US Judge Bars Unauthorized Sales of Phone Records

The Register delivers the good news that a US federal judge had slapped down the practice of pretexting and ordered a Wyoming company to pay almost $200,000; AccuSearch was also permanently barred from selling individuals' phone records without their permission. The FTC had filed suit in 2006 against the company and four others. AccuSearch had advertised a service that made phone records of any individual available for a fee. The current article makes no mention of whatever became of the other four accused data brokers.

What? This is unheard of!

[Phantombrain]

Since when has the US government cared about the privacy of individuals?

Re:What? This is unheard of!

[Dr. Hellno]

If I may, I'll take off my top hat and replace it with my tinfoil cap for a second:

It seems probable to me that the reason this happened is phone records which show calls

from politicians to call girls

from lobbyists to politicians

and of course

conference calls between the three.

Re:

[AndGodSed]

Since... uh no you got me.

Re:

[technicalandsocial]

I would guess pressure had something to do with it:
http://www.cippic.ca/en/news/documents/Judgement.pdf [cippic.ca]

Someone made a request to Accusearch for information on Canada's privacy commissioner, and they got it. The case made it to the Canadian court system. And if you wonder why affairs in Canada would affect the US;

Canada now has a "do not fly list" ("Passenger protect") -- yet they don't want one
Canada is now starting a war against drugs -- yet they don't want one

Paint me stupid.

[palegray.net]

How in the hell did this firm gain access to peoples' phone records in the first place? I guess I don't know enough about how this works, but I thought it was illegal for the phone company to provide such records to a private firm without a court order. Hell, even cops have to get warrants to go through phone records, right?

Re:Paint me stupid.

[corsec67]

In the current government, who cares about a "warrant"? Not like that means anything anymore. Especially to a phone company.

Paint me stupid too

[erareno]

This is how spammers get your number, I'm guessing? If so, does this mean no more phone spam? *Awaits the inevitable denial of such high hopes*

Re:

[servognome]

Sorry to dash your hopes, but there are a bunch of ways you "willingly" authorize companies to sell your number. Just look at the little text on cell phone bill/credit card application/airline ticket/etc.

Re:

[TheThiefMaster]

You mean like

tick which of the following you don't want us to contact you on:
O Phone text O email
and which of these you do:
O Post O Phone call
and which of the following you would not like us to not send you our newsletter on: ...
and tick 1,3 and A if you don't want us to sell all your private data to some dodgy firm, making sure to erase the pre-printed tick in 4. Note that if you opt to not have us contact you above, you agree to let us sell all your details regardless of what you tick here...

Grr

Re:

[FredFredrickson]

Yeah, My guess is even with this court order, all they need for authorization is an opt out mail that has a timeout of 1 month. If you choose not to read your junk mail carefully, you silently consent to all sorts of horrid things. And for some- maybe they never even get the letter...

Re:

[KillerCow]

How in the hell did this firm gain access to peoples' phone records in the first place?

Say you want the phone records for John Smith.

1. Call the phone company.
2. Pretend to be John Smith
3. Ask them to send a copy of your phone records.

Re:

[CodeBuster]

Indeed this is what is meant by "pretexting" in the summary. For more detailed information, including sample conversation transcripts and other stories of pretexting and the early hacking days of Kevin Mitnick [wikipedia.org], you may want to take a look at The Art of Deception [wikipedia.org]. The more recent examples of similar types of activities include spamming and phishing of course, but the old phone pretexting techniques are still just as serviceable today as they were before, during, and even after the golden age of phone preak [wikipedia.org]

Re:

[mwvdlee]

So all of this could've been avoided if the phone companies would only send records to the addresses registered in their system for the client requesting their phone records?

Re:

[Loconut1389]

for the most part, but social engineering always works.
Our mail almost always comes within an hour timeframe. It wouldn't take much for someone to sit on my porch and smoke a cigarette until the mail comes. The mailman would gladly hand it to someone who looked like they lived there. You then avoid the messing with a mailbox charge and the clank of incoming mail. We have a mailbox on the porch- not a street box- I imagine it would be easier to steal from a street box- though 'more' illegal.

Re:

[Anonymous Coward]

As long as legitimate customers have access to their accounts, so will anyone else who cares to look.

