Selling Cell Phone Records

Overview

Consumers are concern about the public availability of cell phone records, which may include detailed information on calls to and from a particular number, such as the number dialed, the duration, and the location of the cell phone. Some of these records, along with records from other telephone and voice communications, may become available for sale over the Internet from “data brokers” who collect and sell the information. Attention is focused on how the data brokers obtain the information, and whether telecommunications companies are adequately protecting the so-called Customer Proprietary Network Information (CPNI) as required by law.

From a legislative standpoint, a fundamental issue is whether existing laws — the Federal Trade Commission (FTC) Act^[1] which bans unfair and deceptive practices that might be employed by pretexters, and the Telecommunications Act of 1996, which requires telecommunications carriers to protect CPNI — are adequate, or if new laws are needed to criminalize specifically the fraudulent acquisition and sale of cell phone (or all telephone) records. Generally, privacy rights groups want additional legislation. One telecommunications association, CTIA, supports new legislation to criminalize obtaining phone records by fraudulent means. Another, USTelecom, wants improved enforcement of existing laws instead of new laws. The FCC supports three potential legislative actions: making the commercial availability of consumers’ phone records illegal, overturning a 1999 court ruling that limited the FCC’s ability to implement more stringent protections of consumer phone record information, and strengthening the FCC’s enforcement tools. The FTC has not endorsed new laws, but recommends a multi-faceted approach that includes coordinated law enforcement by government agencies and telephone carriers, outreach to educate consumers and industry, and improved security measures by record holders.

EPIC filings with the FTC and FCC

In July 2005, EPIC filed a complaint with the FTC regarding the sale of cell phone records by a company named Intelligent e-Commerce, Inc. (IEI), which operates the bestpeoplesearch.com website.^[2] Among the charges was that IEI was violating section 222 of the Telecommunications Act of 1996^[3] by selling information about cell phone calls made by subscribers, including billing records and other data defined as CPNI. Current law requires telecommunications carriers to protect the confidentiality of CPNI. EPIC later expanded its request to the FTC, asking for an industry-wide investigation. An IEI spokesman described the company as a customer-service and billing agency for licensed private investigators and was not aware that it was breaking any laws.^[4]

EPIC’s original complaint focused on the actions of IEI in obtaining the records, asserting that it only could have done so through unfair and deceptive practices, which are under the FTC’s jurisdiction. Subsequently, EPIC filed a petition^[5] with the Federal Communications Commission (FCC) as to whether telecommunications carriers are adequately safeguarding those records as required by law.

FTC and FCC actions

In November 2005, Representative Markey asked the FCC and the FTC to act to stop the sale of cell phone subscribers’ records.^[6] In a December 13, 2005 letter to Mr. Markey, FTC Chairman Deborah Platt Majoras declined to discuss ongoing investigations, but noted that the FTC has the authority to bring a law enforcement action against a pretexter if it believes the pretexter’s activities constitute unfair and deceptive practices as defined in the FTC Act.

In a January 13, 2006 letter, FCC Chairman Kevin Martin told Mr. Markey that the FCC’s Enforcement Bureau is investigating the issue. On January 17, 2006, FCC Commissioners Adelstein and Copps issued separate statements applauding the investigation.^[7] On January 30, 2006, the Enforcement Bureau issued Notices of Apparent Liability for Forfeiture (NALs) to AT&T Wireless and Alltel for failing to certify that they have protected CPNI.^[8] The Enforcement Bureau recommended $100,000 fines for each company. The FCC also issued subpoenas to several prominent data brokers seeking details on how they obtain the telephone records and asked about the sale of those records.

Mr. Martin testified to the House Energy and Commerce Committee on February 1, 2006 that the data brokers did not reply adequately to the request, and that the FCC issued letters of citation to the companies and referred the inadequate responses to the Justice Department for enforcement of the subpoenas.^[9] He added that the FCC subsequently issued subpoenas to an additional 30 data brokers, and, as of February 1, was awaiting their responses. He also reported that the FCC made undercover purchases of phone records from various data brokers to assist in the investigation.

Reaction from sellers of cell phone information

IEI president Noah Webster reportedly defended his company’s practices by saying that cell phone records have been obtained by private investigators for a long time, and the issue is only being raised now because of privacy groups, which “often have their own agenda.”^[10] Mr. Webster reportedly said that subscribers could protect themselves by asking their phone company to remove call details from their bills: “I have done this personally, so I know it works. No one will be able to get your detailed phone records, because they won’t exist.”

