[House Hearing, 109 Congress]
[From the U.S. Government Publishing Office]



 
                     INTERNET DATA BROKERS:  
                WHO HAS ACCESS TO YOUR PRIVATE RECORDS?


                            HEARINGS

                           BEFORE THE

         SUBCOMMITTEE ON OVERSIGHT AND INVESTIGATIONS

                              OF THE 

                   COMMITTEE ON ENERGY AND 
                             COMMERCE 

                    HOUSE OF REPRESENTATIVES


                    ONE HUNDRED NINTH CONGRESS

                           SECOND SESSION


             JUNE 21, JUNE 22, AND SEPTEMBER 29, 2006

                         Serial No. 109-130

Printed for the use of the Committee on Energy and Commerce



Available via the World Wide Web:  http://www.access.gpo.gov/congress/house




                    U.S. GOVERNMENT PRINTING OFFICE

31-363 PDF                  WASHINGTON : 2006
------------------------------------------------------------------
For sale by Superintendent of Documents, U.S. Government Printing 
Office Internet: bookstore.gpo.gov  Phone: toll free (866) 512-1800;
DC area (202) 512-1800 Fax:  (202) 512-2250. Mail:  Stop SSOP, 
Washington, DC 20402-0001 


                    COMMITTEE ON ENERGY AND COMMERCE

JOE BARTON, Texas, Chairman
RALPH M. HALL, Texas
MICHAEL BILIRAKIS, Florida
  Vice Chairman
FRED UPTON, Michigan
CLIFF STEARNS, Florida
PAUL E. GILLMOR, Ohio
NATHAN DEAL, Georgia
ED WHITFIELD, Kentucky
CHARLIE NORWOOD, Georgia
BARBARA CUBIN, Wyoming
JOHN SHIMKUS, Illinois
HEATHER WILSON, New Mexico
JOHN B. SHADEGG, Arizona
CHARLES W. "CHIP" PICKERING,  Mississippi 
  Vice Chairman 
VITO FOSSELLA, New York 
ROY BLUNT, Missouri 
STEVE BUYER, Indiana
GEORGE RADANOVICH, California 
CHARLES F. BASS, New Hampshire 
JOSEPH R. PITTS, Pennsylvania 
MARY BONO, California 
GREG WALDEN, Oregon 
LEE TERRY, Nebraska 
MIKE FERGUSON, New Jersey 
MIKE ROGERS, Michigan 
C.L. "BUTCH" OTTER, Idaho 
SUE MYRICK, North Carolina 
JOHN SULLIVAN, Oklahoma 
TIM MURPHY, Pennsylvania 
MICHAEL C. BURGESS, Texas 
MARSHA BLACKBURN, Tennessee 
JOHN D. DINGELL, Michigan 
  Ranking Member 
HENRY A. WAXMAN, California 
EDWARD J. MARKEY, Massachusetts 
RICK BOUCHER, Virginia 
EDOLPHUS TOWNS, New York 
FRANK PALLONE, JR., New Jersey 
SHERROD BROWN, Ohio 
BART GORDON, Tennessee 
BOBBY L. RUSH, Illinois 
ANNA G. ESHOO, California 
BART STUPAK, Michigan 
ELIOT L. ENGEL, New York 
ALBERT R. WYNN, Maryland 
GENE GREEN, Texas 
TED STRICKLAND, Ohio 
DIANA DEGETTE, Colorado 
LOIS CAPPS, California 
MIKE DOYLE, Pennsylvania 
TOM ALLEN, Maine 
JIM DAVIS, Florida 
JAN SCHAKOWSKY, Illinois 
HILDA L. SOLIS, California 
CHARLES A. GONZALEZ, Texas 
JAY INSLEE, Washington 
TAMMY BALDWIN, Wisconsin 
MIKE ROSS, Arkansas 


BUD ALBRIGHT, Staff Director 
DAVID CAVICKE, General Counsel 
REID P. F. STUNTZ, Minority Staff Director and Chief Counsel 


             SUBCOMMITTEE ON OVERSIGHT AND INVESTIGATIONS 
ED WHITFIELD, Kentucky, Chairman 
CLIFF STEARNS, Florida 
CHARLES W. "CHIP" PICKERING,  Mississippi 
CHARLES F. BASS, New Hampshire 
GREG WALDEN, Oregon 
MIKE FERGUSON, New Jersey 
MICHAEL C. BURGESS, Texas 
MARSHA BLACKBURN, Tennessee 
JOE BARTON, Texas 
  (EX OFFICIO) 
BART STUPAK, Michigan 
  Ranking Member 
DIANA DEGETTE, Colorado 
JAN SCHAKOWSKY, Illinois 
JAY INSLEE, Washington 
TAMMY BALDWIN, Wisconsin 
HENRY A. WAXMAN, California 
JOHN D. DINGELL, Michigan 
  (EX OFFICIO) 


CONTENTS 


Page
Hearings held:

June 21, 2006	
1
June 22, 2006	
923
September 29, 2006 
1165
Testimony of:

Yuzuk, Adam, Atlantic Beach, New York	
23
Rapp, James, Touch Tone Information, Parker, Colorado	
43
Gandal, David, Shpondow.com, Loveland, Colorado	
52
Lyskowski, Peter, Assistant Attorney General, Office of Attorney 
General, State of Missouri 

935 
Harris, Julia, Assistant Attorney General, Office of Attorney 
General, State of Florida 
939
Kilcoyne, Paul, Deputy Assistant Director of Investigations, 
U.S. Immigration and Customs Enforcement, U.S. Department of 
Homeland 
Security 

961 
Lammert, Elaine, Deputy General Counsel, Investigative Law Branch, 
Federal Bureau of Investigation, U.S. Department of Justice 

964 
Bankston, James J., Chief Inspector, Investigative Services 
Division, U.S. Marshals Service, U.S. Department of Justice 

967 
Cooper Davis, Ava, Deputy Assistant Administrator, Office of 
Special Intelligence, Intelligence Division, U.S. Drug 
Enforcement Administration, U.S. Department of Justice	

972 
Ford, W. Larry, Assistant Director, Office of Public and 
Governmental Affairs, Bureau of Alcohol, Tobacco, Firearms, and 
Explosives, U.S. Department of Justice	

976 
Ubieta, Raul, Police Major, Miami-Dade Police Department, Economic 
Crimes Bureau	

1146 
Carter, David L., Assistant Chief of Police, Austin Police 
Department 
1150 
Byron, Christopher, Journalist, The New York Post 
1188
Meiss, Thomas, Associate General Counsel, Cingular Wireless 
1215
Wunsch, Charles, Vice President for Corporate Transactions and 
Business Law, Sprint Nextel 

1221 
Schaffer, Greg, Chief Security Officer, Alltel Wireless	
1227
Holden, Michael, Litigation Counsel, Verizon Wireless	
1236 
Venezia, Lauren, Deputy General Counsel, T-Mobile USA	
1247 
Boersma, Rochelle, Vice President for Customer Service, 
U.S. Cellular	
1254
Monteith, Kris Anne, Chief, Enforcement Bureau, Federal 
Communications Commission 

1276 
Winston, Joel, Associate Director, Division of Privacy and 
Identity Protection, Bureau of Consumer Protection, Federal Trade 
Commission 

1285 
Additional material submitted for the record: 

Lammert, Elaine, Deputy General Counsel, Investigative Law Branch, 
Federal Bureau of Investigation, U.S. Department of Justice; 
Bankston, James J., Chief Inspector, Investigative Services 
Division, U.S. Marshals Service, U.S. Department of Justice; 
Cooper Davis, Ava, Deputy Assistant Administrator, Office of Special 
 Intelligence, Intelligence Division, U.S. Drug Enforcement 
Administration, U.S. Department of Justice; and Ford, W. Larry, 
Assistant Director, Office of Public and Governmental Affairs, 
Bureau of Alcohol, Tobacco, Firearms, and Explosives, U.S. 
Department of Justice, response for the record	


1157
Kilcoyne, Paul, Deputy Assistant Director of Investigations, U.S. 
Immigration and Customs Enforcement, U.S. Department of Homeland 
Security, response for the record 


1164

INTERNET DATA BROKERS:  WHO HAS ACCESS TO YOUR PRIVATE RECORDS? 

WEDNESDAY, JUNE 21, 2006 

HOUSE OF REPRESENTATIVES, 
COMMITTEE ON ENERGY AND COMMERCE,
SUBCOMMITTEE ON OVERSIGHT AND INVESTIGATIONS,
Washington, DC. 


The subcommittee met, pursuant to notice, at 10:00 a.m., in Room 232 
of the Rayburn House Office Building, Hon. Ed Whitfield [Chairman] 
presiding. 
Members present:  Representatives Whitfield, Walden, Burgess, 
Blackburn, Barton (ex officio), Stearns, DeGette, Schakowsky, 
Dingell (ex officio), and Inslee.  
Staff Present: Tom Feddo, Counsel; Mark Paoletta, Chief Counsel for 
Oversight and Investigations; Clayton Matheson, Analyst; Matthew 
Johnson, Legislative Clerk; John Halliwell, Policy Coordinator; 
Chris Knauer, Minority Investigator; Consuela Washington, Minority 
Senior Counsel; and Alec Gerlach, Minority Staff Assistant.  
MR. WHITFIELD.  This hearing will come to order.  Today the 
Oversight and Investigations Subcommittee will examine issues 
surrounding data brokers who operate on the Internet and obtain 
and sell personal information about our fellow citizens without 
the consent of those people.  Documents are sold, such as 
Americans' personal cell phone records, their credit card 
statements, their bank accounts, their Social Security numbers, 
and other very private information. 
All of us assume these records are secure.  But, unfortunately, 
that is not the case.  
Earlier this year, the Energy and Commerce Committee reported a 
bill out to make it more difficult and to make it explicitly 
illegal to obtain, possess, or sell any kind of personal information 
without the consent of the person whose information is being sold. 
 And these hearings stem from work that began in February of this 
year and helped that effort. 
When the committee wrote to a total of 18 data brokers around the 
country, we sought to learn more about this shadowy industry that 
buys and sells phone records and other personal consumer 
information.  How do the data brokers obtain this information?  
Who is buying the records and driving the market?  How large is 
the industry?  Who exactly is procuring this information and from 
where?  It probably comes as no surprise that the vast majority 
of the companies we wrote seeking such information were 
uncooperative. 
Ultimately, Chairman Barton issued subpoenas for records of 12 of 
the data brokers to obtain the information that we needed. 
Several data brokers failed to comply with the subpoenas.  These 
individuals and their attorneys should note, however, that we will 
encourage this committee to hold all of them in contempt.  We will 
not permit our constitutional obligations to protect the American 
people to be undermined in this way. 
In the meantime, despite the delay in unresponsiveness, the 
subcommittee has acquired literally tens of thousands of documents. 
 And what we have found to date has been eye-opening to say the 
least. 
There are hundreds of data broker companies operating on the 
Internet.  They offer just about any nonpublic information under 
the sun: cell phone and landline call records, bank account 
activity, post office box, private mailbox information, blind 
credit reports, Social Security records, credit card transaction 
histories, e-mail account information, and it goes on and on. 
Even cell phone pings or locators are available, providing the 
purchaser an almost exact real time location of a cell phone as 
long as the phone is turned on. 
Most of this information is gathered by a relatively small group of 
companies and individuals who primarily use pretext--that is, lies, 
deception, and impersonation--to acquire the records they are 
seeking.  The data broker is often just a middleman who receives a 
request from a customer for a piece of information.  The data broker 
turns to the inner web of pretexters to acquire the information and 
then marks up the price when passing the records back to the 
customer.  The pretexters procure the information from phone 
carriers, utility companies, the Post Office, other corporate 
and government repositories of personal consumer information.  
The primary key that allows pretexters to unlock the doors to 
this information is the Social Security number of the victim.  
The pretexters will often enhance their impersonation by using 
spoofing hardware or software to make their phone number appear 
to be any number they desire it to be. 
Our investigation has shown that all of this information is for 
sale to virtually anyone who wants to buy it. 
The data brokers conduct at most superficial due diligence with 
respect to either their customers or their third-party vendors 
who procure the information. 
It is apparent from the records that there are literally tens of 
thousands of victims of this industry.  And none of these people 
know their records have been procured or sold and that their 
privacy has been invaded.  They do not have the opportunity to 
consent to the activity.  
This morning we are going to hear testimony from somebody who 
discovered that he was the victim of a data broker and what he 
did about it.  And we appreciate very much his willingness to 
testify and tell his story today.  
Our second panel will include two individuals who will explain 
in detail how pretexting works and what can be done to stop it. 
Mr. James Rapp, formerly the owner of Touch Tone Information, 
which was a successful data broker company that operated in 
Denver, Colorado, during the 1990s.  After being convicted for 
his activities, Mr. Rapp left the data broker industry. 
Earlier this year, committee staff had the opportunity to interview 
him at length, and he is here to explain just how pretexting is 
accomplished and what kinds of records are vulnerable, and we 
appreciate his being willing to do that. 
Mr. David Gandal refers to himself as a skip tracer who has been 
involved in the automobile repossession industry for much of his 
life.  When our investigation began, Mr. Gandal contacted the 
committee and offered to informally provide us with information 
about the data broker industry, its key players, and the practice 
of pretexting.  His information has been particularly helpful to 
our understanding of the industry.  And we want to thank him and 
appreciate his testimony. 
Our last panel today includes 11 witnesses from various data broker 
companies to which the subcommittee wrote.  All 11 of these 
witnesses have informed us that they will invoke their Fifth 
Amendment rights against self-incrimination today and refuse to 
answer any questions.  That is regrettable because we have important 
questions to ask them; we would like to have their answers.  
The American people whose private records they exploit, the numerous 
victims of their profits, deserve answers. 
We will give them an opportunity to answer some of our questions 
today, and I think that their response will show the American people 
and the Congress that this industry needs to be shut down as soon 
as possible. 
I note that our investigation has also sought to determine who the 
customers are that purchase these cell phone records and other 
personal information and who drives this multi-million dollar 
industry.  As one might naturally think, many private investigators, 
lawyers, and tabloids purchase these records.  But our work has also 
discovered that automobile finance companies and repossession 
companies and major banks and major corporations around America use 
this information. 
Americans will also be interested to learn that law enforcement 
agencies are sometimes the customers of data brokers. 
And in tomorrow's hearing, we intend to explore the issue of Federal 
and local law enforcement officials and how they use this 
information, and they will be here tomorrow. 
These hearings will not mark the end of this work.  We have been in 
contact with the Nation's major cell phone carriers, and in the 
coming weeks, we will be meeting with them to learn what they are 
doing to prevent data brokers from obtaining access to private 
information of their customers.  
Additionally, we intend to meet with some of the major banks and 
corporations who are purchasers of these records and other personal 
consumer information to learn what they are doing and why they are 
buying these records.  
I look forward to today's testimony on this very important subject.  
I want to thank the witnesses for their attendance.  And I now turn 
to the distinguished Ranking Member for today, Ms. DeGette of 
Colorado, for her opening statement. 
[The prepared statement of Hon. Ed Whitfield follows:] 

PREPARED STATEMENT OF THE HON. ED WHITFIELD, CHAIRMAN, SUBCOMMITTEE 
ON OVERSIGHT AND INVESTIGATIONS 

	Good morning and welcome.  Today, the Oversight and 
Investigations Subcommittee will examine the very serious issues 
surrounding data brokers who operate on the Internet, and who 
procure and sell Americans' personal cell phone call records and 
other information.  I'm sure many Americans have always assumed - 
as I have - that these records are very secure and nonpublic.  
Unfortunately, this is not the case, as we will hear today.  
	Early this year, the Committee began legislative work to 
draft a bill that would help to keep call records secure.  That bill 
was reported out of the Committee with unanimous support, and I 
hope that these oversight hearings add new impetus for the Congress 
to quickly pass the bill.  These hearings stem from work that began 
in February of this year, in parallel with the Committee's 
legislative efforts, when the Committee wrote to a total of 18 data 
brokers around the country.  We sought to learn more about this 
shadowy industry that buys and sells cell phone records and other 
personal consumer information: How do the data brokers obtain 
access to private information?  Who is buying these records and 
driving the market?  How large is the industry?  Who exactly is 
procuring the information, and from where? 
	It probably comes as no surprise that the vast majority of 
the companies we wrote seeking such information were uncooperative. 
 Many either ignored or partially responded to the Committee's 
letters.  Many individuals declined to be interviewed.  Few data 
brokers provided relevant records.  Ultimately, Chairman Barton 
issued subpoenas for records to 12 of the data brokers, because 
this Subcommittee was determined to conduct meaningful oversight 
and get answers to its questions.  Still, several data brokers 
failed to comply with the subpoenas.  These individuals and their 
attorneys should note that I will encourage this Committee to hold 
them in contempt.  We will not permit our constitutional obligations 
to be undermined in this way. 
	In the meantime, despite the delay and unresponsiveness, 
the Subcommittee has acquired literally tens of thousands of 
documents - through the subpoenas and from other sources.  The 
documents show the pervasive and invasive nature of this market, 
and they reveal an amazing picture.  What we have found to date has 
been eye-opening to say the least.  There are hundreds of data 
broker companies operating on the Internet.  They offer just about 
any non-public information under the sun: cell phone and landline 
call records, bank account activity, post office box and private 
mail box information, "blind" credit reports, social security 
records and  information, credit card transaction histories, and 
email account information.  Even cell phone "pings" or "locates" 
are available, providing the purchaser an almost exact real-time 
location of a cell phone, as long as the phone is turned on. 
	We have persuasive evidence that most of this information 
is gathered by a relatively small group of companies and individuals 
who primarily use "pretext" - that is, lies, deception, and 
impersonation to acquire the records.  In this business, the data 
broker is often just a middleman who receives a request from a 
customer for a piece of information.  The data broker turns to the 
inner web of pretexters to acquire the information, and then marks 
up the price when passing the records back to the customer.  The 
pretexters procure the information from phone carriers, utility 
companies, the post office, or other corporate and government 
repositories of personal consumer information.  The primary key 
that allows pretexters to unlock the doors to this information is 
the social security number of the "victim."  The pretexters will 
often enhance their impersonation by using "spoofing" hardware or 
software to make their phone number appear to be any number they 
desire.  
	Our investigation has also shown that all of this 
information is for sale to virtually anyone who wants to buy it.  
The data brokers conduct, at most, superficial due diligence with 
respect to either their customers or their third-party vendors who 
procure the information.  It is apparent just from the records that 
this Subcommittee has examined that there are literally tens of 
thousands of "victims" of this industry.  What's more, none of 
these people know that their records have been procured and sold, 
and that their privacy has been invaded.  They did not have the 
opportunity to consent to this activity. 
	This morning we will hear testimony from somebody who did 
discover that he was the victim of a data broker.  He will tell us 
about his outrage, and what he did to put a stop to it.  We 
appreciate his willingness to tell his story today.  
	Our second panel includes two individuals who will explain 
how pretexting works, and what can be done to stop it.  Mr. James 
Rapp formerly owned Touch Tone Information, Inc., a very successful 
data broker company that he operated in Denver, Colorado during the 
1990's.  After being convicted for his activities, Mr. Rapp left 
the data broker industry.  Earlier this year, Committee staff had 
the opportunity to interview him at length, and he is here 
voluntarily today to explain just how pretexting is accomplished 
and what kinds of records are vulnerable.  
	Mr. David Gandal refers to himself as a "skiptracer" who has 
been involved in the auto repossession industry for much of his 
life.  When our investigation began, Mr. Gandal contacted the 
Committee and offered to informally provide us with information 
about the data broker industry, its key players, and the practice 
of pretexting.  His information has been very helpful to our 
understanding of the industry, and we appreciate his coming forward 
and voluntarily providing that insight to the investigation.  
	Our last panel today includes 11 witnesses from the various 
data broker companies to which the Subcommittee wrote.  All 11 of 
these witnesses have informed us that they will invoke their Fifth 
Amendment rights against self-incrimination today, and refuse to 
answer our questions.  This is regrettable, because we have some 
very important questions to ask about their activities.  The 
American people whose private records they exploit - the numerous 
victims of their profits - deserve answers.  We will give them an 
opportunity to answer some of our questions today, and I think 
their responses will show the American people and the Congress 
that this industry needs to be shut down as soon as possible. 
	I note that our investigation has also sought to determine 
who the customers are that purchase cell phone call records and 
other personal information and who drive this multi-million dollar 
market.  As one might naturally think, many private investigators, 
lawyers, and tabloids purchase these records.  Our work has also 
revealed, however, a surprising "who's who" of major corporations - 
large banks, auto finance companies, and repossession companies.  
Americans will also be interested to learn that law enforcement 
agencies are sometimes customers of data brokers.  At tomorrow's 
hearing we intend to explore this issue with several federal and 
local law enforcement officials, and I will have more to say about 
that then. 
	These hearings do not mark the end of our work.  We have 
been in contact with the nation's major cell phone carriers, and in 
the coming weeks we will be meeting with them to learn what they are 
doing to prevent data brokers from obtaining access to their 
customers' records and to remedy their databases' vulnerabilities. 
Additionally, we intend to meet with some of the major banks and 
corporations who are purchasers of cell phone records and other 
personal consumer information, to learn about why they are buying 
these records. 
	Finally, I would like to thank the Minority and their staff 
for working with us shoulder-to-shoulder on this investigation.  
Just as the efforts to move meaningful anti-pretexting legislation 
have been unified, our investigation has been completely bipartisan 
and I commend everyone for working in this spirit to make a 
difference for the American people and help keep their personal 
records private. 
	I look forward to today's testimony and I thank the witnesses 
for their attendance.  	I now turn to the distinguished Ranking 
Member, Mr. Stupak, for the purposes of an opening statement. 

MS. DEGETTE.  Thank you very much, Mr. Chairman.  
Mr. Chairman, data that is acquired through pretexting is often sold, 
and it can be used for many nefarious purposes. 
The result of the misuse of this information can range from being a 
mere annoyance all the way to creating a potentially life-threatening 
situation.  Such information, for example, could allow a stalker to 
find a victim or a threatening husband to track down a spouse who is 
attempting to seek shelter from an abusive relationship. 
We will hear today how this practice is often built on a web of 
deception.  Pretexters will call an unwitting phone company and 
cajole information out of customer service.  From there, there is 
no telling how this information can or will be used or how it will 
be sold.  
And, Mr. Chairman, everyone on this committee understands about how 
dangerous this practice can be because, on March 8th of this year, 
this committee unanimously reported H.R. 4943.  Here it is.  It is 
called the Prevention of Fraudulent Access to Phone Records Act, 
and on May 2, 2006, this bill was scheduled for consideration on 
the floor of the House of Representatives. 
But somehow, mysteriously, that bill disappeared from the suspension 
calendar never to be seen again. 
And, frankly, Mr. Chairman, that bill addresses in large part many 
of the problems that we are going to discuss over the next few days. 
Now I have been in elected office for 14 years, 4 years in the State 
legislature, and I am in my 10th year in Congress.  And usually, the 
way it goes is you have a hearing, you identify a problem, someone 
writes a bill, you do the bill, you pass the bill, and then you 
solve the problem. 
I can't remember in my 14 years a situation like this where we 
passed the bill, then we have the hearing to see how bad the problem 
is. 
And I guess my question, Mr. Chairman, and I think you probably agree 
with me, I don't see the purpose of having a hearing if we pass new 
laws and they go nowhere.  So I would urge my colleagues to search 
with me high and low until we find H.R. 4943 which already passed 
the full committee without objection, get it scheduled on the floor 
and get it passed to solve this lurking problem. 
Now, on May 11, 2006, the Minority members of this committee sent 
the Chairman of the full committee a letter asking him to hold a 
hearing about the matters that caused the bill to be pulled. 
We think that the problems that we are talking about today are 
serious.  We think they can be solved, and we think that H.R. 4943 
would effectively address many of them. 
But it doesn't do any good to do this kind of work if we then pass 
legislation and it disappears. 
And so, Mr. Chairman, I would hope we could work together to get this 
bill scheduled if not before the July 4th recess, at least before 
the August recess. 
And, finally, Mr. Chairman, I would be remiss if I didn't discuss 
another important piece of legislation which we also passed in this 
committee and which would address the issues we are talking about 
today. 
As we are all know, pretexting is not always limited to obtaining 
telephone records from unwitting carriers, and so, consequently, on 
March 29th of this year, the committee voted 41 to 0, again 
unanimously, to pass H.R. 4127, the Data Accountability and Trust 
Act, which prohibits pretexting of all personal information by data 
brokers.  
Now, unfortunately, that bill seems to be stuck somewhere, too.  So 
I would urge us to aggressively follow up on that bill's status as 
well and consider sending a bipartisan letter to the Speaker asking 
him to make both pieces of legislation a priority, put them on the 
floor, and pass them. 
Mr. Chairman, thank you for holding this hearing.  I know the 
witnesses will confirm what a serious problem pretexting is, and I 
look forward to working with everyone to ensure these pieces of 
legislation get a full hearing on the House floor and wing their way 
to the Senate.  I yield back. 
MR. WHITFIELD.  Ms. DeGette, thank you for your opening comments, 
and all of us are perplexed that legislation sometimes gets hung up. 
 And it is our hope that this series of hearings on this very 
serious problem will rejuvenate the efforts to get these bills, both 
bills, to the floor.  
At this time, I recognize the Chairman of the full committee, 
Mr. Barton of Texas. 
CHAIRMAN BARTON.  Thank you, Mr. Chairman.  
I have a meeting today at 2 o'clock with the Majority Leader on some 
of the issues Ms. DeGette just raised.  Sometimes it is not policy 
issues that cause a problem; it is committee jurisdictional issues 
and stakeholder issues.  They don't like the results of this 
committee's work, and they try to change it or bottle it up in 
other committees. 
So, I mean, that is--I didn't hear your whole statement, but-- 
MS. DEGETTE.  You got the gist of it.  
CHAIRMAN BARTON.  Okay, so I am with you, and we are working to free 
some of these bills, and I have got a 2 o'clock meeting with the 
Leader to work on that. 
Chairman Whitfield, I want to thank you for holding this hearing 
today.  Americans can and should be proud of the bipartisan work 
that this committee has done to put a stop to illegal and unethical 
activity in the data broker industry and to better protect citizen's 
privacy.  Investigations so far have confirmed the truth that we 
had earlier just suspected; there is a large and growing market on 
the Internet for people's personal cell phone and landline call 
records.  Buyers want--and they can get--credit card transactions, 
employment and salary information, bank account activity, and many 
other personal records.  For the right price, you can even engage 
a data broker to trace the location of a cell phone as the owner 
goes about his or her daily life. 
I doubt very many Americans know that their personal or professional 
lives are this vulnerable to casual examination by strangers even 
in the age of the Internet. 
Unfortunately, brokers routinely lie to get their hands on this 
information and then sell the records to buyers who evidently don't 
care.  Right now, some of this or maybe even all of it, seems to be 
legal.  This sort of thing used to be the province of the 
neighborhood snoop who gathered gossip by sneaking through a look 
at your Venetian blinds.  Now anybody can be a private Internet 
spy. 
What data brokers collect lays bare people's hopes, dreams, 
successes, and failures for the curious and the malicious to poke 
through.  This subcommittee's work, Mr. Chairman, has shown that 
data brokers through either in-house efforts or their third-party 
vendors gain access to all this information through impersonation 
and deceit. 
People will likely be shocked at the information that is bought and 
sold on the Internet.  While shining a light on data brokers through 
our oversight work, our legislative efforts have moved forward in 
parallel.  Crafting the Prevention of Fraudulent Access to Phone 
Records Act, H.R. 4943, which was unanimously reported out of this 
committee, among other things, that bill would make it illegal to 
obtain cell phone records fraudulently as well as to solicit or sell 
such records.  It would also give the Federal Trade Commission and 
the Federal Communications Commission the tools they need to shut 
down data brokers and to ensure that the telephone carriers are 
doing enough to keep consumer's information and records secure. 
Mr. Chairman, what your leadership and this subcommittee's 
investigation has made clear is that Congress needs to pass the 
Act as soon as possible. 
I am also open to the prospect that we may have to take additional 
legislative action in order to protect Americans from data brokers 
exploiting and selling other personal consumer information besides 
telephone call records.  
I am glad that this subcommittee has aggressively pursued these 
companies and the individuals who operate them to learn as much as 
we can about exactly how they acquire the data, to whom it is being 
sold.  I have heard that data brokers are beginning to say that 
this congressional investigation invades their privacy.  Can you 
believe that?  People who cheat and lie for the purpose of making 
money are now complaining that they cannot cheat and lie in 
private.  What delicious irony.  The further irony is that many 
data brokers or their attorneys have insisted that they have done 
nothing wrong and that the brokering of call records and other 
information is not illegal.  Many of these individuals attempt to 
distance themselves from third party vendors who procure call 
records and other information by requiring the vendor to sign 
disclaimers that they did not violate the law in acquiring the 
records. 
In spite of this position, I understand that during this hearing, 
11 individuals, 8 of whom had to be subpoenaed to appear, may 
invoke their Fifth Amendment right against self-incrimination and 
refuse to testify when we direct questions to them about their 
business activities.  They have every right to do so.  But let's 
be perfectly clear that their silence will not prevent this 
subcommittee from doing its job and uncovering the facts. 
I understand that one individual, Mr. Carlos Anderson, attempted 
to duck service of a subpoena that I had issued for his appearance 
before this subcommittee.  His attorney, Mr. Hanan Isaacs, declined 
to accept service on Mr. Anderson's behalf, and for the last 2 
weeks, three U.S. Marshals have been trying to locate Mr. Anderson. 
 This past Monday, the Marshals served Mr. Anderson.  I do not take 
the issue of subpoenas lightly.  For that reason, I am very troubled 
by Mr. Anderson's obstruction.  We should not permit people who 
have information necessary to accomplish the work of this 
subcommittee to avoid legitimate inquiries, and I want to underline 
legitimate inquiries. 
We certainly respect Mr. Anderson's full constitutional rights and 
would work with Mr. Anderson's attorney to protect those rights.  
But we also understand the rights of the people of the United States 
of America, delegated through the Constitution, through the House 
of Representatives, through this committee through this subcommittee 
to protect the legitimate rights of the people of the United States. 
Let me also echo your comments, Mr. Chairman, about the companies 
that have stonewalled or ignored our subpoenas for records.  We will 
continue to persue the necessary information to develop a full record 
of the data broker industry. 
Mr. Chairman, I look forward to today's testimony and yield back the 
remainder of my time. 
[The prepared statement of Hon. Joe Barton follows:] 

PREPARED STATEMENT OF THE HON. JOE BARTON, CHAIRMAN, COMMITTEE ON 
ENERGY AND COMMERCE 

Thank you, Chairman Whitfield, for holding this hearing today.  
Americans can be proud of the bipartisan work we are doing to put 
a stop to illegal and unethical activity in the data broker 
industry, and to better protect citizens' privacy.  
The investigation has confirmed the truth that we had earlier 
just suspected.  There is a large and growing market on the 
Internet for people's personal cell phone and landline call 
records.  Buyers want, and they can get, credit card transactions, 
employment and salary information, bank account activity, and 
many other records.   For the right price, you can even engage a 
data broker to trace the location of a cell phone as the owner 
goes about his daily life. 
I doubt many Americans know that their personal and professional 
lives are this vulnerable to casual examination by strangers, even 
in the age of the Internet.  Brokers routinely lie to get their 
hands on information, and then sell the records to buyers who 
evidently don't care.  And all of this may even be legal. 
This sort of thing used to be the province of the neighborhood 
snoop who gathered gossip by sneaking a look through the Venetian 
blinds.  Now anybody can be a private spy.  What data brokers 
collect lays bare people's hopes, dreams, successes and failures for 
the curious and the malicious to poke through. 
Your Subcommittee's work, Chairman Whitfield, has shown that data 
brokers - through either "in-house" efforts or their third-party 
vendors -gain access to all of this information through 
impersonation and deceit.  People will likely be shocked at the 
information that is bought and sold on the Internet.  
While shining the light on data brokers through our oversight 
work, our legislative efforts have moved forward in parallel, 
crafting the "Prevention of Fraudulent Access to Phone Records 
Act," (H.R. 4943), which was unanimously reported out of this 
Committee.  Among other things, our bill would make it illegal 
to obtain cell phone records fraudulently, as well as to solicit 
or sell such records.   It also gives the Federal Trade Commission 
and the Federal Communications Commission the tools they need to 
shut down data brokers and to ensure that the telephone carriers 
are doing enough to keep consumers' information and records 
secure.  Mr. Chairman, what your investigation makes clear is 
that Congress needs to pass the Act as soon as possible.  I am 
also open to the prospect that we may have to take other 
legislative action in order to protect Americans from data brokers 
exploiting and selling other personal consumer information besides 
telephone call records.  
I am glad that we have aggressively pursued these companies, and 
the individuals who operate them, to learn as much as we can about 
exactly how they acquire the data, and to whom it is being sold.  
I've heard that data brokers are beginning to say that this 
congressional investigation invades their privacy.  People who cheat 
and lie for the purpose of making money are now complaining that 
they cannot cheat and lie in private.  What delicious irony.  
The further irony is that many data brokers or their attorneys have 
insisted that they have done nothing wrong, and that the brokering 
of call records and other information is not illegal.  Many of 
these individuals attempt to distance themselves from the 
third-party vendors who procure call records and other information 
by requiring the vendors to sign disclaimers that they do not 
violate the law in acquiring the records. 
And yet in spite of this position, I understand that, during this 
hearing, eleven individuals - eight of whom had to be subpoenaed to 
appear - may invoke their Fifth Amendment rights against 
self-incrimination and refuse to testify when we direct questions 
to them about their business activities.  They have every right to 
do so, but let me make clear that their silence will not prevent 
this Subcommittee from doing its job and uncovering the facts. 
On a related note, I understand one individual - Mr. Carlos 
Anderson - attempted to duck service of a subpoena that I issued 
for his appearance before this Subcommittee.  His attorney, 
Mr. Hanan Isaacs, declined to accept service on Mr. Anderson's 
behalf, and for the last two weeks three U.S. Marshals have been 
trying to locate Mr. Anderson.  This past Monday, the Marshals 
served Mr. Anderson.  I do not take the issuance of subpoenas 
lightly, and for that reason I am very troubled by Mr. Anderson's 
obstruction.  I will not permit people who have information 
necessary to accomplish our work to avoid our legitimate inquiries.  
Today Mr. Anderson will stand to account for his knowledge before 
this Committee.  
Let me also echo your comment, Mr. Chairman, about the companies 
that have stonewalled or ignored our subpoenas for records - we 
will not hesitate to pursue contempt proceedings if necessary. 
Mr. Chairman, I look forward to today's testimony and yield back the 
remainder of my time. 

MR. WHITFIELD.  Thank you, Chairman Barton.  
At this time, I recognize the Ranking Member, Mr. Dingell of 
Michigan, for his opening statement. 
MR. DINGELL.  Mr. Chairman, thank you, and I commend you for holding 
this hearing.  
Illegally obtaining or selling telephone records or any other 
sensitive personal information poses a serious threat to all 
Americans. 
It can lead to identity theft, harm to victims of domestic violence 
and stalking, and harm to law enforcement and Homeland Security 
personnel, especially those operating under cover.  This is a crime, 
and we need to put a stop to it. 
This committee did just that, or so we thought.  And I want to 
commend our Chairman for his leadership on this matter, because 
it was important. 
On March 8, 2006, the Committee on Energy and Commerce unanimously 
reported H.R. 4943, the Prevention of Fraudulent Access to Phone 
Records Act.  On May 2, 2006, this bill was scheduled for 
consideration on the floor of the House of Representatives.  Yet, 
for some strange reason, with no notice or explanation, H.R. 4943 
mysteriously disappeared from the suspension calendar.  And it has 
neither been seen nor heard from since.  It apparently has fallen 
into some kind of legislative black hole. 
Members of this committee, and the members of the public at large, 
should be told why the Republican leadership yanked this bill which 
was passed from this committee unanimously. 
I suspect that a clue can be found in the May 11th USA Today article 
reporting that the National Security Agency, NSA, had persuaded 
AT&T, Verizon, and BellSouth to, quote, "voluntarily," close quote, 
hand over their customer records without customer knowledge or 
consent so that the agency could analyze calling patterns in an 
effort to detect terrorist activity. 
The Democratic members of this committee wrote a letter to Chairman 
Barton asking for a hearing.  We have not had that hearing, and I do 
not see any phone companies on the witness list today or tomorrow. 
Why would that be?  
Also, illegally pretexting, that is, the use of false or fraudulent 
statements or representation, is not limited to consumer telephone 
records, as our witnesses will testify.  With that in mind, on 
March 29, 2006, this committee voted unanimously, 41 to nothing, to 
approve H.R. 4127, the Data Accountability and Trust Act, which 
expressly prohibits pretexting for personal information by data 
brokers. 
That bill is, again, in some kind of curious legislative limbo with 
reports that important consumer protections may be eliminated.  I 
hope that that is not the case, and I hope that the process on that 
matter is open. 
I commend you, Mr. Chairman, for your leadership in this 
subcommittee for holding 2 days of hearings on this issue.  It is 
important.  But I am concerned that also important witnesses have 
not been heard from. 
I am deeply concerned by what appears to have befallen both 
bipartisan products of this committee's timely legislative efforts 
to address serious issues within its jurisdiction.  The problem of 
pretexting will not go away; neither will consumer demands for 
protection.  And I suspect as the situation becomes more apparent, 
those complaints by consumers in the public at large will grow. 
I look forward to the comments of our witnesses today, and I 
commend you, Mr. Chairman, for this hearing.  Thank you. 
MR. WHITFIELD.  Thank you, Mr. Dingell. 
And I might add that, right before you came in, in my opening 
statement, I did mention that we are talking right now to the major 
cell phone companies, the major carriers, and that the staff on 
both sides of the aisle know that those discussions are going on.  
And I agree with you; it is imperative that we bring them in, 
because they can play a vital role in this, and I appreciate your 
raising that.  
At this time, I recognize the Vice Chairman of the committee, 
Mr. Walden of Oregon. 
MR. WALDEN.  Thank you very much, Mr. Chairman. 
Mr. Chairman, I appreciate your work and that of our staff and the 
Chairman of the full committee and the Minority in trying to expose 
this industry, to pull back the curtain on this unnerving process 
that is going on in America that I think most Americans aren't aware 
of.  And I had no idea that people in this audience had the ability 
to go out and talk their way through human firewalls if you will, 
and get access to people's Visa records, their cell phone records, 
their location at any given moment.  I mean, I have got a bit of 
an engineering background.  I know that these cell phones never 
stop transmitting; you can electronically triangulate.  I didn't 
realize you could con people to figure out where somebody is sitting 
and, for as little as $50, sell that personal data to anybody, to 
law enforcement, to credit bureaus, to jealous spouses or tabloids. 
 I just think this is atrocious.  And yet I know there are many in 
this industry who will allege that they are partners with law 
enforcement.  
If you are a partner with law enforcement in this endeavor, then I 
ask the question, why are so many people, leaders in this industry, 
taking the Fifth Amendment today and refusing to participate in 
our investigation?  We do have legislation pending before the full 
House.  There are jurisdictional issues that will be dealt with.  
Mr. Chairman, this issue and this legislation is not going to go 
away. 
What we are doing here and now is not only educating Americans and 
other companies out there who may have been participants in this 
process to how abhorrent it is and how at risk their records are; 
we are also I think affecting the relationships of some of those 
agencies, some of those companies, in how they use these data miners 
to access this information. 
I dare say that if I were a customer with a company and found out 
that that company was willing to engage some of these services, I 
would not be a customer with that company long.  And I think most 
Americans will react that way.  So we do see, in fact in the 
newspapers and in the media today, companies are ending their 
relationships now that we, this committee, under your leadership, 
Mr. Chairman, have exposed and pulled back the curtain on this 
industry. 
So the bill may have temporarily disappeared, I have every confidence 
in our full committee Chairman, Mr. Barton, that in his meeting at 
2 o'clock today, we will get some answers about how to move it 
forward. 
There is no hesitation on the Republican side of the aisle not only 
to expose this industry but also to do something about it 
legislatively.  And I commend the work of this committee and I look 
forward to hearing from those witnesses who will testify, and I'm 
certainly looking forward to hearing from Mr. Rapp, who will be most 
helpful in this endeavor.  For the public's benefit, this is a book 
called "American Information Brokerage Seminar Handbook," that 
Mr. Rapp wrote, which is a fascinating read as a teaching tool of 
how to go con somebody out of information, your information, your 
private information. 
And I look forward to learning more from Mr. Rapp about the 
behind-the-curtain nature of how this process has worked and how 
at risk all of us are for our personal medical records, our Social 
Security data.  In here, you can even find out how much somebody is 
getting paid.  Now for Members of Congress, that is public anyway, 
but for the rest of America, it should be as private as they want 
it to be, just as private as their Visa records or their phone 
records or where they are sitting at any given moment, just because 
they have a cell phone, should be private unless they want it some 
other way.  
So, Mr. Chairman, thanks for the work you are doing on this.  I 
think we are going to change America for the better, legislation or 
not, as a result of these hearings. 
[The prepared statement of Hon. Greg Walden follows:] 


PREPARED STATEMENT OF THE HON. GREG WALDEN, A REPRESENTATIVE IN 
CONGRESS FROM THE STATE OF OREGON 

MR. WHITFIELD.  Thank you, Mr. Walden.  
At this time I recognize Mrs. Schakowsky for her opening statement. 
MS. SCHAKOWSKY.  Thank you, Mr. Chairman.  
And Chairman Barton, I think all of us look forward to getting a 
report in tomorrow's hearing on the progress that you are making 
today.  
I want to congratulate the Chairman and our Ranking Member and this 
committee for having really done its job in responding to what is a 
growing concern of the American people about the privacy of their 
phone records and other records.  And what we did was hold hearings. 
 I am looking at the witness list from February 1st where we had a 
hearing on, "Phone Records For Sale, Why Aren't Phone Records Safe 
From Pretexting?"  I remember it well because my Attorney General 
from the State of Illinois, Lisa Madigan, came in and talked about 
the pretexting of phone records, talked about how the Chicago 
Police Department had to put out a warning to its undercover 
officers that drug dealers could use those records to identify 
them.  And as a consequence of the work we did on the committee, 
we did produce the bill that everyone is talking about, the 
Prevention of Fraudulent Access to Phone Records, H.R. 4943, which 
is now in some undisclosed location that we would like to figure 
out, and I hope that you do, Mr. Chairman. 
But and while it seemed very mysterious to us that the bill got 
pulled on May 2nd, since it passed out of our committee, as has 
been mentioned, unanimously, not a single opposition, another 
example of how our committee has successfully worked in a bipartisan 
fashion, but I felt less confused when, 8 days later, the USA Today 
did break the story that Mr. Dingell referred to that the National 
Security Agency was acquiring the public's phone records from three 
of our major carriers without subpoenas, without warrants or any 
approval of the courts and thought, well, maybe because the NSA is 
getting these phone records, maybe that is the reason why this 
bill became suddenly too sensitive.  I hope that is not the issue.  
But we did, as Mr. Dingell also mentioned, and Ms. DeGette, send 
a letter signed by all of the Democrats on the full committee 
asking that we have a full committee hearing on perhaps that 
relationship or the reasons why this bill disappeared.  
And Mr. Chairman, we didn't get any response that I am aware of to 
the letter that we sent on May 11th. 
Nevertheless, we also did pass the Data Act out of committee; that 
is a little clearer how it has gotten caught in some kind of a 
jurisdictional fight.  But clearly, this is under the purview of 
our committee, and we passed a bipartisan piece of legislation, a 
real quality piece of legislation that I hope that we are going to 
be able to move forward. 
So, in many ways, our committee has done our job.  I look forward 
to the hearing today because we are going to go as I understand it, 
beyond phone records.  The Internet has provided all of these 
opportunities to peer into the personal lives of Americans, and we 
need to address this issue.  While it is the Internet that has 
provided so many opportunities for entrepreneurs and to stimulate 
our economy, it has also provided opportunities for fraudsters who 
sometimes are a step ahead of the rest of us.  So we need to look 
into that. 
So I think that our investigations won't end.  But in the meantime, 
I think it is very important to make sure that the products that 
have come out of this committee move forward.  We already have two 
of them.  And I look forward to the day that those become law, even 
as we continue to explore the other issues that we are looking into 
today.  
Thank you, Mr. Chairman. 
MR. WHITFIELD.  Thank you, Ms. Schakowsky. 
At this time, I recognize Dr. Burgess of Texas. 
MR. BURGESS.  Thank you, Mr. Chairman, and thank you, 
once again, to you and the committee staff for having this 
important hearing.  
This committee has worked diligently to protect Americans and our 
private records, and today's hearing will further expand on why 
legislation is crucial to solving the problem. 
Through investigation by this subcommittee, we have obtained 
numerous examples, very troubling examples, of records that are 
available for sale to the highest bidder. 
Mr. Chairman, I don't mind telling you that I was shocked by some 
of the examples that I was shown by committee staff last week in 
preparation for this hearing and the fact that these very personal 
records can be obtained so easily as people fraudulently 
misrepresent themselves to obtain phone records, credit card 
statements and even the results of a post mortem examination. 
In an age where identity theft can wreak havoc on innocent 
consumers, it is my hope that today's hearing will not only help 
expose the pretexting problem but also, as so often is the function 
of this committee, educate Congress and educate the public of this 
situation and the absolute need for legislation to help solve it. 
Mr. Chairman, I am a cosponsor of H.R. 4943 as are many people on 
this committee, many members on the committee, the Prevention of 
Fraudulent Access to Phone Records Act, and I look forward to its 
prompt passage in the full House of Representatives.  This 
legislation is needed to ensure that our constituents' private 
phone records are not available to the highest bidder.  
Congress expressly prohibited pretexting for financial data under 
the Gramm-Leach-Bliley Act.  But that law does not preclude 
telephone records. 
Fortunately, this bill closes that loophole by prohibiting 
pretexting for telephone records and strengthens the security 
requirement for proprietary customer information, customer calling 
information, held by telephone companies.  Over the next 2 days, 
this committee will have the opportunity to question various parties 
connected to pretexting including data brokers, Federal agencies, 
and State and local law enforcement officers. 
We have been able to identify some of the major data brokers 
operating in this country, and today, many of them will have the 
opportunity to testify before us and explain the legal reasons for 
their business. 
One such data broker is located in a small town right outside of my 
district in the town of Granbury, Texas. 
It is troubling that these companies are prevalent throughout the 
country, even in small town Texas. 
From my understanding, many of these data brokers have indicated 
that they will invoke their Fifth Amendment right and refuse to 
answer our questions.  Of course, they have the constitutional 
right not to incriminate themselves, but it is my hope that they 
will cooperate with us to the fullest extent possible so that we 
can solve this problem for the American people. 
Once again, Mr. Chairman, thank you for your leadership on this 
issue.  Our constituents and Americans across the country will all 
benefit from these new protections of their private records. 
MR. WHITFIELD.  Thank you, Dr. Burgess. 
If there are no further opening statements, then I would like to 
call the first witness, Mr. Adam Yuzuk. 
Mr. Yuzuk, we appreciate very much your willingness to testify today 
and to give us your personal experience of being a victim of the 
data brokers.  And I will tell you that this is the Oversight and 
Investigations Subcommittee, and it is our practice to take 
testimony under oath.  Do you have any difficulty testifying under 
oath?  
MR. YUZUK.  No. 
MR. WHITFIELD.  And do you have a legal attorney with you today 
that you want to assist in any way?  
MR. YUZUK.  No.
MR. WHITFIELD.  If you would stand, I would like to swear you in. 
[Witness sworn.] 
MR. WHITFIELD.  Thank you, Mr. Yuzuk, you are now under oath, and 
you are recognized for 5 minutes for an opening statement. 
 
STATEMENT OF ADAM YUZUK OF ATLANTIC BEACH, NEW YORK 
 
MR. YUZUK.  Chairman Whitfield, Ranking Member Stupak, thank you for 
inviting me to testify before this subcommittee today. 
My name is Adam Yuzuk, and I appreciate this opportunity to explain 
what has happened to me and the possible consequences of Steve Kahn 
and Michelle Gambino's actions.  The fiasco that has unfolded is a 
truly sad state of affairs, and I will attempt to explain it.  
I apologize, I am a little bit nervous. 
On or about June 6, 2006, I contacted Cingular Wireless with a 
question concerning my bill.  The Cingular rep informed me that I 
could get the same information online.  And I asked how could that 
be possible.  She explained by using my online account.  I informed 
her that I did not have an online account.  She was very insistent 
that I did have one and that I had just set it up a couple weeks 
prior.  
She and I proceeded to go through the personal information needed to 
set up the online account, as I knew I had not set up such an 
account.  The personal information matched until we got to the 
e-mail address.  My e-mail address is [email protected], and the 
e-mail address on the account was [email protected].  At this 
point, I knew there was a problem.  My understanding from the 
Cingular rep was that someone set up this online account and had 
not made any changes, just viewed my account history. 
I couldn't understand how this had happened.  Shortly thereafter, 
I spoke with a Cingular supervisor.  We went through all the 
information on the false account again.  It became clear that 
someone was pretending to be me and reviewing my cell phone record.  
I was adamant that I wanted my information protected and this 
situation was unacceptable.  I wanted the highest level of security 
possible.  I was assured by putting a password on the account and 
having the account flagged, this could not happen again. 
On June 2, 2005, I also filed a police report with the Nassau County 
Police with an Officer Brennan, and it was assigned to a Detective 
Gildbride.  Detective Gildbride tried to track down the e-mail 
address, [email protected], by subpoenaing the information from 
Yahoo!.  This turned out to be a dead end.  Since we had no other 
information, we were stuck.  
On September 22, 2005, I spoke to a Cingular employee named Brad to 
inquire if anyone had tried to access my account again.  He informed 
me that someone did try to get in on September 14th but was 
unsuccessful.  It would appear in retrospect that his information 
was wrong.  I called him repeatedly as he promised to check and see 
if, on the off chance, the phone call was recorded.  He was 
e-mailing Little Rock, Arkansas, to see if this had occurred.  He 
would not return my phone calls.  I dropped the issue thinking no 
harm was done and Cingular had kept whoever it was out. 
On September 26th, I called Detective Gildbride back and asked him 
to add the September 14th incident to the police report.  We also 
determined that his spelling of the e-mail address was wrong and we 
would resubmit it to Yahoo!.  Upon sending Yahoo! the correct 
address, they informed me that [email protected] was shut down 
2 years ago, and they had no further info.  
On October 17, 2005, my lawyers filed a Federal lawsuit/complaint 
in the United States District Court for the Southern District of 
New York with Judge Karas presiding.  The lawsuit alleges fraud by 
former partners at Cipriani Accessories, Steve Kahn, Jarrod Kahn, 
and Evan Mittman.  Also named in the complaint were the accountants 
that handled the company's accounting and my own tax returns, Sol 
and Mark Karpman of Karpman and Co. 
We had started the discovery process and requested, "All documents 
concerning any investigator or other investigative service that 
performed any investigation of the plaintiff on your behalf."  They 
initially responded that they objected to this request as it seeks 
information which is protected by the work product privilege.  We 
pushed them, and by mid-April of 2006, we got the documents in 
their possession.  It was a retainer agreement dated May 9, 2005, 
from Gambino Information Services and the Max Leather Group signed 
by Michelle Gambino and Steve Kahn.  It states that, "cellular 
phone records shall be conducted as part of the request by the 
client.  For the company's fees for this investigation will be 
$300."  There was a packet of information dated June 9, 2005, 
File 9288, stating that they conducted an investigation to my, 
Adam Yuzak's, phone records, and following their report, attached 
is my cell phone bill with 17 pages obviously printed from my 
online account.  It was my billing cycle from May 3rd to June 
2nd. 
On 6/16, there was another invoice for, "2 telephone information"; 
I am assuming that they broke into someone else's account, keeping 
in mind that there might be a different phone company that they 
went to, there were canceled checks from Cipriani Accessories and 
the Max Leather Group to pay for the invoice that was split between 
the two companies.  There was my phone bill with the details of 
the time period of July 3rd to August 3rd, it was missing pages 1 
through 4 and 10 through 14; there was my phone bill for the time 
period of August 3rd through September 2nd; there was my phone 
bill from September 3rd through October 2nd. 
From the paperwork, it is clear that the July and August records 
were printed from my online account on September 14, 2005.  The 
September record was printed on October 12th.  This means that 
someone broke into the Cingular account two additional times after 
my account was password protected and after I was given what I 
believed to be the highest level of security. 
When I realized the severity of what had occurred, I started 
calling Cingular to get explanations and help.  This was extremely 
frustrating.  While the Cingular employees were unfailingly polite, 
they refused to push my request any higher up the chain. 
In the process, I also spoke to the private investigator--his name 
was Robert Douglas--who was extremely helpful in unraveling how this 
occurred.  He was very familiar with all of these issues.  He 
actually put me in touch with your committee's staff. 
A CNBC reporter also contacted me for a documentary that they would 
run in July regarding privacy issues.  We conducted the interview 
in my lawyer's office on Monday, May 15. 
I also spoke with the FTC, who wants me to send them documents, but 
they will not tell me what they will do with the documents; who put 
me in touch with the FCC, who also asked me to send documents but 
won't tell me what they will do with the documents.  The FCC gave 
me the phone number to a Jim Bugel who is Vice President of 
Government Affairs at Cingular.  After I had a strong conversation 
with him, he in turn put me in touch with Cingular's General 
Counsel, Mr. Tom Meiss. 
Cingular is now suing Cipriani Accessories and Steve Kahn and 
Gambino Information Services in Federal court in the Northern 
District of Georgia.  They are requesting damages and replevin of 
the documents.  I will say that Cingular, as soon as they fully 
understood the gravity of the problem, because I am involved in a 
multi-million dollar lawsuit with these people and their entire 
counter claims are based on my stolen cell phone records, which is 
utterly ridiculous, ridiculous; once they understood it, they 
jumped on it and got right in. 
Mr. Meiss at Cingular also ran the fake e-mail address 
[email protected] through the Cingular system and found several 
more accounts that this e-mail is listed.  We can only assume that 
all these accounts, these people, have had their information taken. 
Additionally, we have gone back to Cipriani, which is the company 
I am suing, requesting more documents regarding Gambino that must 
exist.  We want the invoices and to date haven't received the 
information. 
So I guess, from a human face, I would like to relay to you guys, 
how is it possible that they can open up an account in my name so 
easily?  How is this possible?  How is it possible that after my 
account was protected, it happened two more times?  After I made 
everybody aware of it?  Why is it that if you went to my mailbox 
and stole my cell phone records or stole anything from my mailbox, 
that is clearly illegal, but it is okay to pretend to be me and 
print out my information and sell it?  
It is crazy. 
Why is it so seemingly acceptable that Gambino and Steve Kahn would 
enter into a legal contract that I have, a retainer agreement 
stating that they will get cell phone records, which invoices 
indicate are clearly mine?  When you Google this company, Gambino 
Information Services, you immediately come up with another name 
called Amy Boyer.  They were apparently involved in a very similar 
thing where they gave information about a woman named Amy Boyer, to 
someone who then went and killed her. 
So, I find it incredible that these people are still in business. 
And now I had to be the--I am just angry.  And I apologize.  But 
I am just really angry that these people steal information, and 
now I am caught up in it, and I am defending counterclaims that 
are utter nonsense, that the other side has clearly stated that 
they have nothing, but now I have to go through and fight over 
something like this because the information was stolen, especially 
from just my point of view, they could have even gotten the 
information legally.  But they instead wanted to take an easier 
route for $300 and go have my information stolen.  And to top this 
off, I have spoken to the attorneys general.  Nobody knows what to 
do with this.  I have spoken to law enforcement.  Nobody can seem 
to figure out where to go with this.  It seems clear to me that 
they did something wrong, but nobody seems to understand what to 
do.  
Is it identity theft?  What did they take?  What did they take from 
me?  I keep screaming, they stole my cell phone records.  My 
attorney keeps explaining to me, they didn't steal your cell phone 
records; they stole Cingular's business records, but Cingular's 
business records are my phone records.  But, legally, it is 
Cingular's records.  So I sit before you, and I'll answer as many 
questions as I possibly can. 
This is ridiculous.  This is really ridiculous.  And I am listening 
to what you guys are saying, and I am hearing it, but I honestly 
don't understand how these people can do this and cause so much 
harm.  For me, it is monetary harm.  It is not physical harm.  It 
is not just monetary.  But it is very intrusive.  And it is 
allowing--I can keep going. 
[The prepared statement of Adam Yuzuk follows:] 

PREPARED STATEMENT OF ADAM YUZUK OF ATLANTIC BEACH, NEW YORK 

Chairman Whitfield, Ranking Member Stupak, thank you for inviting me 
to testify before the Subcommittee today.  My name is Adam Yuzuk, 
and I appreciate this opportunity to explain what has happened to 
me and the possible consequences of Steve Kahn and Michelle Gambino's 
actions.  The fiasco that has unfolded is a sad state of affairs, 
as I will attempt to explain.  
1) On or about June 6, 2006, I contacted Cingular wireless with a 
question concerning my bill; the Cingular rep informed that I could 
get the same info online.  I inquired how that would be possible and 
she explained by using my online account.  I informed her I did not 
have an online account.  She was very insistent that I did have one 
and that I had just set it up a couple of weeks prior. 
2) She and I proceeded to go thru the personal information needed to 
set-up the on-line account, as I knew I had not set up such and 
account.  The personal information matched until we got to the 
e-mail address.  My e-mail address is adam [redacted] @yahoo.com 
the e-mail address on the account was [email protected].  At 
this point I knew their was a problem.  My understanding from the 
Cingular rep was that someone set up this online account and had 
not made any changes, just viewed my account history. 
3)  I couldn't understand how this had happened.  Shortly 
thereafter, I spoke with a Cingular supervisor and as we went thru 
all the information on the false account again, it became clear 
someone was pretending to be me to review my cell phone records.  
I was adamant that I wanted my information protected and that this 
situation was unacceptable. I wanted the highest level of security 
possible.  I was assured that by putting a password on the account 
and having the account flagged this could not happen again. 
4) On or about June 2, 2005, I also filed a Police report with the 
Nassau County Police an Officer Brennan, Case # CK-47835-05.  It 
was assigned to a Detective Gildbride.  Detective Gildbride tried 
to track down the e-mail address [email protected] by subpoenaing 
the info from Yahoo.  This turned out to be a dead end.  Since we 
had no other info we were stuck. 
5) On September 22, 2005, I spoke to a Cingular employee named Brad 
to inquire if anyone had tried access my account again.  He informed 
me that someone did try to get in on September 14, 2005, but was 
unsuccessful (it would appear in retrospect his information was 
wrong).  I called him repeatedly as he promised to check and see if 
on the off chance the phone call was recorded.  He said he was 
e-mailing Little Rock to see if this had occurred.  He would not 
return my phone calls and I dropped the issue, thinking no harm was 
done and that Cingular kept them out. 
6) On September 26, I called Detective Gildbride back asking him to 
add the September 14 incident to the Police Report.  We also 
determined that his spelling of the e-mail address was wrong and 
that he would resubmit to Yahoo.  Upon sending Yahoo the correct 
address they informed us that they [email protected] was shutdown 
two years earlier and they had no info. 
7) On October 17, 2005, my lawyers filed a Federal Lawsuit 
/Complaint, in the United States District Court For The Southern 
District of New York, Judge Karas presiding, 05 CV 8802.  The 
lawsuit alleges fraud by former partners at Cipriani Accessories, 
Steve Kahn, Jarrod Kahn and Evan Mittman.  Also named in the 
Complaint were the Accountants that handled the Company's accounting 
and my own Tax Returns, Sol and Mark Karpman of "Karpman and Co."  
I have additionally filed a complaint against the Accountants with 
New York "Office of Professional Discipline" Case #2603687 
8) We started the discovery process and we requested "All documents 
concerning any investigative or other investigative service that 
performed any investigation of the Plaintiff on your behalf"  they 
initially responded that they "objected to this request as it seeks 
information which is protected by the work product privilege" 
9) We pushed and got them in mid April of '06 to give us the 
documents in their possession, these include 
A) a retainer agreement dated May 9, 2005 between Gambino 
information Services and The Max Leather Group signed by Michelle 
Gambino and Steve Kahn.  It states "Cellular Phone records shall 
also be conducted as part of the request of the CLIENT, The 
COMPANY'S fee for this investigation will be $300.00 (Three Hundred 
Dollars" 
B) a packet of information dated June 9, 2005 File #9288 stating 
that the have conducted an investigation to my (Adam Yuzuk) phone 
records and the following is their report.  Attached is my Cell 
phone bill detail, 17 pages obviously printed from my online 
account.  Billing Cycle 5/3/05-6/2/05. 
C)  6/16/05 invoice #6965, including "2 telephone information," I am 
assuming they broke into someone elses account, keeping in mind that 
it may be a different phone company. 
D) Cancelled Checks from Cipriani Accessories and The Max Leather 
Group to pay the invoice, it was split between the two companies. 
E) My phone bill with detail for time period  7/3/05-8/3/05, missing 
pages 1-4 and 10-14. 
F) My phone bill with detail for time period  8/3/05-9/2/05. 
G) My phone bill with detail for time period  9/3/05-10/2/05. 
10) From the paperwork it is clear that the July and August records 
were printed from my online account on 9/14/05. 
11) The September record was printed on 10/12/05. 
12) This means that someone broke into my Cingular account two 
additional times after my account was password protected and I was 
given what I believed was the highest level of security. 
13) When I realized the severity of what had occurred, I started 
calling Cingular to get explanations and help.  This was extremely 
frustrating, while Cingular employees were unfailingly polite they 
refused to push my request higher up the chain. 
14) In the process I also spoke with a private investigator who was 
very familiar with all of these issues, he put me in touch with 
your Committee's staff. 
15) A CNBC reporter also contacted me for a documentary they will run 
in July regarding  privacy issues. We  conducted the interview in my 
lawyers' office on Monday 5/15/06. 
17) I also spoke with the FTC who wants me to send them the 
documents (I haven't yet) and the FCC who also wants the documents. 
The FCC in turn gave me a phone number to a Jim Bugel who is a Vice 
President of Government Affairs at Cingular, he in turn put me in 
touch with Cingular's General Counsel, Mr. Tom Meiss. 
18) Cingular is now suing Cipriani Accessories/Steve Kahn and 
Gambino Information Services in Federal court in the Northern 
District of Georgia.  They are requesting damages and "replevin 
of the documents."  
19) Mr. Meiss at Cingular also ran the fake e-mail address 
([email protected]) thru Cingulars system and found several more 
accounts that this e-mail was listed, we can only assume that all 
these accounts (PEOPLE) had their information taken. 
20) Additionally we have gone back to Cipriani requesting more 
documents regarding Gambino that must exist, we want the invoices 
for the 9/14/05 and 10/12/05 incidents. To date we have not 
received the requested information. 

QUESTIONS 
Why is it they so easily opened an on line account in my name ? 
Why is it they could so easily break into my account after it was 
was protected and Cingular knew of the problem? 
Why is it illegal to steal my phone records from my mailbox or my 
home but seemingly ok to pretend to be me (pretext) access my 
information, print it out and then sell it? 
Why is it so seemingly acceptable that they (Gambino & Kahn) would 
enter into a legal contract the "retainer agreement" stating they 
will get "Cellular Phone Records," which invoices and paperwork 
clearly indicate are mine? 
After the Amy Boyer murder case in New Hampshire, how is Gambino 
still in business and openly selling telephone information? 
       Respectfully Yours, 

        Adam Yuzuk  

MR. WHITFIELD.  Well, Mr. Yuzuk, we appreciate your testimony and 
certainly understand your emotional feeling about this and your 
intensity in the way you feel about it, and of course, that is one 
of the reasons we are having this hearing today.  You have heard 
that two pieces of legislation have already been reported out of 
this committee, but the more we look into it, we certainly 
understand the complexity of this.  And we recognize that law 
enforcement is also having difficulty with the prosecution of a lot 
of these cases because the State laws, the Federal law, and the 
whole area is sort of murky.  And so your testimony, along with 
others, can go a long way in helping us try to develop a real 
solution to protect the American people. 
So I want to thank you for being here.  I am assuming from your 
testimony that you would not have known anything about this except 
that you had a question about your account; is that correct?  
MR. YUZUK.  Correct.  I called up.  I was checking something on my 
phone bill, and she just suggested, why don't you look at it online? 
Otherwise, this could have gone on indefinitely.  And I guess what 
needs to be made clear is that I then protected the account. 
MR. WHITFIELD.  When you say protected, you mean a password? 
MR. YUZUK.  I password protected it, and they red-flagged the 
account that you had to be talking to me to get through with a 
password, everything; it was very clear.  On top of that, I had my 
cell phone bill set up so that there was no detail on it because I 
was worried whoever it was would steal it out of my mail because, 
at the time, I didn't know who it was.  So I have no detail on my 
cell phone bill, yet they went back in September and October, pulled 
it off online with all the detail.  So they had more information 
about me than my own cell phone bill. 
MR. WHITFIELD.  Do you have any idea how they obtained your password? 
MR. YUZUK.  Cingular was suggesting to me that maybe I told somebody 
what the password was.  And I informed them that not only has it not 
been written down, but I am in a pretty nasty fight with these 
people. 
The last thing I am about to do is hand over my password to them.  
And they said, maybe they overheard you or something.  It was just, 
no real answer.  And where we got to was that they believe that 
there was something they termed to me as social engineering, that 
the private investigator would call back over and over and over 
until they found somebody in Cingular who was sympathetic that they 
could get through. 
MR. WHITFIELD.  That is the explanation that Cingular gave to you?  
MR. YUZUK.  Yes. 
MR. WHITFIELD.  Now, how would you characterize your relationship 
with Cingular as you went through this process?  You touched on that 
they didn't really become serious about it until they discovered 
about the lawsuits, but-- 
MR. YUZUK.  I will tell you that my feelings with Cingular, going 
from the bottom up, they would not allow this to go up.  I called, 
20, 30 times, I begged, for help.  I literally begged and said, 
could you please put me in touch with the general counsel?  Please 
put me in touch with somebody in your company that I can talk to 
that will know how to deal with this situation.  They refused to 
push it any higher.  They were polite, but they would not push it 
any higher.  It wasn't until I got the private investigator that 
I mentioned, Rob Douglas, put me in touch with the FTC who 
was--there was no place to go with that either, which I was kind 
of surprised, and then they gave me the FCC, and they gave me 
somebody at Cingular.  And Cingular from the top down, to be quite 
honest, once I ripped into them, he all of a sudden woke up and 
then had the general counsel call me. 
And to be quite honest, you can see, I am not afraid to come out.  
I can't imagine how anybody else would be trying to deal with 
this.  I can't even get the Attorney General moving on this. 
Like, it is just amazing because nobody can figure out, is it an 
economic crime?  Is it an identity theft?  You know, everybody 
bounces me from one person to the next because nobody knows what 
to do with it. 
MR. WHITFIELD.  And you live in New York. 
MR. YUZUK.  Yes, Nassau County. 
MR. WHITFIELD.  Now let me ask you--if I were you, of course I would 
be upset about realizing my private records are out there but then 
maybe even more apprehensive when I found out that the name Gambino 
was involved in trying to get this information.  How did you find 
out the name of Gambino? 
MR. YUZUK.  It was through the discovery process of the lawsuit 
because we asked them for any document of any investigations that 
were done to me.  And this is something, you know, to me is a big 
question which I can't get an answer to.  They asserted an 
attorney-client privilege, and I am curious how their attorneys 
are protecting stolen information that any reasonable person would 
know is stolen, because I did not give it to them.  I obviously did 
not call them up and say, here, here are my phone records. 
MR. WHITFIELD.  But now this agreement between Cipriani 
Accessories--that agreement was for $300, and they used that--that 
was a contract to obtain your information. And Cipriani, are those 
your former partners in business or some other-- 
MR. YUZUK.  Yes. 
MR. WHITFIELD.  So you all separated and they took it on themselves 
to-- 
MR. YUZUK.  They knew that I am alleging fraud against them.  They 
know that I have everything dead on.  They needed something to base 
their counterclaims on because they had nothing.  
In addition, I just want to add that, besides these stolen cell 
phone records, they have nothing for their counterclaims.  They have 
admitted they have absolutely nothing to base their counterclaims 
on other than these cell phone records which to me.  Honestly, I 
don't even understand the process, how this stuff can be used 
against me -- 
MR. WHITFIELD.  Right. 
MR. YUZUK. --in this way. 
MR. WHITFIELD.   Right.  But the only way you have really been able 
to obtain the specific information to know exactly who requested 
this information was through a lawsuit.  You were not able to obtain 
it prior to that, were you?  
MR. YUZUK.  No, because I wouldn't have known who was looking at 
my information. 
MR. WHITFIELD.  So you had this lawsuit with your former partners 
and, through the discovery process, realized that they were the ones 
that did it?  
MR. YUZUK.  Yes, and once they asserted the attorney-client privilege 
over it, we knew something was wrong. 
MR. WHITFIELD.  Right. 
MR. YUZUK.  So we just kept digging at it and got the records and 
from there--I actually was in a discovery meeting yesterday with 
them for about 9 hours, and Cipriani still asserts they did 
absolutely nothing wrong, and they can't even understand how this 
is a problem because they went legally to somebody and got the 
information. 
MR. WHITFIELD.  Well, the thing that is so perplexing about this, 
the average victim out there who may not be involved in a lawsuit 
may never be able to find out who is requesting this information. 
MR. YUZUK.  Once I spoke with the General Counsel over at Cingular, 
 Tom Meiss, we had the e-mail address that they used on my account, 
and when I asked him and pushed him and I said, why don't you run it 
through your system because, obviously, there are going to be other 
people this happened to, after a little bit of pushing, he did that. 
 All of a sudden, a bunch of other things popped up; and I don't 
think they really wanted to share them with me because that could 
put them in a bad position. 
MR. WHITFIELD.  Now you made one comment in your opening statement, 
Gambino, and that was linked with the name Amy Boyer.  Now who is 
Amy Boyer?  
MR. YUZUK.  Amy Boyer, from what I understand--and it is only from 
newspaper articles, from what I have read--was a woman that was 
killed in New Hampshire because Gambino Information 
Services--Michelle Gambino had pretexted to get her information.  
I guess somebody from her old high school--I am just telling you 
what the article says.  Somebody from her old high school had 
wanted to find this woman, was obsessed with her, had an information 
broker find the person and got all the information, called the woman 
at work, found out when she worked, all this stuff by pretexting.  
The person who bought the information then went to her workplace as 
she came out and killed her. 
So I just found it very interesting.  And I guess the way that I 
even got started on this whole thing is, once I Googled the Gambino 
Information Service and this came up, I figured they had to be on 
somebody's radar.  How could it be they are doing this to me and 
they have been involved in this and they are not on anybody's radar? 
 So I called the lead prosecutor in New Hampshire that prosecuted 
that case.  He, in turn, put me in touch with the private 
investigator who led me to you guys. 
MR. WHITFIELD.  Okay.  At this time, I will recognize Ms. DeGette. 
MS. DEGETTE.  Thank you, Mr. Chairman. 
Well, Mr. Yuzuk, you are understandably frustrated.  Frankly, I 
used to practice law for a long time; and anybody involved in a 
lawsuit like you are, it is like double the frustrations.  So I can 
really understand.  
After hearing your testimony and your answers to the Chairman's 
questions, it would seem to me that it would be a super good idea to 
get the telephone companies in here to talk about how they are 
disclosing this information.  Wouldn't you agree with that? 
MR. YUZUK.  Yes. 
MS. DEGETTE.  If we got Cingular in here under oath, that would be a 
good step towards figuring out what they know about how this 
information is freely given out about their customers records, 
wouldn't it?  
MR. YUZUK.  I believe that to be true. 
MS. DEGETTE.  Okay.  Have you looked at this bill that we keep 
talking about, H.R. 4943, the Prevention of Fraudulent Access to 
Phone Records Act? 
MR. YUZUK.  To be quite honest with you, I have never heard about 
it until -- 
MS. DEGETTE.  As a lot of us said, we actually passed this bill 
from this committee in May, and then it was supposed to be 
unanimously bipartisan, and then it was supposed to go to the 
floor, and somehow it mysteriously got pulled.  Did you hear that? 
MR. YUZUK.  Yes, I heard. 
MS. DEGETTE.  One thing you talked about in your testimony, you 
talked about how the problem seems to be no one can quite identify 
what the crime is or what the cause of action is as to what has 
happened to you.  Is it identity theft?  Is it other things?  Right? 
MR. YUZUK.  It is exactly it.  Now I am embroiled in this lawsuit. 
MS. DEGETTE.  Right. 
MR. YUZUK.  So what have they done to me?  I am angry at my former 
partners for hiring these people to go do this.  So what do I go 
after them for? 
MS. DEGETTE.  Right.  So I was sitting here while I was listening 
to you looking at this bill.  Let me just read you a couple of 
sections of the bill, and you can tell--I know you are not a legal 
or a legislative expert, but just in your layman's view do you think 
this might help, if we pass this bill, with your satisfaction?  
Section 101.  It is called "Prohibition on Obtaining Customer 
Information by False Pretenses.  It shall be unlawful for any 
person to obtain or attempt to obtain or cause to be disclosed or 
attempt to cause to be disclosed to any person, customer, 
proprietary network information related to any other person by 
making a false, fictitious, or fraudulent statement or 
representation to an officer, employer, agent of a 
telecommunications officer, or providing any document or other 
information to these same people that the person knows or should 
know to be forged, counterfeit, lost, stolen, or fraudulently 
obtained or to contain a false, fictitious, or fraudulent statement 
and representation."  
That would help, don't you think?  
MR. YUZUK.  That would be hugely helpful. 
MS. DEGETTE.  Hugely helpful. 
MR. YUZUK.  My only question is, because I don't understand and I am 
learning, is that also civil and criminal? 
MS. DEGETTE.  It is civil. 
Now let me read you just the first little part of Section 202, which 
is called expand--because the section I just read you, it talks 
about people who are getting customer information for--so Section 
202 talks about expanded provisions for detailed customer records. 
 And subsection (a)(1) of that says, "privacy requirements for 
telecommunications carriers."  Then it says, "except as required by 
law, permitted by this paragraph, a telecommunications carrier that 
receives or obtains individually identifiable customer proprietary 
network information, including detailed customer telephone records 
by virtue of its provision of the telecommunications service, shall 
only use, disclose, or permit access to such information or records 
in the provision of such carrier of the telecommunications service 
from which information is derived or services necessary to or used 
in the provision of such telecommunications services." 
That would be helpful to you, too, wouldn't it? 
MR. YUZUK.  I wish you guys would have done this 2 years ago. 
MS. DEGETTE.  Well, it would be good if we did it now. 
MR. YUZUK.  It would help the next person. 
MS. DEGETTE.  A year ago would have been good, but now-- 
So those things would directly address what your problem is, right? 
MR. YUZUK.  Yes, it would directly address what happened to me. 
MS. DEGETTE.  And have you--in your mission here, have you had the 
opportunity to talk to other people or do you have some sense of 
how many other people this is happening to?  
MR. YUZUK.  The best gauge I get of that is by talking to that 
private investigator, Rob Douglas.  Because he seems to have his 
fingers in a lot of pots with this and seems to see a lot of it 
going on, and he was the one that sort of connected a lot of the 
dots as to what was happening.  It was kind of interesting it was 
a private investigator that did that.  But he seems to understand 
that he thinks it is fairly widespread.  He informed me that 
Gambino Information Services mainly focuses on financial 
information, and I was probably more of a fluke that they went 
after my telephone stuff.  
Now I am also pretty upset that my former company, I am speculating, 
gave all my personal information over, my Social Security number, 
to these people.  Obviously, there is something wrong with that; and 
now God only knows what they could be doing with that. 
MS. DEGETTE.  Right. 
MR. YUZUK.  So the telephone thing might be the tip of an iceberg 
that is going to take years to unravel. 
MS. DEGETTE.  This is the whole reflection of something this 
committee has been looking at, a lot which is what do we do in this 
area of technology which helps people to also protect their privacy, 
and it seems to me that we need to really pass real laws that deal 
with this. 
MR. YUZUK.  You know, from what I have learned in speaking and 
talking to the Attorney General's office numerous times in New York, 
everybody is a little confused as to what to do with it.  They kind 
of think, well, it could fit into this and it could fit into this, 
but it is not quite this and not quite that.  And I apologize for 
being simplistic about it.  Why is it clear if you steal it from my 
mailbox that is a problem, but if you take it off the Internet 
pretending to be me, it is okay? 
MS. DEGETTE.  Right.  That is what this is supposed to address.  I 
agree with you, and we are going to keep pushing to try to get this 
passed. 
Thank you, and I yield back the balance of my time. 
MR. WHITFIELD.  I might say, Ms. DeGette, our staff has 
uncovered--we know there are tens and tens of thousands of victims 
out there.  And I might just say for your benefit, Mr. Yuzuk, 
unfortunately, Congress is pretty fragmented and balkanized; and 
while this committee can pass legislation dealing with civil 
penalties and so forth in the area of jurisdiction when we get 
involved in the criminal side of it, then it goes over to the 
Judiciary Committee and they work those sides.  So that we always 
get frustrated by the lack of progress that we are making as well. 
MS. DEGETTE.  Mr. Chairman, if you would yield.  This bill was 
scheduled on the floor for at least the civil part, and at least 
that would help.  Then the Judiciary Committee, if they wanted to, 
could do a criminal companion bill. 
But it is not like this bill had a referral to the Judiciary 
Committee and got stuck there.  It was actually scheduled for a 
vote on the floor.  
MR. WHITFIELD.  Absolutely.  There was a jurisdictional dispute.  
And, anyway, hopefully, that is going to be resolved this 
afternoon. 
At this time, I recognize Mr. Walden. 
MR. WALDEN.  Mr. Yuzuk, thank you again.  Sorry we have to meet like 
this, as they say.  But you have really helped us better understand 
the plight of an individual who has been victimized by these data 
mining companies and apparently by others. 
You have mentioned trying to get some action out of an Attorney 
General.  Who is that?  Which Attorney General? 
MR. YUZUK.  I contacted Eliot Spitzer's office.  I went through, I 
think, three different attorneys there--I have it all written 
down--but three different attorneys there, of which two of them 
were civil, one was criminal.  After we had gone through and 
explained the stories over and over and over--it went from like 
an economic bureau to identity theft bureau that doesn't have 
jurisdiction because I live in Nassau County but it happened in 
Queens where I live.  So they couldn't help, and then they sent 
me -- 
MR. WALDEN.  So you really got the runaround. 
MR. YUZUK.  Now I have the Nassau County Attorney General.  I spoke 
with him 2 weeks ago.  I mean, I am happy I got this invitation so I 
could fax it to the Attorney General and say hey, wake up, please. 
MR. WALDEN.  This is the State Attorney General in New York? 
MR. YUZUK.  Yes. 
MR. WALDEN.  Just for the record, my understanding is we have 
got--our staff has scheduled two interviews for next week with 
Telco-Telephone Companies to do the kind of background interviews 
I assume they did with you and they are doing with others; and 
they are working on scheduling at least three others for the 
committee's work.  This is going on.  We are going to continue.  
There is no calling off our investigators there.  They are the 
best in the country at what they do, and they are not going to 
quit until we get all the answers. 
I am curious.  What else has Cingular done for you since the facts 
about the Gambino came to light?  Have they worked with you on 
establishing a safeguard?  What is your trust level now?  I can 
appreciate your frustration to say I got this fixed, I got 
password protection, now things are good to go, and then you 
discover they are not. 
MR. YUZUK.  I got to the point where there is a regional supervisor 
that I made be put on the account.  The account is red-flagged, that 
nobody can go on to that account without first getting approval 
from the regional supervisor, which is obviously a little 
impractical and silly, but it is the only thing I could possibly 
think of to deal with this.  Because, obviously, the password was 
being bypassed, which-- 
MR. WALDEN.  How did that happen?  I know you talked about that you 
must--they think you must have given it out or something, but, 
obviously, there would be no incentive for you to do that. 
MR. YUZUK.  If I may speculate-- 
MR. WALDEN.  Sure. 
MR. YUZUK.  I believe that they called Cingular over and over and 
over:  "I can't remember my password, I can't remember what 
happened, it is me, here is my address, here is my Social Security 
number." 
MR. WALDEN.  So they give them everything else? 
MR. YUZUK.  This is speculation.  It was my former employer.  They 
gave all of my information over.  The investigative service would 
know virtually everything about me. 
MR. WALDEN.  I think we are going to hear from Mr. Rapp later on, he 
is one of the masterminds and was in this industry, and I think can 
really help us better understand this concept of social whatever-- 
MR. YUZUK.  Social engineering. 
MR. WALDEN. --where you work somebody down, you beg, you plead, you 
do everything legitimately to get help.  Only they are doing it in 
a con to get access to somewhere they don't belong. 
MR. YUZUK.  Correct. 
MR. WALDEN.  And that some good-intentioned, well-intentioned person 
on the other end says, oh, Mr. Yuzuk, okay here, yeah, you have 
given me 99 percent.  Here is the other one. 
MR. YUZUK.  They can call on a ton of different pretenses, so to 
speak.  It is a frustrating process. 
MR. WALDEN.  What has happened, I am curious, on Detective Gildbride 
and the Nassau County police end?  Have they been making any 
progress?  
MR. YUZUK.  I realized very quickly this is not something very high. 
There wasn't any place to go with it.  At the time, we weren't able 
to trace back the e-mail address, and we didn't have the discovery 
documents available yet.  The discovery documents literally in the 
last 2 months have come to light. 
MR. WALDEN.  I know the police agencies are terribly overloaded, but 
I think you mentioned something earlier in your comments about an 
iceberg, and icebergs aren't very high out of the water.  Sometimes 
they can run really deep, and perhaps if they looked into your case 
as we are doing, they might find this whole other piece of the 
iceberg that is affecting a lot more Mr. Yuzuk's out there. 
MR. YUZUK.  To me, the logical thing to do, which is what I 
expressed to Cingular, run that e-mail through your system.  I don't 
know why Cingular doesn't talk to MCI or Sprint or whatever and say, 
guys, look out for this; run it through your system.  Because 
anybody that gets hit with this e-mail, you know something is wrong. 
 You could probably ferret out a tremendous amount of these people 
very quickly by doing this.  At least you would get that first-- 
MR. WALDEN.  A wave of them. 
MR. YUZUK.  Some of them would be smart enough to go deeper, but you 
would get that first shot at them.  That is the kind of stuff--I 
don't know whether Cingular did advise other phone companies or 
anybody--maybe there needs to be a way that they let somebody know 
this happened. 
MR. WALDEN.  That is a good point.  I have been in small business 
for 20 years in a small town, and our chamber and others have a 
checkflash that goes around.  When somebody passes a bad check, 
they let everybody else in the community know that.  So if checks 
have been stolen or something, other merchants are made aware right 
away.  You wonder if there isn't some data mining flash that could 
go out to other phone companies.  I don't know. 
Do you know why the pages were missing from the copy of your July 
phone bill that Gambino was able to acquire? 
MR. YUZUK.  No.  After yesterday, I got--when I was in discovery I 
made them pull out the records, and mysteriously they reappeared, the 
pages reappeared.  So it turned out to be just the regular phone 
records.  So I don't know why they were hiding it to begin with, 
but we asked their attorneys three or four times for the missing 
pages, and they kept saying that they didn't have it; it was thrown 
away.  Yet yesterday, literally yesterday, when I went through it 
and I flipped through it in their offices, it was there.  I think 
it was just an oversight. 
MR. WALDEN.  So you don't suspect anything beyond oversight? 
MR. YUZUK.  No.  But, honestly, they are using the counterclaims.  
They are using the cell phone records to give me a hard time, and 
it was a further way to make an arc. 
MR. WALDEN.  I am curious.  How did CNBC find out about you? 
MR. YUZUK.  Through the private investigator. 
MR. WALDEN.  Mr. Douglas. 
MR. YUZUK.  He knew a lot of different people who are interested in 
this.  What was good at least, that they liked and they were able to 
use, I had everything documented.  I have all of the records; and, 
you know, I can definitely explain it and it was still fresh.  I 
mean, this has happened in the last year.  It is still going on. 
MR. WALDEN.  So you are the possible poster boy for this nonsense. 
Did you have something else? 
MR. YUZUK.  We haven't gone in front of the Federal judge yet, and I 
am curious what his take on this is going to be. 
MR. WALDEN.  I sure appreciate this cooperation with this panel and 
your investigation, and we are hopefully going to change this law or 
create a new law which protects people like you and other Americans 
who have suffered untold hardship from credit issues to literally 
perhaps of their own life as a result of what happens here.  So we 
look forward to that. 
Mr. Chairman, I have to go to another committee that is marking up a 
bill.  I have an amendment on.  So I will return as soon as we are 
done with that, and I appreciate your leadership on this. 
MR. WHITFIELD.  Thank you. 
At this time, I recognize Ms. Schakowsky. 
MS. SCHAKOWSKY.  Thank you, Mr. Chairman. 
The wonders of the Internet.  We just got an e-mail of the article in 
the San Francisco Chronicle.  Let me read this to you.  While it 
doesn't directly bear on your case, it is relevant to this issue. 
AT&T has issued an updated privacy policy that takes effect 
Friday.  The changes are significant because they appear to give 
the Telecom giant more latitude when it comes to sharing customers' 
personal data with government officials.  The new policy states that 
AT&T, not customers, owns customers' confidential information and can 
use it, quote, "to protect its legitimate business interest, 
safeguard others or respond to legal process."  
Policy also indicates that AT&T will track the viewing habits of the 
areas of its new video service, something that cable and satellite 
providers are prohibited from doing.  Moreover, AT&T is requiring 
customers to agree to its updated privacy policy as a condition for 
service, a new move that legal experts say will reduce customers' 
recourse for any future data sharing with government authorities or 
others.  
So in order to--you know, you are saying, how could this not be 
illegal when someone can't go into your mailbox?  At least AT&T, 
formerly SBC, is trying to, as a matter of its company policy and 
very contrary to the legislation that we are passing, hopefully, 
trying to set a policy that says it is just fine.  It is not yours 
anymore.  When you sign the agreement, they own it.  They can do 
what they want with it. 
What is your reaction to that?  I am assuming it exacerbates your 
frustration. 
MR. YUZUK.  Ma'am, it is comical.  It is absolutely comical.  They 
are not stealing my records or even your records, so to speak.  But 
they are stealing AT&T's records or something like that.  But this 
whole explanation just defies logic of how this is going and how 
they can't think that that information is not valuable to whoever 
really owns it.  It is terrible.  
MS. SCHAKOWSKY.  I am wondering if you can estimate--I am trying to 
imagine your life in dealing with this.  How much time have you had 
to try and spend on this to rectify that and what kind of costs, if 
you care to share that, you have incurred in trying to deal with 
this.  
MR. YUZUK.  Well, we have a--now I have a lawsuit that was clean on 
my side, that I was going in and there really was nothing that they 
could do; and now they have muddied the water with counterclaims 
that are utter nonsense because of these cell phone bills that, if 
some craziness occurred, could cost me millions of dollars based on 
what their counterclaims are.  Which is incomprehensible to me.  It 
really is-- 
MS. SCHAKOWSKY.  How much of your life is involved now in doing this? 
MR. YUZUK.  This is daily.  It is--and you are talking about the 
cell phone part of it.  It is dealing with whether it is Cingular 
and getting them moving, whether it is who is calling the attorney 
generals, whether it is discussing it continually with my own 
lawyers.  You know, it is getting everybody sort of lined up in 
this.  It was me getting together with this committee, getting all 
of that put to bed, all of these different parts of the puzzle.  I 
was probably spending an hour or 2 almost every day just dealing 
with this. 
MS. SCHAKOWSKY.  And all of this really gets back to the breach of 
your private information, I mean, the problems that you have had.  
Obviously, it has gone into some other directions, but it is the 
breach of your private information that has led down this path. 
MR. YUZUK.  Yes.  Them having information about me that they--which 
is a shame that all of this, which I mentioned earlier, which they 
could have legally gotten this and it could have been fine.  They 
would have just had to wait.  And this was a quick fix to creating 
counterclaims. 
So, you know, while this is not a case like a murder case or 
something like that, to me it is very, very personal; and I am sure 
all of the people that I have spoken to on the phone were not 
thrilled that their phone numbers were now given out to these 
people. 
MS. SCHAKOWSKY.  Has Cingular--they seem to have at least partially 
addressed your issue by having it go through, what, this regional 
supervisor or whatever.  Is there any indication that they have 
improved their security for others?  
MR. YUZUK.  Quite honestly, I wouldn't know.  Because I have been 
dealing with them strictly on my issue.  Obviously, I have had 
conversations with them, and I have suggested this is a problem, but 
they are a very big company and they -- 
MS. SCHAKOWSKY.  Well, you asked questions at the end of your 
testimony.  Did Cingular ever give you answers to these questions? 
MR. YUZUK.  Yes.  They said, with my Social Security number, my home 
address, with my mother's maiden name, things like that, anybody 
could open up the account for me.  And to me, the first faux pas, 
the first accident was one thing.  After I password protected it, 
red-flagged it, I don't know what else I should have done, and they 
got in again and again.  So like on my side of the table, what am I 
supposed to do? 
MS. SCHAKOWSKY.  You may have answered that already.  So how could 
that have happened?  Did Cingular explain that to you?  
MR. YUZUK.  They didn't have, from my point of view, a very good 
explanation.  They explained to me that maybe I gave them my 
password.  I gave the other side my password, the private 
investigator my password so they could break in, which I didn't 
quite find really believable.  They said maybe you were having a 
conversation and somebody overheard you say it.  I was like, that 
there was no way.  It was, maybe you wrote it down.  I said, no, it 
is not written down anywhere.  I shred every document.  There is no 
way it is not possible. 
MS. SCHAKOWSKY.  So they did not take responsibility and suggested 
that you perhaps inadvertently had given the information. 
If you were--I mean, I realize this isn't your business--I mean, 
your profession--but I am wondering if you had, as a result of 
this experience, had any thoughts of what carriers could do to 
strengthen their internal controls against this kind of fraud. 
MR. YUZUK.  Yes.  Obviously, just using somebody's Social Security 
number and it being a male--like a man on the phone calling, saying 
I am this person, is really not acceptable.  It can't function like 
that.  Because these types of things can happen.  So that would be 
the first thing. 
I would also think that they should go after these people rather 
harshly.  And what was surprising to me was, from the bottom up, 
when I was going after Cingular, why I am sure the people who are 
sitting here today who do this for a living don't worry about it, 
because Cingular didn't move.  They didn't want to know from this. 
 It wasn't from when I went from the top down and I pushed, all of 
a sudden they woke up and started moving.  Now I will say that they 
jumped on it, and they are going full force.  But it was not 
happening for me as a customer going up the ladder.  That did not 
happen.  Which is why I would imagine so many of these people are so 
brazen in what they are doing, because they know nobody is going to 
come after them. 
MS. SCHAKOWSKY.  Thank you very much.  Appreciate your testimony. 
I yield back. 
MR. WHITFIELD.  Thank you. 
At this time, I recognize Dr. Burgess. 
MR. BURGESS.  Thank you, Mr. Chairman.  I appreciate you being here 
today. 
I won't take the entire time allotted to me.  I guess the 
question-- I apologize for being out of the room.  How was your 
Social Security  
number obtained?  
MR. YUZUK.  At this point, we do not know, until I guess we depose 
Michelle Gambino and ask her if my former partners gave her my 
information.  I speculate that that is exactly what happened. 
MR. BURGESS.  So they would have had access to your payroll data 
because of your prior partnership? 
MR. YUZUK.  Everything, everything about me. 
MR. BURGESS.  Now your Cipriani Associates that you are in the legal 
dispute with, they said they obtained this information legally.  
They went and bought it from a company, and so it is not their 
fault. 
I guess the question that I would ask, in your opinion, who is really 
at fault here for your personal information being divulged to a 
party who is opposing you in a lawsuit? 
MR. YUZUK.  It is a very, very interesting question.  Because when 
I have asked the attorneys this type of stuff, I get different 
answers.  Because one of the things that comes up which I have 
gotten from some of them is what would a reasonable person assume?  
Wouldn't a reasonable person know that you can't go get somebody's 
phone records and have my phone records?  There is no legal way to 
do that because how could you have it if I didn't give it to you?  
They didn't steal it.  How could you possibly have it?  
They seem to think because I went and spoke to this person who spoke 
to that person, that now all of a sudden it is okay to get the 
phone records.  And this is stuff I honestly don't understand. 
So, from my point of view, a reasonable person knows if all of 
a sudden somebody handed you my phone bill, you would know if I 
didn't give it to you, there is a problem. 
I apologize if I am not answering. 
MR. BURGESS.  I think that is satisfactory, and it points to the 
fact why they tried to blame you for having perhaps divulged your 
Social Security number or your e-mail address in a conversation 
that you didn't remember. 
Well, let me ask you this--and I think we have been through most of 
your story.  There is a possibility that we will have some of the 
phone companies here to talk to at some point.  Is there a question 
that you would like us to ask on your behalf of Cingular or the 
phone companies in general?  
MR. YUZUK.  Not from me so much as a person, because the milk is 
already spilled.  I would tell you that they need to have some 
division or something set up within the phone companies so when 
this happens there is a path you can go down so it can reach high 
up enough in the chain that they address the situation.  Because I 
can tell you that I was on the phone pounding, and I could not move 
it forward.  I was not afraid to go in again and again and again, 
and I just kept hitting a ceiling over and over. 
So if you would ask me one concrete thing that the phone company has 
to have is, when somebody calls up with a complaint like this, it 
has to have a way of going up the chain. 
MR. BURGESS.  So they have to assign a much higher priority to this 
complaint. 
MR. YUZUK.  It has to reach a level that they realize it is a huge 
jeopardy.  In my case, from my personal point of view, it is millions 
of dollars at stake; and I can't get them to wake up.  I am begging 
them on the phone to help me. 
MR. BURGESS.  But, on the other hand, someone who calls persistently 
and drives over and over again to get your information was 
apparently successful at doing so. 
MR. YUZUK.  Because they could get that at the level. 
MR. BURGESS.  At the other level. 
MR. YUZUK.  But they were clear they couldn't put things higher.  
They could give away my personal stuff, but they couldn't give me 
to the next guy up. 
MR. BURGESS.  Very good. 
Mr. Chairman, as always, fascinating and certainly look forward to 
hearing the other witnesses. 
Thank you, Mr. Yuzuk, for giving us your time. 
MR. WHITFIELD.  Thank you. 
At this time, recognize Mr. Inslee. 
MR. INSLEE.  Thank you. 
I just principally want to thank you for being here in the hopes 
that your effort will jog Congress as you have not been able to jog 
the phone company.  
Mrs. Blackburn and I introduced a bill January 31st of this year.  
It is what we call around here a "no-brainer" bill that basically 
makes pretext calling a wrongful act to get to the bottom of this. 
 And Congress is still fiddling around this many months later while 
there are thousands of other people we believe in exactly your 
condition out there calling their phone companies today trying to 
fix this problem. 
I want to thank you for coming, and I hope you will light a fire 
under Congress by your willingness to come here today that you 
couldn't light a fire under your phone company.  So I want to thank 
you for being here and give you a free thought.  If there is 
something you want to tell us that you haven't already-- 
MR. YUZUK.  I would like to thank you all; and, as a person on this 
side of the table, I need help.  And it is not only me.  I am sure 
there are a lot other people that need help.  Whatever the 
jurisdiction and fighting that is going on, I just need help. 
MR. INSLEE.  We would like to have that cry of help answered in 
getting this bill on the suspension calendar and pass this.  Thanks 
for being here. 
MR. WHITFIELD.  Mr. Yuzuk, I also want to thank you on behalf of 
the committee.  We wish you the very best in your efforts to get all 
of this cleared up; and if you feel any information that you may 
come across as you move forward would be helpful to the committee, 
we would really appreciate your getting back in touch with us.  We 
look forward to working with you as we try to pass legislation to 
help solve this problem for the American people. 
So you are dismissed, and thank you again. 
MR. YUZUK.  Thank you all.  Thank you all for your time. 
MR. WHITFIELD.  At this time, we will move to the second panel. 
On the second panel, we have two people.  First of all, 
Mr. James Rapp, who is the former owner of Touch Tone Information. 
I have read a couple of newspaper articles about Mr. Rapp, and I 
would say that he is a real expert at being a data broker in 
obtaining information.  In fact, the Rocky Mountain News in 
Colorado wrote an article about him and said that, at his peak, his 
million dollar information broker business was thought to be one of 
the largest of its kind in the country. 
So, Mr. Rapp, if you would come forward, we appreciate your being 
here. 
And then Mr. David Gandal, if he would come forward.  He is the 
owner of Shpondow.com, and I know that his business has been 
focused upon helping automobile financiers repossess automobiles. 
But, as you gentlemen know, this is an Oversight and 
Investigations Subcommittee hearing, and we do take testimony under 
oath.  Under the rules of the House and rules of the committee you 
are entitled to be advised by legal counsel.  Do either of you have 
legal counsel with you today? 
MR. RAPP.  No. 
MR. GANDAL.  No. 
MR. WHITFIELD.  And you don't have any difficulty testifying under 
oath? 
MR. RAPP.  No. 
MR. GANDAL.  No. 
[Witnesses sworn.] 
MR. WHITFIELD.  Both of you are now under oath, and we appreciate 
very much your cooperating with the committee and being here.  
Testimony from people like you who are real experts in this can go 
a long way in helping us perfect some of our solutions. 

TESTIMONY OF JAMES RAPP, TOUCH TONE INFORMATION, PARKER, COLORADO; 
AND DAVID GANDAL, SHPONDOW.COM, LOVELAND, COLORADO 

MR. WHITFIELD.  So, at this time, Mr. Rapp, I will recognize you for 
your 5-minute opening statement, after you have your glass of water 
there.  
MR. RAPP.  Thank you, Mr. Chairman. 
MR. WHITFIELD.  And if you would be sure to hit the button so the 
microphone would be on. 
MR. RAPP.  All right, sir.  Thank you, Mr. Chairman. 
Many years ago, back in the early '80s, I discovered a way to 
acquire information at that point helping where the--the position I 
was in at that point was in an incarceration position back in '82.  
Many inmates wanted to contact family members, ex-girlfriends, and 
other things; and they had no way to do so.  They had no way to get 
out to do anything with anybody.  And I discovered a way that I 
could contact various utility companies, phone companies, or the 
relatives themselves and find out where they were and get the 
information.  The inmates weren't going to do any harm.  These were 
people at that point that was a platonic relationship or a 
lovesick relationship. 
Things started from there, and from the '80s it progressed to where 
we started a company and had many different companies, my wife and 
I did, to the point where, during the '90s, we had many employees 
in our office and the ones that I had trained, that were able to, 
they went to their own homes and they worked and we provided 
information from anybody and everybody consistently throughout the 
country. 
There were many times that we were contacted by attorneys to try and 
track down judgment debtors.  The majority of our work dealt with 
people that incurred debts such as finance loans or other such debts 
that they didn't pay, and we just couldn't do anything.  There is 
no sense in going through with a process of interrogatories or 
discovery after you issue a summons and try to get somebody's money, 
try to get a judgment, if you don't know where they are and you 
don't know where their money is.  That is where we came into play. 
 We found the people.  We tracked them down.  We found out where 
they banked.  We found their account numbers, balance, savings, 
checking, money markets, everything, so that they could go ahead 
and decide if they wanted to execute a judgment, if the person was 
worthwhile to get the money from. 
So, to begin with, I think our intentions were somewhat noble with 
the aspect of trying to make sure that people that had debts paid 
those debts.  Bankruptcies were going crazy, and at this point I 
know some of the bankruptcy laws have been changed, but there are 
so many people out there that can get away with so much, there had 
to be some kind of a stopgap.  At least that was my initial thought, 
and we were that stopgap. 
There was nowhere you could run or hide that we couldn't track you 
down.  There were no moneys that you could put in the Cayman Islands 
Barclays Bank that I couldn't find.  And that was maybe a little 
cocky of an attitude, but that is pretty much how we ran our 
business for many, many years and very successfully.  
We never dealt with the Internet.  The Internet at that point wasn't 
that big of an issue, wasn't a necessity for us.  The telephone was 
my key to the world, and that is everything I needed.  
We pretty much tried to tie in with private investigators.  I would 
go through the phone books in every major city in the United States 
and I would contact the PIs and solicit my business to them, say let 
me help you provide the information, quick, easy, and for a price 
you can afford.  That is when we started faxing off our information, 
and we got a tremendous amount of response.  Business was great.  
We had all of the work in the world that we could handle.  
Then, during the Clinton era, we were working a lot.  I think our 
business started to change during that era from the judgment debtors 
to more the media issues, the tabloids, entertainment, 60 Minutes, 
20/20.  People wanted to know, and if they wanted to know the 
information, somebody had to provide that information.  We didn't 
want to be the car that went and ran off Princess Di.  We didn't 
want to be that aggressive of the paparazzi, but we wanted to 
provide the information to the media that needed it. 
So, during the Clinton era, we did a lot of the work on the 
Monica Lewinsky/Bill Clinton--all of those issues; and that brought 
us to light to the FBI.  They came out to us, and they wanted to 
find out who we were working for.  At that point, my wife and I 
asked, is there anything illegal that we are doing in any respect?  
Here is my complete list of what I do and who I do it for and how 
I do it.  And we were told by the Federal law at that point 
absolutely nothing you are doing is wrong or illegal, so we felt 
reassured, and we continued on. 
Unfortunately, a few years ago, there was a young lady that 
apparently--I don't know if it was a young lady or man--but it was 
a client of ours.  A private investigator contacted us to break a 
pager number, something we had done thousands of times before.  The 
pager number, unbeknownst to us, went to an undercover Los Angeles 
police detective that was then killed at some point once he was 
tracked down to his home location. 
That is the kind of thing that gives at least my former industry 
a tremendously bad name.  There are a lot of good aspects to data 
brokers.  There are a lot of negatives as well.  Unfortunately, the 
negative is what the press hears, and that is what we are here for 
today, because of the negative aspects.  We can't allow people to 
go around getting into debt, doing things they shouldn't be doing 
without something, if the law enforcement isn't going to help, some 
kind of a stopgap, and that is what we were. 
But it flourished from there, and everybody wanted to know 
everything about everybody else.  There are no more secrets, and 
that is the truth of the matter.  We were a big proponent of that 
to the extent that we provided anything and everything for anybody, 
and we really weren't that concerned with who or why. 
When we were brought to D.C. just a few years ago by the law firm 
Butera and Andrews, we were brought here because the Federal Trade 
Commission said, oh, wait a minute now.  You're getting too much 
financial information.  Too many people are upset about the fact 
you were finding their bank accounts.  
They are not concerned about the fact they owe tons of money.  They 
are only concerned that we found out where the money was. 
But the Private Investigators Association of America paid for us to 
have a good law firm behind us.  In such case, they dissolved the 
whole matter.  Probation.  Don't acquire banks, and everything is 
fine.  So again we were reassured again by another branch of the 
Federal government that everything we were doing was okay.  Just 
don't get banking information. 
We continued at that point until such time that we were contacted 
by the Colorado Bureau of Investigations after little JonBenet 
Ramsey died.  We did a lot of work there.  They said, you are going 
to stop, and we are looking into RICO statutes on you, and that was 
pretty much the end.  That was back in '99, and I haven't picked up 
a phone professionally since that time. 
MR. WHITFIELD.  Thank you, Mr. Rapp.  And that was enlightening 
testimony. 
[The prepared statement of James Rapp follows:] 

PREPARED STATEMENT OF JAMES RAPP, TOUCH TONE INFORMATION, PARKER, 
COLORADO 

Chairman Whitfield, Ranking Member Stupak, thank you for inviting me 
to testify before the Subcommittee today.  I appreciate this 
opportunity to briefly introduce myself and explain my former role 
in the data broker industry, and I ask that my full written 
statement be entered into the record. 
My name is James Rapp, and I used to own and operate several 
companies in the data broker industry, including Touch Tone 
Information.  Early during the 1980's, I was incarcerated for an 
auto theft in the Colorado State Penitentiary, where I discovered 
that I was adept at acquiring and providing information.  Various 
inmates would come to me and ask to find their estranged girlfriends 
or wives, or something to that effect, and I would proceed to take 
their old disconnected phone number and acquire the new number and 
address for these men to make contact with. 
One thing led to another and after I was released in 1982, I started 
working for various attorneys to provide them with process service 
as well as to provide them with the employment and banking 
information of the individuals that they had acquired judgments 
upon.  During that time my business was known as "Mile High 
Investigative Service" and as such solicited private investigators 
in addition to the attorneys that we mainly worked for. 
Things progressed fairly well until 1991 when my ex-wife Holly, 
left and I decided to downsize completely and went to Texas to work 
for a client in the city of Conroe.  After a short time I met my 
everlasting wife, Regana and we started up our business again.  We 
started out to contact our old clientele and arraigned a cross 
country trip to do "Investigative Seminars" to teach (for a cost 
of course) the "how to's" of acquiring information relevant to the 
private investigator realm.  
We then moved to Florida, and from Florida we moved to Utah and then 
to Montana where we then decided based upon my father's failing 
health to move back home to Colorado.  The reason for all these 
moves was simple; most states required a license to do the 
investigative work that we were doing.  One problem was that my 
felony convection literally shot me out of the water with any 
chance to achieve a license in any state that we tried, except for 
good old Colorado. 
During this time we went through many name changes - Phantom 
Investigation, Dirty Deeds done dirt cheap, Scanners, etc.  The 
lasting name that we kept was Touch Tone Information, which was 
initiated once we returned to Colorado. 
Our name as well as our success rate drew us national attention, 
along with working on such nationally known cases such as Bill 
Clinton and Monica Lewinski, Columbine and other atrocities, as 
well as various media celebrities and stars around the world.  
Our business was constantly changing, for we started out just 
working to locate the judgment debtors, but wound up working for 
other information brokers throughout the country to provide the 
most current and up to date goings on of the media world.  
During the 1990's, we were maintaining a staff of over 20 on site 
as well as anywhere from 5 to 15 people working from home.  Our 
yearly billings were over 1 million for the years 1995 to 1998.  
Our quantity of clients exceeded 1,500 during our peak.  During 
that time, we were contacted by such news shows as 20/20 and 60 
minutes, all of which our counsel told us the best action was 
to say nothing about anything. 
I felt good about the good work that we did do, for we assisted in 
the locating of many missing children as well as helping many of 
the bail bondsman to locate the ones that got away.  During this 
time our clientele type was as follows: 
A.  Attorneys 
B.  Private Investigators 
C.  Bail Bondsman 
D.  Information Brokers 
E.  Investigative contacts for news and media organizations 

Unfortunately, the more notoriety that we achieved, the more the 
press, both newspaper and T.V., we had on our heels to get whatever 
scoop they were chasing.  The idea of pretexting or scamming someone 
on the phone has been around since the days of the old James Cagney 
movies. 
I would teach our employees and clients if they wanted to learn, 
how to impersonate someone so that the person on the other end of 
the line would feel either sympathy or pressure, whatever it took 
for them to release to me the information that I needed.  Anyone 
can impersonate anyone else if they sincerely make an effort, the 
person or customer service representative on the other end of the 
line truly wants to help, (most of the time anyway) so I use that 
to my advantage and convince them that they need to give me certain 
specific data.  This was how I achieved the majority of all my 
information, for back in the 1980's and early 1990's, the Internet 
was not that big into personal information. 
During the time of the Bill Clinton and Monica scandal, we were 
contacted by the F.B.I, I believe from the Baltimore office.  The 
agent wanted to know specifically who our client was that requested 
the information on why the White House was paying for Ms. Lewinsky's 
apartment as well as tracking down various cell phone and landline 
contacts of Ms. Lewinsky's.   After review with our counsel, we made 
available all records to that case to the agent who specifically 
informed us that we were within the legal limits on all work that 
we were doing! 
Thus we continued on blindly believing that we were literally 
assisting good people with good information.  This went on until 
the day that the Colorado Bureau of Investigation stepped through 
our doors and informed us that they had been tapping our lines and 
they believed that they had enough information on us for an 
indictment under the charge of Racketeering.  Immediately, we shut 
our doors, having been advised by our attorney that we should - for 
why should we make the case against us any worse than it already was? 
We left with a host of clientele still wanting their information on 
unsolved cases, as well as a healthy remaining balance in our 
"accounts receivable file."  During this time I was featured on 
"Americas most wanted" as being the #1 con man in America, what a 
crock, if they only knew the truth I thought. 
The truth was however that we never committed fraud in our own 
minds, for we never used the information to steal a single penny, 
but only used the information as a marketable product to sell and 
distribute. 
This, we were informed, was a crime, and since we had done this so 
many times over the years, we (Regana & I) were both looking at 
doing serious time.  The only solution according to our attorney 
was to cease all business activities including any additional 
efforts at collecting our own past due debts and to walk away 
clean.  
This we did, for as it turned out the Lord literally freed up our 
time for my father got to the point with his cancer that we had to 
care for him full time at our house, where 4 months later he died. 
The final disposition was only 30 days in work release along with 
5 years probation - which was shortened to 3 years due to our 
sincere efforts at working elsewhere, not in our business, nor were 
we any risk whether flight, or criminal.  Then later in 1999 after 
my dad died, the lot fell to us once again to care for my mother.  
We worked out an arrangement with her and her attorneys so that 
we could receive funds from the trust set up by my father's 
departure which afforded us the time to care for her. 
Earlier this year, the Colorado Bureau of Investigation again 
contacted me, but this time they wanted to know if I would sit down 
with your Committee's staff to discuss my former business, the ins 
and outs of how I achieved the information, and how I targeted my 
clientele.  This I was more than happy to do, for I hold no 
animosity toward any law enforcement agency for our ouster of 
the investigative business. 
I informed Mr. Brown from the "CBI" as well as your Committee's 
staff that I honestly feel that this business is a necessity in our 
world, and that as long as people get in debt, there must be people 
to help collect that debt. 
In addition, the media will always want to know the latest scoop, 
whether trivially how drunk the young Ms. Bush got the night before 
or any information related to any newsworthy event. 
The answer then is NO, the business will never cease, but you as 
being the governmental body that can affect the way things are 
accomplished, I can tell you that you are having an actual effect 
on how the investigative world is handling their affairs today. 
This is occurring as we speak, for many data broker agencies that 
I have contacted over the past few months, have informed me that 
some information is getting tougher to achieve, due to the fact 
of the involvement of both state and federal authorities. 
The customer service aspects of the Utility Companies such as 
Telephone, Electricity, Cable and Satellite, etc. are the only 
ones that can make or break most of these attempts to acquire the 
information - for without sources to acquire the information, the 
quantity of success will go drastically down. 
While I personally do not advocate the elimination of either 
these investigative techniques or the agencies themselves, I must 
admit that many cross the line into the illegal realms, thus giving 
a bad name to all investigators. 
As of the date of this letter, my mother is also in severe physical 
shape to the extent that she is presently in a nursing home and 
will be some coming to stay with us until the inevitable occurs. 
These are the basic facts of my life from the time of my entrance 
to the investigative world in 1982 until the termination of Touch 
Tone in 1999.  Thank you for your willingness to listen to me 
today, and I sincerely hope that my experience and knowledge in 
these investigative matters will be of help to you, to further 
understand both the good and the bad of my former business, the 
acquisition of information. 

Sincerely, 

James J. Rapp 
Former director, Touch Tone Information network 

P.S.  Please note that I have submitted to the Subcommittee an 
original copy of my training seminar handbook.  As an attachment to 
this testimony, I have included the following pages that outline the 
basic list of services that we provided to our clients during the 
operation of Touch Tone, and brief outlines of the ways that we 
utilized to acquire the requested information.  I am happy to 
describe for the Committee any of the following methods for 
obtaining records and information. 

Attachment A (Testimony of James Rapp, Outline of Training Handbook) 

Landline telephone numerical investigations 
The Local Carrier variations 
1. Residential Repair 
2. Business Repair 
3. Residential Orders 
4. Business Orders 
5. Residential Billing 
6. Business Billing 
7. Yellow Pages assistance 
8. Utilizing the CNL or CAN bureau of the Local telephone carrier 
9. Learning the carrier's terminology, Elmos, Orion, Boss, Premis 
etc. 

Utilizing the long distance carrier to obtain local information: 
1. The infamous "Quickcheck" 
2. 800 install assistance 
3. Foreign speaking operator assistance 

Cellular & Pager numerical investigations: 
1. Determining the carrier 
2. Identifying the local shop for both the Cellular carrier and the 
pager 
3. Utilization of trap lines to identify pager ownership 
4. Repair and sales of the Cellular company 
5. Resellers, the worst nightmare 
6. Use the "CAP" code on the pager for assistance, one office 
vs. another 

Independent Voice Mail number investigations: 
1. American voice mail, automated vs. verbal set up 
2. Land line direct voice mail accounts 

Toll Free & Remote call forwarded number Investigations: 
1. Determining the carrier of the initial number 
2. Acquiring the ring to number 
3. Breaking the ring to number 

International number breaks, Cellular and Landline: 
1. Breaking down the number into a country and city, determining the 
language and time element 
2. ATT Language line services 
3. Determining the carrier and acquiring their direct dial numbers 
4. Knowing your culture, varied holiday and other observances 

Physical Location Investigations: 
Non published address and telephone number investigation 
1. Getting accurate information from directory assistance 
2. Utilizing the non-published bureau of the local carrier 
3. Getting all your source ducks in a row 
4. Local cable company 
5. Local gas and electric company, propane if rural area 
6. Local newspaper company 
7. Local water department 
8. Trash service 
9. County voters registration 
10. County clerk & recorder, property, tax info etc. 
11. Local area hospital records 
12. Local video and grocery store information 
13. Credit Card records 
14. Reverse 911 assistance 
15. Playing the game to determine the address on file with 
information, know the city info as well as numeric basics 

Physical address break 
1. Getting all your source ducks in a row 
2. Local cable company 
3. Local gas and electric company, propane if rural area 
4.  Local newspaper company, circulation & classified 
5.  Local telephone carrier, your only guarantee 
6.  Local water department 
7.  Trash service 
8.  County voters registration 
9.  County clerk & recorder, property, tax info etc. 
10.  Local area hospital records 
11.  Local video and grocery store information 
12.  Reverse 911 assistance 

Telephone and Credit Card toll records investigations: 
Landline toll record acquisition  
1. Residential vs. Business 
2. Knowing the subjects plan 
3. Determining the breakdown of the bill (Custom calling features, 
etc.), using the local carrier to get to the long distance 
carrier. 
4. Finding the long distance carrier, usage of "PIC" numbers 
5. Calling the subject to acquire the long distance carrier 
6. Acquiring the long distance carriers page numbers 
7. Getting the true local calls, determining your subjects mileage 
radius 
8. Avoiding the dogs of war, the operators noting the account 
9. Putting them in a position where they cannot say "NO" 

Cellular toll record acquisition  
1. Determining the carrier 
2. Knowing the subjects plan 
3. Customer service vs. the local store 
4. Picking up and faxing in 
5. Internet usage acquisition 

Credit Card statement acquisition  
1. Determining the institution 
2. Acquiring the statement without the card number 
3. Customer service vs. Local bank 
4. Getting the breakdown (date, merchant, time & location) then the 
charges 

Governmental Investigations:  
Social Security information  
1. Going federal 
2. Knowing your subject, what's your goal (SSN, Address, 
Banking, etc) 
3. Acquiring the number to the local office, get names and address's 
4. Knowing the terminology 
5. Going local to federal 
6. Going local to local 
7. Credit headers 
8. Creating confusion with similarities 
9. Disability, Medicare, Medicaid & Benefit information 
10. Utilizing the appeals section of the Social Security  
administration  
11. Acquiring relative information 

The Welfare system: 
1. Food stamps 
2. A.F.D.C. (Aid to families with dependent children) 
3. County assistance 
4. L.E.A.P. (Low income energy assistance program) 
5. Public housing authority 

Military information  
1. The standard DD-214 form 
2. Determining the whereabouts of any individual 
3. Financial aspects, how much, where are the funds deposited or the 
check cashed 
4. Utilizing the aggressive recruiter to do your search for you 

Department of Immigration and Naturalization  
1. Alien Identification information 
2. Relative status 
3. Current location and employment information 

Post Office Box breaks, both public and private 
1. Determining the type of box 
2. Acquiring the names and address on file 
3. Utilizing the forwarding information 
4. The box clerk vs. the station manager 
5. The postal inspector & the receipt of inappropriate materials 
6. Getting the private MBE (Mail Box's etc.) to talk to you 

Department of Motor Vehicle information 
       1.  License plate information 
       2.   	VIN number information 
       3.   	Track down through the name alone 
       4.   	Going directly in 
       5.   	Station to station 
       6.   	Dealership and insurance information 

Specialized Investigations: 
1.  	Clientele List acquisitions 
2. 	Medical history information  
Employment information, both current and past 
1. Who does the subject work for? 
2. Telephone research vs. surveillance 
3. Quantity of the paycheck 
4. Self Employment:  Determining where the funds are coming from 

Financial Investigations: 
1. Banking, both Individual and Corporate information 
2. Various contacts with the subjects banking information 
3. Contact of the subject directly 
4. Brokerage house investigations 
5. Individually owned stocks, bonds, mutual funds etc. 
6. Real estate holdings 

MR. WHITFIELD.  Mr. Gandal. 
MR. GANDAL.  We are on the air.  Okay, good. 
I would like to thank the committee for allowing me to appear before 
you.  You may already know this, but I want to firstly bring home 
the point that I contacted the committee, not the other way around. 
 I did this almost immediately after the committee sent out the 
first group of letters to data brokers and informally provided the 
investigation with information and explanations about the data 
broker industry.  In fact, my name would not have come up along the 
avenues the committee used in compiling the data for their 
investigation.  The reason for this is, I work in a very small 
corner in the data broker industry.  I work for automobile 
financiers and their respective repossession companies.  I do not 
market or offer any services to the general public.  
I have been a skip tracer and an information broker in this small 
corner of the data broker industry for more than 20 years.  I should 
note that, after speaking with a representative of the committee at 
great length, I decided to suspend my operations with regards to 
cellular call information detail.  
A few years ago, I saw these websites popping up which offered 
private telephone information to anyone with a credit card.  To 
begin with, I found this practice terribly irresponsible of the 
information brokers involved.  They did not control where the 
sensitive information was going or what it was going to be used 
for.  Nor, honestly, did they seem to care.  I also felt that 
their existence would shake up the wireless companies where skip 
tracers had worked quietly for so long. 
So I called the committee, and I asked the committee if they were 
trying to shut down the repossession industry.  And it didn't seem 
their focus was really recovery agencies, but without a common 
understanding I felt the committee had no chance of seeing a 
permissible purpose here.  So I wanted to help.  I assisted the 
committee by helping it understand how pretexting is done and what 
clients are soliciting this information for what I see is for 
permissible purposes.  I drew a line of distinction between the 
auto financiers searching for a vehicle and the "plain Joe" who 
wants this information for his own personal and possibly dangerous 
reasons. 
I am proud of my service to dozens of financial institutions for 
over two decades, and it shook me to the core that my profession 
was to be effectively criminalized.  So please allow me to speak of 
another profession that I feel should be criminalized before the 
only support for every auto financier in America receives this 
fate: the professional debtor.  This is the individual who uses 
true name fraud in order to purchase dozens of vehicles which he 
has no intention of paying for.  He may give the cars to friends 
or family, but, many times, he will sublease the vehicles and 
pocket the money that the third-party lessee gives him. 
The sweeping changes and credit granting that took place in the 
1970s opened new opportunities in the '80s and '90s, these being 
the subprime auto lenders.  They charge the highest interest rates 
allowed by law, and they do this proudly as they keep the mass of 
Middle America with dependable transportation. 
There was a time not long ago when a consumer with questionable 
credit did not get a car loan, plain and simple.  Now it is an 
educated guess that nearly 50 percent of American consumers have 
questionable credit.  I have checked this figure with several 
experienced managers in lending offices, and they concur.  The 
subprime lender is the only friend a guy's got after two previous 
repossessions and a bankruptcy.  He is going to need a car in order 
to dig himself out of the hole he finds himself in.  And forgive me 
for the gender choice.  It could have been a single mother as well. 
The subprime lender will give that man a second or even third chance, 
and they do this because they have the ability to recover the 
vehicle should the payments get too far behind.  Well, take away 
that last tool of their career salvation, the skip tracer at the 
repossession company, and you will see those with questionable 
credit will no longer be getting cars financed.  No longer buying 
those cars, nearly 50 percent of America, and it is all on the 
coattails of that professional debtor I spoke of.  He is the one 
who laughs at the repossessor when he is finally located. 
So the skip tracer fights back on the only battleground available, 
and that is the way it has been for 50 years in this industry.  As 
an expert skip tracer in the repossession field, I would like to 
offer two options to the committee to be considered as solutions 
to the problem.  
First, allow financial institutions and their agents thereof to 
continue the use of pretext in order to garner information otherwise 
not available in order to effectuate a legal and timely repossession. 
The other option is to create a liaison between the U.S. Government 
and the auto finance industry and recovery industry where 
information could be relayed to the telephone companies via their 
subpoena compliance departments and the needed info forwarded back 
to the recovery agency.  In fact, to take this a step further, true 
name fraud is so prevalent in this day and age that I feel a 
liaison representative should be able to contact these debtors and 
demand that the cars be returned immediately.  
In summary, there is a need for this information, just as there is 
a need for the subprime auto financier.  I, again, honestly and 
humbly thank you for this opportunity today. 
MR. WHITFIELD.  Thank you, Mr. Gandal; and we appreciate the 
testimony of both of you. 
[The prepared statement of David Gandal follows:] 


PREPARED STATEMENT OF DAVID GANDAL, SHPONDOW.COM, LOVELAND, COLORADO 

I would like to thank the committee for allowing me to appear before 
you.   You may already know this, but I want to firstly bring home 
the point that I contacted the committee.  I did this almost 
immediately after the committee sent out their first group of 
letters to data brokers and informally provided the investigation 
with information and explanations about the data broker industry.  
In fact, my name would not have come up along the avenues the 
committee used in compiling data for their investigation.  The 
reason for this is I work in a small corner of the data broker 
industry.  I work for automobile financiers and their respective 
repossession companies.  I do not market or offer any services to 
the general public. 
I have been a skip tracer and information broker in this small 
corner of the data broker industry for more than twenty years.  I 
should note that after speaking with a representative of the 
committee at great length,  I decided to suspend my operations with 
regards to cellular call detail information.   A few years ago I 
saw these web sites popping up which offered private telephone 
information to anyone with a credit card.  To begin with, I found 
this practice terribly irresponsible of the information brokers 
involved.  They did not control where this sensitive information 
was going or what it was going to be used for.  Nor did they seem 
to care.  I also felt that their existence would shake up the 
wireless companies where skip tracers had worked quietly for so 
long.  So I called the committee and I asked the committee if they 
were trying to shut down the repossession industry and it didn't 
seem that their focus was really recovery agencies, but without a 
common understanding I felt the committee had no chance of seeing 
a permissible purpose here.  So I wanted to help.  I assisted the 
committee by helping it understand how pretexting is done and what 
clients are soliciting for this information for what I see as 
permissible purposes.  I drew a line of distinction between the 
auto financiers searching for a vehicle and the 'Plain Joe' who 
wants this information for his own personal and possibly dangerous 
reasons.  I am proud of my service to dozens of financial 
institutions over the past two decades and it shook me pretty bad 
to find that my profession was to be effectively criminalized.  
So please allow me to speak of another profession that I feel 
should be criminalized before the only support for every auto 
financier in America receives this fate: The Professional Debtor.  
This is the individual who uses true name fraud in order to purchase 
dozens of vehicles which he has no intention on paying for.  He may 
give the cars to friends or family but many times he will sub-lease 
the vehicles and pocket the money that the third party lessee gives 
him. 
The sweeping changes in credit granting that took place in the 
1970's opened new opportunities in the 80's and 90's, these being 
the sub-prime auto lenders.  They charge the highest interest rates 
allowed by law and they do this proudly as they keep the mass of 
Middle America with dependable transportation.  There was a time 
not long ago when a consumer with questionable credit did not get a 
car loan, plain and simple.  Now, it is an educated guess that 
nearly fifty percent of American consumers have questionable credit. 
 I have checked this figure with several experienced managers in 
lending offices and they concur.  The sub prime lender is the only 
friend a guy's got after two previous repossessions and a 
bankruptcy.  He's going to need a car in order to dig himself out 
of the whole he finds himself in, and forgive me for the gender 
choice; it could have been a single mother as well.  The sub prime 
lender will give that man a second and even third chance.  And they 
do this because they have the ability to recover the vehicle should 
the payments get too far behind.  Well, take away the last tool of 
their career salvation, the skip tracer at the repossession company 
and you will see that those with questionable credit will no longer 
be getting cars financed.  No longer buying those cars then...nearly 
fifty percent of America, and it's all on the coattails of that 
professional debtor I spoke of.  He is the one who laughs at the 
repossessor when he finally is located.  So the skip tracer fights 
back on the only battleground available and that is the way it has 
been for fifty years in this industry.  As an expert skip tracer 
in the repossession area, I would like to offer two options to the 
committee to be considered as solutions to this problem. 
First, allow financial institutions and their agents thereof to 
continue the use of pretext in order to garner information 
otherwise not available in order to effectuate a legal and 
timely repossession. 
The other option is to create a liaison between the US government 
and the auto finance and recovery industry where information could 
be related to the telephone companies via their subpoena compliance 
departments and the needed info then forwarded back to the recovery 
agency.  In fact to take this a step further, true name fraud is so 
prevalent in this day and age that I feel a liaison representative 
should be able to contact these debtor and demand that the units 
be returned immediately.  
In summary, there is a need for this information, just as there is a 
need for the sub prime auto financier.  I again honestly and humbly 
thank you for this opportunity today. 

MR. WHITFIELD.  Mr. Rapp, it is my understanding that you are one of 
the, for lack of a better term, leaders of this industry.  You are 
one of the early data brokers in the country; is that correct? 
MR. RAPP.  Yes, I was. 
MR. WHITFIELD.  And you even have a training manual and you went 
around the country training other data brokers on the most effective 
way of obtaining this information. 
MR. RAPP.  There was a period of time that I realized that better 
funds could be better acquired by me going out and addressing the 
issues on how to specifically--breaking it down, showing people how 
to acquire the information throughout the country of the clients 
we had already established.  Thinking at that point--delusions of 
grandeur--that I could then leave the business, have enough funds, 
and life would be good.  
Unfortunately, things don't work out the way you want.  And I 
trained many, many clients.  We made a tremendous amount of money.  
But they still continued to use us; and at that point they said, 
well, we don't want to do it on our own.  We want to understand more 
of what you do, but we still want to use you. 
MR. WHITFIELD.  Okay.  During your testimony in articles that I 
have read about you, you mentioned President Bill Clinton and Monica 
Lewinsky.  You referred to an undercover officer out of Los Angeles 
who was murdered-- 
MR. RAPP.  Correct. 
MR. WHITFIELD. --because of information you were able to obtain.  
And you mentioned the National Enquirer, The Globe, and even 
indirectly mainstream media.  And I would just ask you, were any 
of the mainstream media ever your clients in obtaining information 
about people?  
MR. RAPP.  In roundabout ways they were.  Such organizations such 
as 20/20, Entertainment Tonight, weekly news or nightly news, NBC, 
CBS, and ABC, they would have their private investigator on staff; 
and those investigators, some of which would contact us relating 
to different--small pieces of information they would need.  Where 
is an individual going to be at a certain time?  This individual 
apparently is driving a Porsche but works as a busboy at a 
restaurant.  How come?  Where is the money coming from? 
MR. WHITFIELD.  Right. 
Now you also mentioned that at one time you were pretending to be 
John Ramsey, the father of JonBenet Ramsey; is that correct?  
MR. RAPP.  Yes, sir. 
MR. WHITFIELD.  Now who was your client in that situation?  
MR. RAPP.  We had many clients, many different clients of ours 
that worked with media outlets when anything big were to happen, 
whether it was Columbine, whether it was Monica Lewinsky, whether 
it was John Ramsey, they would all contact us pretty much for 
the same basic information.  They would want to know the whos and 
the whys.  Who did Mr. Ramsey call the minute he found out his 
daughter was missing?  You know, was it an airline to be able to 
get a trip to Michigan?  
MR. WHITFIELD.  Were these law enforcement agencies? 
MR. RAPP.  No, law enforcement agencies used us rarely.  We 
had--apparently, it was an ex-FBI agent out of Texas that utilized 
our services and there were other local law enforcement agencies 
that would contact sporadically, very, very minimally.  I would say 
half a percent of our business would have been from law enforcement. 
MR. WHITFIELD.  Right. 
MR. RAPP.  The majority was all from the private sectors. 
MR. WHITFIELD.  The murder of JonBenet Ramsey was such a national 
story.  So many of the news media used you in that? 
MR. RAPP.  Correct. 
MR. WHITFIELD.  And what were you trying to do by impersonating 
Mr. Ramsey?  You were just trying to find out who he called first 
and -- 
MR. RAPP.  Just the basic information:  Who he called, why did he go 
to a hardware store to buy tape and rope, that apparently tape and 
rope were used on his daughter to tie her up.  Why was that purchase 
made at a hardware store with his credit card? 
MR. WHITFIELD.  Now you probably heard the testimony of Mr. Yuzuk 
earlier today, and we were talking about how in the world can you 
obtain a password on an on-line account.  So tell us how do you do 
that. 
MR. RAPP.  Persistence.  Intelligence of knowing these people, these 
customer service reps that are sitting--whether it be for Verizon, 
T-Mobile or any cell or local landline carrier, they are in a 
position to want to help you.  Their job is to satisfy the 
customer.  Not to spend a lot of time, but when we get our point 
across to them, you need to help us, this is what I need, if I 
need a breakdown on my bill because I am going to be in a 
subcommittee meeting in Congress and I need to get a breakdown of 
this bill in the next 20 minutes, what is their option but to say 
yes, let's go over your bill.  What is your first call?  
MR. WHITFIELD.  Even though you are not the person you were 
representing to be?  
MR. RAPP.  Yeah.  They have no clue.  Credit headers are legal.  All 
credit reporting agencies in this country make headers legal.  
Headers being the first part of the information.  I can take your 
name and your address and put it in and get your Social Security 
number without even a problem. 
MR. WHITFIELD.  It is easy to get my Social Security number legally? 
MR. RAPP.  Yes, legally through the credit reporting agencies or, 
if I wish, utility agencies.  The phone company, of course, has it, 
that I am going after.  But utility agencies, any and all things 
pretty much have your Social Security number; and it is a question 
of which one is going to give it to me first? 
MR. WHITFIELD.  What if the numbers are truncated? 
MR. RAPP.  Truncated? 
MR. WHITFIELD.  Like the last four numbers. 
MR. RAPP.  That has no bearing, not to me.  When I am going into 
these carriers and everything, if I have the majority of it, I am 
going to convince them they are wrong and I am right.  But if I 
have the majority of it when I go in, if I need it all, I am going 
to go into a utility department--you have given your Social Security 
number, I have no doubt, to the electric company, gas, cable.  They 
all have it. 
MR. WHITFIELD.  So if I ask you to get Mr. Inslee's password on his 
account at such and such a bank, what is the likelihood that you 
would be successful in getting that? 
MR. RAPP.  Give me an hour, and I am sure we can do that very 
successfully.  It is not--don't take me wrong.  It is not a prideful 
issue.  It is just a fact.  They are there for a resource to help 
the people.  
My job was to provide information, and we did it very successfully 
just because if one option set you down, you didn't sweat about it.  
You went right to the next one.  Somebody is going to give you the 
information you need. 
MR. WHITFIELD.  Well, in some ways, this is kind of humorous, but, 
in other ways, it is not humorous at all; and I think it is important 
that the American people recognize that, as you said in your 
testimony, there are no secrets.  You can find out information 
about anybody, about anything. 
MR. RAPP.  For the most part.  
MR. WHITFIELD.  And one other part, in this training manual you had, 
you mentioned the infamous Quick Check and 800 install assistance.  
You mentioned both of those in your testimony.  What does that refer 
to? 
MR. RAPP.  Let me give you an example, if I may.  Let's assume your 
long distance carrier is MCI, for example.  I have a listing of 
telephone numbers that was a very common form of what we did in 
Denver and in Parker and the work we did.  Clients would give us 
phone numbers to break.  They would want a name and an address, what 
normally is referred to as a CNA, on a whole host of numbers.  This 
was before the advent of Google and the two brothers and all of that. 
I would utilize and go in--and you can still do this today.  Before 
I came to the committee I was making a few phone calls to find out 
what was still available; and, surprisingly, nothing has changed. 
If I contacted MCI saying I was Chairman Whitfield and I said I 
had a few questions about my bill, they would be more than happy 
to want to help me.  At that point, I would take my list of numbers 
and I would say, I don't recognize these numbers as being dialed.  
And they would respond, well, we don't see those on your bill.  
I would say, do you have a page 7, knowing that I have already 
gone in before to find out how much you owe and find out you only 
have 6 pages on your bill.  They would say, no, I only see 6. 
 I said, well, on page 7, and they are not going to question me 
and say, well, apparently we are missing something.  What can we 
do to help you?  
I would give them these numbers, and now they have an automated 
system, but, before, they would run those numbers through their 
long distance network and bring up who they showed was the name and 
address of each and every one of those phone numbers. 
That is called the Quick Check.  You could utilize that service 
prior to AT&T breaking up and still parts of AT&T where it is an 
automated system, where you go in and put in your home phone 
numbers and you can enter phone numbers you want to have 
identified.  They make that service available to people because 
there might be times on the bill your wife made a phone call long 
distance and you want to know who they are going to, and they will 
provide that information to people.  
So it is not just the numbers on the bill.  If you convince them 
the numbers are there and they don't see them, they are still going 
to give you a listing of whatever numbers you want.  That is what 
I utilize as a Quick Check. 
MR. WHITFIELD.  And that is the 1-800-Install Assistance is what you 
were talking about? 
MR. RAPP.  You call an 800 number to reach AT&T or MCI.  You have 
to understand when I contacted my brokers throughout--the private 
investigators that I taught this manual up, they didn't have a 
basic understanding or working knowledge of how to acquire 
information.  That is one of a host of steps, and that is one of 
the first steps.  It is a quick one, because you get through to 
customer service quicker, and they are more apt to want to help you 
because they are not the local carrier. 
MR. WHITFIELD.  My time has just about expired, but before I 
recognize Ms. DeGette, I want to ask unanimous consent that we 
enter the document binder into the record.  So moved. 
 [The information follows:] 


MR. WHITFIELD.  At this time, I recognize Ms. DeGette. 
MS. DEGETTE.  Thank you, Mr. Chairman; and welcome to both 
of you.  
Mr. Rapp, I want to start with you.  We are calling what you did 
and I think, Mr. Gandal, what your folks do pretexting, which is 
kind of a prettied word for pretending that you are someone that 
you are not, right? 
MR. RAPP.  That is correct. 
MS. DEGETTE.  Like, for example, in the JonBenet Ramsey case, which 
all of us in Colorado are even more familiar with than the Chairman 
is, you were not hired by the police officers or the law enforcement 
agencies.  You were hired by an independent entity, correct? 
MR. RAPP.  Correct. 
MS. DEGETTE.  Can you tell us who that was? 
MR. RAPP.  There were many different agencies at that point.  
I don't remember.  It has been 7 or 8 years. 
MS. DEGETTE.  Some of the people who hired you were tabloid 
newspapers? 
MR. RAPP.  They didn't hire me directly.  They went through other 
private investigators. 
MS. DEGETTE.  Right, but when you say "agencies," you sort of imply 
that it was like a law enforcement agency.  Do you see what I am 
saying?  You were hired by independent investigators, not by law 
enforcement agencies. 
MR. RAPP.  Correct. 
MS. DEGETTE.  And what you were doing when you, for example, were 
trying to go to the hardware store and find out about the rope and 
tape and so on.  You weren't doing that in the assistance of a law 
enforcement agency.  You were hired by a private investigator who 
then gave that information to others, right? 
MR. RAPP.  Correct. 
MS. DEGETTE.  In fact, subsequently, the Boulder--I guess it must 
have been the Boulder police, they raided your office, and they said 
that you impeded their investigations; is that right? 
MR. RAPP.  Well, yes, that is the story we heard, too.  They did 
come in and confiscate the computers. 
MS. DEGETTE.  Did you ever find out anything that helped to crack 
the case?  
MR. RAPP.  The information that we found out that I have verifiable 
facts for apparently never made it to the media, never made it 
to--past the law enforcement usage of it for what examples, we have 
no idea.  We were told that this-- 
MS. DEGETTE.  Now, according to the Rocky Mountain News this is what 
they said.  So, you know, the press, with all due respect, doesn't 
always print exactly what you say, as I know, but what this says is, 
Rapp says "he has no regrets about his work which found its way 
into supermarket weeklies," is that true? 
MR. RAPP.  True. 
MS. DEGETTE.  Now also in that same Rocky Mountain News article you 
said there were times when you tracked down phone numbers to battered 
women's shelters but you refused to give the information to the 
client. 
MR. RAPP.  That is correct.  When it was obvious, at least to me--the 
folks on the committee might say, well, it is all obvious, or it 
should be.  Well, if you are in that business of providing the 
basic information to PIs, the majority of which PIs were looking 
for people on behalf of their clients and it didn't become media 
until-- 
MS. DEGETTE.  It is obvious when you get the phone number of a 
battered women's shelter maybe this is not where I should go, but 
the rest of the time you don't really know for sure. 
MR. RAPP.  That is correct. 
MS. DEGETTE.  So you were a hired gun and getting information and 
giving it to whoever paid you. 
MR. RAPP.  For the most part yes. 
MS. DEGETTE.  So in your testimony--I mean, this is what we are 
trying to grapple with, is--and Mr. Gandal talked about it too, 
sometimes there is a legitimate use for this information, but 
sometimes there is not.  And what it can do is it can wreak havoc 
with somebody's privacy, right? 
MR. RAPP.  It can. 
MS. DEGETTE.  So you testified that there is a positive use for the 
data broker industry, and I am wondering if you can tell me that, 
through your years of experience involved in the good and bad parts 
of this industry, there would be any way you could differentiate. 
MR. RAPP.  If I knew that the client was working on behalf of a 
judgment debtor, and there were many private investigators who would 
work on behalf of clients if they actually had a copy of the 
judgment, that to me is a legitimate use to acquire the person's 
information if they have gone through the process. 
MS. DEGETTE.  Right.  But that is based on your judgment, right? 
MR. RAPP.  It is based on the court's judgment. 
MS. DEGETTE.  You are the private investigator or you are the person 
who is doing this technique.  You are deciding, okay, I have got a 
copy of the judgment that seems legitimate, right?  
MR. RAPP.  Correct. 
MS. DEGETTE.  Well, the problem is we are the ones that write the 
laws.  We can't write a law like that.  We can't write a law that 
says you can't go in and impersonate JonBenet Ramsey's father, but 
it is okay if you use pretexting to enforce a judgment.  Do you see 
what I am saying?  
MR. RAPP.  I understand. 
MS. DEGETTE.  So how do we differentiate? 
MR. RAPP.  That is a good question.  It is a necessary evil that is 
going to continue, regardless of the laws that you write. 
MS. DEGETTE.  Do you think it is a necessary evil?  You don't think 
there are other ways we can get this information that we need? 
MR. RAPP.  No.  When people don't want to pay their debts, pay 
their car notes, or pay other things and want to abscond with the 
money and not pay their debts, no.  There is no other way that you 
are going to get them to pay up unless we physically go in and take 
that money from them.  If they wanted to pay their bills, they would 
pay it, or else bankruptcy courts wouldn't be full. 
MS. DEGETTE.  So the only way we can get that money is to pretext so 
we can get this information so-- 
MR. RAPP.  That is one way, yes. 
MS. DEGETTE.  That is not the only way. 
MR. RAPP.  I am sure there are other ways, but they haven't paid 
their bills before that. 
MS. DEGETTE.  That brings me to you, Mr. Gandal.  Now these 
companies that extend credit for the automobiles, I would assume 
that they have written agreements with these, with these, what do 
you call--the debtors; is that correct?  
MR. GANDAL.  Yes, they are signing a security contract. 
MS. DEGETTE.  And I would assume those contracts include language 
that allows the automobile finance companies to get access to certain 
information about these debtors, correct?  
MR. GANDAL.  I have never seen language that would allow the auto 
financers to get information that I am getting.  Basically, it says, 
you pay this much a month; if you don't pay it, we have a right to 
go back and get your vehicle.  
A lot of people don't like to give back their vehicles.  A lot of 
people will get downright violent about it.  
A lot of people will take off and laugh at you.  So will their 
entire family, because they were taught by their parents how to do 
this. 
MS. DEGETTE.  So you think the only way to get these cars back is to 
pretend, pretexting. 
MR. GANDAL.  Only way, no.  No, ma'am, of course not.  There are so 
many ways to do so many things. 
MS. DEGETTE.  Exactly. 
MR. GANDAL.  This is a way that has worked for a long time because 
when you are dealing with a debtor, you don't go above them.  You 
get down at their level, or you don't work with them; you don't get 
anything.  There are replevins available, banks don't even look at 
them because they are too expensive. 
MS. DEGETTE.  They don't look at them because they don't have to 
because they can hire you, right?  
MR. GANDAL.  Okay, that is one way to look at it.  But it is a much 
deeper problem than that in the finance industry. 
MS. DEGETTE.  Let me ask you the same question I asked Mr. Rapp, 
because you are a law-abiding citizen. 
MR. GANDAL.  Yes, I am. 
MS. DEGETTE.  What would happen if somebody pretexted your identity 
and got all of your information and then used it for an illegal 
 purpose? 
MR. GANDAL.  That would be wrong.  I don't do that kind of thing. 
MS. DEGETTE.  The problem is, if we don't pass a law that covers 
all of these issues, then we can't pass a law saying you can only 
go after the evildoers; and you can still use pretexting, but the 
legitimate, law-abiding people, you can't do it.  We can't pass 
that law. 
MR. GANDAL.  That is a problem.  And that is why I suggest to-- 
MS. DEGETTE.  Do you think it is better that we allow these tens of 
thousands of cases where people use pretexting for illegitimate 
reasons in order for your clients to be able to repossess those 
cars?  
MR. GANDAL.  No, I don't think it is better.  I think there needs to 
be control in the entire system, and on the other end also.  There 
should be laws against professional debtors.  There should be laws 
against opening a home improvement company, buying 60 cars, 
subleasing them and then just doing it again and again and again. 
MS. DEGETTE.  I completely agree with you.  And in most States 
there are laws like that, and I think we need to make sure we 
enforce them. 
MR. GANDAL.  Those aren't enforced, just like if there is a law 
against me, it is not enforced either. 
It seems to me, a brick wall maybe you're taking down. 
MS. DEGETTE.  I think the brick wall will be torn down, because I 
think the consumers of America are getting very concerned about 
their privacy, and they are seeing pretexting as just one aspect 
of identity theft.  And privacy concerns, which the Chairman will 
tell you, we are increasingly on this committee feeling those 
pressures every day, because it is just getting out of control. 
Now, Mr. Rapp, you have been operating in Colorado for quite some 
time; is that correct?  
MR. RAPP.  Yes, ma'am. 
MS. DEGETTE.  And Colorado has no laws that cover private 
investigators?  
MR. RAPP.  Correct. 
MS. DEGETTE.  Do you know offhand how many States do regulate 
private investigators?  
MR. RAPP.  The majority of States do.  During our early years, we 
would move to Utah, Montana, other States because of the fact of the 
lax laws. 
MS. DEGETTE.  And you ended up in Colorado, in part--aside from the 
great natural beauty and wonderful aspects of the State, which I 
know well, you ended up there, in part, because we have no laws 
that cover private investigators?  
MR. RAPP.  Truthfully, I was born and raised there, so that was 
always home.  But I wanted to go back there to the extent that we 
could do this work always knowing they were a little harder, 
however, on the prosecution of people like us, even though there 
were no set laws.  That is why they charged us with RICO.  They 
said, we do that when we don't know what to charge you with; we 
just don't like what you are doing. 
MS. DEGETTE.  One last question, Mr. Chairman. 
Do you think tougher laws by States regarding private investigators 
would help with some of the edgier and even illegal practices?  
MR. RAPP.  You know, that is a tough question.  It is going to keep 
the law-abiding people, law abiding; and the ones that are going to 
break it are going to do it anyway, regardless of the law. 
MS. DEGETTE.  Thank you, Mr. Chairman. 
MR. WHITFIELD.  Thank you.  
At this time, I would recognize Mr. Burgess. 
MR. BURGESS.  Thank you, Mr. Chairman.  
Mr. Rapp, your last comment reminded me of what a mechanic told me 
one time that an ignition key was just to keep an honest person 
from driving off with your car. 
This line of questioning has just been fascinating. 
Mr. Rapp, you said early in your testimony that your work in this 
field actually predated the Internet becoming a big deal.  
How--have you thought at all about how the Internet would have 
changed your line of business?  
MR. RAPP.  We have.  When it started back in the early 1980s, that 
wasn't a big deal, the Internet wasn't.  In the 1990s, many of my 
employees that went off on their own, and we had trained--many of 
which, as people do, went off and got their own clientele and 
lived life.  They said, it is so easy on the Internet. 
But there is always a track back to you; that was my advice back to 
them.  I would hesitate on using it and never did.  Today, when I 
go online, there is not much you don't see.  But the majority of 
it, if you read in the small print, the fine print, they don't 
guarantee anything.  
When we were in business, guarantee was everything.  If I don't get 
the information, I don't get paid.  Online, if they don't get the 
information, you still have to pay a surcharge, which is stupid 
enough for them to put it out, but people buy into it. 
And, yes, it is available and AT&T, Verizon, all the carriers, have 
to make things accessible to people; and if you make it accessible, 
there is going to be that element and, I hate to say, the negative 
element a lot of us that are in the field go into, and you are 
going to tie into it and expand upon it and use it. 
MR. BURGESS.  So just like everything else, the Internet has the 
ability to accelerate the-- 
MR. RAPP.  Absolutely, it is. 
MR. BURGESS. --dark side of this process? 
MR. RAPP.  Correct. 
MR. BURGESS.  If you don't mind me asking, since 1999, when you left 
your profession, what is your line of work currently? 
MR. RAPP.  Well, at this point--in 1999, my dad developed cancer, 
and 5 months later he died; and right after that time, 2 months 
later, I started taking care of Mom, who is now living in our 
house.  So I have been, I want to say "relished to," but at this 
point that has been my line of work, as a caretaker.  
Fortunately, we have enough funds in savings, and we are okay to 
survive.  But that is the line of work. 
MR. BURGESS.  So you have not involved yourself in any of these 
activities that you were apparently--you were gifted, as you got 
out of your higher education institution in 1982, you were gifted 
in this field?  
MR. RAPP.  I wasn't necessarily gifted.  If you do some things 
so repetitively, you are going to get good at it, or you are going 
to get out of the business and find something else.  But I still 
train--every now and then, I haven't done it for years, but a client 
will fly in somebody and ask me if I will spend a day or two and 
train them.  Go after the aspects of how do you do it, how do you 
find it?  
Especially re-po people, when you track down a vehicle, you have to 
do it.  You want to try and make an effort of get your vehicle back, 
or what's the point of the whole game?  You have to.  So there is 
a very legitimate need that is still maintained here. 
Yes, I did still do that once in a while.  I haven't done that in a 
few years, but that is about the extent of it. 
MR. BURGESS.  Looking through the information provided to us in the 
evidence book, under Tab 12, it looks almost like you are giving 
directions on how to go through this process.  And it looks fairly 
well thought out, if you even made--someone made some handwritten 
notes here on perhaps how to even improve upon the process. 
MR. RAPP.  I don't believe Tab 12 is mine.  Which are you relating 
to, which page in Tab 12?  
MR. BURGESS.  I beg your pardon, Tips For Performing Pretext, 
prepared by James Rapp; would that be yours?  
MR. RAPP.  Where are you looking at?  Again, I apologize. 
MR. BURGESS.  I thought I was looking at Tab 12, or maybe someone 
pretexted it.  I don't know; maybe it is in code.  In any case, 
the actual document is not relevant to the question.  Would there 
be a role for someone with your facility to work through these 
problems, to work on the good side, to help protect from this type 
of intrusion into their private data?  
Could you put your efforts to good use in society? 
MR. RAPP.  Absolutely.  If you limited phone companies, cellular 
companies--you all are very concerned about that--to only speak to 
the person on their cell phone, end of story, period, you would 
eliminate 95 percent of the issue; the only way that they would 
talk to anybody is if they called them at their specific cell 
number, and then addressed them and made sure they had all their 
individual specs. 
The only way-- 
MR. BURGESS.  A representative would have to call back on the cell 
phone-- 
MR. RAPP.  Correct. 
MR. BURGESS. --to get around the problem of spoofing and putting a 
fake phone number into the system?  
MR. RAPP.  That's correct. 
MR. BURGESS.  So that is going to--and that may be what they 
internally need to do.  That obviously increases the cost of their 
customer service significantly to add those extra steps, but it is 
a valid thought.  
I appreciate your sharing it with us. 
Mr. Gandal, you heard Ms. DeGette in her line of questioning and I, 
you know, being on this side of the equation for the first time in 
my life, looking at your business, yes, it is difficult to regulate 
what you guys do and, of course, being in government we love to 
regulate. 
I get the impression that you feel that people who do your type of 
work will, of necessity, have to continue--Mr. Rapp alluded to 
it--that to get the vehicle repossessed, you have to know where 
to go, where to go to find it. 
Is that your feeling as well?  
MR. GANDAL.  Yes, it is.  There are a lot of vehicles out there 
that are not going to be found unless you go ahead and work the 
account in such ways to obtain sensitive information. 
MR. BURGESS.  So when you initiated your career into this type of 
work, you were working for people who were, in fact, law abiding 
and trying to keep their legitimate businesses going by locating 
vehicles, where people had skipped?  
MR. GANDAL.  That is correct.  I was actually a private 
investigator doing workman's comp in Colorado.  And we couldn't 
find claimants because claimants used the lawyer's address in the 
mid-80s--'84-85--and you have to pick up a claimant at a 
State-ordered medical appointment in order to follow him and do 
a workman's comp surveillance.  And those are very difficult to 
do because they are in big buildings you don't know where they 
parked, et cetera, et cetera.  
And I decided, well, you have to learn how to find people.  I 
developed these ways to find people at that time. 
MR. BURGESS.  And I appreciate that, but you see our difficulty 
now is that the criminal element has adopted some of your 
techniques, and some of your ways and some of Mr. Rapp's, so there 
has to be a way of putting parameters around it and guarding the 
innocent public.  
Mr. Rapp had one suggestion.  Do you have in your--with your 
experience in this industry, do you have ways that you see that 
would be at our disposal for putting those barriers, those 
boundaries, in place?  
MR. GANDAL.  Yes, I do.  First of all, I agree with Mr. Rapp as 
far as telephone companies calling back the cell phones.  I said 
that a long time ago, and even tried to speak with some wireless 
companies about that in the past. 
As far as from my angle, the repossession angle, as I said, I 
believe there should be some sort of a liaison, some sort of a 
person on the repossession and lien holder's side of this dilemma, 
because all laws are out there to protect the debtor.  There are 
no laws to protect the repossessor.  They get shot at whatever 
happens; they were on the property, whatever happens. 
There should be somebody that can circumvent the issue without 
waiting 6 months in a court when the vehicle disappears; and even 
with replevins, a lot of replevins don't work.  You have to bring 
them into court and find out where the vehicle is.  
If the vehicle is not around, still people have avoided the issue.  
And many, many hundreds and thousands of vehicles are actually never 
located; and I mean, hundreds and thousands over the years.  And 
the way to handle that is to have a liaison, or some sort of a 
control group that can reach this person and say, look, I have the 
authority to force you to tell me where this vehicle is; where is 
the vehicle?  We will leave you alone; all we want is the car.  You 
signed a contract.  We want the car. 
It is a legal contract with a titled vehicle, and everything is 
legal, and yet, still, the vehicle isn't there.  And, they are 
effectively stealing the vehicle.  
And I am not talking about the person who gets a couple months 
behind.  Those are good people, and there's a lot of good people 
out there that have to go subprime because they got sick and have no 
medical insurance, because they lost their job.  There are so many 
reasons; now, in this economy, it keeps on going.  But those are 
not the people I am talking about, because those people call the 
bank and say, I can't afford my car; I really need you to come and 
get it. 
It is the people, the people that I speak of are the professional 
debtors, and there are a lot of them out there. 
MR. BURGESS.  Now, Mr. Rapp says he got into the business, or 
concluded his activities before the Internet.  You are still 
actively engaged in it?  
MR. GANDAL.  I no longer get cellular telephone records, but yes, 
I still locate vehicles and I still assist law-- 
MR. BURGESS.  How has the Internet changed your practice? 
MR. GANDAL.  The Internet changed my practice completely.  Cellular 
telephone records and things like that weren't even available until 
the Internet.  There were ways to pretext, to get calls over the 
telephone, but the Internet has changed everything because, as you 
said, you have to make it simple for people.  And that is what the 
wireless companies did is, they said that customer service is more 
important than customer security. 
Now, I will tell you also at this time that a few of the wireless 
companies have made changes, on their own, in the past 6 months, 
because they realized what was happening. 
And now the information is still available, but you have got to be 
very good and you have got to know other things where, if I might 
speak about the gentleman that had his records taken from Cingular. 
 All you need for Cingular is the five-digit ZIP Code and the last 
four of the Social Security number and you are in.  If you put a 
password on there, I can explain what happened there.  It wasn't 
me that did it, but I know what it does.  
When you go into these wireless companies, they have retrained a 
lot of their staff--a lot of it, not all of it.  So sure you can 
keep on going in.  A lot of these companies use people in 
Thailand or Bangkok.  Do you think they care what they are being 
told?  No, they are just going to answer whatever questions you 
want. 
But when you really need to get information, you leave Cingular; 
and what they did to get that password is, they went to one of the 
Cingular stores and called one of the Cingular stores instead of 
Cingular wireless and they probably went in as customer service 
from Cingular and were able to get that information that way, "Our 
system is down right now; can you help us?" 
The stores are not regulated nearly as much as customer service, so 
just to help that gentleman out, that is probably what happened; and 
once they have that password, they quietly went back into the 
Cingular Web site whenever they needed the information. 
MR. BURGESS.  Thank you, Mr. Gandal.  That is very thorough and 
helpful.  We have unfortunately gotten the gavel, so I will yield 
back. 
MR. WHITFIELD.  I recognize Ms. Schakowsky. 
MS. SCHAKOWSKY.  Mr. Gandal, I am glad you acknowledge at some point 
that there are those people who have gotten into financial trouble 
not because they are professional debtors.  Fifty percent of the 
individual bankruptcies are people who have health care debt. 
And yet the obvious contempt that you have for some of the people 
that you have gone after makes me wonder how much you don't just 
believe that the ends justify the means and that you are doing some 
sort of a public service. 
What I wanted to ask you, though, is, since 1999, when 
Gramm-Leach-Bliley passed, pretexting for financial information is, 
in fact, against the law.  So how do you do that?  
MR. GANDAL.  I have never picked up financial information.  I am a 
skip tracer.  I am looking for somebody, and that is really all I am 
doing.  I might use a cell phone record as a tool in order to locate 
somebody, or a utility record or whatever, but I have never offered 
financial information.  
I know how to do it, basically the same way you do anything else, 
but I have never been an information broker in that I have always 
assisted in looking for vehicles. 
MS. SCHAKOWSKY.  But you know how to do it in a legal way?  
MR. GANDAL.  No.  
MS. SCHAKOWSKY.  Did you do it after--Mr. Rapp, after the law 
passed?  
MR. RAPP.  No, ma'am. 
MS. SCHAKOWSKY.  I think all of us would be interested--you did-- 
Mr. Gandal, give an example now of how you can get a password.  You 
are saying someone pretends they are calling from Cingular to a 
Cingular store and ask for some help.  
I wondered if you could give us what--Mr. Rapp, what's your rap in 
order to get someone to turn over the kind of information that you 
need?  What does the phone call sound like, to get this sensitive 
information? 
MR. GANDAL.  That one is on you. 
MR. RAPP.  Thanks.  Give an example.  If I wanted to find out--if 
you are familiar with Cook County, Chicago, Illinois, if I wanted 
to find out, let's just take your credit card, and let's say a 
client-- 
MS. SCHAKOWSKY.  You know where I live.  Now I am nervous about what 
else you know.  Go ahead. 
MR. RAPP.  Let's say I want to look at your Visa; your husband was 
concerned about some of your purchases that he didn't recognize.  
That may be the story that is given to me.  We don't know. 
We had at one point over 1,500 clients that were private 
investigators throughout the country, and they would bombard us 
literally with 10 to 20 cases a day, not all of them, but we had a 
tremendous amount of work.  So we didn't have time to look into each 
and every aspect. 
But if a case came across my desk from you, and they said, we know 
she has a Visa, this is her home address, that is all we have on 
her; that is all I need.  I don't even need that much.  But if I 
have your name, your name alone, I have no doubt somewhere there is 
a utility, whether it be electric, cable, newspaper, something in 
your name, that is going to have your address on file. 
I am going to go there and get your address; I am then going to get 
your Social Security. 
MS. SCHAKOWSKY.  Tell me how do you do that? 
MR. RAPP.  For example, if I call the electric company, and I call 
them up and I tell them I am you, and I talk real sweet to them and 
explain to them that my electricity is out and there is a fire in 
my breaker box, for an example, they are going to have to do 
something.  They are going to want to help.  
I will say-- 
MS. SCHAKOWSKY.  You create a kind of urgent situation?  You don't 
have time to fool around? 
MR. RAPP.  Correct.  We are talking 10 to 15 minutes per case, on 
average, per person.  
MS. SCHAKOWSKY.  But you convince them that this is urgent. 
MR. RAPP.  I convince them that there is a situation I need to 
address.  "Lights out" is the most common, or "I smell gas."  
Either way, they will say "what is your address?"  
"I am over here at Route 4, Box 18, right here in Cook County." 
They will say, "we don't have an address like that."  
I will say, "yes, you do.  This is one of the new ones; they just 
came out and renumbered it with the 911 system out here.  We didn't 
used to have it; now we do."  
They say, "we can't pull it up that way.  What is your name?"  
You give them your last name, the correct spelling.  
They say, "oh, well, we have you over here, 144 Northwest whatever."  
And I am saying, "oh, well, it is the same thing."  
Now that I've got the address, I will push them a little more, get 
your home phone number, whatever they have on file going in; and my 
goal-- 
MS. SCHAKOWSKY.  You are calling.  Why are they going to give you 
your home phone number?  
MR. RAPP.  Because I am going to explain to them, we run a business 
in our home.  "We have multiple lines in here, and want to make sure 
you can reach me.  I have a sick kid upstairs.  Do me a favor, do 
you have a 4912 or 4913 number?" 
"Huh?  What are you talking about?  This is the number we have on 
file."  
"Great.  Thank you very much." 
Then I will do the same basic thing with Social Security number.  
When I go back in, at a different point--it may be 5 minutes 
later--once I have the exact address and I have verified it, if I 
call directory assistance and you are nonpublished, they still to 
this day will verify the location of that nonpublished listing, 
which they can do with me so I make sure I have the right party, 
you, that I am going after. 
Once I have that down, and I have acquired the Social Security 
number from the same company, or cable or whoever, I go in to 
Visa-- 
MS. SCHAKOWSKY.  Is a Social Security number any harder to get than 
address or phone number?  
MR. RAPP.  No. 
MS. SCHAKOWSKY.  No. 
MR. RAPP.  Every utility company has it on file.  Most now, if you 
sign up with a brand-new account-- 
MS. SCHAKOWSKY.  Tell me how you get a Social Security number. 
MR. RAPP.  I do the same exact thing.  If I have gone into the 
utility company, I'm going to say, "wait a minute now.  You had 
a listing on my credit, or Equifax sent me a copy of my credit 
report as they do every year.  I had a negative report listed from 
you folks."  I am going to say, "there shouldn't be that."  
They are going to take a look.  "Well, you have always paid your 
bills on time."  
"Now, wait a minute, that is correct, but my father and I, Junior 
and Senior; I think you may have him confused with me."  
They will say, "well, we don't have your father.  We have you."  
I say, "well, this is my Social."  
"No, that is not the one we have.  Here is the one we have."  
It is just playing the game.  And when you convince them that they 
are wrong, they want to prove to you that they are right.  Or they 
want to help. 
Once I have your Social, I call in to Visa, and I don't even need 
to know the card number, or have it with me; and just calling Visa, 
I don't need to know which bank you got your credit card number 
from.  If I run your name and Social, they are going to tell me 
which bank it is that you have an account; and they are going to 
want to speak to you because they believe I am a man, which is 
fine. 
Once I find out which bank it is, I can go back and have a little 
more ammunition, and I will have one of my girl operatives be you 
and acquire every call, every charge you had the last 90 days 
without ever having the credit card number or anything. 
But again there is no fraud in the respect that I am not stealing 
anything.  I am just finding out what is on it.  
If you haven't done anything wrong, you have nothing to fear from 
me is pretty much how I looked at it to begin with.  And I know with 
the advent of the media and all the news and magazines we did, 
everything went out the window, everything was people just wanting 
to know. 
MS. SCHAKOWSKY.  Mr. Gandal, tell me how you get the information 
you need. 
MR. GANDAL.  Social Security numbers, I already have in almost every 
case. 
MS. SCHAKOWSKY.  Because you are working for-- 
MR. GANDAL.  I am dealing with a financial institution.  I probably 
have the Social.  And once you have a Social, you can get any 
information on anybody, pretty much. 
MS. SCHAKOWSKY.  And so you call up, you are that person and you 
have the Social Security number?  
MR. GANDAL.  Yes.  Social engineering, I would say, yes, I will use 
that many, many times.  I will go in as the person just to find out 
how much I owe.  Once you find out how much somebody owes, you are 
in.  
MS. SCHAKOWSKY.  Thank you.  I yield back. 
MR. WHITFIELD.  At this time, I recognize Mr. Stearns of Florida. 
MR. STEARNS.  Thank you, Mr. Chairman.  
Mr. Rapp, I was just reading through your opening statement, and at 
one time, you had indicated, "during this time, I was featured on 
America's Most Wanted as being the number one con man in America."  
And, of course, you went on to say that you sort of discounted that 
a bit. 
But have you ever been conned yourself?  Has someone ever conned you?  
MR. RAPP.  I am sure they have.  And if they are good, I will never 
know it. 
MR. STEARNS.  Let me ask you a question.  In your statement you talk 
about during the President Clinton and Monica Lewinsky scandal you 
were contacted by the FBI, you say, from the Baltimore office.  
"The agent wanted to know specifically who our client was that 
requested the information on why the White House was paying for 
Ms. Lewinsky's apartment, as well as tracking down various cell 
phones and landline contacts of Ms. Lewinsky." 
MR. RAPP.  Correct. 
MR. STEARNS.  Did you take that as legitimate?  Did you check out 
to see if the FBI had a legitimate reason for doing that?  
MR. RAPP.  If the FBI-- 
MR. STEARNS.  Let me see here, you say the FBI contacted you? 
MR. RAPP.  Right.  They wanted to know why I was looking into, when 
you start looking into phone calls on the President, or his 
associate, you are going to get contacted by somebody.  And I did.  
MR. STEARNS.  And you felt sure at this point these were the FBI?  
MR. RAPP.  The gentleman called me.  I believe, actually, they 
showed up unannounced, but he gave me a number to the Baltimore 
field office.  And, of course, I never used that number.  I called 
directory assistance, got the number to the Baltimore field office, 
verified the agent and the basic appearance, because anybody could 
make up a badge.  So, yes, I am pretty confident it was the FBI. 
MR. STEARNS.  So then you made available all those records?  
MR. RAPP.  Correct.  
MR. STEARNS.  And I guess that is the problem, sometimes when you 
get that high profile.  When you are doing these for different 
clients, you sometimes move into areas that perhaps you realize 
you probably shouldn't have got into? 
MR. RAPP.  Correct. 
MR. STEARNS.  Would you say that in retrospect? 
MR. RAPP.  You know, in retrospect, the money was enjoyable; the 
fame was just part of the job.  But a good data broker is very 
quiet, underneath the radar.  And the committee is not going to 
know about him, for the most part; nor is the American public, 
because they are utilizing the services for the majority of the 
part. 
If they haven't done anything wrong, they have nothing to fear from 
them.  If they owe money, you may wake up one morning and find your 
bank account $5,000 less.  But again it is because they had a 
legitimate judgment. 
So, yes, the fame caused a lot of problems.  And in retrospect, I 
think it turned out to be a good thing and ended when it did, as 
things transgressed. 
MR. STEARNS.  So if you had to do it again, would you do it the 
same way?  
MR. RAPP.  Tough question.  Tough question.  I definitely-- 
MR. STEARNS.  Think about that for a second and let me go back. 
The person who asked you--who was the client, that asked you to 
specifically get this information--I am not asking you to reveal 
who that client was; but that client, you had to reveal to the FBI, 
too, didn't you?  
MR. RAPP.  Correct, yes. 
MR. STEARNS.  And did that client immediately tell you to stop and 
desist?  Or did that client-- 
MR. RAPP.  Oh, no.  All my clients understand when law enforcement 
is there, we are in business to make money on a grand scale.  And 
if you shut down one avenue, I am going to concentrate on the 
others. 
So he wanted to know who the client was, just for national security 
reasons, as he said.  This has nothing to do with that. 
MR. STEARNS.  So he wanted to know specifically who was paying 
for Ms. Lewinsky's apartment, as well as tracking down various 
cell phone and landline contacts of Ms. Lewinsky?  
MR. RAPP.  That is correct.  It was for a news magazine.  I don't 
know if it was Entertainment Tonight or which one of the news 
magazines, but they wanted to know. 
MR. STEARNS.  And they hired you to do it?  
MR. RAPP.  Right.  They thought it was interesting that the 
Government was paying for Ms. Lewinsky's apartment at the Watergate 
Hotel.  So something like that. 
MR. STEARNS.  I also read in some of the testimony that both of 
you--or you, specifically Mr. Rapp, can find out a post office box. 
MR. RAPP.  That is correct.  
MR. STEARNS.  Just briefly tell me how you would find out my post 
office box.  I have a post office box for business.  Tell me, 
briefly, how you do it and then tell me what is the reason for 
knowing the post office box?  
MR. RAPP.  To me, it was a case, tracking people down. 
MR. STEARNS.  What is the reason why?  Is it like a banking 
institution or a lawyer?  Why would they want to know?  
MR. RAPP.  Somebody wants to track you down.  
MR. STEARNS.  So they are going to stand there so when I come up to 
that post office box they will be able to get me; is that it?  
MR. RAPP.  No.  What it was leading my clients to, the majority 
of the time, was to get more information on you, a physical 
address.  Most of the time you have to actually show an ID to get 
a post office-- 
MR. STEARNS.  So if a person doesn't have a physical address, then 
you want the post office box. 
MR. RAPP.  That is right.  The idea, to "break" in the Post Office, 
it is to get whatever information they have on their hard card.  
That is what we are looking for. 
MR. STEARNS.  So tell me then you want to get my post office box, 
and I am in Ocala, Florida.  How would you go about it?  
MR. RAPP.  First of all--I will be blunt.  
MR. STEARNS.  You had a last name. 
MR. RAPP.  I don't need that.  All I need is the box number. 
If I find out who the postal inspectors are for your region, 
impersonate one of those postal inspectors; and if I call up and 
say, you know, we have had-- 
MR. STEARNS.  So you would use the actual name of the postal 
inspector.  Let's say his name is Jim Moore. 
MR. RAPP.  Okay, let's say it is. 
I would call up and be Mr. Moore.  Or I would be one of his 
associates.  And I would say, "you know, we have had some child 
pornography coming into this box.  And we have had some pictures of 
kids doing things they shouldn't be doing." 
"Now, we have traced it back; we have already identified the box is 
on the West Coast.  Do me a favor."  
Now I am talking to a lowly box clerk, of course, that is bored with 
her job, and once I get to build up a 30-second relationship, I am 
going to tell them what I need. 
"Do me a favor.  Take a look at and see if you have"--I will use a 
example of a company name-"see if you have Photography Unlimited 
listed on the box, or how it is titled." 
MR. STEARNS.  You would make up something to get some credibility? 
MR. RAPP.  Correct.  
They go in there and they say, "oh, no, it is not a business.  It 
is a residential box listed as an individual." 
"Now, are you spelling his name with an "st" or just a "ph"?" 
They will say, "oh, no; "st," what are you talking about?  We 
have it as a Jim J. Rowe at 134 17th Street." 
MR. STEARNS.  They continue volunteering information because they 
think you are credible? 
MR. RAPP.  They think you have the authority to be able to acquire 
this.  That is one of the quickest and easiest ways, as just one 
of many examples.  
MR. STEARNS.  Take me through another quick scenario.  You are 
trying to find my credit card, and what would you need to find out 
like in exhibit--Exhibit Number 3, here you have the credit card 
for John Ramsey, and you have a list of all the descriptions, the 
places and the amounts.  How would you go about getting this 
information for--let's say for me, how would you go about getting 
it? 
MR. RAPP.  Mr. Stearns, first of all, I would make sure that my 
client at least had given me your full legal name, preferably your 
address, preferably something else.  Most of the time, the clients 
gave us a credit card, they had a Social. 
MR. STEARNS.  Most the time you had the name of the credit card--you 
didn't even have the credit card?  Whether it is Bank of America 
or Capital One? 
MR. RAPP.  Again, think global; that is too small. 
We are thinking Visa, Master Card, Discover, American Express, or 
Diners Club, which isn't used very much--one of those five are the 
Big Five.  And when a client came to me and said, "we would like to 
find out the credit card purchases they made on this date," the 
client always seemed to have a necessary--they knew exactly what 
they were looking for, but they didn't know how they came to either 
get it or how they wanted it broken down.  They didn't know exactly 
which card the person may have used, but they said, "we know this 
person used a credit card on this day." 
MR. STEARNS.  Invariably you had a date and a description?  
MR. RAPP.  Something.  They gave me something.  I would go in and 
utilize just what I had, your name-- 
MR. STEARNS.  Where would you go in to do that?  
MR. RAPP.  I would go into Visa or Master Card and I would make up 
a nice little story.  I would call them directly and explain to 
them "I have a bill in the mail here for $2,418,000 and I don't 
understand why, since my wife's homebound and I haven't left the 
house in the last 2 months." 
MR. STEARNS.  And she would tell you, "We don't show in our records 
that you have this." 
MR. RAPP.  To begin with, they would say, "Well, what is your card 
number?"  And I won't know, of course.  And I would know something, 
and what I didn't know I would fudge, and I would get them to the 
point where they would just look up what I wanted them to do by my 
name, tie it in with the address. 
And if Visa said-- 
MR. STEARNS.  They would reveal the credit card number to you?  
MR. RAPP.  Not at that point.  At that point they would verify 
they did in fact have it.  
First of all, it is a process.  My first part is to find the 
institution that has it.  Now, if I know you have a Visa, the idea 
now is which agency specifically, or which--again the word "agency"--
but which department issued that Visa, which bank.  So they will say 
"oh yes you have one here from Capital One." 
"Oh, Capital One?  Wrong one.  Let me look into it." 
If I didn't like the way the conversation was going, I will call 
them back.  Now I know it is Capital One.  Now I have other 
options.  I can find out which bank you utilize it from and go 
into the individual branch even.  Just like Chase Manhattan, you 
can pay your bills at any Chase Bank, I can go into the branch, I 
can go into Capital One directly, or I can go back to Visa, and I 
would work the people until I would get your complete card number 
or not.  Most of the time I would solve the case without ever 
having the card number.  I would go in and find out the basics.  
"How much do I owe you?"  
Again, then put them in a position where they have to help you, and 
if I owe them X amount of dollars, I say, "Do me a favor, break that 
down.  I am a committee member; I need to get reimbursed, so let's 
break it down." 
"Okay, well, what do you want to know?" 
MR. STEARNS.  Then you get them to actually fax you-- 
MR. RAPP.  No. 
MR. STEARNS.  How would you get all this information?  This is just 
over the phone? 
MR. RAPP.  Just over the phone.  I would have them go over it, say 
"The first purchase last month, what was the date?" 
MR. STEARNS.  Would you have a phone number that you could be 
traced 
back to? 
MR. RAPP.  Most of the time it was just our landlines sitting in 
Parker, Colorado, or in Aurora most of the time; and no, I didn't 
have a line.  I didn't have the new phones and new technology that 
was available that showed you were calling from somewhere else.  
I didn't worry about it the majority of the time.  They don't know 
unless you are calling a local carrier what number you are coming 
in on.  And even if you do, it is easy enough to get them to look 
past it.  
MR. STEARNS.  Mr. Chairman, I want to say I want to commend the 
witnesses here, because in their telling these stories, it reveals 
to all of us--and I think, hopefully, the consumers too will 
understand--how easy it is to get this information.  And in a 
large sense, they are doing a very good action here and are to be 
commended for just trying to help us weed through this. 
And so I thank you for getting these two witnesses. 
MR. WHITFIELD.  Thank you, Mr. Stearns, and I just have a couple 
more questions here.  
Mr. Rapp, you talked a number of times today about, you had a lot 
of clients who were private investigators, and many of these 
private investigators represented the news media, whether the 
National Enquirer or the Globe or 20/20 or Entertainment Tonight 
or whatever.  And you established a relationship with them so you 
knew who these private investigators were representing, if they 
were representing news companies; is that correct? 
MR. RAPP.  To some extent I did.  Some of my clients, they gave 
me an indication of who they were working for, but that was 
fairly proprietary; they didn't want me subletting them and 
going directly to the company itself and, of course, cutting them 
out of the profit. 
MR. WHITFIELD.  Absolutely. 
Mr. Gandal, after we release the two of you, we are going to bring 
up another panel of witnesses and these are actual data brokers.  
And I understand most of them are going to take the Fifth Amendment, 
but I would like to ask you a couple of questions about some of 
them. 
First of all, I ask you, are you familiar with any of the other 
witnesses that are scheduled to testify today?  The other data 
brokers, are you familiar with any of them? 
MR. GANDAL.  A few of them I know, just a few. 
MR. WHITFIELD.  Do you know anything about the data brokers Ken 
Gorman, Chris Gorman, or Bob Gorman? 
MR. GANDAL.  I know of them.  I have never met them. 
I know they were in the business and that they, at one time, were 
doing a lot of work; and just shop talk between me and other 
people, I would hear that those people, in fact, were getting a 
large amount of work. 
MR. WHITFIELD.  Do you know anything about Mr. John Strange and 
Worldwide Investigations?  
MR. GANDAL.  I know Mr. Strange.  I live in Colorado, and we have 
talked and we have had dinner.  
MR. GANDAL.  And what sort of customers would Mr. Strange sell 
to? 
MR. GANDAL.  I believe that Mr. Strange had a Web site that anybody 
could go into.  And Mr. Strange doesn't get the work, he just 
brokers it.  He doesn't do the work himself.  
MR. WHITFIELD.  Do you know anything about Jim Welker and Universal 
Communications Company?  
MR. GANDAL.  Yes, I know Mr. Welker. 
MR. WHITFIELD.  And what does Mr. Jim Stegner do for the company, 
or Larry Clark?  Do you know either of them?  
MR. GANDAL.  Jim Stegner runs the side of the company that I worked 
with, and worked for for a short time.  Larry Clark does nothing. 
MR. WHITFIELD.  And does Jim Welker--is he still in the State 
legislature in Colorado or-- 
MR. GANDAL.  I believe he is our District 51 representative at this 
time.  I live in the same city as Mr. Welker so. 
MR. WHITFIELD.  Has Mr. Welker ever made claims to you that his 
company does work for Federal law enforcement agencies? 
MR. GANDAL.  Yes, and I know it to be a fact.  I turned some FBI 
agents on to his trap line company several years ago. 
MR. WHITFIELD.  So do you know anything about Michele Yontef and 
her company, TelcoSecrets?  
MR. GANDAL.  I have never met Michele Yontef, but I've heard of her 
throughout my entire career.  She is basically a legend; they call 
her "Ma Bell." 
MR. WHITFIELD.  They call her "Ma Bell?"  Why is that?  
MR. GANDAL.  I don't know.  She is someone who has been in this 
business a long, long time. 
MR. WHITFIELD.  Do you know her, Mr. Rapp? 
MR. RAPP.  No, I am familiar with TelScan, which is the name of 
Jim Welker's company, which we knew it by and utilized them for 
their services, but that is pretty much it. 
MR. WHITFIELD.  But Michele Yontef is known as "Ma Bell." 
What do you know about Global Information Group and Ed Herzog? 
MR. GANDAL.  I know that I always thought his name was David 
Geller.  
MR. WHITFIELD.  David Geller?  
MR. GANDAL.  And I know they were a company in Tampa, Florida; and 
they also were able to get into a lot of--again, what I feel is 
permissible purposes--but the auto financers, gave them a very good 
price that nobody could match, so I know that they took a lot of 
business from a lot of us. 
MR. WHITFIELD.  Do you know whether Global is still operating?  
MR. GANDAL.  Not under Global.  I heard that they are under 
another name now.  
MR. WHITFIELD.  Would that be Romano & Simson?  
MR. GANDAL.  Yes. 
MR. WHITFIELD.  That is the name they are operating under today?  
MR. GANDAL.  Again, this is information I hear through talking 
with other peers.  
MR. WHITFIELD.  Have you seen a price sheet from them?  
MR. GANDAL.  Boy, I think I had one at one time.  I think someone 
had sent me one, just trying to compare prices, trying to stay 
competitive. 
MR. WHITFIELD.  Do you know Barry Glantz?  
MR. GANDAL.  Wow.  I don't know him, but when I ran a repossession 
company in the late '80s in Cincinnati, Ohio, Barry was the person 
I would contact in order to get phone information.  
But he was very difficult to deal with.  And he compelled me to 
learn more about this industry so I could do it myself, because I 
couldn't deal with him anymore. 
MR. WHITFIELD.  What about Steven Schwartz of First Source 
Information Specialists?  
MR. GANDAL.  He is another gentleman I believe was doing this for 
a number of agencies.  I think he was out of Florida at the time. 
MR. WHITFIELD.  Last question.  
Do you know anything about Joe Depante and Action Research Group?  
MR. GANDAL.  Yes, they were located in the Fort Lauderdale area, 
and I used to run a repossession company in that area.  And Joe 
would supply information to repossession companies the same way I 
do; and I patterned some of the things I do after his company. 
MR. WHITFIELD.  Mr. Rapp, do you know Joe Depante?  
MR. RAPP.  I do. 
MR. WHITFIELD.  How do you know him?  
MR. RAPP.  He was a client of ours and a friend of ours for many 
years. 
MR. WHITFIELD.  Is he a data broker?  
MR. RAPP.  He was.  I don't know at this point.  I know things have 
changed for him, but I don't know what he does. 
MR. GANDAL.  He is still running the company, Mr. Whitfield. 
MR. WHITFIELD.  Did you ever try to sell your client list to Mr.-- 
MR. RAPP.  Oh, yes, when we got out of business in 1999, when we 
were forced out, so to speak, I contacted a few of my clients.  A 
few had expressed interest to take over our clientele list with 
recommendations from us; and Action, the company we knew Joe by, 
seemed to be the best bet to go.  And we agreed upon a price, and 
unfortunately, we never received a penny.  
Things were going to work out and, as I guess goes with this 
business, we were deceived; and so they got the benefit of all the 
client lists and all the contacts, and that is fine. 
MR. WHITFIELD.  They got all the information and you don't get any 
of the money?  
MR. RAPP.  That is correct, not a penny. 
MR. WHITFIELD.  You were prosecuted under RICO; is that correct?  
MR. RAPP.  I believe so. 
MR. WHITFIELD.  And it is your understanding that you were 
prosecuted under RICO because they were not clear under what other 
specific statute they could prosecute you under?  
MR. RAPP.  Right.  When Mr. Feddo, your counsel, came out, and we 
just spoke with Bob Brown, who is the agent of the Colorado Bureau 
of Investigation, that was their emphasis to us:  We wanted you to 
stop, and we didn't know how we were going to force you to do it, 
and this is what we charged you with.  They took a class 2 felony 
all the way down to a couple of years of probation if you would 
quit the business.  
So it was apparent there was no real teeth behind it; or if there 
was, they just didn't exercise them, thankfully.  They wanted us 
to end, and we did. 
MR. WHITFIELD.  Can you give us some idea of the gross revenues of 
Touch Tone during your peak years?  
MR. RAPP.  Well, the peak years, our gross, as far as billings out, 
were well over a million for the latter half of the 1990s.  Prior 
to that, it was minimal, anywhere from a couple hundred thousand, 
half a million or whatever.  But the ability to earn the funds 
and the necessity of the information is enormous; given enough 
clientele and enough employees, there is no limit. 
You know, I appreciate the validity of what your committee is trying 
to do, but there is necessity for this.  And I understand you can't 
regulate it and say, well, this we will allow and this we won't.  
I understand that.  
But--you are not going to stop it, but hopefully you will put an 
end to the people--I don't know about Mr. Gandal, but we have never 
committed fraud in the respect of ever taking anybody's privacy and 
taking a penny that wasn't ours.  We would never do that. 
MR. WHITFIELD.  You didn't take their money-- 
MR. RAPP.  Just the information, if you haven't done anything wrong. 
That was our premise until the media, but-- 
MR. WHITFIELD.  Would you agree with the statement that, maybe if 
you had never become involved in JonBenet Ramsey murder case that 
you might still be in business?  
MR. RAPP.  Oh, yes, I definitely.  I would believe that, yes. 
MR. WHITFIELD.  Does anybody else have any questions? 
MS. DEGETTE.  I do. 
Sitting here, it seems to me Colorado is sort of a hotbed of 
pretexting, Mr. Chairman, and I am going to talk to some of my 
colleagues in the legislature about that. 
Mr. Gandal, I asked Mr. Rapp, but I didn't ask you:  Do you think 
Colorado's lack of laws enable you to do more than you might be 
able to do in other States?  
MR. GANDAL.  No.  I live in Colorado because I love it, no other 
reason.  
MS. DEGETTE.  You don't think that if Colorado enacted oversight 
on private investigators or data miners or things like that, that 
would affect your business?  
MR. GANDAL.  Well, it would affect my business if I looked at it 
and said, gee, everything I am doing is illegal.  I would stop, 
absolutely; I don't want to break the law.  I always believed I was 
a law-abiding citizen, assisting banks. 
MS. DEGETTE.  Great.  
Mr. Rapp, now, you told the Chairman that you were charged under 
RICO, but then you did plead guilty to a lesser offense, correct?  
MR. RAPP.  It is possible.  I truthfully-- 
MS. DEGETTE.  You are under probation right now, right? 
MR. RAPP.  No.  No.  They started out with class 2 felony.  They 
ended up with 5 years probation of which, after 3 years they said, 
you are not a threat to anybody and you are released. 
MS. DEGETTE.  But you had probation?  
MR. RAPP.  For 3 years. 
MS. DEGETTE.  So you must have pled guilty to something-- 
MR. RAPP.  At that point whatever they wanted me to, that was fine. 
MS. DEGETTE.  We all think you are very good and we would hire you 
for any sales position we might have in our organization.  But I am 
just asking you, if you got 5 years probation that was then reduced 
to 3, you must have pled guilty to something. 
MR. RAPP.  Yes, I did. 
MS. DEGETTE.  And your--was part of your agreement of probation that 
you would never engage in this business again, or-- 
MR. RAPP.  Not during the time of probation. 
MS. DEGETTE.  So you could go back to this business?  
MR. RAPP.  Theoretically. 
MS. DEGETTE.  Do you intend to do that?  
MR. RAPP.  No, ma'am.  
MS. DEGETTE.  Why? 
MR. RAPP.  I can't rationalize like I did at that point.  You can 
ignore some things so long, and it just got to the point where I 
felt guilty. 
MS. DEGETTE.  What were you ignoring?  
MR. RAPP.  Lying, conning, scamming. 
MS. DEGETTE.  So you just decided not to do that anymore?  
MR. RAPP.  That is not the best way to go. 
MS. DEGETTE.  What are you doing now?  
MR. RAPP.  I am a caretaker for the elderly, for my mom--and dad 
when he died--now for my Mom until she passes on, and then we will 
get back to life. 
MS. DEGETTE.  And I mean, you understand it is one thing to be doing 
what you were doing, which is pretexting, and getting the data, 
selling it--not for profit other than getting the data, not to 
steal someone's bank account or something. 
MR. RAPP.  Correct.  Correct.  
MS. DEGETTE.  But you understand the risks when this is done, and I 
think both you and Mr. Gandal would agree, it's been made much easier 
by the Internet and computerization, correct?  
MR. GANDAL.  Absolutely. 
MS. DEGETTE.  So it is not just people who are doing it for 
legitimate reasons, like repossessing automobiles, or even 
quasi-legitimate reasons like newspaper tabloids.  It is being 
done by criminals who are stealing people's data and stealing their 
identities and their assets, correct?  
MR. GANDAL.  Yes.  That is why I called the committee in the 
beginning and talked.  
MS. DEGETTE.  Now, I think, Mr. Gandal, you testified that you 
know Representative Welker, correct?  
MR. GANDAL.  Yes. 
MS. DEGETTE.  And you said that you referred some FBI agents to his 
company for use of these pretexting services, correct?  
MR. GANDAL.  Yes. 
MS. DEGETTE.  What were the names of the FBI agents? 
MR. GANDAL.  I don't know those names.  I know the name of the FBI 
agent that was in my office because we worked the case together.  
He is in New York City. 
MS. DEGETTE.  What is that person's name?  
MR. GANDAL.  His name is Neil Caldwell. 
MS. DEGETTE.  What office is he with? 
MR. GANDAL.  He is with Financial Crimes in New York City.  We 
worked a Nigerian fraud ring together, which he busted and recovered 
millions of dollars; and then on September 12, 2001, I assisted him 
in learning how to use one of the databases.  I had to look at the 
terrorists' addresses that were in Newark at the time and determine 
who else might still be out there.  And at that point I believe the 
FBI was given free access to these databases, and they no longer 
needed my assistance.  In fact, I haven't spoken to these 
agencies. 
MS. DEGETTE.  Was Agent Caldwell, was he the person that you 
referred to Mr. Welker?  
MR. GANDAL.  No.  He knew some-- I wasn't prepared for these 
questions, as far as having dates, but I would say-- 
MS. DEGETTE.  I am not asking you for a date. 
MR. GANDAL.  It was a long time ago.  Late '90s, I believe, he--I had 
shown him. 
MS. DEGETTE.  This was before September 12th?  
MR. GANDAL.  Yes.  Neil would come in my office and he would watch 
me work, and I would help him with information when he needed it. 
And he said these trap lines are really important, and I know DEA 
guys that could really use this.  And I believe he went to a 
Chicago office, who then contacted Mr. Stegner who worked for 
Mr. Welker.  
I don't think Mr. Stegner works there anymore. 
MS. DEGETTE.  I don't think so either.  But you don't know if, in 
fact, the FBI ever actually hired Representative Welker's company? 
MR. GANDAL.  To do trap lines, I know they did. 
MS. DEGETTE.  Do you know that Mr. Welker's company was compensated 
by the FBI for that?  
MR. GANDAL.  I know that I went to church with Mr. Welker one day, 
and they asked everyone in the--it was actually the first 
anniversary of 9/11--and they asked everyone in the audience to 
stand up who was in the military, and they called out the different 
things.  When they got to Army, I stood up. 
And they said, anyone else that works with the Government, and 
Mr. Welker stood up next to me.  And I kind of looked at him, and 
he said, "I have clients."  He said, "FBI is my client;" and that is 
why he stood up. 
MS. DEGETTE.  Mr. Welker said, "FBI is my client?"  
FBI told us they never hired Mr. Welker, so I guess that will be 
figured out later on. 
MR. GANDAL.  The information is just what I gave you.  
MS. DEGETTE.  Do you know any other government agencies who hired 
either your firm or these types of firms? 
MR. GANDAL.  I have done work for law enforcement before, but never 
hired.  I did favors.  I have assisted law enforcement. 
MS. DEGETTE.  So you are not compensated by a law enforcement 
agency? 
MR. GANDAL.  Right.  I had friends that were law officers.  
MS. DEGETTE.  Which agencies did you do favors for?  
MS. DEGETTE.  Nassau County Police Department, I had friends that 
were detectives with them in the '90s, in 1999 to 2000.  
MS. DEGETTE.  Did you ever do any favors for Federal, where you 
talked about-- 
MR. GANDAL.  Just the gentleman that came into my office; sometimes 
he would need an address to a telephone number, and I could get it 
for him a lot quicker than anybody else. 
MS. DEGETTE.  And that was it?  
MR. GANDAL.  That was it. 
MS. DEGETTE.  Mr. Rapp, what about you, were you ever hired by my 
law enforcement agencies?  
MR. RAPP.  I believe we were.  And I have to apologize; my honesty 
here is, hopefully, unquestionable, but my memory may be.  
Back during the '80s or '90s there were agencies--when we worked in 
Utah, we lived up in Cache County in Logan, Utah; and we did work 
for some of the agencies, I believe, there--just basics.  There was 
a nonpublished listing of a party, and they wanted the address, 
something generic to that account.  
But for the majority--that is the only one I can think of because 
very rarely, I don't think we were ever contacted except by 
Mr. Crosby, who was an FBI agent, I believe, at the time out of 
Texas.  
MS. DEGETTE.  This was like the late '80s, early '90s?  
MR. RAPP.  I believe it was, and at that point--Mr. Feddo has 
informed me he was ex-FBI, but that wasn't made clear to me at 
that point. 
MS. DEGETTE.  So you now don't know of any direct hiring by FBI?  
MR. RAPP.  No, I don't think there ever was. 
MS. DEGETTE.  And the only other law enforcement agency you can 
remember being hired was this Utah--was it a local or State?  
MR. RAPP.  Local.  Local. 
MS. DEGETTE.  And that's it?  
MR. RAPP.  Yes. 
MS. DEGETTE.  I am trying to figure out the scope of law enforcement 
agencies that hire these types of firms.  It doesn't sound to me to 
be very great.  
MR. RAPP.  No.  We were always told--contrary to popular belief, 
we were told--and a lot of my information came from Mr. Crosby and 
from the FBI agent that came to our office about the Monica Lewinsky 
deal, that if the Feds wanted to know something, they would know 
it.  That is the end of the story.  If they want to know it, they 
know it, they don't need to utilize any other agency or any other 
company to get it. 
MS. DEGETTE.  Thank you very much.  
Thank you, Mr. Chairman. 
MR. WHITFIELD.  Mr. Stearns, do you or Dr. Burgess have any 
additional questions?  
MR. BURGESS.  Yeah, the issue of the stores being a site for 
information transfer:  At the retail outlets, are there particular 
security measures they take at those stores?  
MR. GANDAL.  Not that I know of, no.  There are not a lot of 
security measures that the wireless service companies take in any 
respect. 
MR. BURGESS.  So the sales people in those stores wouldn't have any 
special training or expertise?  
MR. GANDAL.  No.  That is the reason they are targeted on a problem 
account.  
MR. BURGESS.  Would you agree with that, Mr. Rapp?  
MR. RAPP.  Yes.  
And if I can, Mr. Burgess, I have taken this cell phone, any cell 
phone to any company, I don't have to open it, I don't have to take 
out the SIM card inside if I say, "I need to see a copy of my last 
month's bill and, by the way, I think I would like to get two or 
three additional lines."  
They are more than happy to want to help.  They say, "what is your 
number?"  
And I throw out the number.  
They are not going to call it and verify it.  They are not going to 
say, "I need your ID."  They believe they see my ID in my hand.  
And I say, "You know, when I talked to customer service"--and from 
experience I would know the name of their computer system, whether 
it be CBIZ or BOSS or Elmo's or whatever--see, they tell me 
something like Elmo's is down.  They said, "oh, that again; what 
do you need?"  
I say, "Can you do me a favor and print out the last 3 months from 
me?"  Never even seen an ID, never seen anything.  It is that easy. 
 And there are so many branch offices, and you can go to any mall 
and you will see two or three.  It is that easy to acquire the 
information, and you don't need to know anything. 
MR. BURGESS.  So would the kiosks at the malls be the most 
vulnerable point, or are the retail stores just as vulnerable?  
MR. RAPP.  I don't know if the kiosks at the malls could print 
out an actual bill, but they can give me the specs on the bill.  
They can give me enough information to help me, so I can go back 
in to customer service and say, hey, here is my account number 
now.  Here is this, here is that.  So--they are all kids, though; 
they are staffed by people that have been there at the most a 
couple of years. 
MR. BURGESS.  Seems like the most basic type of security measures 
would at least stop some of that, maybe not 100 percent but some 
of that.  
Is the cost of those security measures a barrier to those being 
implemented?  
MR. RAPP.  Truthfully, I never ran across any security measures, so 
to speak, with any cell companies, landline companies.  I had more 
security at a cable company than I did at a bank. 
It is just the aspect they are not expecting.  And even today, even 
with all this, they are not prepared for Joe Blow calling in and 
saying, "Hey, wait a minute, now I know I got a check into my 
checking account.  And you guys told me I bounced one."  
"What is your account number?"  
And I don't know my account number.  
"What is your name?  I don't know.  I don't know.  What is your 
name?  I don't know."  It gets to that extent to where, "Did you 
spell my name correctly with an "sh" or with a "c"?"  
And then once you have them utterly confused they are going to want 
to start at the beginning and help you.  And it is the same way 
with every company out there. 
And I would hate for this committee to make it so tough that we 
have to sit on hold for 2 hours to get through to AT&T, because they 
have got to be so sure of all the security.  And I hate the fact I 
screwed that up in part. 
But it is a fact of the matter, you are going to always have people 
like us and you are going to always have people who are going to 
give out the information.  I would hope they are not going to hurt 
anybody with the information.  That is my goal. 
MR. BURGESS.  What about the--you addressed the issue of the 
overseas operators.  Is that a particular point of vulnerability, 
the outsourcing of the call center?  
MR. GANDAL.  Absolutely.  They barely speak English. 
MR. RAPP.  My wife worked for General Motors for 5, 6 years, and 
during that time, they transitioned from America to India to have 
all their customer service.  I never found it was any easier to 
get information out of India than here.  I am sure it might be. 
But when I reference overseas, clients came to us with overseas 
requests. 
Now, you try getting information out of a Barclay's Bank from 
somebody named Gambino, you are going to run into a little bit of 
difficulty just because of the situation, it is international.  
That is what I refer to as overseas.  That is why a lot of the call 
centers now are everywhere in the world. 
It doesn't matter except for the fact it takes a little bit more 
time and you have to be able to understand their dialect a little 
better to get what you want.  And it is tougher to be friendly, it 
seems like with them, or get them to understand you and what your 
needs are.  They are in a Third World country.  They can't 
appreciate what we are going through as far as trying to get the 
information.  
MR. BURGESS.  You are--I am just astounded your degree of 
imagination.  The fuse box is smoking.  The cleverness is just 
absolutely astounding.  
But I thank both of you for being here and for your candor.  
And, Mr. Chairman, I will yield back.  
MR. WHITFIELD.  Mr. Stearns.  
MR. STEARNS.  Thank you, Mr. Chairman.  I won't take too much 
longer.  
As I understand it, Mr. Rapp--let me just list some, if I came to 
you, if you could provide these.  
Could you provide disability benefits for a person?  
MR. RAPP.  Sure. 
MR. STEARNS.  Could you determine their Social Security benefits?  
MR. RAPP.  Yes, where the check is being sent, what bank it is 
being sent to, the account number. 
MR. STEARNS.  Welfare benefits?  
MR. RAPP.  Sure. 
MR. STEARNS.  Could you locate where a person used a hospital and 
what the expenses were at that hospital?  
MR. RAPP.  Absolutely, medical records. 
MR. STEARNS.  Could you find an e-mail for anybody?  
MR. RAPP.  You know, truthfully, I never had to delve much into the 
Internet world, thankfully; and no, I have never really dealt with 
e-mails that much. 
MR. STEARNS.  Mr. Gandal, do you think it is possible for anybody 
to find anybody's e-mail?  
MR. GANDAL.  You have to be much more computer literate than 
myself.  I'm telephone literate, like Mr. Rapp.  That's my tool. 
MR. STEARNS.  Mr. Rapp, could you find a brokerage account for 
anybody in America?  
MR. RAPP.  Absolutely.  
MR. STEARNS.  Well, that is pretty clear, Mr. Chairman.  I don't 
think we have any privacy at all, if these gentlemen could find any 
one of those things.  
Mr. Gandal, you mentioned in your testimony, you said that "please 
allow me to speak for another profession I feel should be 
criminalized before the only support for every auto financer in 
America receives this fate, the professional debtor.  This is the 
individual who uses a true name, fraud, in order to purchase dozens 
of vehicles which he has no intention of ever paying for.  He gives 
these cars to his friends or family, but many times he will sublease 
the vehicles, pocket the money that the third-party lessee gives 
them." 
So, tell me what you might reinforce, what you are trying to say 
here, and what we should do.  
MR. GANDAL.  Well, the professional debtor is someone making a lot 
of money doing it, and it's-- 
MR. STEARNS.  There are people doing this?  
MR. GANDAL.  Absolutely.  Listen to Sports Talk tomorrow and listen 
to their advertisements about the Nevada corporate ideas that they 
have got now.  Anybody can incorporate in Nevada. 
Anybody can incorporate in Nevada and probably other ones.  It's 
just a commercial that I have heard several time listening to Sports 
Talk, and they say you can go ahead and anybody can incorporate and 
then get corporate credit which has nothing to do with personal 
credit.  So these people have already trashed their name.  They go 
to a subprime or even the C&D paper of a major auto financier which 
isn't subprime.  They go in as a company, a hearing aid sales 
company, any of these things, and all of a sudden they've got 25, 
30 vehicles and they are gone.  They are gone.  Now one way to 
find those vehicles -- 
MR. STEARNS.  So simply a corporation of these auto dealers will 
lease or sell on credit for somebody who comes in with a corporate 
name. 
MR. GANDAL.  Sure.  They are trying to sell cars.  And they really, 
I believe in the beginning it was looked at like, look, we have got 
a giant portfolio here and this little bit is trickling down, is 
going to--we are going to lose. 
MR. STEARNS.  That's a cost of business. 
MR. GANDAL.  But as time has gone by, it is no longer a little bit 
that's trickling down, and a lot of these subprime dealers are gone 
because of it, and the ones that are still here are fighting to stay 
there to offer the product that has got to be there for a lot of 
people. 
MR. STEARNS.  What would you do besides criminalizing it?  What 
would you do in terms of legislation in terms of-- 
MR. GANDAL.  Control it.  Allow a replevin to be served right in 
town within a couple of days, knock on the doors, here's the 
papers.  I want the car.  I want it now without having to play games 
and chase people literally down the street like cops and robbers.  
Repossessor is a--it's a rough business, and he is doing a service 
and a good repossessor is not fighting.  A good repossessor does not 
carry a gun and get into a shootout over the vehicle.  He is 
respectful.  He talks to the people when he has to.  He picks up 
the vehicle because that's what is supposed to be done.  
Unfortunately, over and over and over again, and it's not a small 
problem and maybe the subprime companies don't even want to admit 
it.  But I have talked to them, and I have talked to a lot of them 
and let them know I was going to be here and what I was going to 
say, and they said go for it because they know it is true.  
There are problems.  A liaison would be great.  Somebody that has 
some power.  Repossessors look at that like some fat slouchy guy.  
It's not that way.  They are professional adjusters.  They are 
good investigators.  They are family men.  They are going out 
there and they are doing a job and making a little bit more money 
than they would if they are working at a toll booth or a body shop. 
It is a hard living.  There should be some laws to protect them.  
That would take away my job, but, you know, take away my job and 
I'll apply for a job in the liaison department. 
MR. STEARNS.  You could be the supervisor. 
MR. GANDAL.  Absolutely. 
MR. STEARNS.  Just on another note, could you explain prepaid 
calling cards, sir?  
MR. GANDAL.  Sure.  They are a very good and what I would imagine is 
a very legal tool.  You send out the prepaid calling card to a 
target.  You don't know their phone number or too much about them 
at this point.  You send it out.  They use the calling card, and 
then you have a copy of where they called from and where they called 
to, which is a good investigative tool in locating somebody. 
MR. STEARNS.  And that's used for what purpose?  
MR. GANDAL.  For skip tracing.  One percent of all vehicles are 
going to be repossessed this year.  Fifty percent of those vehicles 
are going to be skips.  And half of those, again, you are going to 
find the guy and you found him the whole time.  Why?  Because the 
car isn't parked out front because he doesn't have it any more.  
They are either straw purchases or whatever.  It doesn't mean it's 
going to help you.  But that is when the call records come into 
hand and that is why so many repossession companies and auto 
financiers like to look at the call records and see where he's 
calling to 10 times a day, 15 times a day.  Get a picture of 
somebody's life like that and maybe you'll get your car back. 
MR. STEARNS.  Do you have any idea how the carriers could put a 
stop to data broker accessing consumer information?  Do you 
understand what I am asking?  
MR. GANDAL.  Stopping my job? 
MR. STEARNS.  Yes. 
MR. GANDAL.  It would be very difficult.  It is very bureaucratic 
and although I've seen some changes in some companies, wireless 
companies, you can hang up and call back and get what you want and 
eventually I am afraid that the movement that they have made to 
secure is just going to fall apart again.  Right now it is big.  
They are talking about it is something that they want to do.  In a 
year's time it is all new people doing the job.  Most of these 
people can't even work 40 hours because they don't want to get 
paid for benefits.  So they keep everyone in all these companies 
underneath it.  The managers don't care.  The employees don't care. 
So the information is still readily available. 
MR. STEARNS.  Mr. Chairman, thank you.  I am done. 
MR. WHITFIELD.  Thank you, and I want to thank Mr. Rapp and 
Mr. Gandal for your testimony.  I think we already had an impression 
that there were no secrets anymore and now we know for sure there 
are not.  So with that, you all are dismissed.  We appreciate your 
cooperation very much.  
And at this time I would like to call forward the following 
witnesses on the third panel.  
Mr. John Strange, the owner of World Wide Investigations.  
Ms. Laurie Misner, owner of Global Information Group.  
Mr. Jay Patel, owner of Abika.com.  Mr. Tim Berndt, owner of Relia 
Trace Locate Services.  Mr. Ed Herzog, owner of Global Information 
Group.  Mr. James Welker, owner of Universal Communications 
Company.  Mr. Skipp Porteous, owner of Sherlock Investigations.  
Mr. Patrick Baird, owner of PDJ Services.  Ms. Michele Yontef, 
owner of TelcoSecrets.com.  Mr. Steven Schwartz, former owner of 
First Source Information Specialists and Mr. Carlos Anderson, owner 
of C.F. Anderson, PI. 
All of you know, the subcommittee takes testimony under oath, and I 
would like you all to right now raise your right hand and be sworn. 
[Witnesses sworn.] 
MR. WHITFIELD.  You are all under oath now, and under the rules of 
the House and the rules of the Energy and Commerce Committee, you do 
have the right to be advised by legal counsel as to your 
constitutional rights, and I would ask you do any of you have legal 
counsel with you today?  Okay.  All right.  
Those that have legal counsel, and we can start with you, 
Mr. Strange.  Do you have legal counsel with you?  
MR. STRANGE.  No.  
MR. WHITFIELD.  Ms. Misner, will you give us the name of your 
attorney?  
MS. MISNER.  Sanford Saunders. 
MR. WHITFIELD.  Mr. Patel, do you have legal counsel?  
MR. PATEL.  No, sir. 
MR. WHITFIELD.  Mr. Berndt?  
MR. BERNDT.  No.  
MR. WHITFIELD.  Mr. Herzog?  
MR. HERZOG.  Timothy Fitzgerald. 
MR. WHITFIELD.  Mr. Welker?  
MR. WELKER.  Yes.  
Mr. Bearden.  Yes, sir.  Jim Bearden.  
MR. WHITFIELD.  Thank you.  Mr. Porteous?  
MR. PORTEOUS.  Yes. 
MR. WHITFIELD.  Mr. Baird? 
MR. BAIRD.  No. 
MR. WHITFIELD.  Ms. Yontef.  
MS. YONTEF. No. 
MR. WHITFIELD.  Mr. Schwartz?  
MR. SCHWARTZ.  I have legal counsel.  He's in the hospital.  He 
asked that we postpone and reconvene so he can testify and he was 
refused.  
MR. WHITFIELD.  What's his name?  
MR. SCHWARTZ.  Richard Rosenbaum.  
MR. WHITFIELD.  Mr. Anderson?  
MR. ISSACS.  I represent Mr. Anderson.  I am Hanan Issacs. 
MR. WHITFIELD.  Thank you.  
Now I'm going to ask all of you, we'll start with you Mr. Strange.  
Do you have an opening statement that you'd like to make? 
MR. STRANGE.  No. 
MR. WHITFIELD.  Ms. Misner. 
MS. MISNER.  No. 
MR. WHITFIELD.  Mr. Patel?  
MR. PATEL.  No.
MR. WHITFIELD.  Mr. Berndt? 
MR. BERNDT.  No.
MR. WHITFIELD.  Mr. Herzog?  
MR. HERZOG.  No.
MR. WHITFIELD.  Mr. Welker?
MR. WELKER.  No.  Nothing. 
MR. WHITFIELD.  Mr. Porteous?  
MR. PORTEOUS.  No. 
MR. WHITFIELD.  Mr. Baird? 
MR. BAIRD.  No, sir. 
MR. WHITFIELD.  Ms. Yontef?  
MS. YONTEF. No. 
MR. WHITFIELD.  Mr. Schwartz?
MR. SCHWARTZ.  Yes, I do.  
MR. WHITFIELD.  You are recognized for 5 minutes.
MR. SCHWARTZ.  Up until a couple of years ago, I was listed as a 
broker.  We sold names.  Somebody would call like an ADT company 
to find people buying new homes.  I was introduced to this business 
3 or 4 years ago.  And I've been reading the newspapers and I've 
been in a lot of articles, and I've only actually owned the websites 
for a couple of months.  I shut them down 6 months ago when I found 
out that this might be illegal.  I had no clue that this might be 
illegal.  But when I first went into the business and I was told 
about it, I looked into it and I looked on the Internet. There was 
over 2 or 300 companies doing this, okay, and then I looked under 
the pretexting laws and it clearly stated that. 
MS. DEGETTE.  Can I interrupt you?  Are you intending to assert 
your Fifth Amendment rights against self-incrimination?  
MR. SCHWARTZ.  Yes, I am. 
MS. DEGETTE.  Counsel, and I feel like--I am not a practicing lawyer 
anymore, but I used to do a fair amount of criminal defense in the 
15 years I did practice.  By making this opening statement, you are 
waiving your Fifth Amendment rights. 
MR. SCHWARTZ.  I didn't know that. 
MS. DEGETTE.  Since your attorney is not here, he is in the hospital. 
MR. SCHWARTZ.  Then I will stop. 
MR. WHITFIELD.  Okay.  Mr. Anderson, do you have an opening 
statement?  
MR. ANDERSON.  No, Mr. Chairman. 
MR. WHITFIELD.  Since there are no opening statements, what I am 
going to do is ask all of you a question.  I am going to do it 
individually because--depending on the facts of the case.  I would 
like to start with Mr. Strange first and ask you, Mr. Strange, and 
Ms. Misner, if you would mind giving him that document book.  If 
you could move it down there to him.  And under Tab 68 in the 
binder, if you wouldn't mind turning to Tab 68 and it is on the 
screen, on both screens, if you can see it.  It is a price sheet 
from your web site, Informationbrokers.net, which you own through 
your company, Worldwide Investigations.  And the on-line price 
sheet offers outgoing cell phone calls, cell tolls without CNA 
landline tolls, with or without CNA and post office box 
information, among other services.  And so Mr. Strange, the question 
I would ask you, did you and your company Worldwide Investigations 
obtain and sell consumer cell phone records and other non-public 
personal information that was obtained through pretext, lies, 
deceit, or impersonation?  
MR. STRANGE.  Mr. Chairman, at this time I would like to assert my 
Fifth Amendment right not to testify.  
MR. WHITFIELD.  Okay.  So you are refusing to answer all of our 
questions on the right against self-incrimination afforded to you 
under the Fifth Amendment of the U.S. Constitution? 
MR. STRANGE.  Yes, Mr. Chairman. 
MR. WHITFIELD.  And it is your intention to assert that privilege if 
we ask any additional questions? 
MR. STRANGE.  Yes, sir. 
MR. WHITFIELD.  Okay.  Now I would like to go to Ms. Misner.  And 
Ms. Misner, if you wouldn't mind turning to Tab 41 in the binder 
which I request will be put upon the screen.  Now this document is 
a listing of the top 20 customers during the year 2005 for your 
company, Global Information Group, which you purchased in March 
of 2005.  
You produced this list as an attachment to your response to the 
committee's letter dated March 31st, 2006, which asked questions 
about Global's business activities.  This list includes many large 
bank lenders and auto finance companies.  So Ms. Misner, my question 
would be did you and your company, Global Information Group, obtain 
and sell customer cell phone records and other non-public personal 
data by pretexting cell phone carriers and impersonating technical 
service representatives, financial service representatives, or 
customers? 
MS. MISNER.  Mr. Chairman, upon the advice of counsel I invoke my 
right under the Fifth Amendment under the United States Constitution 
not to be compelled to testify against myself. 
MR. WHITFIELD.  So you are refusing to answer any and all questions 
we may ask under your Fifth Amendment privileges of the Constitution? 
MS. MISNER.  Yes. 
MR. WHITFIELD.  And it is your intention to assert that right on any 
of the other questions we might ask? 
MS. MISNER.  That is correct. 
MR. WHITFIELD.  Mr. Patel, if you would look at Tab 97.  This is the 
same price sheet for Mr. Strange's web site, Informationbrokers.net, 
that we saw earlier except that this is tailored for the web site 
Abika.com which you own through Accu-Search Incorporated.  I think 
you could also see it up on the screens as well.  
But on this price list, the check boxes designate the services which 
Abika.com purchased from Mr. Strange, including outgoing cell phone 
calls, cell tolls without CNA, landline tolls, with or without CNA, 
and post office box information, among others.  
So Mr. Patel, my question is did you and your company, Accu-Search, 
obtain and sell consumer cell phone records and other non-public 
personal information that was obtained through pretexting, lies, 
deceit, or impersonation?  
MR. PATEL.  Mr. Chairman, I would like to invoke my Fifth Amendment 
rights. 
MR. WHITFIELD.  So you are refusing to answer all of our questions 
on the right against self-incrimination afforded to you under the 
Fifth Amendment of the U.S. Constitution?  
MR. PATEL.  Yes, sir.  
MR. WHITFIELD.  And it is your intention to assert that right on all 
future questions? 
MR. PATEL.  Yes, sir. 
MR. WHITFIELD.  Mr. Berndt, if you wouldn't mind turning to Tab 100.  
In this copy of a chatroom posting, a private investigator named 
Damon Woodcock inquires whether someone can obtain for him both 
residential and cell phone toll records.  In response, on the next 
page an investigator named Jim Zimmer states "I use Tim Berndt at 
Relia Trace.  He is very fast, highly accurate, and his prices are 
competitive."  
At Tab 98 in another chatroom posting you describe the Relia Trace 
difference and state "we will guarantee the accuracy of what you 
receive 100 percent with the carrier of record."  
So Mr. Berndt, my question to you would be did you and your company 
Relia Trace Locate Services, obtain and sell consumer cell phone 
records and other non-public personal information that was obtained 
through pretext, lies, deceit, or impersonation? 
MR. BERNDT.  Mr. Chairman, I respectfully assert my privilege 
against self-incrimination secured to me by the Fifth Amendment to 
the United States Constitution. 
MR. WHITFIELD.  So you are refusing to answer these questions based 
on your Fifth Amendment right, and it is your intention to reassert 
that right if we ask additional questions? 
MR. BERNDT.  Respectfully, Mr. Chairman, that is correct. 
MR. WHITFIELD.  Mr. Herzog, if you would please turn to Tab 40. 
This document also is a price sheet used by Global Information 
Group, a company you formerly owned and operated, to advertise the 
information it could obtain and sell, including Social Security 
benefits, disability benefits, college class schedules, cell phone 
and landline calling records.  
So my question, Mr. Herzog, to you would be did you and your 
company, Global Information Group, obtain and sell consumer cell 
phone records and other non-public personal data by pretexting cell 
phone carriers and impersonating technical service representatives, 
financial services representatives, or customers?  
MR. HERZOG.  Mr. Chairman, upon advice of counsel I assert my Fifth 
Amendment privileges. 
MR. WHITFIELD.  So you are refusing to answer any questions today 
pursuant to your Fifth Amendment protections of the U.S. 
Constitution and it is your intention to assert that right on any 
future questions we may ask?  
MR. HERZOG.  Yes, sir.  Mr. Chairman. 
MR. WHITFIELD.  Mr. Welker, if you would not mind turning to Tab 
57.  This is a price sheet from Universal Communications Company, 
which you own, offering post office box breaks, out-of-state toll 
calls, including dates, times, and durations, cell tolls and cell 
phone breaks, among other services, and I would ask you, 
Mr. Welker, did you and your company, Universal Communications, 
obtain and sell consumer cell phone records and other non-public 
personal information that was obtained through pretext, lies, 
deceit, or impersonation?  
MR. WELKER.  Mr. Chairman, I respectfully invoke my Fifth Amendment 
rights under the Constitution and decline to answer any questions. 
MR. WHITFIELD.  So you are also refusing to answer any questions 
under the Fifth Amendment protections that you have, and it is your 
intention to assert that right on any additional questions we may 
have? 
MR. WELKER.  Yes, sir. 
MR. WHITFIELD.  At this time we'll go to Mr. Porteous.  
Mr. Porteous, Tab 73.  In this copy of a chatroom posting, Ryan 
Wroblewski, a former employee of your company, Sherlock 
Investigations, offers a special of $200 for unlimited cell 
records, all months on bills, with absolutely no add-ons, and at 
Tab 74 when asked by Tim Berndt of Relia Trace whether or not the 
offer includes business phone accounts, Mr. Wroblewski explains, 
"yes, business lines are complex but I do them for $200."  
So Mr. Porteous, my question would be to you and your company, 
Sherlock Investigations, did you and your company Sherlock 
Investigations obtain and sell consumer cell phone records and 
other non-public personal information that was obtained through 
pretext, lies, deceit, or impersonation?  
MR. PORTEOUS.  Mr. Chairman, I respectfully invoke my Fifth 
Amendment rights under the Constitution and decline to answer. 
MR. WHITFIELD.  So you're asserting your Fifth Amendment rights 
and it is your intention to reassert that right on any additional 
questions we may ask?  
MR. PORTEOUS.  Yes, sir. 
MR. WHITFIELD.  Thank you.  
Mr. Baird, at Tab 19 you will see that on February 14th, 2006, your 
attorney, Mr. Brian Corcoran of the law firm Katten Muchin Rosenman, 
responded on your behalf to this committee's letter requesting 
information about the business activities of PDJ Services, Inc.  
In that response, Mr. Corcoran stated, in particular, "the assertion 
about PDJ's collection of cell phone call records is false as PDJ 
voluntarily ceased gathering information last year."  Mr. Corcoran 
also stated that, "the information that PDJ obtains from its client 
is information that is publicly available to any person willing to 
put in the necessary time and effort."  
However, if you would turn to Tab 22, this is an e-mail document 
dated April 7, 2006, sent by your company, PDJ Services, to one of 
its customers and it contains several hundred cell phone calls 
from a Verizon Wireless bill.  In fact, in response to this 
committee's subpoena, you produced tens of thousands of e-mails 
reflecting transactions containing cell phone records throughout 
this year.  
So my question, Mr. Baird, would be did you and your company, PDJ 
Services, obtain and sell consumers' cell phone records and other 
non-public personal information that was obtained through pretext, 
lies, deceit, or impersonation? 
MR. BAIRD.  Mr. Chairman, I respectfully invoke my Fifth Amendment 
rights under the Constitution and decline to answer the questions. 
MR. WHITFIELD.  So you are invoking your Fifth Amendment rights 
and it is your intention to reassert your rights if we ask any 
additional questions? 
MR. BAIRD.  Yes, sir. 
MR. WHITFIELD.  Ms. Yontef, on Tab 79 of that same book is an e-mail 
that you sent to an employee at Patrick Baird's company PDJ 
Services, and in the e-mail you wrote "I was shot down four times 
on Nextel's CNA.  I keep getting Northwestern Call Center and they 
must have had an operator meeting about pretexts as every operator 
is cued in."  You then ask, "Can you guys try this for me?  Maybe 
you will get another call center that did not have the meetings."  
So Ms. Yontef, did you and your company, TelcoSecrets.com, obtain 
and sell consumer cell phone records and other non-public personal 
information that was obtained through pretext, lies, deceit, or 
impersonation? 
MS. YONTEF. I respectfully invoke my Fifth Amendment rights. 
MR. WHITFIELD.  So you are invoking your Fifth Amendment rights 
guaranteed by the Constitution, and it is your intention to assert 
that right if we ask any additional questions? 
MS. YONTEF. Yes, sir. 
MR. WHITFIELD.  Okay.  At this time we'll go to Mr. Schwartz.  
And Mr. Schwartz, at Tab 50, there are invoices from First Source 
Information Specialists, a company that you and Mr. Ken Gorman own, 
submitted to Patrick Baird's company, PDJ Services, in 2004.  
The invoices show that during the week ending August 13, 2004, your 
company sold to PDJ $720 worth of phone records, including CNAs, 
cell tolls, cell tolls with times, and information on nonpublished 
numbers.  
So Mr. Schwartz, a question I would ask you is did you and your 
company, First Source Information Specialists, obtain and sell 
consumer cell phone records and other non-public personal 
information that was obtained through pretext, lies, deceit, or 
impersonation?  
MR. SCHWARTZ.  I take the Fifth Amendment. 
MR. WHITFIELD.  So you are asserting your Fifth Amendment right, and 
it is your intention to reassert that if we ask any additional 
questions? 
MR. SCHWARTZ.  My lawyer told me to say, since we asked for a 
postponement because he is in the hospital, that I can't speak 
without him being here. 
MR. WHITFIELD.  Thank you very much. 
Now Mr. Anderson, if you would turn to Tab 88.  This is a summary of 
invoices, credits, and charges from your account with 
Mr. Jim Welker's company, Universal Communications.  According to 
this summary, the company that you own, C.F. Anderson, made dozens 
of requests for phone records in the first 4 months of 2006.  These 
requests included CNAs, which is listed as item info 1 on the 
invoice summary, cell phone breaks, item info 2, cell tolls, item 
info 9, and out-of-state tolls, item info 8.  
Mr. Anderson, did you and your company, C.F. Anderson, obtain and 
sell consumer cell phone records and other non-public personal 
information that was obtained through pretext, lies, deceit, or 
impersonation?  
MR. ANDERSON.  Mr. Chairman, with all respect, on advice of legal 
counsel I would like to exercise my rights under U.S. Constitution 
Fifth Amendment. 
MR. WHITFIELD.  So you're invoking your Fifth Amendment rights, and 
it is your intention to reassert those rights if we ask any 
additional questions? 
MR. ANDERSON.  Yes, sir. 
MR. WHITFIELD.  Given the witnesses' response, if there are no 
further questions from the members, I would dismiss all of you at 
this time subject to the right of the subcommittee to recall you 
if necessary.  So at this time, you are excused.  
That will terminate the hearing for today.  We will be regathering 
tomorrow, I believe at 2:00 o'clock tomorrow, to continue this 
hearing with another panel of witnesses.  And at this time the 
hearing is recessed. 
[Whereupon, at 1:35 p.m., the subcommittee was adjourned.] 

