
PIs Selling Phone Records Sued By The FTC 79

Posted by Zonk
from the argh-my-records dept.
carl writes "According to an MSNBC article, the FTC has sued five different background investigation firms for selling confidential phone records." From the article: "In the lawsuits announced Wednesday, the FTC charged the companies used 'false pretenses, fraudulent statements, fraudulent or stolen documents or other misrepresentations, including posing as a customer of a telecommunications carrier' to get the phone records. The companies advertised on their Web sites that they could get the confidential phone records of any individual and make them available for a fee, the agency said."

  • tch tch (Score:5, Funny)

    by dotpavan (829804) on Thursday May 04, 2006 @02:31PM (#15264933) Homepage
    NSA lost a good business opportunity ;)
  • by Tackhead (54550) on Thursday May 04, 2006 @02:32PM (#15264941)
    From TFA:

    "Trafficking in consumers' confidential telephone records is outrageous," FTC consumer protection chief Lydia Parnes said in a statement. "It robs consumers of their privacy and exposes them to everything from snoops to stalkers."

    Don't steal. Your Government's surveillance programme hates competition.

  • Don't forget (Score:5, Insightful)

    by nizo (81281) * on Thursday May 04, 2006 @02:32PM (#15264950) Homepage Journal
    ... the FTC charged the companies used "false pretenses, fraudulent statements, fraudulent or stolen documents or other misrepresentations, including posing as a customer of a telecommunications carrier" to get the phone records.

    (Emphasis mine)


    So when is the FTC going to charge carriers with improperly handling private information? I hope they don't forget to nail the carriers to the wall for handing out this information in the first place. If they wouldn't just give the information away to every Tom, Dick, and Harry that called without verifying they are who they say they are, there wouldn't be as much of a problem, would there? Some simple ways to avoid giving the information to the wrong person might include calling them back on their cellphone or sending the information to the address that gets the bills. Selling this information is wrong, but the carriers are just as culpable for giving it out without proper verification.

    • You are definitely right, the phone companies need to train their employees how to avoid social engineering, which is how the people probably get the information from the company. Getting the person answering the phone call to provide them with the information they need to get access to the phone records. This is really pretty scary, what else can those PIs get at if they can get your phone records?
      • Re:Don't forget (Score:1, Informative)

        by Anonymous Coward
        I do consulting work for some private investigators, and have a fairly good handle on this as a result. PIs can get at a lot of data online, usually with a simple (paid) database search. The good database vendors verify that the PI has a valid license before granting access, and typically charge a dollar amount per search. Results are mostly public record: property ownership (house, vehicle registrations, etc.), outstanding warrants, convictions and similar. It's also trivial to obtain credit reports from o
    • by necro2607 (771790) on Thursday May 04, 2006 @03:04PM (#15265208)
      Heh, social engineering is a technique that essentially all humans are vulnerable to. Also, phone companies are actually one of the top targets of social engineering. That combination makes for a pretty high likelihood of people's phone-line-related data to be effectively public domain...

      There isn't really much way to be "secure" against social engineering because it exploits the one system you can't secure - the human mind. I know people who do this sort of stuff (I don't mean theft though heh) for fun on a fairly regular basis and they can all screw with pretty much any person. It's really amazing how easily you can manipulate someone of any personality type, actually. heh.

      The only people who I've found to be highly resistant to any sort of social engineering are the type of people who know how to do it as well. It requires a certain mindset to be able to catch on to when a person might be trying to manipulate you. Unfortunately that sort of mindset usually involves always having a certain amount of suspicion towards people's statements all the time...

      Some reading material:

      http://www.securityfocus.com/infocus/1527 [securityfocus.com]

      http://www.morehouse.org/hin/blckcrwl/hack/soceng.txt [morehouse.org]

      http://www.kuro5hin.org/story/2004/6/3/223758/2267 [kuro5hin.org]

      http://rf-web.tamu.edu/security/secguide/V1comput/Social.htm [tamu.edu]

      etc. etc..
      • Heh, social engineering is a technique that essentially all humans are vulnerable to.

        That's why I never interact with humans. Or at least that's what I tell my mom when she says I shouldn't eat dinner in the basement.
      • by Bob3141592 (225638) on Thursday May 04, 2006 @03:48PM (#15265588) Homepage
        There isn't really much way to be "secure" against social engineering because it exploits the one system you can't secure - the human mind.