According to the Associated Press, in January 2006, 40 websites were offering cell phone numbers, unlisted numbers, and calling records for sale.^[11] The AP story reported that operators of such websites insist they are not doing anything illegal because there is no specific prohibition against pretexting to obtain another person’s data unless it involves financial data (the latter would violate the Gramm-Leach-Bliley Act). Subsequently, following an FTC sweep of these sites, about 20 reportedly discontinued offering cell phone records.^[12]

Reaction from the telecommunications industry

Four major wireless service providers (Verizon Wireless, Cingular Wireless, Sprint Nextel, and T-Mobile) have taken legal actions to stop companies that allegedly fraudulently obtain or sell their customers’ cell phone records. Representatives of two major telecommunications associations — USTelecom and CTIA — testified at House and Senate hearings in 2006, as summarized below. As noted already, CTIA supports legislation to criminalize obtaining cell phone records fraudulently, while USTelecom does not support new legislation, but wants better enforcement of existing laws instead.

Congressional response

Several bills have been introduced in the U.S. House of Representatives and the U.S. Senate. The House Energy and Commere Committee held a hearing on February 1, 2006, and the Senate Commerce, Science, and Transportation Subcommittee on Consumer Affairs, Product Safety, and Insurance, held a hearing on February 8, 2006. A number of organizations were represented at both hearings: FCC, FTC, CTIA, EPIC, and PrivacyToday.com.

Witnesses from the FCC and FTC indicated that the two agencies are working collaboratively on the issue. In his prepared statement (cited previously) to the House Energy and Commerce Committee, after summarizing the actions already taken by the FCC, FCC Chairman Martin pledged to take strong action against companies that do not comply with the CPNI protection requirements. He said that EPIC’s petition to open a proceeding on this matter will be acted upon formally by the FCC by February 10, 2006. Finally, he listed three actions Congress could take: make illegal the commercial availability of consumer’s phone records, overturn a 1999 ruling by the 10th Circuit Court that limited the FCC’s ability to implement more stringent protection of CPNI, and strengthen the FCC’s enforcement tools.

FTC Commissioner Jon Leibowitz’s prepared statement to the House Energy and Commerce Committee reviewed FTC’s actions against pretexters, particularly in the context of enforcing the Gramm-Leach-Bliley Act that prohibits obtaining financial data through pretexting.^[13] He also recounted the FTC’s actions against data brokers who do not adequately safeguard data, noting that the FTC reached a settlement with data broker ChoicePoint the previous week in which ChoicePoint will pay $10 million in civil penalties and $5 million in consumer redress. That case did not involve cell phone records, however, but he explained that the FTC may bring a law enforcement action against a pretexter who obtains telephone records as an unfair and deceptive practices. Mr. Leibowitz did not make recommendations on actions Congress might take.

Other witnesses before the House committee included CTIA President Steve Largent, Robert Douglas from PrivacyToday.com, and Marc Rotenberg from EPIC. Mr. Largent and Mr. Douglas supported legislation to criminalize obtaining phone records by fraudulent means. In addition, Mr. Larson stressed that such legislation may not entirely solve the problem, while Mr. Douglas argued that the legislation should not be limited to telephone records, and that the FTC should not be given primary authority for enforcement. Mr. Rotenberg summarized his organization’s efforts at raising awareness of this issue through the filings with the FCC and FTC (discussed above). He explained that telephone carriers opposed the use of enhanced security requirements for the data they collect, arguing that bringing lawsuits against pretexters would be sufficient. He insisted that enforcement alone would only drive the practice underground, and that “simple security enhancements, such as sending a wireless phone user a text message in advance of releasing records, could tip off a victim. . . .”^[14]

Similar sentiments were offered by those witnesses or other representatives of their organizations at the Senate hearing on February 8. In addition, the House committee heard from the Attorney General of Illinois, who asked that state laws not be preempted if federal legislation is enacted, and from a representative of the U.S. Telecom Association, who argued in favor of enforcement of existing laws and increased penalties, and against new security mandates. The Senate subcommittee also heard from Ms. Cindy Southworth representing the National Network to End Domestic Violence. She testified about the potential impact of the availability of stolen cell phone records and other personal information on victims of domestic violence.

References

1. 15 U.S.C. §§41-51.
2. EPIC’s complaint is available here.
3. 47 U.S.C. §222.
4. Anand Shefali, “Privacy Group Questions Cellphone Data,” Wall St. J. Europe, July 11, 2005, at A7.
5. CC Docket No. 96-115.
6. ”FCC Probing Sale of Customer Data Acquired from Phone Companies, Martin Says,” TR Daily, January 17, 2006.
7. Mr. Adelstein’s statement is available here. Mr. Copps’ statements is available here.
8. The notices are available here.
9. Mr. Martin’s prepared statement is available here.
10. “EPIC Asks FTC To Investigate Companies Selling Cellphone Call Records,” Communications Daily, Jan. 17, 2006.
11. Peter Svensson, “New Demands to Halt an Old Practice: Selling Calling Records,” Associated Press, Jan. 18, 2006, 17:59.
12. Jennifer C. Kerr, “Web Sites Hawking Phone Records Cease Sales,” Associated Press, Feb. 8, 2006, 20:07.
13. Mr. Leibowitz’s statement is here.
14. Prepared statement of Marc. S. Rotenberg to the House Energy and Commerce Comm., Feb.1, 2006.[1]