PIs Selling Phone Records Sued By The FTC

carl writes "According to an MSNBC article, the FTC has sued five different background investigation firms for selling confidential phone records." From the article: "In the lawsuits announced Wednesday, the FTC charged the companies used 'false pretenses, fraudulent statements, fraudulent or stolen documents or other misrepresentations, including posing as a customer of a telecommunications carrier' to get the phone records. The companies advertised on their Web sites that they could get the confidential phone records of any individual and make them available for a fee, the agency said."

tch tch

[dotpavan]

NSA lost a good business opportunity ;)

Re:tch tch

[sepharious]

that's just like the government to pass on an opportunity to *make* money doing what it does best. $9Trillion and counting....

Re:tch tch

[CRCulver]

The NSA already has plenty of the business opportunities that especially irk us here at Slashdot: patents. Read any introduction to the NSA's work like Bamford's The Puzzle Palace or Body of Secrets , and you'll see the NSA develops plenty of interesting technologies which they then patent. Cryptome often reports on new NSA patents.

Don't Steal.

[Tackhead]

From TFA:

"Trafficking in consumers' confidential telephone records is outrageous," FTC consumer protection chief Lydia Parnes said in a statement. "It robs consumers of their privacy and exposes them to everything from snoops to stalkers."

Don't steal. Your Government's surveillance programme hates competition.

Don't forget

[nizo]

... the FTC charged the companies used "false pretenses, fraudulent statements, fraudulent or stolen documents or other misrepresentations, including posing as a customer of a telecommunications carrier to get the phone records.

(Emphasis mine)

So when is the FTC going to charge carriers with improperly handling private information? I hope they don't forget to nail the carriers to the wall for handing out this information in the first place. If they wouldn't just give the information away to every Tom, Dick, and Harry that called without verifiying they are who they say they are, there wouldn't be as much of a problem would there? Some simple ways to avoid giving the information to the wrong person might include calling them back on their cellphone or sending the information to the address that gets the bills. Selling this information is wrong, but the carriers are just as culpable for giving it out without proper verification.

Re:Don't forget

[Kapsar]

You are definately right, the phone companies need to train their employees how to avoid social engineering, which is how the people probably get the information from the company. Getting the person answering the phone call to provide them with the information they need to get access to the phone records. This is really pretty scary, what else can those PIs get at if they can get your phone records?

Re:Don't forget

I do consulting work for some private investigators, and have a fairly good handle on this as a result. PIs can get at a lot of data online, usually with a simple (paid) database search. The good database vendors verify that the PI has a valid license before granting access, and typically charge a dollar amount per search. Results are mostly public record: property ownership (house, vehicle registrations, etc.), outstanding warrants, convictions and similar. It's also trivial to obtain credit reports from offshore credit reporting groups (who, by being offshore, don't have to comply with US privacy requirements).

Offline, you do see PIs using social engineering to get phone records and other data - but there is enough concern over the legality of this process in the PI community that many PIs stay away from this.

That said, in probably 90% of the cases I've seen, the useful data is obtained the old fashioned way: through subpoenas (issued as part of a case for which the PI is doing investigative work), going through suspect's trash (it's public property if it's out on the street), tailing/observation, and interviews.

It's amazing what you can find in people's rubbish; most people don't shred phone records, bank/credit card statements, and other personal data. A PI, just like an identity thief, can benefit from this. You just need to be able to stomach handling refuse, which is often quite unpleasant and malodorous.

There is a strong debate in the PI community about who the results of searches should be given to. No PI (I hope! Certainly no PI I've conversed with) wants to assist a stalker or other miscreant. In some cases it's relatively clear cut - they are assisting an attorney or law enforcement with an investigation, and the results will be given the same confidentiality as other evidence obtained in a case. In others it may seem clear cut, but suspicions may arise regarding the motives of a client - at which point the hard decision has to be made between not getting paid, and potentially (without solid evidence) assisting someone in a misdeed.

Re:Don't forget

[jhylkema]

So when is the FTC going to charge carriers with improperly handling private information?

They won't. The carriers paid their protection money^W^Wcampaign contributions to the RNC. These guys didn't, and that's why they're getting hammered. Hell, ChoicePoint and a whole host of other companies traffic in customer information all the time!