INTERNET DATA BROKERS:  WHO HAS ACCESS TO YOUR PRIVATE RECORDS 


THURSDAY, JUNE 22, 2006 

HOUSE OF REPRESENTATIVES, 
COMMITTEE ON ENERGY AND COMMERCE, 
SUBCOMMITTEE ON OVERSIGHT AND INVESTIGATIONS, 
Washington, DC. 


The subcommittee met, pursuant to notice, at 2:11 p.m., in Room 
2123 of the Rayburn House Office Building, Hon. Ed Whitfield 
[Chairman] presiding. 
Members present:  Representatives Whitfield, Stearns, Walden, 
Burgess, Barton (ex officio), Stupak, DeGette, and Inslee.  
Staff Present: Mark Paoletta, Chief Counsel for Oversight and 
Investigations; Tom Feddo, Counsel; Clayton Matheson, Analyst; 
John Halliwell, Policy Coordinator; Matthew Johnson, Legislative 
Clerk; Chris Knauer, Minority Counsel; Alec Gerlach, Minority 
Research Assistant; and Consuela Washington, Senior Minority 
Counsel.  
MR. WHITFIELD.  This hearing will come to order, and good 
afternoon, and welcome to all of you.  This afternoon's Oversight 
and Investigations Subcommittee hearing will continue our focus 
on data brokers and the procurement and sale of cell phone call 
records and other personal and confidential information.  
We will hear testimony today from representatives of two State 
attorneys general from Florida and Missouri about the actions 
those States have taken to shut down data brokers operating on 
the Internet, including some of the same brokers who yesterday 
asserted their Fifth Amendment rights against self-incrimination. 
The State witnesses will also suggest ways that consumers' cell 
phone records and other personal information might be better 
protected from data brokers. 
Our second panel will include representatives from five Federal 
law enforcement agencies to speak to the Federal government's use 
of data brokers.  We have anecdotal information that law enforcement 
was an occasional customer of data brokers, and so we sought to 
learn of this aspect of data brokers' business activities.  
In response to the committee's subpoena for records, one data 
broker, Patrick Baird, and his company, PDJ Services, produced 
documents showing that a Drug Enforcement Administration Task Force, 
the U.S. Marshals Service, and U.S. Immigration and Customs 
Enforcement, as well as some local law enforcement, had 
occasionally used those services. 
In addition, bureau representatives of the Bureau of Alcohol, 
Tobacco, Firearms, and Explosives and the FBI will testify today. 
My hope with both the Federal and local law enforcement panels is 
that the subcommittee may gain a better understanding of exactly 
why law enforcement might be turning to these data brokers who 
operate on the Internet.  In that context, it is important to 
understand why they turn, the kinds of information being requested 
or purchased.  And if law enforcement is turning to data brokers 
on the Internet because they lack the necessary tools to do their 
jobs under the law, then perhaps Congress should explore additional 
action and legislation to ensure law enforcement is adequately 
equipped to obtain the investigative leads and information they 
need. 
I look forward to today's testimony, thank the witnesses for being 
here, and at this time, I will recognize the distinguished Ranking 
Member, Mr. Stupak, for his opening statement. 
[The prepared statement of Hon. Ed Whitfield follows:] 

PREPARED STATEMENT OF THE HON. ED WHITFIELD, CHAIRMAN, SUBCOMMITTEE 
ON OVERSIGHT AND INVESTIGATIONS 

Good afternoon and welcome.  This afternoon's Oversight and 
Investigations Subcommittee hearing will continue our focus on data 
brokers, and the procurement and sale of cell phone call records and 
other personal information.  
	At the outset today, we will hear testimony from 
representatives of two state attorneys general, Florida and 
Missouri, about the actions those states have taken to shut down 
data brokers operating on the Internet - including some of the same 
brokers who yesterday asserted their Fifth Amendment rights against 
self-incrimination.  The state witnesses will also suggest ways that 
consumers' cell phone records and other personal information might 
be better protected from data brokers. 
	Our second panel will include representatives from five 
federal law enforcement agencies to speak to the Federal government's 
use of data brokers.  When our data broker investigation began, we 
inquired whether law enforcement agencies were among the customers 
of the data brokers in question.  We had anecdotal information that 
law enforcement was an occasional customer of data brokers, and so 
we sought to learn more about this aspect of data brokers' business 
activities.  
	In response to the Committee's subpoena for records, one 
data broker, Patrick Baird and his company PDJ Services, produced 
documents showing that a Drug Enforcement Administration task force, 
the U.S. Marshals Service, and U.S. Immigration and Customs 
Enforcement all had requested cell phone related information from 
that data broker.  Each of those agencies will testify today, and 
we are pleased to also have representatives from the Bureau of 
Alcohol, Tobacco, Firearms, and Explosives, and the Federal 
Bureau of Investigation testify.  
	The records produced by Mr. Baird also showed that several 
local police departments around the country were among PDJ's 
clients.  Our third panel will include representatives of the 
Austin, Texas and Miami-Dade, Florida police departments.  The 
Subcommittee also requested that a third police department 
testify - Orem City, Utah - but, unfortunately, Police Chief 
Michael Larsen declined our invitation.  
	My hope with both the federal and local law enforcement panels 
is that the Subcommittee will gain an understanding of exactly why law 
enforcement officers might be turning to these data brokers who 
operate on the Internet.  Let me be clear: the data brokers who 
invoked the Fifth Amendment yesterday are not necessarily 
information sources of "first resort."  They are not 
subscriber-based repositories of public information like Lexis-Nexis 
or Choicepoint.  Instead, they procure and sell information that is 
not publicly available, and which may have been acquired through 
lies and impersonation.  
	In that context, it is important to understand how often 
law enforcement turns to data brokers, the kinds of information 
being requested or purchased, whether the use of data brokers is 
permitted by statute and regulation in the jurisdiction of the 
particular law enforcement agency, and whether the various 
departments sanction the use of data brokers.  If law enforcement 
is turning to data brokers on the Internet because they lack the 
necessary tools to do their jobs under the law, then perhaps the 
Congress needs to take action and legislate to ensure that law 
enforcement is adequately equipped to obtain the investigative 
leads and information they need.  
	I look forward to today's testimony, and I thank the 
witnesses for their attendance.  	I now turn to the 
distinguished Ranking Member, Mr. Stupak, for the purposes of an 
opening statement. 

MR. STUPAK.  Thank you, Mr. Chairman, for holding this second day of 
hearings related to the privacy of our personal records.  These 
hearings have been a wake-up call to the American people.  They 
should be a wake-up call to Congress.  It became shockingly clear 
yesterday that, in today's Internet age, there is no such thing as 
a private personal record.  Yesterday, the committee heard two 
witnesses nonchalantly describe how easy it is for criminals to 
obtain Social Security information, Medicare and other benefits 
information, medical records, telephone records, post office box 
information and even location, and even an individual's location 
at any given time and date.  You and I, our most private and 
personal information is out there for the world to invade and 
steal. 
The committee learned the ease with which these criminals can 
side-step common security measures put in place by businesses and 
agencies.  Mr. Chairman, yesterday's witnesses said they believed 
that what they were doing was legal.  They were even told by law 
enforcement that what they were doing was legal.  But we know 
from the committee's work that the Federal Trade Commission says 
their work is illegal.  Let's remove any confusion.  This Congress 
needs to send an unequivocal message that pretexting is illegal.  This committee has already done excellent work in drafting two 
comprehensive bipartisan bills endorsed by consumer groups to combat 
pretexters.  Both bills passed the committee unanimously.  
Mr. Chairman, Democrats and Republicans need to stand side by side 
in saying to the House leadership that these two bills need to go 
to the floor as soon as possible.  We had them scheduled for the 
floor, and suddenly, they were withdrawn from the calendar, so 
let's not hold two good consumer protection bills hostage to 
politics. 
Turning to the topic of today's hearing, I am disturbed that our 
committee investigation found several examples of Federal law 
enforcement agents using pretexting.  As a former police officer 
and a Michigan State Trooper, I know that there are adequate means 
to conduct an investigation.  I am interested in hearing why law 
enforcement believes they need to use these pretexters who may use 
fraudulent means to obtain information.  I look forward to hearing 
from the agencies today about the scope of this problem and what 
each agency is doing to investigate and stop the use of pretexting 
within their agencies.  
With that, Mr. Chairman, I will yield back the balance of my 
time. 
MR. WHITFIELD.  Thank you.  
At this time, I will recognize the full committee Chairman, 
Mr. Barton of Texas. 
CHAIRMAN BARTON.  Thank you, Mr. Chairman, for holding the second 
day of hearings about data brokers and their many nefarious 
activities.  I look forward to hearing today what some of the 
States are doing to tackle the problems in their own jurisdictions 
and maybe get suggestions and ideas about what else this committee 
and this Congress can do through Federal legislation to put these 
companies out of business. 
As I mentioned yesterday, this committee's bill making it illegal to 
obtain consumers' cell phone call records fraudulently, which has 
already passed the committee and is awaiting action on the floor, 
is a good and important start.  In the meantime, your investigation 
has revealed that some law enforcement agencies around the country 
use data brokers to acquire cell phone-related information, both 
calling records and subscriber information, like the consumer's 
name and address. 
It is my understanding that when these records and information are 
not public, the Government must have a warrant, a subpoena, or an 
administrative subpoena to obtain access to such information.  If 
law enforcement agencies use their existing powers to get these 
warrants and subpoenas, it would seem to me they don't have to go 
to a data broker.  They can legitimately get the information they 
need directly from the carriers through normal legal processes. 
It is also my understanding that the law enforcement agencies we 
have contacted have told staff and will testify to that effect 
today that, one, there is no reason for their officers or agents to 
use a data broker company like PDJ Services because they already 
have the necessary tools to get the information. 
Two, the agencies do not sanction or approve the use of data brokers 
on the Internet.  This makes sense to me because using a data broker 
might compromise sensitive law enforcement information, compromise 
operational security, or just maybe violate the Constitution and 
void the use of certain information as evidence in court. 
I don't think anybody on our committee or subcommittee wants to make 
law enforcement's job more easy--I mean more difficult, excuse me.  
More difficult, and we do want to make it easier. 
You all are listening.  That is good. 
But at the same time, I think we do want to protect the 
constitutional rights of our citizens, and you can argue that it is 
unfair, the good guys with the white hats at various levels of law 
enforcement from the Federal Bureau of Investigation down to the 
local police department sometimes do have to fight with one hand 
tied behind their back because we have to defend the Constitution, 
and all of our citizens whether they be law-abiding or law-breaking 
have the same constitutional rights. 
So I hope that we can agree, even though it may be tougher, to go 
get a warrant, to go get a subpoena; that is the way the good guys 
do these things. 
While there may be an occasional law enforcement officer or 
department who want to cut corners, I just don't think that is 
appropriate. 
I am very concerned by this week's press reports that some law 
enforcement agencies frequently--frequently--use data brokers on 
the Internet to acquire nonpublic information.  I hope that this 
is not a widespread occurrence, and I hope that the law 
enforcement agencies here today and the others that are not here 
but are paying attention come away from this hearing with the 
decision to stay away from these data brokers.  Again, I will 
stipulate, our law enforcement guys are good guys.  They wear white 
hats.  We are all for them.  But there is a little thing called 
the Constitution that does give our citizens constitutional 
guarantee of due process.  And if there is a reason to get 
somebody's cell phone record or some of his personal information, 
records, you can always go to a judge; you can always go to a 
magistrate; you can get the proper warrant, the proper subpoena 
to get that information.  
I understand that the nature of law enforcement sometimes entails 
a close contact with the seedy side of society.  I might say I 
am very grateful that we have our law enforcement undercover 
officers and agents.  They are doing that.  They protect me.  
They protect my family.  They protect my children.  However, this 
business of data brokering is barely this side of legal.  
In fact, I think it is in many cases illegal.  And it is plainly 
wrong, and I hope that our police departments will rule it out of 
bounds for their investigators. 
I recall this problem first came to light when the Chicago Police 
Department discovered that its undercover officers were at risk of 
being outed by data brokers to drug dealers.  Can you imagine?  
When one set of law enforcement officers trying to do their job, 
undercover, risking their lives, are outed or threatened to be 
outed by data brokers who are selling records to other law 
enforcement officers; what kind of a deal is that?  It is a bad 
deal. 
I want to make data brokering illegal, as well as reprehensible.  
In the meantime, I hope our friends in the police agencies and the 
various law enforcement agencies will find a more efficient way to 
go that extra step to get the warrants, to get the subpoenas, to 
go to the courts instead of data brokers to get the information 
they need.  If we need Federal legislation to facilitate that 
process, I am sure on a bipartisan basis this committee will work 
to make that happen.  And if we need to go to other committees of 
jurisdiction, we will work with the other committees of 
jurisdiction. 
Mr. Chairman, thank you for this second day of hearings, I look 
forward to the testimony.  
[The prepared statement of Hon. Joe Barton follows:] 

PREPARED STATEMENT OF THE HON. JOE BARTON, CHAIRMAN, COMMITTEE ON 
ENERGY AND COMMERCE 

Thank you, Chairman Whitfield, for holding this second hearing 
about data brokers today.  I look forward to learning what some of 
the States are doing to tackle this problem in their own 
jurisdictions, and to maybe get some suggestions and ideas about 
what else this Committee and the Congress can do through federal 
legislation to put these companies out of business.  As I mentioned 
yesterday, this Committee's bill making it illegal to obtain 
consumers' cell phone call records fraudulently is a good and 
important start.  
In the meantime, your investigation has revealed that some law 
enforcement agencies around the country use these data brokers to 
acquire cell phone related information - both calling records and 
subscriber information, like the customer's name and address.  It 
is my understanding that when these records and information are 
not public, the government must have a warrant, a subpoena, or an 
administrative subpoena to obtain access to such information.  If 
law enforcement uses these subpoena or search warrant tools, then 
they don't have to go to a data broker; they can legitimately get 
the information directly from the carriers.  
It is also my understanding that the law enforcement agencies we 
have contacted have told staff, and will testify today that: 
1) there is no reason for their officers or agents to use a data 
broker company like PDJ Services because they already have the 
necessary tools to get the information; and 2) the agencies do not 
sanction or approve of the use of data brokers on the Internet.  
This makes sense to me, because using a data broker might 
compromise sensitive law enforcement information, compromise 
operational security, or violate the Constitution and void the use 
of certain information as evidence in court.  
Nonetheless, there will be the occasional law enforcement officer 
who may cut corners.  I am concerned by this week's press reports 
that some law enforcement frequently use data brokers on the 
Internet to acquire non-public information.  I hope that this is 
not widespread, and that the law enforcement agencies here today, 
and other ones paying attention to this hearing, stay away from 
these data brokers.  
I understand that the nature of law enforcement necessarily entails 
a close contact with the seamy side of society.   However, this 
business of data brokering is barely this side of illegal, and it 
is so plainly wrong that I hope police departments will rule it out 
of bounds for their investigators.  I recall that this problem came 
to light when the Chicago Police Department discovered that its 
undercover officers were at risk of being outed by data brokers to 
drug dealers.   When one set of law enforcement officers are using 
and encouraging a service that endangers other officers, 
something's very wrong.  I want to make data brokering illegal as 
well as reprehensible.  In the meantime, I hope the police will 
find efficient ways to use warrants and courts instead of data 
brokers to get at the information they need. 
Mr. Chairman, I look forward to today's testimony and yield back 
the remainder of my time. 

MR. WHITFIELD.  Thank you, Mr. Barton.  
At this time, I recognize Ms. DeGette of Colorado. 
MS. DEGETTE.  Thank you very much, Mr. Chairman.  
Yesterday's hearing was indeed illuminating and frightening.  I was 
sort of amazed by the end of the hearing that my bank account 
hadn't been cleaned out and all the other committee members, 
although I suppose that is yet to be seen.  But pretexting as we 
learned from the witnesses yesterday can allow somebody to gain 
almost any kind of information from folks.  
And this ranges from being a mere annoyance to even potentially 
a life-threatening situation.  A stalker could easily find a 
victim.  A threatening husband could try to track down a spouse 
who is attempting to seek shelter.  And Mr. Rapp who was the 
investigator who spoke yesterday said that he, most of the time 
when he was doing this work, he never bothered to try to figure 
out whether the purpose was legitimate or not, other than he never 
gave people phone numbers to battered women's shelters which 
I thought was kind of a bright line, and I am glad he used that 
test.  But I was wondering what other information he was giving 
to people and for what purpose. 
I was horrified to find out that the witnesses yesterday and 
several of the other witnesses who asserted their right to Fifth 
Amendment privileges were from my home State of Colorado.  And I 
found out, Mr. Chairman, that five, only five out of 50 States, 
including my State, don't supervise private investigators and 
oversee them, which is one reason a lot of these nefarious types 
have come to States like my State.  And I intend to work with my 
State legislators before the next session to see if they can put 
some laws in place.  But there is a broader issue.  And the issue 
is that there are no clear brightline tests.  There is no law 
where you can say some of these activities are illegal. 
In fact, Mr. Rapp was prosecuted under the RICO statutes, and he 
later pled guilty to a much lesser offense.  The reason is, it is 
almost impossible to convict somebody of a RICO violation, and 
that is really an inaccurate, and not a complete fit. 
So, I think everybody agrees on a bipartisan basis that we need to 
have legislation to prevent this activity. 
And of course, we have legislation, as I mentioned yesterday, 
H.R. 4943, which passed the committee unanimously on March 8th of 
this year and on May 2nd was scheduled for consideration on the 
House floor. 
And I asked yesterday, and I ask again, what ever happened to this 
bill?  I was thinking later after the hearing we could have had 
Mr. Rapp try to track down the bill, and I bet he could have found 
it for us, Mr. Chairman, because it seemed like he could find out 
about any information he wanted.  
But for whatever reason, whether it was because of jurisdictional 
issues or stakeholder issues, as Chairman Barton said yesterday, 
or some other issues about news breaking about the same time in 
the USA Today story, whatever reason, that bill was taken off the 
suspension calendar and we haven't seen it since. 
I was hoping that Chairman Barton would tell us today the result 
of his meeting yesterday he said he was having to find out the 
status of the bill, because I think it is extremely important that 
we pass this legislation, and I am hoping that this series of 
hearings will give us the impetus to once and for all get this 
bill up on the floor and get it passed.  And just one last thing.  
We also need to pass H.R. 4127, which is an important piece of 
legislation, again, also passed by this committee and again in 
legislative limbo.  And so I think we were all--whenever we have 
an investigative hearing like this, Mr. Chairman, we learn so 
much, and I am so glad we have them, and I am so glad this lights 
a fire to bring these bills up on the suspension calendar to pass 
them and to urge the Senate to pass them.  
With that, Mr. Chairman, I yield back. 
MR. WHITFIELD.  Thank you, Ms. DeGette.  
At this time, the Chair recognizes the gentleman from Florida, 
Mr. Stearns.  
MR. STEARNS.  Thank you, Mr. Chairman.  And I appreciate your 
continuing efforts on these hearings.  
And I look forward to the witnesses today. 
I think, from yesterday, I came away with the impression that these 
data brokers are middlemen, and some of the things that they do, 
you, it is going to be very difficult to draft up legislation to 
stop them. 
Some of it is just pure being con artists, but in many ways, this 
middleman is a data broker; they are able to help and find evidence 
that helps law enforcement.  So the question is, what kind of 
legislation could be provided to make sure that they don't cross 
the line?  And for example, when I talked to one of the data 
brokers yesterday, we were talking about cell phone records.  And 
I guess the question I would be asking these folks are, how can 
cell phone records and other personal consumer information be 
protected from these middlemen or these data brokers who operate 
on the Internet?  
So this is going to be very difficult to try and come up with 
legislation.  I think a lot of these data brokers thought they were 
operating legally, and they were just ferreting out information by 
ingenious methods of conning the corporation's customer service. 
I think it is an interesting hearing.  And obviously, in some 
cases, these data brokers did things which, although appalling, 
if the other person is not under evil intent, these data brokers 
are helping law enforcement to extricate these people, find them 
and put them in jail.  So there is a side to this hearing that I 
think all of us should realize that there is some aspect about 
it that the law enforcement community needs.  They use data brokers 
to acquire this information, and without a warrant or subpoena to 
acquire the records, and the people who do it in many ways do 
something they think is legal. 
But I notice that the staff had provided that there is an Act 
called the Stored Communications Act, lays out specific requirements 
for government entities that want access to cell phone call records 
and even customer name and address information.  I did not know 
that.  So perhaps this is the vehicle that we should look at more 
carefully, Mr. Chairman, if we intend to offer legislation.  
Thank you, Mr. Chairman. 
MR. WHITFIELD.  Thank you, Mr. Stearns.  
At this time, I recognize Dr. Burgess of Texas. 
MR. BURGESS.  Thank you, Mr. Chairman, and again, these have been 
enlightening and intriguing hearings, and I am confident our 
committee will continue to work diligently to protect Americans 
and their private records. 
Today, the second part of our hearing on the Internet data brokers 
and pretexting begins.  Yesterday, our primary focus was on the 
victims and on the actual data brokers themselves.  And today our 
focus shifts to government practices.  It will be an interesting 
dynamic to not only hear from States' attorneys general and their 
efforts to stop the business of data brokers, but we will also be 
hearing from the Government agencies that actually do business with 
data brokers.  There must be a way to better provide law 
enforcement agencies with the data needed to fight crime and pursue 
justice while at the same time continuing to protect the 
constitutional right to privacy of our citizens. 
I look forward to discussing this issue in greater detail with the 
law enforcement agencies in trying to determine if they need 
additional tools, if they need additional Federal legislation or 
administrative action to better balance these compelling needs. 
During yesterday's hearing, I entered into an interesting and 
troubling discussion about the lack of security at telephone 
kiosks in shopping malls.  According to Mr. David Gandal and 
Mr. James Rapp, the security measures at stores, retail outlets, 
and kiosks are practically nonexistent.  Data brokers, even 
those without much sophistication, can easily use the kiosk as 
an uncontrolled supply of customer information.  I was not even 
aware that this was a potential problem. 
And I would very much like to hear from the attorneys general on 
our panel today whether or not they viewed this as problematic 
and, if so, what they are doing to control this as a potential 
source of data on American citizens.  
Mr. Chairman, again, I thank you for your leadership on this issue, 
and I look forward to today's hearing.  I yield back. 
MR. WHITFIELD.  Thank you, Dr. Burgess. 
And there are no further opening statements. 
 
STATEMENTS OF PETER LYSKOWSKI, ASSISTANT ATTORNEY GENERAL, OFFICE 
OF THE ATTORNEY GENERAL, STATE OF MISSOURI; AND JULIA HARRIS, 
SENIOR ASSISTANT ATTORNEY GENERAL, OFFICE OF THE ATTORNEY GENERAL, 
STATE OF FLORIDA  

MR. WHITFIELD.  I would like to call the first panel and apologize 
for the delay in getting started this afternoon.  On the first 
panel, we are quite fortunate to have Mr. Peter Lyskowski, who is 
Assistant Attorney General at the Missouri Attorney General's 
Office of Jefferson City, Missouri; and also, Ms. Julia Harris, 
who is the Assistant Attorney General from the State of Florida 
out of Tallahassee.  So if they would please come forward and take 
a seat at the table, we appreciate that. 
I want to thank you all very much for taking the time to come up and 
provide us with assistance on this important subject.  We know that 
your States have been quite active in this arena, and we are hoping 
that maybe we can learn some things from you.  And as you may or 
may not know, the Oversight and Investigations Subcommittee takes 
testimony under oath, and I would ask you, do either one of you 
have difficulty testifying under oath today?  
MR. LYSKOWSKI.  No.  
MS. HARRIS.  No, Mr. Chairman. 
MR. WHITFIELD.  And I feel quite confident that you don't need legal 
counsel, so if you would stand, I will swear you in. 
[Witnesses sworn.]  
MR. WHITFIELD.  Thank you very much.  You are now under oath. 
And Mr. Lyskowski, we will start with you if you will give us 
your 5-minute opening statement. 
MR. LYSKOWSKI.  Thank you, Mr. Chairman, for holding this and 
yesterday's hearings and the previous hearing held by the full 
committee on this important issue.  I thank also the Members for 
showing the interest in this important law enforcement and consumer 
issue. 
We have seen in Missouri as in other places that the emergence of 
new technologies that increase efficiency and ease of use of basic 
services has allowed citizens in our State, Missouri, like all 
Americans, to participate in an information revolution.  
And while the dramatic changes we have seen in recent years have in 
many ways made our lives easier, they have also provided new ways 
for wrongdoers to take advantage of our reliance on these new 
technologies.  The safeguards provided by face-to-face interaction 
have been replaced online by a host of authentication measures.  
Now, no doubt, most of these measures may be effective in securing 
consumers' information, but law enforcement officials at every 
level throughout history know that no security system is 100 
percent effective, and thieves have adapted so that they can 
operate in the information age. 
In the attorney general's office in Missouri, we investigate and 
prosecute both civilly and criminally those who would seek to 
endanger, defraud, and exploit Missouri citizens.  Investigators 
and attorneys in our office are constantly on the lookout for the 
latest methods and practices employed by those trying to take 
advantage of Missourians.  This is especially true when it comes 
to the theft of consumers' private information which, in the hands 
of the wrong person, can be put to a number of nefarious uses. 
We recently began investigating the practice of selling cell phone 
records over the Internet.  We discovered that numerous websites 
advertised by simply providing a phone number and a fee.  Someone 
could obtain the account's originating address as well as a list 
of the calls placed from and received at that number, sometimes 
in a matter of hours. 
And so we took action.  On January 20th of this year, we filed suit 
against the operators of locatecell.com, a site which we believed 
to be perhaps the biggest player in this industry.  On February 
15th of this year, we obtained a court order prohibiting these 
defendants from engaging in this practice; this site is currently 
not operating.  On February 21st, we sued the operators of 
completeskiptrace.com and, 2 days later, obtained a court order 
prohibiting operators of this site from obtaining or selling cell 
phone records.  The offensive portions of completeskiptrace.com 
are now disabled.  
On March 6th, we sued the operators of datatraceusa.com and 
obtained a temporary retraining order and then a preliminary 
injunction against those operators; datatraceusa.com is no longer 
operational.  
Just a week ago, on June 15th, a judge in Jefferson City, Missouri, 
approved an agreement that we reached with a Joplin, Missouri, man 
who was operating a Web site called nainfo.com.  This center will 
no longer offer for sale or sell consumer cell phone records, and 
that portion of the Web site has been disabled. 
Mr. Chairman, our cases in this area are based on Missouri's 
consumer protection laws which include a prohibition on the use of 
practices that are unethical, oppressive, or unscrupulous and pose 
a risk or cause substantial harm to consumers.  Those laws also 
prohibit the concealment, suppression, or omission of a material 
fact in connection with the sale of goods or services. 
These defendants' conduct violates both of these provisions.  
Additionally, some of the sides actually make a misrepresentation 
that the information is obtained legally, a statement which is, of 
course, completely false and in violation of Missouri law. 
Mr. Chairman, we currently have other investigations under way, and 
we will not hesitate to take appropriate action to curb violations.  
So that is what we have done in Missouri to sort of try to eliminate 
some of these sites.  We have also asked the question that has been 
asked by other participants in this discussion about the role of 
the carriers.  And on April 28th of this year, we joined with 47 
other attorneys general in urging the FCC to require phone carriers 
to implement additional and stronger safeguards.  We signed on 
because we believe phone carriers can and should take the necessary 
steps to put adequate safeguards in place to protect the information 
they amass on their customers.  By most accounts, as has been 
indicated, these records are obtained by thieves through pretexting, 
a practice which you may have heard has also been called, Dialing 
for Dummies, where individuals actually call the carrier of the 
number for which he wishes to retrieve records and pose as actual 
consumers, the actual customers.  These pretexters ask for the most 
recent bill of the customer they are impersonating, and if they 
fail in any way in providing authentication information, they just 
hang up and try again and they bounce back and forth from attendant 
to attendant until they succeed.  We were shocked to discover the 
ease with which they were able to accomplish this. 
But we also recognize that putting the operators of these websites 
out of business is not a panacea.  If carriers are to act to 
implement safeguards as we have suggested with the other attorneys 
general, the low hurdles that pretexters have to cross will be 
replaced by substantial barriers making it far more difficult.  
I don't want there to be any doubt that we view the bad actors 
here as the operators of these websites.  However, we know that the 
carriers are in a position where they can either continue being part 
of the problem or they can adapt new measures to become part of 
the solution.  
Thank you again for your time, and we are very pleased to be here 
today and I would be happy to answer any questions you may have. 
[The prepared statement of Peter Lyskowski follows:] 

PREPARED STATEMENT OF PETER LYSKOWSKI, ASSISTANT ATTORNEY GENERAL, 
OFFICE OF ATTORNEY GENERAL, STATE OF MISSOURI 

The State of Missouri's response to the sale of cell phone records 
and personal identifying information on the internet: 

I.	Missouri's Investigations and Litigation 
The emergence of new technologies that increase efficiency and ease 
of use of basic services has allowed Missourians - like all 
Americans - to participate in an information revolution.  And 
while the dramatic changes we have seen in recent years have in 
many ways made our lives easier, they have also provided new ways 
for wrongdoers to take advantage of our reliance on these 
technologies.  The safeguards provided by face-to-face interaction 
have been replaced online by a host of authentication measures.  
No doubt most of these measures are effective in securing 
consumer's information.  But law enforcement officials at every 
level throughout history know no security system is 100% effective, 
and thieves have adapted so that they can operate in the information 
age. 
We investigate and prosecute, both civilly and criminally, those who 
seek to endanger, defraud, and exploit Missouri citizens.  
Investigators and attorneys in our office are constantly on the 
lookout for the latest methods and practices employed by those 
trying to make money by taking advantage of Missourians.  This is 
especially true when it comes to the theft of consumers' private 
information which, in the hands of the wrong person, can be put to 
a number of nefarious uses.  
Recently, we began investigating the practice of selling people's 
cell phone records over the internet.  We discovered that numerous 
web sites advertised that by simply providing a phone number and a 
fee, someone could obtain the account's originating address as well 
as a list of calls placed from and received at that number in a 
matter of hours.  We quickly took action: 
-	On January 20 of this year, we filed suit against the 
operators of locatecell.com, a site which we to believe to be 
perhaps the biggest player in this industry.  On February 15, we 
obtained a court order prohibiting these Defendants from engaging in 
this practice.  This site is currently not operating. 
-	On February 21, we sued the operators of 
completeskiptrace.com, and two days later obtained a court order 
prohibiting the operators from obtaining or selling cell phone 
records.  The offensive portions of completeskiptrace.com are now 
disabled.  
-	On March 6, we sued the operators of datatraceusa.com, 
obtaining a temporary restraining order and then a preliminary 
injunction against those operators.  Datatraceusa.com is no longer 
operational.  
-	A week ago, on June 15, a Missouri judge approved an 
agreement we reached with a Joplin, Missouri man who was operating 
the web site nainfo.com.  He will no longer offer for sale or sell 
consumers' cell phone records, and that portion of his web site 
has been disabled. 

Our cases in this area are based on Missouri's consumer protection 
laws, which include a prohibition on the use of practices that are 
unethical, oppressive, or unscrupulous and pose a risk of or cause 
substantial harm to consumers.   Those laws also prohibit the 
concealment, suppression, or omission of a material fact in 
connection with the sale of goods or services.  These defendants' 
conduct violates both of those prohibitions.   Additionally, some 
of these sites actually make the misrepresentation that the 
information is obtained legally - a statement which is of course 
totally false and in violation of Missouri law.  
We currently have other investigations underway, and will not 
hesitate to take appropriate action to curb these violations.  

II.  	NAAG Sign-on 
On April 28 of this year, we joined with 47 other attorneys general 
in urging the Federal Communications Commission to require phone 
carriers to implement additional and stronger safeguards.  We 
signed on because we believe the phone carriers can and should 
take the necessary steps to put adequate safeguards in place to 
protect the information they amass on their customers.  By most 
accounts, these records are obtained by thieves through 
"pretexting" - a practice also referred to as "dialing for 
dummies" - where individuals actually call the carrier of the 
number for which they wish to retrieve records and pose as actual 
customers.  These "pretexters" ask for the most recent bill of the 
customers they're impersonating, and if they fail in providing 
accurate authentication information, they simply hang up and try 
again.  They bounce from attendant to attendant until they succeed. 
We were surprised to discover the ease with which these pretexters 
are able to obtain very personal and private information.  Putting 
these operators out of business is not a panacea.  If carriers act 
to implement safeguards such as those suggested by state attorneys 
general, whether voluntarily or under federal mandate, the low 
hurdles that pretexters now must cross will be replaced by 
substantial barriers, thus making it far more difficult for them 
to ply their craft.  
Let there be no doubt that the pretexters and those who employ them 
are the bad actors here; they are the ones we have sued and continue 
to investigate.  But the carriers are uniquely poised to either 
continue to be part of the problem, or to adopt new measures that 
allow them to be part of the solution. 

III.  	Federal Proposals
We have confidence that the legal theories underlying our state 
actions are sound.  We would not have brought these cases if that 
weren't so.  
We in state law enforcement always welcome the assistance and support 
of those at the federal and local level.  As long as it does not 
pre-empt the Missouri statutes we use in pursuing these actors, we 
would welcome the strengthening of federal law in this area. 

IV.	Conclusion
We are pleased with the progress we have made in Missouri, and we 
applaud the work of our colleagues in other states in going after 
these folks.  We will continue to work diligently to protect 
consumers' privacy when these and other practices occur.  And we 
call on those with the capability to do the same. 

MR. WHITFIELD.  Thank you very much.  
At this time, Ms. Harris, you are recognized for your opening 
statement. 
MS. HARRIS.  Thank you, Chairman Whitfield, Ranking Member Stupak, 
and members of the subcommittee. 
My name is Julia Harris, and on behalf of Attorney General Charlie 
Crist of the State of Florida I want to thank you for the 
opportunity to address this committee. 
Attorney General Charlie Crist has filed two lawsuits against data 
brokers in 2006.  The first was filed on January 24th of this year 
against 1st Source Information Specialists, and Steven Schwartz and 
Kenneth Gorman.  You may be more familiar with this company as it 
operated the websites locatecell.com, celltolls.com, datafind.org, 
and peoplesearchamerica.com, and is subject to other litigation 
throughout the Nation and by carriers. 
This company advertised telephone records over the Internet. 
In the course in the investigation, an Internet order was placed for 
telephone records, and those records were e-mailed within 24 hours 
to the purchaser of those records. 
The Attorney General filed a complaint against 1st Source on the 
basis that they unlawfully obtained and sold telephone records.  The 
complaint was based on Florida's Deceptive and Unfair Trade Practices 
Act and also alleged violations of Florida's law on criminal use of 
personal identification.  The complaint also alleged civil 
conspiracy.  
The websites have since been taken down, but litigation is pending, 
and no further comment would be appropriate at this time. 
Attorney General Crist's second lawsuit was filed against Global 
Information Group on February 23rd of 2006. 
The complaint also filed an action against Laurie Misner and Edward 
Herzog.  These were individuals that appeared yesterday. 
The Attorney General's complaint alleged that Global unlawfully 
obtained and sold confidential telephone records.  Specifically, the 
complaint alleged that Global obtained information by impersonating 
telephone company employees and customers in order to obtain that 
information.  In one specific example, Global employees posed as an 
employee of a telecommunications carrier who was assisting a 
disabled consumer.  The complaint also alleged that Global made over 
5,000 calls to a telephone company customer service toll free number 
in about 1 month period of time. 
The complaint also alleged thousands of other calls to telephone 
company customer service centers.  In April, the Attorney General 
obtained a consent judgment and permanent injunction against Global 
and Laurie Misner and Edward Herzog.  We obtained $250,000 in 
monetary relief.  However, there are potential penalties of 
$2.5 million against any offending individual defendant if certain 
conditions are met. 
The injunctive relief is broad, because Global participated in a 
number of practices and pretexting outside of phone records. 
The injunction prohibits all pretexting. 
Outside of enforcement, the Florida legislature has been active. 
 Effective July 1st of this year, Florida specifically criminalizes 
the obtaining of telephone calling records through fraudulent means 
from a telecommunications company.  This will be located at Section 
817.484 of the Florida Statutes.  The law will prohibit a person 
from obtaining or attempting to obtain calling records without 
permission, for making a false, fictitious, or fraudulent statement 
to a telecommunications company or customer.  It prohibits the 
providing of a document knowing that that document is forged, 
counterfeit, lost or stolen, or fraudulently obtained.  It also 
prohibits asking another person to obtain, sell, or offer to sell 
a call record obtained illegally. 
I must point out that we have seen that private investigators have 
been a large part of this industry.  Private investigators will be 
subject to Florida's new law. 
In addition, Florida's law provides that voice-over Internet 
protocol providers are within the definition of telecommunications 
companies.  In addition to Florida's new law specifically addressing 
telephone records, Florida's existing law, the Criminal Use of 
Personal Identification Information Law, is available today, as it 
has been, as a felony.  Effective July 1st of last year, Florida's 
legislators specifically provided that telephone numbers are 
 protected personal identification information. 
Outside of State action, the Federal Communications Commission 
through its rulemaking authority and telecommunication carriers 
should enhance carrier protections as noted by my fellow assistant 
 attorneys general.  Florida and 47 other attorneys general filed 
comments in April to the FCC in response to their notice of 
proposed rulemaking strongly encouraging enhanced protections for 
consumers.  Front-end protections are needed to be implemented by 
carriers.  They can prevent the pretexters at the outset and 
eliminate and reduce the need for back-end investigation and 
prosecution well after the harm has occurred. 
Why is immediate access to telephone records necessary?  That may be 
something that should be looked at further.  Consumers do need to 
have a choice about expedited access to their confidential records. 
 And telecommunication carriers should voluntarily provide consumers 
with this choice.  If a consumer does not require or desire 
expedited access to their telephone records through phone, fax, or 
e-mail, a consumer should be able to require the carrier to secure 
the records.  For those consumers needing expedited access, they 
should be able to direct carriers to permit access with appropriate 
checks and balances.  Therefore, only consumers who are willing to 
assume the inherent risk of that increased access and the 
vulnerabilities that go with that should gain the records in that 
manner. 
This is akin to a security freeze.  And consumers now can use that 
to protect their credit bureau reports.  The recommendations of the 
attorneys general and the comments filed to the FCC warrant 
additional review by the subcommittee to assist in addressing those 
issues involving consumer consent, bolstered safeguards, a revamp 
of consumer notices, requiring voice-over Internet providers to 
protect consumer information, addressing the release of cell phone 
locations, and particular security mechanisms. 
We have learned that all consumer records are vulnerable, not just 
the phone records.  But a cohesive approach is required.  
Responsible business practices, consumer education, regulatory 
oversight, legislative action, and enforcement all have a role in 
addressing the consumer data industry issues.  However, Federal 
legislation should not impede the efforts of the States under State 
law remedies.  
On behalf of Attorney General Charlie Crist, I thank you for the 
opportunity to address the subcommittee. 
[The prepared statement of Julia Harris follows:] 

PREPARED STATEMENT OF JULIA HARRIS, ASSISTANT ATTORNEY GENERAL, 
OFFICE OF ATTORNEY GENERAL, STATE OF FLORIDA 

Chairman Whitfield, Ranking Member Stupak, members of the 
Subcommittee on Oversight and Investigations, Committee on Energy 
and Commerce, U.S. House of Representatives, I am Julia Harris, and 
on behalf of Attorney General Charlie Crist of the State of Florida, 
I thank you for the opportunity to appear before the Subcommittee 
to address its concerns which resulted in this hearing on Internet 
Data Brokers and Pretexting: Who has Access to Your Private Records? 

I.  	Background 
	I am a Senior Assistant Attorney General with the State of 
Florida Office of the Attorney General, Economic Crimes Division.1  
I am the attorney who filed litigation on behalf of Attorney General 
Charlie Crist against Global Information Group, Inc. on 
February 23, 2006 in state court in Tampa, Florida for unlawfully 
obtaining and selling confidential telephone records without the 
knowledge of the consumers whose records were being sold.  

II. Attorney General's Litigation Against Data Brokers 
A. State of Florida vs. 1st Source Information Specialists, Inc., 
et al	
	Attorney General Crist filed Florida's first lawsuit 
against data brokers trafficking in phone records on 
January 24, 2006 against 1st Source Information Specialists, Inc. 
et al, which conducted its Ft. Lauderdale, Florida based operations, 
in part, through the websites: locatecell.com, celltolls.com. 
datafind.org and peoplesearchamerica.com.2 These websites advertised 
the sale of telephone records, including records of outgoing calls 
from landline and wireless phones, and accepted orders for telephone 
records from any person with internet access, with no questions 
asked.  In fulfilling orders, 1st Source unlawfully obtained and 
sold telephone records without consumer consent.  
Through investigative coordination with the Florida Public Service 
Commission (the state regulatory authority responsible for 
telecommunications providers), a State investigator ordered 
telephone records on a Florida telephone number through the internet 
website peoplesearchamerica.com with a credit card payment of 
$185.00.  Before 24 hours had elapsed, the telephone records of the 
desired telephone number were e-mailed to the purchaser.  The 
person subscribing to the telephone number that was the subject 
of the purchase did not consent to the sale of records.  

	B.	State of Florida vs. Global Information Group, Inc., 
et al:  
	The Attorney General sued Global Information Group, Inc. 
("Global"),  Laurie Misner7, Global's President and majority 
shareholder, and Edward Herzog8, a shareholder, officer, and owner 
of the predecessor business, alleging that the Global defendants 
violated Florida's Deceptive and Unfair Trade Practices Act9, 
including the Criminal Use of Personal Identification Information 
law10 as per se violations11 of the Deceptive and Unfair Trade 
Practices Act.12   The Attorney General alleged that Global 
obtained information  by impersonating either customers or telephone 
company employees in order to obtain consumers' personal calling 
information.   Exhibits "C" and "D" to the complaint append 
transcripts of calls logged to customer service centers, one of 
which used the ploy of assisting a voice-impaired customer as a 
means to manipulate the release of customer information.  In 
particular, the complaint alleged that Global made over 5,100 calls 
from its Florida-based operations to a telephone company customer 
service number in a span of just over a month period.  Thousands 
of other calls originating from telephone numbers to which Global 
subscribed were made to several telephone companies' toll free 
customer service numbers.13  Global represented itself as  
"a leading provider of skip tracing services, asset recovery and 
information research" and that it "serves principally financial 
institutions, providing them with information necessary for 
recovery of lost assets from delinquent debtors." 14 
On April 12, 2006, the Attorney General obtained a Consent Judgment 
 and Permanent Injunction against Global, and defendants Misner 
and Herzog, individually.15  The Attorney General's litigation 
constituted civil enforcement, with the judgment providing for 
monetary relief of $250,000 and potential penalties of $2.5 million 
against an offending individual defendant if certain conditions are 
met. The Attorney General required broad permanent injunctive relief 
due to the range of Global's conduct involving pretexting.  In 
addition to procuring a variety of telephone records, Global 
marketed, offered and/or provided services facilitated through 
pretexting which included: 

skip tracing 
utility searches 
employment 
unemployment 
p.o. box / pr ivate mail boxes 
social security benefits 
disability benefits 
welfare benefits 
child support 
social security number trace 
school class schedules 
cell phone triangulation 

with performance of such services without the consent of the 
individual about whom an investigation was instituted.  As a result 
of the terms required by the Attorney General's permanent 
injunction, Global ceased operations and the individuals vowed to 
leave the phone record and pretexting business practice.16 
The Consent Judgment and Permanent Injunction broadly provides 
that the following conduct is prohibited: 

Defendants are permanently restrained and enjoined from making, or 
assisting others in making, expressly or by implication, any false 
or misleading oral or written statement or representation in 
connection with the marketing, advertising, promotion, offering for 
sale, sale or provision of any products or services in any trade or 
commerce, as follows (directly from the Judgment17): 
A.	Initiating, assisting, facilitating, procuring, obtaining, 
or engaging, directly or indirectly, in any act or further attempts 
to obtain customer information including, but not limited to, 
calling or billing records, from any "telephone company" (as defined 
in paragraph 3.4 of this Section III) doing business in Florida 
through use of a telephone company customer's "personal 
identification information"(as defined in paragraph 3.4 of this 
Section III); 
B.	Directly or indirectly using any telephone company 
employee's "identity" (as defined in paragraph 3.4 of this Section 
III) or purported identity for any purpose, specifically including  
any representation that one is a telephone company employee, agent 
or independent contractor; 
C.	Directly or indirectly using any consumer or public utility 
customer's identity or purported identity for any purpose, 
specifically including any representation that one is a person 
other than himself; 
D.	Directly or indirectly using any identity of a person or a 
business or purported identity for any purpose, specifically 
including any representation, through any means, that one is a 
person other than himself or maintains a telephone number other 
than his own number; 
E.	Directly or indirectly making, or assisting others in 
making, expressly or by implication, any false or misleading oral 
or written statement or representation, intentional false 
statement, misrepresentation or omission of a material fact to 
induce reliance on such statement or omission with intent to use 
personal identification information of consumers without their 
knowledge or consent; 
F.	Initiating, assisting, facilitating, procuring, or engaging, 
directly or indirectly, in any further contact with the customer 
service centers of any telephone company doing business in the State 
of Florida pertaining to any matter that is not directly related 
to Defendant's own account(s); 
G.	Selling, transferring or disclosing to third parties any 
consumer information, including personal identification information 
and telephone calling records obtained from telephone companies, 
currently in Defendants' possession or under their control; 
H.	Using confidential consumer information, including personal 
identification information and telephone calling records obtained 
from telephone companies, contained in any documents, regardless of 
form or manner of storage for marketing or for purposes inconsistent 
with the terms of this Judgment; 
I.	Initiating, assisting, facilitating, participating, 
procuring, or engaging in any transaction with any other person or 
entity engaging in or performing in any of the activities prohibited 
by each of the paragraphs A. through G. of this Section III, 
paragraph 3.1.; and 
J.	Forming, controlling, operating or participating in the 
control, operation or formation of a business or organizational 
identity as a method of avoiding the terms and conditions of this 
Judgment. 

III.	Florida Legislation and Existing Laws
A.   Florida's New Law: Effective July 1, 2006:

Obtaining Telephone Calling Records by Fraudulent Means Prohibited 
as a Criminal Act 

Florida has specifically criminalized the obtaining of telephone 
calling records through fraudulent means from a telecommunications 
company, as a bill unanimously approved by the Florida Legislature 
was signed into law on Friday, June 9, 2006 by Governor 
Jeb Bush.18  
	The new law will be inserted in Chapter 817, Fraudulent 
Practices, and will be located at Section 817.484, Fla. Stat. The 
content, in pertinent part, provides: 
It is unlawful for a person to - 
(a) 	Obtain or attempt to obtain the calling record of another 
person without the permission of that person by: 
1.	Making a false, fictitious or fraudulent statement or 
representation to an officer, employee, or agent of a 
telecommunications company; 
2.	Making a false, fictitious or fraudulent statement or 
representation to a customer of a telecommunications company; or 
3.	Providing any document to an officer, employee, or agent 
of a telecommunications company, knowing that the document is 
forged, is counterfeit, was lost or stolen, was fraudulently 
obtained, or containing a false, fictitious, or fraudulent 
statement or representation. 
(b)	Ask another person to obtain a calling record knowing that 
the other person will obtain, or attempt to obtain, the calling 
record from the telecommunications company in any manner described 
in paragraph (a). 
(c)	Sell or offer to sell a calling record that was obtained in 
any manner described in paragraph (a). 

Violation of this law carries a 1st degree misdemeanor charge for a 
first offense resulting in sentencing up to a year imprisonment and 
up to $1,000,  but a second or subsequent offense imposes the 
heightened charge of a 3rd degree felony, resulting in a sentence of 
up to 5 years imprisonment and up $5,000. 
	Law enforcement agencies are exempt from the provisions of 
the new law; but an exemption for private investigators was 
eliminated in the legislative process.19   As private investigators 
appear to have played significant roles in the procurement of 
consumers' private information through unlawful means, they are 
clearly subject to the new law. 

B.	 Florida's Existing Criminal Use of Personal 
Identification Information law 
Existing law including, but not limited to, Section 817.568, 
Fla. Stat., addresses the fraudulent conduct encompassing pretexting 
and other identity theft related conduct, as set forth in the 
Attorney General's complaints and by the Consent Judgment entered 
in the Global litigation. 

The foregoing specific laws are merely illustrative of one or more 
specific laws applicable to such unlawful conduct and other criminal 
and civil laws may apply given the circumstances of a particular 
course of conduct. 

IV.	Federal Communications Commission Rulemaking Authority and 
Telecommunications Carriers Should Enhance 
	Telecommunications Carrier Protection of Private Consumer 
Information 

Florida and forty-seven other state Attorneys General submitted 
comments to the Federal Communications Commission ("FCC") on 
April 28, 2006,  in response to the agency's Notice of Proposed 
Rulemaking 20 to strongly encourage enhanced protections for 
consumers based on the ample experience of the Attorneys General 
in addressing consumer protection issues and employing enforcement 
measures.21  The discussion relates to telecommunications 
providers ("carriers") disclosure and protection of Customer 
Proprietary Network Information ("CPNI"), more generally described 
as sensitive personal information, including logs of calls made and 
received by telephone customers.  
Minimizing the security risks facing consumers, whose information is 
released to those skilled in deception, is an important focus 
for telecommunications carriers, regulators and legislators at the 
federal and state levels.  Front-end protections created and 
implemented by carriers can prevent pretexters from plying their 
trade at the outset and eliminate investigative and prosecutorial 
functions deployed after the harm has occurred and the evidentiary 
trail compromised or obfuscated and impeded by the fact that a 
consumer may not even be able to identify that a compromise of 
their personal information has occurred.  Deployment and 
implementation of heightened front-end consumer protections by 
telecommunications carriers as well as prosecutorial zeal are 
critical in stemming the tide of this industry.  Prosecutorial 
resources require prudent use to keep all consumers safe from 
physical and economic harm. However, it is also fair and just that a 
substantial burden be shouldered by telecommunications carriers and 
all businesses subject to vulnerability through pretexting or other 
fraudulent conduct.  	Why is immediate access to telephone records 
necessary?  This is the real issue underlying access to consumer 
phone records. Consumers need to have a choice about access to 
their confidential records.  Telecommunications carriers should 
voluntarily provide consumers with this critical choice. Should 
carriers fail to voluntarily provide consumers with an ability to 
exercise an informed choice, appropriate regulatory rulemaking or 
legislative action may become necessary.   For example, if a 
consumer does not desire to access their records in an expedited 
manner such as by phone, fax or e-mail, they should be able to 
require the carrier to secure them appropriately.  Alternatively, 
consumers desiring to obtain expedited access to their records 
could direct the carrier to permit internet or other access with 
appropriate checks and balances.  Therefore, only those consumers 
willing to accept the inherent risks are subjected to increased 
vulnerability that a third party posing as a consumer might be able 
to access their records. 
Akin to imposition of a security freeze on a credit report22 to 
protect unauthorized access  or placement of a fraud alert on a 
credit report if one suspects identity theft, consumers must have a 
say in whether their confidential telephone records should be 
closed or be kept available for access by the consumer. 
The recommendations of the Attorneys General to the FCC warrant 
brief reiteration here for further emphasis and consideration of 
the responsibilities of telecommunications carriers: 
1.  Require Consumer Consent: Prior to a carrier's use, disclosure, 
or permitting access to a consumer's personal telephone records, 
consumers need to "opt-in" with affirmative express consent to 
permit their records to be accessed.  While the comments address 
access to records for marketing, the next step in protecting 
disclosure of consumer records even outside of marketing is to 
require consumer consent to release the records in an expedited 
manner, as articulated above. 
2. 	Bolster "safeguard rules" to adequately protect the 
confidentiality of consumer information.  While Florida and many 
states have enacted security breach notification laws, a breach of 
security mechanisms through fraud may not invoke the notification 
provisions of the laws and consumers will not be alerted to review 
their personal accounts for theft or other wrongdoing. 
3.  	Provide for revamp of consumer notices to permit informed 
consumers to make a choice about their personal information. 
4.  	Extend requirements imposed on traditional 
telecommunications carriers to VoIP providers or Voice over 
Internet Protocol type technology.  Florida's new law specifically 
provided for this technology. 
5.  Release of cell phone location should be treated cautiously to 
further safety concerns. 
6.  Engage in further review of the Safeguard Rule promulgated by the 
Federal Trade Commission in furtherance of the protections imposed 
on financial institutions, particularly information security as it 
relates to (a) employee management and training; (b) information 
systems; and (c) managing system failures. 

V.	Vulnerability of Consumer Records Requires Evolving 
Strategies 
Telephone records cases, including Global and others active in the 
consumer information industry, illustrate that the security of 
private consumer information beyond telephone records is at risk.  
Responsible corporate citizens and responsible consumers all have 
a role in protecting information from fraud and security 
vulnerabilities.  Through responsible business practices, consumer 
education, regulatory oversight, as appropriate, and carefully 
considered legislation, the services sector and the consumer sector 
of the economy can meld to adjust to the changing world of consumer 
data.  Federal legislation, however, should not impede any action 
by the states, pursuant to state law remedies.  Congress, the FCC, 
state Legislatures and Public Service Commissions, and numerous 
others have taken positive steps to assess appropriate actions 
necessary to facilitate the process of positive change, as a 
cohesive approach will best serve all in the long run. 
	On behalf of Attorney General Charlie Crist, I appreciate 
the opportunity to participate in this hearing to address these 
important consumer protection issues and will respond to any further 
questions of the Subcommittee. 

MR. WHITFIELD.  Thank you, MS. HARRIS.  
And we appreciate the testimony of both of you. 
Mr. Lyskowski, you mentioned in your testimony that 47 State 
attorneys general had gone to the, I guess, the FCC and asked them 
to adopt regulations putting more safeguards, mandating more 
safeguards for phone carriers to protect individual records.  And 
I was curious, did you all present the safeguards that you suggested 
they would need to institute, or did you leave it up to them, or 
could you elaborate on it?  
MR. LYSKOWSKI.  We, in the comments--and I provided a copy of the 
comments to staff, but I believe there were six enumerated specific 
steps, safeguards changes that should be put in place, all of which 
would help in great measure to curb the use of pretexting.  
MR. WHITFIELD.  All right.  And I notice both of you in your 
testimony I think referred to Steven Schwartz, at least in one of 
them, and maybe Ken Gorman; are those names familiar to the two of 
you?  
MS. HARRIS.  Yes. 
MR. WHITFIELD.  And you prosecuted both Ken Gorman and Schwartz or 
the companies that they own; is that true?  
MR. LYSKOWSKI.  In Missouri, our case was against 1st Source 
Information Specialists, which is a company that ran the Web site 
 locatecell.com, and that company is owned by Steven Schwartz and 
Kenneth Gorman.  We also in that same suit filed against a company 
called DataFind Solutions out of Tennessee which is formerly run by 
a gentleman named James Kester.  He sold that company to 1st Source 
Information Specialists, so we are certainly familiar with 
Mr. Gorman and Mr. Schwartz.  That litigation is currently pending 
as far as Missouri is concerned.  
MR. WHITFIELD.  And then Mr. Schwartz sold an interest in one of his 
companies or one of his companies to Ms. Misner; are you familiar 
with her?  
MR. LYSKOWSKI.  I am not, Mr. Chairman.  I think Ms. Harris spoke to 
that. 
MR. WHITFIELD.  Are you familiar with Ms. Misner?  
MS. HARRIS.  Yes, I am familiar with Ms. Misner.  She is a defendant 
in the Global litigation. 
MR. WHITFIELD.  Could both of you explain quickly or briefly how 
this issue came to your attention and what led to your deciding to 
prosecute?  
MR. LYSKOWSKI.  Certainly.  In Missouri, we have a team of 
investigators who are--it's been a very high priority for our 
Attorney General to try to curb identity theft and other similar 
practices, and so we have investigators who really look at proactive 
ways to try to stop things before they become a huge problem.  And 
so, quite frankly, one of our investigators came on to us, you know 
came across one of those sites just patrolling the Internet and 
raised a red flag immediately and got the attention of the attorney 
general, and we moved.  
MR. WHITFIELD.  And what about in Florida?  
MS. HARRIS.  Likewise, the State of Florida caught wind of the 
situation, and through coordination with our Florida Public Service 
Commission, the State regulatory authority responsible for telephone 
carriers, we coordinated an investigation and actually made an 
undercover purchase of telephone records to basically confirm the 
suspicions that telephone records were available over the Internet, 
and actually tested out the proposition so we could see the speed 
at which they provided and exactly what happened there.  And that 
led to the 1st Source case.  And then as a result of other litigation 
that was filed by the telecommunications carriers, we became aware 
of the Global case.  And they have been sued by a number of 
telecommunications carriers, and quite honestly, the 
telecommunications carriers have been cooperative with us in 
bringing that type of litigation. 
MR. WHITFIELD.  As a result of those suits, have you noticed less 
data brokering going on?  Or do you think this is a continuing 
problem that continues to proliferate and present serious concerns 
for all of us, even today?  
MS. HARRIS.  I do believe that it is continuing.  And there are a 
lot of people watching these proceedings which I really applaud 
what the subcommittee is doing to raise the profile of this type 
of conduct.  If nothing else comes out of this than to raise the 
profile and to absolutely get the word out there that pretexting 
is illegal because some of these folks seem to have the misinformed 
impression that it wasn't illegal before, and it isn't illegal now.  
But I believe that it is continuing to go on.  There are 
investigations under way both on the civil and criminal side at 
this point. 
MR. WHITFIELD.  Yesterday's hearing we had a victim that testified.  
And he explained in some detail everything that he had been through 
as a result of the information stolen from him or the carriers 
about him, and he noted that some of the law enforcement agencies 
had difficulty deciding under which law they would prosecute.  And 
the impression that we have is its sort of nebulous about which 
particular law.  But from the testimony you give in both Missouri 
and Florida, it is quite clear that there are consumer protection 
laws out there that you feel like you can successfully prosecute 
under; is that correct?  
MR. LYSKOWSKI.  Absolutely.  
MR. WHITFIELD.  Now, is that a criminal law, or would that be a 
criminal violation or a civil violation or--
MR. LYSKOWSKI.  Our statute in Missouri provides for both.  It says, 
if we can establish and show the intent to defraud, that it becomes 
a class D felony in Missouri.  But otherwise, there is a whole host 
of remedies that we can seek civilly. 
MR. WHITFIELD.  And when you say, attempt to defraud, if I am a 
pretexter and I am calling some phone company and I am pretending 
to be somebody I am not, I am actually defrauding the phone company; 
is that correct? 
MR. LYSKOWSKI.  These are certainly cases which don't fall into the 
typical formula for a consumer protection case.  If you talk about 
somebody who is trying to take, to get an elderly woman to invest 
in his phony company, that is a much clearer-cut situation where 
we are going to establish that he is trying to defraud her.  And 
here you have sort of a question of, who is the real victim?  Is 
it the carrier who has been duped?  Or is it the consumer?  So you 
know, frankly, our laws allow us to move more quickly to obtain 
temporary restraining orders and injunctive relief under the civil 
side.  So we thought it was more important at this point to go 
forward and get that injunction active, relief in place. 
MR. WHITFIELD.  But, in Florida, beginning in July, there will be 
a clear criminal statute in place; is that correct?  
MS. HARRIS.  That's correct, effective July 1st, specific to 
telephone calling records.  Now in our 1st Source litigation as 
well as our Global case, these were both civil enforcement actions, 
and we had invoked Florida consumer protection laws, the Deceptive 
and Unfair Trade Practices Act as the primary vehicle we had 
pursued.  However, the other act we had referred to, the Criminal 
Use of Personal Identification Information Law is a criminal law; 
it is connected with our criminal identity theft laws and has been 
on the books for some time.  It is only last year that the 
definition of personal identification information was expanded to 
specifically include telephone records.  But this is a criminal 
law.  It is a third degree felony at the very least, and even last 
year, because our State feels so strongly about identity theft, 
they once again enhanced the protections on identity theft and even 
increased some of the maximum, minimum sentences, excuse me. 
MR. WHITFIELD.  And have a lot of people been prosecuted under that 
criminal statute?  
MS. HARRIS.  I honestly don't have the statistics to that. 
MR. WHITFIELD.  But you both talked a lot about phone records.  But 
we know that credit card statements are being obtained, Social 
Security numbers, all sorts of information, which I suppose that 
criminal statute is broad enough it would include all of those 
things. 
MS. HARRIS.  Right, specifically that statute makes the felony 
offense for any person to willfully and without authorization 
fraudulently use or possess with intent to fraudulently use 
personal identification information concerning an individual 
without first obtaining that individual's consent.  And personal 
identification information is defined very broadly. 
MR. WHITFIELD.  Now I notice both of you mentioned injunctions, and 
I would ask you, Ms. Harris, about Global and Global's employees.  
I don't know if the injunction was against the company or the 
individuals, but let's say some employees of Global went out and 
started a new company, would they face penalties in violating the 
injunction in that way or not?  
MS. HARRIS.  That conduct is being looked at at this point in time.  
There is not a whole lot I can say.  The injunction was actually 
against the company and two individuals, and it does have an 
umbrella effect with the language of that injunction as far as 
people who may be acting through them and with them and so forth.  
MR. WHITFIELD.  Ms. Harris, you specifically stated you hoped the 
Federal Government would not intervene in a way that would make 
it more difficult to prosecute under State law, but do either of 
you have a feeling--would you--could we assist if there was a very 
strong Federal law in place that in some way addressed this issue?  
Or is there a Federal law in place?  
MR. LYSKOWSKI.  Mr. Chairman, I am not aware of one.  I would echo 
what Ms. Harris said, so long as it does not preempt our ability, 
our tools that we use, we always welcome the assistance of Federal 
law enforcement. 
MR. WHITFIELD.  Well, my time is expired, so at this time I will 
recognize Mr. Stupak.  
MR. STUPAK.  I thank you, Mr. Chairman.  
Let's back up a little here and let's just start with some of the 
basic arguments we have heard on both sides of this issue.  Who owns 
the data?  Does the individual provider of the information own the 
data, or does the carrier owns the data?  
MR. LYSKOWSKI.  Well, I think it would depend who you would ask, 
Mr. Stupak.  
MR. STUPAK.  You both represent attorneys general.  What would your 
opinions be?  
MR. LYSKOWSKI.  My opinion would be the consumer who provides the 
data owns the data. 
I know that the carriers would probably argue that they have some 
proprietary interest in the data because of its marketability to 
other providers of other services, but our opinion would be that 
the consumers own the data.  
MR. STUPAK.  And even if that carrier provides it to a 
so-called--another legitimate carrier, it still would be your 
opinion that the individual owns that information, not necessarily 
the carrier?  
MR. LYSKOWSKI.  Well, that is correct.  But many of the carriers 
would say, well, they haven't opted out of this thing. 
MR. STUPAK.  A lot of us in a long time said it is the individual 
who has to opt in, not opt out. 
MR. LYSKOWSKI.  Right and that was the position taken by the 48 
attorneys general in the comments. 
MR. STUPAK.  Let me ask this question then. 
Under your laws, be it Florida or Missouri, is it the false 
impersonation which leads to someone giving the information; is 
it the obtaining of that information; or is it the use of the 
obtained information that is illegal?  You actually get three 
steps here.  Is each steps illegal?  
MR. LYSKOWSKI.  In Missouri, I would say, yes.  
MS. HARRIS.  In Florida, likewise.  I think you have to look at 
putting yourself in the shoes of the consumer whose information is 
being taken and that someone is portraying that consumer, 
essentially, you might have a carrier possess the physical data 
on their computer system, but it is consumers' information, and 
the information about that consumer which can be used for harm. 
MR. STUPAK.  So I hear you both saying the consumer.  Carriers 
would argue, well, once they give it to us, let's say, like I am 
looking at the article here, CNN, a couple of others, others 
that, prior to and after yesterday's hearing--and they talk about 
phone records, but in here, they mention like, Wachovia, Ford, 
Chrysler, Wells Fargo, a lot of the big corporations use this 
information, and then they obtain it probably on loan applications 
or something, and then they move it to other parties, other business 
entities. 
Again, you both would be of the impression that that information is 
personal and the consumer, if you will, would have to opt to allow 
that transaction?  
MR. LYSKOWSKI.  That would be my opinion. 
MR. STUPAK.  Ms. Harris?  
MS. HARRIS.  That is one of the issues that was put forth in the 
comments of the National Association of Attorneys General.  It 
really conducted a review of the opt-out situation and the problems 
that we have had as a result of, I will say, the Gramm-Leach-Bliley 
consideration.  The consumers don't really understand the opt in, 
opt out; what do these long forms mean?  They don't really 
understand the four-page notices you get that is the new privacy 
policy.  And there are a lot of issues there that need to be fleshed 
out and talked about, what we have learned from that situation and 
applying it forward to create a workable situation for consumers.  
MR. STUPAK.  If I am Wells Fargo and I give this information--it 
seems that your investigation of prosecutions have only been to 
individuals who may have obtained it fraudulently.  Have you 
prosecuted any legitimate businesses for selling the information 
to a pretexter?  Let's say, like Wells Fargo--I am not picking on 
Wells Fargo.  Ford, Chrysler, any of them, it seems like you have 
gone after individuals, not necessarily after businesses, who may 
be allowing the information of consumers to go to a third party 
without any type of consent.  Has any business, legitimate 
businesses been prosecuted?  You said, there were civil laws in 
Florida.  
Missouri,can you answer that?  
MR. LYSKOWSKI.  We have not, in Missouri, at this point, taken any 
action against any of the--for instance in this particular issue 
against any of the carriers for any sort of negligence or other 
wrongful conduct associated with the ease with which--
MR. STUPAK.  Have you contemplated it in Missouri?  Have you kicked 
it around?  
MR. LYSKOWSKI.  Certainly, we have kicked around everything we can 
think of to try to get this practice to stop.
MS. HARRIS.  In Florida, we have not gone upstream from basically 
the purchasers of the information, but we certainly reserve the right 
to look at it in an appropriate situation.  And as for the carriers, 
we believe that, you know strong responsibility lies with the 
carriers, and in fact, our Florida Public Service Commission, much 
like the FCC, is investigating whether carrier actions are sufficient 
and what needs to be done to implement the appropriate procedures. 
MR. STUPAK.  Do Florida and Missouri, do you license your private 
investigators?  Do they have to have a State license?  
MS. HARRIS.  Yes. 
MR. LYSKOWSKI.  I don't believe they do in Missouri.  
MS. HARRIS.  And in Florida, by the way, we do have substantial 
amount of private investigators that are involved in this practice, 
and my understanding is that that is being looked at at this point 
in time. 
MR. STUPAK.  How about, Florida just recently passed this law, have 
you looked at, in Florida, local, State, or Federal law enforcement 
agencies, and are they using these data brokers to get information 
in the operating in the State of Florida or Missouri?  
MS. HARRIS.  I'm not in a position to speak to that issue.  
I'm sorry.  
MR. LYSKOWSKI.  Sir, I have checked with our agency, the Attorney 
General's Office, just to make sure because I had never seen that 
happening.  And I was able to confirm with our Director of 
Investigations that we do not engage in that sort of thing.  The 
subpoena authority that we have is sufficient to accomplish the 
purposes. 
MR. STUPAK.  So your position in Missouri, it would be improper for 
law enforcement to engage these data brokers to obtain information 
about suspects or people of interest?  
MR. LYSKOWSKI.  I wouldn't commit myself to that broad of a 
statement.  I think it would be inappropriate for an investigator 
in the Attorney General's Office in the context of the work we do 
to engage those services.  It is a high priority of our office to 
put these guys out of business, so it would be inconsistent with 
that priority to give them business.  
MR. STUPAK.  Ms. Harris, anything on that?  
MS. HARRIS.  I would like to clarify because I don't want to give 
the misimpression to the subcommittee that we are committed to 
using our subpoena power and other law enforcement tool power in 
a proper fashion.  
MR. STUPAK.  The Federal agencies here, could a Federal agent, 
whoever it might be--FBI, DEA, anyone working in Florida, if they 
used a data broker in Florida, could they under Florida's new law 
here, could they be held criminally or civilly liable?  
MS. HARRIS.  There is an exception for law enforcement for use of 
their appropriate agency action.  But the law if someone-- 
MR. STUPAK.  The appropriate agency action, would that mean 
subpoena?  
MS. HARRIS.  Lawful subpoena, search warrant, and so forth.  
MR. STUPAK.  When I was in law enforcement and I went down to 
my friendly neighborhood banker and sat down there and said, 
hey, I need some information on so and so because I am doing an 
embezzlement at the local high school or something, that would 
be improper, right, under Florida law to do that without a 
subpoena?  
MS. HARRIS.  I'm not going to speak to that issue.  I'm sorry. 
MR. STUPAK.  Do you care to comment on it?  
MR. LYSKOWSKI.  I hadn't thought about that either and it would 
be premature for me to speak to that at this point.  
MR. STUPAK.  Thank you. 
MR. WHITFIELD.  Chairman Barton. 
CHAIRMAN BARTON.  Thank you.  I'm not going to take the 10 minutes 
because I think we just had a vote noticed.  
I want to ask each of you two, how hard is it for your office or 
the law enforcement agencies to go through the process of getting 
a warrant or a subpoena to get the type of information that the 
data brokers supply?  Is that a time consuming, complex problem 
or is it pretty routine?  
MR. LYSKOWSKI.  In Missouri I would say it falls under pretty 
routine.  The Attorney General has in a variety of contexts subpoena 
authority where the subpoenas can originate from our office called 
Civil Investigative Demands and we frequently use those in the 
course of our investigations to obtain information from telecom 
carriers and all sorts of other businesses.  And the only resistance 
we have ever run into, the only difficulty we have ever run into is 
just difficulty processing the request.  And I think we typically 
find that if we stress to the particular entity the urgency of the 
request that they are quick to comply and cooperate. 
CHAIRMAN BARTON.  What would the normal timeframe be in Missouri 
from the time a request was made to get a warrant or a subpoena to 
actually having that document or instrument granted?  Are you 
talking hours, days, weeks, months, years?  
MR. LYSKOWSKI.  It would depend on the type of information we are 
seeking, the amount of information we are seeking and the entity 
from which we are seeking it.  But considering that our Civil 
Investigative Demands can be signed by an Assistant Attorney 
General and are valid, they can be oftentimes faxed in to, say, 
a telecommunications carrier and we deal enough with 
telecommunications carriers and other entities that we have 
contacts there.  And I have seen it happen as quickly as half 
an hour, 45 minutes that we have gotten returns.  In other 
situations, it has taken days or weeks.  But typically we are 
able to get what we need to get I would say very quickly. 

CHAIRMAN BARTON.  Is that similar in Florida?  
MS. HARRIS.  In Florida we do have a prompt turnaround as far as 
issuing our subpoenas.  Now, my division is a simple enforcement 
division.  Perhaps some of the criminal enforcement agencies, 
prosecution agencies, investigations might be able to answer 
that a little better, but we haven't had that become a hurdle 
in our situation.  Oftentimes while we are in the process of 
preparing the subpoena, we will be in coordination with the 
company to alert them of our pending need and type of urgent 
circumstances, and so forth, and they are willing to work with 
us. 
CHAIRMAN BARTON.  But again, depending on the urgency of the 
situation.  If it was something that was vitally important and 
it was not the last 10 years or something of records required, 
could it normally be done within half a day?  Is that a normal-- 
MS. HARRIS.  Most likely. 
CHAIRMAN BARTON.  Is there any information that it would be 
preferable to go through a data broker as opposed to the more 
traditional subpoena warrant procedure?  Any special kind of 
information that, just seems to be, is just the best way to do 
it?  
MR. LYSKOWSKI.  As for Missouri, no. 
CHAIRMAN BARTON.  What about Florida?  
MS. HARRIS.  I think Florida is the same answer. 
CHAIRMAN BARTON.  Is there any Federal legislation that would be 
helpful to streamline certain terms and conditions, situations so 
that warrants and subpoenas are expedited?  Are the current laws 
sufficient?  
MS. HARRIS.  I think I need to defer for Florida to some of the 
criminal agencies that are going to be speaking later today.  
MR. LYSKOWSKI.  Mr. Chairman, as far as Missouri is concerned, 
enforcing Missouri law at the level of the Attorney General's 
Office I think our laws are sufficient in that regard. 
CHAIRMAN BARTON.  I do not want to, as I said in my opening 
statement, I do not want to make life any more difficult for 
our law enforcement agencies than it already is.  I know it is 
frustrating when you are on the street and somebody that you 
really believe is a bad guy can kind of thumb his or her nose 
at you because of the procedure you have got to go through to 
guarantee their constitutional rights, but having said that 
they are constitutional rights, I am very concerned that some 
law enforcement officials and departments have decided that 
this is an acceptable way to get information.  I know it may be 
an easier way, and it may be a cheaper way, but I do not think 
it is an acceptable way.  And I am going to try to come back 
and ask some questions of the next panel.  But in terms of this 
panel, neither one of you see any situation where it would be 
preferable to go through a data broker?  
MR. LYSKOWSKI.  No, Mr. Chairman, I don't.  And again that is 
based on the investigations and the work that we do in the 
Missouri Attorney General's Office. 
CHAIRMAN BARTON.  And you agree with that?  
MS. HARRIS.  Yes.  
CHAIRMAN BARTON.  Thank you. 
MR. WHITFIELD.  Thank you, Mr. Chairman.  At this time I recognize 
Ms. DeGette.  
MS. DEGETTE.  Thank you very much, Mr. Chairman.  Ms. Harris, I 
would like to follow up on some of Mr. Stupak's questioning because 
you had told him that law enforcement agencies were exempt from the 
new Florida law with respect to their subpoena power and other 
legal powers, but as I am reading your testimony, it looks to me 
like the new law exempts law enforcement from all the provisions 
of the new law.  And so the Chairman--and I am wondering if 
anybody has thought about why that provision remains in the law 
and if law enforcement in Florida intends to engage in these, with 
these data brokers and so on because they do seem to be exempted.  
MS. HARRIS.  I am going to be honest and tell you that I don't know 
the answer to that question.  It is something that I would need to 
look into with the legislative history, and so forth.  
MS. DEGETTE.  Mr. Chairman, I would ask unanimous consent that 
Ms. Harris be allowed to supplement her answer with that information 
because I think that is very important information as we continue. 
MR. WHITFIELD.  Without objection.  
[The information follows:] 

MS. DEGETTE.  Mr. Lyskowski, in Missouri do you know if law 
enforcement agencies are exempted from the provisions of the 
Missouri law in terms of not using somebody to use these data 
brokers?  
MR. LYSKOWSKI.  Well, again, our laws that we have in place, we do 
not have a law like Florida has.  
MS. DEGETTE.  Right.  
MR. LYSKOWSKI.  The laws that we have in place are consumer 
protection laws. 
MS. DEGETTE.  So they are more general laws.  What is your view?  
Do you think law enforcement could engage in these pretexting 
activities or hire other data broker companies to do that in 
Missouri?  
MR. LYSKOWSKI.  Again I can only speak for our agency at the 
Attorney General's Office, and I would say as I said earlier, it 
is a high priority of our Attorney General to put these data 
brokers out of business to the extent that they-- 
MS. DEGETTE.  So it is your policy not to use these businesses, 
but you do not know whether the Missouri law would prohibit you 
from using these businesses?  
MR. LYSKOWSKI.  I do not believe there is a Missouri statute on the 
books that would specifically prohibit. 
MS. DEGETTE.  But as far as you know law enforcement does not use 
these practices in Missouri?  
MR. LYSKOWSKI.  Again, just State Attorney General investigators.  
MS. DEGETTE.  You guys are the bosses.  You are the Attorney 
General's Office.  
MR. LYSKOWSKI.  That is correct.
MS. DEGETTE.  Do you know whether the other law enforcement is using 
these services in Missouri?  
MR. LYSKOWSKI.  I don't believe that they are.  However, again there 
could be departments at other levels, at local levels that-- 
MS. DEGETTE.  So you are not aware of any?  
MR. LYSKOWSKI.  I am not aware of any.
MS. DEGETTE.  Just to recap, and of course we have to go vote, but 
what both of you are saying is you don't think it is vital for 
legitimate law enforcement service to use these data broker 
services, correct?  
MR. LYSKOWSKI.  Again, at the State level in Missouri I do not 
believe it is.  
MS. DEGETTE.  Right.  Ms. Harris.  
MS. HARRIS.  I believe so as well.  
MS. DEGETTE.  Thank you.  Thank you very much, Mr. Chairman. 
MR. WHITFIELD.  Thank you, Ms. DeGette.  We do have a series of four 
votes on the floor.  So we have completed our questions for the 
first panel and, Ms. Harris, thank you, and Mr. Lyskowski, for being 
here.  We look forward to staying in touch with you as we move 
forward on this important issue.  Thank you for being here.  
When we come back we will immediately call up the second panel, 
and I will apologize in advance to the second panel for this delay, 
but we will be back just as quickly as possible and move forward.  
Thank you.  
MR. LYSKOWSKI.  Thank you, Mr. Chairman.  
MS. HARRIS.  Thank you, Mr. Chairman.  
[Recess.] 
MR. STEARNS.  The Subcommittee on Oversight will come to order.  I 
welcome the second panel: Mr. Paul Kilcoyne, Deputy Assistant 
Director of Investigations, U.S. Immigration and Customs 
Enforcement; Ms. Elaine Lammert, Deputy General Counsel, 
Investigative Law Branch, FBI; Mr. James Bankston, Chief 
Inspector, Investigative Services Division, U.S. Marshals Service; 
Ms. Ava Cooper Davis, Deputy Assistant Administrator, Office of 
Special Intelligence, Intelligence Division, U.S. Drug Enforcement 
Administration; and last Mr. W. Larry Ford, Assistant Director, 
Office of Public and Governmental Affairs, Bureau of Alcohol, 
Tobacco, Firearms, and Explosives.  Welcome all of you.  
You folks are aware that the committee is holding an investigative 
hearing and when doing so has had the practice of taking testimony 
under oath.  Do any of you have an objection to taking the 
investigation under oath?  The Chair then advises you that under 
the rules of House and the rules of committee you are entitled to 
be advised by counsel.  Do you desire to be advised by counsel 
during your testimony today?  
In that case, if you would please rise and raise your hands I will 
swear you in.  
[Witnesses sworn.]  
MR. STEARNS.  You are now under oath and we would like each of you 
to give your 5 minute opening statement and we will start with you, 
Mr. Kilcoyne. 

STATEMENTS OF PAUL KILCOYNE, DEPUTY ASSISTANT DIRECTOR OF 
INVESTIGATIONS, U.S. IMMIGRATION AND CUSTOMS ENFORCEMENT, U.S. 
DEPARTMENT OF HOMELAND SECURITY; ELAINE LAMMERT, DEPUTY GENERAL 
COUNSEL, INVESTIGATIVE LAW BRANCH, FEDERAL BUREAU OF INVESTIGATIONS, 
U.S. DEPARTMENT OF JUSTICE; JAMES J. BANKSTON, CHIEF INSPECTOR, 
INVESTIGATIVE SERVICES DIVISION, U.S. MARSHALS SERVICE, 
U.S. DEPARTMENT OF JUSTICE; AVA COOPER DAVIS, DEPUTY ASSISTANT 
ADMINISTRATOR, OFFICE OF SPECIAL INTELLIGENCE, INTELLIGENCE DIVISION, 
U.S. DRUG ENFORCEMENT ADMINISTRATION, U.S. DEPARTMENT OF JUSTICE; 
AND LARRY FORD, ASSISTANT DIRECTOR, OFFICE OF PUBLIC AND 
GOVERNMENTAL AFFAIRS, BUREAU OF ALCOHOL, TOBACCO, FIREARMS, AND 
EXPLOSIVES, U.S. DEPARTMENT OF TREASURY 

MR. KILCOYNE.  Thank you very much.  Mr. Stearns and other 
distinguished Members of the Oversight and Investigations 
Subcommittee of the House Committee on Energy and Commerce, my name 
is Paul Kilcoyne and I am the Deputy Assistant Director for 
Investigative Services Division at the United States Immigration 
and Customs Enforcement, also known as ICE.  I would like to thank 
the subcommittee for their interest in Internet data brokers.  
The Internet has a huge depository of information that can be 
used by law enforcement agencies at every level.  However, care 
must be taken to ensure that the information is accurate and 
obtained by lawful means.  We appreciate the subcommittee's 
oversight and opportunities to address this issue. 
ICE representatives were contacted by the subcommittee staff in May 
of 2006 and were asked to provide a briefing on Internet data 
brokers.  The subcommittee staff provided some information from 
their oversight investigation concerning the ICE Denver field 
office's use of a company named Best411.com to obtain subscriber 
information on cellular telephones.  The ICE Headquarters Office 
of Investigations queried the Denver field office about letters 
signed by ICE agents that requested subscriber information and 
determined that four special agents had requested and received 
such information from Best411.  The ICE Cyber Crime Center, also 
known as C-3, then looked into the website and offered the opinion 
that while a law enforcement officer can use public Internet queries 
to obtain subscriber and other public information, the identifying 
information should be substantiated by the issuance of appropriate 
legal process to the company that retains the data in order to 
ensure the veracity of the evidence.  The ICE Office of 
Investigations Headquarters contacted the Denver field office to 
recommend that they not use Best411.com and to state that 
headquarters was working on a field review and subsequent guidance 
to further clarify the issue.  Guidance for our field offices is 
currently being drafted.  
ICE has longstanding robust guidelines in the special agent handbook 
to govern obtaining telephone, toll and subscriber information, but 
which does not currently fully cover all Internet technology.  We 
are working diligently to update our procedures.  
During a June 5, 2006 meeting, the subcommittee staff raised their 
concerns about law enforcement officers using Internet data brokers 
to obtain subscriber information on cellular telephones and provided 
several letters signed by the ICE employees requesting such 
information.  ICE agents involved appeared to have used these 
resellers to quickly filter out numbers that were not related to 
their investigation.  The data resellers were able to respond to 
these requests for information within a few days where cellular 
phone companies typically take several weeks.  I would like to 
note that the ICE Office of Investigations has recommended that 
the SAC Denver office not use these resellers in the future.  
Furthermore, we are currently drafting guidance on the issue for 
the ICE field offices nationwide.  As noted above, we intend to 
coordinate this guidance with the Department of Homeland Security 
Privacy Office.  
Finally, in response to the subcommittee's question on whether the 
agents acted improperly in obtaining the information, the ICE 
Office of Professional Responsibility reviewed the facts and 
circumstances of this situation and determined that the employees 
did not act improperly.  
Thank you for this opportunity to testify today and I look forward 
to the subcommittee's questions. 
[The prepared statement of Paul Kilcoyne follows:] 

PREPARED STATEMENT OF PAUL KILCOYNE, DEPUTY ASSISTANT DIRECTOR OF
INVESTIGATIONS, U.S. IMMIGRATION AND CUSTOMS ENFORCEMENT, 
U.S. DEPARTMENT OF HOMELAND SECURITY 

INTRODUCTION 
Chairman Whitfield, Ranking Member Stupak and distinguished Members 
of the Oversight and Investigations Subcommittee of the House 
Committee on Energy and Commerce.  My name is Paul Kilcoyne and I 
am the Deputy Assistant Director for the Investigative Services 
Division at U.S. Immigration and Customs Enforcement (ICE).  I 
would like to thank the Subcommittee for their interest in Internet 
Data Brokers.  The Internet has a huge depository of information 
that can be used by law enforcement agencies at every level.  
However, care must be taken to ensure that the information is 
accurate and obtained by lawful means.  We appreciate the 
Subcommittee's oversight and the opportunity to address this 
issue.   

BACKGROUND 
ICE representatives were contacted by Subcommittee staff in May 2006 
and asked to provide a briefing on Internet data brokers.  The 
Subcommittee staff provided some information from their oversight 
investigation concerning the ICE Denver field office's use of a 
company named Best411.com to obtain subscriber information on 
cellular telephones.  The ICE Headquarters Office of Investigations 
queried the Denver field office about letters signed by ICE agents 
that requested subscriber information, and determined that 4 special 
agents had requested and received such information from Best411.com 
The ICE Cyber Crimes Center (C3) then looked into the website and 
offered the opinion that while a law enforcement officer can use 
public Internet queries to obtain subscriber and other public 
information, the identifying information should be substantiated 
by the issuance of appropriate legal process to the company that 
retains the data in order to ensure the veracity of the evidence. 
Even if no charge is incurred, the use of private investigators to 
obtain subscriber information by Federal law enforcement agents 
could compromise sensitive investigations.  The ICE Office of 
Investigations contacted the Denver field office to recommend that 
they not use Best411.com and to state that Headquarters was working 
on field guidance to further clarify the issue.  Guidance for the 
field offices is currently being drafted.   We are aware that the 
Government Accountability Office has issued a report on the use of 
commercial data recommending that the Department of Homeland 
Security establish a policy for such use and that the DHS Privacy 
Office is currently developing such a policy.  ICE intends to work 
closely with the DHS Privacy Office on this matter.  
ICE has long-standing robust guidelines in the Special Agent 
Handbook to govern obtaining telephone toll and subscriber 
information but which does not currently fully cover all Internet 
technology.  We are working diligently to update our procedures 
to cover this unforeseen situation. 

ISSUES AND RESPONSE 
During a June 5, 2006 meeting, the Subcommittee staff raised their 
concerns about law enforcement officers using internet data brokers 
to obtain subscriber information on cellular telephones and provided 
several letters signed by ICE employees requesting such information.  
The ICE agents involved appear to have used these resellers to 
quickly filter out numbers that were not related to their 
investigations.  The data resellers were able to respond to these 
requests for information within a few days, whereas cellular 
telephone companies typically take several weeks. 
I would like to note that the ICE Office of Investigations has 
recommended that the SAC Denver office not use these resellers in 
the future.  Furthermore, we are currently drafting guidance on 
this issue for the ICE field offices.  As noted above, we intend 
to coordinate this guidance within the Department with the DHS 
Privacy Office.  
Finally, in response to the Subcommittee's question of whether 
agents acted improperly in obtaining the information, the ICE 
Office of Professional Responsibility reviewed the facts and 
circumstance of this situation and determined that the employees 
did not act improperly.  
Thank you for the opportunity to testify today and I look forward 
to the Subcommittee's questions. 

MR. STEARNS.  I thank the gentleman.  
Ms. Lammert.  
MS. LAMMERT.  My name is Elaine Lammert.  I am the Deputy General 
Counsel for the FBI, Office of General Counsel, Investigative Law 
Branch.  I want to thank you today for the opportunity to discuss 
the acquisition and sale of mobile phone records by online data 
brokers.  
As the subcommittee is well aware, a significant number of online 
companies have openly advertised their ability to obtain and sell 
telephone call records.  There are compelling reasons for the 
Government to believe that these operations violate Federal law.  
News accounts as well as expert testimony before Congress reflect 
that these records are most often obtained unlawfully through 
pretexting or, in courtroom terms, fraud.  Numerous data brokers 
are suspected of calling up phone companies and intentionally 
misidentifying themselves and their purpose by lying about their 
identity and purpose.  By claiming they are a fellow employee, a 
customer or a customer's representative, they manage to acquire 
statutorily protected information to which they have absolutely 
no right.  
As you would expect, the FBI is actively investigating some of 
these practices as potential crimes.  
It is fair to say that the concern over how customer toll records 
are protected is widespread and that protecting such records affect 
a wide array of interests.  For example, similar to other 
individuals and businesses, law enforcement agencies also require 
that their call records be protected against unlawful disclosure.  
The FBI tested the ability of at least one online broker to gather 
information related to one of his own FBI telephone accounts and 
the results were unacceptable.  They obtained our records.  
It is easy to imagine how this type of data theft can negatively 
impact ongoing investigations and therefore our ability to enforce 
the law and protect the country.  And so the FBI is interested in 
these activities both in terms of investigating possible violations 
of law and in order to protect the integrity of its own operations.  
Of course a range of laws already exist to protect the 
confidentiality of telephone customer records.  The 
Telecommunications Act of 1996 generally precludes telecommunication 
carriers from using, disclosing, or permitting access to 
individually  identifiable customer proprietary network information 
except as required by law or with the approval of the customer.  
The Electronic Communication Privacy Act, ECPA, also provides 
important rights for customers and subscribers of telephone 
companies, Internet service providers, and e-mail providers.  
Under ECPA, for example, there are important restrictions on when 
a telephone company may voluntarily disclose customer records to 
the Government.  ECPA also describes in detail what information 
the Government may require a company to provide when the Government 
uses a warrant, subpoena or court order.  
As the statute relates to telephone records, in response to a 
subpoena, a telephone company must provide the Government with the 
relevant customer's name, address, local and long distance 
telephone connection records, length of the service, types of 
services utilized, telephone or instrument number or other 
subscriber name or identity, and that customer's means and source 
of payment.  
The FBI has significant interests in obtaining lawful access to 
telephone records in connection with investigations of all kinds, 
including terrorism, espionage, drug trafficking, child pornography, 
and more.  In those cases, our practice is to strictly comply with 
ECPA.  Indeed, it is part of the FBI's mission to prevent identity 
and information theft and to enforce the criminal laws designed to 
bring justice to those who do or would violate individual 
businesses and privacy.  
I also wish to advise the subcommittee that the Department of 
Justice has created a Privacy and Civil Liberties Board to ensure 
that the departmental programs and efforts adequately considers 
civil liberties and privacy.  
The Data Committee of this board on which the FBI is represented 
was established earlier this year to address issues related to 
information privacy within the Department.  The Data Committee 
members are analyzing the Department's use of all information 
reseller data, including Internet data brokers, and will evaluate 
potential Department-wide policy with regard to such use.  
Specifically, all members of the committee are currently assessing 
their agency's use of information reseller data, including 
Internet data brokers, identified by the subcommittee as employing 
pretexting and fraud to obtain information.  While the inquiry is 
ongoing to this point there is no evidence of widespread use of 
such services.  
The Data Committee meets on a monthly basis and expects to 
make recommendations to the Attorney General on this issue upon 
completion of this review.  
Mr. Chairman and members of this committee, the FBI fully supports 
the goal of protecting the privacy and security of customer 
telephone records from those who would acquire this information 
unlawfully.  We are committed to enforcing the privacy and fraud 
laws aimed at achieving that goal.  
I thank you for your time today, and I am happy to answer any 
questions.  
[The prepared statement of Elaine M. Lammert follows:] 

PREPARED STATEMENT OF ELAINE M. LAMMERT, DEPUTY GENERAL COUNSEL, 
INVESTIGATIVE LAW BRANCH, FEDERAL BUREAU OF INVESTIGATION, 
U.S. DEPARTMENT OF JUSTICE 

Good afternoon Mr. Chairman and members of the Subcommittee.  
My name is Elaine Lammert and I am Deputy General Counsel of the 
FBI's Office of the General Counsel, Investigative Law Branch.  I 
want to thank you for the opportunity to appear before you today 
to discuss the acquisition and sale of mobile phone records by 
online data brokers.  
As the subcommittee is well aware, a significant number of online 
companies have openly advertised their ability to obtain and sell 
telephone call records.  There are compelling reasons for the 
government to believe that these operations violate federal law.  
News accounts as well as expert testimony before Congress reflect 
that these records are most often obtained unlawfully through 
"pre-texting" or, in court room terms: fraud.  Numerous data 
brokers are suspected of calling up phone companies and 
intentionally mis-identifying themselves and their purpose.  By 
lying about their true identity -- perhaps by claiming that they 
are a fellow employee, or that they are the customer, or the 
customer's representative -- they manage to acquire statutorily 
protected information to which they have absolutely no right.  
As you would expect, the FBI is actively investigating some of 
these practices as potential crimes, including potential violations 
of the wire fraud provisions of 18 U.S.C.  ï¿½ 1343.  Under that 
statute, it is a felony -- punishable by up to 20 years in 
prison -- to falsely or under fraudulent pretenses obtain money 
or property by means of a wire communication in interstate or 
foreign commerce.  
In addition, on May 3rd of this year, the Federal Trade Commission 
announced that it filed court complaints charging five Internet 
web-based operations with surreptitiously obtaining and selling 
confidential customer phone records without the customer's 
knowledge or authorization in violation of 15 U.S.C.  ï¿½ 45(a).  
The FTC, with the assistance of the Federal Communications 
Commission and a number of telephone companies, is seeking to 
stop these data brokers in their tracks and have them disgorge 
their unlawfully obtained proceeds.  The privacy community also 
has raised concerns with the practices of these online data 
brokers.  
It is fair then to say that the concern over how customer toll 
records are protected is widespread, and that protecting such 
records affects a wide array of interests.  For example, similar 
to other individuals and businesses, law enforcement agencies 
also require that their call records be protected against unlawful 
disclosure.  The FBI tested the ability of at least one online 
broker to gather information related to one of its own FBI telephone 
accounts, and the results were unacceptable: they obtained our 
records.  It is easy to imagine how this type of data theft can 
negatively impact ongoing investigations, and therefore our ability 
to enforce the law and protect the country.  And so, the FBI is 
interested in these activities both in terms of investigating 
possible violations of law and in order to protect the integrity 
of its own operations.  
Of course, a range of laws already exist to protect the 
confidentiality of telephone customer records.  The 
Telecommunications Act of 1996 generally precludes 
telecommunications carriers from using, disclosing, or permitting 
access to "individually identifiable customer proprietary network 
information" except as required by law or with the approval of the 
customer.  47 U.S.C. 222(c)(1).  The Electronic Communications 
Privacy Act ("ECPA"), codified at 18 U.S.C. ï¿½ï¿½ 2701-2712, also 
provides important rights for customers and subscribers of 
telephone companies, Internet Service Providers, and e-mail 
providers.  
Under ECPA, for example, there are important restrictions on when a 
telephone company may voluntarily disclose customer records to the 
government.  Pursuant to 18 U.S.C. ï¿½ 2702(c), a telephone company 
may voluntarily provide the government with customer records only 
if it has the lawful consent of the customer or subscriber; as 
may be necessarily incident to the rendition of the service or 
to the protection of the rights or property of the service 
provider; or, if the provider in good faith believes that an 
emergency involving danger of death or serious physical injury to 
any person justifies disclosure of the information without delay.  
ECPA also describes in detail what information the government may 
require a company to provide when the government uses a warrant, 
subpoena or court order.  As the statute relates to telephone 
toll records, 18 U.S.C. ï¿½ 2703(c)(2) requires that -- in response 
to a subpoena -- a telephone company must provide the government 
with the relevant customer's name, address, local and long 
distance telephone connection records, length of service and types 
of services utilized, telephone or instrument number or other 
subscriber number or identity, and that customer's means and 
source of payment.  
The FBI has significant interests in obtaining lawful access to 
telephone records in connection with investigations of all kinds -- 
including terrorism, espionage, drug trafficking, child pornography, 
and more.  In those cases, our practice is to strictly comply with 
ECPA.  Indeed, it is part of the FBI's mission to prevent identity 
and information theft and to enforce the criminal laws designed 
to bring justice to those who do, or would, violate individual or 
business privacy.  
I also wish to advise the Subcommittee that the Department of 
Justice has created a Privacy and Civil Liberties Board to ensure 
that Departmental programs and efforts adequately consider civil 
liberties and privacy.  The Data Committee of the Privacy and Civil 
Liberties Board, on which the FBI is represented, was established 
earlier this year to address issues related to information privacy 
within the Department.  Its first task is to respond to 
recommendations in the April 2006 GAO report entitled "Personal 
Information Agency and Reseller Adherence to Key Privacy 
Principles." The Data Committee members are analyzing the 
Department's use of all information reseller data, including 
internet data brokers, and will evaluate potential Department-wide 
policy with regard to such use.  Specifically, all members of the 
committee are currently assessing their agencies' use of information 
reseller data, including the Internet data brokers identified by 
the Subcommittee as employing pretexting and fraud to obtain 
information.  While the inquiry is ongoing, to this point, there 
is no evidence of widespread use of such services.  The Data 
Committee meets on a monthly basis and expects to make 
recommendations to the Attorney General on this issue upon 
completion of its review.  
Mr. Chairman and members of the subcommittee, the FBI fully supports 
the goal of protecting the privacy and security of customer 
telephone records from those who would acquire that information 
unlawfully.  We are committed to enforcing the privacy and fraud 
laws aimed at achieving that goal.  I thank you for your time today 
and would be happy to answer any questions. 

MR. STEARNS.  Thank you.  
Mr. Bankston.
MR. BANKSTON.  Good morning, Chairman Stearns and Ranking Member 
DeGette and members of subcommittee.  Thank you for the opportunity 
to address the subcommittee on this important technology-related 
privacy issue.  
My name is James Bankston.  I am a Chief Inspector for the United 
States Marshals Service, Investigative Services Division.  As such 
I provide headquarter space, managerial direction, and oversight 
for the Service's criminal investigative mission.  The Marshals 
Service shares the committee's concern over the inappropriate, if 
not illegal collection and reselling of personal information by 
unscrupulous data brokers.  We commend the committee for exploring 
ways to ensure that consumers' private information remains private 
and secure.  
My written testimony, which has been submitted for the record, 
addresses three issues:  First, the USMS concerns about the 
unrestricted and unregulated use of data brokers who use pretexting 
and other nefarious means to obtain private records. 
Second, the USMS use of legitimate data banks and resellers of 
public and open source consumer information is just one of many 
investigative tools utilized.  
And third, the USMS internal audit to identify any instances where 
an employee may have used data brokers who are under investigation 
by this committee.  
The Marshals Service uses lawfully obtained public and open source 
records in order to fulfill our mandate to investigate and apprehend 
violent criminals wanted at the Federal, State, and local levels.  
We also use this information to investigate threats against 
thousands of Federal judges, U.S. Attorneys, witnesses, and other 
persons designated by Congress and the Department of Justice.  Such 
services are only used as needed and pursuant to a specific and 
legitimate law enforcement investigative inquiry.  
The timely acquisition, analysis, and reduction of voluminous open 
source records into actual intelligence plays a significant role in 
our swift and unparalleled success in apprehending some of the 
Nation's most notorious and dangerous fugitives.  
USMS investigators and analysts are trained to keep their information 
collection within established legal boundaries.  Moreover, the 
Department of Justice has created a Privacy and Civil Liberties 
Board to ensure that departmental programs and efforts adequately 
consider civil liberties and privacy.  The Marshals Service 
participates on the Board's Data Committee, which was established 
earlier this year to address issues related to information privacy 
within the Department.  The Department-wide inquiry is ongoing, but 
at this point there is no evidence of widespread use of such 
services.  
Mr. Chairman, this concludes my statement.  I would be happy to 
answer any questions you or other members of the subcommittee 
have. 
[The prepared statement of James J. Bankston follows:] 

PREPARED STATEMENT OF JAMES J. BANKSTON, CHIEF INSPECTOR, 
INVESTIGATIVE SERVICES DIVISION, U.S. MARSHALS SERVICE, U.S. 
DEPARTMENT OF JUSTICE 

Good afternoon, Chairman Whitfield, Ranking Member Stupak, and 
members of the Subcommittee. Thank you for the opportunity to 
address the Subcommittee on this important technology-related 
privacy issue. My name is James J. Bankston. I am a Chief Inspector 
for the United States Marshals Service (USMS or Marshals Service), 
Investigative Services Division. As such, I provide 
headquarters-based managerial direction and oversight for the 
Marshals Service's criminal investigative mission. 
The USMS shares the Subcommittee's concern over the inappropriate, 
if not illegal, collection and reselling of personal information by 
unscrupulous data brokers. In an age when consumers must cope all too 
often with the loss or mismanagement of their personal telephone, 
banking, credit card, and federal benefit information, the 
Subcommittee is to be commended for exploring ways to ensure that 
consumers' private information remains private and secure. 
These efforts should not overlook the value of those reputable 
companies that acquire information from public or open sources; have 
security policies in place that fully explain the methods of 
collection, sale, and dissemination; monitor their security systems 
for breaches; and do not engage in "pretexting." Such companies have 
proven to be one of many invaluable resources that law enforcement 
agencies rely upon when conducting criminal investigations. 

My testimony addresses three issues: 1) the USMS' concerns about 
the unrestricted and unregulated use of data brokers who use 
pretexting or other nefarious means to obtain private records; 2) 
the USMS' use of legitimate data banks and resellers of public and 
open-source consumer information as just one of many tools utilized 
during the Agency's hundreds of thousands of criminal 
investigations; and 3) the internal audit conducted by the USMS to 
identify those instances where its employees may have used the data 
brokers who are under investigation by this Subcommittee. 


Data Brokers 
Like Congress and many of the consumer groups that have taken an 
interest in the commercial use of "data brokers" who claim to have 
access to telephone subscriber, call, and cell site usage, the USMS 
also is concerned about the unauthorized collection, sale, and 
distribution of this type of information. Individually, every USMS 
employee, as well as their family members, has expectations of 
privacy that mirror those of every other member of the public who 
engages in private, lawful conduct. At the same time, each Deputy 
U.S. Marshal is entitled to protection from criminal retribution 
for the critical law enforcement duties we perform. The USMS is 
involved in virtually every federal law enforcement initiative. 
As an agency, we are charged with the primary responsibility for 
identifying and investigating threats and providing protection to 
thousands of federal judges, jurors, U.S. Attorneys, Assistant 
U.S. Attorneys, witnesses, and other persons designated by Congress 
or the Department of Justice. In addition to protecting the 
integrity of the federal justice system, the USMS operates the 
Witness Security Program, transports federal prisoners, and seizes 
property acquired by criminals through illegal activities. Further, 
 USMS is the federal government's primary agency for conducting 
fugitive investigations. We arrest more than half of all federal 
fugitives.  
Unregulated access to subscriber information, call detail records, 
and the dates and times that individual cell sites are accessed 
would wreak havoc on our efforts and ability to assure the 
operational security of our protectees and their families, 
associates, and routines, as well as our other law enforcement 
responsibilities. Restrictions that protect privacy are reasonable 
and necessary, and abuses should be thoroughly investigated and 
eliminated. 

USMS Investigations and the Use of Open-Source Information 
The USMS is a significant consumer of lawfully-obtained public and 
open-source records. In order to fulfill our mandate to investigate 
and apprehend violent criminals wanted at the federal, state, and 
local levels, as well as to investigate threats against the federal 
judiciary, the timely acquisition, analysis, and reduction of 
voluminous open-source records into "actionable intelligence" has 
played, and continues to play, a significant role in our swift and 
unparalleled success in apprehending some of the nation's most 
notorious and dangerous fugitives. 
The USMS, like other agencies, utilizes certain data banks and 
commercial sources of information under contractual agreements 
sanctioned by the Department of Justice. Such services are used only 
as needed and pursuant to a specific and legitimate law enforcement 
investigative inquiry. While federal law enforcement agencies like 
the USMS now have access to legitimately-collected information that 
was previously unavailable from a single-collection point, such 
access is absolutely essential to our ability to stay one step 
ahead of seasoned and resourceful criminals desperate to evade 
justice. 
One of the USMS' primary criminal investigative missions involves 
locating and apprehending fugitives who are on the run from the 
law. Our fugitive mission has a singular purpose - to swiftly 
apprehend a known fugitive to answer for the charges. Fugitives 
from justice have already experienced varying degrees of due 
process, from a grand jury indictment to a trial by peers to 
appellate review. Unlike law enforcement agencies that are 
responsible for investigating who committed a crime, the USMS 
does not seek to build a prosecutorial case against an individual. 
In nearly every case, we know exactly who is wanted; our goal is 
to end the investigation by fulfilling a court-ordered arrest 
warrant and bringing a wanted fugitive to justice. 
A violent fugitive - the most common target of a USMS 
investigation - is a unique target among law enforcement 
investigations in that, at a minimum, an independent grand jury 
or a neutral and detached judge already has determined that probable 
cause exists to believe that a crime has been committed and that the 
named fugitive committed the crime. Many of the individuals whom 
the USMS investigates are post-conviction fugitives (such as parole 
violators, probation violators, or failure to surrender fugitives) 
who have pled guilty or have been found guilty by jury or judge. 
The USMS also is responsible for apprehending the most dangerous 
class of fugitive - the violent escapee who will do just about 
anything to avoid apprehension. 
These investigations include not only the tens of thousands of 
federal fugitives that the USMS tracks and captures, but also the 
many more state, county, and local fugitives we investigate as part 
of our six regional fugitive task forces and more than 90 
district-based multi-agency task forces. In fiscal year 2005, the 
USMS arrested more than 35,500 federal fugitive felons and cleared 
38,500 federal felony warrants - more than all other federal law 
enforcement agencies combined. Together with our federal, state, 
and local partners, U.S. Marshals-led fugitive task forces arrested 
more than 44,000 state and local fugitives and cleared 51,200 state 
and local felony warrants. These results are unparalleled in law 
enforcement. 
As of June 13, 2006, the USMS fugitive caseload consisted of 36,464 
federal felony fugitives and 13,396 state felony fugitives. On any 
given day, USMS employees make hundreds of requests for information 
from a variety of sources. Many of those requests involve the use 
of data banks and open-source materials as a supplement to basic 
police investigative leg-work, and eventually aid in making an 
apprehension and taking a violent criminal off the streets. For 
example, in the last three months alone, criminal investigators 
and intelligence analysts assigned to the Criminal Information 
Branch of the Marshals Service's Great Lakes Regional Fugitive 
Task Force, based in Chicago, have used commercial databases and 
open-source data banks such as Lexis-Nexis/Accurint and ChoicePoint 
to obtain critical information that directly led to the arrests of 
the following violent fugitives: 
  Dimitrie Thomas, Sean Everett, and Andre Jones, who were wanted 
in Cabell County, West Virginia. Thomas and Jones were wanted for 
narcotics violations, while Everett was wanted on federal weapons 
charges. Deputies seized two fully-loaded handguns, a revolver and 
a shotgun, while searching Thomas' residence after his arrest. All 
three were arrested in Detroit, Michigan. 
  Roberto I. Lopez, who was wanted in Milwaukee, Wisconsin, for 
first-degree murder and armed robbery in a drug-related case. 
Marshals Service investigators determined that Lopez had fled to his 
native Dominican Republic, where he had been using a number of 
aliases to avoid detection. Lopez was arrested by local authorities 
with the assistance of the USMS Dominican Republic Foreign Field 
Office. 
 Corey Moss, who was wanted in Waukesha County, Wisconsin, for 
sexual assault. He was arrested in Milwaukee by Deputies who found 
him hiding in a basement of his mother's home. 

Open-source information also was critical to the success of the 
fugitive investigation of Timothy Berner, who was wanted in Sterling 
Heights, Michigan, for the July 2004 murder of Police Officer Mark 
Sawyer. Berner had committed several bank robberies with a shotgun, 
and he specifically targeted Officer Sawyer so that he could steal 
his service revolver and continue his criminal ways. As Officer 
Sawyer sat in a shopping center parking lot writing routine police 
reports, Berner approached and fired a single shot, killing him. 
He then stole Officer Sawyer's handgun and fled the scene. For 
three weeks, Deputy U.S. Marshals and task force officers from a 
variety of districts tracked Berner to Jacksonville, Florida, where 
he was located at the residence of a female acquaintance who was 
unaware of his real identity and crimes. As investigators approached 
to arrest him, Berner committed suicide. 
The cases I just cited are just four of tens of thousands of 
fugitive investigations that the Marshals Service undertakes each 
year. I could provide hundreds of similar examples where USMS 
criminal investigators and intelligence analysts have used these 
resources in fugitive investigations and made an arrest. 

USMS Data Broker Queries 
The Subcommittee has obtained a document signed by a Deputy U.S. 
Marshal requesting information from a company currently under the 
Committee's scrutiny. After thorough inquiry, we have ascertained 
that the Deputy's intent was to obtain subscriber information on 
a cell phone number as part of a fugitive investigation. Our survey 
of the 94 USMS districts, six regional fugitive task forces, five 
Regional Technical Operations Centers, and financial records has 
revealed only this isolated instance of use of the data brokers 
in question. 
While no formal policy currently exists specifically addressing the 
use of data brokers of the type under investigation by this 
Subcommittee, USMS investigators and analysts are trained to keep 
their information collection within established legal boundaries. 
Defined legal boundaries of investigative endeavors are present 
through USMS policy pertaining to fugitive investigations and 
technical operations. Moreover, the Department of Justice has 
created a Privacy and Civil Liberties Board to ensure that 
Departmental programs and efforts adequately consider civil 
liberties and privacy. The Data Committee of the Privacy and Civil 
Liberties Board, on which USMS is represented, was established 
earlier this year to address issues related to information privacy 
within the Department. Its first task is to respond to 
recommendations in the April 2006 GAO report entitled "Personal 
Information Agency and Reseller Adherence to Key Privacy 
Principles." The Data Committee members are analyzing the 
Department's use of all information reseller data, including 
internet data brokers, and will evaluate potential Department-wide 
policy with regard to such use. Specifically, all members of the 
committee are currently assessing their agencies' use of information 
reseller data, including the Internet data brokers identified by 
the Subcommittee as employing pretexting and fraud to obtain 
information. While the inquiry is ongoing, to this point, there 
is no evidence of widespread use of such services. The Data 
Committee meets on a monthly basis and expects to make 
recommendations to the Attorney General on this issue upon 
completion of its review. 

Conclusion
 The USMS has a legitimate need to investigate a wide variety of 
sources in order to obtain personal information that might lead to 
the ultimate apprehension of wanted fugitives. The need to acquire 
information quickly is critical to the success of our investigative 
efforts. Ultimately, the USMS needs information to locate and bring 
the wanted fugitive to justice. Today's fugitive is often a hardened 
criminal who has had the benefit of a few years in prison to sharpen 
and refine his skills, and is keenly aware of both our capabilities 
and our weaknesses. 
Just as the electronic age has brought with it great advances in the 
speed and accuracy with which information is collected, stored, and 
retrieved, so too has it brought increased risk to law enforcement, 
particularly agents operating undercover: 1) the virtual 
contemporaneous disclosure of investigative techniques; 2) the 
detailed disclosure of precisely what records are maintained and, 
therefore, available to law enforcement; 3) the disclosure of 
investigative technology, capability, and limitations; 4) the 
ability to communicate anywhere and anonymously behind "ported" 
numbers and prepaid phones with no listed subscribers; 5) off-shore 
calling cards obtained either through convenience stores or the 
Internet; and 6) point-to-point encrypted packet-data 
communications. 
Over time, we have had to refocus our investigative efforts and 
techniques to address this newly emerging class of experienced 
criminal. Access to legitimate resources must be retained in order 
to allow law enforcement to stay one step ahead of the individuals 
who are all too willing to circumvent the law. Similarly those 
would circumvent established legal or ethical principles to obtain 
private information must be prevented from doing so. 

MR. WHITFIELD.  Thank you.  
Ms. Cooper Davis.
MS. COOPER DAVIS.  Mr. Stearns, Ranking Member DeGette, distinguished 
members of the subcommittee, on behalf of DEA Administrator 
Karen P. Tandy, thank you for the opportunity to testify before 
you today regarding DEA's policy to obtain telephone transactional 
records and the use of Internet data brokers.  
For nearly the past 3 years I have served as DEA's Chief of 
Operations Management.  In this capacity I support the operations 
of the agency by managing the areas of operational procedures and 
policies, State and local programs, liaison with Federal agencies, 
and other operational concerns.  DEA is a single mission agency 
charged with enforcing the provisions of the controlled substances 
and chemical diversion trafficking laws and regulations of the 
United States.  The agency also serves as the Nation's competent 
authority with regard to national compliance with provisions of 
international drug control treaties.  
DEA's investigations are strictly focused on drug trafficking 
organizations and their facilitators at every juncture of their 
operations.  Our investigation strategies seek to disrupt and 
dismantle these organizations by identifying and attacking 
vulnerabilities in their methods of operation.  
DEA shares this committee's concern regarding Internet data brokers 
that employ fraudulent means to obtain private records.  These data 
brokers should not be confused with legitimate commercial resellers 
from which DEA obtains available information, such as public records 
in furtherance of their investigations.  
Even so, DEA recognizes the sensitivity of the data obtained from 
legitimate commercial data resellers and has measures in place 
intended to safeguard the security of personal information obtained 
from them.  
The use of electronic surveillance and drug investigations, 
specifically telephone wire intercept operations, is an 
investigative technique which the DEA uses to decimate drug 
trafficking organizations.  By linking co-conspirators through their 
telephone conversations and physical surveillance, drug trafficking 
groups are more susceptible to prosecution than in an undercover 
investigation which may yield only a small percentage of the 
organization.  
When targeting a telephone number for exploitation, investigative 
personnel must acquire telephone subscriber information and 
telephone toll data records.  The Congress granted DEA authority 
to issue and serve administrative subpoenas to obtain such data and 
DEA is cognizant that its investigations must be conducted within 
the constraints of law.  DEA has adopted policies and procedures, 
implemented practices through our training of investigative 
workforce to ensure information and evidence are appropriately 
obtained and citizens' privacy rights are not violated.  
The DEA Agents Manual requires the use of an administrative 
subpoena, grand jury subpoena, or court order or consent of the 
subscriber or customer to obtain telephone transactional records, 
otherwise known as subscriber and toll information.  However, the 
DEA Agents Manual does not specifically address Internet data 
brokers or their use in criminal investigations.  Rather, DEA 
policy specifically enumerates the authorized methods for DEA 
personnel to obtain telephone subscriber or transactional records 
which are limited to the administrative subpoena, grand jury 
subpoena, court orders, or consent of the subscriber or customer.  
The criminal investigator works directly with the custodian of 
records and there is no question as to the authenticity of the data 
or how the company acquired the data.  Because the DEA conducts 
numerous telephone wiretap investigations, our personnel are 
cognizant of how and from whom they collect telephone information.  
Since this information will ultimately be used in a court of law, 
it is not the policy or practice of DEA to obtain unverified 
information from unknown and untested open source Internet data 
brokers, particularly those that are known to employ pretexting as 
a business practice.  Rather, DEA policy specifically enumerates 
the authorized methods of obtaining subscriber and toll 
information.  The legality of those methods authorized by DEA has 
been clearly established.  
In sum, DEA relies upon lawful means to gather evidence regarding 
telephone transactional records directly from telephone service 
providers.  
Mr. Stearns, Ms. DeGette, members of the subcommittee, I want to 
thank you again for the opportunity to testify and will be happy 
to address any questions you may have. 
[The prepared statement of Ava Cooper Davis follows:] 

PREPARED STATEMENT OF AVA COOPER DAVIS, DEPUTY ASSISTANT 
ADMINISTRATOR, OFFICE OF SPECIAL INTELLIGENCE, INTELLIGENCE 
DIVISION, U.S. DRUG ENFORCEMENT ADMINISTRATION, U.S. DEPARTMENT 
OF JUSTICE 

INTRODUCTION
Chairman Whitfield and distinguished members of the House Energy and 
Commerce Committee - Subcommittee on Oversight and Investigations, 
on behalf of the Drug Enforcement Administration (DEA), I appreciate 
your invitation to testify today regarding Internet Data Brokers 
(IDBs).  

OVERVIEW 
The DEA, in its unique capacity as the world's preeminent drug law 
enforcement agency, identifies, investigates, and targets for 
prosecution organizations and individuals responsible for the 
production and distribution of illegal drugs.  DEA's mandate is to 
enforce the provisions of the controlled substances and chemical 
diversion trafficking laws and regulations of the United States 
and to serve as the nation's competent authority with regard to 
national compliance with provisions of international drug control 
treaties.  Further, DEA serves as the single point of contact for 
the coordination of all international drug investigations by 
providing clear, concise, and dynamic leadership in the national 
and international drug and chemical control effort.  
Drug syndicates operating today are far more sophisticated and 
dangerous than any of the other organized criminal groups in 
America's law enforcement history.  These new criminals operate 
globally by establishing transnational networks to conduct illicit 
enterprises simultaneously in many countries.  DEA is strictly 
focused on the drug trafficking organizations and their facilitators 
at every juncture of their operation-from cultivation and production 
of drugs, passage through transit zones, to distribution on the 
streets of America's communities.  Our investigations and strategies 
seek to disrupt and dismantle these organizations by identifying and 
attacking vulnerabilities in their methods of operation.  

POLICY AND PROCEDURE 
The DEA Agents Manual is the primary document for operational 
policies and procedures governing the conduct of investigative and 
enforcement operations.  Within this document are the rules and 
regulations that guide our Special Agents and Task Force Officers 
as they go about the business of disrupting and dismantling drug 
trafficking organizations. 
DEA Basic Agent Trainees (BATs) receive instruction on policy and 
procedure, constitutional law, and the rules of criminal procedure, 
during Basic Agent Training.  The curriculum is a 16-week resident 
program designed to train newly recruited agent-trainees.  The 
course places a strong emphasis upon leadership and ethics within 
the framework of rigorous academic, physical, weapons and 
operational training.  Throughout Special Agents' careers, the 
investigators receive advanced and specialized training to enhance 
the knowledge, skills, and abilities necessary to successfully 
perform assigned duties. 
DEA maximizes its force multiplier effect by managing the State and 
Local Task Force Program, whereby almost two thousand State and 
local law enforcement officials work as full partners in DEA Task 
Forces.  Combining Federal leverage and DEA's expertise with state 
and local officers' investigative talents and detailed knowledge of 
their jurisdiction leads to highly effective drug law enforcement 
investigations.  Participating state and local officers are deputized 
to perform the same functions as DEA Special Agents under the 
Controlled Substances Act (Chapter 13 of Title 21 of the United 
States Code).  Upon entering on duty with DEA, Task Force Officers 
(TFOs) attend a two-week TFO school at their respective local DEA 
field division.  During the two-week school, TFOs learn how to 
conduct DEA enforcement operations, prepare investigations for 
prosecution in federal court, and DEA operational policies and 
procedures.  TFOs also work closely with DEA Special Agents and 
are normally supervised by a DEA Group Supervisor.  For those task 
force groups not supervised by a DEA Group Supervisor, the State or 
local law enforcement supervisor also attends the TFO School and 
the four-week DEA Group Supervisor Institute (GSI).  At the GSI, 
supervisors are exposed to leadership and management principles, 
DEA personnel policy, and are taught how to supervise a DEA 
enforcement group.  

Telephone Communications 
The DEA Agents Manual contains a specific section which details 
DEA's policy regarding subscriber/toll information; use of telephone 
decoders; consensual monitoring; and nonconsensual monitoring.  
These policies have been developed and refined to ensure the 
information gathered during the course of an investigations is 
collected in a legal manner that will withstand court scrutiny 
and to establish adequate, appropriate oversight.  The policies 
also protect the investigators and the agency from any legal 
liability.  
The use of electronic surveillance in drug investigations, 
specifically telephone wire intercept operations, is an 
investigative technique which the DEA uses to decimate drug 
trafficking organizations.  By linking co-conspirators through 
their telephone conversations and physical surveillance, drug 
trafficking groups are more susceptible to prosecution than in 
undercover investigation which may yield only a small percentage 
of the organization.  In order to justify the use of a telephone 
wiretap, a criminal investigator must be able to articulate his 
probable cause in an affidavit to the court.  The success of this 
affidavit is dependent upon the field work that the Special Agent 
or TFO conducts, prior to seeking the courts approval for the 
collection of this information.  
When targeting a telephone number for exploitation, investigative 
personnel must acquire telephone subscriber information and 
telephone toll records.  The DEA Agents Manual requires the use 
of an administrative subpoena, grand jury subpoena, court order, or 
consent of the subscriber or customer to obtain telephone 
transactional records.  Because the DEA conducts numerous telephone 
wiretap investigations, our personnel are very cognizant of how and 
from whom they collect telephone information.  DEA has been granted 
administrative subpoena authority for use in drug investigations, 
and Special Agents and TFOs are trained to use that authority.  
When a criminal investigator acquires a telephone number for which 
the subscriber information is not immediately known, the 
investigator must first identify the telephone company (e.g., 
Verizon, Sprint, AT&T, etc.) that owns or controls that number.  
Once the telephone company is identified, the investigator will 
obtain an administrative subpoena, requesting subscriber name, 
billing information, and telephone toll records for a specific 
time frame.  The administrative subpoena must have a DEA case file 
number, be signed by the investigator's supervisor, and be given a 
sequential number for recording in a log book or computer database 
so that a particular field office can track and account for any 
administrative subpoenas issued by that office.  The telephone 
companies are given a period of ten days, from the date of 
issuance, to respond with the requested information.  Furthermore, 
each subpoena usually has an attached letter, signed by the office 
head, requesting the telephone company not to disclose the existence 
of the subpoena for a period of 90 days; as such disclosure could 
possibly interfere with an ongoing criminal investigation.  The 
investigator also has the option of seeking a court order to 
mandate that the telephone company comply with the non-disclosure 
request. 
The DEA Agents Manual does not specifically address IDBs or their 
use in criminal investigations.  Rather, DEA policy specifically 
enumerates the authorized methods for DEA personnel to obtain 
telephone subscriber or transactional records which are limited 
to administrative subpoenas, grand jury subpoenas, court orders, 
or consent of the subscriber or customer.  The criminal investigator 
works directly with the custodian of the records and there is no 
question as to the authenticity of the data or how the company 
acquired the data.  

CONCLUSION 
In conclusion, the DEA relies upon lawful means to gather evidence 
regarding telephone transactional records directly from telephone 
service providers.  The Congress has granted DEA this authority, 
and DEA is cognizant that its investigations must be conducted 
within the constraints of law.  DEA has adopted policy and 
procedures and implemented practices through training of our 
investigative and TFO workforces to ensure information and 
evidence are appropriately obtained.  Moreover, the Department has 
created a Privacy and Civil Liberties Board to ensure that 
Departmental programs and efforts adequately consider civil 
liberties and privacy.  The Data Committee of the Privacy and 
Civil Liberties Board, on which DEA is represented, was established 
earlier this year to address issues related to information privacy 
within the Department.  Its first task is to respond to 
recommendations in the April 2006 GAO report entitled "Personal 
Information Agency and Reseller Adherence to Key Privacy 
Principles." The Data Committee members are analyzing the 
Department's use of all information reseller data, including 
internet data brokers, and will evaluate potential Department-wide 
policy with regard to such use.  Specifically, all members of the 
committee are currently assessing their agencies' use of information 
reseller data, including the Internet data brokers identified by 
the Subcommittee as employing pretexting and fraud to obtain 
information.  While the inquiry is ongoing, to this point, there 
is no evidence of widespread use of such services.  The Data 
Committee meets on a monthly basis and expects to make 
recommendations to the Attorney General on this issue upon 
completion of its review.  
Thank you for the opportunity to appear before you today to discuss 
this important issue.  I will be happy to answer any questions that 
you may have. 

MR. STEARNS.  Thank you.  
Mr. Ford.
MR. FORD.  Good afternoon, Chairman Stearns and Ranking Member 
DeGette, and distinguished members of the subcommittee.  I am 
pleased to appear before you today to discuss the Bureau of Alcohol, 
Tobacco, Firearms and Explosives' Internet data broker policy.  
In late 2005, the availability of personal information from a 
multitude of Internet database sources came to the attention of 
ATF offices through field inquiries, the intelligence community, 
and the evaluations of operational security issues specifically 
related to undercover investigations.  
This information included services advertising the sale of 
individuals cell phone records, including the cell phone numbers a 
particular cell phone has connected to, the duration of call, as 
well as other personal subscriber information.  ATF headquarters 
received a number of inquiries from our field personnel pertaining 
to the applicability and legitimacy of such service.  As a result, 
we issued a notice to all personnel on January 25, 2006, providing 
guidance on this issue.  
Of paramount concern was the problem data broker services could 
present to law enforcement undercover operations and officer safety. 
 As we noted in our broadcast announcement to ATF employees, 
in undercover operations criminals themselves may likely be 
checking the undercover agents' cell phone records to determine 
whether the agents are who they claim to be, and tracing an ATF 
cell phone to a government purchase presents a serious hazard to 
agents under these circumstances.  In addition, tracing context to 
other phones could compromise an investigation, endanger agents and 
witnesses. 
There is also a question of the appropriateness of law enforcement 
agencies using data brokers to obtain subscriber information.  
During our review we noted that there were ongoing concerns by 
telephone companies regarding methods used by some within the 
Internet data broker community to collect data they maintained 
and disseminated.  The notice we sent to all personnel in January 
reminded agents that as law enforcement officers, we have the 
ability to subpoena these records, and it instructed them to 
continue utilizing this approach.  We have no indication that 
ATF has requested toll record information from data brokers.  
Furthermore, after querying our case management system we could 
find no record of the use of any data brokers under the 
subcommittee's review.  
ATF is committed to preserving the integrity of our operation and 
the safety of our agents and to using the best practices and 
appropriate tools when conducting investigations.  The rapidly 
evolving world of information technology will continue to present 
law enforcement with new issues and situations that require 
careful consideration.  We will closely examine each and apply 
our high standards and principles when providing guidance to our 
agents.  
As my colleagues have testified to, the Department has created a 
Privacy and Civil Liberties Board to ensure that departmental 
programs and efforts adequately consider civil liberties and 
privacy, on which ATF is represented.  We also welcome and 
appreciate any information and views the subcommittee would like 
to share on this matter.  
Once again, Mr. Chairman and members of the subcommittee, on behalf 
of ATF I thank you for the opportunity to testify today and I look 
forward to answering any questions you may have.  
[The prepared statement of W. Larry Ford follows:] 

PREPARED STATEMENT OF W. LARRY FORD, ASSISTANT DIRECTOR, OFFICE OF 
PUBLIC AND GOVERNMENTAL AFFAIRS, BUREAU OF ALCOHOL, TOBACCO, 
FIREARMS, AND EXPLOSIVES, U.S. DEPARTMENT JUSTICE 

Good afternoon Chairman Whitfield, Ranking Member Stupak, and 
distinguished members of the Subcommittee. I am pleased to appear 
before you today to discuss the Bureau of Alcohol, Tobacco, 
Firearms and Explosives' (ATF) policy on the use of Internet data 
brokers. 
In late 2005, the availability of personal information from a 
multitude of Internet-based sources came to the attention of several 
ATF offices in various ways. This information included services 
advertising the sale of individuals' cell phone records, including 
the telephone numbers a particular cell phone has connected to, 
the duration of calls, as well as other personal subscriber 
information. ATF Headquarters received a number of inquiries from 
our field personnel pertaining to the applicability and legitimacy 
of such services. As a result, we issued a notice to all ATF 
personnel on January 25th, 2006, providing guidance on the issue. 
Of paramount concern was the problem data broker services could 
present to law enforcement undercover operations and officer 
safety. As we noted in our broadcast announcement to ATF employees, 
"In undercover operations, criminals themselves may likely be 
checking undercover agents' cell phone records to determine 
whether [the agents] are who they claim to be, and tracing an ATF 
cell phone to a government purchase presents a serious hazard to 
agents in these circumstances." In addition, Mr. Chairman, tracing 
contacts to other phones could compromise an investigation and 
endanger agents and witnesses.  
There is also the question of the appropriateness of a law 
enforcement agency using data brokers to obtain subscriber 
information. During our review we noted that there were ongoing 
concerns by telephone companies regarding methods used by some 
within the Internet data broker community to collect the data 
they maintained and disseminated. The notice we sent to all ATF 
personnel in January reminded agents that, "As law enforcement 
officers, we have the ability to subpoena these records," and it 
instructed them to "continue to utilize this approach." 
Mr. Chairman, we have no indication that ATF has ever requested 
toll record information from data brokers. 
ATF is committed to preserving the integrity of our operations and 
the safety of our agents and to using the best practices and 
appropriate tools when conducting investigations. The rapidly 
evolving world of information technology will continue to present 
law enforcement with new issues and situations that require 
careful consideration. We will closely examine each and apply 
our high standards and principles when providing guidance to our 
agents. Moreover, the Department has created a Privacy and Civil 
Liberties Board to ensure that Departmental programs and efforts 
adequately consider civil liberties and privacy. The Data Committee 
of the Privacy and Civil Liberties Board, on which ATF is 
represented, was established earlier this year to address issues 
related to information privacy within the Department. Its first 
task is to respond to recommendations in the April 2006 GAO report 
entitled "Personal Information Agency and Reseller Adherence to Key 
Privacy Principles." The Data Committee members are analyzing the 
Department's use of all information reseller data, including 
internet data brokers, and will evaluate potential Department-wide 
policy with regard to such use. Specifically, all members of the 
committee are currently assessing their agencies' use of information 
reseller data, including the Internet data brokers identified by 
the Subcommittee as employing pretexting and fraud to obtain 
information. While the inquiry is ongoing, to this point, there 
is no evidence of widespread use of such services. The Data 
Committee meets on a monthly basis and expects to make 
recommendations to the Attorney General on this issue upon 
completion of its review. 
We also welcome and appreciate any information or views the 
Subcommittee would like to share on the matter. 
Once again, Mr. Chairman, Congressman Stupak, members of the 
Subcommittee, on behalf of ATF, I thank you for the opportunity to 
testify before you today. I look forward to answering any questions 
you might have. 

MR. BURGESS.  [Presiding.]  Thank you, Mr. Ford.  I want to thank all 
members of the panel.  I apologize for being out of the room.  
I apologize for Mr. Stearns having to depart.  
Ms. Lammert, I didn't get to hear your testimony, but I have your 
written testimony.  Can I ask you, would there ever be any need for 
the FBI to go to one of these data brokers for nonpublic information 
like toll records or financial records?  
MS. LAMMERT.  We strictly comply with ECPA.  In our cases we know 
that the statute requires the use of subpoena, court order, or grand 
jury or administrative subpoena, depending on what criminal 
investigation we are conducting.  So we always instruct our agents 
to comply with the statute.  
MR. BURGESS.  This week the Associated Press has reported that the 
FBI has used Internet data brokers, and yesterday both James Rapp 
and David Gandel briefly discussed assisting the FBI, and one of 
the companies that the committee wrote to, Advanced Research in 
Oregon, stated that it had done work for the FBI in the past.  So 
I will preface this question by noting that the subcommittee has no 
documents in its possession to show transactions between the FBI 
and Internet data brokers, but can you tell us in light of the 
anecdotal information just referenced whether the FBI used data 
brokers to acquire nonpublic information?  
MS. LAMMERT.  First, addressing what has been reported in the press, 
to date we have not developed any information that would support 
the use of the particular individuals that you have currently 
mentioned.  I know there was some testimony yesterday regarding 
one particular individual and an agent, and I am willing to respond 
to that if you have any questions regarding that particular aspect 
of that testimony.  
As far as data brokers are concerned, my concern here is that we 
do use brokers such as ChoicePoint and LexisNexis and Dun & 
Bradstreet, which do collect information from a variety of sources 
and we do use that extensively in our investigations. 
MR. BURGESS.  On the testimony delivered yesterday by Mr. Gandal 
and Mr. Rapp, can you expound upon that?  
MS. LAMMERT.  Sure.  Mr. Gandal discussed having had contact with an 
agent and providing him phone information, I believe, subscriber 
information, and if I am incorrect on that I apologize.  I think 
that is how I understand the testimony to have been.  The agent 
was a relatively new agent in the Bureau.  He had a one-time 
contact in that respect with that information pursuant to an 
investigation.  He did obtain that information from Mr. Gandal.  
When he reported back to his supervisor that he had obtained this 
information and this individual was capable of doing that, his 
supervisor immediately counseled him that that was not the 
appropriate way of obtaining that information, that did not comport 
with our policies, and he was to desist from doing that and he has 
never done that since then.  
MR. BURGESS.  To what extent is the FBI investigating or pursuing 
data brokers who operate in the manner of the ones who came to 
testify yesterday?  
MS. LAMMERT.  As my written testimony states, we are looking at them 
from a perspective of wire fraud, which is Title 18, Section 1343.  
Under that statute it is a felony to falsely or under fraudulent 
pretenses obtain money or property by means of wire communication 
and interstate or foreign commerce.  That is sort of the statute 
that in consultation with the United States Attorney's office 
that we are working with we are pursuing at this time.  
MR. BURGESS.  Well, in that regard are wire fraud statutes adequate 
to pursue the pretexters or does the FBI need a more explicit 
statute in making these activities illegal?  
MS. LAMMERT.  I think that is something we are exploring given the 
current investigations that we have.  We think that this is a good 
statute to work upon but we are looking at whether or not it is 
sufficient or that there are other things that we would need.  
That is all I can say right now. 
MR. BURGESS.  There was an individual who came yesterday to testify 
before us, Patrick Baird, who is from north Texas, as am I, and he 
declined to testify, but do you think if an agent were to share 
information related to an investigation with a data broker like 
Patrick Baird that there is considerable risk of compromising 
operational security?  
MS. LAMMERT.  I would think it depends on what the relationship is 
and why we are talking to Mr. Baird.  If you are talking, and I 
apologize, I would ask if you could explain sort of more about what 
you are trying to determine.  I apologize.  
MR. BURGESS.  Have you got the evidence book at your table?  
MS. LAMMERT.  Yes, sir.  
MR. BURGESS.  Under Tab 5 that is referenced, "faxed request from 
special agent."  
MS. LAMMERT.  Tab 5.  "I have received a fax from the U.S. Postal 
Inspection Service."  That one?  
MR. BURGESS.  Yes.  Although they are redacted on the page, they 
are disclosing telephone numbers and other information.  Now is 
that compromising the operational security of an ongoing 
investigation?  
MS. LAMMERT.  Without speaking to what the Postal Service may or may 
not have known about Mr. Baird, I think we always have to be 
cautious and cognizant that when we are trying to obtain 
information from individuals, regardless of what their position in 
society is, that we always run the risk that those individuals may 
disclose their association with us or provide that information to 
others.  We try very hard to ensure that our sources of information 
or people that we deal with are the type that we can trust and 
have credibility and understand the ability to work with us.  So 
we always have to be concerned about that and recognize that the 
risk exists.  
MR. BURGESS.  On the Stored Communications Act, which is referenced 
under Tab 4 in the book, does it require a certain level of process 
for government entities to get access to nonpublic subscriber 
information like a customer's name, address?  
MS. LAMMERT.  Yes, it requires a subpoena, whether grand jury or 
administrative subpoena, depending if you have administrative 
subpoena power, or even a court order. 
MR. BURGESS.  Even for name and address?  
MS. LAMMERT.  Subpoena for name and address. 
MR. BURGESS.  Which would mean in the case of these documents that 
the subcommittee subpoenaed from a data broker that show that Federal 
agents, not from the FBI, requesting names and addresses associated 
with a telephone number should have been acquired through the 
subpoena process if that information was not in a public database; 
is that correct?  
MS. LAMMERT.  It is the policy of the FBI to obtain subpoenas to 
obtain that type of information, yes.  
MR. BURGESS.  In the interest of time I will yield to the Ranking 
Member, Mr. Stupak of Michigan.  
MR. STUPAK.  Mr. Kilcoyne, I am curious, your testimony arrived 
very, very late last night and there was only three pages.  Was 
there a problem in clearing the testimony through DMB or OMB or 
DHS?  
MR. KILCOYNE.  Not that I am aware of, no. 
MR. STUPAK.  Okay.  Why did it take so long to get?  It is only a 
couple of paragraphs.  Why did it take so long to get it to the 
committee? 
MR. KILCOYNE.  I don't know, sir.  
MR. STUPAK.  Were you responsible for clearing it with anyone like 
DHS or OMB?  
MR. KILCOYNE.  Well, the Office of Congressional Affairs and the 
Department are responsible for clearing it.  I am just the witness 
and participated in some of the preparation of it. 
MR. STUPAK.  Do you know anything about the subject then or are you 
just here to recite the testimony?  
MR. KILCOYNE.  No, I believe I am an adequate witness to address 
some of the issues, yes. 
MR. STUPAK.  Let me ask this question of each of you.  There has 
been some concern.  Back in late April, this committee unanimously 
passed out two pieces of legislation, H.R. 4943, Prevention of 
Fraudulent Access to Phone Records Act, and H.R. 4127, Data 
Accountability and Trust Act.  
I will start with you, Mr. Kilcoyne.  Does your agency have any 
objection or concerns about that legislation.  
MR. KILCOYNE.  That I don't know, sir.  I am not an attorney.  We 
would have to have our legal staff get back to you with that answer. 
MR. STUPAK.  Okay.  Ms. Lammert.  
MS. LAMMERT.  The Department of Justice has received the 
legislation, is looking at it.  We don't currently have an 
administrative position on it. 
MR. STUPAK.  Any idea when you will have one?  
MS. LAMMERT.  I cannot speak for the Department.  I know they are 
working on it feverishly to get it done.  
MR. STUPAK.  Mr. Bankston.  
MR. BANKSTON.  To the best of my knowledge, I don't know anything 
about the bill and we have no objection to it to the best of my 
knowledge.  
MR. STUPAK.  Ms. Cooper Davis.  
MS. COOPER DAVIS.  Sir, I am aware of the bill.  I know it is still 
under review by the Department and DEA has not taken a position on 
the bill. 
MR. STUPAK.  Mr. Ford.
MR. FORD.  As far as I know, the Department has not cleared an 
administrative position on the bill.  
MR. STUPAK.  When do you expect to take a position?  We had the bill 
in committee, we had hearings, we had all this and we had it all 
primed for the floor.  It was scheduled to be on the floor and 
suddenly it gets pulled and we are told that law enforcement has 
objections.  So we would like to know what are the objections?  
MS. LAMMERT.  If I could speak to that for a moment.  
My understanding of what we were at so far in speaking sort of in 
these terms are, we obviously--I think the Department of Justice 
obviously supports enhanced security of this type of information.  
I think it is in the process of clearing it and obtaining an 
administrative position on this.  Some of the things that we are 
looking at that we support and find important to our mission but 
have some comments or would like to share some comments have to do 
with the sort of the language regarding law enforcement exception.  
We would like it to be more akin to the language that is already 
occurring in 1030 and not to be in contradiction to ECPA, which 
allows exception for this type of disclosures to law enforcement. 
MR. STUPAK.  You are talking about exceptions to this.  Are you 
saying law enforcement should be exempt from these pieces of 
legislation?  
MS. LAMMERT.  No, no, no.  I apologize if I am not being clear.  
MR. STUPAK.  We are trying to figure out the concerns.  We don't 
want like the Internet child pornography where we passed a law in 
1998 and you appear before our committee less than a month ago and 
say you have concerns 7 years later.  We are not going to wait 
7 years.  
MS. LAMMERT.  Then as I said, the position of the Department is we 
support the initiative.  It is being looked at and it has not been 
cleared yet.  That is the best we can say right now.  
MR. STUPAK.  Mr. Kilcoyne.  The FBI says in their testimony that they 
believe that pretexters might be guilty of violating the wire fraud 
provisions under 18 USC 1343.  In your testimony it says that your 
agency, Office of Investigations only, and I quote now, "recommended 
that the SAIC, Special Agent in Charge, Denver office not use these 
resellers in the future."  That does not appear to be a strong 
response.  
Can ICE agents use pretexters in the course of one of their 
investigations or not?  
MR. KILCOYNE.  I think we need to be able to take a step back here.  
Now that the committee has brought some of the collections methods 
and this is coming to light as to how they are getting this 
information and we are talking about some individuals, when we 
have a new agent or agents in the field that are going to the 
Internet, they are evidently, as I was, under the false impression 
that you are Googling or crisscrossing or using some sort of 
nationwide directory assistance type of a process to filter out 
numbers or names to try to point you in the right direction.  
MR. STUPAK.  Sure.  But what is the policy?  That is what I am 
asking.  Can ICE agents use pretexters in the course of their 
investigations?  
MR. KILCOYNE.  Well, certainly we are not going to condone the use 
of pretexters.  However, open source information-- 
MR. STUPAK.  That is one thing.  I agree with you.  I am not talking 
about going on the Internet and whatever you pull up.  I am talking 
about paying people, pretexters to help you in your investigation.  
MR. KILCOYNE.  No, we do not do that, no.  
MR. STUPAK.  Okay.  Let me ask this question.  For the record, let 
me ask each of you the following question:  Yesterday, and I held it 
up in my opening right here, CNN reported that Federal law 
enforcement agencies such as yourself spent about $30 million a 
year on data broker services.  The article was discussing mostly 
the kind of sketchy operations that were the discussion of 
yesterday's hearings, which are the pretexters.  Do any of your 
agencies spend money on hiring pretexters to find out certain 
information?  Do you use the services of pretexters?  
Let me start with you, Mr. Kilcoyne.  
MR. KILCOYNE.  I would say no, we don't.  We use open source 
information that is on the Internet and we pay for that in some 
instances.  
MR. STUPAK.  That is a pretexter then, right?  If I am advertising 
on the Internet $100 to get you any information you want if you pay 
me?  
MR. KILCOYNE.  We pay for and have negotiated contracts with 
LexisNexis, Dun & Bradstreet, ChoicePoint.  
MR. STUPAK.  Those are not pretexters?  
MR. KILCOYNE.  Those are the types of companies that we pay.  
MR. STUPAK.  Did you check before you testified today?  
MR. KILCOYNE.  Yes, I did.
MR. STUPAK.  And you don't use any?  
MR. KILCOYNE.  That is correct.  
MR. STUPAK.  Okay, Ms. Lammert?  
MS. LAMMERT.  No, we do not pay for those individuals that unlawfully 
obtain records through pretexting.  
MR. STUPAK.  Okay.  Mr. Bankston?  
MR. BANKSTON.  Congressman, we do not use pretexter services.  There 
was one attempt by an employee who sent a letter, that the committee 
is aware of, we requested for subscriber information relating to a 
telephone number.  He was not aware that that company used 
pretexting or any other illegal means to maintain that data. 
MR. STUPAK.  So you only know of one incident?  
MR. BANKSTON.  Yes, sir. 
MR. STUPAK.  Ms. Cooper Davis?  
MS. COOPER DAVIS.  Yes, sir.  Since being made aware of this, of 
the committee's concern, we quickly canvassed for any contracts 
through our financial database to determine if Internet brokers 
using fraudulent means, if we had any contract or any payments to 
them.  Those inquiries yielded a negative result, and as a result 
of the information you provided to us, we identified one instance 
in which a task force officer made an inquiry from an Internet data 
broker.  
MR. STUPAK.  So you don't have any contracts and as best you can 
determine your agents, other than this one task force, those do not 
use it.  
MS. COOPER DAVIS.  Yes, sir.  
MR. STUPAK.  Mr. Ford.  
MR. FORD.  Yes, sir.  ATF, we queried our case investigative system 
and we had a negative reply to those organizations that the 
committee had listed.  Also, the $30 million figure is derived from 
the GAO report entitled "Personal Information."  
MR. STUPAK.  Okay.  Did GAO in that report indicate your agency or 
any other agencies were using pretexters?  I am not talking about 
LexisNexis.  I am talking about pretexters.  
MR. FORD.  Not for ATF, no, sir.  
MR. STUPAK.  Ms. Lammert, you mention in a question of Mr. Burgess 
that although you are having ongoing inquiry and I believe you said 
to this point there is no evidence of widespread use of such 
pretexting services, and you mention in your statement, to use the 
same language, so what is the definition of widespread use?  Your 
statement says "to this point," and I am quoting now, "to this point 
there is no evidence of widespread use of such pretexting services."  
So is there a difference between widespread use or one-time use?  
MS. LAMMERT.  Yes is the short answer.  We to this day have not 
found that there is a systemic use on the part of our agents in 
the FBI to use these type of Internet data brokers.  We had the 
one incident that was brought to your attention during testimony 
yesterday which we provided information regarding.  We have checked 
our databases for any formal procurement or contract matters 
involving the individuals that you are interested in and have not 
found any.  So that is why to this point we have not seen this.  We 
are in the process of conducting a further survey to ensure what we 
know within our organization.  
MR. STUPAK.  I do not want to get hung up on contracts here because 
that is a pretty formal thing and you would have record of that.  
But I am talking about agents or task force or others using it 
without knowledge of headquarters.  
MS. LAMMERT.  Understood, and that is what I am alluding to, that 
besides the formal sort of contract we have so far we have no 
indication there is a systemic use.  We are in the process of 
surveying our field offices to ensure what information is out 
there. 
MR. STUPAK.  When you have that information will you provide it to 
the committee?  
MS. LAMMERT.  We will. 
MR. STUPAK.  Ms. Cooper Davis, you use basically the same kind of 
language in your testimony, widespread use.  So no widespread use 
with DEA?  
MS. COOPER DAVIS.  No, sir.  
MR. STUPAK.  Again, what context was that meant in, widespread use?  
MS. COOPER DAVIS.  Sir, again, I first became aware of this when 
the committee subpoenaed these Internet data brokers.  DEA has 
mandates, policy which enumerates the ways in which our criminal 
investigators would obtain this kind of information, and that is 
basically to the administrative subpoena, as I said, grand jury 
subpoena, the court orders, or the consent of the customer.  We 
have not to my knowledge found any, other than this one instance.  
That is the only one I can speak of.  
MR. STUPAK.  Mr. Chairman, my time is up.  Thanks for the time, but 
before we leave this point I would ask that the committee ask 
these representatives of the Federal agencies as they continue 
their investigation they let us know their findings as soon as 
possible so we can see the depth and scope of this issue, and 
hopefully it is not $30 million.  
MR. BURGESS.  Without objection. 
MR. BURGESS.  Just before going to recognizing Mr. Walden, I do want 
to enter the binder Tab 5, that I referenced earlier into the 
record, actually the entire binder into the record.  
[The information follows:] 


