‘Pretexting’ Likely to Persist if Data Brokers Driven Off Internet
Carriers must remain on guard against “pretexters” selling cellphone records and other customer proprietary network information (CPNI) even if most data brokers are forced to shut down online sales, 2 top information security experts told us. The gray market, with companies quietly selling information to private investigators and other favored customers, may be harder to shut down. The FCC and FTC are investigating companies that sell data obtained from carriers (CD Feb 12 p1) through pretexting. Legislation is expected in Congress.
“They'll just return to the rock that they were under before the Internet,” predicted Al Gidari, an attorney representing wireless carriers suing data brokers in the U.S. and Canada. “People know how to defraud carriers and retailers out of records… This is nothing new. It’s just more entertaining because it was on the Internet.”
“The history here is that a lot of it will go underground,” said Robert Douglas, an information security consultant who testified in recent weeks before House and Senate committees on the need for privacy legislation: “It’s a black market-grey market for information.”
“Given that a fair amount of their clients are insurance investigators, private investigators, the [data brokers] will stay in touch with their people,” Douglas added. “Other data brokers think they're a little bit smarter, more evasive. They're not on the Internet. They'll be able to increase their prices.” He said many online brokers have pulled ads for the sale of billing records off their websites: “They're hoping they are not one of those selected by state attorneys general or federal investigators for investigation and possible prosecution.”
Data brokers have defended themselves by saying law enforcement has been one of their largest markets, wireless carrier sources told us. Douglas said that claim is unsupported. Gidari said the truth may never be fully known because the FCC and FTC were slow in pursuing data broker records. “The claim has never been backed up,” Douglas said. “There’s absolutely no evidence of widespread use by law enforcement… There is extensive evidence in all of those same cases of attorneys and private investigators being a substantial part of the market for those records.”
Data brokers can’t be trusted, Douglas added. “One thing people need to understand is that these guys and gals are professional liars, even with much of what is on their websites,” he said: “This air of legitimacy is designed to convince the public that what they're doing must be legal if law enforcement is using them.” Douglas cited the record from Operation Detect Pretext, an FTC sting to catch bank record buyers. The sting caught only one government employee, a low-level DoJ investigator, he said.
But Gidari said many records that would show who buys the data probably have been destroyed. The FCC and FTC had the power, working with federal marshals, to seize records before their parallel investigations made national headlines, he said. “They could have swooped down on these entities at a time when they were unsuspecting. Now what you're hearing from them is, ‘We don’t keep records of sales’… We've been told by the brokers themselves the records are gone.”
Gidari said the FCC and FTC should focus on data brokers and their customers rather than on developing new rules for carriers. “Shut the market down and we will take care of the problem,” he said: “You've got to go after the market.” In a notice of proposed rulemaking released last week, the FCC asked a battery of questions about steps the Commission could take to protect CPNI (CD Feb 16 p10).