        Why not? When you establish service with a company, they should require you to provide them with a security question and answer of your choosing, and not simply ask you to select a common one from a list. Then when someone calls to access information from your account, they simply read back the question to you, and wait for the answer. If it matches, fine, they can presume it's you. If you don't know the answer, then they don't give out any information. If you've forgotten, they can mail it to the billing address on record (or email it to the address on record) and you can call them back later. Why wouldn't that work?
        • If you've forgotten, they can mail it to the billing address on record (or email it to the address on record) and you can call them back later. Why wouldn't that work?

          Because 80% of the people will forget their secret answer and then whine, cry, or yell to get what they want. The people on the phone, being people, will give in sometimes - hence the social engineering. As long as there is a human answering the call they can be duped into bending the rules. If a machine answers the phone the company ge
        • My bank already does this, but it's not going to prevent social engineering in any manner. All that really does is prevent a person from posing as a *customer*.

          However, that's a pretty amateur (and often minimally effective) way to social engineer some information out of a company employee. Did you look at the links I posted? It's far more likely that someone would pose as an employee of another department at the same company, or even a higher-up from "the head office in New York", for example. Think about
        • For all the various issues I might have with my carrier (Telus), security isn't really one. For my home phone, for major changes they will verify against the PIN number that comes on my bills. For cellphone service, the last time I was having issues they asked me for my PIN code before applying major changes.

          I guess not all carriers do that... but yes, they should.
    • So when is the FTC going to charge carriers with improperly handling private information?

      They won't. The carriers paid their protection money^W^Wcampaign contributions to the RNC. These guys didn't, and that's why they're getting hammered. Hell, ChoicePoint and a whole host of other companies traffic in customer information all the time!
  • Ah nice... (Score:1, Redundant)

    by suv4x4 (956391)
    the FTC has sued five different background investigation firms for selling confidential phone records.

    Good, the competition is eliminated...
  • by pestilence669 (823950) on Thursday May 04, 2006 @02:53PM (#15265101)
    Call the SBC's DSL department and claim to be a friend "helping" someone install their DSL modem... but insist that you don't know the address or anything else. Be as dumb as possible on the phone. Get a little drunk if you can't be convincing.

    Often, the customer service reps will read back the entire address, and sometimes, even the last four digits of the SSN. I found this out when I was legitimately calling them because of a line problem.

    I never had any problems adding service, removing service, or getting personal account information... all without identifying myself whatsoever. Need an address for a telephone number, call SBC and tell them you want DSL. The phone reps will "verify" your address by reading it back. Awesome, huh?
    • In order to get the point across, some reporter bought the Canadian Privacy Minister's phone records and sent them to her. She was amazed that this kind of information was available. It amazes me that a lot of the time the people in charge don't even know what is going on, or what is even possible. By the time the press had gotten wind of bittorrent, I had already been using it for a year.
    • The tech support technicians have caller ID. They can verify that you are calling from your home phone. The security risks are therefore greatly reduced, because a hacker would presumably know your address already if he already could spoof your phone number. Have you ever wondered why you have to activate your credit card from your home phone?
      • Ahh. Good point... I'm sure many call centers take advantage of caller ID, but SBC definitely doesn't.

        I haven't had a home phone for ten years. When I decided to go mobile, I *REALLY* went mobile. All of my experiences with SBC were done with my mobile phone.
  • Isn't posing as a customer a criminal act? Why haven't they simply arrested these people?
    • No, not by itself.
    • Companies can't be arrested. If a problem is more widespread than just a single person's action then you need to sue the whole company. A company does not value its freedom, the only thing a company cares for is profits, therefore suing is the best way to get to them.
      • If it is more than one person? That is called a conspiracy. I understand how it works, but it is not right that the law pretends a company doesn't have people behind it actually carrying out the felonies. The 10 people responsible should be arrested, handcuffed and go to trial for felony charges, and forget about the company completely. If you held the people responsible for what they did, the company as a whole doing wrong makes no difference anymore (except in deep pocket cases)
  • Doesn't Equifax as well as a number of other credit reporting agencies sell private information of consumers without their consent already? Hell, they even want to charge you if you look at it.

    1. Collect Private information
    2. Sell information to companies
    3. profit!
    4. Sell individuals their own information
    5. More Profit!
    • Under the Free File Disclosure Rule of the Fair and Accurate Credit Transactions Act (FACT Act), each of the nationwide consumer reporting companies -- Equifax, Experian, and TransUnion -- is required to provide you with a free copy of your credit report once every 12 months, if you ask for it.

      The three nationwide consumer reporting companies are using one website, one toll-free telephone number, and one mailing address for consumers to order their free annual report. They are:

      www.annualcreditreport.com
      1-87
      • So this is how it works...

