Shining new light on the issue of wireless privacy, the state of California has filed a US$10 million lawsuit against a firm that sells cell phone numbers.
State officials filed suit Tuesday in San Diego Superior Court against Florida-based Data Trace USA, claiming the company misrepresented how it would use the data it purchased from telecom companies, a practice known as “pretexting,” a form of social engineering.
The state is alleging the firm engaged in unfair business practices and false or deceptive advertising, and also violated state laws that guarantee the privacy of such records — aside from narrow exceptions giving law enforcement access under certain terms.
California is the second state to take action against Data Trace. Missouri filed a similar complaint about a month ago. A number of private suits have been filed as well, with Sprint-Nextel and T-Mobile among those taking action to stop the practice.
Attorney General Bill Lockyer said the enforcement action stems from a continuing investigation into the sale of cell phone records. Data Trace obtained records under false pretenses, he said, sometimes claiming to be the cell phone customer or an agent of the customer, in order to trick phone companies into disclosing call records.
“Data Trace has used fraudulent means to commit outrageous invasions of privacy against California cell phone users,” Lockyer said. “Unfortunately, this company is not alone. These shady operators are increasing in number.”
Once obtained, the records were made available for sale on the Internet and through other means, the complaint alleges.
“I’m committed to vigorously fighting this growing threat to privacy,” Lockyer added. “Californians’ privacy is not for sale. They have a right to expect that their confidential cell phone call records remain just that — confidential.”
As part of their investigation, agents purchased cell phone records of a deputy attorney general through Data Trace, paying $220 for a lengthy recounting of calls, the times they were made and their duration, Lockyer said.
Such records are often purchased by private investigators or individuals seeking to check up on a partner or acquaintance and could have disastrous consequences, the attorney general noted.
Attempts to reach Data Trace USA for comment were unsuccessful. As of Wednesday morning, the company’s Web site was replaced with a note saying the page was unavailable.
The action comes as more attention is being focused on the issue of mobile privacy.
Earlier this month, a bill moved forward in the U..S. Congress that would outlaw the practice of obtaining and selling both mobile and traditional telephone numbers and related information. The bill would require telecommunications carriers to obtain permission from customers before sharing information on them with their business partners or disclosing cell phone numbers.
In fact, this week saw the House Energy and Commerce Committee advance a bill that included an amendment to specifically target the practice of pretexting.
Congressman Joe Pitts, a Pennsylvania Republican, said the attachment to a larger bill that limits phone companies’ ability to resell phone numbers and other private information is meant to forbid the sale of mobile phone records without the customer’s approval.
“The American people deserve to know once and for all whether or not their cell phone numbers are going to remain private,” Congressman Pitts said. “My legislation lets consumers decide whether or not they want their number made available to anyone who wants it.”
The Federal Communications Commission (FCC) has also backed legislation that would ban outright any commercial sale of phone records.
The Electronic Privacy Information Center (EPIC) began calling on regulators and lawmakers to take action on the pretexting practice almost a year ago.
Attempts by the FCC to handle the practice by targeting known brokers — and shutting many down in the process — are not effective due to the scope of the problem, said Chris Hoofnagle, senior counsel at EPIC.
“Existing carrier practices and regulations are inadequate to stop this trade in personal information,” he maintained. “Intervention is necessary to enhance security standards and authentication standards.”