by appropriate government agencies in order to defend the American consumer.

How many murders of Americans will it take before the FTC gets serious? How many law enforcement officers, their families, and investigations have to be put at risk before the FTC gets serious? What will this Congress and future Congresses do to exercise oversight and force the FTC to get serious?

IX. The Need For A Comprehensive Statute Protecting All Consumer Records

While it is important that this Committee and Congress move quickly to outlaw the sale of phone records, it is also time for this Committee and Congress to pass a broad anti-pretexting statute designed to outlaw the use of deception to steal any consumer record.

In 1998, I first testified before Congress to expose the use of pretext to steal financial information and that practice was outlawed in 1999. In 2000 I again testified before Congress warning that phone records had become the new record of choice for information brokers and private investigators to steal. Here we are six years later dealing with the consequences.
If Congress does not move to outlaw the tactics used to steal information--instead of merely protecting categories of information in a piecemeal approach--I fear we will be meeting again and again to address category by category.

Already other categories of information are under attack. I have tape of an information broker recorded surreptitiously describing how he defeats cable and satellite television providers and public utility providers' information security systems. In fact, many of the websites under scrutiny today advertise the sale of utility information and Post Office Box underlying street address information. Post Office Box information is protected by regulation, but is commonly obtained by the filing of fraudulent forms stating that the requestor needs the underlying address information for service of process when that is not the case.

Bottom line. If Congress only moves to protect phone records, Congress will create a nightmare for another industry similar to what the phone companies are experiencing today.

Finally, Congress should consider making the use of deceptive practices to gain access to consumer information a criminal act with primary jurisdiction falling to the Department of Justice and FBI while simultaneously empowering state attorneys general to act as well. As an aside, I would note that several state attorneys general have already begun prosecutions under their state unfair and deceptive trade practices acts within weeks of learning of the problem, while the FTC with knowledge of the phone records issue since 1999 has yet to bring an action. This is all the more reason that primary authority for enforcement should not be given to the FTC. To vest primary authority with the FTC acting in a civil capacity, given the agency's history of impotence, is to almost guarantee that the illicit practices will not stop.

X. Congress, Enforcement Agencies, and The Private Sector Must Work Together

Just passing legislation will not be enough.
The enforcement and regulatory agencies must actively work to root out and prosecute those who are stealing information. Congress must exercise regular oversight of the enforcement agencies to keep the agencies focused on protecting the American consumer. And the phone companies, along with all consumer services companies, must use appropriate customer authentication protocols to protect their customers.

Following the 1998 hearings on the use of deceptive practices to steal financial information from financial institutions, the American Bankers Association moved aggressively to educate all member institutions about the theft of customer account information. Working together with the ABA, I authored several training documents that were provided free of charge by the ABA to member institutions. We conducted numerous telephone seminars and I appeared at dozens of ABA conferences all over the country to teach financial institutions about the threats posed by the practices of identity thieves, illicit information brokers, and illicit private investigators. While it is still possible to find financial records for sale on the web, the number of offerings has been dramatically reduced through those efforts.

I believe the phone companies--indeed all consumer services companies--working together with Congress, enforcement and regulatory agencies, and their representative associations can have similar success.

One final item for consideration. I have reluctantly come to the conclusion that it may be time for Federal regulation of the private investigative trade. By this means minimum standards may be set to assist in weeding out those who have no regard for the law and are destroying the hard earned reputation of thousands of professional private investigators who serve in a vital capacity in our nation's justice system.

XI. Conclusion

Mr. Chairman, thank you for your invitation to appear before this Committee.
I will do anything I can to be of assistance to the Committee, Congress as a whole, the enforcement agencies, the trade associations, or individual companies affected by these issues.

Senator Allen. Thank you, Mr. Douglas, for your testimony. I am sure there will be follow-up questions. Finally out of our witnesses, we would like to hear from you, Ms. Southworth.

STATEMENT OF CINDY SOUTHWORTH, DIRECTOR, TECHNOLOGY AND THE SAFETY NET PROJECT, NATIONAL NETWORK TO END DOMESTIC VIOLENCE

Ms. Southworth. Thank you. Chairman Allen, Ranking Member Pryor, and distinguished Members of the Committee. My name is Cindy Southworth and I thank you for the opportunity to appear before this Committee. I am the Director of Technology at the National Network to End Domestic Violence, which represents 53 State domestic violence coalitions who in turn represent over 3,000 local domestic violence shelter and hotline programs across the country. I founded the Safety Net Project to educate victims and their advocates on the strategic use of technology and I have focused on the intersection of technology and domestic violence since 1998.

Our member State domestic violence coalitions from around the country, including the Arkansas Coalition and the Virginia Action Alliance, are extremely pleased that we are addressing this issue with you today because they have been expressing concerns about pretexting for many, many years.

Every day there is a staggering amount of data generated and maintained about all of us, far beyond cell phone records. Personally identifying information is now tracked as never before. The theft of such personal information can be extremely inconvenient for all of us here in this room, but may be fatal for a victim of domestic violence. As Mr. Douglas explained, Amy Boyer was one of my examples, but I think he covered it quite thoroughly.

