OT: Your phone records are for sale

phone records are for sale

January 5, 2006

BY FRANK MAIN Crime Reporter

The Chicago Police Department is warning officers their cell phone records are available to anyone -- for a price. Dozens of online services are selling lists of cell phone calls, raising security concerns among law enforcement and privacy experts.

Criminals can use such records to expose a government informant who regularly calls a law enforcement official.

Suspicious spouses can see if their husband or wife is calling a certain someone a bit too often.

And employers can check whether a worker is regularly calling a psychologist -- or a competing company.

Some online services might be skirting the law to obtain these phone lists, according to Sen. Charles Schumer (D-N.Y.), who has called for legislation to criminalize phone record theft and use.

In some cases, telephone company insiders secretly sell customers' phone-call lists to online brokers, despite strict telephone company rules against such deals, according to Schumer.

And some online brokers have used deception to get the lists from the phone companies, he said.

"Though this problem is all too common, federal law is too narrow to include this type of crime," Schumer said last year in a prepared statement.

The Chicago Police Department is looking into the sale of phone records, a source said.

Late last month, the department sent a warning to officers about Locatecell.com, which sells lists of calls made on cell phones and land lines.

"Officers should be aware of this information when giving out their personal cell phone numbers to the general public," the bulletin said. "Undercover officers should also be aware of this information if they occasionally call personal numbers such as home or the office, from their [undercover] ones."

Test got FBI's calls in 3 hours

To test the service, the FBI paid Locatecell.com $160 to buy the records for an agent's cell phone and received the list within three hours, the police bulletin said.

Representatives of Data Find Solutions Inc., the Tennessee-based operator of Locatecell.com, could not be reached for comment.

Frank Bochte, a spokesman for the FBI in Chicago, said he was aware of the Web site.

"Not only in Chicago, but nationwide, the FBI notified its field offices of this potential threat to the security of our agents, and especially our undercover agents," Bochte said. "We need to educate our personnel about the dangers posed by individuals using this site and others like it. We are stressing that they should be careful in their cellular use."

How well do the services work? The Chicago Sun-Times paid $110 to Locatecell.com to purchase a one-month record of calls for this reporter's company cell phone. It was as simple as e-mailing the telephone number to the service along with a credit card number. The request was made Friday after the service was closed for the New Year's holiday.

'Most powerful investigative tool'

On Tuesday, when it reopened, Locatecell.com e-mailed a list of 78 telephone numbers this reporter called on his cell phone between Nov. 19 and Dec. 17. The list included calls to law enforcement sources, story subjects and other Sun-Times reporters and editors.

Ernie Rizzo, a Chicago private investigator, said he uses a similar cell phone record service to conduct research for his clients. On Friday, for instance, Rizzo said he ordered the cell phone records of a suburban police chief whose wife suspects he is cheating on her.

"I would say the most powerful investigative tool right now is cell records," Rizzo said. "I use it a couple times a week. A few hundred bucks a week is well worth the money."

Only financial info protected?

In July, the Electronic Privacy Information Center filed a petition with the Federal Communications Commission seeking an end to the sale of telephone records.

"We're very concerned about Locatecell," said Chris Jay Hoofnagle, senior counsel for the center. "This is the company that sold the phone records of a Canadian official to a reporter 'no questions asked.' "

Schumer has called for legislation to criminalize the "stealing and selling" of cell phone logs. He also urged the Federal Trade Commission to set up a unit to stop it.

He said a common method for obtaining cell phone records is "pretexting," involving a data broker pretending to be a phone's owner and duping the phone company into providing the information.

"Pretexting for financial data is illegal, but it does not include phone records," Schumer said. "We already have protections for our financial information. We ought to have it for the very personal information that can be gleaned from telephone records."

snipped-for-privacy@suntimes.com

Phone records have been for sale almost as long as home street addresses have been bought and sold.

When one purchases a "public domain" identity to people can contact them, they become "customers" and businesses suplement their income by sharing your information with like or "value add" product vendors.

Where is the outrage that our home street address information is available to all those junk mailers?

I didn't know this either. I doubt that this privacy invasion will survive the outcry that's going to happen.

All of this is going to put pressure on folks to use more peer-to-peer calling methods and bypass any central service that can easily aggregate all calling information. I've never used skype since there is no open-source software for it, but from what I understand it would be very difficult for some outside organization to gather CDR records for the calls. Certainly the SIP world could, if needed, move to something that offered similar privacy protection.

-wolfgang

I agree that public domain records are fair game. The story however detailed how any one of us can purchase a detailed record of a specific person's calls. For instance, if you called me and I captured your number on my caller ID, I could then spend $110 and find out who you called and who called you for a specific month. (My VOIP provider doesn't honor anonymus calls, so I get the number and usually a name when people think that they have blocked that CNID information.) For an additional fee, I could also find the duration of the calls. So it would be easy to tell if you were having an affair, receiving infertility treatments, called an abortion clinic or an aids treatment clinic. Maybe you work for me and I suspect that you are interviewing for another job. Maybe it would be better for me to fire you rather than let you linger on while arranging a job with a competitor. The possibilities are endless.

What you describe is the public domain, business collect publicly available data, aggregate it and and offer it for sale for a price.

Just as all your activities outside your dwelling are "public domain" so to you "expose" yourself when you make the effort to telephone a second party. You make the choice to expose yourself when you picked up the phone and dialed no one forced your actions.

However, call information has been readily available from the telcos for a fee, using real time on line queries since the seventies when I first entered the field of telephonic software application business. Within the first six of a call, while my phone switches played "ring back" to your phone, I could get how long you owned the phone number, whether you charged back on your phone bill, a "basic" credit score, street address of the phones location -- LATA -- who prepares your phone bill and who is your LEC as well as other info.

