What's Holding Up a Pretexting Law

  • Share
  • Read Later
In the immediate aftermath of the revelations of the Hewlett-Packard spying scandal, outraged legislators on Capitol Hill promised to do something about the evils of pretexting — the shady practice of impersonating someone to obtain that individual's personal information that was at the center of the company's efforts to eavesdrop on journalists and board members. For the moment, however, it appears that all the tough talk, as is so often the case in Washington, will remain just talk.

This year states have passed laws of varying strength banning the practice — California recently became the 15th one, although the bill won't take effect until January — but the feds have been slow to follow suit. In the absence of a national law, the five people connected to the HP case were indicted under California state fraud statutes, but their lawyers are expected to challenge whether these even cover pretexting; the statutes would have to be interpreted expansively to do so, and one attorney is looking at whether California even has jurisdiction over his client.

To avoid such loopholes and create a clear standard, lawmakers, phone company executives and regulators have stressed how important it is to adopt federal legislation against pretexting, but party turf wars and special interests will likely prevent this from happening anytime soon. "It's mind-boggling to me how all the parties in February said they would have a bill to the President soon and it hasn't happened yet," said Robert Douglas, an information security consultant who runs PrivacyToday.com. "To pass a bill saying it's a crime to get someone's phone records through deceit is a simple issue." Here's a look at the players, the interests and why it hasn't been simple at all.

Why a new law is necessary

Clearly there's some confusion in this area as to what's legal and what's not when it comes to pretexting — just ask the Hewlett-Packard lawyers. In addition to the states that have anti-pretexting laws, general fraud statutes may cover pretexting, but those statutes don't specifically refer to the practice and they require proving intent and financial damages, a bar prosecutors often can't meet.

Winning these kinds of cases can be difficult, says Robert Gellman, a Washington-based privacy consultant, because "with most privacy suits it's hard to prove you were actually damaged if you didn't lose your job or if it [the violation] didn't cost you money. It's not enough to show you were upset." Currently, the Federal Trade Commission has authority to bring suits, but they can only issue injunctions to stop the behavior and sue for illegitimate profits. There's also ambiguity as to whether individuals or phone companies own personal records, so individuals may have a hard time demonstrating standing to bring a suit. To remedy that, several of the bills before Congress would let individuals and companies initiate suits, and provide punishment of stiff fines and penalties of up to 10 years in prison. An anti-pretexting law would also ban the data brokers who practice pretexting from advertising their services, making it harder for them to create a business out of it.

Congressional Jockeying

The House Committee on Energy & Commerce had their own dig at party politics at the recent hearings, displaying a mock vintage movie poster featuring Scarlett and Rhett's classic pose with the caption "H.R. 4943 Gone with the Wind." (You have to be a Congressional aide to appreciate the humor.) They were referring to the Committee's pretexting bill, Prevention of Fraudulent Access to Phone Records Act, which they approved last May only to see it disappear from the docket when it was time for a floor vote.

Committee member Representative Jan Schakowsky believes the anti-pretexting bill was delayed "because of the Administration's concerns that maybe they were using the tactic themselves," says her spokesperson. Democrats speculated about a link to the National Security Administration's controversial warrantless wiretapping program. An Intelligence Committee spokesman tells TIME that the bill was initially pulled because of "national security concerns" they wanted addressed, but once those issues were raised they had no problems with the bill. Don Weber, a spokesman for the NSA, told TIME, "Given the nature of the work we do, we do not discuss actual or alleged operational issues as it can provide those wishing to do harm to the United States insight that could potentially place Americans in danger. However, it is important to note that the NSA takes its legal responsibilities seriously and operates within the law."

During the HP testimony Committee chairman Representative Joe Barton indicated there was a "good chance" they would pass the pretexting legislation that day — the end of the hearings and the final Congressional session. (Members then left to campaign for the midterm elections and won't return until November.) No such luck. Aides to Representative Edward Markey and Senator Bill Nelson said that late in the day Barton's staff drafted an exception to the bill for "intelligence gathering purposes." The Democrats wouldn't approve it because the exception was too broad and raised too many questions at that late hour, according to an aide from Representative Markey's office.

"People don't mind law enforcement getting people's phone records if they go before a judge and say why they need them," said the aide. We just don't want a carte blanche exception that allows for phishing expeditions." According to Larry Neal, House Energy and Commerce Committee deputy staff director, a proposal with an exception for intelligence gathering was offered to Democrats. "They said no. The result is that they have something to complain about instead of something to legislate."

Why the House bill is not a slam-dunk

Not surprisingly, the powerful phone companies don't favor the House's pretexting bill because of its broad (and still vague) requirements that they implement new security measures for access to customer records and file regular reports of any suspicious activity. Phone carriers would be fined if they don't comply, and they insist they already have every motivation to continuously update their methods to keep data safe. As an alternative, they support other stalled bills that have emerged from the House and Senate Judiciary Committees, which outlaw pretexting, but nothing more.

"It seems like they're penalizing the wrong parties here," said Jeffrey Nelson, spokesman for Verizon Wireless. "The problem is the pretexters. Requiring the phone companies to report what they're doing makes the assumption that companies don't have every reason to go after these people. Why create another bureaucratic layer that won't really solve the problem and takes a lot of time and resources to do?" The bill would also make it harder for phone companies to give out customer data for marketing purposes; in order to share any information that lists phone numbers and a time log of calls, they would have to get explicit permission from customers — the so-called opt-in approach — instead of the current opt-out method where they can largely do what they like with the information unless a customer expressly forbids it.

Many private investigators aren't crazy about the bill either. While most support pretexting laws, they would like some wiggle room to track down deadbeat dads, creditors and others trying to shirk the law. For instance the 1999 Gramm-Leach Bliley Act prohibits pretexting specifically to obtain financial information, but it includes an exception for insurance companies investigating fraud to make sure claims are accurate. Private investigators would like a similar exception to help them catch bad actors. "The anti-fraud interests are very strong," said Chris Hoofnagle, senior staff attorney with the Samuelson Law, Technology, and Public Policy Clinic at U.C. Berkeley School of Law.

Most Hill staffers believe it's unlikely that the pretexting legislation will pass during the "lame duck" session of Congress, which happens in November when the members return from campaigning. Other issues and distractions will probably grab center stage, which means another bill will have to be introduced during the start of the new Congress in January; a change in leadership could further complicate matters. For now, it looks like the most we can expect is more hearings in January, when the only thing we know for sure is that politicians will make bold new promises to crack down on pretexting.