After a flurry of legislative initiatives at the state level and policy action at the Federal Communications Commission (FCC), federal legislation to criminalize pretexting–the impersonation of a customer to gain access to his or her private records–appears to have stalled.
The term “pretexting” entered the American consciousness in 2006 after Hewlett-Packard (HP) disclosed that private investigators hired by the company had obtained phone records of board members by impersonating them to telephone company customer service representatives.
The investigation, ordered by then HP CEO Patricia Dunn, was aimed at smoking out dissident board members she believed were leaking to the press details of an ongoing boardroom dispute.
The ensuing scandal led to Dunn’s resignation and lawsuits against the company. In February, HP settled out of court with a New York Times reporter and three Business Week writers for an undisclosed sum. They were spied on as part of the board’s surveillance program. Suits involving other journalists are still pending.
To settle a civil suit brought by the state of California, HP paid $14.5 million in 2006. The company also negotiated terms of a cease and desist order with the Securities and Exchange Commission that avoided admission of wrongdoing. Dunn and four others associated with the investigation also faced felony criminal charges in California, but those were dropped in early 2007.
The case illuminated the ease with which unauthorized persons can gain access to so-called customer proprietary network information (CPNI)–records that detail phone calls made and received, along with other personal information. Investigators simply called phone company account reps and, claiming to be the account holder, asked for the records associated with the account.
Follow-up news reporting found that a proliferation of third-party agencies was using pretexting to obtain phone records, which they then offered for sale for as little as $100.
Responding to consumer concerns, some 40 state legislatures, including Illinois and California (see sidebar), criminalized pretexting in 2006 and 2007, according to Marc Rotenberg, executive director of the Electronic Privacy Information Center (EPIC), a nonprofit group advocating greater consumer privacy legislation and safeguards.
“The prosecution of HP in California led to new laws in a number of states,” Rotenberg said. “In Washington there is a narrower bill criminalizing pretexting, but it does not address the ease with which people can get the information.”
Rotenberg was referring to a U.S. House bill that passed 409-0 in late 2006 but was not taken up by the Senate before the session ended.
Congress Losing Interest
Congress is not likely to revisit pretexting or other types of privacy violations until after the election, said Peter Kosmala, assistant director for the International Association of Privacy Professionals (IAPP), a York, Maine-based professional group.
Agency-level action continues, however. Acting on a petition brought by EPIC, the FCC ordered U.S. telecommunications service providers to strengthen security and authentication measures regarding the release of personal calling data.
The FCC order prohibits carriers from releasing any call detail information except under three specific circumstances.
First, a customer must provide a pre-established password. Second, the service provider, at the customer’s request, may send call detail information to the customer’s address of record. Third, the service provider may call the telephone number of record and disclose call detail information.
A service provider may not disclose non-call CPNI until the customer is authenticated. The FCC order also requires carriers to password-protect online access to CPNI.
One portion of the order restricts releases of information unless customers proactively opt in to programs in which service providers share certain data with third parties. The National Cable and Telecommunications Association (NCTA), the primary cable TV industry trade group, has since challenged that portion as overly extensive.
The opt-in requirement would hinder service companies from exchanging customer information with independent contractors and joint venture partners, which they do for marketing purposes, said Scott Delacourt, a partner with Wiley, Rein LLP, a Washington-based firm specializing in communications law.
Such arrangements do not necessarily involve pretexting. Therefore, Delacourt said, “The opt-in requirement is more extensive than necessary,” which he believes makes it contestable on First Amendment grounds.
“The FCC decision missed the mark,” Delacourt said. “The opt-in provision will not be particularly effective in preventing pretexting.”
Steven Titch is technology policy analyst at the Reason Foundation.