Re:PLS...

[Kapsar]

private investigators

Re:PLS...

I just realized, it isn't "Pls", as in short for 'Please', but it is P.I.s, as in Private Investigators.

Never mind me...

And another thing... Why do I have to wait for over 5 minutes between posting anonymous replies? I realize it's flood protection, but 2 replies within 5 minutes would hardly make a flood. Something more reasonable, like a minute or two would be better.

Re:PLS...

[szembek]

Not a troll, a valid question. PIs is not an intuitive acronym. And unless yer name is Magnum... don't use it!

SBC gives this stuff out for free

[pestilence669]

Call the SBC's DSL department and claim to be a friend "helping" someone install their DSL modem... but insist that you don't know the address or anything else. Be as dumb as possible on the phone. Get a little drunk if you can't be convincing.

Often, the customer service reps will read back the entire address, and sometimes, even the last for digits of the SSN. I found this out when I was ligitimately calling them because of a line problem.

I never had any problems adding service, removing service, or getting personal account information... all without identifying myself whatsoever. Need an address for a telephone number, call SBC and tell them you want DSL. The phone reps will "verify" your address by reading it back. Awesome, huh?

Re:SBC gives this stuff out for free

[CastrTroy]

In order to get the point accross, some reporter bought the Canadian Privacy Minister's phone records and sent them to her. She was amazed that this kind of information was available. It amazes me that a lot of the time the people in charge don't even know what is going on, or what is even possible. By the time the press had gotten wind of bittorrent, I had already been using it for a year.

Re:SBC gives this stuff out for free

[darkmeridian]

The tech support technicians have caller ID. They can verify that you are calling from your home phone. The security risks are therefore greatly reduced, because a hacker would presumably know your address already if he already could spoof your phone number. Have you ever wondered why you have to activate your credit card from your home phone?

Re:SBC gives this stuff out for free

[pestilence669]

Ahh. Good point... I'm sure many call centers take advantage of caller ID, but not SBC definately doesn't.

I haven't had a home phone for ten years. When I decided to go mobile, I *REALLY* went mobile. All of my experiences with SBC were done with my mobile phone.

Re:SBC gives this stuff out for free

[Grrr]

By the time the press had gotten wind of bittorrent

When Time Magazine declares something to be "cool," it's completely passé.

<grrr />

Criminal Charges

[Tweekster]

Isnt posing as a customer a criminal act? Why havent they simply arrested these people?

Re:Criminal Charges

[Detritus]

No, not by itself.

Re:Criminal Charges

[packeteer]

Companies cant be arrested. If a problem is more widespread than just a single person's action then you need to sue the whole company. A company does nto value its freedom, the only thing a company cares for is profits therefore sueing is the best way to get to them.

Re:Criminal Charges

[Tweekster]

if it is more than one person? That is called a conspiracy. I understand how it works, but it is not right that the law pretends a company doesnt have people behind it actually carrying out the felonies. The 10 people responsible should be arrested, handcuffed and go to trial for felony charges. and forget about the company completely. if you held the people responsible for what they did, the company as a whole doing wrong makes no difference anymore (except in deep pocket cases)

Re:Criminal Charges

[masdog]

I think that was tried once in State of Indiana vs. Ford Motor Company.

Re:Criminal Charges

[packeteer]

I think the idea here is to curb future companies from encouraging these practices. If you arrest the people involved but dont punish the company it will still leave the financial incentive to encourage future employees to take part in illegal activity.

Re:Criminal Charges

[Tweekster]

True, but financial incentive is a whole lot less of an incentive when I am doing 5-10 at a federal prison

Selling private information?

[JTorres176]

Doesn't equifax as well as a number of other credit reporting agencies sell private information of consumers without their consent already? Hell, they even want to charge you if you look at it.

1. Collect Private information
2. Sell information to companies
3. profit!
4. Sell individuals their own information
5. More Profit!

Re:Selling private information?

[brjndr]

Under the Free File Disclosure Rule of the Fair and Accurate Credit Transactions Act (FACT Act), each of the nationwide consumer reporting companies -- Equifax, Experian, and TransUnion -- is required to provide you with a free copy of your credit report once every 12 months, if you ask for it.

