Showing posts with label pretexting. Show all posts

Commissioner releases pretexting report


You may recall some time ago when pretexting made the headlines in Canada after a MacLean's reporter purchased the Privacy Commissioner's phone records (Canadian Privacy Law Blog: That's a little cheeky: MacLean's Magazine buys Privacy Commissioner's cellphone records off the 'net). Today the Commissioner released a finding into the incident, accompanied by a big media release:

Data broker exploits human error, weak safeguards to access phone records (July 10, 2007)

PIPEDA Case summary #372: Disclosures to data brokers expose weaknesses in telecoms' safeguards

Here's the release:

Data broker exploits human error, weak safeguards to access phone records

OTTAWA, July 10 /CNW Telbec/ - Recent experience has shown Canadian companies must take precautions to ensure personal information and customer data is not vulnerable to data thieves and pretexters. Strong identification and authentication procedures are essential in blocking unauthorized attempts to access the personal information of Canadians.

An investigation by the Office of the Privacy Commissioner of Canada (OPC) has found that human error and weaknesses in the policies and procedures of three telecommunications companies allowed a data broker to gain unauthorized access to personal phone records.

The investigation was prompted by an article in Maclean's alleging the magazine had been able to purchase the telephone records of Privacy Commissioner Jennifer Stoddart and a senior Maclean's editor from US-based data broker Locatecell.com.

The investigation found that Locatecell.com used "social engineering" to trick phone company customer service representatives into divulging confidential information, either in the specific instances alleged and/or subsequent test cases. Social engineering involves manipulating people into divulging personal information, for example, by pretexting, or pretending to be someone authorized to obtain the information.

The OPC looked at improper disclosures of personal information to pretexters seeking to gain unauthorized access to phone records of individuals without their knowledge or consent. The three companies investigated were Bell Canada, Telus Mobility and Fido.

"In each case, we found that customer service representatives had not followed the companies' established authentication procedures. We also found that training of customer service representatives was not comprehensive enough to protect customers' personal information from illegal access by pretexters," says Assistant Commissioner Raymond D'Aoust. "As a result, the three companies failed to meet the requirements of the Protection of Personal Information and Electronic Documents Act (PIPEDA)."

All three companies revised their customer authentication procedures shortly after the disclosures took place. The OPC reviewed those changes and recommended further steps to address weaknesses in their policies and procedures to prevent unauthorized individuals from gaining access to customers' personal information. All three companies have since taken additional steps to further mitigate the risks resulting from pretexting and unauthorized access to personal records. The Office of the Privacy Commissioner is generally satisfied that all three companies have put in place an adequate set of measures to address the problems.

Nonetheless, the Assistant Commissioner says the companies should have been better prepared to deal with social engineering in the first place. The issue of data brokers using social engineering to obtain call records in the United States had been in the news some time before these incidents occurred.

"It's particularly troubling that not enough was done to let call centre employees know about this kind of threat," says Assistant Commissioner D'Aoust.

"Given the prevalence of identity theft, it is absolutely crucial that all companies adopt strong authentication processes to help ensure that they are providing information to someone who is actually authorized to have that information. It is equally vital that companies ensure that their employees are following these processes and are aware of the threats to personal information that pretexting poses."

The OPC has developed Guidelines for Identification and Authentication on its web site.

A summary of findings in the three cases is also available on the web site.

New laws in the US have recently made it an offence to use pretexting to obtain individuals' phone records in an effort to curb the activities of US information brokers, including Locatecell.com. However, this does not mean the problem has gone away either in the US, or elsewhere, particularly in other countries, including Canada, where no similar legislation yet exists.

In an appearance before a Parliamentary committee last month, Commissioner Stoddart called on the federal government to work collaboratively with the provinces and international partners to adopt a range of legislative and policy solutions to address this problem.

The Privacy Commissioner of Canada is mandated by Parliament to act as an ombudsman, advocate and guardian of privacy and the protection of personal information rights of Canadians.

New anti-pretexting regulation in the United States


These sound like eminently sensible regulations that could be adopted as best practices for any company that handles personal information. According to the Privacy and Security Law Blog, the US Federal Communications Commission has adopted regulations about the release of calling records by telecommunications companies. The rules provide that information can only be released to those who have a password associated with the account. If no password is provided, the information can only be either (i) mailed to the address of record or (ii) telephoned to the phone number of record. Also, the customer has to be alerted via these approved channels if the address or the password is changed. Makes sense to me.

US FTC successfully sues Accusearch/Abika


Recently, the US Federal Trade Commission successfully brought an action against Accusearch (aka Abika) for selling customer phone records without consent.

Readers will recall that Abika was the subject of a complaint brought by CIPPIC in Canada that is still ongoing.

