A while ago, I blogged about companies that were selling records of the numbers people call on their cell phones on the Internet. Congress is currently conducting an investigation into these companies.
Today, Bob Sullivan at MSNBC reports:
As part of its inquiry, the committee has asked dozens of Web sellers to reveal their customers lists. MSNBC.com has viewed one such list, and spoken with several other data sellers.
One seller, Advanced Research Inc., which operates ADVSearch.com, told the committee that it has sold data to the FBI.
“On occasion, ARI (Advanced Research) has done work for municipalities, banks, mortgage and insurance companies, private companies, foreign governments, law enforcement, even the FBI,” ARI’s letter to Congress said.
FBI spokesman Richard J. Kolko said Sunday he could not confirm or deny whether the bureau had received mobile phone records from Advanced Research, but acknowledged that the FBI sometimes buys or receives data from private companies to help with investigations. But he said agents would never break any laws to obtain such evidence.
“The FBI, in pursuit of its investigative priorities, at times gets information from private companies that provide information to the public, or at least to others outside of the government,” Kolko said. “This investigative technique is used to support investigations or other aspects of our missions. When this is done, we adhere to all established DOJ guidelines, FBI policy and the law.”
Kolko also said he could not comment on processes the FBI may have in place to ensure that data it receives from private companies has been acquired legally by intermediaries.
If the FBI is obtaining cell phone records from these companies, it is a very troubling revelation. The cell phone records being peddled by these companies is often obtained via fraud. It is hard to imagine how these companies could have legally obtained the cell phone records. The FBI’s seeking the records in this manner strikes me as an end-run around the Pen Register Act, 18 U.S.C. § 3121 et seq., which requires a court order before the FBI can install pen register devices that record the phone numbers people dial. However, the Pen Register Act applies to a “device or process” that records dialing information. These cell phone records most likely fall outside the Pen Register Act because they are just records, not devices or processes. But the result of the FBI obtaining the records seems to contravene at least the spirit of the Pen Register Act, which is to require a court order before the government can obtain a list of the phone numbers people dial.
It isn’t clear from the article whether the FBI is saying that it does not acquire illegally obtained information or whether it is simply saying it isn’t violating the law by acquiring such information. According to the article, the problem extends beyond the FBI obtaining the records — state police are also obtaining records from these companies.
Originally Posted at Concurring Opinions
* * * *
This post was authored by Professor Daniel J. Solove, who through TeachPrivacy develops computer-based privacy training, data security training, HIPAA training, and many other forms of awareness training on privacy and security topics. Professor Solove also posts at his blog at LinkedIn. His blog has more than 1 million followers.
Professor Solove is the organizer, along with Paul Schwartz, of the Privacy + Security Forum and International Privacy + Security Forum, annual events designed for seasoned professionals.
If you are interested in privacy and data security issues, there are many great ways Professor Solove can help you stay informed:
* LinkedIn Influencer blog