The three nationwide consumer reporting companies are using one website, one toll-free telephone number, and one mailing address for consumers to order their free annual report. They are:

www.annualcreditreport.com
1-877-322-8228
or complete the Annual Credit Report Request Form and mail it to:
Annual Credit Report Request Service
P.O. Box 105281
Atlanta, GA 30348-5281. (The form is at ftc.gov/credit)

Under federal law, you're entitled to a free report if a company takes adverse action against you, such as denying your application for credit, insurance, or employment, and you ask for your report within 60 days of receiving notice of the action. The notice will give you the name, address, and phone number of the consumer reporting company. You're also entitled to one free report a year if you're unemployed and plan to look for a job within 60 days; if you're on welfare; or if your report is inaccurate because of fraud, including identity theft. Otherwise, any of the three consumer reporting companies may charge you up to $9.50 for another copy of your report within a 12-month period.

Re:Selling private information?

[SuperBanana]

www.annualcreditreport.com

If that is the same "unified" website I visited 6 months ago- they go through no end of complexity to "hand off" your session to each credit agency; I lost track of how many times my browser was redirected and bounced off various URLs. I wasn't able to retrieve 2 out of the 3 credit reports because I couldn't supply correct login information, but I had cut+paste the username and password into a text document to save them, and pasted them back into the login pages.

Re:Selling private information?

[Intron]

Interesting - I tried this just now online.

• Experian provided all the information with minimal confirmation of who I was.
• Equifax refused to provide the information online and wanted me to fill out a form and mail it to them.
• Transunion wanted me to enter the account numbers for some expired credit cards in order to authenticate me. Evidently their info is outdated.

Re:Selling private information?

[JTorres176]

Cool.... How do I opt out?

I barely trust the government enough to keep all my private information, I definitely don't trust a private organization to keep track of my records. I don't give them permission to collect this information, I don't give them permission to sell my information, and I'd rather just not be a part of it so... where's the "opt out" button on their website?

You can't really secure against social engineering

[necro2607]

Heh, social engineering is a technique that essentially all humans are vulnerable to. Also, phone companies are actually one of the top targets of social engineering. That combination makes for a pretty high likelihood of peoples' phone-line-related data to be effectively public domain...

There isn't really much way to be "secure" against social engineering because it exploits the one system you can't secure - the human mind. I know people who do this sort of stuff (I don't mean theft though heh) for fun on a fairly regular basis and they can all screw with pretty much any person. It's really amazing how easily you can manipulate someone of any personality type, actually. heh.

The only people who I've found to be highly resistant to any sort of social engineering are the type of people who know how to do it as well. It requires a certain mindset to be able to catch on to when a person might be trying to manipulate you. Unfortunately that sort of mindset usually involves always having a certain amount of suspicion towards peoples' statements all the time...

Some reading material:

http://www.securityfocus.com/infocus/1527

http://www.morehouse.org/hin/blckcrwl/hack/soceng. txt

http://www.kuro5hin.org/story/2004/6/3/223758/2267

http://rf-web.tamu.edu/security/secguide/V1comput/ Social.htm

etc. etc..

Re:PLS...

[gpw213]

PIs is not an intuitive acronym. And unless yer name is Magnum... don't use it!

The acronym is not the problem so much as the font. Like the original poster, I also read that at P-L-S, and count not guess what it was supposed to mean. The font used for the title of the article makes capital-I and lowercase-L identical.

Are they going to sue the FBI as well?

[Aqua_boy17]

There was an arricle on Tech Dirt today about this that went on to say that the FBI and some local law enforcement agencies had been purchasing data from the same sources. Aren't the buyers as guilty as the sellers?

Re:Are they going to sue the FBI as well?

[Detritus]

Maybe morally, but not legally.

Re:Are they going to sue the FBI as well?

[packeteer]

Are cops commiting a crime when they buy drugs in a controlled buy?

Re:You can't really secure against social engineer

[spun]

Heh, social engineering is a technique that essentially all humans are vulnerable to.

That's why I never interact with humans. Or at least that's what I tell my mom when she says I shouldn't eat dinner in the basement.

Why steal?