Sadly, domestic violence is quite prevalent and many victims are stalked relentlessly for years after having escaped.
The batterers that hunt them down are the most dangerous batterers and they pose the highest lethality risk. Because of this, victims often take extraordinary and desperate steps to hide their location. They use post office boxes, they change their Social Security numbers, and they hide in confidential shelter locations. Pretexters and information brokers are not just stealing someone's data, they may be endangering someone's life. Seventy-six percent of women killed by their abusers had been stalked prior to the murder. Stalkers are often in a prime position to obtain cell phone and other records through pretexting or through information brokers who steal the data and then sell it to the abusers. Since abusers often know their victim's date of birth, their mother's maiden name and computer passwords, they can easily either pose as the victim or have someone pose as the victim for them. It is not uncommon for abusers to have a new girlfriend pose as the victim and call and get information. In one case in rural Virginia, a woman was stalked by her ex-husband. She changed her e-mail address, she moved, she found a new job, she did everything. Several businesses that she frequented used her seven-digit cell phone number as her customer identifier. Her ex-husband simply asked someone at the video store to look up her cell number in the system, which made tracking her movements quite simple. He discovered that she had rented a video on Monday and it was due back on Wednesday. He was lying in wait for her when she showed up at the video store. Phone records are a particularly rich source of information for the determined stalker. By illegally obtaining this information, a stalker can easily locate his victim. In recent years there have been concerted efforts by Congress, various Federal agencies, and nearly every State to create privacy and confidentiality provisions that help shield victims of domestic violence. 
For example, at least 17 States now offer address confidentiality programs and 39 States provide for confidentiality of shelter records. All of these extraordinary steps that victims take to shield their location and identity and that shelters take on behalf of victims are futile if pretexting is allowed to continue. In Hawaii, a victim on the run was found through a car rental agency. Her abuser walked into the agency, pretexted. He pretended and told the staff that his wife was diabetic and forgot her insulin--a common strategy--and he said he thought she might have rented a car. After a simple reverse look-up using her phone number, staff provided him the make, model, and license plate number of the rented car. The victim was found by the abuser later that day and badly beaten in a parking lot. The theft of personal information is not only a violation of privacy, it is a crime. Stolen goods are addressed by various State and Federal laws and both the original thieves and those who trade in stolen goods are subject to prosecution. The theft of personal information should be handled in a similar fashion. However, because pretexting phone records is just one piece of a larger problem of stealing and selling personal information, a multi-faceted approach would protect all consumers. Pending Federal legislation makes the stealing, selling, and fraudulent transfer of these records a criminal offense. Strengthening Federal law will help discourage data mining and protect consumers, including battered women. We encourage State and Federal entities to use all existing and emerging laws to hold individuals and organizations accountable for illegally obtaining, using, or selling phone records or other personal information. All companies that collect and retain personal information about their customers should enhance the security and privacy options available to consumers and create levels of security that are not easily breached from within or outside of the company. 
Given the creative and persistent tactics of perpetrators, companies must work with consumers to identify the methods of security that will work best for general consumers as well as for consumers in higher risk situations, like victims of domestic violence.
Cell phones can be a lifeline for battered women and victims of sexual assault and stalking, but with illegitimate pretexting, a phone, and other personal records, those lifelines can forever connect the victim to her abuser without hope of escape.
Thank you for allowing us this opportunity to address the Committee on this critical and urgent issue, and I am happy to answer any questions. Thank you.
[The prepared statement of Ms. Southworth follows:]
Cindy Southworth, Director, Technology and the Safety Net Project, National Network to End Domestic Violence
Introduction
Chairman Allen, Ranking Member Pryor, and distinguished Members of the Committee, my name is Cindy Southworth and I thank you for the opportunity to appear before the Committee to address the Committee's concerns about the theft of Americans' phone records.
The Committee is taking remarkable leadership by seriously considering the issues of pretexting and the sale and acquisition of personal data by information brokers. It means so much to victims of domestic violence and stalking that you are carefully considering all aspects of these complex issues and are contemplating enhancing privacy protections for all citizens, including these vulnerable victims.
Our members from around the country, including the Alaska Network on Domestic Violence and Sexual Assault, the Arkansas Coalition Against Domestic Violence, the California Partnership to End Domestic Violence, the Hawaii State Coalition Against Domestic Violence, the Louisiana Coalition Against Domestic Violence, the Montana Coalition Against Domestic and Sexual Violence, the South Carolina Coalition Against Domestic Violence and Sexual Assault, and the Virginia Sexual and Domestic Violence Action Alliance have been expressing concern about the dangers of pretexting and stealing phone records, and they are extremely pleased to see their Senators take such an active role in addressing this issue and protecting the privacy of victims. I am the Director of Technology at the National Network to End Domestic Violence, a social change organization dedicated to creating a social, political, and economic environment in which violence against women no longer exists. Founded in 1995, the National Network to End Domestic Violence (NNEDV) represents 53 state domestic violence coalitions who in turn represent over 3,000 local domestic violence service providers across the country. In 2002, I founded the Safety Net Project at NNEDV to educate victims of sexual and domestic violence, their advocates and the public on the strategic use of technology to increase personal safety and privacy. Safety Net is the only national initiative addressing the intersection of domestic violence and all forms of technology. Looking beyond the traditional ``digital divide,'' our project is ardently working to increase the technology knowledge and skills of victims, advocates, law enforcement, and allied organizations in every state and each of the local shelter and hotline programs across the country. 
Safety Net also tracks emerging technology issues and their impact on victim safety, working with local, state and Federal agencies to amend or create policies that enhance victim safety and confidentiality.
I have been working to end violence against women for over 16 years and have focused on the intersection of technology and domestic violence since 1998. I thank you for the opportunity to submit testimony about the real dangers that victims of abuse and stalking face as a result of pretexting and selling stolen personal information.
Risks to Victims
There is a staggering amount of data generated and maintained about individuals in our society every day--far beyond cell phone records. Personally identifying information like date of birth, Social Security number, frequently visited websites, and grocery shopping preferences, are now being tracked as never before. The theft of such private information can be devastating for the average individual who may have her identity stolen and her credit destroyed. For a victim of domestic violence or stalking, however, that theft of private information is not just financially or personally devastating--it can be fatal.
In 1999, Amy Boyer, a young woman in New Hampshire, was tracked down and murdered by a former classmate who had been stalking her for years. Liam Youens paid Docusearch, an Information Broker, to obtain Amy's work address. Docusearch contracted with a pretexter to illegally obtain her work address by pretending to need it for insurance purposes. \1\
---------------------------------------------------------------------------
\1\ Ramer, Holly. ``Murdered woman's mother settles suit.'' The Union Leader (Manchester NH), March 11, 2004, State Edition: Pg. A1.
---------------------------------------------------------------------------
Domestic violence, sexual assault and stalking are the most personal of crimes, and the more personal information that the perpetrator has about his victim, the more dangerous and damaging the perpetrator can be. Sadly, domestic violence is quite prevalent, and women continue to be the vast majority of victims. The National Institute of Justice reported that 4.9 million intimate partner rapes and physical assaults are perpetrated against U.S. women annually. \2\ Leaving the relationship does not stop the violence. In fact, the most dangerous time for a victim of domestic violence is when she takes steps to leave the relationship. \3\ Many victims are stalked relentlessly for years after having escaped from their partners. These batterers who stalk their former partners, determined to hunt them down, are the most dangerous and pose the highest lethality risk. \4\
---------------------------------------------------------------------------
\2\ Patricia Tjaden and Nancy Thoennes, National Institute of Justice and the Centers of Disease Control and Prevention, Extent, Nature, and Consequences of Intimate Partner Violence (2000); Dr. Callie Marie Rennison, Department of Justice, Bureau of Justice Statistics, Intimate Partner Violence, 1993-2001 (February 2003).
\3\ Ronet Bachman and Linda Salzman, Bureau of Justice Statistics, Violence Against Women: Estimates From the Redesigned Survey 1 (January 2000).
\4\ Barbara J. Hart, Assessing Whether Batterers Will Kill. (This document may be found online at: http://www.mincava.umn.edu/hart/lethali.htm), Jacqueline Campbell, Prediction of Homicide of and by Battered Women, reprinted in Assessing Dangerousness: Violence by Sexual Offender, Batterers, and Sexual Abusers 96 (J. Campbell, ed., 1995).
---------------------------------------------------------------------------
Because of this, victims often take extraordinary and desperate steps to hide their location, sometimes even changing their identities to avoid being found by their abusers. Those steps can include:
    Moving to new states;
    Using post office boxes;
    Getting unlisted phone numbers;
    Using only cell phones to avoid having utility records tied to a home phone and thus a particular address;
    Changing names through the court system;
    Changing Social Security numbers;
    Relocating to confidential shelters;
    Enrolling in state address and voter record confidentiality programs;
    Sealing location information in court filings; and
    Never using the Internet from a home computer.
Victims of domestic violence, acquaintance rape, and stalking are particularly vulnerable because perpetrators know so much about their victims that they can often predict where their victims may flee, and to whom they may turn for help. Notably, it is not just the victims of domestic violence who are at risk if her personal information and location is revealed, but also the individuals and programs that help them.
Pretexting and Information Brokers
Pretexters and information brokers are not just stealing someone's data, they may be endangering someone's life. Fifty-nine percent of female stalking victims are stalked by current or former intimate partners, \5\ and 76 percent of women killed by their abusers had been stalked prior to their murder. \6\ Stalkers are often in a prime position to obtain cell phone and other personal records through ``pretexting'' or through Information Brokers who have used this tactic and then sold the stolen data.
Since abusers often know enough private information about their victims (such as date of birth, mother's maiden name, or her commonly chosen computer passwords), they can easily pose as their victims and illegally access their credit, utility, bank, phone, and other accounts as a means of getting information after their victims have fled.
---------------------------------------------------------------------------
\5\ Tjaden & Thoennes. (1998) ``Stalking in America,'' NIJ.
\6\ McFarlane et al. (1999). ``Stalking and Intimate Partner Femicide,'' Homicide Studies.
---------------------------------------------------------------------------
In one case, a woman in rural Virginia was stalked by her ex-husband. She couldn't figure out how he kept showing up wherever she was. She had changed her e-mail address, moved, and found a new job. Eventually, a savvy advocate started asking about other ``records'' such as where she got the oil in her car changed, where she rented videos, etc. Several businesses she used, including the video store and the local autoshop, all used her 7-digit cell phone number as her customer identifier. Her ex-husband simply asked someone he knew to look up her name in one system, which made tracking her movements simple. Finally, he discovered that she had rented a video on Monday and that it was due back on Wednesday. He was lying in wait when she came to return the video.
Phone records are a particularly rich source of information for the determined stalker. Through pretexting, a stalker can access records that include who was called, when the call was made, how long the call took, and the location of the calls. By illegally obtaining this information, a stalker can locate his victim without his victim even knowing that she is being tracked.
For example, a victim from rural Louisiana, whose cell phone records reveal to her batterer that she contacted a shelter program in South Carolina, is no longer safe going to that South Carolina shelter, though she may never realize that until it is too late.
In January 2003, Peggy Klinke was brutally killed by a former boyfriend, Patrick Kennedy, after he hunted her down with the help of a private investigator. Peggy had worked closely with the Albuquerque Police Department, obtained a restraining order, and after Patrick burned down her home in New Mexico, she fled to California to try to remain safe until the pending criminal court hearing. Patrick hired a private investigator, located her, flew to San Jose, rented a car, drove to her neighborhood, posed as a private investigator to find her exact apartment location, and chased her around the apartment complex before shooting her and eventually shooting himself. \7\
---------------------------------------------------------------------------
\7\ Holland, John. ``Grim act of a man unable to let go.'' The Modesto Bee (Modesto California), January 25, 2003, Available online http://www.modbee.com/local/story/5973772p-6932417c.html.
---------------------------------------------------------------------------
Shelter programs and their employees and volunteers are also vulnerable to being located through pretexting. Shelters try to protect their location in the same way that individual victims of domestic violence do, by using post office boxes and unlisted phone numbers and addresses for both the shelter and for staff and volunteers. However, many shelters' emergency response teams use cell phones and pagers for on-call staff, which puts those individual staff and volunteers at risk from abusers who are trying to gain access to the shelter to find their partners.
Whether the phone records obtained are those of the domestic violence or sexual assault program or are those of an individual who contacted the program, the harm can be devastating.
Circumventing Laws That Protect Victim Privacy
In recent years, there have been concerted efforts by Congress, various Federal agencies, and nearly every state to create privacy and confidentiality protections that help shield victims of domestic violence from being found by their perpetrators and from having to reveal private information about their victimizations. For example, at least 17 states now offer Address Confidentiality Programs, which provide for a secure system for receiving mail, often through the Attorney General or Secretary of State's office, without having to reveal a victim's address. \8\ A number of other states, including Hawaii, Virginia, Maryland, and Texas, are presently considering enacting similar address confidentiality programs. \9\ Twenty-two states, including Virginia, California, Maine, and Arizona, provide that voter registration data, including address and other identifying data, can be kept confidential by victims of domestic violence. The great majority of states (39) provide for confidentiality of domestic violence or sexual assault program records and communication, including the time, location, and manner by which a victim may have consulted a program for help in escaping the abuse--some of the very information that is at risk through pretexting of records.
---------------------------------------------------------------------------
\8\ California, Cal. Gov Code Sec. 6205, et seq. (2005); Connecticut, Conn. Stat. Sec. 54-240, et seq. (2005); Florida, Fla. Stat. Sec. 741.401, et seq. (2005); Illinois, 750 ILCS 61/1, et seq. (2005); Indiana, Burns Ind. Code Ann. Sec. 5-26.5-1-1 (2005); Maine, 5 Maine Rev. Stat. 90-B (2005); Massachusetts, MGLA ch. 9A Sec. 1 (2005); Nebraska, Neb. Rev. Stat. Sec. 42-1206; Nevada, Nev. Rev. Stat. Ann. Sec. 217.462, et seq. (2005); New Hampshire, N.H. Rev. Stat. Ann. Sec. 7:41 et seq. (2005); New Jersey, N.J. Stat. Sec. 47:4-2, et seq. (2005); North Carolina, N.C. Gen. Stat. 15C-1 (2005); Oklahoma, 22 Oklahoma Stat. Sec. 60.14 (2005); Pennsylvania, 23 Penn. C. S. Sec. 6702 (2005); Rhode Island, R.I. Gen. Laws Sec. 17-28-1, et seq. (2006); Vermont, 15 V.S.A. Ch. 21, Sec. 1101 to 1115 (2005); Washington, Rev. Code Wash. (ARCW) Sec. 40.24.010, et seq. (2005).
\9\ For example, Alaska, 2005 AK HB 118; Hawaii, 2005 HI HB 1492; Maryland, 2006 MD SB 25; New York, 2005 NY AB 5310; Texas, 2005 TX SB 160; Virginia, 2004 VA HB 2876.
---------------------------------------------------------------------------
The recent reauthorization of the Violence Against Women Act, enacted by Congress and signed by President Bush just over a month ago, includes several confidentiality provisions that protect identifying data disclosed by a victim of domestic violence to a domestic violence program from being shared with databases. \10\ Some states, including Nevada and New York, have provisions that allow an individual to change her name without publishing that name change in the newspaper, as a way of protecting the identity and location of victims of stalking and domestic violence. Nearly every state allows victims to ask to seal their address from the public (and the perpetrators) in protection order actions and in certain types of criminal cases.
---------------------------------------------------------------------------
\10\ The Violence Against Women and Department of Justice Reauthorization Act of 2005, Public Law 109-162, Sections 3(b)(2) and 605.
---------------------------------------------------------------------------
The Social Security Administration allows domestic violence victims to change their Social Security numbers to help them seek protection. \11\ But even taking the drastic step of obtaining a new social security number does not eliminate the problem caused by pretexting.
Determined abusers continue to track their victims through relatives' phone records and other means, often obtaining their information by additional pretexting.
---------------------------------------------------------------------------
\11\ See SSA Publication 05-10093 (December 2005).
---------------------------------------------------------------------------
All of these extraordinary, difficult and sometimes costly steps that victims of domestic violence take to shield their location and identity, and that domestic violence programs take on behalf of victims, are completely futile if data mining through pretexting is allowed to continue.
Phone records and pretexting are the focus of this hearing. Those issues are part of a larger problem that victims of abuse face--the prevalence of information regarding their activities and location and the ease with which that information can be purchased by their perpetrators. A quick search of the Internet reveals hundreds of businesses that, for a relatively nominal cost, will provide information including the address of record associated with a post office box; AOL screen names and e-mail addresses; unlisted phone numbers; physical addresses and Social Security numbers; and even photos and floor plans of people's homes. Any one of these invasions of a victim's privacy could put her in grave danger.
A woman in Hawaii was getting ready to flee to a shelter and was nervous about her abuser recognizing her car in front of the shelter building. She parked her own car on a side street and rented a car to use. Since there are only a few rental places on the island it was not long before the abuser walked into the office, told the staff his ``wife was diabetic and forgot her insulin'' but thought she might have rented a car while hers was getting fixed.
She had used her sister's identity and paid cash, but had given her own phone number because her sister did not have a phone and the rental agency had insisted on entering a number into the system. After a reverse lookup using the phone number, staff provided him with the make, model and license plate number of the rented car. The victim was found by the abuser later that day and badly beaten in a parking lot behind a store.
A Multi-Faceted Approach is Needed
The theft of personal information is not only a violation of privacy, it is a crime that particularly puts victims of domestic violence, stalking and sexual assault at risk. Stolen goods are addressed by various state and Federal laws, and both the original thieves and those who trade in stolen goods are subject to prosecution and punishment. The theft of personal information should be handled in a similar fashion. However, because pretexting phone records is just one piece of the larger problem of pretexting, stealing, mining, and selling personal information, a multi-faceted approach would offer the best protection to all consumers.
Pending Federal legislation, including the Consumer Telephone Records Protection Act of 2006 and the Phone Records Protection Act of 2006, makes the stealing, selling, and fraudulent transfer of telephone records a criminal offense. A number of states also have or are considering specific laws to criminalize and punish pretexting and the use and sale of such stolen information, while other states like Florida, Missouri, and Illinois are addressing the issue through the court system. Strengthening Federal law enforcement options through the pending legislation, and subsequent prosecution, will hold offenders, information brokers, pretexters, and those who use illegally obtained information accountable, and will help discourage data mining and protect consumers, including battered women.
We encourage State and Federal entities to use all existing and emerging laws to hold individuals and organizations accountable for illegitimately obtaining, using, or selling phone records or other personal information. All companies that collect and retain personal information about their customers should enhance the security and privacy options available to consumers, and create levels of security that are not easily breached from within or from outside of the company. Given the creative and persistent tactics of perpetrators, companies must work with consumers to identify the methods of security that will work best for general consumers, as well as methods for consumers in higher-risk situations, including victims of domestic violence and law enforcement officers.
Conclusion
Cell phones can be a lifeline for battered women and victims of sexual assault and stalking. But with illegitimate pretexting of phone and other personal records, those lifelines can forever connect the victim to her abuser, without hope of escape. As the examples I have described demonstrate, we cannot underestimate the potential harm to victims of allowing pretexting to continue. I applaud Congress and the state Attorneys General for addressing the widespread problem of pretexting and selling of stolen personal data.
Thank you for allowing me this opportunity to address the Committee on this critical and urgent issue. I am happy to answer any questions.
Senator Allen. Thank you, Ms. Southworth, for your testimony, and all our witnesses. We will go through questions. There will be 5-minute rounds. Let me begin asking you, Ms. Parnes. Clearly there is kind of a loophole, and most of this is under the FCC as far as Federal agencies. If Congress, in this legislation that we are crafting, amends the Communications Act, would the FCC have jurisdiction to enforce any pretexting provisions?
Ms. Parnes.
Senator, the Commission would not have the authority to enforce an anti-pretexting provision that amends the Communications Act. There have been instances, however, where Congress has given both the FCC and the FTC jurisdiction in a particular area. 900 numbers is one area where that occurred.
Senator Allen. How about the Telephone Disclosure and Dispute Resolution Act?
Ms. Parnes. Yes, yes, that as well. There what Congress did is it amended the Communications Act and also included separate provisions that gave the FTC authority.
Senator Allen. That was on advertising and billing and collection of 900 number services.
Ms. Parnes. Yes, sir.
Senator Allen. Would the FCC--would anybody object if somehow we could craft language--and we need help from the FTC and I know, Mrs. Parnes, you are here representing yourself, not the FTC; we heard that caveat. Would anyone object--clearly, FCC is involved and should be involved. Would there be any objection to dual jurisdiction out of any of our witnesses?
[No response.]
Senator Allen. Seeing none, let me ask you this. Anybody, any of the witnesses: It seems to me that this should be a national standard. Everyone says this all ought to be made illegal, the acquisition, the pretexting, the fraud, and the sale. Everyone agrees that that should be made illegal, and the question is whether there should be a national standard for this so you don't have a different law, in Florida it might be different than Virginia. It seems to me that it does not matter what State you are in of the Union; we ought to have a uniformity of a national standard, which should be stronger than any particular State law. But regardless, is there any objection to a national standard?
Mr. Rotenberg. Well, Senator, if I may say, if the national standard is stronger than any State law, then certainly there would be agreement.
I think the concern always is that sometimes we may end up with a national standard that preempts a stronger State protection, and then of course the residents in those States find themselves with less protection than they might otherwise receive. If there is a strong national standard, then I think that would be supported.
Mr. Douglas. Mr. Chairman, if I might, one other thing in case we do not get to it, and specifically because the FTC raised the issue of the exception in Gramm-Leach-Bliley which allowed private investigators, in theory allows private investigators to use pretext in a court-ordered situation for child support, that is an exception that has allowed those types of offerings of financial records to continue to appear on websites by the dozens. Yet when you call them they do not use the exception; they will sell to anyone if they think you are not law enforcement. I would challenge, not necessarily the FTC, but the investigative industry to demonstrate once that a judge has authorized the use of deception against a United States bank. It is an exception that swallows the whole. If you had the criteria necessary you could get a subpoena, which is the case in many of these. So I would ask that there not be that exception this go-around. Thank you.
Senator Allen. Thank you. I am sure in the event we do this, Ms. Parnes, you have no problem?
Ms. Parnes. And we would certainly--the staff of the Commission would certainly be happy to work with the Committee in developing any legislation.
Senator Allen. All right. Other things that were said: make this specific--this is from Ms. Monteith and others, that we need to overturn a court decision, which we can get into; and greater enforcement tools, eliminate the citation issue, which is what Chairman Stevens talked about; raise fines, forfeiture, and so forth.
I am one who just wants to bring everything we can against these pretexters, whether it is through FCC enforcement or FTC enforcement--and in fact, if we have a national standard, that helps with enforcement. But also, like what we did in other legislation, State attorneys general could enforce the law against pretexters. They usually have offices themselves. Would there be any objection from any of you, any of our witnesses, to also allow States attorneys general to enforce this national standard within their states?
Ms. Parnes. Senator, at the FTC we have had a tremendous amount of success working with the State AGs under just that type of statutory system.
Senator Allen. Well, I am glad to hear that and that is an example and something I have advocated in the past. We again want to bring everyone and all resources because, listening to Mr. Douglas's testimony, which was very disturbing, as to what is going on right now, and who knows what the impact of this hearing will be. I saw when Mr. Rotenberg was talking about it earlier, I saw you raise your eyebrows in agreement. So I think our legislation should empower attorneys general across the country as well. Senator Pryor.
Senator Pryor. Thank you, Mr. Chairman. The first order of business is I have Senator Boxer's questions that she wanted submitted for the record. So I will make sure those get in the record, without objection.
Senator Allen. Her questions?
Senator Pryor. Yes.
Senator Allen. Well, to the extent they are posed to any of our witnesses, if you would be willing to, you may get some written inquiries posed to you and if you can respond we would surely appreciate it.
Senator Pryor. Thank you, Mr. Chairman. Thank you. I want to direct my first few questions to the FCC. I want just a little clarification on a couple of items. First, is this limited to cell phones? Is this problem limited to cell phones?
Ms. Monteith. No.
We are looking at wireline providers and their records as well, although most of the information that we have obtained and what we have heard obviously in the media has focused on cell phones. But no, not limited.
Senator Pryor. I understand that. But you are looking at residential and business wireline?
Ms. Monteith. Yes, we are.
Senator Pryor. Also, in your view is pretexting already illegal?
Ms. Monteith. Under the Communications Act--the Communications Act does not deal with the issue of pretexting by data brokers, what we have heard. The Communications Act section 222----
Senator Pryor. Right.
Ms. Monteith.--deals with the safeguards and the kinds of procedures that the carriers have to put in place.
Senator Pryor. Right. But in your view it is not illegal, at least from your jurisdiction's standpoint?
Ms. Monteith. Not from our jurisdictional standpoint, no.
Senator Pryor. OK. Let me now ask--I know that the FCC recently made some requests of some of the wireless carriers and that was, when, within the last few weeks; is that right?
Ms. Monteith. Yes, in January.
Senator Pryor. Had you made any before that time under the 1996 Act?
Ms. Monteith. We have at various points looked at CPNI issues and had a number of investigations. We have not taken formal enforcement action.
Senator Pryor. So you had not made those requests of the wireless companies before?
Ms. Monteith. No, I do not believe so. I would like to verify that, though, with my staff.
Senator Pryor. Do you feel like the FCC has been as aggressive and proactive as it should have been on this issue before recently?
Ms. Monteith. Yes, I think we have. Certainly when any information has come to our attention we have acted aggressively to determine what the issues are and go after those that are violating the Communications Act.
Senator Pryor. You say that even though you had not sent these letters of inquiry to the wireless companies before January 2006?
Ms. Monteith. That is correct.
We did not have any evidence before us that would suggest this was an issue.
Senator Pryor. Let me, if I may, turn to the FTC now. That is, in your opening statement I picked up on three facts. First is that the FTC recognized that this has been a problem for some time now. Second is that the FTC believes it has legal authority to go after pretexters under section 5 of the FTC Act. Third is enforcement actions have not been brought against any company or individual involved in records pretexting. Why is that?
Ms. Parnes. Senator, we have not brought a public action against a company engaged in pretexting phone records. We do have a number of active investigations. As I mentioned in my statement, we have also done a surf and we have sent warning letters. But pretexting, whether for financial records or for telephone records, is just one part of the FTC's privacy program and we have a very aggressive program in this area. We have brought more than 80 spam cases, 11 data security cases, 6 spyware cases, 18 do not call cases, 12 in the area of financial pretexting. I am certain as a former attorney general yourself you understand the hard choices we have to make in selecting the areas that we proceed in.
Senator Pryor. So in other words, you have done in those areas, which are great--I am all for those areas. But in terms of cell phone or telephone pretexting, you have not been very active on that until recently; is that fair to say?
Ms. Parnes. That is fair to say.
Senator Pryor. And apparently you sent out warning letters yesterday to 20 companies offering to obtain--for the companies who obtain and sell telephone records, is that right?
Ms. Parnes. Well, yes, we did a look at the 40 companies that EPIC identified, as I mentioned, and we saw that more than half of those companies are no longer making claims.
We also looked at--we did a similar search to the search that EPIC did, using similar search criteria, to identify additional sites and we sent warning letters to those companies as well.
Senator Pryor. Mr. Chairman, I have one last question for both of these two witnesses. That is, are you satisfied with the cooperation you are receiving from the other agency?
Ms. Monteith. Yes.
Ms. Parnes. Yes, we are. Yes, very much so.
Senator Pryor. Thank you, Mr. Chairman.
Senator Allen. It sounds like EPIC is doing a very good job in helping you figure out which places to be looking. Congratulations, Mr. Rotenberg.
Mr. Rotenberg. Thank you, Senator.
Senator Allen. For good citizen action. Which of the two Senators here to my right were here-- Senator Dorgan.
STATEMENT OF HON. BYRON L. DORGAN, U.S. SENATOR FROM NORTH DAKOTA
Senator Dorgan. Mr. Chairman, thank you. I regret I was not here to hear the testimony. As you know, we have the attention span of gnats around here.
Senator Allen. And many things going on.
Senator Dorgan. We flit from hearing to hearing. But at any rate, I have had a chance to review some of the testimony. I just wanted to ask a question. Chairman Martin of the FCC laid out several legislative steps he thought Congress should take. One, Congress could specifically make illegal the commercial availability of consumers' phone records. That would mean that if any entity is found to be selling this information for a fee, regardless of how it is obtained, it would face liability. Let me ask whoever on the panel wishes to respond to that. Do you agree with Chairman Martin's recommendation? He is saying that is one of the things Congress could do. We have a couple of pieces of legislation, I think, that have already been introduced here in the Senate on that subject.
Mr. Rotenberg. Senator, we think it is a very good proposal, and we were at the hearing last week when the chairman of the FCC made it.
As I remarked earlier during my testimony, it is just very difficult to understand the circumstances under which cell phone records should be sold. They can be obtained by law enforcement under warrant or subpoena or civil litigation under subpoena. We just cannot understand why we would allow a market for that type of personal information.

