phone records for sale.

Steven M. Bellovin smb at cs.columbia.edu
Fri Jan 6 13:46:40 EST 2006


In message <87sls1s1k6.fsf at snark.piermont.com>, "Perry E. Metzger" writes:
>
>The Chicago Sun Times reports that, for the right price, you can buy
>just about anyone's cell phone records:
>
>http://www.suntimes.com/output/news/cst-nws-privacy05.html
>
>Quite disturbing.

Yes, but it's also bad reporting -- the newspaper neglected to call the 
cell phone companies and ask what their privacy policies are.  What 
happened may have been 100% legal and explicitly permitted by law...

18 USC 2702(a)(3) says

	a provider of remote computing service or electronic 
	communication service to the public shall not knowingly 
	divulge a record or other information pertaining to a 
	subscriber to or customer of such service (not including 
	the contents of communications covered by paragraph (1) or (2)) to 
	any governmental entity.  

18 USC 2702(c) says

	A provider described in subsection (a) may divulge a record or
	other information pertaining to a subscriber to or customer of
	such service (not including the contents of communications
	covered by subsection (a)(1) or (a)(2)) ...

	(6) to any person other than a governmental entity.

See http://www4.law.cornell.edu/uscode/html/uscode18/usc_sec_18_00002702----000-.html
for the full text.

The first time I read that last clause, I couldn't believe it; I
actually went and looked up the legislative history.  I found that
Congress wanted to permit sale for marketing or financial reasons, but
wanted to limit the power of the government.  (The Supreme Court had
ruled previously that individuals had no expectation of privacy for
phone numbers they'd dialed, since they were being given voluntarily to
a third party -- the phone company.)

If the phone companies are not giving it out voluntarily, perhaps
they're being tricked or perhaps they have corrupt employees.  From my
experience, one way you authenticate yourself to a cell phone company is
by social security number, and those aren't exactly hard to find.  That
possibility suggests using stronger authentication, but of course that
gets in the way of customer service for the 99.99% of queries that are
legitimate.  (I've had to call my company from abroad, more than once,
on fairly urgent matters.  I had no easy access to, say, my last bill.)

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com


