Your Cell Phone Records Are For Sale

Your phone records are for sale

January 5, 2006

BY FRANK MAIN Crime Reporter

The Chicago Police Department is warning officers their cell phone
records are available to anyone -- for a price. Dozens of online
services are selling lists of cell phone calls, raising security
concerns among law enforcement and privacy experts.

Criminals can use such records to expose a government informant who
regularly calls a law enforcement official.

Suspicious spouses can see if their husband or wife is calling a
certain someone a bit too often.

And employers can check whether a worker is regularly calling a
psychologist -- or a competing company.

Some online services might be skirting the law to obtain these phone
lists, according to Sen. Charles Schumer (D-N.Y.), who has called for
legislation to criminalize phone record theft and use.

In some cases, telephone company insiders secretly sell customers'
phone-call lists to online brokers, despite strict telephone company
rules against such deals, according to Schumer.

And some online brokers have used deception to get the lists from the
phone companies, he said.

"Though this problem is all too common, federal law is too narrow to
include this type of crime," Schumer said last year in a prepared
statement.

The Chicago Police Department is looking into the sale of phone
records, a source said.

Late last month, the department sent a warning to officers about
Locatecell.com, which sells lists of calls made on cell phones and
land lines.

"Officers should be aware of this information when giving out their
personal cell phone numbers to the general public," the bulletin said.
"Undercover officers should also be aware of this information if they
occasionally call personal numbers such as home or the office, from
their [undercover] ones."

Test got FBI's calls in 3 hours

To test the service, the FBI paid Locatecell.com $160 to buy the
records for an agent's cell phone and received the list within three
hours, the police bulletin said.

Representatives of Data Find Solutions Inc., the Tennessee-based
operator of Locatecell.com, could not be reached for comment.

Frank Bochte, a spokesman for the FBI in Chicago, said he was aware of
the Web site.

"Not only in Chicago, but nationwide, the FBI notified its field
offices of this potential threat to the security of our agents, and
especially our undercover agents," Bochte said. "We need to educate
our personnel about the dangers posed by individuals using this site
and others like it. We are stressing that they should be careful in
their cellular use."

How well do the services work? The Chicago Sun-Times paid $110 to
Locatecell.com to purchase a one-month record of calls for this
reporter's company cell phone. It was as simple as e-mailing the
telephone number to the service along with a credit card number. The
request was made Friday after the service was closed for the New
Year's holiday.

'Most powerful investigative tool'

On Tuesday, when it reopened, Locatecell.com e-mailed a list of 78
telephone numbers this reporter called on his cell phone between Nov.
19 and Dec. 17. The list included calls to law enforcement sources,
story subjects and other Sun-Times reporters and editors.

Ernie Rizzo, a Chicago private investigator, said he uses a similar
cell phone record service to conduct research for his clients. On
Friday, for instance, Rizzo said he ordered the cell phone records of
a suburban police chief whose wife suspects he is cheating on her.

"I would say the most powerful investigative tool right now is cell
records," Rizzo said. "I use it a couple times a week. A few hundred
bucks a week is well worth the money."

Only financial info protected?

In July, the Electronic Privacy Information Center filed a petition
with the Federal Communications Commission seeking an end to the sale
of telephone records.

"We're very concerned about Locatecell," said Chris Jay Hoofnagle,
senior counsel for the center. "This is the company that sold the
phone records of a Canadian official to a reporter 'no questions
asked.' "

Schumer has called for legislation to criminalize the "stealing and
selling" of cell phone logs. He also urged the Federal Trade
Commission to set up a unit to stop it.

He said a common method for obtaining cell phone records is
"pretexting," involving a data broker pretending to be a phone's owner
and duping the phone company into providing the information.

"Pretexting for financial data is illegal, but it does not include
phone records," Schumer said. "We already have protections for our
financial information. We ought to have it for the very personal
information that can be gleaned from telephone records."

---

› See More: Your Cell Phone Records Are For Sale

Calling customer service to set a password on your account will easily fix this issue. Passwords placed on accounts override any other verification method.