All this was made possible by the ISDN system, and as you say, I would reject calls with ANI was not presented. As you say, ANI is always available on all calls, and hiding ANI is a service your telco provides for you.

Privacy is something that only exists when one withdraws from all modern forms of convenience, It is a too edge sword, as consumers we want/demand information on those that attempt to enter our world, yet at the same we want our info kept secret. The two are in direct conflict, and I for one have no answers as to what the middle ground is or should be.

I think most people want the Internet to be free of government controls, and taxation, yet every time we venture into the www we leave our footprints all over the place. Business rise to collect this information and sell their data as well, mostly in "honest" fashion to drive our consumer based economies. But, just like a fire arm can be use for harm, so to our publicly available information.

Ethical behavior begins with the individual who says "this is wrong, and I will have no part of it." Then we legislate the limits on the use of public data, not try to create laws attempting to "guarantee" privacy.

[snip]

No. The list of numbers I call is my business and nobody except the phone company (for billing purposes) and the persons I call have any business knowing it.

No. See above. I do not stand on a hilltop and shout out the numbers I phone. It is not anyone's business.

Ivor

Since I do all my banking outside my dwelling, using your argument all my banking records would available to anyone for a fee. That's the issue here. The records are available to ANYONE for a fee. I dobt that most people know this. I didn't.

You can get a credit score from the phone company?

Actually, all your banking records are available, via credit rating agencies. The big three agencies frequently compile lists and sell them to smaller firms who then offer credit check services for any thing you buy over time, i.e. credit.

However, because of the Great Depression and the banking legislation that aims to prevent its repeat, i.e. FDIC, etc, banks are highly regulated and legislated as to how and who can obtain their records. Unfortunately, our laws loosen up the further your credit/banking history moves away from the bank/credit company holding your accounts, and unscrupulous peoples can get access. But, don't put your head in the sand in fright, laws are also on the books that allow you to sue for damages anyone untowardly using your financial information.

"We" can work to put an end to this practice, but then we would be also be ending the credit lending industry, and our ability to buy more of the things we want/need/desire on credit. "Trust me" will have little weight whey you are "begging" for a loan from a creditor who can no longer get an idea on how likely you are to repay the loan.

I did not say it was obtained from a phone company. You can deny this all you want, but your information is out there now. The proverbial genie is already out of the bottle.

Like two cans and a string? Even peer to peer has a "man in the middle."

But surely Skype, or your VOIP provider, has a record of all the calls you make? Or am I misunderstanding your point? If a cell phone company is selling all your calls then why not Skype or others?

Tony

It sounded like that's what you were saying. I'm the one who posted the original message so I know there are problems. The issue isn't that the "information is out there," because as you point out, there are legitimate reasons for people to access the information. The problem comes when anyone can access the information without a need to know and without your permission.

Peer to peer if done sloppily can have a man-in-the-middle attack. Thats why good systems do end-to-end encryption and end-to-end authentication. That way you can use the services of intermediate proxies without having to trust them not to eavesdrop.

-wolfgang

My voip provider is me. When I make pure end-to-end SIP calls to someone the only two parties involved are myself and the recipient. Thats the whole beauty of it. No outsider need be involved. I think direct sip calling will get much more popular as folks realize they don't need to pay any middleman to make SIP calls. The only thing you need a middleman for is if you want to gateway your SIP into the PSTN. Then you need to pay someone that connects to both networks to move your packets from one to the other. That's a different kettle of fish though. Both the gateway company and the phone companies involved are going to keep plenty of records because money is changing hands for that transaction.

As the OP's story says, there is no ironclad privacy guarantee once you pay a middleman. Even if they have a privacy policy, some dishonest employee could be selling the company's database on the side.

-wolfgang

Hmm. I wish I could think of a source of concise information.

The softphones I've seen all allow dialing by url. You just enter snipped-for-privacy@example.com in the "phone number" window to dial 555-1212 at address example.com. Example.com can either be a proxy or a phone itself. From the standpoint of SIP or the softphone it really don't matter. Sip phones really are just like sip proxies as far as the protocol is concerned.

Both my Sipura's and Grandstream's have ways of dialing IP addresses from the keypad. I recall doing it once just to test it and deciding that it was way to many keypresses for day to day use. I believe the Sipura will even store these "numbers" in the speed dial slots although I didn't test that. The online pdf manuals from the Sipura and Grandstream have the details.

If you have an ATA that is under your control another way is to use a halfway method where some outside program substitutes a sip URL for a dialed number. The easiest way to get started is to initially use sipbroker (at

and then later get a program in-house that does something similar. The sipbroker method requires adding bit of prefix-matching code to the front of your ATA's dial string. When you dial this prefix the ATA will send the SIP invite packet to sipbroker's proxy instead of your default proxy. They inturn lookup the SIP URL corresponding to this prefix and send your phone a SIP redirect response indicating the SIP URL of the phone or proxy you should connect to. Your phone then sends another SIP INVITE packet, this time to the desired SIP URL.

I use asterisk to redirect my call to various sip URL's depending on the prefix I dial. You really don't need anything as complex as asterisk though. SIP is a pretty simple protocol as far as redirects go and you can easily send one from a half-page shell or perl script. (I don't yet know of any pre-packaged program that does that though.)

There are a handful of SIP test numbers around that you can use to test whether direct dial is working.

-wolfgang

Can you point me to some information on direct sip calling?

Ah,so this is similar to an MSN Msgr chat? Now I gotcha.

Tony