Phone companies must not release phone call records over the phone unless the caller knows the account password, and they can no longer share phone call records with marketers without approval, under sweeping proposed rules by government regulators trying to prevent the sale of such records by data brokers who use fraud to get access. These online data brokers would call customer service and pretend to be the customer in order to get call records, a technique often referred to as 'pretexting.'
While this practice was well known to privacy groups and was a key focus of the Electronic Privacy Information Center, the practice did not gain wide scrutiny until news broke that Hewlett-Packard launched an intensive spying campaign against journalists, as well as its own employees and board members. While the company took a beating in the media and in Congress, the courts sentenced the fraudsters to the equivalent of after-school detention.
The rules, published Tuesday by the Federal Communications Commission, apply to landlines, cell phones, and internet phone services that interact with the traditional phone system. Companies will also have to report to customers and law enforcement when the rules are breached, provide an annual report to the government, and will be found liable for negligence if phone records are repeatedly accessed improperly.
Companies, however, must first notify law enforcement within 7 business days of discovering a breach, and then must wait a week before notifying customers whose private records may have been stolen or used fraudulently.
If customers calling in do not have or remember their passwords, then the company can only send out the records to the address listed on the account. Online accounts must also be password protected.
Chris Hoofnagle, Senior Staff Attorney at UC Berkeley's Samuelson Law, Technology & Public Policy Clinic and a former attorney at EPIC, says the order is notable for two reasons, both related to phone companies' use of phone calling records for marketing purposes.
One is the example of regulatory blowback. The industry messed up so badly on pretexting that it gave the FCC authority to go after marketing it has been bothered by.
The second thing is that the FCC decision shows they think the US West decision (1999) is vulnerable. The US West decision is a 10th Circuit case where it struck down limits on the use of Customer Proprietary Network Information for marketing based on free speech issues. Since then a lot of cases have gone the other way on the issue. So I think the FCC is acknowledging that the US West case is no longer good law and it is free to regulate marketing uses of CPNI.
Photo: Steve Ling
