« Against Fireworks | Main | Chutzpah and Beyond »

Friday, July 08, 2005

Peddling Your Numbers: Data Brokers and Cell Phone Records

Cellphone An article in today’s Washington Post by Jonathan Krim discusses a really disturbing new market of personal data – the numbers people dial on their cell phones.  Here’s an excerpt of the article:

. . . [P]hone records are a part of the sea of personal data routinely bought and sold online in an Internet-driven, I-can-find-out-anything-about-you world. Legal experts say many of the methods for acquiring such information are illegal, but they receive scant attention from authorities.

Think your mate is cheating? For $110, Locatecell.com will provide you with the outgoing calls from his or her cell phone for the last billing cycle, up to 100 calls. All you need to supply is the name, address and the number for the phone you want to trace. Order online, and get results within hours. . . .

Learning who someone talked to on the phone cannot enable the kind of financial fraud made easier when a Social Security or credit card number is purloined. Instead, privacy advocates say, the intrusion is more personal.

"This is a person's associations," said Daniel J. Solove, a George Washington University Law School professor who specializes in privacy issues. "Who their physicians are, are they seeing a psychiatrist, companies they do business with . . . it's a real wealth of data to find out the people that a person interacts with." . . . .

How pervasive is the problem? According to the article:

"There are probably 100 such sites" known to security officials at Verizon Wireless that offer to sell phone records, said Jeffrey Nelson, a company spokesman, who said Verizon is always trying to respond to abusive practices. He said that the company views all such activity as illegal. . . .

Cell phone records are kept by telephone companies, which must keep that information private.  So how are the data brokers getting a hold of it?  According to the article, the cell phone data is typically obtained by (1) getting it from an insider at the phone company; (2) “pretexting,” which involves tricking the phone company into releasing the information; and (3) obtaining it via customer accounts online.  The article explains this third technique:

Telephone companies, like other service firms, are encouraging their customers to manage their accounts over the Internet. Typically, the online capability is set up in advance, waiting to be activated by the customer. But many customers never do.

If the person seeking the records can figure out how to activate online account management in the name of a real customer before that customer does, the call records are there for the taking.

These tactics are all illegal. The FTC, however, has not done anything to crack down on the practice. According to the Washington Post article, an official at the FTC states that “the agency has never taken such a case to court and does not know how widespread the problem is. He said the FTC must focus its resources on the practices of data thieves that can cause the most damage to large numbers of consumers, such as financial fraud.”  Chris Hoofnagle of the Electronic Privacy Information Center, has just filed a complaint with the FTC about these practices. 

These events are a further demonstration that the FTC is not doing a sufficient enough job at protecting consumer privacy.  Earlier this year, a litany of data leaks were announced, involving the personal information of millions of people.  All this happened on the FTC’s watch.  There are a few reasons that can explain why the FTC is having such a difficult time enforcing privacy.  First, it was not originally designed to do the job.  It became involved with privacy issues in the mid 1990s because the United States had no agency to address privacy issues.  But privacy enforcement is just one of the many things the FTC does.  Second, the FTC sometimes lacks the legal firepower to do very much.  There are many gaps in federal privacy law that are exploited.   The FTC has limited authority over many privacy issues.   (It would, however, seemingly have authority over these illicit and deceptive practices by which cell phone numbers are obtained.) Third, the FTC is only so big, and it is overburdened with things to do. 

Congress needs to give the FTC the power and resources to deal with privacy, or else Congress should create a new agency with this focus and authority.  The current situation is simply untenable, with illegally-obtained cell phone data being brazenly sold over the Internet while the FTC sits idly by.

Posted by Daniel Solove on July 8, 2005 at 01:42 AM in Daniel Solove, Information and Technology | Permalink


TrackBack URL for this entry:

Listed below are links to weblogs that reference Peddling Your Numbers: Data Brokers and Cell Phone Records:

» On the site today from News Weblog
Here on News blog we'll be looking at why polytunnels are... [Read More]

Tracked on Dec 23, 2005 4:30:02 PM


Dan, I agree with your assessment regarding possible reasons that the FTC is a weak enforcer of consumers’ privacy. A fourth and related reason (which I will discuss in the article I am writing this summer): the FTC’s privacy division is so tiny and under-funded that it primarily has to rely on going after a few heavyweights (sporadically) in order to keep the division afloat financially (as settlement monies are almost always retained by the FTC – consumers generally never see a dime.) The result: companies that wish to engage in illegal tactics can do so relatively secure in the knowledge that an FTC enforcement action is highly unlikely.

Posted by: Marcy Peek | Jul 9, 2005 6:45:49 PM

Post a comment