Cellphone Firms Tell of Limits to Security
Major cellphone company executives told Congress on Friday that they had fortified defenses against data brokers who fraudulently obtain call records, but were limited by customers who balked at mandatory passwords and other protections.
The testimony before a House Energy and Commerce subcommittee came as lawmakers push for legislation in the wake of the Hewlett-Packard Co. spying scandal to add clear criminal and civil penalties for a ruse known as pretexting -- pretending to be account holders to obtain their calling records. But the companies warned against enacting onerous new rules.
“If our security measures become too complicated, it may cause real customers to be denied access to their information when they need it,” said Greg Schaffer, chief security officer for Alltel Wireless.
In addition to bills pending in Congress, some states are taking their own steps. On Friday, California Gov. Arnold Schwarzenegger signed a bill making it illegal to obtain phone records “by fraud or deceit” or to sell a person’s records without consent. First-time violators face a $2,500 fine and a year in jail.
And, for the last year, phone companies have been filing lawsuits against data brokers and others who obtain records surreptitiously.
“Right now, anyone who wants to can purchase your phone records for as little as $100,” the bill’s sponsor, state Sen. Joe Simitian (D-Palo Alto) said. “It’s an unconscionable invasion of privacy.”
New York Post reporter Christopher Byron told the subcommittee that someone used his call records in 2002 to track down two of his confidential sources. The person called AT&T; 46 times over a 10-week period before persuading a customer service agent to read a list of his calls.
“If word gets around you can do this type of thing with impunity
The subcommittee tried to question a Southern California investigator whom it had identified as a pretexter. But Doug Atkin, owner of Anglo-American Investigations Inc. in Venice, refused to testify, invoking his constitutional right against self-incrimination.
Executives from six of the leading cellphone carriers, including Verizon Wireless, T-Mobile USA and Cingular Wireless, said they had moved aggressively to stop the practice after reports this year of websites offering access to anybody’s cellphone records.
Of the six companies, only Verizon Wireless allows customers to obtain information about their calls over the phone. The others require that information be sent to the billing address.
Executives from all the companies said they were training employees to better recognize ruses.
Late Thursday, Verizon Wireless sued 20 unnamed investigators that HP used, saying they used “fraud, trickery and deceit” at least three times to try to gain unauthorized access to an HP director’s phone records.
On Friday, Cingular sued HP outside investigator Charles Kelly, his CAS Agency Inc. in Villa Rica, Ga., and others to halt alleged pretexting and demand a return of unauthorized information, profits from the practice and unspecified damages.
Kelly was one of seven contractors who appeared at a congressional hearing Thursday on the HP scandal but refused to testify.
“They are not data brokers, they are data thieves,” said Thomas Meiss, Cingular’s associate general counsel.
But federal laws may be somewhat confusing on the issue, a point highlighted by HP lawyers who asserted that it was legal to fraudulently obtain phone records in that company’s investigation of a boardroom leak. Lawmakers said they wanted to make it clear that such practices are illegal.
Cellphone company executives said they supported clearer and stronger criminal penalties, as well as expanded civil penalties.
The Federal Trade Commission also would like stiffer penalties. It filed five lawsuits in May against companies it accused of selling illegally obtained phone records. And the Federal Communications Commission is developing guidelines for phone companies to protect customer records.
But cellphone executives said they were concerned that new rules could stymie quick policy changes to outwit data thieves and could force the use of unpopular steps, such as requiring customer passwords.
“They don’t want another password,” Meiss said.
*
james.granelli@latimes.com
