Tuesday, June 20, 2006

Who's been using "pretexting" to get your phone records?

Back on January 8, I wrote a posting titled "Cell phone call records available online." In that post, I wrote about sites on the Internet where you can pay a fee and get the calling records for cell phones and long distance call records for land lines. The companies providing these services are typically private investigators who use "pretexting"--pretending to be the legitimate owner of the phone--in order to con phone companies into turning over the data. Some also used social engineering or exploited server security flaws to gain access to phone provider online web portals.

Subsequent to the publicity around that story, there was a brief attempt to pass a law making "pretexting" illegal for telephone records as it already is for financial records. Frankly, I think unauthorized use of someone's phone provider web portal account should already be illegal under most state computer crime statutes, and obtaining phone records through misrepresentation should constitute theft by deception or violation of identity theft statutes, but I am not a lawyer.

Now, we are learning who some of the major users of these services are: various offices of the Department of Homeland Security and the Department of Justice, including the FBI; police departments in California, Colorado, Florida, Georgia, and Utah, and most likely hundreds of other police departments. These agencies are bypassing legal processes to obtain private phone records without warrants from private companies engaged in highly unethical if not illegal activity.

Hat tip: Ed Brayton at Dispatches from the Culture Wars.

No comments: