Illegal Sale of Phone Records
EPIC Main Resources on Phone Records
- Original FTC Complaint
- Update to the FTC
- Petition to FCC
- List of 40 Websites That Offer Phone Records (3.8 MB PDF)
- It's not just wireless phone records for sale. Some of these companies sell wireline phone logs too, others offer "Post Office Box" lookups, where the owner of a USPS or private mail box is identified for a fee. Some offer the real identities of people who use dating websites like Lavalife or Internet Service Providers like AOL.
- What You Can Do.
Top News
New Privacy Safeguards for Telephone Customers. In response to a petition filed by EPIC, the Federal Communications Commission issued rules (pdf) to protect the privacy of consumers' telephone records. The new safeguards prohibit unauthorized access to phone records, require passwords for customer accounts, require notice of any changes to account information, and establish opt-in consent before disclosing customer information. The FCC also announced a new rulemaking to consider such issues as audit trails, data retention, and safeguards for information stored in cell phones. (Apr. 3, 2007)
EPIC Testifies in Congress on Combating Pretexting. In testimony (pdf) before the House Energy and Commerce Committee, EPIC Executive Director Marc Rotenberg expressed support for H.R. 936, the Prevention of Fraudulent Access to Phone Records Act. The Act would increase privacy protections for phone records. In August 2005, EPIC petitioned the FCC to establish stronger security standards for telephone records. The FCC endorsed (pdf) EPIC's petition in February 2006, but more than a year later, there are still no clear standards for telephone record privacy. (Mar. 9, 2007)
Coalition Comments on Phone Records Security. In comments to the Federal Communications Commission, EPIC and seven consumer rights groups urged the agency to heighten standards for protecting phone records. The groups recommended a series of protections to deter unauthorized access to records, including auditing, notice to the individual when records are acquired, and greater controls over commercial use of phone records. (Apr. 28)
EPIC: NY Should Ban Pretexting. In comments to two Committees of the New York Assembly, EPIC advised lawmakers to broadly prohibit pretexting in order to protect individuals' privacy. EPIC warned that a narrow, phone-records only ban on pretexting would invite using the practice against holders of other records, such as email providers and dating services. (Mar. 13, 2006)
EPIC Testifies in CA Assembly on Pretexting. In testimony before the California State Assembly Committee on Public Safety, EPIC discussed the need for a ban on pretexting. California Senate Bill 202, currently under consideration by the Committee, would broadly prohibit buying and selling phone records, and establish criminal and civil penalties for violating privacy. (Mar. 7, 2006)
Senate and House Committees Push Laws to Protect Phone Records. The Senate and House Judiciary Committees both approved bills that would prohibit the unauthorized sale of call detail information and ban the pretexting of phone records. The House's Law Enforcement and Phone Privacy Protection Act of 2006 and the Senate's Consumer Telephone Records Protection Act of 2006 both received unanimous support. Several other bills protecting phone records are moving forward in both the House and Senate. EPIC testified before both the House (pdf) and Senate, advocating for broader bans on pretexting and stronger regulations to protect phone records. (Mar. 2, 2006)
EPIC to Attorneys: Pretexting is Unethical. In a letter sent to state ethical and professional responsibility boards, EPIC warned that there is mounting evidence that attorneys are major purchasers of "pretexting" services. Pretexting is the practice of using false pretenses to trick a company into releasing personal information. EPIC urged state boards to evaluate pretexting under ethics rules, and to issue opinions to attorneys advising them not to pretext or hire investigators who use pretexting to obtain information. (Feb. 21, 2006)
FCC Initiates Phone Records Security Rulemaking. The Federal Communications Commission has approved (pdf) EPIC's petition calling upon the agency to create heightened security protections for telephone calling records. FCC Chairman Martin said, "I support this Notice because I am deeply concerned about reports of companies trafficking in personal telephone records." You can comment on the proceeding by clicking here. Remember, anything you write will appear in the public record. (Feb. 10, 2006)