"Michael Singletary" <[email protected]> wrote in message
news:[email protected]...
> Calling customer service to set a password on your account will easily fix
this issue. Passwords placed on accounts override any other verification
method.

Probably not in this case. If the company that is getting these records in
large numbers then they probably have someone inside most of the providers
who is giving them this information. I could see it if it were one or 2 but
on a large scale would require an insider or 2 or 3. But you are correct
on the password overriding the verification.

On Sat, 07 Jan 2006 23:09:27 GMT, "Cliff" <[email protected]>
wrote:

>
>"Michael Singletary" <[email protected]> wrote in message
>news:[email protected]...
>> Calling customer service to set a password on your account will easily fix
>this issue. Passwords placed on accounts override any other verification
>method.
>
>Probably not in this case. If the company that is getting these records in
>large numbers then they probably have someone inside most of the providers
>who is giving them this information. I could see it if it were one or 2 but
>on a large scale would require an insider or 2 or 3. But you are correct
>on the password overriding the verification.

This would be something fairly complicated to pull off.

Any manager worth something to the company would check the 'call'
records of their representatives. Everything you do on company systems
is logged and is made readily available to your floor manager, via
Screen Scrape and the normal logging methods of the many different
systems one accesses. A sharp manager will notice when accounts are
being pulled up and there are no actual calls to accompany them.

I doubt an inside source would last too long before somebody picks up
on it. A lazy manager negates all of that, however.

The interesting thing in the case of this article is that a majority
of it does NOT apply to Cingular (barring an inside source). When I
worked at Cingular, we were specifically told to NOT give out call
records to anyone over the phone. If a customer called in and wanted
to know the last 20 or so numbers that they called, we would tell them
to go to Cingular.com and check that information, because we don't
have access to it. I believe this was put into place for that reason.

I guess the plus to that is if a private investigator is trying to
obtain call records from Cingular, they MUST have an inside source.
They won't be getting information from just any representative they
call up by dialing the support number.

Posted Via Usenet.com Premium Usenet Newsgroup Services
----------------------------------------------------------
** SPEED ** RETENTION ** COMPLETION ** ANONYMITY **
----------------------------------------------------------
http://www.usenet.com

"Michael Singletary" <[email protected]> wrote in message
news:[email protected]...

>
> This would be something fairly complicated to pull off.
>
> Any manager worth something to the company would check the 'call'
> records of their representatives. Everything you do on company systems
> is logged and is made readily available to your floor manager, via
> Screen Scrape and the normal logging methods of the many different
> systems one accesses.

Actually, most of this is not available for every call, especially screen
scrapes. The amount of space needed to store all activity for a 300 seat
call center would bankrupt most companies.

>A sharp manager will notice when accounts are
> being pulled up and there are no actual calls to accompany them.

What about those groups that work on accounts without call activity? Many
of these exist in a cellular company.

On Sat, 7 Jan 2006 17:04:28 -0700, "Scott" <[email protected]> wrote:

>Actually, most of this is not available for every call, especially screen
>scrapes. The amount of space needed to store all activity for a 300 seat
>call center would bankrupt most companies.

I used to think that it was an impossible feat, as well. I've seen the
tool used by managers to look up already scraped information and to
view live scrapes being recorded from representatives, as well.

>What about those groups that work on accounts without call activity? Many
>of these exist in a cellular company.

There has to be some sort of customer initiation for this sort of
thing. Representatives do not go about randomly pulling up accounts
and fixing issues with them (though this would be nice!).

There is a paper trail for every action performed on an account, and
it should be able to be traced back to a customer-initiated phone
call. If it can't be traced to that call, then there's no reason that
account should have been pulled up.

This puts most of the responsibility of the manager to notice things
like this, and I can honestly say that a majority of them would not
notice things like this.

The time needed for an inside operator to perform these 'jobs' would
definitely be suspicious to anyone, though. I don't see how they could
have the time to do it. Constantly asking for time to be off the
phones would make any manager wonder what they're doing, and would do
the same for the operations team, which approves all of these 'offline
requests.'

