|
What's Holding Up a Pretexting Law
The HP spying
scandal has shown why federal legislation is needed to crack down on data
thieves who impersonate people to get their personal information. So why are
advocates of the law still getting a busy signal on Capitol Hill?
By Kristina Dell
Time Magazine
October 18,
2006
In the immediate
aftermath of the revelations of the Hewlett-Packard spying scandal, outraged
legislators on Capitol Hill promised to do something about the evils of
pretexting — the shady practice of impersonating someone to obtain that
individual's personal information that was at the center of the company's
efforts to eavesdrop on journalists and board members. For the moment, however,
it appears that all the tough talk, as is so often the case in Washington, will
remain just talk.
This year states have passed laws of varying strength banning the practice —
California recently became the 15th one, although the bill won't take effect
until January — but the feds have been slow to follow suit. In the absence of a
national law, the five people connected to the H-P case were indicted under
California state fraud statutes, but their lawyers are expected to challenge
whether these even cover pretexting; the statutes would have to be interpreted
expansively to do so, and one attorney looking at whether California even has
jurisdiction over his client.
To avoid such loopholes and create a clear standard, lawmakers, phone company
executives and regulators have stressed how important it is to adopt federal
legislation against pretexting, but party turf wars and special interests will
likely prevent this from happening anytime soon. "It's mind boggling to me how
all the parties in February said they would have a bill to the President soon
and it hasn't happened yet," said Robert Douglas, an information security
consultant who runs PrivacyToday.com. "To pass a bill saying it's a crime to get
someone's phone records through deceit is a simple issue." Here's a look at the
players, the interests and why it hasn't been simple at all.
Why a new law is necessary
Clearly there's some confusion in this area as to what's legal and what's not
when it comes to pretexting — just ask the Hewlett-Packard lawyers. In addition
to the states which have anti-pretexting laws, general fraud statutes may cover
pretexting, but those statutes don't specifically refer to the practice and they
require proving intent and financial damages, a bar prosecutors often can't
meet.
Winning these kinds of cases can be difficult, says Robert Gellman, a
Washington-based privacy consultant, because "with most privacy suits it's hard
to prove you were actually damaged if you didn't lose your job or if it (the
violation) didn't cost you money. It's not enough to show you were upset."
Currently, the Federal Trade Commission has authority to bring suits, but they
can only issue injunctions to stop the behavior and sue for illegitimate
profits. There's also ambiguity as to whether individuals or phone companies own
personal records, so individuals may have a hard time demonstrating standing to
bring a suit. To remedy that, several of the bills before Congress would let
individuals and companies initiate suits, and provide punishment of stiff fines
and penalties of up to 10 years in prison. An anti-pretexting law would also ban
the data brokers who practice pretexting from advertising their services, making
it harder for them to create a business out of it.
Congressional Jockeying
The House Committee on Energy & Commerce had their own dig at party politics at
the recent hearings, displaying a mock vintage movie poster featuring Scarlet
and Rhett's classic pose with the caption "H.R. 4943 Gone with the Wind." (You
have to be a Congressional aide to appreciate the humor.) They were referring to
the Committee's pretexting bill, Prevention of Fraudulent Access to Phone
Records Act, which they approved last May only to see it disappear from the
docket when it was time for a floor vote.
Committee member Representative Jan Schakowsky believes the anti-pretexting bill
was delayed "because of the Administration's concerns that maybe they were using
the tactic themselves," says her spokesperson. Democrats speculated about a link
to the National Security Administration's controversial warrant-less wiretapping
program. An Intelligence Committee spokesman tells TIME that the bill was
initially pulled because of "national security concerns" they wanted addressed,
but once those issues were raised they had no problems with the bill. Don Weber,
a spokesman for the NSA, told TIME, "Given the nature of the work we do, we do
not discuss actual or alleged operational issues as it can provide those wishing
to do harm to the United States insight that could potentially place Americans
in danger. However, it is important to note that the NSA takes its legal
responsibilities seriously and operates within the law."
During the H-P testimony Committee chairman Representative Joe Barton indicated
there was a "good chance" they would pass the pretexting legislation that day —
the end of the hearings and the final Congressional session. (Members then left
to campaign for the midterm elections and won't return until November.) No such
luck. Aides to Representative Edward Markey and Senator Bill Nelson said that
late in the day Barton's staff drafted an exception to the bill for
"intelligence gathering purposes." The Democrats wouldn't approve it because the
exception was too broad and raised too many questions at that late hour,
according to an aide from Representative Markey's office.
"People don't mind law enforcement getting people's phone records if they go
before a judge and say why they need them," said the aide. We just don't want a
carte blanche exception that allows for phishing expeditions." According to
Larry Neal, House Energy and Commerce Committee deputy staff director, a
proposal with an exception for intelligence gathering was offered to Democrats.
"They said no. The result is that they have something to complain about instead
of something to legislate."
Why the House bill is not a slam-dunk
Not surprisingly, the powerful phone companies don't favor the House's
pretexting bill because of its broad (and still vague) requirements that they
implement new security measures for access to customer records and file regular
reports of any suspicious activity. Phone carriers would be fined if they don't
comply, and they insist they already have every motivation to continuously
update their methods to keep data safe. As an alternative, they support other
stalled bills that have emerged from the House and Senate Judiciary Committees,
which outlaw pretexting, but nothing more.
"It seems like they're penalizing the wrong parties here," said Jeffrey Nelson,
spokesman for Verizon Wireless. "The problem is the pretexters. Requiring the
phone companies to report what they're doing makes the assumption that companies
don't have every reason to go after these people. Why create another
bureaucratic layer that won't really solve the problem and takes a lot of time
and resources to do?" The bill would also make it harder for phone companies to
give out customer data for marketing purposes; in order to share any information
that lists phone numbers and a time log of calls, they would have to get
explicit permission from customers — the so-called opt-in approach — instead of
the current opt-out method where they can largely do what they like with the
information unless a customer expressly forbids it.
Many private investigators aren't crazy about the bill either. While most
support pretexting laws, they would like some wiggle room to track down deadbeat
dads, creditors and others trying to shirk the law. For instance the 1999 Gramm-Leach
Bliley Act prohibits pretexting specifically to obtain financial information,
but it includes an exception for insurance companies investigating fraud to make
sure claims are accurate. Private investigators would like a similar exception
to help them catch bad actors. "The anti-fraud interests are very strong," said
Chris Hoofnagle, senior staff attorney with the Samuelson Law, Technology, and
Public Policy Clinic at U.C. Berkeley School of Law.
Most Hill staffers believe it's unlikely that the pretexting legislation will
pass during the "lame duck" session of Congress, which happens in November when
the members return from campaigning. Other issues and distractions will probably
grab center stage, which means another bill will have to be introduced during
the start of the new Congress in January; a change in leadership could further
complicate matters. For now, it looks like the most we can expect is more
hearings in January, when the only thing we know for sure is that politicians
will make bold new promises to crack down on pretexting. |
|