In the immediate aftermath of the revelations of the Hewlett-Packard
spying scandal, outraged legislators on Capitol Hill promised to do
something about the evils of pretexting the shady practice of
impersonating someone to obtain that individual's personal information
that was at the center of the company's efforts to eavesdrop on
journalists and board members. For the moment, however, it appears
that all the tough talk, as is so often the case in Washington, will
remain just talk.
This year states have passed laws of varying
strength banning the practice California recently became the 15th
one, although the bill won't take effect until January but the
feds have been slow to follow suit. In the absence of a national law,
the five people connected to the HP case were indicted under
California state fraud statutes, but their lawyers are expected to
challenge whether these even cover pretexting; the statutes would have
to be interpreted expansively to do so, and one attorney is looking at
whether California even has jurisdiction over his client.
To avoid
such loopholes and create a clear standard, lawmakers, phone company
executives and regulators have stressed how important it is to adopt
federal legislation against pretexting, but party turf wars and
special interests will likely prevent this from happening anytime
soon. "It's mind-boggling to me how all the parties in February said
they would have a bill to the President soon and it hasn't happened
yet," said Robert Douglas, an information security consultant who runs
PrivacyToday.com. "To pass a bill saying it's a crime to get someone's
phone records through deceit is a simple issue." Here's a look at the
players, the interests and why it hasn't been simple at all.
Why a
new law is necessary
Clearly there's some confusion in this
area as to what's legal and what's not when it comes to pretexting
just ask the Hewlett-Packard lawyers. In addition to the states
that have anti-pretexting laws, general fraud statutes may cover
pretexting, but those statutes don't specifically refer to the
practice and they require proving intent and financial damages, a bar
prosecutors often can't meet.
Winning these kinds of cases can be
difficult, says Robert Gellman, a Washington-based privacy consultant,
because "with most privacy suits it's hard to prove you were actually
damaged if you didn't lose your job or if it [the violation] didn't
cost you money. It's not enough to show you were upset." Currently,
the Federal Trade Commission has authority to bring suits, but they
can only issue injunctions to stop the behavior and sue for
illegitimate profits. There's also ambiguity as to whether individuals
or phone companies own personal records, so individuals may have a
hard time demonstrating standing to bring a suit. To remedy that,
several of the bills before Congress would let individuals and
companies initiate suits, and provide punishment of stiff fines and
penalties of up to 10 years in prison. An anti-pretexting law would
also ban the data brokers who practice pretexting from advertising
their services, making it harder for them to create a business out of
it.
Congressional Jockeying
The House Committee on
Energy & Commerce had their own dig at party politics at the recent
hearings, displaying a mock vintage movie poster featuring Scarlett and
Rhett's classic pose with the caption "H.R. 4943 Gone with the Wind."
(You have to be a Congressional aide to appreciate the humor.) They
were referring to the Committee's pretexting bill, Prevention of
Fraudulent Access to Phone Records Act, which they approved last May
only to see it disappear from the docket when it was time for a floor
vote.
Committee member Representative Jan Schakowsky believes the
anti-pretexting bill was delayed "because of the Administration's
concerns that maybe they were using the tactic themselves," says her
spokesperson. Democrats speculated about a link to the National
Security Administration's controversial warrantless wiretapping
program. An Intelligence Committee spokesman tells TIME that the bill
was initially pulled because of "national security concerns" they
wanted addressed, but once those issues were raised they had no
problems with the bill. Don Weber, a spokesman for the NSA, told TIME,
"Given the nature of the work we do, we do not discuss actual or
alleged operational issues as it can provide those wishing to do harm
to the United States insight that could potentially place Americans in
danger. However, it is important to note that the NSA takes its legal
responsibilities seriously and operates within the law."
During
the HP testimony Committee chairman Representative Joe Barton
indicated there was a "good chance" they would pass the pretexting
legislation that day the end of the hearings and the final
Congressional session. (Members then left to campaign for the midterm
elections and won't return until November.) No such luck. Aides to
Representative Edward Markey and Senator Bill Nelson said that late in
the day Barton's staff drafted an exception to the bill for
"intelligence gathering purposes." The Democrats wouldn't approve it
because the exception was too broad and raised too many questions at
that late hour, according to an aide from Representative Markey's
office.
"People don't mind law enforcement getting people's phone
records if they go before a judge and say why they need them," said
the aide. We just don't want a carte blanche exception that allows for
phishing expeditions." According to Larry Neal, House Energy and
Commerce Committee deputy staff director, a proposal with an exception
for intelligence gathering was offered to Democrats. "They said no.
The result is that they have something to complain about instead of
something to legislate."
Why the House bill is not a slam-dunk
Not surprisingly, the powerful phone companies don't favor the House's
pretexting bill because of its broad (and still vague) requirements
that they implement new security measures for access to customer
records and file regular reports of any suspicious activity. Phone
carriers would be fined if they don't comply, and they insist they
already have every motivation to continuously update their methods to
keep data safe. As an alternative, they support other stalled bills
that have emerged from the House and Senate Judiciary Committees,
which outlaw pretexting, but nothing more.
"It seems like they're
penalizing the wrong parties here," said Jeffrey Nelson, spokesman for
Verizon Wireless. "The problem is the pretexters. Requiring the phone
companies to report what they're doing makes the assumption that
companies don't have every reason to go after these people. Why create
another bureaucratic layer that won't really solve the problem and
takes a lot of time and resources to do?" The bill would also make it
harder for phone companies to give out customer data for marketing
purposes; in order to share any information that lists phone numbers
and a time log of calls, they would have to get explicit permission
from customers the so-called opt-in approach instead of the
current opt-out method where they can largely do what they like with
the information unless a customer expressly forbids it.
Many
private investigators aren't crazy about the bill either. While most
support pretexting laws, they would like some wiggle room to track
down deadbeat dads, creditors and others trying to shirk the law. For
instance the 1999 Gramm-Leach Bliley Act prohibits pretexting
specifically to obtain financial information, but it includes an
exception for insurance companies investigating fraud to make sure
claims are accurate. Private investigators would like a similar
exception to help them catch bad actors. "The anti-fraud interests are
very strong," said Chris Hoofnagle, senior staff attorney with the
Samuelson Law, Technology, and Public Policy Clinic at U.C. Berkeley
School of Law.
Most Hill staffers believe it's unlikely that the
pretexting legislation will pass during the "lame duck" session of
Congress, which happens in November when the members return from
campaigning. Other issues and distractions will probably grab center
stage, which means another bill will have to be introduced during the
start of the new Congress in January; a change in leadership could
further complicate matters. For now, it looks like the most we can
expect is more hearings in January, when the only thing we know for
sure is that politicians will make bold new promises to crack down on
pretexting.