District Court Bars the Sale of Consumers’ Telephone Records to Third Parties

A federal judge has barred the illegal operation of an information broker who advertised and sold confidential consumer telephone records to third parties without the consumers’ knowledge or consent. In entering summary judgment for the Federal Trade Commission, Judge William F. Downes of the U.S. District Court for the District of Wyoming also required the defendants to give up nearly $200,000 in ill-gotten gains derived from the consumer phone records they sold, and ordered that the individuals whose records were sold be notified.

In May 2006, the FTC charged AccuSearch, Inc., doing business as Abika.com, and its principal, Jay Patel, with violating federal law by selling consumers’ phone records to third parties without the consumers’ knowledge or authorization. According to the FTC complaint, the defendants advertised on their Web site that they could obtain the confidential phone records of any individual – including details of outgoing and incoming calls – and make that information available to their clients for a fee. To obtain such information, which is not legally available to the public, the FTC alleged that the defendants caused others to use “false pretenses, fraudulent statements, fraudulent or stolen documents or other misrepresentations, including posing as a customer of a telecommunications carrier,” to induce the telecommunications carriers to disclose the confidential records. Consumers whose phone records were sold by defendants suffered substantial injury as a result of those sales. The FTC charged that the defendants’ practices were unfair in violation of the FTC Act.

In his ruling, Judge Downes found that the defendants’ obtaining and selling of confidential phone records without consumers’ knowledge or consent was “necessarily accomplished through illegal means,” and that defendants knew that the phone records were being obtained surreptitiously. The court further found that this practice caused substantial injury to consumers, including: serious health and safety risks experienced by some consumers from stalkers and abusers; economic harm associated with changing telephone carriers and upgrading security on their accounts; and a host of “substantial and real” emotional harms. The court concluded that consumers had no way to avoid these harms. “In fact,” Judge Downes wrote, “the evidence presented before the court indicates that confidential consumer phone records were sold through Abika.com despite considerable efforts by consumers to maintain the privacy of those records.” Finally, the court found no countervailing benefits to consumers or competition that could be derived from defendants’ practice.

Judge Downes also rejected the defendants’ claimed immunity under Section 230 of the Communications Decency Act, 47 U.S.C. § 230, a federal statute that confers immunity on interactive computer service providers for publishing information content provided by a third party. The court found that the defendants failed to establish two of the three necessary elements of a CDA defense, holding that the FTC’s lawsuit did not seek to “treat” defendants as a publisher within the meaning of the CDA, and that the defendants participated in the creation or development of the information content.

Following his opinion, Judge Downes permanently barred the defendants from obtaining, causing others to obtain, marketing, or selling consumers’ telephone records except as permitted by law. The order also bars the defendants from purchasing, marketing, or selling consumer personal information unless the information was lawfully obtained. The order prohibits the defendants from making deceptive statements to obtain consumers’ personal information and from buying such information from third parties.

The judge’s order requires the defendants to give up the $199,692.71 in ill-gotten gains they earned through illegally obtaining and selling the records. The order also authorizes the FTC to notify the individuals whose phone records were sold by defendants, to the extent that those consumers can be located. The order allows the FTC to use the forfeited ill-gotten gains for this purpose. Finally, the order contains certain bookkeeping and record keeping requirements to allow the FTC to monitor compliance.

The defendants have appealed the order to the Tenth Circuit Court of Appeals.

The FTC wishes to thank the Office of the U.S. Attorney for the District of Wyoming for its assistance in this matter.

The FTC works for the consumer to prevent fraudulent, deceptive, and unfair business practices and to provide information to help spot, stop, and avoid them. To file a complaint in English or Spanish, click http://www.ftc.gov/ftc/complaint.shtm or call 1-877-382-4357. The FTC enters Internet, telemarketing, identity theft, and other fraud-related complaints into Consumer Sentinel, a secure, online database available to more than 1,600 civil and criminal law enforcement agencies in the U.S. and abroad. For free information on a variety of consumer topics, click http://www.ftc.gov/bcp/consumer.shtm.

Gov't balks at phone privacy provision


The Federal Communications Commission is trying to develop rules to counter pretexting, but is encountering resistance from the FBI and Secret Service. A requirement to destroy calling records after they have served legitimate business purposes would not make the records available to be reviewed by law enforcement. A second requirement to notify consumers if their records have been disclosed by a pretexter would tip the consumers off if they are the subject of an investigation. See: Gov't balks at phone privacy provision - Yahoo! News.

Charges laid in HP pretexting case


The first charges have been laid in the HP pretexting case: Federal charge in HP spy case.

PIs, privacy and pretexting


Kevin Bousquet, a private investigator with The Corpa Group, has an interesting and long post on PIs, privacy law and pretexting on his blog. It's his view that privacy laws have backfired and that Bill C-299 (the anti-pretexting private member's bill) will have a disastrous effect on the ability of private investigators to deal with fraud, among other things. It's obvious that he put a lot of thought into it and, though I don't agree with many of his conclusions, it is an interesting perspective.

Oddly, there wasn't anyone espousing this perspective who appeared at the PIPEDA review hearings.