I'm sure it can be done, but I would think that it would need some
level of cooperation with management, and can't be pulled off by a
care representative alone.

Posted Via Usenet.com Premium Usenet Newsgroup Services
----------------------------------------------------------
** SPEED ** RETENTION ** COMPLETION ** ANONYMITY **
----------------------------------------------------------
http://www.usenet.com

Andy wrote:
> Your phone records are for sale

Let someone pull up the records for Homeland Security Secretary Michael
Chertoff and see how fast this security hole is plugged. <snicker>

On Sun, 08 Jan 2006 00:20:55 GMT, DecaturTxCowboy
<DTC@boogie_boggie.blog> wrote:

>Andy wrote:
>> Your phone records are for sale
>
>Let someone pull up the records for Homeland Security Secretary Michael
>Chertoff and see how fast this security hole is plugged. <snicker>

You know.. that's what I find interesting. The only reason this
article was ever written was because it was affecting law enforcement
and the government in some way. I'm quite sure that this has been
going on for some time with consumers, but now that the police and
government are involved it must be stopped.

Where's the care for the public as a whole?

Oh, and what do they have to hide on their personal cell phone records
that I don't, for example? These ARE personal phones, right? You would
think that those tasked with keeping us safe from terrorists are using
some sort of secure and encrypted communication medium, and not
something commercially available to the mass-market, consumer level.

Cell phones are an item that have proven continually insecure for
consumers.. much less public safety officials.

"Michael Singletary" <[email protected]> wrote in message
news:[email protected]...
> On Sat, 7 Jan 2006 17:04:28 -0700, "Scott" <[email protected]> wrote:
>
>>Actually, most of this is not available for every call, especially screen
>>scrapes. The amount of space needed to store all activity for a 300 seat
>>call center would bankrupt most companies.
>
> I used to think that it was an impossible feat, as well. I've seen the
> tool used by managers to look up already scraped information and to
> view live scrapes being recorded from representatives, as well.

It is impossible- I work with the tools you are talking about quite
extensively. EVERYTHING is not recorded, although it's good to see a
comapny scare their employees into thinking it is.

>
>>What about those groups that work on accounts without call activity? Many
>>of these exist in a cellular company.
>
> There has to be some sort of customer initiation for this sort of
> thing. Representatives do not go about randomly pulling up accounts
> and fixing issues with them (though this would be nice!).
>
> There is a paper trail for every action performed on an account, and
> it should be able to be traced back to a customer-initiated phone
> call. If it can't be traced to that call, then there's no reason that
> account should have been pulled up.

Letters are received with issues, emails are received with issues,
salespeople are contacted..... it is not as simple as you portray it.

>
> This puts most of the responsibility of the manager to notice things
> like this, and I can honestly say that a majority of them would not
> notice things like this.
>
> The time needed for an inside operator to perform these 'jobs' would
> definitely be suspicious to anyone, though. I don't see how they could
> have the time to do it. Constantly asking for time to be off the
> phones would make any manager wonder what they're doing, and would do
> the same for the operations team, which approves all of these 'offline
> requests.'

Again, you are assuming that everybody who touches an account is 'on the
phones'. This is far from the case.

If you can get SprintPCS/Nextel customer records, it's an express
violation of Sprint's Privacy Policy
(http://www.sprint.com/legal/sprint_privacy.html).

"Sprint Nextel does not disclose CPNI outside Sprint Nextel or its
authorized agents without customer consent except as required or allowed
by law."

"CPNI" = Customer Proprietary Network Information, which includes "call
detail records".

I wonder what the remedy is for violation of of a privacy policy. An
apology?

Do I smell a class action lawsuit in the making?

Well, like in any lawsuit, to get damages you have to prove injury. If
you can show that the disclosure of the call records caused you
physical, emotional or financial harm you may get compensation. A class
action lawsuit would greatly enrich the attorneys (if they reached a
settlement) and probably give the class members a statement of no
admission of wrongdoing, an assurance to continue to abide by the
privacy policy and maybe - just maybe - a certificate redeemable for a
free ringtone download or other meaningless concession.

