Nov. 22, 2005 at 11:00 AM ET
It's actually obscene what you can find out about people on the Internet.
Take cell phone records -- literally. Your cell phone bills are there for the taking, for about $100 a month. Dozens of Web sites offer this service –- one month, or one year. Every call, every phone number. However scary that sounds, it won’t really hit you until you see it for yourself -- so click here for an example of what's out there. Then hit "back" in your browser, and let me explain.
Who your friends are. How to contact them. Even where you were. All those crumbs are on sale. Right now. Online. To anyone.
It may be outrageous, but it's not new. MSNBC.com first wrote about this problem in October 2001, in a story titled "I know who you called last month."
The problem was exposed years earlier by a private investigator named Rob Douglas. Banking records, home phone long-distance calling, even medical information, were all for sale, he told Congress. Once a buyer of that kind of information, Douglas came to believe the practice was unethical, unfair and maybe even illegal –- and he began a crusade against the industry, eventually founding PrivacyToday.com.
During hearings in 1998 and 2000, Douglas told Congress that private investigators simply pretend to be their targets, call up the phone companies involved, and ask for the data they want. Someone who wanted John Smith's cell phone records would just call up the cell company claiming to be John Smith and ask for a duplicate copy of last month's bill. It usually worked. In the business, it's known as "pretext" calling -- calling and asking for records under a false pretext. It was that easy.
Since then, reporters around the world have proved Douglas' point by purchasing all kinds of interesting cell phone records. Most recently, Maclean's magazine purchased the records of Canadian federal privacy commissioner Jennifer Stoddart.
Still, all those Web sites selling all those records keep advertising their services.
But finally, someone seems to be noticing. In July, the Electronic Privacy Information Center (EPIC) filed a complaint with the Federal Trade Commission, asking for an investigation. A month later, EPIC asked the Federal Communications Commission to alter its regulations to make cell phone companies more accountable.
At about the same time, Sen. Charles Schumer, D-N.Y., introduced legislation designed to crack down on the sale of cell phone records by pretext callers. More recently -- just last week -- Sen. Ed Markey, D-Mass., sent a letter to both the FTC and the FCC demanding action.
Verizon steps up to the plate
But most important, a cell phone company has finally stepped forward and said it can't take it any more. In July, Verizon sued a Web site named SourceResources.com for selling its customers' cell phone records. In September, the site settled with Verizon, agreeing to discontinue sales, and to tell Verizon how it managed to obtain the customer records. Verizon spokesman Tom Pica won't say what the company has learned from the trove of information. But it appears Verizon is in it for the long haul; on Nov. 2, the firm went after another alleged pretext Web site, a Florida company named Global Information Group. Pica said Global Information agents made "thousands of attempts" to trick Verizon customer service representatives into divulging phone records.
Kudos to Verizon for taking the issue on. For some time, cell phone companies have been operating like the ostrich -- pretending the problem didn't exist would make it go away. In truth, cell phone firms were afraid to take on the issue because doing so would be a tacit admission that there's a problem. To sue Global and SourceResources, Verizon had to admit these firms managed to steal data, something companies are often reluctant to do.
But it's time to do something. Back in 2001, after Douglas testified before Congress, he helped orchestrate a sting operation against private investigators called Operation Detect Pretext. It specifically targeted firms selling banking information; most sell the same slate of personal data, including cell phone records.
Undeterred by FTC investigation
Initially, Douglas said, the Federal Trade Commission identified 1,500 firms advertising such services, both online and offline. The list was pared to 200 firms, which received warning notices. Then, about a dozen were targeted for stings. FTC investigators using techniques designed by Douglas called those firms, purchased data and recorded the conversations to be used as evidence in later legal action. Eventually, three firms were sued. None was put out of business. In fact, one of the three still operates -- Information Search Inc. On its site, it laments restrictions placed on its business by the FTC. And while the site indicates the firm no longer sells banking information without a permissible purpose, Information Search Inc. does still sell cell phone records.
"We talk all the time about securing information, and yet all of these companies are being duped by the easiest of scams," Douglas says.
Five years after his sting operation, pretext calling still thrives. That's why Douglas says he doesn’t hold out much hope that law enforcement will solve the problem of cell phone records for sale.
For now, Verizon's willingness to admit there's a problem, and to put legal muscle into the fight against those who would steal customer data, is the most hopeful sign.
Lack of imagination
Still, EPIC's Chris Hoofnagle has so far been disappointed by other telecommunications companies and what he describes as a "hostile" response to his complaint. They’ve so far resisted calls for higher security standards. But simple steps could make a big difference, like sending letters to account holders after toll records are requested. Even a text message to the cell phone saying a request had been made would alert consumers that there's a problem.
"The cell phone companies so far have suffered from a lack of imagination," Hoofnagle said.
For now, Douglas says, Verizon's initial legal forays haven’t deterred pretext calling -- and a simple Google search supports his claim. That means even bolder action is required. This is no mere philosophical debate for privacy advocates. Stolen cell phone records and information sold by data thieves and pretext callers have led to embarrassment, unfair harassment, even murder. Reporters used the records to find and hassle families in the Columbine tragedy. In the Internet's most celebrated murder case, stalker Liam Youens purchased Amy Boyer's Social Security number and name of her employer from a data seller named Docusearch. He then showed up at Boyer's office and shot her to death.
On Youens' personal Web site was a simple indictment we would all do well to heed.
"It's actually obsene [sic] what you can find out about people on the Internet."