Changing your address won't work. People get around that problem by simply forwarding your mail, which anyone can do to anyone else, for free even! And then restoring it to the old address when they get what they want. Or yeah, simply stopping by your house and grabbing your mail.

All of the security, encryption, firewalls and passwords in the world won't stop someone from calling you on the phone and just si

Re:Paint me stupid.

[Doc Daneeka]

The company, AccuSearch, was calling up phone companies and pretending to be certain persons in order to gain their account information. They then sold the relevant information to an interested third party. The private firm was misrepresenting itself in order to gain sensitive information.

"FTC attorneys argued that using false pretenses, fraudulent statements and fraudulent or stolen documents to induce carriers to disclose records was illegal."

So, they didn't need a warrant because they were pretending to be a customer trying to access their account records.

Re:Paint me stupid.

[palegray.net]

I'd like to see criminal charges pressed for this sort of behavior. Surely the employees taking these actions couldn't possibly use the defense of "I was just doing my job." That would be like low level dope peddlers claiming they only sold their product under duress from their "boss." Anyone care to do a little digging on exactly what criminal statutes might have been broken here?

Re:

[penix1]

It doesn't take digging to find out what the violated statute is. It is fraud. Wire fraud if done over the phone like it usually is. The thing I don't get is how the phone companies can justify giving phone records for one phone number to someone calling from another. The reply should be, "Call us back from the phone you want the records to." It won't stop all the fraud but it will make it that much harder.

Re:

[Tanktalus]

Ok, so I call up using a Skype account where I can fake the caller ID.

No, someone else already had this right. Only send to the mail address on file. Still not perfect, but it should stop this corporations from being able to get out-of-region phone records (ok, if they're in NYC, they could sit on someone's porch in NYC, but that might get suspicious. They won't likely fly to Los Angeles or Toronto to get phone records from those areas.)

Re:

[FuzzyDaddy]

Only send to the mail address on file.

I know someone whose ex wanted to get her mail, so he filled out a mail forwarding card and forged the signature. It's not hard to do. They'll forward to anywhere in the country based on a little slip of paper.

Re:

[ih8bills]

That is a crime-- but rarely enforced. The Post Office makes a lame, half-assed attempt to "verify" the order via a pair of "confirmation letters" which is about as effective as screen doors on a submarine... The victim can and should complain to the Postal Inspection Service.

Re:

[FuzzyDaddy]

They actually kept the forged card as some leverage in their future dealings with the ex.

Re:

[ih8bills]

Only trouble with that is...the authorities would question their motive for waiting to file a complaint. They WON'T be drawn into divorce battles-- tampering with the mail is a Felony offense... but they are not anyone's "tool".

Re:

[ThreeSpace]

It's the phone company. Do you think they'd use CallerID? More likely, they'd be using ANI which is way more difficult to forge.

Re:

[Darth Eggbert]

I currently work for one of the ILECs, and have for over 3 years, and the FCC has forced us to beef up some of our procedures. They have recently decreed that we can only send duplicate copies of bills to the address on file, as long as it has been that way for at least 30 days (a billing cycle). You also can no longer access your online account unless you have a security code that is hardcopied to you via snail mail.

All this is great, right?

Well you can't imagin how much this has pissed customers off. If p

Re:

[Kaenneth]

Same way that guy on Dateline (or whatever show that "Have a seat" guy is on) catches child 'predators'.

The government requires 'Warrants', has rules against 'Entrapment', etc. However, if a private party does the work, they hands it over to them, magically it's accepable as evidence.

Just like the Blackwater contractors, it's not the Government, so it's OK.

Corporations don't just get favors from Government, sometimes they give them.

How many warrentless wiretaps is the spectrum auction worth?

I am just joking

Re:

[BVis]

I knew someone who contributed to the Bush campaign, she wants the second coming (of Jesus) to happen and she's looking forward to the events in Revelations, such as the battle of Armegeddon.

Lots of people feel that way. I don't see how it's relevant.

For the record, I'm not an evangelical, but I think that people's beliefs should be respected insofar as they don't infringe on other people's rights to have different ones. RAmen.

Re:

[aproposofwhat]

people's beliefs should be respected insofar as they don't infringe on other people's rights to have different ones

Wrong, wrong, wrong.

If someone believes something that is patently stupid, why is it deserving of respect?