[Beryllium+Sphere(tm)]

Didn't the phone carriers get permission to sell call records for marketing purposes? Just set up Sam Spade's Market Consultants, pay 17 cents per record for the block of 1000 numbers that includes your target (Joe Whistleblower), then charge your client (Sleazeco) $250 for the information that their employee Joe called Sixty Minutes eighteen times in the last six months.

Then if you're entrepeneurial you take the names from the other 999 records and cross-reference them with divorce filings, call up and say "would it be useful to have proof that your soon-to-be-ex husband called Jennifer's Massage every payday?".

And those are some of the least damaging possibilities. Think how much money a crook could make tracking Wall Street traffic patterns.

Re:Bush is invading our privacy!

[MindStalker]

http://www.nyu.edu/classes/copyXediting/Punctuatio n.html
Use a period to end a rhetorical question.

Re:You can't really secure against social engineer

[Bob3141592]

There isn't really much way to be "secure" against social engineering because it exploits the one system you can't secure - the human mind.

Why not? When you establish service with a company, they should require you to provide them with a security question and answer of your choosing, and not simply ask you to select a common one from a list. Then when someone calls to access information from your account, they simply read back the question to you, and wait for the answer. If it matches, fine, they can presume it's you. If you don't know the answer, then they don't give out any information. If you've forgotten, they can mail it to the billing address on record (or email it to the address on record) and you can call them back later. Why wouldn't that work?

Corps are never held to the standard of people

[Facekhan]

What would a person be charged with rather than a company set up by some people to hide such an illegal activity? This is basically organized fraud and theft of information committed by individuals who set up a company knowing that because of our insane legal system corporate owners are seldom charged even when their companies were setup to be illegal enterprises from the beginning. Sophisticated con artists and fraudsters routinely form corporations for the purpose of limiting their own personal liability for their criminal enterprises. Spammers do it, cult leaders do it, and now black hats are doing it too.

If I did this under my own name, the media would be calling me a hacker who socially engineered and otherwise broke into computer systems for the purpose of stealing sensitive customer information and selling it to the highest bidder.

Credit Agencies!

[arfonrg]

So this is how it works...

ANYONE can claim that you owe them a debt and make a report to the credit agency at ANY TIME. The credit agency then happily reports that to everyone who asks as gospel but, you only get ONCE A YEAR to check that the information is accurate (unless you want to pay)!?!?!

That report (that probably has false information (if you pissed off a company)) is then used to set your loan rates, your auto-insurance rates, and a bunch of other un-credit related things!

WHAT KIND OF CRAP IT THAT!

We, the people, should have FREE access to our credit reports at ALL TIMES! And things that we dispute should be removed UNTIL THE REPORTER CAN PROVE that the info is factual!

Ethical and Legal Private Investigation

[krbuck]

My wife owns a private investigations firm and gets the legal information well... legally.

I think its important to remember that licensed companies (by the state) that act on the behalf of their clients need to have some level of access to public data. The licensing agencies should be quite strict with offenders.

Just an aside: Popular media has imprinted so many strange ideas of what it is to be a PI, I think the service they provide is sometimes overlooked, especially in areas of family law or where the local authorities do not expend resources. Getting an abused wife a good divorce settlement, or catching someone in insurance fraud helps society as a whole. Its up to PIs and their licencing states to make sure the PI license is not abused.

Re:Ethical and Legal Private Investigation

[Brushfireb]

Not to be snide, but in what sense is call records public? Maybe you could say public if they called from a public phone, or called a public place (government office, library, etc). But how is it public if I call my sister down the street. That should be NOT public.

Using your logic, any website should be able to sell the fact that I did business with them, when, for how much, and paid via whatever method. ISP's should be able to sell my browsing history, etc. Thats all complete BS, all of those should be private and confidential, and available only through court order.

B

Re:You can't really secure against social engineer

[robertjw]

If you've forgotten, they can mail it to the billing address on record (or email it to the address on record) and you can call them back later. Why wouldn't that work?

Because 80% of the people will forget their secret answer and then whine, cry, or yell to get what they want. The people on the phone, being people, will give in sometimes - hence the social engineering. As long as there is a human answering the call they can be duped into bending the rules. If a machine answers the phone the company gets a reputation for being cold and inhuman and loses customers. There's no way to win.

