The Chicago Sun Times reports:
The Chicago Police Department is warning officers their cell phone records are available to anyone — for a price. Dozens of online services are selling lists of cell phone calls, raising security concerns among law enforcement and privacy experts. . . .
To test the service, the FBI paid Locatecell.com $160 to buy the records for an agent’s cell phone and received the list within three hours, the police bulletin said. . . .
How well do the services work? The Chicago Sun-Times paid $110 to Locatecell.com to purchase a one-month record of calls for this reporter’s company cell phone. It was as simple as e-mailing the telephone number to the service along with a credit card number. . . .
On Tuesday, when it reopened, Locatecell.com e-mailed a list of 78 telephone numbers this reporter called on his cell phone between Nov. 19 and Dec. 17. The list included calls to law enforcement sources, story subjects and other Sun-Times reporters and editors.
The website that the story discusses is Locatecell.com. This story is interesting, but it isn’t new — these companies brokering people’s cell phone records have been around for a while, and I blogged about them in July when the Washington Post reported about the issue.
In my post, originally posted at PrawfsBlawg, I wrote:
An article in the Washington Post by Jonathan Krim discusses a really disturbing new market of personal data – the numbers people dial on their cell phones. Here’s an excerpt of the article:
. . . [P]hone records are a part of the sea of personal data routinely bought and sold online in an Internet-driven, I-can-find-out-anything-about-you world. Legal experts say many of the methods for acquiring such information are illegal, but they receive scant attention from authorities.
Think your mate is cheating? For $110, Locatecell.com will provide you with the outgoing calls from his or her cell phone for the last billing cycle, up to 100 calls. All you need to supply is the name, address and the number for the phone you want to trace. Order online, and get results within hours. . . .
Learning who someone talked to on the phone cannot enable the kind of financial fraud made easier when a Social Security or credit card number is purloined. Instead, privacy advocates say, the intrusion is more personal.
“This is a person’s associations,” said Daniel J. Solove, a George Washington University Law School professor who specializes in privacy issues. “Who their physicians are, are they seeing a psychiatrist, companies they do business with . . . it’s a real wealth of data to find out the people that a person interacts with.” . . . .
How pervasive is the problem? According to the article:
“There are probably 100 such sites” known to security officials at Verizon Wireless that offer to sell phone records, said Jeffrey Nelson, a company spokesman, who said Verizon is always trying to respond to abusive practices. He said that the company views all such activity as illegal. . . .
Cell phone records are kept by telephone companies, which must keep that information private. So how are the data brokers getting a hold of it? According to the article, the cell phone data is typically obtained by (1) getting it from an insider at the phone company; (2) “pretexting,” which involves tricking the phone company into releasing the information; and (3) obtaining it via customer accounts online. The article explains this third technique:
Telephone companies, like other service firms, are encouraging their customers to manage their accounts over the Internet. Typically, the online capability is set up in advance, waiting to be activated by the customer. But many customers never do.
If the person seeking the records can figure out how to activate online account management in the name of a real customer before that customer does, the call records are there for the taking.
These tactics are all illegal. The FTC, however, has not done anything to crack down on the practice. According to the Washington Post article, an official at the FTC states that “the agency has never taken such a case to court and does not know how widespread the problem is. He said the FTC must focus its resources on the practices of data thieves that can cause the most damage to large numbers of consumers, such as financial fraud.” Chris Hoofnagle of the Electronic Privacy Information Center, has just filed a complaint with the FTC about these practices.
These events are a further demonstration that the FTC is not doing a sufficient enough job at protecting consumer privacy. Earlier this year, a litany of data leaks were announced, involving the personal information of millions of people. All this happened on the FTC’s watch. There are a few reasons that can explain why the FTC is having such a difficult time enforcing privacy. First, it was not originally designed to do the job. It became involved with privacy issues in the mid 1990s because the United States had no agency to address privacy issues. But privacy enforcement is just one of the many things the FTC does. Second, the FTC sometimes lacks the legal firepower to do very much. There are many gaps in federal privacy law that are exploited. The FTC has limited authority over many privacy issues. (It would, however, seemingly have authority over these illicit and deceptive practices by which cell phone numbers are obtained.) Third, the FTC is only so big, and it is overburdened with things to do.
Congress needs to give the FTC the power and resources to deal with privacy, or else Congress should create a new agency with this focus and authority. The current situation is simply untenable, with illegally-obtained cell phone data being brazenly sold over the Internet while the FTC sits idly by.
More at Schneier on Security.
Originally Posted at Concurring Opinions
* * * *
This post was authored by Professor Daniel J. Solove, who through TeachPrivacy develops computer-based privacy training, data security training, HIPAA training, and many other forms of awareness training on privacy and security topics. Professor Solove also posts at his blog at LinkedIn. His blog has more than 1 million followers.