FTC takes aim at underground information trafficking
June 24, 1999
by Kim S. Nash
(IDG) -- The underground market in personal information is like any other: It has buyers, sellers and suppliers of raw material.
The buyers include lawyers and employers, who want financial and medical data about litigants, employees or job applicants. The sellers are "information brokers," who use a variety of tricks -- most of them legal, some legally hazy -- to obtain those personal details.
And who supplies the raw material? Corporate employees who have been duped into divulging the salaries, bank balances and medical histories held in customer information systems.
The data traffickers use a technique known as "pretext calling." That's when a broker telephones a bank, for example, and impersonates a customer to get information about his account. Armed with details such as Social Security number and address, the broker persuades customer service agents to reveal more valuable nuggets.
As one data dealer advised in a recent online post: "You can't be afraid to play roles and place yourself in positions of getting caught. ... You can always hang up."
But the Federal Trade Commission calls the ruse illegal and is cracking down. In an April lawsuit against Denver data broker Touch Tone Information Inc., the agency said the practice is deceptive, unfair and "a particularly pernicious invasion of consumers' privacy."
FTC officials set up a sting, recording a pretext call allegedly from Touch Tone to Bank One Corp. in Chicago, seeking -- and gaining -- customer account information that was later sold.
"We caught them on tape lying to a federally insured bank to obtain financial information. And the trafficking is the unfair part," said David Medine, an FTC official on the case.
In the information underground, facts are compiled in databases, sometimes transferred to clients electronically or sold on the Internet. Hundreds of information brokers advertise online and on Web chat boards and e-mail listservs are full of deal-making traffic.
Certainly not all information dealers are underhanded. Most probably don't break any laws, agreed both privacy advocates and brokers. And the strength of the FTC's legal case is unclear.
Touch Tone filed court papers last month that said the FTC doesn't have authority to pursue the case because, among other reasons, the agency is charged with protecting consumers and a bank isn't a consumer. Touch Tone also said it shouldn't be blamed if banks give out "confidential information by virtue of a telephone call, without adhering to its security protocols."
Last month, the American Bankers Association in Washington met with local bankers to warn them that pretext calling is growing -- and banks could be held liable if customer information is revealed in error.
"Bank employees who release information risk penalties or legal action by their employer, the government and the customer," a spokeswoman for the trade group said. "We say, take this issue seriously."
Information brokers often use public databases such as court rulings or motor vehicle records to get started on a search about someone. They then use that routine data to concoct ruses to get more sensitive information from other sources.
The same techniques work for people seeking private medical data, said Rob Douglas, CEO of American Data Protection Services Inc. in Alexandria, Va.
A pretext caller with a search target's name, date of birth and Social Security number can easily call a hospital and pretend he's filling out forms for a new insurance policy. Insurers often ask applicants for prior medical history.
Companies are easily deceived, and a big problem is that some don't separate sensitive data from routine customer records, said Bob Campbell, managing director at Alpine Computer Systems, a security and privacy consulting company in Woodbridge, Va.
What's needed are multilevel access controls. "I've gone into organizations where all the personal information regarding a customer -- financial or insurance data, for example -- is available to all the employees that have any role in [customer] service," Campbell said.
Meanwhile, as the Touch Tone case progresses, company owners James and Regana Rapp agreed to stop pretext calling but "do not admit to any of the actual allegations," said their lawyer, Jim Butera, at Butera & Andrews in Washington.
Butera wouldn't say whether the Rapps are still in business and advised his clients not to do interviews.
To help Touch Tone fight the government and to defend pretext calling, brokers have formed a lobbying group that raises money by charging customers an extra $5 per search.
"Pretext is just a technique to mine data," said Lee Wind, a founder of the Coalition to Amend the Financial Information Privacy Act, in Mamaroneck, N.Y. "It is done very specifically and in all the cases, at least by the scrupulous brokers, for what we consider to be justifiable legal purposes."
The practice isn't wrong, in part because many brokers use it for good causes, such as to track down withheld child-support money or divorce settlements, he said.
Wind, an information broker in New York, co-founded the coalition last year to combat a bill pending in Congress that would outlaw obtaining someone's financial information under false pretenses. A vote on H.R. 30 is expected this year.
The FTC's Medine declined to say if the agency plans to pursue other information brokers. But he added, "If I were trafficking illegally in medical or financial information, I would not rest easy."
Aside from written -- and enforced -- policies against customer information leaks, companies can use technology and common sense to help guard against data seepage.
Profile: Jane Doe
For $750, Computerworld hired an information broker to create a profile of our subject, whose name and complete Social Security number have been omitted to preserve what little privacy she has left. The following sampling of data, however, is real:
Date of birth: 6/22/53
Social Security number: 102-XX-XXXX
Cars: 1997 Lexus ES300, 1992 Lexus LS400, 1982 Toyota Cressida, 1986 Chevrolet C10 pickup truck (all cars traced to Doe are registered to her husband, whose Social Security number and date of birth were also recovered)
Cost of house: $218,500
Amount financed: $196,650
Annual real estate taxes: $3,782
House description: Four bedrooms, two-and-a-half bathrooms, two fireplaces, on 1.3 acres
Next-door neighbors: The Capones on one side, Stephen Pope on the other
Criminal record, driving tickets, liens, bankruptcies: None
Source: Ferguson Investigation Agency, Dumas, Ark.
California governor orders agency not to sell confidential wage information
RELATED IDG.net STORIES:
FTC files suit against information broker
Federal Trade Commission
|Back to the top||
© 2001 Cable News Network. All Rights Reserved.|
Terms under which this service is provided to you.
Read our privacy guidelines.