It's no different than spam. You tell millions of people not to click the link of naked Paris Hilton pictures - you will get a virus. Next week an email goes around with naked pictures of Nicky Hilton. What happens? 80% click and get a virus. I have no idea why people aren't smarter than this, but they this social engineering stuff definitely works.

I agree but...

[Junta]

you didn't read the comment, if you are faced with any negative impact from your credit report, you have to be able to get it there regardless of the annual limitation.

Also, they don't relay info for free either, other people wanting your info have to pay for it.

Still seems horribly broken though.

for great justice

[crabpeople]

pls to be selling phone records!

hot quality! 100%!

Buy Instead

[The+Angry+Mick]

Your Government's surveillance programme hates competition.

But they do love shopping in a free market:

FBI buys illegally acquired phone records for investigations

Re:You can't really secure against social engineer

[necro2607]

My bank already does this, but it's not going to prevent social engineering in any manner. All that really does is prevent a person from posing as a *customer*.

However, that's a pretty amateur (and often minimally effective) way to social engineer some information out of a company employee. Did you look at the links I posted? It's far more likely that someone would pose as an employee of another department at the same company, or even a higher-up from "the head office in New York", for example. Think about it, an employee isn't going to give out any useful info to someone they think is a "lowly customer" outside of the company. If they think it's the technical director from the head office 500 miles away, obviously it's a very different situation.

To further my point: "Social engineering is successful because the malevolent person attempting to get information (or access) preys upon the good, helpful nature of unknowing and unsuspecting employees."

"In larger organizations, an intruder may pretend to be a fellow employee who needs access because his system is down."

"One trick is for a person to pose as a network troubleshooter who needs an ID and password to verify that a problem on the network is fixed and won't recur"

Re:Solution? The Libertarian Party

[slughead]

I'm a libertarian.. I don't see how the libertarianism would solve this as it's a private matter with private phone companies dispensing private information to private investigators... who need kicked in the privates.

Mine does

[phorm]

For all the various issues I might have with my carrier (Telus), security isn't really one. For my home phone, for major changes they will verify against the PIN number than comes on my bills. For cellphone service, the last time I was having issues they asked me for my PIN code before applying major changes.

I guess not all carriers do that... but yes, they should.

Re:Mine does

[multipartmixed]

You think that has anything to do with being overseen by the CRTC instead of the FTC?

Re:Mine does

[phorm]

I really couldn't say. I do know the CRTC can be rather strict at times, but that's not to say they haven't done stupid things before either...

Re:One detail at a time will be voluntary. har har

[mfrank]

Find someone to trade your Albertson's card with. Screw up their statistics. Course, you should hope they don't buy a bunch of apples and razor blades Halloween afternoon . . .

Poor FBI

[Castar]

It just came out that the FBI is one of the places buying these records - no pesky judges to ask for permission or anything. They just hand over cash, and get the phone records they want.

Can't let the terrists win, right?

Hold the phone! PIs Still Have a Chance!

[zeiche]

The suit is a temporary road block. The PIs simply need to assert the state secrets privilege and get the suit dismissed. Then we can go back to buying records of our girlfriends, bosses and enemies.

Canada's Privacy Minister

[DocUi]

There is a post appointed by parliment as the chief advocate for personal privacy here in Canada. It's his or her job to get things like companies to have a mandatory privacy policy for the collection of personal information.

Macleans magazine did an article where they got HER cellphone records. All the calls she had made on not only her office Cell, but her personal Cell as well.

Re:PLS...

[carl.schuett]

Sorry bout that... I realized it after it was posted when I almost asked myself why I put down p-l-s. Plus Magnum called and said he wasn't happy

Ars Technica was the Source I refereced

[Aqua_boy17]

Not Tech Dirt. Sorry, my bad. But from that article:

"The FBI's long history of misconduct illuminates the necessity of judicial oversight. Requiring strict adherence to due process is the only way to promote accountability and ensure that our law enforcement agents are not abusing their authority. There is already evidence that law enforcement agents have misused information from data brokering services."

When you begin to break the law to enforce the law where do you draw the line? Illegally purchasing phone records as a means of circumventing the judicial process bypasses our system of checks and balances. That was my point.