Just because it's a religion?

Sorry, but I respect people based on how they act towards others, not because they subscribe to a particular belief system, and their being religious reduces the respect that I have for them, whichever sky monster they subscribe to.

The idea that religious belie

Re:

[BVis]

If someone believes something that is patently stupid, why is it deserving of respect?

Just because it's a religion?

Because by accepting that people believe different things than you do, you reduce their ability to tell YOU that what you believe is wrong. Not to mention the fact that arguing over religion is a waste of time.

And what is "moral relativism"? Morals are ALWAYS relative, as far as I can tell. What works for you doesn't necessarily work for me, and vice versa. Personally, what I believe is tha

Re:

[aproposofwhat]

Oh, I accept that other people believe different things than I do, but I see no need to respect their belief systems and to give them equal weight to my own.

And no - I'm not an objectivist (though I am often objectionable) - I'm more of a meld between Wittgenstinian and Utilitarian, which is where I get my moral code from.

Strangely, the moral code that fits best with what can be deduced from utilitarian principles was promulgated by one Jesus of Nazareth some 2000 years ago, but it was immediately corrupted

Re:

[BVis]

You don't have to give them any weight whatsoever as far as your own decisions go. But just because they believe something else doesn't make them 'wrong', it just makes them different. I'm not asking you to respect their beliefs, but to respect what those beliefs mean to them, no matter how bizarre they might seem to you. Most of the time this involves simply keeping your mouth shut, so it's actually LESS effort for you.

NO NO NO!!

[onkelonkel]

People's beliefs should NOT be respected.

No belief is ever, in any way, deserving of or entitled to "Respect"

What we ought to respect is a persons right to believe whatever they like. Their beliefs can be agreed or disagreed with, applauded or ridiculed, depending on their congruence with observed reality and, yes, your own beliefs.

There are people who believe the earth is flat, that a God has decided that women should be subservient to men, or that it's ok to have sex with children. Do you automatically

Re:

[BVis]

I misspoke. I meant 'respect a person's right to believe what they want'.

This includes NOT ridiculing those beliefs for its own sake. I find it's best to smile, nod, and say nothing when it's obvious from my perspective that what someone believes is patently ridiculous. If you want to pick a fight, go for it, I respect your right to believe that that's the correct course of action. Personally, I find that arguing with a zealot accomplishes two things: pisses you off, and convinces the zealot that you'r

Re:

[onkelonkel]

Right you are. The only reasons to argue with a zealot are to deliberately annoy them, or (more difficult, but scores higher)use facts and reason to get close enough to one of their core beliefs that they go into cognitive dissonance.

If you want to be nice, my Mum told me a simple substitution trick - instead of saying "Bullshit", say "Amazing".

"all the Jews left the World Trade Center an hour before the planes hit" - "Amazing"

"Bill Gates will send me a dollar for every e-mail I forward to him" - "Ama

See laws on CDR's

[thule]

I wish I could find the article I read awhile back that explained the law around log files. Traditionally, call detail records (CDR's) were not owned by you, the customer. CDR's were/are owned by the phone company. They could use the data anyway they wanted, including selling it. There are some states (Washington?) that created laws that stated that CDR's are not owned by the phone company, but are partially owned by the customer and are therefore considered private information.

If you run a web server,

Re:

[Devistater]

You must not be keeping up on /. news :)
http://yro.slashdot.org/article.pl?sid=02/07/18/1245202 [slashdot.org]
http://yro.slashdot.org/article.pl?sid=01/10/03/1628242 [slashdot.org]

They probably would have been ok if they made themselves as an affiliate of the phone companies (they could say they were selling cell phone batteries or something).
Then they could buy/sell/trade for all the customer information they want, names, addresses, who they call, what times, the phone numbers they call, etc. All without a warrant. No pre-texting nessa

Other data brokers?

[hawks5999]

The current article makes no mention of whatever became of the other four accused data brokers

They all now go by their original names:

NSA

CIA

FBI

DHS

Re:

[gbobeck]

I thought their real names were the following:

AT&T
AARP
ACM (thats Association For Computing Machinery)
Publisher's Clearinghouse

Re:

[Artuir]

Hm. Coward, indeed.