        ANYONE can claim that you owe them a debt and make a report to the credit agency at ANY TIME. The credit agency then happily reports that to everyone who asks as gospel but, you only get ONCE A YEAR to check that the information is accurate (unless you want to pay)!?!?!

        That report (that probably has false information (if you pissed off a company)) is then used to set your loan rates, your auto-insurance rates, and a bunch of other un-credit related things!

        WHAT KIND OF CRAP IS THAT
        • you didn't read the comment, if you are faced with any negative impact from your credit report, you have to be able to get it there regardless of the annual limitation.

          Also, they don't relay info for free either, other people wanting your info have to pay for it.

          Still seems horribly broken though.
      • www.annualcreditreport.com

        If that is the same "unified" website I visited 6 months ago- they go through no end of complexity to "hand off" your session to each credit agency; I lost track of how many times my browser was redirected and bounced off various URLs. I wasn't able to retrieve 2 out of the 3 credit reports because I couldn't supply correct login information, but I had cut+paste the username and password into a text document to save them, and pasted them back into the login pages.

      • Interesting - I tried this just now online.
        • Experian provided all the information with minimal confirmation of who I was.
        • Equifax refused to provide the information online and wanted me to fill out a form and mail it to them.
        • Transunion wanted me to enter the account numbers for some expired credit cards in order to authenticate me. Evidently their info is outdated.
      • Cool.... How do I opt out?

        I barely trust the government enough to keep all my private information, I definitely don't trust a private organization to keep track of my records. I don't give them permission to collect this information, I don't give them permission to sell my information, and I'd rather just not be a part of it so... where's the "opt out" button on their website?
  • There was an article on Tech Dirt today about this that went on to say that the FBI and some local law enforcement agencies had been purchasing data from the same sources. Aren't the buyers as guilty as the sellers?
  • Why steal? (Score:4, Interesting)

    by Beryllium Sphere(tm) (193358) on Thursday May 04, 2006 @03:44PM (#15265554) Homepage Journal
    Didn't the phone carriers get permission to sell call records for marketing purposes? Just set up Sam Spade's Market Consultants, pay 17 cents per record for the block of 1000 numbers that includes your target (Joe Whistleblower), then charge your client (Sleazeco) $250 for the information that their employee Joe called Sixty Minutes eighteen times in the last six months.

    Then if you're entrepreneurial you take the names from the other 999 records and cross-reference them with divorce filings, call up and say "would it be useful to have proof that your soon-to-be-ex husband called Jennifer's Massage every payday?".

    And those are some of the least damaging possibilities. Think how much money a crook could make tracking Wall Street traffic patterns.
  • What would a person be charged with rather than a company set up by some people to hide such an illegal activity? This is basically organized fraud and theft of information committed by individuals who set up a company knowing that because of our insane legal system corporate owners are seldom charged even when their companies were set up to be illegal enterprises from the beginning. Sophisticated con artists and fraudsters routinely form corporations for the purpose of limiting their own personal liability
  • My wife owns a private investigations firm and gets the legal information well... legally.

    I think it's important to remember that licensed companies (by the state) that act on the behalf of their clients need to have some level of access to public data. The licensing agencies should be quite strict with offenders.

    Just an aside: Popular media has imprinted so many strange ideas of what it is to be a PI, I think the service they provide is sometimes overlooked, especially in areas of family law or where the lo
    • Not to be snide, but in what sense are call records public? Maybe you could say public if they called from a public phone, or called a public place (government office, library, etc). But how is it public if I call my sister down the street? That should be NOT public.

      Using your logic, any website should be able to sell the fact that I did business with them, when, for how much, and paid via whatever method. ISPs should be able to sell my browsing history, etc. That's all complete BS, all of those should be pr
  • pls to be selling phone records!

    hot quality! 100%!

  • It just came out that the FBI is one of the places buying these records - no pesky judges to ask for permission or anything. They just hand over cash, and get the phone records they want.

    Can't let the terrists win, right?
  • The suit is a temporary road block. The PIs simply need to assert the state secrets privilege and get the suit dismissed. Then we can go back to buying records of our girlfriends, bosses and enemies.
  • There is a post appointed by parliament as the chief advocate for personal privacy here in Canada. It's his or her job to get things like companies to have a mandatory privacy policy for the collection of personal information.

    Macleans magazine did an article where they got HER cellphone records. All the calls she had made on not only her office Cell, but her personal Cell as well.
