Read the Original Article at http://www.informationweek.com/news/showArticle.jhtml?articleID=170101910
The Electronic Privacy Information Center (Epic), an online privacy advocacy group, on Tuesday petitioned the Federal Communications Commission to require that telecommunications carriers establish better policies and procedures to prevent customer billing records from being sold illegally online.
The group's request that the FCC establish stronger security standards governing the release of consumer proprietary network information follows a July 7 complaint against the illegal sale of consumer information by Intelligent e-Commerce Inc.
Intelligent e-Commerce operates BestPeopleSearch.com, a Web site that advertises the sale of telephone records along with other sensitive personal information. Epic charges that the company is violating the FTC Act, the Telecommunications Act of 1996, and U.S. Postal Regulations.
In an update of a July 7 complaint filed Tuesday, Epic identifies an additional 40 Web sites engaged in the practice of selling telephone records.
The Telecommunications Act forbids telecom companies from using or disclosing consumer proprietary network information without customer approval, unless required by law or permitted by certain exceptions. The data "is protected by statute and regulation," Chris Jay Hoofnagle, Epic's West Coast director, said in a telephone interview. "The problem is, in implementing the regulations, the main concern was marketing use. And the regulations do not adequately address other uses, such as a private investigator calling up and getting the data."
And that's what Epic contends is happening. Just as ChoicePoint Inc. was conned into revealing data to criminals, telephone companies are being duped by social-engineering attacks. "Private investigators are calling up and saying, 'I am the account holder and I didn't get my bill. Can you send me another copy of it?' Hoofnagle explains. "Then out of the fax machine comes the data, and they provider it to the buyer."
If that's the case, telecom companies aren't admitting it. But they insist they're eager to protect customer privacy.
"Our customers' privacy is very important to us," SBC Communications Inc. said in a statement. "We carefully protect the confidentiality of each customer's account and calling information. SBC's Code of Business Conduct prohibits employees from disclosing customer records or customer communications to unauthorized persons."
Asked whether Verizon Communications had encountered these social-engineering attacks, a company spokesman said, "We share our customers' concerns about the protection of data and continually take industry-leading steps in this area. We also continually look at ways to enhance the protection of such data." The company said in a statement that it would file comments about specific steps outlined in the Epic petition when the FCC issues a Notice of Proposed Rulemaking.
Hoofnagle believes the FCC has to do something. "This data can be used to track people, to figure out their associations," he said, "and it's a matter of time before the data is sold to a stalker who harms someone."
That's happened in three well-known cases. Actresses Theresa Saldana and Rebecca Schaeffer were attacked in California by stalkers in 1982 and 1989, respectively. Saldana survived, but Schaeffer was killed. In both cases, the stalkers used information obtained by private investigators. In 1999, Amy Lynn Boyer was killed in New Hampshire by a stalker who found her with the aid of a private investigator.
The domain registrant behind BestPeopleSearch could not be immediately reached for comment because that person has chosen to conceal his or her contact information through a third-party privacy service.
Reached by phone, a customer-service representative at BestPeopleSearch said that Chuck, her boss and the person who could explain how the company obtained its phone billing records, would not be available Tuesday but would call Wednesday. Dutifully protecting his privacy, she declined to provide his last name.