Senator Dorgan. Mr. Largent, do you agree?

Mr. Largent. Senator, I would agree with that. We are for the swift enforcement of an act like that and stand ready to assist you any way we can.

Senator Dorgan. Let me ask. We have apparently data brokers online--there was a story I believe in the Chicago Sun-Times that I saw earlier in January. The FBI paid a fee of $160 and obtained the cell phone records of an FBI special agent within 3 hours. Apparently they were just testing the system. The Chicago Police Department was warning its officers their cell phone numbers were available to anyone for a small fee. There apparently are data brokers online and you go online, access those data brokers, and then engage in a transaction to purchase cell phone call records. They also claim that they can provide calling records for landline and voice over Internet protocol, or VoIP calls, as well as nonpublished phone numbers. Let me ask the two Federal agencies: Have you done a lot of work to go online, figure out who these companies are, trace back to these companies, and begin investigations? And if so, when did that begin?

Ms. Monteith. We first began looking into this issue late last summer, and the first phase of our enforcement actions was internal investigations to try and determine who these online data brokers were. We did, using the companies that EPIC had pointed out in its petition and our own research, identify a number of online data brokers. We then made undercover purchases ourselves to try and obtain the kind of evidence that we need in an enforcement action to really take action against these types of brokers.
Those activities were in the timeframe of October, November, December, and then on up to the present.

Senator Dorgan. Ms. Parnes, if Chairman Allen wanted to spend whatever was necessary this afternoon to find out all of your telephone calls for the last 3 or 4 months, do you think he could do that, just based on what you know?

Ms. Parnes. I imagine he could today, yes.

Senator Allen. I have no desire and will not do that.

Senator Dorgan. Let me quickly stipulate, I am not suggesting that.

Ms. Parnes. Thank you.

Senator Dorgan. But the fact that you believe that he probably can do that and the fact that most of us believe that is probably possible is pretty frightening, is it not, because anybody for a certain amount of money might be able to go find a broker someplace that can serve up a substantial amount of not just telephone records, a substantial amount of other problems out there with other financial and medical information. But now we are talking about telephone records. It is pretty frightening when you think about it. Anybody can spend some money and go find out your complete telephone records, your history over the last couple of months. I tend to think Chairman Martin has given us a recommendation that we ought to pursue immediately. There ought not be great debate on the question of whether you ought to be involved in commercial sale of these kinds of private records. Congress ought to move quickly and immediately to deal with that issue. Chairman Martin mentioned a couple of other things. He recommends that enforcement tools be strengthened. He argues that the need to issue a citation to non-licensees before taking any other type of action can hinder the investigation. I agree with that as well. Apparently in many cases, because the Internet is a venue in which you do not see anyone--what you see are bytes or bits--by the time they get around to dealing with citations, that enterprise is long gone.
So I think we probably should take Chairman Martin's recommendations pretty seriously here and move as quickly as we can. I know a number of my colleagues, including myself, are interested in doing that. So again, I regret I did not hear all of your testimony, but I will have a chance to read it and I appreciate very much your willingness to testify and I appreciate the Chairman for holding this hearing. I think it is timely and really important.

Senator Allen. Thank you, Senator Dorgan. For your information, the sole issue on the citations and warning and so forth as we are crafting this legislation--this is a concern of mine and Senator Pryor's, including also Chairman Stevens, and that is one clear unanimous approach. You do not give warning to someone when you are going to get after them or shut them down, right. Senator Nelson.

STATEMENT OF HON. BILL NELSON, U.S. SENATOR FROM FLORIDA

Senator Nelson. When eight of us on this Committee filed a bill having to do with these telephone records about 2 weeks ago, the press wanted to test it. Senator Dorgan, it is exactly as you said. They paid--went online, found 40 sites, paid 100 bucks by credit card, and got the cell phone records of a number that someone had given to them to see if they could test the system, and they certainly had. My goodness. What happens if this is--as the sheriff of one of my biggest counties in Florida says, what if this is the cell phone record of one of his undercover detectives, and all of a sudden all of his confidential informants are suddenly on that record? We have got a problem here, and it is not just this. I think Senator Burns spoke about this earlier today, it is this whole question of privacy on the Internet, the whole question of shredding our credit statements is not good enough any more.
Now all of this information is collected electronically and these data information brokers house all of this information virtually on every American and are buying and selling this information. If we do not do something, none of us are going to have any privacy any more. Here again is another dramatic example. I think in your questioning you have already brought out why it is necessary that we move on this legislation fast, because the regulatory agencies have been slow on the uptake, as we have heard testimony here today. For example, the FTC knew about these problems in 1999 in the Touch Tone case, but here we are talking about cracking down. Let me ask all of the panel here: Do you think that in order to stop this dead in the tracks we need to make it a crime?

Mr. Rotenberg. Yes, Senator, I think it has to be made absolutely clear that pretexting by any means in this country is clearly illegal and subject to criminal penalty, absolutely.

Senator Nelson. Congressman Largent?

Mr. Largent. Absolutely.

Senator Nelson. Congressman, you have testified that the vast majority of cell phone records are fraudulently obtained through pretexting. How did you decipher that information?

Mr. Largent. Well, we had a number of our companies that have actually gone back in when all this came to light, several months before it hit the press, and they have been in an earnest process of interviewing the employees that are on the phone with their customers, and they cannot find any instances that they know of that their employees have given information to somebody that was not the account holder. These pretexters, they represent that they are the account holder. We are getting literally hundreds of millions, if not billions, of calls every year asking for information about their--various questions about their accounts. As I said in my testimony, what was good customer service is now becoming a liability in this case.
So we just want to ensure that we have the ability to serve our customers, our legitimate customers, and at the same time take care of these pretexters that are using lies and schemes to gain access to this information.

Senator Nelson. Well, someone who is posing as someone that they are not, what about the requirement of the telephone company to use a password instead of the Social Security number, because of now the availability, unfortunately, of Social Security numbers on some of the government documents?

