Cell Phone Records For Sale

cellphone-4a.jpgThe Chicago Sun Times reports:

The Chicago Police Department is warning officers their cell phone records are available to anyone — for a price. Dozens of online services are selling lists of cell phone calls, raising security concerns among law enforcement and privacy experts. . . .

To test the service, the FBI paid Locatecell.com $160 to buy the records for an agent’s cell phone and received the list within three hours, the police bulletin said. . . .

How well do the services work? The Chicago Sun-Times paid $110 to Locatecell.com to purchase a one-month record of calls for this reporter’s company cell phone. It was as simple as e-mailing the telephone number to the service along with a credit card number. . . .

On Tuesday, when it reopened, Locatecell.com e-mailed a list of 78 telephone numbers this reporter called on his cell phone between Nov. 19 and Dec. 17. The list included calls to law enforcement sources, story subjects and other Sun-Times reporters and editors.

The website that the story discusses is Locatecell.com. This story is interesting, but it isn’t new — these companies brokering people’s cell phone records have been around for a while, and I blogged about them in July when the Washington Post reported about the issue.

In my post, originally posted at PrawfsBlawg, I wrote:

An article in the Washington Post by Jonathan Krim discusses a really disturbing new market of personal data – the numbers people dial on their cell phones. Here’s an excerpt of the article:

. . . [P]hone records are a part of the sea of personal data routinely bought and sold online in an Internet-driven, I-can-find-out-anything-about-you world. Legal experts say many of the methods for acquiring such information are illegal, but they receive scant attention from authorities.

Think your mate is cheating? For $110, Locatecell.com will provide you with the outgoing calls from his or her cell phone for the last billing cycle, up to 100 calls. All you need to supply is the name, address and the number for the phone you want to trace. Order online, and get results within hours. . . .

Learning who someone talked to on the phone cannot enable the kind of financial fraud made easier when a Social Security or credit card number is purloined. Instead, privacy advocates say, the intrusion is more personal.

“This is a person’s associations,” said Daniel J. Solove, a George Washington University Law School professor who specializes in privacy issues. “Who their physicians are, are they seeing a psychiatrist, companies they do business with . . . it’s a real wealth of data to find out the people that a person interacts with.” . . . .

How pervasive is the problem? According to the article:

“There are probably 100 such sites” known to security officials at Verizon Wireless that offer to sell phone records, said Jeffrey Nelson, a company spokesman, who said Verizon is always trying to respond to abusive practices. He said that the company views all such activity as illegal. . . .

Cell phone records are kept by telephone companies, which must keep that information private. So how are the data brokers getting a hold of it? According to the article, the cell phone data is typically obtained by (1) getting it from an insider at the phone company; (2) “pretexting,” which involves tricking the phone company into releasing the information; and (3) obtaining it via customer accounts online. The article explains this third technique:

Telephone companies, like other service firms, are encouraging their customers to manage their accounts over the Internet. Typically, the online capability is set up in advance, waiting to be activated by the customer. But many customers never do.

If the person seeking the records can figure out how to activate online account management in the name of a real customer before that customer does, the call records are there for the taking.

These tactics are all illegal. The FTC, however, has not done anything to crack down on the practice. According to the Washington Post article, an official at the FTC states that “the agency has never taken such a case to court and does not know how widespread the problem is. He said the FTC must focus its resources on the practices of data thieves that can cause the most damage to large numbers of consumers, such as financial fraud.” Chris Hoofnagle of the Electronic Privacy Information Center, has just filed a complaint with the FTC about these practices.

These events are a further demonstration that the FTC is not doing a sufficient enough job at protecting consumer privacy. Earlier this year, a litany of data leaks were announced, involving the personal information of millions of people. All this happened on the FTC’s watch. There are a few reasons that can explain why the FTC is having such a difficult time enforcing privacy. First, it was not originally designed to do the job. It became involved with privacy issues in the mid 1990s because the United States had no agency to address privacy issues. But privacy enforcement is just one of the many things the FTC does. Second, the FTC sometimes lacks the legal firepower to do very much. There are many gaps in federal privacy law that are exploited. The FTC has limited authority over many privacy issues. (It would, however, seemingly have authority over these illicit and deceptive practices by which cell phone numbers are obtained.) Third, the FTC is only so big, and it is overburdened with things to do.

Congress needs to give the FTC the power and resources to deal with privacy, or else Congress should create a new agency with this focus and authority. The current situation is simply untenable, with illegally-obtained cell phone data being brazenly sold over the Internet while the FTC sits idly by.

More at Schneier on Security.

You may also like...

5 Responses

  1. E says:

    How about a couple of other alternatives? Provide a private cause of action so that the victims of such activites can get these issues dealt with. Alternatively, allow state AGs power to enforce these laws. It sounds like Illinois would be interested in pursuing the matter.

  2. Anyone Can Get Anyone’s Phone Records

    Interested in who your spouse is talking to? Your boss? A celebrity? A politician? The Chicago Police Department is warning officers their cell phone records are available to anyone — for a price. Dozens of online services are selling lists…

  3. gadfly says:

    My response to how this story broke, and the differential treatment of people in the blogosphere:


  4. isabella says:

    dear sirs,

    I can not agree on all comments concerning phone tapping. If one has nothing to hide then one has nothing to fear. I have a cheating husband and I would

    like to know his calls. Some people have to be watched. ( THE QUILTY)

  5. anthony says:

    My girlfriend (now ex) purchased my cell phone records after I took a trip for 5 days.

    This left me with a very annoying feeling. I can’t believe that my personal informatoin is that availalbe and that anyone would be stupid enourgh to buy it.

    Goodbuy girlfriend and fuck you t-mobile.

    I ordered a landline and will limit my cell calls. (what if my competitors know who I am selling to)?