Since the day I stood at Amy’s grave I’ve asked myself many unanswerable questions. I’ve wondered what Amy was thinking about in the last moments prior to the first sign of danger. Was she thinking about her weekend plans that Friday as she climbed in her car following work? I’ve wondered about the confusion she must have felt as she looked out her window at the car that rushed up alongside hers, coming to a sliding stop drivers’ door to drivers’ door. Did Amy recognize the young man behind the wheel shouting her name? Did she recognize Liam as a former high school classmate? And yes, having seen the photos of Amy’s bullet-torn body, I’ve wondered about the moment when Amy’s confusion turned to terror as Liam repeatedly shot her — saving the last bullet to die alongside Amy.
There are questions I can answer. Amy didn’t know of Liam’s obsession to kill her and she didn’t know Liam had been tracking her, detailing his lust for her death on a Web site named for her. And she certainly didn’t know Liam hired private investigators that used “pretext” — a deceptively benign word for a form of identity theft that has now entered the lexicon due to Hewlett Packard — to obtain her work address and sell it to a stalker.
Still, in the aftermath of Amy’s murder on Oct. 15, 1999 – almost seven years to the day as I write this — more questions remain unanswered than answered. The one that awakens me at night, drives my work during the day and angers me more with each passing moment since Amy’s death is: Why has Congress failed to pass a law protecting people like Amy from private investigators that steal and sell Americans’ private information? Quite simply – Why did Congress fail Amy?
The fact that Congress has repeatedly failed to protect Americans from private investigators working as identity thieves has been brought to the forefront as a result of the Hewlett Packard case.
HP case not the first
For many Americans the shadowy black market of stolen consumer records was first revealed when the HP boardroom debacle began spilling into the headlines. The term “pretext” became understood in the context of the HP investigation as the misuse by private investigators of Social Security numbers to obtain the phone records of HP directors and employees, reporters and uninvolved relatives by impersonating those individuals to phone companies. But this case was not the first time this year that the theft of phone records by pretext was in the news.
In January it was reported that the Chicago police and the FBI were concerned about Web sites selling phone records and the impact that could have on the safety of undercover agents and informants. Within days of those reports a blogger used one of the Web sites to purchase and post to his blog the cell phone records of former presidential candidate Gen. Wesley Clark in order to demonstrate how easy it is to obtain Americans’ phone records.
Following the January reports, Congress – acting as if it had never heard of pretext – held multiple hearings, conducted an investigation of dozens of private investigators involved in the market for stolen phone records and introduced multiple bills outlawing the use of pretext to steal phone records. Those bills were accompanied by grand election year promises like the one made by Rep. Joe Barton, R-Texas, chairman of the House Energy and Commerce Committee, to have a bill on the president’s desk by late last spring. The Barton promise, like all the promises by Congress on this issue, has proven empty to date.
Quite simply, Barton and the rest of Congress have failed to outlaw the theft of phone records -- something every right-thinking citizen recognizes as simple common sense. And that failure is despite knowing, from their own investigation coupled with years of prior warnings, that hundreds of thousands of Americans have their phone records stolen every year.
But that unconscionable failure is just the most recent example of congressional impotence when it comes to defending Americans against information thieves. And what makes those failures inexcusable is that Congress has known since at least 1998 of the dangers presented when private information is stolen and sold to anyone and everyone willing to pay the thief.
Danger highlighted in 1998
In 1998, 15 months before Amy was murdered, I testified before Congress for the first of seven times through February of this year about the increasing use of social engineering (the proper term for pretext) by private investigators, illicit information brokers and identity thieves to steal private information. That first hearing in 1998 focused on the theft of financial records and resulted in a specific provision in the Gramm-Leach-Bliley Act that made it a federal crime to use pretext to steal financial records.
In what can only be viewed as the most tragic of ironies, the act was signed into law 25 days after Liam killed Amy – only 39 days after Liam hired private investigators to find where Amy worked. Those investigators specialized in stealing financial records the law was designed to protect. To find Amy’s workplace address one of the investigators impersonated an insurance company executive to Amy’s mother and asked where Amy worked. As Amy’s mom stated, “I was made an accomplice to my own daughter’s murder.”
Instead of being a good first step in an ongoing legislative process to specifically outlaw the use of pretext, the law turned out to be the only step. Yet, the theft and sale of Americans’ private records is routine and growing in both scope and volume. At any given time thousands of private investigators offer Social Security numbers, financial records, phone records, utility (gas/power/water) records, cable and satellite television records, post office box records, and much more – usually stolen by pretext.
All of this has been made known to Congress repeatedly from 1998 right through the HP hearings in recent weeks via multiple hearings and excellent reporting by numerous publications.
So the question remains. When is Congress going to stop the outrageous use of pretext by private investigators to steal Americans’ private information? For eight years Congress has been on notice of these practices and has only protected one category of private information – and even that law is now being routinely circumvented by private investigators. It is time for Congress to stop looking at the category of information stolen and start focusing on the tactic used by the thieves – pretext. It is time that Congress act to protect all private information by broadly outlawing the use of pretext to steal private, consumer, and proprietary records. It is time for Congress to do their job and stop failing Amy.
Rob Douglas is an information security consultant and has spent the past decade exposing the use of pretext by private investigators and identity thieves to steal customer account information maintained by consumer oriented businesses.