Mr. Largent. Yes, sir, and many of our companies are doing precisely that. They are developing passwords, pass codes. They are no longer sending information via e-mail or faxing information now. They are only sending them to the address that is on the account if it is requested. So those are some of the things that I can tell you about. Many other things our companies are involved in. It was requested by the FCC on Monday and that is available to all of you. I do not want to talk about that here in this open session, but it is available to you and it is recorded down at the FCC.

Senator Nelson. In your business, in order to protect consumer confidential information what kind of checks do you have on the employees that have access to that information?

Mr. Largent. Well, all the ones that you would expect us to have. We have the highest security you can imagine of employees that are dealing with that information. But as you know----

Senator Nelson. Do you do background checks?

Mr. Largent. Sure, background checks.

Senator Nelson. You do?

Mr. Largent. Absolutely. But as you know, a lot of these call centers, you are talking about people that are oftentimes working at entry level wages, and so we definitely have issues. But I can tell you that we have scrupulously been going over and interviewing those employees to ensure that the breakdowns are not there.
But as was mentioned in testimony here today, there is no doubt that some of that has been taking place, and we are trying to weed it out as quickly as we can.

Senator Nelson. A final question: Did you not play for the Seattle Seahawks?

Mr. Largent. I did.

Senator Nelson. Your team came a long way. Congratulations.

Senator Allen. Thank you, Senator Nelson. Let me go through some other ideas here. I just want to elicit responses or ideas from you. I think it was in answer to Senator Dorgan's questions, we somehow got Mr. Rotenberg and Mr. Largent together, Congressman Largent, together. What would be any legitimate reason for anybody to ever want somebody's telephone records other than for law enforcement? Is there any other reasons other than a court order where someone would want to have someone's telephone records? This came up. I just wanted to get some clarification. Mr. Douglas, if you want to add to it you may.

Mr. Douglas. Well, as the former private investigator in the room, I will make the----

Senator Allen. Congressman, I just want to make sure your reply in that one on one there was accurate. But go ahead, Mr. Douglas.

Mr. Douglas. I will make the argument that they are making. And by the way, this morning they were discussing how this is a very--the PI and investigative trade was discussing how this is a very unbalanced panel here today. They feel that there should be somebody here arguing for them to be able to get these records. The argument they will make--and this addresses one bigger point I would like to make if I could, Mr. Chairman. The argument they will make is that they fight fire with fire, that to track down deadbeats, to develop witnesses, to locate witnesses, that they need access to these records the way law enforcement has it. And they have developed this tactic of going out and--let us call it what it is--stealing these records.
But they have found there is a very lucrative market and, without the pretexting connotation, it is the elephant in the room here that nobody is talking about, and that the FCC and the FTC have never addressed. I think the FTC is very aware. It is attorneys that are driving the cash flow that puts these websites up so that stalkers can buy them. It is some of the most prestigious law firms in this country using these investigators and illicit information brokers to buy this. Monday, the Pelicano indictment in Los Angeles, where he was wiretapping celebrities and Hollywood executives. If you read the indictment closely, it talks specifically about bribing and using SBC Global phone company employees to get customer proprietary information, toll records, and the information to conduct these wiretaps. Who did he sell it to? Attorneys in Los Angeles. So I support--and, excuse me, I think it was Mr. Pryor who raised the question before. I support the outlawing of the sale and purchase of records because law enforcement authorities will tell you that you cannot go after the buyers if you are just using the pretext standard, because under Gramm-Leach-Bliley to make those cases against the attorneys you would have to demonstrate that they know the records were obtained by these brokers through deceit and that is a very difficult standard for the Federal agencies to meet. So I just wanted to add that to the record.

Senator Allen. Thank you. In view of that, what would you think of the idea of allowing phone companies, whether it is SBC or others--and Congressman Largent, you might want to bring up; we are talking about attorneys general and the FTC, which gets after individuals; FCC gets after companies. But what about allowing SBC or whatever it may be to actually also have a private right of action against any of these third-party data brokers?

Mr. Douglas. Absolutely----

Senator Allen. Would you like that, Congressman Largent?

Mr. Largent. We would, yes, sir.
Senator Allen. What about the idea--and we have kind of gotten around this. What about the idea--and you do not need to get into all the details of how there is security. What about the idea of telephone companies filing security procedures with the Federal Communications Commission, in other words proving to the FCC that you--and the FCC has to approve it--that you have approved security procedures? I am not saying that that may still not get breached. But it seems to me that, while there may be some rare legitimate uses or need for these records to be compiled--and every company may do it differently, which in its own way may actually be good because if somebody breaks the code to one they will break it for all, and it is probably best--and obviously this has to be kept confidential. What would you think of that, Congressman Largent? I am talking about pre-approved plans by the FCC. And I would like to hear from you, Ms. Monteith, as far as the FCC having the capabilities of pre-approving security guidelines from communications companies.

Mr. Largent. Well, based upon the experience that we have had, I will just speak very briefly. This is an ever-evolving problem, that just when you set up a system to prevent people from breaking in they figure out how to get around that one and we have to improvise and we have to change it and do something, we have to tweak the system in order to cut them off at the pass. So I am afraid that if we try to implement a system, even if it is different systems for different companies, and we submit that plan to the FCC, it could mean in 3 months or 6 months or 9 months we have to change it because they have figured out how to get around the system at that point in time, even if it is a confidential disclosure to the FCC only.

Senator Allen. Ms. Monteith?

Ms. Monteith. Thank you.
I think Chairman Martin has made clear that he thinks that the strongest proposal would be to specifically make illegal the commercial availability of consumers' records, very clean and no loopholes. I would have to take back to the Chairman and the Commission the idea of filing best practices, I believe, with the Commission and our review of those. But I am happy to do that and follow up with you.

Senator Allen. Well, we need to come up--and I will turn it over to Senator Pryor for another round of questions. We need to--there is a responsibility on the part of many people. The communications companies clearly have this information and there should be--and I am sure that you find no desire in having to be here and explaining what some of your member companies have done. But it seems to me that this has to be hit at so many different angles, that every single approach that we can take to assure that this privacy will be protected needs to be put into legislation and enforced and everyone pitching in on it. Senator Pryor.

Senator Pryor. Thank you, Mr. Chairman. Ms. Parnes, I have one--the last time I want to put you on the spot. That is, if you answer this question correctly.

[Laughter.]

Ms. Parnes. I will try.

Senator Pryor. On the issue of civil penalties, if the Congress were to give the Federal Trade Commission the authority to impose civil penalties, what do you think the level of those penalties should be?

Ms. Parnes. Well, currently the general civil penalty authority for the Commission when we have it gives us the authority to seek $11,000 per violation. It is usually difficult for us to actually get that much money because there are many, many violations and we could be talking about millions and millions of dollars. But I would think that that is a reasonable place to start, certainly. Is that the right answer?

Senator Pryor. That is the right answer.

Ms. Parnes. Thank you.

Senator Pryor.
That is actually what I was thinking too, but I just did not know if you had a different take on it. Let me ask you, Congressman Largent if I may. That is, you said something in your earlier testimony that I thought was interesting about credit cards. I would like to hear a little bit more detail on your idea there about what, in your view, what should the rule be on credit cards and if you could expand on that.

Mr. Largent. Well, that is actually a new twist. We testified over in the House last week and we started thinking about this and realized that some of the violations as it pertained to the Gramm-Leach-Bliley Act created penalties if you were to use a credit card in a transaction to gain access to information that were found in financial records.

Senator Pryor. Penalties against the card user or against the company that is using a credit card in a transaction?

Mr. Largent. The law actually is constructed, it is my understanding it is constructed, that the credit card company--that they cannot utilize the credit card to engage in a transaction of this type that we are talking about.

Senator Pryor. I would like to explore that further. Do you have in mind that if you have these data brokers, I guess you want to call them, that in order for them to get information, say for example on the cell phone number, that the number on the--the information on the cell phone they are seeking would have to be the same name as on the credit card? Is that the kind of safeguard you are talking about, where the credit card would have to match up with the person requesting information?

Mr. Largent. Right. And I misspoke. I said it was the Gramm-Leach-Bliley Act. It was not. It was on the pornography legislation that passed in the House and the Senate.

Senator Pryor. Well, what you said is intriguing and I would like to pursue that after the hearing and visit with you about that and talk to your folks about that. Mr.
Rotenberg, let me ask you about, last July you filed a complaint with the FTC about a website that offered phone records and PO Box information; is that right, for a fee through pretexting? What was the response from the FTC to that complaint?

Mr. Rotenberg. Well, initially really nothing, Senator. In fact, we followed up the initial complaint with a more detailed letter, with the assistance, I should mention, of Mr. Douglas, who has been very helpful to us throughout this, where we were able to describe 40 different companies that were making this kind of call detail information available. Now, it is true that the FTC has gone after pretexting in the financial services context. They did so back in 1999. But they really have not looked at pretexting in the phone records context until very recently.

Senator Pryor. Is that also true for the FCC?

Mr. Rotenberg. Well, the FCC we understand in the next couple of days is going to announce action on our petition. They have already taken enforcement action against two companies under section 222 and I believe that this week they will be announcing a broader rulemaking on stronger security standards, and that is in response to our petition.

Senator Pryor. Mr. Douglas, if I can turn to you just for a moment. You mentioned the caller ID spoofing in your testimony and showed us a website. Is there any legitimate reason why you would do a caller ID spoof other than maybe law enforcement?

Mr. Douglas. No, and many of the sites will advertise it as entertainment purposes. But it has become very well known in the fraud community as a way to deceive people, and particularly in stalking situations and others it is very dangerous.

Senator Pryor. You also mentioned attorneys a few moments ago. I just was a little confused about that. How in your view, how are the attorneys using this information?

Mr. Douglas.
Well, for the short period of time in 1997 when I actually bought these and learned about what was going on, it was all attorneys, since that is all that I worked with as a private investigator, who were interested in them. They do it in collections cases, they do it in competitive intelligence cases. In fact, there is a very good paragraph in the indictment, in the Pelicano indictment, at least Monday, where they describe it as being used for tactical advantage in litigation situations. So if I want to know what my competitor is doing in a business deal or any type of litigation that you can think of, knowing who they are talking to is very important. It has become the electronic equivalent in the private investigative trade of dumpster diving. In the old days before the Internet, if you wanted to know what a business was doing, pick up their trash at the end of the night, hopefully when it is put out at the curb--that makes it, unfortunately in my opinion, legal--and go through their records. Well, now just buy them online.