EPIC Testifies in Senate on Phone Records. In testimony (also available in pdf) before the Senate Commerce Committee, EPIC Executive Director Marc Rotenberg called for a ban on the sale of communications records, as well as a ban on "pretexting," the practice of using false pretenses to trick a company into releasing personal information. EPIC noted that in addition to phone records, the records of PO Box owners and dating service users are susceptible to unauthorized disclosure and pretexting. Rotenberg also called for limitations on the information collected and stored by communications companies, and stronger security measures for stored information. (Feb. 8, 2006)
EPIC Testifies on Pretexting and Phone Record Sales. EPIC Executive Director Marc Rotenberg testified (pdf) before the House Energy and Commerce Committee on the sale of personal phone records. EPIC called for laws that would ban pretexting (a technique used by data brokers to obtain personal information), as well as enhanced security procedures, and restrictions on the collection of customer data. "A ban on pretexting will protect consumers and make it clear to online information brokers that pretexting is unfair, deceptive, illegal, and wrong," said Rotenberg. FCC Chairman Kevin Martin and FTC Commissioner Jon Leibowitz also testified at the hearing, and urged stronger safeguards for phone records. (Feb. 1, 2006)
Introduction
Online data brokers and other companies openly advertise on the Internet that they can obtain others' phone records. For about $100, these companies will obtain all the calls made and initiated from a wireless phone, or toll calls from wireline phones. This is a dangerous and illegal practice. This information can be used by jealous spouses, stalkers, business competitors, political opponents, and others to learn about others' whereabouts and conversations. These companies sometimes offer other personal information, including medical records, banking records, and Social Security numbers.
This information is being obtained in one of three ways:
- In pretexting, one pretends to be the account holder, and gains access to the records by fooling a customer service representative. This is the most prevalent method of gaining access, because these companies have subscriptions to "commercial data broker" services that allow them to obtain account holders' Social Security numbers, mother's maiden names, and dates of birth.
- Second, some access phone records by cracking online account administration tools. Almost all phone carriers now give their customers the ability to view and pay their bill online. If this service has not been activated by the customer, the company can attempt to activate it and read the bill.
- Last, there is always the risk that the company has an "insider" at the carrier who obtains information and sells it.
What EPIC is Doing to Protect Your Phone Records
In July 2005, EPIC urged the Federal Trade Commission to investigate the companies that offer to sell phone calling records. The complaint is being considered by the FTC.
In August 2005, EPIC petitioned the Federal Communications Commission to establish greater protections for phone records. EPIC pointed out that at least 40 websites offered to sell phone records. The phone carriers have responded to our petition, and have asked the FCC to ignore our calls for greater protections. The carriers believe that enforcement actions against the data brokers are enough to stop these practices, and think that their security standards, which are easily circumvented, are sufficient.
What You Can Do
Is your account in your name? Remember that if someone else is paying for your phone, or gets the bill, that person may be able to view your phone records. It's best for you to start your own service in your own name. The people most interested in seeing your phone records are people close to you--jealous spouses/significant others, employers, and if you are a kid, your parents!
Put a password on your account. All carriers will allow you to place a password on your account to help stop others from accessing your records. Use a password that you are apt to remember, but others are not likely to know. The name of your first pet, a street you lived on, or the name of your grade school will suffice. Do not use your date of birth, mother's maiden name, or Social Security number.
Did you know that phone companies sell your records, including the numbers that you have dialed, to marketers? You can opt out of this information sale by telling your phone company that you want to "restrict" or "opt out" from all CPNI sharing.
File comments with the FCC in support of greater privacy standards for your telephone data. Our petition urges the FCC to require carriers to do a better job in protecting records. You can support the cause by writing to the FCC in support of EPIC's petition and the protections you think should be in place for phone records. Just click here and ensure "96-115" appears in the proceeding box. Remember, anything you write appears in the public record.