From:[email protected]
[email protected]

> If you can get SprintPCS/Nextel customer records, it's an express
> violation of Sprint's Privacy Policy
> (http://www.sprint.com/legal/sprint_privacy.html).
>
> "Sprint Nextel does not disclose CPNI outside Sprint Nextel or its
> authorized agents without customer consent except as required or
> allowed by law."
>
> "CPNI" = Customer Proprietary Network Information, which includes
> "call detail records".
>
> I wonder what the remedy is for violation of of a privacy policy. An
> apology?
>
> Do I smell a class action lawsuit in the making?

Originally Posted by BruceR

Well, like in any lawsuit, to get damages you have to prove injury. If
you can show that the disclosure of the call records caused you
physical, emotional or financial harm you may get compensation. A class
action lawsuit would greatly enrich the attorneys (if they reached a
settlement) and probably give the class members a statement of no
admission of wrongdoing, an assurance to continue to abide by the
privacy policy and maybe - just maybe - a certificate redeemable for a
free ringtone download or other meaningless concession.

From:[email protected]
[email protected]

> If you can get SprintPCS/Nextel customer records, it's an express
> violation of Sprint's Privacy Policy
> (http://www.sprint.com/legal/sprint_privacy.html).
>
> "Sprint Nextel does not disclose CPNI outside Sprint Nextel or its
> authorized agents without customer consent except as required or
> allowed by law."
>
> "CPNI" = Customer Proprietary Network Information, which includes
> "call detail records".
>
> I wonder what the remedy is for violation of of a privacy policy. An
> apology?
>
> Do I smell a class action lawsuit in the making?

Cingular has the same policy. Which by the way is true for customers but also our sales agents. A caller can get little or no information on an account, call records, autopay information etc. In addition Cingular has a Subpoena Compliance department where all such requests from law enforcement are directed.

BruceR wrote:
> Well, like in any lawsuit, to get damages you have to prove injury.

You'd also have to prove that the carrier sold the records in the first
place, if you were to go after them for a privacy violation.

--
Steve Sobol, Professional Geek 888-480-4638 PGP: 0xE3AE35ED
Company website: http://JustThe.net/
Personal blog, resume, portfolio: http://SteveSobol.com/
E: [email protected] Snail: 22674 Motnocab Road, Apple Valley, CA 92307

[email protected] wrote:
>
> If you can get SprintPCS/Nextel customer records, it's an express
> violation of Sprint's Privacy Policy
> (http://www.sprint.com/legal/sprint_privacy.html).
>
> "Sprint Nextel does not disclose CPNI outside Sprint Nextel or its
> authorized agents without customer consent except as required or allowed
> by law."
>
> "CPNI" = Customer Proprietary Network Information, which includes "call
> detail records".
>
> I wonder what the remedy is for violation of of a privacy policy. An
> apology?
>
> Do I smell a class action lawsuit in the making?


Uh....

> "Sprint Nextel does not disclose CPNI outside Sprint Nextel or its
> authorized agents without customer consent except as required or allowed
> by law."

"....except as allowed by law" is pretty broad.

All this says is that Sprint/Nextel will not knowingly break the law.
As a privacy policy, it's meaningless.

So, is it a direct corollary of this assertion is that, with customer
consent, Sprint Nextel will disclose CPNI in violation of the law?

Richard

That would be best if the proof were there but you might not need to
even prove they sold them. You could contend that they were grossly
negligent in failing to secure them even if they were stolen or leaked.
If they were stolen rather than sold then the settlement might not be so
rich - they'd give you something worth even less than the ringtone.

From:Steve Sobol
[email protected]

> BruceR wrote:
>> Well, like in any lawsuit, to get damages you have to prove injury.
>
> You'd also have to prove that the carrier sold the records in the
> first place, if you were to go after them for a privacy violation.
>
> --
> Steve Sobol, Professional Geek 888-480-4638 PGP: 0xE3AE35ED
> Company website: http://JustThe.net/
> Personal blog, resume, portfolio: http://SteveSobol.com/
> E: [email protected] Snail: 22674 Motnocab Road, Apple Valley, CA
> 92307