Senator Pryor. It sounds like your solution to this problem would be to follow pretty much what we did with Gramm-Leach-Bliley, just make it clear that it applies to telephone information?

Mr. Douglas. Yes, twofold. First and foremost, I would like to see a fast bill out of the Senate and action very quickly to outlaw specifically what we are talking about today. In my perfect world, down the road we need to address these tactics being used for all consumer records. They are already being used to get utility information, gas, electric, cable TV, satellite TV. You have to understand how they work. It is not about the record itself. It is where can I find information. There is a five-step process: know what information I want, know who is the custodian of the information, know who the custodian will release it to, know under what circumstances they will release it, become that person with those circumstances.
So it is not just that it is about phone records, although the prevalence of that has brought it to a national crisis. It is about any consumer record.

Senator Pryor. The last question I have for you, Mr. Douglas, is, just by way of background, have you been contacted or do you work for any telecom companies in order to try to help them fight against pretexting and identity theft? Have you been contacted by anyone in the telecom industry?

Mr. Douglas. No, not so far.

Senator Pryor. That is all I had, Mr. Chairman. Thank you.

Senator Allen. Thank you, Senator Pryor. Let me follow up on that question. Since you have not, Mr. Douglas, been asked----

Mr. Douglas. And my cell phone drops out just like everybody else's, too.

[Laughter.]

Senator Allen.--what do you believe that the phone companies and the telecommunications associations, like CTIA, could do to better protect their phone records and their customers? What recommendations would you have?

Mr. Douglas. Sure, and I actually wrote down what Mr. Largent said because he hit the nail on the head when he said customer service as a security flaw. That is how this works in all industries, but specifically the phone industry. The pretexters, to use the shorthand, know that they can take advantage, that the phone company's priority is customer service. In the customer call center, which are the employees with the least amount of time, the least paid and the highest turnover rate, and usually the least trained overall, they are graded on how fast they move the call, how successfully they move the call, and do they offer other services through marketing. Security, customer authentication, is usually, unfortunately and historically, fairly low on that schematic, if you will. So a number of things. One, they need to better educate their employees as to these tactics. The banking industry went through this very industry after the passage of Gramm-Leach-Bliley and was fairly successful in that regard.
Where I would disagree with Mr. Largent respectfully is that there do need to be some baseline standards in customer authentication protocol. You cannot use biographical identifiers like Social Security number, mother's maiden name, date of birth. In many cases, even when they use passwords or PINs they will default to that if the person says, I have forgotten my password or PIN. Excuse me, this is what they will say on the phone: Come on, you SOB; I am trying to catch a plane; I need my information right now. That is how the art of pretext works, either badgering, cajoling, whatever. So there need to be some baseline standards. The banking industry is looking at two-tier authentication. There is a great template out there in the banking regulatory agencies and some of the regulations that they have promulgated in the wake of Gramm-Leach-Bliley. So education and baseline standards, Mr. Chairman.

Senator Allen. Congressman Largent, what is your initial response to Mr. Douglas's?

Mr. Largent. I agree with him. I think--and these are exactly the type of steps that our companies are engaged in right now.

Senator Allen. Thank you. Let me finish finally with you, Ms. Southworth. You have been listening to all of this from the FTC and FCC, the communications industry, PIs, and the folks with EPIC. You testified on the inherent risks and the real live risks to women who have been victimized on account of it, as did Mr. Douglas in his very graphic, sad testimony of a woman who was killed by someone who received this information. What would you suggest? Just give us one, two, three suggestions. What would you suggest that we do in this legislation that we are going to be working on? It is going to come up, I suspect, very soon after this hearing. Give me one, two, and three, what components would you suggest to your government leaders?

Ms. Southworth. I cannot talk about this issue without thinking about stolen goods.
We think of theft when you steal something from someone and it is a crime. If you steal my personal information it is theft, it is a crime. So I do not think there should be any less penalties because it is data versus property. So I would love to see that this be taken seriously. I agree with all the other panel members with the issues. I have been nodding vigorously throughout the discussion. The piece that I think may or may not be something you can address in the legislation, but it is the critical element that has not been mentioned yet, it is the consumer education piece. Everybody can do everything to increase security standards and deal with the people misusing the data. However, if consumers do not know not to use their pet's name as their password, we still have a security problem. So it is critical to reach the consumers too so they understand that this is a broader issue and please do not use your mother's maiden name as your password.

Senator Allen. Use your pet's name is your suggestion?

Ms. Southworth. No, do not, do not use your pet's name, your mother's maiden name, or your anniversary date.

Senator Allen. Thank you, Ms. Southworth. Do you have any further questions?

Senator Pryor. I just have one quick follow-up.

Senator Allen. Go ahead.

Senator Pryor. To you, Ms. Southworth. Again, thank you for what you do and your organization does in the realm of domestic violence. I used to work very closely with your folks in Arkansas and they are wonderful to work with.

Ms. Southworth. They are great.

Senator Pryor. I do have a question to you about the FCC and the FTC. Have you ever worked with them in any investigatory capacity?

Ms. Southworth. Not an investigatory capacity. We will be working closely with the Federal Trade Commission tomorrow on the anti-spyware initiative issues.

Senator Pryor. But not on this issue?

Ms. Southworth. Not thus far, but we would be happy to work--we work closely with many Federal agencies.

Senator Pryor. Right.

Ms.
Southworth. So we would be happy to work with them in any capacity.

Senator Pryor. Either the FTC or the FCC.

Ms. Southworth. Absolutely.

Senator Pryor. Even after Amy Boyer was killed in 1999, you did not--as far as you know, you did not have any contact?

Ms. Southworth. My project did not exist then. We were founded in 2002. So now we are sort of the go-to folks for anything around domestic violence victimization and technology.

Senator Pryor. Thank you.

Ms. Southworth. The one piece that I would add to that, though, is that you mentioned, is the private investigator piece. Peggy Klinky was killed in 2003 after her ex found her using a private investigator, and I do not know what information that private investigator got through pretexting.

Senator Pryor. Thank you. Mr. Chairman, thank you for the hearing.

Senator Allen. Thank you. One final question, Ms. Southworth, just to make sure. You have worked with State attorneys general undoubtedly.

Ms. Southworth. Absolutely.

Senator Allen. So I think that will be one component that is very important in this legislation, to have that additional enforcement from those that actually have such offices that are in the States, closer to the people, and probably--not that an attorney general's office is something you walk into, but nonetheless it is closer and responsive to the people. So I want to thank all of you, all of our panelists, for your interest, for your insight, your testimony, your ideas. It is going to make it very, very helpful to us as we put together, working together on a bipartisan basis--when I look at this list, you have folks from Virginia, Arkansas, Alaska, Hawaii, Louisiana, Montana, California, Oregon, North Dakota, and Florida. There is a great deal of concern. I mentioned in the beginning when I first heard this I said we need to act. You have given us some good ideas.
I also like the ideas that some of you mentioned, is that people need to be aware of this and come up with passwords, so to speak, that are not easily discernible and replicable. The phone companies or communications folks are going to need to make a better effort clearly of this. I am glad to hear, Congressman Largent, your leadership and willingness to do it. Mr. Douglas, you have brought up the tragedies that occur from this. Mr. Rotenberg, thank you for your great public citizenry. I think it helps certain Federal agencies get moving. But we need to crack down. It is going to be made a crime. We are going to bring every aspect that is logical and reasonable toward this at the Federal level, State attorneys general, get rid of some of the loopholes and, what were they calling it, the certifications, giving the criminals a heads up. Absolutely absurd. We will have greater fines, longer statutes of limitations. There may be some aspects of this that you do have to certify a security approach with the communications companies. But we are going to act. America expects us to. You help propel us and give us the information that we can put together legislation, not just legislation for the heck of it, but legislation that is effective. I thank you all and this hearing is adjourned.

[Whereupon, at 4:23 p.m., the Subcommittee was adjourned.]

A P P E N D I X

Response to Written Questions Submitted by Hon. Daniel K. Inouye to Kris Anne Monteith

Question 1. In recent weeks, both the Federal Communications Commission (FCC) and the Federal Trade Commission (FTC) have initiated enforcement actions against pretexters. How do your two agencies coordinate your enforcement activities to ensure that we are not duplicating efforts?