Previous Top News
Company Halts Phone Records Sales. In a press release, the company first identified by EPIC as selling phone records illegally claims to have discontinued the service because it "concluded that continuing to provide the service would link it to disreputable companies who do not use any safeguards to protect against the potential dangers of this service." The company also posted a guide (pdf) to protect your records against pretexting. The company still offers "Post Office Breaks," and other personal information sales. (Jan. 18, 2006)
FCC Commissioners Call for Action on Phone Records. Federal Communications Commission Commissioners Adelstein and Copps released statements today calling for swift action to address the illegal sale of telephone records. Commissioner Adelstein announced (pdf) that the agency's enforcement bureau launched an investigation into "these troublesome data brokering practices, and I support swift action against carriers that have not complied with our existing rules and procedures." Commissioner Copps announced (pdf) that, "These incidents further highlight the need to act on the petition filed by the Electronic Privacy Information Center (EPIC) on enhanced security standards for access to consumer records." (Jan. 17, 2006)
Senate Minority Leader Calls on FCC to Investigate Illegal Phone Sales. In a letter (200k pdf) to the Federal Communications Commission, Senator Harry Reid has called upon the agency to "begin an investigation into how online data brokers are obtaining Americans' private phone records, and whether phone companies are doing enough to protect the personal and private information with which they are entrusted." This letter follows numerous news reports that demonstrate the vulnerability of phone records to online data brokers, who for a fee will obtain calling logs. In July 2005, EPIC filed a complaint with the Federal Trade Commission detailing these practices, and identified 40 websites (3.8M pdf) that offered to sell phone records. EPIC also petitioned the Federal Communications Commission to require heightened protections for telephone records. (Jan. 13, 2006)
Illegal Phone Records Sales Pose Security Risks. The Chicago Police Department has warned officers that private investigators may access and sell their telephone calling records, according to the Chicago Sun-Times. EPIC has filed a complaint with the Federal Trade Commission concerning these practices, and a petition with the Federal Communications Commission to require phone companies to enhance their security safeguards. To protect your privacy, ensure that your phone account is in your name, and call your phone company to place a password on your account. (Jan. 5, 2006)
Privacy Commissioner: "Drastic Action" Needed to Protect Phone Records. Canadian Privacy Commissioner Jennifer Stoddart has called for "drastic action" to address the problem of the security of phone records, after a reporter obtained both her personal and professional phone logs through a US-based data broker. EPIC identified 40 online data brokers that sell phone records, and has filed complaints at federal agencies to rein in these companies. To protect your records, call your phone companies to place a password on your account, and opt out of the sharing or sale of "CPNI." (Nov. 16, 2005)
Phone Records Need Greater Protection. In reply comments (also available in PDF) to the Federal Communications Commission, EPIC argued that the agency needs to intervene to protect individuals' phone records from online data brokers. The reply comments respond to telephone carriers' arguments that no new security measures are needed, despite the demonstrated ease with which online data brokers can access phone records. CTIA has responded (PDF) to EPIC's reply comments. (Nov. 9, 2005)
Industry Responds to EPIC's Phone Records Petition. A number of phone carriers have urged the Federal Communications Commission to take enforcement actions against companies that sell phone records. But they oppose any regulatory intervention that would require heightened security standards. So far, Bellsouth (PDF), Verizon (PDF), Verizon Wireless (PDF), SBC (PDF) and the CTIA (PDF) have argued in favor of enforcement actions but against heightened security standards. Verisign filed comments (PDF) that included a directory interoperability standard adopted by the ITU that could increase security of phone records. Verizon Wireless is bringing suit (PDF) against companies that sell phone records. (Nov. 3, 2005)
EPIC Petitions FCC to Protect Customers' Info. EPIC has petitioned the Federal Communications Commission to initiate a rulemaking to enhance security safeguards for individuals' calling records. The petition follows a complaint concerning the illegal sale of personal information obtained from telephone carriers, and an updated filing where EPIC identified 40 websites that openly offer to obtain calling records without the knowledge and consent of the account holder. (Aug. 30, 2005)
EPIC Urges FTC to Investigate Online Data Brokers. In a complaint to the Federal Trade Commission, EPIC urged the agency to investigate online data brokers, companies that promise to sell phone calling records, the identities of people who own private mail boxes, and the identities associated with AOL Screen names, Match.com profiles, and Lavalife profiles. The complaint argues that this information cannot be obtained without violating federal law or regulations. Both the Washington Post and Wall Street Journal have reported on the filing. (Jul. 8, 2005)
Last Updated: April 6, 2007
Page URL: http://www.epic.org/privacy/iei/default.html