Caslon Analytics note: Pretexting
US

This page considers pretexting in the USA.

     introduction

In the US, federal law prohibits pretexting for financial information but, prior to 2007, did not specifically ban the practice in relation to phone records or forbid online sale of phone records. Carriers are required by the Telecommunications Act of 1996 to protect Customer Proprietary Network Information (CPNI) and have accordingly claimed on occasion that they are victimised by pretexters.

EPIC commented that

Banning the commercial sale of private consumer information is a necessary complement to banning pretexting, as it would "dry up the market" for illegally obtained telephone records. Such a prohibition would also allow consumers and consumer protection agencies to go after those who advertise privacy-invasive services without having to prove the specific techniques that the data brokers have used.

Section 6821 of the Gramm-Leach-Bliley Act (15 USC) makes it a crime to commit pretexting against a financial institution, broadly defined under the Act, but does not provide for private action: enforcement is a federal responsibility. The FTC has initiated a handful of enforcement actions under that Act, notably against a Canadian company, generally resulting in administrative penalties. Critics have accordingly argued that federal legislation must specify that pretexting to obtain mobile phone records - or other records where there is no financial loss - is just as serious as pretexting for financial data.

Supporters of the pre-2007 US regime noted that breaking into online accounts violates the Computer Fraud & Abuse Act (18 USC 1030), although a caution is supplied in Jennifer Granick's 2006 article 'Faking It: Calculating Loss in Computer Crime Sentencing'. It has been argued that pretexting that deceives network operators to provide 'private' information violates the Wire Fraud Act (18 USC 1343).

In 2007 the federal Telephone Records & Privacy Protection Act of 2006 (TRPPA) came into force, providing up to 10 years imprisonment for anyone who pretends to be someone else, or otherwise employs fraudulent tactics, to persuade phone companies to hand over what is supposed to be confidential data about customers' calling habits. There have been proposals for phone and internet providers to implement new safeguards against unauthorized access to their customers' records, with provision for consumers to sue those who manage to secure their records without permission.

The legislation was underpinned by FCC rules in April 2007 that require landline and mobile phone network operators to adopt safeguards to protect personal telephone records from being disclosed to unauthorised people. Carriers are prohibited from releasing (over the phone or online) sensitive personal data such as call detail records unless the customer provides a password.

The carriers are also required to notify customers immediately when changes are made to their account and to notify customers in the event of a breach of confidentiality. Those carriers must annually certify compliance with the rules, inform the FCC of any action they have taken against data brokers and provide a summary of complaints received regarding unauthorised release of personal customer information. They are also required to notify law enforcement agencies before customers when breaches are suspected.

An industry spokesperson, critical of restrictions on telcos providing marketers with customer information, sniffed that "this is an extremely anticonsumer outcome".

     practice

There have however been no definitive cases regarding pretexting in relation to the pre-2007 enactments or the FTC's broader power to prevent "unfair, deceptive or fraudulent business activities", including anti-phishing cases highlighted here.

The weakness of US privacy law means that data brokers can buy and mine a wealth of private consumer information such as

  • magazine subscription details
  • recent purchase information
  • travel records
  • name, address, birth date and Social Security number

from credit reporting agencies, retailers, publishers and other companies. That information can be aggregated with public and quasi-public information from -

  • state and local government agencies (including land registries and offender registers)
  • phone books
  • professional and other directories
  • personal and corporate sites.

     studies

Points of entry to the literature include -

  • Flora Garcia's 2007 'Data Protection, Breach Notification and the Interplay between State and Federal Law: The Experiments Need More Time' in 17 Fordham Intellectual Property, Media & Entertainment Law Journal (Spring 2007), 693-726
  • Anthony White's 2005 'The Recognition of a Negligence Cause of Action for Victims of Identity Theft: Someone Stole My Identity, Now Who is Going To Pay For It?' in 88 Marquette Law Review, 847-866
  • Sarah Ludington's 2006 'Reining in the Data Traders: A Tort for the Misuse of Personal Information' in 66 Maryland Law Review, 140-192


version of April 2007
© Bruce Arnold