Archives: Phones & Cell Phones

Consumer groups—Consumer Federation of America, U.S. PIRG, and Consumers Union and AARP — are supporting the Prevention of Fraudulent Access to Phone Records Act which will be taken up by the House Commerce Committee tomorrow morning. The legislation would require phone companies to adopt more stringent internal security procedures to protect consumers' private calling records which include some of consumers, most private information: their cell phone number, who they called, when they called, how long they talked, and more.

In preparation for tomorrow’s House Energy and Commerce mark-up on the legislation, consumer groups have submitted the following letter.

***

March 7, 2006

Dear Chairman Barton and Ranking Member Dingell:

We are pleased to support the Prevention of Fraudulent Access to Phone Records Act and thank you for your leadership in protecting the privacy of consumers' phone records.

Although the draft bill omits some important consumer provisions, importantly, it balances the need for pretexting prohibitions and tougher enforcement with the need to improve phone company safeguards to prevent pretexting before consumers' private information is released. Both are key components of a meaningful legislative solution.

Phone records include some of consumers' most private information: who they call, when they called them, how long they talked and more. The serious problem of phone record breaches will not be solved merely by prohibiting pretexting. Phone records should be closely guarded by carriers with whom consumers have entrusted their detailed calling information and consumers must be given greater control over whether and with whom those records may be shared. Carriers have a first obligation to their customers, not their joint venture partners, contractors or others.

Therefore, we applaud your efforts to protect consumers and note the following important provisions of the legislation:

Prohibitions on Pretexting and the Sale of Consumer Proprietary Network Information and Detailed Phone Records

First, the legislation explicitly prohibits pretexting to obtain customer proprietary network information. This provision will help stifle the growing commercial market for consumers' calling records. Moreover, it explicitly prohibits phone companies, their affiliates, joint venture partners and contractors from selling CPNI--information that should never be available to the highest bidder. Additionally, the bill provides for dual enforcement of pretexting violations by both the Federal Trade Commission and the Federal Communications Commission.

However, pretexting to gain access to private information should be explicitly prohibited, regardless of the industry. We remain concerned that banning pretexting to phone companies alone will result in the practice being shifted to other targets. Phone records are pretexted now, in part because Congress did not include phone companies in its pretexting ban of the Gramm-Leach-Bliley Act of 1999. Congress should close the door on pretexting and provide explicit and absolute prohibitions on the practice. We look forward to working with you to extend pretexting bans beyond financial and phone records.

Requirements for Stronger Privacy Safeguards by Phone Companies

Secondly, because the legislation requires the Federal Communications Commission to promulgate stringent regulations to help ensure that phone companies diligently protect the security of their customers' phone records, consumers will not have to rely solely on enforcement of violations. That the safeguards phone companies currently have in place are inadequate to protect consumers' privacy is demonstrated by the explosion in the unscrupulous businesses that offer to sell phone records.

Under this legislation, consumers will have greater assurances that companies are taking steps to prevent release of records before a subscriber's privacy has been violated. In particular, the bill ensures that FCC regulations will require carriers to establish security policies that address administrative, technical and physical safeguards; maintain records of requests for CPNI and how the identity of the requesting party was verified; and submit to periodic compliance audits by the FCC. We encourage to the Committee to also require the FCC to prescribe regulations regarding customer-specific identifiers, encryption and records deletion--provisions that the legislation leaves to the FCC's discretion.

Greater Consumer Control Over Detailed Calling Records

Third, the legislation provides consumers with greater control over who has access to their phone records than exists under current regulations. Currently, the FCC requires only that providers offer consumers the ability to opt-out of carrier sharing of their records. Inadequate consumer opt-out notices are frequently buried in contracts and shrouded in language that fails to accurately convey the magnitude of private information that could be shared with others. Furthermore, some subscribers have complained that even after calling the carrier to opt-out, they have encountered customer service representatives who did not know how to stop the CPNI release. By contrast, requiring that consumers affirmatively consent - or opt-in - to the sharing of their records before they are released provides stronger assurances that consumers know what they are consenting to and the implications of their consent.

Although consumers should have the ability to opt-in before their CPNI records are shared with any party, including affiliates, your legislation takes an important step in that direction. By requiring carriers to secure opt-in consent before sharing detailed customer telephone records with joint venture partners, independent contractors, and any other third party, the legislation ensures that, at a minimum, consumers' most detailed, private information is not released without their knowing consent. Though we strongly favor opt-in consent before CPNI is released to anyone, this legislation begins to close the gaps that may have fostered phone record privacy breaches.

We applaud your efforts to craft a meaningful and comprehensive legislative solution to the serious problem of phone records privacy breaches. By including both prevention and enforcement provisions, consumers will have greater assurances that their most personal information cannot be easily shared with others. We look forward to working with you toward effective, enforceable consumer privacy legislation.

Respectfully,

Jeannine Kenney, Senior Policy Analyst, Consumers Union 

Travis Plunkett, Legislative Director, Consumer Federation of America

Edmund Mierzwinski, Consumer Program Director, U.S. Public Interest Research Group 

David P. Sloane, Senior Managing Director, AARP