Congress, FCC: Carriers Must Get CPNI Act in Order!
John Guerra
03/01/2006
Capitol Hill lawmakers, even as they urge the White House to respect Americans’ privacy, discovered in January that the phone records of wireless subscribers are available in the online market for as little as $89. Dozens of companies—such as phone.bust, datafind.org, locatecell.com, celltolls.com and First.Source—obtain call logs assigned to specific cell phone numbers. Those companies get the info from “pretexters,” who pretend to be a wireless customer and dupe carriers into giving them the information. Phone.bust and other companies then sell it to whoever has the money and an Internet connection.
The companies sell what once took a court order to obtain: a list of phone numbers the cell phone owner calls in a day, a week, a month—up to a year. One company, celltolls.com, promises “outgoing calls made from the most recent (or requested) billing period, including dates and calls made,” with results available as soon as an hour.
To obtain originating, terminating, call duration or date and time of call information, also known as customer proprietary network information (CPNI), scam artists go to great lengths: posing as someone else, hacking into customer-care Web sites run by the phone companies or paying someone working for the phone company.
Although it is against the law to obtain financial information by posing as someone else, it’s not illegal to pose as someone else to obtain calling records. Not yet, anyway.
After the Chicago Police Department in December warned its undercover agents about a scam that lets ex-spouses, stalkers and criminals obtain victims’ phone records from wireline, wireless and VoIP providers, Washington officials jumped into action.
At least two bills have been introduced in the House and Senate making pretexting and the sale of CPNI illegal. Meanwhile, the FCC announced its intention to write new rules governing the collection, storage and dissemination of customer information by carriers, adding that it will adopt most ideas in an Electronic Privacy Information Center (EPIC) petition to the FCC.
The Cellular Telecommunications & Internet Association (CTIA), while agreeing with the mission of protecting subscriber privacy, believes the EPIC guidelines go too far.
One thing’s certain: by the time Congress, the FCC and EPIC are finished with their efforts, pretexting and marketing private call records will be illegal, and the rules carriers have been required to follow are about to become more stringent. Here’s a quick roundup of recent action on pretexting law and the handling of CPNI:
• Sen. Charles Schumer (D-N.Y.) has already introduced bills making the sale of customer phone records illegal. Schumer’s bill, the Consumer Telephone Records Protection Act of 2006, is backed by Sens. Arlen Specter (R-Pa.) and Bill Nelson (D-Fla.). The bill (S. 2178) would criminalize the practice of both stealing and selling call records for cell phone, landline and VoIP subscribers. It also would make it illegal to access a customer account on the Internet without the customer’s authorization and to provide false documentation to a telephone service provider knowing that the document is false.
• The Phone Records Protection Act of 2006 (S. 2177) introduced by Sen. Richard Durbin (D-Ill.) would make it illegal to transfer personal information from cell phone companies to online phone record brokers. It provides jail time—up to 10 years in prison—for those found guilty of violating phone users’ privacy. Durbin also wants the Senate Judiciary Committee, of which he is a member, to hold hearings and wants the FCC and FTC to launch investigations.
• On Jan. 10, the FCC announced a Notice of Proposed Rulemaking, seeking comment on which, if any, additional security measures would protect CPNI and the kinds of weaknesses that exist in carrier back-office systems or accounting systems that make it easy for records to be accessed.
In response to that notice, EPIC petitioned the FCC to undertake stronger security measures to protect CPNI, and the commission says it will adopt some of them. They include the use of passwords set by consumers; building audit trails that record all instances when a customer’s records have been accessed, whether information was disclosed, and to whom; encryption by carriers of stored CPNI; limits on data retention; requiring the deletion of call records when they are no longer needed; notifying customers when their records may have been breached; and other technical suggestions to block leaks.
Whether telecom carriers like it or not, they are at the center of the privacy problem. The FCC for years has had CPNI rules designed to protect the privacy of phone customers, but apparently phone companies themselves are responsible for customer information reaching the street. Telecom carriers have always played fast and loose with customer information, regardless of their claims to the contrary. They regularly sell customer name, address and phone number information to large telemarketing firms in a thinly defined relationship in which the phone companies then turn around and sell a special service to their customers to block unwanted telemarketing calls.
Carriers also maintain those lists of customer information for their own telemarketing efforts, but they hire third-party call centers that work from the customer phone number lists that they supply.
Portions of the Telecom Act already mandate network security devices and processes to prevent customer call information from making it out of the phone company’s possession. Some carriers haven’t enacted CPNI rules from three years ago, such as the requirement that carriers install firewalls. “Instead, these records are blazing all over the Internet, available on numerous websites even as we issue this notice,” writes FCC Commissioner Jonathan S. Adelstein. Another CPNI rulemaking that deals with giving phone records to telemarketers and other third parties has been stalled.
Carriers have failed to update their privacy certification on time this year; each year carriers must certify that they are protecting CPNI and make the certification documentation available to the FCC and the public upon request. When the Commerce Committee asked the top carriers for their certifications in late January, five did not adequately respond, the FCC says.
In an indication of how seriously the commission is playing the game, those five carriers now face $100,000 fines for failing to produce the CPNI certification documents.