Answer. FCC staff and FTC staff have communicated regularly to discuss our respective enforcement efforts and to avoid duplicative efforts.
We will continue to engage in regular communications to share information with each other to facilitate our enforcement activity. The FCC is focused principally on the activities of telecommunications carriers in protecting their customers' sensitive personal information while the FTC is focused on the activities of the data brokers themselves in acquiring the data from carriers. Thus, our efforts are naturally complementary and the risk of duplication is low. Question 2. What are the maximum penalties under both the Communications Act and the FTC Act, respectively, that can be imposed on pretexters? Answer. The FCC's rules regarding the protection of Customer Proprietary Network Information (CPNI) apply to telecommunications carriers. Thus, the FCC would not be able to impose penalties against pretexters for their CPNI-related practices unless the pretexters were also licensed telecommunications carriers. If pretexters, as carriers, engage in violations of the Communications Act or Commission rules, the FCC may impose a maximum penalty of $130,000 per violation or per day of a continuing violation up to a maximum of $1.35 million. ______ Response to Written Questions Submitted by Hon. Daniel K. Inouye to Lydia B. Parnes Question 1. In recent weeks, both the Federal Communications Commission (FCC) and the Federal Trade Commission (FTC) have initiated enforcement actions against pretexters. How do your two agencies coordinate your enforcement activities to ensure that you are not duplicating efforts? Answer. The FTC and FCC have both formal and informal cooperative arrangements for working on cases with overlapping jurisdiction. For example, the agencies have a formal memorandum of understanding relating to telemarketing enforcement, which includes an agreement to meet regularly in order to coordinate comprehensive, efficient, and non-redundant enforcement of our respective telemarketing statutes and rules. 
Under that agreement, the FTC provides the FCC access to Do Not Call Registry data, and each agency agrees to make its consumer complaints available to the other regarding possible violations of Federal telemarketing rules. That agreement has worked well. On other projects and cases, the FTC has granted the FCC access to investigative files and both agencies share complaints with the other. The agencies are continuing this close coordination with respect to our current investigations of telephone pretexters. Staffs of the agencies have frequent and ongoing discussion about targets, and have shared information obtained in the investigations. Because the agencies have different enforcement tools and jurisdictional limits, the FTC's investigations are focused on the businesses that offer to obtain and sell consumer phone records, while the FCC has oversight of the telecommunications carriers. \1\ --------------------------------------------------------------------------- \1\ The FTC's governing statute, the FTC Act, specifically excludes FTC jurisdiction over common carrier activities that are subject to the Communications Act. 15 U.S.C. Sec. 46(a). Question 2. What are the maximum penalties under both the Communications Act and the FTC Act, respectively, that can be imposed on pretexters? Answer. With respect to the FTC, the Commission has the authority to seek equitable remedies in its Federal court actions. These remedies could include, in appropriate cases, consumer redress or disgorgement of ill gotten gains. It can also seek conduct prohibitions including injunctions against further violations of the law, or, in certain cases, an outright ban on engaging in certain types of conduct or business. Once entered, violations of Federal district court orders are punishable by civil or criminal contempt. 
The Commission does not have authority to seek civil penalties for a law violation except in specified circumstances, i.e., for violation of a trade regulation rule or of an order in a prior enforcement action, or if specifically so provided in an applicable statute. I believe that civil, and possible criminal, penalties would provide a strong deterrent to telephone pretexting. In the telephone pretexting context--where the harm includes a privacy violation--it may often be difficult to calculate either consumers' economic injury or a violator's gains. Consequently, civil penalties may be a more appropriate remedy than some of the agency's existing tools like consumer redress. Question 3. The FTC originally fined Touch Tone $200,000 for violation of the GLBA and unfair and deceptive practices under Section 5. Why was this amount later suspended, allowing Touch Tone to get away with no monetary punishment? Answer. The Touch Tone case was filed prior to the passage of the Gramm-Leach-Bliley Act and therefore charged violations only of the FTC Act. The $200,000 judgment in Touch Tone represented the defendants' alleged unjust enrichment from the sale of consumers' financial information. However, according to sworn financial disclosures, the individual defendants were unable to pay this amount. The final order makes the judgment immediately payable to the FTC if either defendant is found to have materially misrepresented his or her financial condition. Question 4. In Operation Detect Pretext, the FTC brought charges against three firms, two of which were fined $2,000 and the third wasn't fined at all. Why didn't the FTC exact larger fines for this activity and why weren't the original fines maintained? Answer. The FTC's remedies in the three Operation Detect Pretext cases were based on the disgorgement of unjust enrichment and injunctive relief. In two of the cases, the defendants' gains from the sale of the alleged pretexting services were $2,000. 
In the third case, the defendant's financial gains were $15,000. However, as in Touch Tone, a sworn statement from the defendant in the third case established that he was financially unable to pay this amount. The final order in this case also makes this payment immediately payable to the FTC if the defendant is found to have materially misrepresented his financial condition. \2\ --------------------------------------------------------------------------- \2\ See http://www.ftc.gov/opa/2002/03/pretextingsettlements.htm. --------------------------------------------------------------------------- In addition to imposing monetary payments, the orders in each of the three cases also prohibit the defendants from engaging in the same unlawful conduct, require them to provide the Commission with reports on their compliance with the orders, and ultimately allow the Commission to bring contempt actions for failure to comply with material terms of the orders. Question 5. Why hasn't there been any more legal action taken against pretexters by the FTC since 2001? Answer. The Commission has brought seven additional pretexting cases since 2001, bringing the total to 11 such actions. \3\ These cases are part of the larger Commission program aimed at protecting consumers' privacy. For example, since the Subcommittee hearing, the Commission announced a settlement with CardSystems Solutions, Inc., a credit card processor that allegedly failed to implement reasonable measures to protect consumer credit card information. The Commission's complaint alleges that the company's lack of appropriate security measures exposed the credit card information of tens of millions of consumers and resulted in millions of dollars of fraudulent charges. \4\ The CardSystems settlement follows the FTC's record-breaking settlement with the data broker ChoicePoint, Inc. 
This agreement settles charges that ChoicePoint lacked reasonable security and customer verification procedures in violation of the Fair Credit Reporting Act and FTC Act. The settlement requires ChoicePoint to pay $10 million in civil penalties (as a remedy for the FCRA violations) and $5 million in consumer redress. --------------------------------------------------------------------------- \3\ See http://www.ftc.gov/privacy/privacyinitiatives/pretexting_enf.html. \4\ See http://www.ftc.gov/opa/2006/02/cardsystems_r.htm. --------------------------------------------------------------------------- As mentioned in the Commission testimony and my oral remarks during the hearing, the Commission is also investigating a number of companies that appear to be engaging in telephone pretexting. Commission attorneys currently are evaluating the evidence to determine if law enforcement action is warranted. I also believe that in addition to law enforcement efforts, legislative changes could help address the problem of telephone pretexting. Although the Commission already can bring actions against pretexting for consumers' telephone records under the FTC Act, I believe Congress should consider whether additional legislation would be appropriate in this area. One approach would be a specific prohibition on the pretexting of telephone records. Legislation of this kind could help deter pretexting by making clear that this practice is illegal. If Congress were to consider such legislation, I would recommend that it give the Commission authority to seek civil penalties against violators, a remedy that the FTC does not currently have in cases like this. I believe that, in this area, penalties are the most effective civil remedy. This is also a situation where criminal penalties may be warranted, but I would defer to the Department of Justice on the need for criminal legislation and its structure. 
I and my staff would be happy to work with Commerce Committee Members and staff on any legislation that may be under consideration. Finally, FTC staff recently conducted an Internet surf of telephone pretexters and found that some sites offering these records were registered to foreign addresses. This finding underscores the importance of the Commission's previous recommendation that Congress enact cross-border fraud legislation. The proposal, called the U.S. SAFE WEB Act, would overcome many of the existing obstacles to information sharing in cross-border investigations. I hope that the foregoing information is helpful. Please let us know whenever we may be of service. If you have any questions or comments, please feel free to contact me, or you or your staff may contact Anna Davis, the Director of the FTC's Office of Congressional Relations, at (202) 326-2195. ______ Response to Written Questions Submitted by Hon. Daniel K. Inouye to Marc Rotenberg Question 1. In a statement made by Jimmie Mesis, Editor-in-Chief of Private Investigator (PI) Magazine, on June 11, 2005, to his readers regarding pretexting complaints, ``My immediate concern is not the FTC . . . [w]hen the complaint comes from EPIC, we have a problem.'' Why do you believe you have been more successful in intimidating pretexters than the FTC has? Answer. Since its founding in 1994, EPIC has made effective use of the Internet to draw public attention to new threats to personal privacy. While we lack the resources and enforcement authority of the Federal agencies, we believe that it is possible, in the short term, to curtail some of the worst business practices by publicizing the problem online. However, our ``watchdog'' role is not an adequate substitute for the effective enforcement of privacy laws that help safeguard consumers and establish trust and confidence in the online business environment. Consumer concerns about new threats to privacy are broad and growing. 
The Federal Trade Commission clearly needs more resources to bring enforcement actions against companies violating Section 5 of the FTC Act. The statement from the Editor-in-Chief of Private Investigator Magazine points to another serious problem: he does not recommend curtailing pretexting or the sale of personal information, nor does he suggest that pretexting is inherently bad; rather he advocates that private investigators and others take the practice underground. Later in the message, he writes ``PI's need to stop promoting the selling of toll records directly to the public as a commodity . . . I also suggest that PI's promote such services as `telephone research' as compared to coming right out and mentioning tolls, non-pubs, etc.'' (emphasis added). \1\ --------------------------------------------------------------------------- \1\ E-mail of Jimmie Mesis, Editor-in-Chief of Private Investigator Magazine, to readers (July 11, 2005). --------------------------------------------------------------------------- We believe that the community will follow this advice, and simply move the trade underground, and further obfuscate the practice by calling it ``telephone research'' rather than ``phone breaks'' and the like. That is why it is critical to enact comprehensive legislation that will broadly prohibit pretexting. Question 2. If legislation was passed to prevent pretexting, who would you recommend be the enforcement authority on the matter? Answer. Because widespread pretexting can easily occur without necessarily attracting the attention of the FTC, EPIC recommends that the Committee empower state attorneys general, individual consumers, and companies deceived by pretexting to seek damages from pretexters and the sellers of personal information. The limited action by the FTC indicates that additional law enforcement support is needed to combat the problem and properly enforce any legislative solution to this problem. 
