Real Time Communications Industry News

[January 20, 2006]

Protecting cell phone users' privacy

(ZDNet News Via Thomson Dialog NewsEdge) Reports of Web sites that sell records of cell phone calls have been in the press for months, prompting action this week by lawmakers and the Federal Communications Commission. But some critics believe that cellular carriers should do even more to protect personal information.

Numerous Web sites, such as and, are advertising that they can provide records of incoming and outgoing cell phone calls--for less than $100, in some cases. That kind of information is often used by law enforcement agencies in their investigations. However, the online availability of such data could be exploited by criminals, such as stalkers, abusive spouses or identity thieves, experts have warned.

Wireless operators claim these sites get customer information through fraud, such as posing as a customer and asking for information about an account.


What's new:

Lawmakers on Capitol Hill and law enforcement agencies are vowing to protect consumers' cell phone records by penalizing those who use deception to obtain customer information. But some experts say the problem won't go away unless phone companies better protect customer data.

Bottom line:

Experts say there are several steps operators can take to verify that a records request is legitimate, including use of a customer password system, confirmation of each request by sending a text message to the customer's cell phone and implementation of auditing systems at customer service centers.


The practice of using trickery to obtain the records from phone companies has been the subject of news reports for months. The issue reached a fever pitch when Washington, D.C.-based blogger John Aravosis posted on his site a detailed account of how easy it was for him to buy his own cell phone records, and then purchase the records of Gen. Wesley Clark, a former candidate for U.S. president.

Cell phone companies say they are taking a stand against those selling this information. In the last couple of weeks, Cingular Wireless and Verizon Wireless have requested court orders against data brokers accused of obtaining the records through fraud. The Federal Communications Commission's enforcement bureau this week also said it's looking into companies that obtain telephone records without the customer's approval or knowledge.

Now federal lawmakers are jumping on the bandwagon, introducing legislation in both the House of Representatives and in the Senate to criminalize the activity of obtaining customer information falsely. For example, Sens. Charles E. Schumer (D-N.Y.), Arlen Specter (R-Pa.) and Bill Nelson (D-Fla.) introduced a bill earlier this week that would make it illegal to pose as someone else when calling a phone company, or for an employee to sell customer data. On the state level, the office of Connecticut Attorney General Richard Blumenthal launched an investigation of companies that may have illegally sold consumers' cell phone data.

It's clear the low-hanging fruit in these lawsuits, investigations and proposed legislation are the online businesses that sell and advertise the availability of this information. But shutting down a few Web sites won't fix the problem, experts said. Some people believe that as an industry, the cell phone companies need to improve how they secure the personal billing information of the almost 20 million wireless subscribers in the U.S.

"Phone companies can definitely do a better job securing data," said Sherwin Siy, staff counsel for the Electronic Privacy Information Center in Washington, D.C. "It's extremely important that something be done to prevent these breaches from continuing, because it impacts everyone's right to privacy."


So how do these Web sites get access to customer billing information? Experts believe the records are leaked in a couple of ways. One is through the mishandling of data by employees in call centers or by workers at companies doing outsourced tasks for wireless operators.

A common misconception in corporate security is that a company's biggest threat is an outsider trying to hack into a server with sensitive information. But research indicates that insiders--employees, partners and contractors--cause more security problems. Companies such as Vontu and its rival Vericept have built data-interception products that monitor e-mail, instant messages, FTP files and other electronic communications on corporate networks, sniffing for leaks of sensitive information.

The second way people get their hands on billing information is by simply pretending to be the customer on the account. They may, for example, call a customer service operator and ask for a copy of the last few months' bills. They then ask to have it sent to them via e-mail, fax or a mailing address not listed on the account. Called "pretexting," this practice is already illegal for people trying to fraudulently obtain financial records. The new laws that are being introduced further clarify the strictures against such behavior and will make it explicitly illegal to pretend to be someone else to obtain billing information for phone service.

"The kinds of information that is available in call centers, coupled with access to the Internet that people working in these centers have, is a perfect storm for data breaches," said Kit Robinson, the director of corporate communications for Vontu. "The key to protecting data in any company is having a policy about how to handle sensitive data and enforcing it from a personnel perspective, as well as from a technology perspective."

Experts say there are several things that the cell phone companies can do to mitigate these issues.


Do not send billing information to fax numbers or e-mail accounts that the mobile operator cannot verify are owned by the customer. This could be easily fixed by only sending records to the mailing address on the account.

Require customers to have a password to access their call records or billing information. When someone calls for information on the bill, they must enter a secure personal-identification number to get data. Customers can request that this be added to their account, but most cell phone operators do not require it.

Send short text messages to customers' cell phones every time there is a request for their personal information. They can respond to these messages to authorize the delivery of this information.

Implement internal auditing tools in call centers. Several companies offer software that can look for anomalies in employee behavior to see if a particular worker may be mishandling data. For example, if an employee accesses dozens of files at the end of every shift, it may be because that employee is copying files and selling them.
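The end-of-shift check described in the last item can be sketched in a few lines of Python. This is an added illustration, not part of the original article or any vendor's product; the log format (timestamp, agent, account, shift end), the agent and account names, and the thresholds (15-minute window, 24 accounts, two shifts) are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def parse(line):
    """Parse one record: timestamp,agent,account,shift_end (assumed format)."""
    ts, agent, account, shift_end = line.strip().split(",")
    return datetime.fromisoformat(ts), agent, account, datetime.fromisoformat(shift_end)

def end_of_shift_bursts(lines, window=timedelta(minutes=15),
                        min_accounts=24, min_shifts=2):
    """Return {agent: [shift dates]} for agents who repeatedly open many
    distinct accounts in the final `window` of a shift."""
    late = defaultdict(set)  # (agent, shift_end) -> accounts opened late
    for line in lines:
        ts, agent, account, shift_end = parse(line)
        if shift_end - window <= ts <= shift_end:
            late[(agent, shift_end)].add(account)
    bursts = defaultdict(list)
    for (agent, shift_end), accounts in late.items():
        if len(accounts) >= min_accounts:
            bursts[agent].append(shift_end.date().isoformat())
    # One busy closing period is not a pattern; require it on several shifts.
    return {a: sorted(d) for a, d in bursts.items() if len(d) >= min_shifts}

def sample_log():
    """Constructed sample data, not real carrier logs."""
    lines = []
    for day in ("2006-01-17", "2006-01-18"):
        end = f"{day}T17:00:00"
        for i in range(30):  # a17: 30 accounts in the last 10 minutes, both days
            lines.append(f"{day}T16:{50 + i // 3:02d}:{(i % 3) * 20:02d},"
                         f"a17,acct-{day[-2:]}-{i:03d},{end}")
        for i in range(8):   # a03: one account an hour, spread over the shift
            lines.append(f"{day}T{9 + i:02d}:15:00,a03,acct-03-{i:03d},{end}")
    for i in range(30):      # a22: a single busy closing period on one day
        lines.append(f"2006-01-17T16:55:{i:02d},a22,acct-22-{i:03d},"
                     "2006-01-17T17:00:00")
    return lines

if __name__ == "__main__":
    for agent, days in end_of_shift_bursts(sample_log()).items():
        print(f"review agent {agent}: end-of-shift bursts on {', '.join(days)}")
```

A flag from a check like this is a prompt for a supervisor to review the accesses against the agent's handled calls, not proof of misconduct.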

Policies and procedures

Despite the widespread availability of all kinds of billing information on the Internet, Cingular and Verizon claim they have already been implementing many of these safeguards. And, they say they are continually improving security.

"We are constantly looking at our policies and procedures as it relates to customers and their interaction with the company," said Jeffrey Nelson, a spokesman for Verizon. "I can't say what exactly we've been doing internally to protect customer information, but we are looking at best practices in other industries that deal with even more sensitive information than we do. We've already started taking steps toward improvement."

Cingular said that it has also been focusing on improving how it handles customer data and how it trains employees to deal with people seeking sensitive information.

"Some of the steps we're taking are more human in terms of training and ensuring that our employees follow strict guidelines," said Mark Siegel, a Cingular spokesman. "We're using this situation as an opportunity to tighten our security and improve the good work that our employees are already doing."

But some people, including lawmakers, say it's clear that more needs to be done to safeguard customer information.

"The protection of an individual's personal information is a high priority with me," U.S. Rep. Joe Barton, a Texas Republican and the chairman of the House Energy and Commerce Committee, said in a statement. "While businesses have legitimate reasons to compile and keep the data that define our lives, they have a responsibility to safeguard it as if it were their own."

Barton is introducing a bill in the House of Representatives that will make pretexting for obtaining phone records illegal. And he is also calling for penalties for cell phone operators that do not properly protect personal information.

"It seems to me that the most sensible action we can take quickly to thwart the buyers and sellers of personal phone records is to make pretexting illegal," he said. "I will introduce legislation to accomplish that, and my bill will substantially increase the penalties if telephone companies release consumer telephone records without the permission of the consumer."