Re:

[palegray.net]

Please do not feed the trolls. It only incites them to further stupidity. Please reference the official Wikipedia article [wikipedia.org] on the topic for further information. You may also be interested in The Psychology of Trolling [barbelith.com]. This has been an online discussion tactics PSA. Thank you, HAND, YMMV, IANAL, FWIW.

Not such a big deal

[Anonymous Coward]

The 3 letter agencies don't have to buy their phone records

OK, that's a start.

[ScentCone]

But a judge telling a firm that they can't do it any more isn't NEARLY as good as congress making it a big ol' Federal No-No. So, c'mon, Pelosi. Reid? Where's all of that protect-the-little-guy stuff? Hillary? Obama? Where are the firey populist bits about how they'll use their party's control of congress to work on this sort of thing? Well, first things first. Like... hearings on steroid use in baseball leagues.

Re:

[rhizome]

But a judge telling a firm that they can't do it any more isn't NEARLY as good as congress making it a big ol' Federal No-No. So, c'mon, Pelosi. Reid? Where's all of that protect-the-little-guy stuff?

It's in the same place the FTC went [theregister.co.uk] when they were looking for a club [wikipedia.org]to use against these guys.

Articles...they's good for readin', Jethro!

Re:

[rhizome]

Yeah it sure is Uncle Jedd!

You might want to find a newer article that describes developments in that story since last Thursday, of which there have been "some."

Re:

[Doc Daneeka]

We don't need more laws when the current ones are already adequate. We just need the enforcing agencies to start upholding the law. Merely throwing more laws at the ills of society will not cure them. I would have to agree that Congress often does not focus on the important things but it is another thing to be asking them to go off on more tangents making things already illegal go on "Double Secret Probation".

Re:

[kmac06]

RTFA. It's already illegal you twit.

Now for email

[timeOday]

We need the same protections for email - who emails whom should be private. As it stands, I'm not even sure the contents of emails are protected.

Re:

[ih8bills]

Of course not--email is like broadcasting-- anyone between you & the intended recipient can read it anytime they like. Is not even hard to do-- any 3rd grader could probably figure it out. Unless it is encrypted before it's sent.

Meh

[SeaFox]

Perhaps I would be more impressed if the ruling said that all companies, including phone carriers, had to get customer approval before selling records via an opt-in waiver separate from their service agreement. I imagine most carriers have some sentence in the fine print saying that by taking their service you're agreeing by default to let them use your data.

Oh, wait. They do. Hence we all have to run around to every company we do business with and make phone calls, check boxes on online forms, and send postcards to opt-out of their information selling.

Re:

[rtb61]

It is far more logical to make it illegal across the board to sell private information, without notifying the recipient of every sale of private information, including the name and details of the individual who sold the data, the name and details of the individual who bought the data and the company they represent, the full extent of the data traded, and what they intend to do with the data, and this should be done for each and every transaction, no exemptions.

They should also implement realistic data ret

Re:

[Devistater]

Yeah, ever since the FCC changed the rules to make sharing CPNI (Customer Proprietary Network Information) an opt OUT process instead of opt IN, thats what you need to do. You are one of the few people that know about and recognize this, most people don't know about it.

http://yro.slashdot.org/article.pl?sid=02/07/18/1245202 [slashdot.org]
http://yro.slashdot.org/article.pl?sid=01/10/03/1628242 [slashdot.org]

Re:

[ih8bills]

While I agree whole-heartedly with the principle and the idea... I'm afraid it is wayyyyy too late for 99% of the US population to opt out of anything. There are entire companies in the US that make all of their income by selling/trading your personal information. In some States (like mine) you have to opt out of the bloody Registry of Motor Vehicles selling your name/address--I just did that 2 days ago... :( Credit-card companies (especially STORE-cards like JC Penney/Sears) Magazine subscriptions-- EVERYB

Wait...

[Shifty Jim]

This was legal to begin with? Umm... Yeah.

Well, it's not so bad

[cgomezr]

I don't think bars can sell records in the Europe, with or without authorization. It makes no difference whether their clients are judges or not.

Now let's get Intelius

[LouTheTroll]

Here's another one: http://www.intelius.com/phone-search-name.html [intelius.com]

Hmm. Does it prevent -

[Geminii]

- the company giving the records, gratis, to a second company coincidentally owned by the same people, which then sells the records for profit?