State attorneys general are in a better position to hear the complaints of individual consumers, and can supplement FTC action. However, even state officials operate at some remove from those most directly affected by the sale of personal information--the individual victims. A private right of action for individuals will allow victims to defend themselves from those who would sell their privacy for a profit, without having to attract the attention of, then wait for Federal or state authorities to focus on their particular case. The Telephone Consumer Protection Act of 1991, which limits telemarketing and the transmissions of junk faxes, contains model enforcement language that allows the individual to sue in state court and get default damages. We also support the right of the carriers to bring actions against pretexters. Carriers are in a position to detect patterns of intrusions into their systems, and should be able to bring enforcement actions against pretexters. Question 3. Mr. Rotenberg, in your testimony, you noted EPIC's rulemaking petition filed at the FCC that calls for action by the FCC to enhance the security requirements that telecommunications carriers must follow under section 222 of the Act. Like you, I am pleased to know that the FCC will soon put this petition out for public notice, and hope that they will expedite the consideration of this item. Answer. Senator, we very much appreciate your support for the decision of the FCC to undertake a rulemaking, in response to EPIC's petition, to enhance the security requirements that telecommunications carriers must follow under section 222 of the Act. \2\ We hope that EPIC's recommendations for stronger security safeguards will be incorporated into a final rule from the Commission. 
While we understand industry concerns about maintaining flexibility in combating fraud, we believe that sensible regulations will discourage particularly bad security practices, such as using easily obtained biographical data (such as zip code or date of birth) for authentication. Other guidelines, such as the maintenance of audit trails that allow investigators to know who has accessed customer data and notifications of data breaches, are commonsense techniques that companies that collect and maintain customer information should implement. --------------------------------------------------------------------------- \2\ Notice of Proposed Rulemaking, In re Petition for Rulemaking to Enhance Security for Access to Customer Proprietary Network Information, FCC Docket No. 96-115, RM-11277 (Feb. 10, 2006), available at http://hraunfoss.fcc.gov/edocs_public/attachmatch/FCC-06-10A1.pdf. Question 4. In your opinion, does section 222 confer sufficient authority on the FCC to ensure that those who handle phone record data in the normal course of business will protect such data? For example, are Voice over Internet Protocol (VoIP) providers covered under section 222? Answer. Section 222 states that ``telecommunications carrier[s]'' have a duty to protect ``customer proprietary network information.'' The FCC has the authority under this section to create rules to protect the confidentiality of CPNI for telecommunications carriers. Therefore, the FCC has sufficient authority to ensure that those handling traditional telephone and cellular records must protect that data. However, as your question indicates, this power is limited to the entities that the FCC may regulate under Title II of the Communications Act. The FCC has held that computer-to-computer VoIP is not regulated under Title II, and thus falls outside the FCC's regulatory scope. 
\3\ The extent to which the FCC might regulate VoIP providers that connect to the telephone network is a more problematic question, in which EPIC, in at least one other context, is involved. \4\ The FCC, however, has not yet made a final determination on this issue. \5\ --------------------------------------------------------------------------- \3\ See In re Petition for Declaratory Ruling that pulver.com's Free World Dialup is Neither Telecommunications Nor a Telecommunications Service, 19 F.C.C.R. 3307 (2004). \4\ EPIC is one of several petitioners in Am. Council on Educ. v. FCC, Docket No. 05-1404 (D.C. Cir. filed Oct. 24, 2005), challenging the FCC's application of the Communications Assistance for Law Enforcement Act to facilities-based broadband providers and interconnected VoIP providers. \5\ See In re Petition for Declaratory Ruling that AT&T's Phone-to-Phone IP Telephony Services are Exempt from Access Charges, 19 F.C.C.R. 7457 (2004) (holding that phone-to-phone services that use Internet Protocol are subject to access charges levied against telecommunications carriers in certain situations); but see, e.g., Southwestern Bell Tel. v. Global Crossing Ltd., 2006 U.S. Dist. LEXIS 4655 (Feb. 7, 2006) (staying ruling pending FCC determination of whether or not the VoIP telephony at issue is regulated as a telecommunications service). See also Frontier Tel. v. USA Datanet Corp., 386 F. Supp.2d 144 (W.D.N.Y. 2005) (same). --------------------------------------------------------------------------- While I do not believe that Section 222 currently gives the FCC the power to regulate interconnected VoIP, Congress and your Committee should act to ensure that, as the government extends its regulatory power into new areas, it should also build privacy protections into new laws and regulations. 
If the FCC finds that it has regulatory power over other aspects of interconnected VoIP via the Telecommunications Act, then the privacy-protective portions of the Act, including Section 222 should apply equally. Question 5. Does VoIP call data information qualify as ``CPNI'' under the statute? Answer. Since the statute specifically defines CPNI by referencing ``telecommunications carrier[s],'' VoIP call data information would not be considered CPNI, insofar as a VoIP provider would not be considered a telecommunications carrier. Question 6. Do you have suggestions for how section 222 of the Communications Act might be changed to apply evenly and fairly? Answer. Consumers have clearly been disturbed by the news that their phone records are for sale by pretexters. Many are similarly disturbed that their call records and subscriber information are also being sold by their carriers to others for marketing purposes, under the very auspices of Section 222. Under current FCC regulations interpreting Section 222, \6\ telecommunications carriers may place the burden upon consumers to opt out of this sale of their CPNI to others. Frequently, the notices informing consumers of this right are hard to find, hard to read, and hard to understand. Chairman Martin of the FCC has expressed a desire to use a more privacy-protective opt-in standard for the disclosure of such sensitive information, and legislation specifying the standard within Section 222 would allow this to happen. --------------------------------------------------------------------------- \6\ The current FCC regulations followed the decision in U.S. West, Inc. v. FCC, 182 F.3d 1224 (10th Cir. 1999), cert. denied, 530 U.S. 1213, (2000). --------------------------------------------------------------------------- Meanwhile, consumers lack the ability to limit disclosure of their ``subscriber information,'' which includes home addresses. 
Many individuals, such as victims of stalking or domestic violence, are made more vulnerable by the disclosure of this information. Such individuals frequently rely upon the increased privacy afforded by the use of a cell phone. Section 222 should also ideally prevent the sharing of subscriber information, absent the permission of the individual consumer. As for protecting consumers' records held by VoIP providers and other businesses, a general ban on pretexting could be coupled with requirements that VoIP providers implement basic data security measures. This could be achieved by amending Section 222, although any amendments should limit their scope to that section, to prevent inadvertent application of the Telecommunications Act to VoIP, a technology not widely contemplated during the drafting of the Act. Another solution would be to require VoIP providers to implement security measures for customer data in some other portion of the U.S. Code, to be enforced by the FTC, attorneys general, individual consumers, or other bodies. This would avoid the jurisdictional questions of regulating VoIP as either a telecommunications or an information service, instead focusing on the handling of customer data as a trade practice. ______ Response to Written Questions Submitted by Hon. Daniel K. Inouye to Cindy Southworth Background: In July 1999, Liam Youens obtained information from an Internet-based investigation service called Docusearch on Amy Boyer, a woman Youens had been stalking since high school. He was able to obtain her Social Security number for a mere $45 and hired someone to pretext Boyer to get her employment information. Then in October 1999, Youens drove to Boyer's workplace, shot and killed her, then turned the gun onto himself. Question 1. The Amy Boyer case brought to light another aspect where pretexting can have a direct effect on one's privacy and safety. 
Do you believe the safety of domestic violence victims has decreased significantly with the increase in popularity of pretexting? Answer. We agree that the safety of victims has decreased with the increase in popularity of pretexting by both abusers and by information brokers who sell illegally obtained victim information to abusers. The murder of Amy Boyer not only highlighted the ease of pretexting, but also the use of pretexting by information brokers, who then sell the sensitive data they obtain. Unfortunately, perpetrators of domestic violence have tried to obtain information about their victims under false pretenses, or ``pretexted,'' for decades, but the growth of the information broker industry has provided an almost unlimited amount of sensitive data for anyone willing to pay. Internet use has reached new levels and stalkers are also using this technological tool to track down victims. Research by Pew Internet and American Life Project shows that 69 percent of adult women and 75 percent of adult men use the Internet. \1\ Eighty-four percent of those adult Internet users have used an online search engine to help them find information on the Web. \2\ Information brokers abound on the Internet and many of these businesses engage in pretexting to illegally obtain sensitive information. --------------------------------------------------------------------------- \1\ Pew Internet and American Life Project, September 2005 Tracking Survey. Available online at: http://www.pewinternet.org/trends/User_Demo_12.05.05.htm. \2\ Pew Internet and American Life Project, ``Usage Over Time'' spreadsheet. Available online at: http://www.pewinternet.org/trends/UsageOverTime.xls. Question 2. Do you, and if so how, do you see pretexting affecting those choosing to leave an abusive situation? Answer. Abusers use pretexting to stalk their victims before, during, and after a victim leaves a violent relationship. 
They also use information brokers to gain private data about their victims. The most dangerous time for a victim of domestic violence is when she takes steps to leave the abusive relationship. \3\ Many victims are stalked relentlessly for years after having escaped from their partners. These batterers who stalk their former partners, determined to hunt them down, are the most dangerous and pose the highest lethality risk. \4\ --------------------------------------------------------------------------- \3\ Ronet Bachman and Linda Salzman, Bureau of Justice Statistics, ``Violence Against Women: Estimates From the Redesigned Survey'' 1 (January 2000). \4\ Barbara J. Hart, ``Assessing Whether Batterers Will Kill''. Available online at: http://www.mincava.umn.edu/hart/lethali.htm; Jacqueline Campbell, ``Prediction of Homicide of and by Battered Women'' reprinted in Assessing Dangerousness: Violence by Sexual Offender, Batterers, and Sexual Abusers 96 (J. Campbell, ed., 1995). --------------------------------------------------------------------------- On February 23, 2005, Luis Alberto Gomez-Rodriguez tracked his ex-girlfriend from Florida to Iowa with the aid of illegally obtained cell phone records and court records. He found her new home near Iowa City and murdered her. \5\ The news reports did not reveal whether he purchased the cell phone records from an information broker who used pretexting or whether he personally pretexted to obtain them. --------------------------------------------------------------------------- \5\ Byrd, Stephen. ``The hunt begins: Witnesses tell of suspect's methodical search for Muscatine couple.'' The Muscatine Journal, (Muscatine, Iowa) February 11, 2006. Available online at: http://www.muscatinejournal.com/articles/2006/02/11/news/doc43ed60933bfef871578540.txt. 
--------------------------------------------------------------------------- In another example of pretexting and stalking, an Arizona man placed a global positioning system on his ex-girlfriend's car and obtained her phone records to see who she was calling. He also threatened to kill her before she discovered the tracking device and contacted the police. \6\ --------------------------------------------------------------------------- \6\ Sakal, Mike and O'Brien, Charlie. ``Records detail Belle's threats.'' The East Valley Tribune (Mesa, Arizona) February 18, 2006. Available online at: http://www.eastvalleytribune.com/index.php?sty=59420. --------------------------------------------------------------------------- By monitoring phone and other records before a victim attempts to leave an abuser, the perpetrator may be able to anticipate her plans to flee. Once a victim has fled and is trying to establish a new life, a stalker can learn of her new location by illegally obtaining her records by pretexting or purchasing her records from an information broker who has used this method. The National Network to End Domestic Violence has received calls from countless victims and their advocates who have either been found by abusers who misuse records or who are terrified that their perpetrators will locate them through pretexting.