MR. BURGESS.  I recognize Mr. Walden of Oregon for 10 minutes.  
MR. WALDEN.  Thank you very much, Mr. Chairman.  I appreciate that.  
Mr. Kilcoyne, are you aware of how the special agents in the Denver 
field office first discovered Best411.com and the service it 
provided?  
MR. KILCOYNE.  Yes, I am.  The agents appeared to be through other 
law enforcement contacts and networking were made aware of this 
website.  This is an isolated incident in the Denver field office 
amongst a small group of four agents who evidently talked to each 
other and talked to some of their counterparts there in Denver. 
MR. WALDEN.  And I am curious how were they planning to use that 
information?  Why did they request it?  
MR. KILCOYNE.  As you would do in a case that has in some instances 
thousands and thousands of telephone numbers, they basically would 
use this service or the Internet as a way to perhaps filter out or 
as a pointer to point them and do through process of elimination 
numbers that may come back to public businesses or pay phones or 
known numbers or in some instances, with the cellular telephones, 
it may only identify who the carrier is, who the issuer of that 
particular cell phone is or in some instances where that cell phone 
would be carried.  For example, if they are prepaid phones, does 
Costco sell them, does Wal-Mart sell them, et cetera.  So they would 
just use it as a pointer and then once they were able to kind of 
make a determination that there was connectivity to their specific 
investigation, then they would go through the other processes that 
we have to ensure the integrity of the evidence and the information 
that you would obtain.  
MR. WALDEN.  Doesn't subscriber information that is not publicly 
available still require a warrant?  I am not an attorney but what 
are your standard procedures?  How would this have been handled 
pre-pretexting?  Is subscriber information that is not public 
available to you without a warrant?  
MR. KILCOYNE.  Yes. 
MR. WALDEN.  Really?  
MR. KILCOYNE.  Through telephone companies, through the publications 
that they publish, through crisscross directories.  You call 
Dominoes Pizza and they have everything that you have on your 
residence even if you have an unpublished telephone number.  
MR. WALDEN.  Okay.  But is that information that is only in some 
sort of public database?  
MR. KILCOYNE.  Correct. 
MR. WALDEN.  So information that is not in a public database would 
not be available to you absent a warrant?  
MR. KILCOYNE.  No, the telephone companies print crisscross 
directories or backwards directories that will include in some 
instances nonpublished telephone numbers.  
MR. WALDEN.  But if they do not do it that way, wouldn't you have 
to get some sort of warrant?  
MR. KILCOYNE.  Correct.  If you got the information back, if there 
was no information whatsoever from the Internet, whether you Google 
it or whatever, then we have an established process in place to 
send a summons or a subpoena, a trial subpoena, a grand jury 
subpoena, whatever stage you may be in in your investigation, to 
try to obtain that information. 
MR. WALDEN.  On Page 3, you state that cellular telephone companies 
typically take several weeks to provide requested phone records.  
Why does it take them so long?  
MR. KILCOYNE.  Well, the telephone companies, as with the majority 
of the people at the table here, have to deal with manpower, 
budgeting constraints and everything--and volume.  I mean, if 
you're dealing with a telephone company in a small town that 
services a small town in middle America, chances are your return 
is going to be very, very quickly.  If you go to some of the larger 
cities, your return is going to be 2 or 3 weeks, depending on the 
type of summons or subpoena or the urgency that you are explaining 
to the telephone company.  And they have their own process.  
When I was a field agent down in south Florida, Bell South 
Mobility--sometimes it would take a month to get just subscriber 
information from them.  Because when you would go over there, they 
had two employees that were handling thousands and thousands-- 
MR. WALDEN.  How long ago was that?  
MR. KILCOYNE.  That was 15 years ago. 
MR. WALDEN.  So today you would think with computer technology they 
would be able to access it a little quicker?  
MR. KILCOYNE.  In some instances, the input that we have gotten 
back from our field is that the timeframe is about 2 weeks 
turnaround for a standard summons or subpoena, depending on what 
is used.  However, if you are in the middle of a trial and you use 
a trial subpoena or you are in the grand jury process, they, being 
the service providers, will expedite those requests; and those go 
to the front of the line. 
MR. WALDEN.  I guess I would like to hear from each of you the 
answer to two questions.  One is your own definition of pretexting.  
Is this fraudulent acquisition of otherwise nonpublic data?  And 
then, what is your training for your agents so that they are not 
engaging in this?  
Because it looks to me like--I can figure out how to go to Google 
and look up my name and figure out things about me--some of which 
aren't true, by the way.  Can't believe everything on the Internet.  
But then there is this next course of action which would be to go 
to one of these data mining outfits, and they obviously can get 
through faster than your subpoena can, based on testimony we had 
here yesterday or during the week, the way they go through their 
con.  I am amazed that they can get just about anything by just 
begging and being very clever.  It strikes me as odd that they can 
figure out how to get through there quickly and it takes phone 
companies a couple of weeks to get back to you.  
But tell me what--each of you from your own--do you want me to start 
with Mr. Ford, since you have been on the hot seat?  
MR. KILCOYNE.  I would just as soon finish this. 
MR. WALDEN.  I have another 2 and a half minutes.  
MR. KILCOYNE.  I think, like I said previously, is the information 
and the evidence that subcommittee investigators have presented for 
ICE have identified a new challenge that we are going to have to 
look at.  I think there are agents in the field, as I am-- 
MR. WALDEN.  They are creative.  
MR. KILCOYNE.  Very creative in trying to find out and, like I 
said, filter out the information.  How those people get the 
information is what has been surprising to us. 
MR. WALDEN.  And us.  
MR. KILCOYNE.  Correct.  
MR. WALDEN.  Not just agents in the field.  We are surprised by all 
kinds of private and public sectors that have used it. 
MR. KILCOYNE.  Certainly we do not condone a strong-arm, fraudulent, 
thug approach to getting information from anybody; and I believe 
that is-- 
MR. WALDEN.  Is that how you define pretexting?  
MR. KILCOYNE.  I would think that that is fair.  
MR. WALDEN.  Let me go to Ms. Lammert.  
MR. KILCOYNE.  One other issue, I think that is exampled by the fact 
that our agents use ICE letterhead.  They were--thinking that they 
were dealing with a reputable company, so they weren't trying to do 
something subversive or something-- 
MR. WALDEN.  Understood.  
Ms. Lammert.  
MS. LAMMERT.  I think in the context of inquiry pretexting is the 
use of fraudulent means to obtain information that is statutorily 
protected.  This is what these data brokers are doing.  They are 
misidentifying themselves so as to obtain information that has 
statutory protections.  So that would be my definition for purpose 
of this inquiry. 
You asked what the training is that we provide our agents.  And being 
an agent myself as well as a lawyer, the training that we received 
and do receive and continue to receive is that, to obtain certain 
information, in this particular case phone-related information, 
subscriber address, toll records, so forth, we comply with ECPA.  
ECPA requires us to obtain certain processes, to obtain certain 
levels of information; and that is how we train our agents in our 
manual.  It is trained while you're in the new agents class, it's 
reinforced while you are in the field.  
MR. BANKSTON.  Congressman, my definition of pretexting would be a 
combination of fraud and identity theft.  Plain and simple.  And 
our agency doesn't use pretexting as a means of obtaining 
information.  
As far as agent training goes, it starts at basic training when we 
have rookie marshals going into the training academy; and it goes 
throughout refresher training all the way throughout their career, 
that they must adhere to the applicable agencies, the departmental 
policies and the laws.  Pretexting is not specifically defined in 
our policy manual, as I stated in our testimony. 
And my colleagues here today, the Department's Civil Liberties and 
Privacy Office has established a data committee which we are 
represented on; and it's ongoing working group established earlier 
this year.  They met as recently as like June 19th, 16th, something 
like that. 
MR. WALDEN.  Okay, Ms. Cooper Davis. 
MS. COOPER DAVIS.  Yes, sir.  In terms of the definition of 
pretexting, again, fraudulent means to gain information, personal 
information that would otherwise be protected by law. 
In terms of training of DEA agents and task force officers, our 
policy strictly identifies the authorities under which you are 
going to gain this kind of information; and, as I said, the 
administrative subpoena, your court order, the grand jury subpoena 
or, again, the consent of the individual.  
Through our academy, our agents are given specific--a block of 
instruction on how to prepare an administrative subpoena.  And, 
again, it goes to the authenticity--being able to gain the 
information from the right person.  Because the information that 
you obtain is going to be used in a court of law, and it's going 
to have to withstand the scrutiny.  So, therefore, that's the only 
thing that we use to gain any kind of information; and we teach 
the same thing to our task force officers. 
MR. FORD.  Pretexting is the practice of getting personal 
information under false pretenses.  As far as ATF agents, they 
receive their basic training at the Federal Law Enforcement Training 
Center; and during their basic school they are trained on rules of 
evidence, search and seizures, use of subpoenas and warrants.  
They also are assigned a training officer.  Until they demonstrate 
that they have practical working knowledge of the laws, they stay 
under the guidance of that training officer.  
MR. WALDEN.  Thank you, Mr. Chairman.  
MR. BURGESS. [Presiding.]  The gentlelady from California--Colorado 
is recognized for 5 minutes. 
MS. DEGETTE.  Never accuse me of that. 
MR. BURGESS.  I beg your pardon. 
MS. DEGETTE.  Thank you, Mr. Chairman.  
I want to follow up on something Mr. Ford just alluded to, and I 
want to start out asking Ms. Cooper Davis this question, but I want 
to ask everybody if you have an opinion on this.  All of you have 
testified that your agencies do not use pretexting or these data 
brokers because the information is gained by using illegal means.  
It's gained by getting information that is not in the public domain. 
And my question would be, if information like this was gained--and 
I think of you, Ms. Cooper Davis, because of the DEA's investigatory 
methods where you do get phone numbers for large drug rings 
from--well, you used a lot of phone numbers, if one of your agents 
was to get these numbers by pretexting, could that potentially 
compromise the evidence in a court of law?  
MS. COOPER DAVIS.  During our investigations, it's imperative that, 
whatever number we subpoena, that we do it through the means that 
I have already outlined. 
A number of things come to mind.  One is that going to a carrier and 
using your administrative subpoena, there is an authenticity to the 
records that you are receiving.  So understand how the information 
is gained. 
MS. DEGETTE.  So you can admit it under the rules of evidence. 
MS. COOPER DAVIS.  Absolutely.  
The other advantage, which is huge for us, because in a number of 
wiretap investigations what we do is, when subpoenaing a number, we 
also add a disclosure statement in our subpoena asking the telephone 
company not to release that information to the target of the 
investigation.  
MS. DEGETTE.  I am going to get to that in a minute.  But a third 
reason would be that if you did go to court with evidence that was 
obtained through illegal means, not through a subpoena as the 
statute requires, there is a potential that it could be excluded 
in court, right?  
MS. COOPER DAVIS.  I believe if you don't gain it through the means 
that I have outlined there is the possibility of that. 
MS. DEGETTE.  Because, as you said in your testimony, the statute 
says you have got to get it through an administrative or a judicial 
subpoena. 
MS. COOPER DAVIS.  Yes, ma'am. 
MS. DEGETTE.  And that is my next--and would anybody disagree with 
that?  
Ms. Lammert, would you agree with me that it could compromise the 
integrity of the evidence in court if you have agents going around 
getting it through these other means other than what is authorized 
in the statute?  
MS. LAMMERT.  I think you're right in the context of, if we want to 
obtain subscriber and toll records, the statute requires us to 
subpoena it.  And if we were to obtain it through some other--if we 
were to try to obtain that information in a way to circumvent what 
the statute requires, yes, we would have a potential problem in 
evidence.  And-- 
MS. DEGETTE.  And that is why you tell your agents in training--I am 
sure all of you do--that they need to go through the legal methods 
to collect their evidence.  
MS. LAMMERT.  Exactly.  
I think my only other comment would be that we are talking about 
pretexting in the terms of circumventing statutory requirements. 
If someone else has a phone number and an address for an individual 
who is not a service provider, is not a phone company, and we are 
able to obtain that from them, I don't want to get into too much 
investigative technique here--so I just want to make sure that, to 
us, pretexting in the context of your inquiry is that.  
MS. DEGETTE.  That is why I asked the question that way.  
Because you mentioned some of these other--LexisNexis and other 
legitimate-- 
MS. LAMMERT.  Other phone numbers through other lawful means-- 
MS. DEGETTE.  That is completely legal.  I used to practice criminal 
law a lot in Federal court, so I know exactly what you are talking 
about.  
MS. LAMMERT.  Thank you. 
MS. DEGETTE.  I wanted to ask you, Mr. Kilcoyne, the first question 
I had, the question related to what these two ladies said is a 
question--they talked about the integrity of the investigation 
being compromised, and there could also be a risk of witnesses being 
in danger or of people being tipped off by using unreliable data 
brokers and pretexters, wouldn't that seem that way to you?  
MR. KILCOYNE.  Yes, I would agree with that.  
MS. DEGETTE.  Take a look at Tab 7 in the notebook.  The Chairman 
was talking to someone else about Tab 5, but both of those tabs are 
your Department where--and this was the substance of your initial 
testimony--where someone was writing to this Best411.com and 
giving--writing to a data broker and saying, give me information 
on these phone numbers.  Do you see that there?  
MR. KILCOYNE.  Yes. 
MS. DEGETTE.  Now not only--that could tip this Chris from Best411 
off to numbers that were either being excluded or included in an 
investigation, and they could--and the agent would have no idea 
what was happening with that information.  Isn't that right?  
MR. KILCOYNE.  That is correct, yes.  
MS. DEGETTE.  So would you agree that that's one of the big 
problems with using these third parties to get this information?  
MR. KILCOYNE.  Well, I think in law enforcement, as far as ICE is 
concerned, I think that we walk a very fine line with who we get 
information from and the type of information and whether that 
information is going to point us in the right direction.  Whether 
it's informants or someone calling on a tip line or 911 or dealing 
with an established company or a company such as Best411, you have 
to be able to filter out the type of information and then what it's 
going to be used for.  
And certainly we would not go into court with the records that were 
submitted back from Chris at 411 and expect that to get introduced 
as evidence. 
MS. DEGETTE.  Right.  But the additional question is, I would assume 
that most of your agents and most of the FBI agents and all the way 
through the rest of the agencies that they--I think Ms. Lammert 
talked about this in her testimony--is that the agents who are doing 
an investigation have to be very careful to preserve the integrity 
of the investigation.  And what that means, an agent wouldn't go out 
to some informant and say, here is a list of telephone numbers-- 
Can you imagine, Ms. Cooper Davis, in a drug investigation, the 
agent goes out and says, here is a list of telephone numbers that 
we are interested in to an informant; can you clear these for me?  
No one would ever do that in an investigation because it would 
compromise the usefulness of those phone numbers as evidence, 
right?  Ms. Cooper Davis.  
MS. COOPER DAVIS.  Yes, ma'am.  Because--I mean, the information-- 
having a list of phone numbers--really, what does it mean?  In order 
for us to serve subpoenas, you've got to have a target that you are 
looking at.  So it would be a fishing expedition where you are just 
putting out telephone numbers at random and not having any 
background investigation. 
MS. DEGETTE.  Maybe I am not being clear.  
In addition, if they give this list of phone numbers--Mr. Ford 
understands what I am talking about--if they gave a list of phone 
numbers out to an informant, then that informant could well turn 
around and tip everybody off in the investigation that these were 
the phone numbers under investigation, right, Mr. Ford?  
MR. FORD.  Yes, that is possible.  Yes, one of the concerns we had 
with it was the fact that it would put our undercover operations in 
jeopardy.  Other customers could pretext as well and get that 
information. 
MS. DEGETTE.  Why is that your concern?  
MR. FORD.  Well, as we work different investigative techniques and 
make contacts, we have cell phone numbers and different tools that 
we will use in our investigation.  If that information is disclosed 
and shared by a criminal to a data broker, then they can trace that 
information back as well. 
MS. DEGETTE.  And it could endanger people. 
MR. FORD.  Yes. 
MS. DEGETTE.  I have one last, ultimate question to all of you; and 
that is, none of you feel that we need data brokers or pretexting 
for legitimate law enforcement purposes, do you?  Yes or no?  
Starting with Mr. Kilcoyne. 
MR. KILCOYNE.  Well, I think you have to be crystal clear on what 
your definition of data brokers is. 
MS. DEGETTE.  I will give you a definition.  The definition is the 
illegal obtaining of personal data that you could not get through 
legitimate means. 
MR. KILCOYNE.  I would agree with that.  
MS. LAMMERT.  Agree. 
MR. BANKSTON.  Agree. 
MS. COOPER DAVIS.  I agree.  And I would also like to take a moment 
to just clarify for the committee some discrepancies that have been 
reported in the press regarding the GAO report and the $30 million 
figure that was supposed to be spent by the agencies on personal 
information.  The $30 million figure came from a GAO report titled 
Personal Information Agency and Resaler Adherence to Key Privacy 
Principles.  
The GAO report looked at Government relationships with legitimate 
brokers to include ChoicePoint, Dun & Bradstreet, LexisNexis.  As 
Mr. Stupak noted, these services are not considered Internet data 
brokers as defined by the committee-- 
MS. DEGETTE.  And they don't obtain their data through illegal 
means, correct?  
MS. COOPER DAVIS.  Yes, ma'am.  
I wanted to make sure that there wasn't any confusion that the $30 
million in this report was being spent on the Internet data brokers 
that we are discussing today.  
MS. DEGETTE.  Thank you, Ms. Cooper Davis.  
And, Mr. Ford, if you can just answer my question.  
MR. FORD.  Yes, I agree. 
MS. DEGETTE.  Thank you.  
Thank you very much, Mr. Chairman. 
MR. BURGESS.  Mr. Inslee, you are recognized for 5 minutes--10 
minutes, beg your pardon. 
MR. INSLEE.  Thank you.  
You all are on a hunt for miscreants.  We are on a hunt for whoever 
has their foot on this bill that has would solve this problem.  You 
may know we have a bill that has been pending for some time.  It's 
passed the committee on a bipartisan basis.  It was on the 
suspension bill calendar.  We were able to pass it to solve this 
problem, to maybe short-circuit this.  And, instead of that, someone 
got to somebody in the leadership and had this bill pulled from the 
calendar that ought to have passed by now. 
I want to know, do any of you have any indication that any of your 
agencies were responsible for getting the Republican leadership to 
pull this bill from the suspension calendar?  Any of you? 
MS. LAMMERT.  No.  I can't speak for the FBI, but I don't think 
anybody in the Department of Justice is responsible for doing that. 
MR. INSLEE.  We are most curious.  If you get any tips, let us know.  
Call 1-800 tips on killing legislation, and maybe we could find out.  
I want to ask you about a concern you have all indicated in one form 
or another, that you didn't think it was appropriate to use 
pretexting services in pursuing your responsibilities or allow for 
a lie that had been generated by pretext calling.  
But the President of the United States basically has said he is not 
bound by the statutes of this country regarding privacy.  We have 
public information that he has advised the NSA to ignore statutes; 
and he, as Commander in Chief, has authority to tell Federal 
agencies that they are not bound by the law passed by Congress, 
that they are free to ignore the privacy of citizens at this moment 
because he is Commander in Chief and he has an inherent authority 
to ignore the law.  
So I need to ask you, if the President--Ms. Lammert, for instance, 
you have told us that you believe that ECPA, the Electronics 
Communication Privacy Act, may prevent this pretexting already, in 
essence.  Let me ask you, in general, do you have an answer to this 
yet?  Do you know or is that still a question?  
MS. LAMMERT.  ECPA in and of itself I don't think prevents 
pretexting.  ECPA was enacted so as to provide certain protection 
to these records, not just subscriber but also content and so 
forth.  It sets forth the ways by which a company may disclose this 
type of information.  
There are exceptions to requirements of having a warrant.  One of 
the exceptions is if the company in good faith believes there is 
danger to life or physical harm, they can, without delay, provide 
that information to law enforcement without a warrant.  
There are also exceptions in ECPA that say the phone company can 
provide information to a private entity.  So I think to us what 
ECPA does for us is it tells us how to obtain this information. 
MR. INSLEE.  Let's assume we have eventually passed this bill that 
is now pending that will clearly prevent pretexting and make it 
illegal in this country clearly, with no ambiguity whatsoever, 
and the President of the United States says, you are free--in fact, 
I am directing you to ignore that law.  Because I am Commander in 
Chief, and you can ignore what those folks did in Congress in 
passing that law.  Would you ignore that or would you honor this 
anti-pretexting law?  
MS. LAMMERT.  I think I would honor the appropriate lawful 
authority to conduct whatever investigation--and, therefore, if 
the President of the United States or my immediate supervisors 
provide me the authority, the legal authority to do so, I will 
conduct my investigations appropriately. 
I think the question itself, will the law prevent pretexting, I 
think it's--we have--we would follow what the law says.  We do 
have some comments regarding the legislation that I was talking 
about a little bit before so that you understand that we are 
looking at this.  We are not just logs sitting there.  
We do have some concerns with our comments regarding the fact 
that you do write law enforcement exception into the statute.  We 
feel that in Title II it might not be as strong--we would like to 
allow phone companies an exception to allow information that we are 
trying to protect.  
We do have some concerns and some comments regarding customer 
notification.  As you know, under ECPA, there is an ability to 
delay notification to customers, especially if the customers 
themselves are subjects of our investigation, and also the sort 
of the requirement of noticing customers that their records are 
being--there is a breach of their records.  We also would like to 
have that type of notice provided to us.  
So I just want to let the committee know that this bill is being 
looked at seriously and there are some comments that are through 
the process. 
MR. INSLEE.  What I want to know is whether the FBI is going to 
follow the law or not.  
MS. LAMMERT.  Of course we will follow the law. 
MR. INSLEE.  That is important.  Because the President is not.  
And my question is, if this Congress passes a law that says it's 
illegal for the FBI to buy information that has been generated by 
a pretext call--that's where someone calls the phone company, 
gives a false identification and purloins that personal information--
that it's illegal for the FBI to use that information in its 
investigations, but the President just tells you to go ahead and 
ignore the law, what are you going to do?  
MS. LAMMERT.  I will have to follow what is the appropriate way of 
conducting the investigation, sir. 
MR. INSLEE.  And that is determined, I hope you are going to answer, 
by what the law is passed by the Congress in statutes to the United 
States.  Would you agree with that?  
MS. LAMMERT.  The FBI will follow all laws, all statutes, all 
executive orders, all constitutional requirements, yes, sir. 
MR. INSLEE.  That is great news, and we hope you prevail upon the 
White House to stop violating the privacy rights of America.  
Because, frankly, it would be a shame for us to pass this 
anti-pretexting law, all of these agencies tell us you want to 
follow the law, and then the White House tells you to ignore the 
law.  And, frankly, that is what is going on with the NSA right 
now.  I hope you will stand up in moments of moral crises to the 
White House that is trying to get you all to violate the law, if 
that ever happens.  
Now if I can turn to a more prosaic question, if I can.  You all 
indicated in some way you don't want to use the fruits of pretexting 
in some fashion.  You talked about that.  But the question I have 
is, how does your agency assure that you are not using the fruits 
of pretexting?  
In other words, you get information from a whole variety of sources. 
 Are you intending to adopt regulations that you, for instance, 
get affirmative statements from the source of your information that 
this has not been obtained through pretexting?  Is that going to 
be part of your ongoing policies in the future?  
It's an open question.  I hope all of you will answer yes, but I am 
interested in that. 
MS. LAMMERT.  We are issuing guidance.  We are working on it right 
now. 
I want to premise this with the fact that there's already guidance 
out in the field through our manuals and through training as to 
the appropriate way of obtaining information such as consumer 
proprietary network information.  We are issuing guidance on how 
to handle data brokers as of the type that is of interest for the 
committee, and we will have that out shortly.  
MR. INSLEE.  Well, I am hoping that you can tell me that when you 
deal with data brokers you're not just going to take a "see no evil" 
approach, meaning, I buy this stuff from a data broker and as long 
as they didn't tell me affirmatively they did pretexting I will go 
ahead and buy it and I will hope they didn't.  I hope you are going 
to tell us it's part of your regulation in dealing with data brokers 
you are going to obtain a--if you get this information in any event, 
you will obtain an affirmative representation by the broker that 
this was not obtained through a pretext situation. 
MS. LAMMERT.  Our guidance, as in all our guidance, will always 
advise our agents that they have to ensure the information they have 
received is lawful, is credible, and is, as you know, the type of 
information that will withstand scrutiny. 
MR. INSLEE.  Any other agencies want to comment on that?  
MR. BANKSTON.  Congressman, that is a good suggestion we 
will pass to the newly created office in the Department that was 
created earlier this year.  As a representative from the Marshals 
Service, I will certainly convey that as a suggestion to recommend 
to that committee.  
MR. INSLEE.  And when you do that, which lawful code will you be 
referring to?  State law, your law, the Congress' law or what the 
President of the United States has--his own laws, as far as we can 
tell?  Which one are you going to pick?  
MR. BANKSTON.  Applicable law, fraud, identity theft. 
MR. INSLEE.  Anyone else like to add anything?  
MS. COOPER DAVIS.  Yes, sir.  Again, we are working--we are also a 
member of the Privacy Civil Board that--under the Department of 
Justice and will ensure that the information will be passed on as 
well as we're working with our agents--we have the information 
available through our manuals on what the policy is and, again, 
working with the department through the committee to either issue 
guidance-- 
MR. INSLEE.  I have a real quick question I want to make sure I get 
in here.  
Ms. Lammert, the issue of whether or not the Electronic 
Communications Privacy Act will already be an efficient tool to 
stop this pretexting is an important one I think.  My sense is 
since we have had this sort of epidemic of pretexting that has 
been in wide use in the commercial field and, in fact, has even 
been used in at least limited circumstances by several Federal 
agencies, that clearly we need additional legislation to remove 
any ambiguity that pretexting is illegal and that we don't have 
to worry about whether, quote, "property includes intangible 
information," which it apparently may be the issue, whether ECPA 
applies.  
Would you agree that it really makes sense for us to have that 
absolutely nailed down through clear legislation so that we don't 
have to have lawyers arguing about that?  
MS. LAMMERT.  I think that it is always important and helpful to 
find ways where we can clearly define what is an unlawful activity, 
not only obviously for the benefit of law enforcement so they know 
how to proceed but also for the benefit of the public.  So any 
legislation or proposals this committee would like to put forward 
on that we would gladly work with you in trying to resolve this 
particular issue which we all find to be very serious and needs 
to be addressed. 
MR. INSLEE.  Thank you very much. 
MS. LAMMERT.  Thank you.  
MR. WHITFIELD. [Presiding.]  Thank you.  I might say to the 
gentleman from Washington that it may be your opinion that the 
President is violating the law, but I am not aware of any judicial 
decision that has agreed with that.  I am not aware of any criminal 
investigation that is suggesting that or any indictments about that 
relating to this issue, relating to counterterrorism and 
counterintelligence.  
So we are all entitled to our opinions, and that is where we are. 
MR. STUPAK.  Since it's concerning this subject matter, maybe we 
should have him in and ask him questions and see where it goes.  
That way, we get a clear understanding of the law and what law 
enforcement needs to do their job and what the American public 
knows would be their protection.  So I suggest we bring the 
President in or his representatives in and let's talk about it, 
have a hearing on it.  
MR. INSLEE.  Mr. Chairman, may I ask a query?  
MR. WHITFIELD.  Absolutely. 
MR. INSLEE.  I do think this is an important issue, and I don't know 
if the Chair is thinking about having any of the other Federal 
agencies, particularly the NSA, which there are arguments, as you 
have indicated, about the legality of some of their activities.  
I think it would be helpful if at some point in this inquiry we 
ask some of these same questions to the NSA, to some of the 
defense intelligence agencies.  That might have to be in closed 
session, but I think it would be helpful to us in this regard.  
I hope you might consider that at some point.  
MR. WHITFIELD.  I appreciate that very much, and I appreciate the 
gentleman's concern about the issue and its importance.  
Are there any additional questions of this panel?  
Since I just arrived, I have one question at least. 
I would like to ask Ms. Cooper Davis--this relates to you, 
Ms. Cooper Davis--when our committee issued subpoenas, certain 
documents came in from a data broker, PDJ Services, and specifically 
Mr. Patrick Baird; and it showed that a DEA tri-State task force 
used Baird's company to acquire customer name and address 
information.  And I would ask if you could describe the facts 
and circumstances surrounding those documents, if you have 
familiarity with that.  
MS. COOPER DAVIS.  Yes, sir.  As you said once, the committee 
issued the subpoena, and the inquiry was made of DEA headquarters.  
Working in conjunction with the task force parent agency, what we 
found out was the task force office assigned to DEA was contacted 
by one of his department's officers who had stopped and arrested 
an individual who was trafficking in methamphetamine.  
The task force officer then--the target that had been arrested 
decided to cooperate.  He had a phone number of where the 
methamphetamine was supposed to be delivered to, had no additional 
information--which is very common in our investigations--contacted 
the task force officer to see if he could help him identify who the 
subscriber was for that telephone number. 
The task force officer then attempted to obtain the information 
through the telephone company.  When he called the telephone 
company, he was told that the information would not be available 
because it was around the holiday time, it was around Christmas 
time, and they would not be able to get that information back to 
him.  
The task force officer then, on his own, went to the Internet, found 
the site, clicked on a site, found a phone number and made contact 
with the Internet data broker and asked whether or not he could 
obtain that information.  He was told they could get him the 
information in about 3 hours at no cost, and all they needed was 
something on a letterhead.  The task force officer then took a 
fax cover sheet, wrote down what he requested, which was only the 
name and address on that telephone number, and shortly thereafter 
that received information. 
I must add that nothing came as a result of receiving that 
information.  The investigation by that task force officer's 
department ended at that time.  
Since then, we, working in conjunction with the parent agency, have 
advised the task force officer not to use Internet data brokers to 
obtain that information.  We have the ability, through our 
administrative subpoena, grand jury subpoena, or court order, to 
obtain the same information. 
MR. WHITFIELD.  Thank you, Ms. Cooper Davis.  
Mr. Kilcoyne, you had said earlier that your ICE agents learned 
about PDJ Services through another law enforcement agency or 
group.  Which agency was that?  
MR. KILCOYNE.  I believe in one of the references it was in a 
generic conversation with somebody from the Postal Service and 
perhaps FBI, but I am not 100 percent on that. 
MR. WHITFIELD.  Any names?  
MR. KILCOYNE.  As far as who?  No, unless it's referenced in these 
documents that I missed, but I don't believe so.  
MR. WHITFIELD.  I want to thank this panel for being here with us 
this afternoon.  I'm sorry for all the delay.  You are excused.  
We have one other panel, I believe, of two witnesses; and I would 
like to just go on and call this panel now.  
That would be Mr. Raul Ubieta, who is the Police Major for the 
Miami-Dade Police Department, and Mr. David Carter, who is the 
Assistant Chief of Police in Austin in the Austin Police Department. 
If you all would not mind coming forward, then I will swear you in. 
Mr. Ubieta and Mr. Carter, as you know, this is an investigative 
and oversight hearing.  We like to take testimony under oath.  Do 
either of you object to testifying under oath?  
MR. UBIETA.  No, sir. 
MR. CARTER.  No, sir.  
MR. WHITFIELD.  Do you have legal counsel with you? 
MR. UBIETA.  No, sir. 
MR. CARTER.  No, sir. 
[Witnesses sworn.]  
MR. WHITFIELD.  You are now under oath. 


TESTIMONY OF RAUL UBIETA, POLICE MAJOR, MIAMI-DADE POLICE DEPARTMENT,
ECONOMIC CRIMES BUREAU; AND DAVID L. CARTER, ASSISTANT CHIEF OF 
POLICE, AUSTIN POLICE DEPARTMENT 

MR. WHITFIELD.  I tell you what.  I would like to get one opening 
statement in before we adjourn.  So, Mr. Ubieta, if you would give 
us your opening statement, 5 minutes, please, sir. 
MR. UBIETA.  Yes, sir.  
Mr. Chairman, Ranking Member, and distinguished members of the 
committee, good afternoon and thank you for the opportunity to 
testify on this important issue before you.  I also thank the 
committee for their leadership in guarding our privacies.  
My name is Raul Ubieta.  I am a police major with the Miami-Dade 
Police Department in Miami, Florida.  I have been in law enforcement 
23 years.  Eleven of those years have been in conducting, 
supervising, and managing investigations.  
I am currently in charge of my department's Economic Crimes Bureau.  
My duties include the criminal investigations that inflict serious 
financial hardship on a community.  Typically, these crimes 
involve sophisticated theft schemes that include organized criminal 
groups that commit mortgage fraud, identity theft, bank fraud, and 
credit card fraud.  
I first became of aware of the committee's work last month when I 
was contacted by Mr. Thomas Feddo, Majority Counsel for the 
committee.  We spoke about the existence of the Internet data 
brokers and the means by which they obtain their information.  
More importantly, we spoke about how law enforcement, and in 
particular my department, obtains phone and subscriber records 
during the course of an investigation.  
Mr. Feddo also showed me documentation that a detective from my 
department had utilized PDJ Services, an online data broker from 
Texas, to obtain cellular phone information several times last 
year.  The usage of that service is not in line with established 
departmental practice and is not condoned by the Miami-Dade Police 
Department.  
In response to this information, a memorandum was prepared for my 
Director's signature, reminding our personnel of the proper 
procedures for obtaining such information.  The memorandum also 
cautioned that the use of confidential information obtained from 
Internet data brokers could place a criminal investigation in 
jeopardy.  
Our position is clear.  The Miami-Dade Police Department is governed 
by Florida State statutes and internal policies that confer law 
enforcement the authority to utilize subpoenas to obtain 
confidential information from the official custodian of 
records.  Information such as subscriber data, customer service 
records, and incoming and outgoing phone calls from either a 
traditional landline or a cellular phone can be obtained through 
the subpoena process.  
A typical request for confidential information is handled in the 
following manner:  An investigator obtains a telephone number that 
is relevant to his or her investigation.  That investigator then 
meets with an Assistant State Attorney to verbally present a 
synopsis of the case as well as an explanation as to why the 
telephone record is essential to the investigation. 
If the case is approved by the State Attorney's Office a subpoena 
duces tecum is prepared by the Assistant State Attorney and provided 
to the investigator.  The investigator then presents a subpoena 
to the official custodian of record who is directed to provide the 
requested information.  
The ability of the State Attorney's Office to deny an investigator's 
request for this information and to ask that additional 
investigation be conducted before a subpoena is granted creates a 
systems of checks and balances that helps to ensure the integrity 
of this process.  
I want to emphasize that our established procedures do not impede 
our ability to accomplish our job.  Even during a life-threatening 
emergency when cellular or traditional telephone number information 
must be obtained, the official custodian of records will provide 
law enforcement with the necessary information; and a subpoena or 
court order will be provided within 48 hours.  
Online data brokers openly advertise on the Internet that they can 
obtain confidential records.  This practice is of concern to the 
public and law enforcement in many ways.  
Information such as Social Security numbers, banking records, and 
personal financial records can be obtained for as little as $100 
and can be used to commit identity theft and schemes to defraud.  
Not only is this a threat to our citizens' privacy, but the 
availability of this information is an officer safety concern.  
The ability for criminals to obtain confidential information on 
an undercover officer and utilize that information to harm an 
officer or his family poses a serious threat to law enforcement. 
 These Internet brokers might state they are a service to law 
enforcement, but, as testified here today, they are not.  There 
is no compelling law enforcement need to obtain confidential 
records from Internet data brokers.  
According to the Federal Trade Commission, in 2005, 9.3 million 
Americans were victims of identity theft, with a loss of $52.6 
billion.  Your attention and investigation into the practices by 
which Internet data brokers obtain their information is vital to 
our citizens' ability to protect their confidential and personal 
information.  
I can attest that the primary source of most criminal fraud cases 
begins with some type of identity theft.  The access to confidential 
data provided by Internet data brokers can easily become a conduit 
for white collar criminals to further their schemes to defraud.  
I thank the distinguished committee for allowing me to address 
this important issue.  I want to assure you that the Miami-Dade 
Police Department takes the privacy of our citizens very 
seriously.  Procedures and safeguards are in place to ensure 
that law enforcement personnel comply with applicable laws 
regarding private information. 
MR. WHITFIELD.  Thank you very much. 
[The prepared statement of Raul Ubieta follows:]

PREPARED STATEMENT OF RAUL UBIETA, POLICE MAJOR, MIAMI-DADE POLICE 
DEPARTMENT, ECONOMIC CRIMES BUREAU 

Introduction 
Mr. Chairman, ranking member, and members of the Committee, good 
afternoon and thank you for the opportunity to testify on this 
important issue before you.  I also thank the Committee for their 
leadership in guarding our privacies.  My name is Raul Ubieta and 
I am a Police Major with the Miami-Dade Police Department in Miami, 
Florida.  I have been in law enforcement for 23 years; 11 of those 
years have been in conducting, supervising or managing 
investigations.  I am currently in charge of my Department's 
Economic Crimes Bureau.  My duties include the criminal 
investigations that inflict serious financial hardship on our 
community.  Typically these crimes involve sophisticated theft 
schemes that include organized criminal groups that commit mortgage 
fraud, identity theft, bank fraud, and credit card fraud. 

Testimony: 
I first became aware of this Committee's work last month, when I was 
contacted by Mr. Thomas Feddo, Majority Counsel for this committee.  
We spoke about the existence of Internet Data Brokers and the means 
in which they obtain their information.  More importantly, we spoke 
about how law enforcement, and in particular, my Department, obtains 
telephone and subscriber records during the course of an 
investigation.  Mr. Feddo also showed me documentation that a 
detective from my department had utilized PDJ Services, an online 
data broker from Texas, to obtain cellular telephone information, 
several times last year.  The usage of that service is not in line 
with established Departmental practice and is not condoned by the 
Miami-Dade Police Department.  In response to this information, a 
memorandum was prepared for my Director's signature, reminding 
our personnel of the proper procedures for obtaining such 
information.  The memorandum also cautioned that the use of 
confidential information obtained from Internet Data Brokers could 
place a criminal investigation in jeopardy.  
Our position is clear. The Miami-Dade Police Department is governed 
by Florida State Statues1 and internal policies that confer law 
enforcement the authority to utilize subpoenas to obtain 
confidential information from the official custodian of records.  
Information such as subscriber data, customer service records, and 
incoming and outgoing phone calls from either a traditional 
landline or a cellular telephone can be obtained through the 
subpoena process.  
A typical request for confidential information is handled in the 
following manner: an investigator obtains a telephone number that 
is relevant to his/her investigation, that investigator then meets 
with an Assistant State Attorney to verbally present a synopsis of 
the case, as well as an explanation as to why the telephone record 
is essential to the investigation.  If the case is approved by the 
State Attorney's Office, a Subpoena Duces Tecum is prepared by the 
Assistant State Attorney and provided to the investigator.  The 
investigator then presents the Subpoena to the official custodian 
of records who is directed to provide the requested information.  
The ability of the State Attorney's Office to deny an investigator's 
request for this information and to ask that additional 
investigation be conducted before the subpoena is granted creates 
a system of checks and balances that helps to ensure the integrity 
of this process.   I want to emphasis that our established 
procedures do not impede our ability to accomplish our job.  Even 
during life-threatening emergencies when cellular or traditional 
telephone number information must be obtained, the official 
custodians of records will provide law enforcement with the 
necessary information and a subpoena or court order will be 
provided within 48 hours. 
Online Data Brokers openly advertise on the internet that they can 
obtain confidential records.  This practice is of concern to the 
public and law enforcement in many ways.  
Information such as social security numbers, banking records and 
personal financial records can be obtained for as little as $100 
and be used to commit identity theft and schemes to defraud.  Not 
only are these "Internet Data Brokers" a threat to our citizens 
privacy, but the availability of this information is an officer 
safety concern. 
The ability for criminals to obtain confidential information on an 
undercover officer and utilize that information to harm the officer 
or their family poses a serious threat to Law Enforcement.  These 
Internet Data Brokers might state that they are a service to law 
enforcement, as I have testified today, they are not.  There is no 
compelling law enforcement need to obtain confidential records 
from Internet Data Brokers. 
According to the Federal Trade Commission, in 2005, 9.3 million 
Americans were victims of identity theft with a loss of 
approximately $52.6 billion dollars. Your attention and 
investigation into the practices by which these "internet data 
brokers" obtain their information is vital to our citizens' ability 
to protect their confidential and personal information.  I can 
attest that the primary source of most criminal fraud cases begins 
with some type of identity theft.  The access to confidential data 
provided from Internet Data Brokers can easily become a conduit 
for white collar criminals to further their schemes to defraud. 
I thank this distinguished Committee for allowing me to address 
this important issue.  I want to assure you that the Miami-Dade 
Police Department takes the privacy of our citizens very 
seriously.  Procedures and safeguards are in place to ensure 
that law enforcement personnel comply with applicable laws 
regarding private information. 


MR. WHITFIELD.  Mr. Carter, we have a vote on the floor; and we are 
going to go over there.  There are going to be three of them.  We 
will be right back.  
As I said earlier, I really apologize for all the delays today, but 
we do look forward to your testimony, and we will be right back. 
Thank you. 
[Recess.] 
MR. WHITFIELD.  Mr. Carter, I apologize once again, but I would like 
to recognize you now for your 5-minute opening statement. 
MR. CARTER.  Thank you, Chairman Whitfield.  
I am David Carter, Assistant Police Chief for the City of Austin, 
Texas.  I have been with the police department 20 years and am 
currently Chief of the Investigations Bureau.  During the course of 
my law enforcement career, I have served in capacities relating to 
homicide investigations, internal affairs, and a SWAT commander.  
I am pleased to appear before you today to discuss the issue of 
Internet and data brokers and pretexting.  
The members of the Austin Police Department are committed to 
providing excellent law enforcement to the nearly 700,000 citizens 
of Austin, Texas.  The Austin Police Department has nearly 300 
detectives and investigators who work on roughly 80,000 cases per 
year.  Like other police departments around the country, we often 
utilize modern technology to enhance our ability to fight crime. 
Technology, when used appropriately and effectively, not only 
helps us make the most of limited police resources but also 
provides us with crime-fighting tools that are not otherwise 
available.  When conducting investigations, law enforcement 
officers will use many sources of information that run the gamut 
from confidential informants to personal interviews to public 
data sources and the Internet.  As technology evolves, prudent 
police forces would be remiss in not availing themselves of 
powerful search engines and public data sources when such sources 
would help solve crimes.  
Commercially available databases of public records are a 
powerful investigative tool for local police forces.  These 
databases typically contain information that is readily available 
in the public domain from various sources.  
The utility of these Internet databases is that they consolidate 
public information into one database that can be quickly and easily 
searched by an investigator.  As such, these commercially available 
databases provide local police departments with critical information 
in a manner that not only saves time and money but also alerts us 
to other potential leads that help achieve successful prosecution 
of criminal offenses. 
Of course, our police officers recognize that we are bound in such 
matters by the protections afforded by the Constitution, various 
statutes, and case law.  We strive to gather information by legal 
means with the ultimate goal of achieving successful prosecution of 
criminals. 
Failing to do so would not only undermine the public trust of our 
department, but would also risk having evidence excluded at trial.  
To that end, I commend the members of the subcommittee for their 
efforts on this issue and am pleased to provide them with an 
overview of the measures undertaken by the Austin Police Department 
to ensure that we meet that standard.  
First, in light of the recent media focus on the issue of 
illegitimate data brokers who obtain personal information using 
false pretexts, the department has recently initiated an internal 
review of its officers' use of data brokers.  Although the 
investigation is still ongoing, we found no evidence to date 
that our detectives have engaged in illegal investigatory 
practices.  In addition, we have found no evidence to date that 
the department has paid for any services provided by data 
brokers or that individual call records were received from 
data brokers.  
Given the ongoing nature of the review, I will respectfully 
refrain from disclosing more detailed information until the 
investigation is completed so that I do not convey inaccurate 
or incomplete information.  
Our department is comprised of officers committed to carrying out 
their duties with the utmost integrity, and I would be very 
surprised if any of my detectives intentionally and knowingly 
purchased phone records from data brokers who gained such records 
through pretexting.  
Second, because of the ambiguity that exists on the Internet and 
sometimes misleading claims that are made by illicit online data 
brokers, I have issued a directive that makes clear that the Austin 
Police Department employees shall not purchase or access telephone 
records or personal information from data brokers unless they have 
been vetted by the Department. 
We currently have contracts with five data providers that we 
believe are committed to protecting individuals' privacy by 
following all relevant laws in this area.  
Of course, our officers will continue the practice of acquiring 
investigatory information from multiple sources and, when 
appropriate, obtain the proper legal authority--specifically being 
court orders, subpoenas and warrants--to do so.  
Finally, we will continue to present all discovered information 
to the appropriate criminal courts which vet the information and 
ultimately advise us on its admissibility as evidence.  
Mr. Chairman, information and technology are powerful tools for 
good; and, as noted in the committee report that accompanied 
Chairman Barton's legislation, they can also be powerful tools for 
those who wish to commit harm.  I commend the efforts of this 
committee and the efforts by the House to address the issue of 
pretexting by cracking down on those who illegally obtain 
citizens' personal information and try to profit from it.  
It is important that, as Congress focuses on the problems 
associated with those profiting from illegally obtained 
information, that it set clear guidelines to govern the ability 
of law enforcement to utilize technologies in an appropriate and 
lawful manner in order to aid our ability to fight crime. 
In closing, the Austin Police Department shares the concerns of 
the members of this subcommittee with respect to pretexting; and 
I thank the subcommittee for providing me an opportunity to 
testify today before you.  I will be happy to answer any 
questions.  
MR. WHITFIELD.  Thank you, Mr. Carter; and we certainly appreciate 
the great job that you all do in Austin and also in Miami in the 
area of law enforcement.  It's a difficult profession, and we 
certainly applaud you for the job that you do. 
[The prepared statement of David L. Carter follows:] 

PREPARED STATEMENT OF DAVID L. CARTER, ASSISTANT CHIEF OF POLICE, 
AUSTIN POLICE DEPARTMENT 

Chairman Whitfield, Ranking Member Stupak and Members of the 
Subcommittee: 
I am David L. Carter, Assistant Police Chief for the City of Austin, 
Texas and I am pleased to appear before you today to discuss the 
issue of Internet Data Brokers and "Pre-Texting".  
The members of the Austin Police Department are committed to 
providing excellent law enforcement to the nearly 700,000 citizens 
of Austin, Texas.  The Austin Police Department has nearly 300 
detectives and investigators who work on roughly 80,000 cases per 
year.  Like other police departments around the country, we often 
utilize modern technology to enhance our ability to fight crime. 
Technology, when used appropriately and effectively, not only helps 
us make the most of limited police resources, but also provides us 
with crime-fighting tools that are not otherwise available.  When 
conducting investigations, law enforcement officers will use many 
sources of information that run the gamut from confidential 
informants to personal interviews to public data sources and the 
internet.  As technology evolves, prudent police forces would be 
remiss in not availing themselves of powerful search engines and 
public data sources, when using such sources would help solve 
crimes. 
Commercially available databases of public records are a powerful 
investigative tool for local police forces.  These databases 
typically contain information that is readily available in the 
public domain from various sources.  The utility of these internet 
databases is that they consolidate such public information into one 
database that can be quickly and easily searched by an investigator. 
 As such, these commercially available databases provide local 
police departments with critical information in a manner that not 
only saves time and money but also alerts us to other potential 
leads that help us achieve successful prosecution of criminal 
offenses. 
Of course, our police officers recognize that we are bound in such 
matters by the protections afforded under the Constitution, various 
statutes and case law, and we scrupulously strive to gather 
information by legal means with the ultimate goal of achieving 
successful prosecution of criminals.  Failing to do so would not 
only undermine the public trust in this police department, but 
would also risk having evidence excluded at trial.  To that end, 
I commend the members of the Subcommittee for their efforts on this 
issue and am pleased to provide them with an overview of the 
measures undertaken by the Austin Police Department to ensure that 
we meet that standard. 
ï¿½ First, in light of the recent media focus on the issue of 
illegitimate data brokers who obtain personal information using 
false pretexts, the Department has recently initiated an internal 
review of its officers' use of data brokers.  Although the 
investigation is still on-going, we have found no evidence to 
date that our detectives have engaged in illegal investigatory 
practices.  In addition, we have found no evidence to date that 
the Department has paid for any services by data brokers or that 
individual call records were received from data brokers.1  Given 
the on-going nature of the review, I will respectfully refrain 
from disclosing more detailed information until the investigation 
is completed so that I do not convey inaccurate or incomplete 
information.  Our Department is comprised of officers committed 
to carrying out their duties with the utmost integrity and I would 
be very surprised if any of my detectives intentionally and 
knowingly purchased phone records from data brokers who gained such 
records through pre-texting. 
ï¿½ Second, because of the ambiguity that exist on the internet and 
the sometimes misleading claims that are made by illicit online 
data brokers, I have issued a directive that makes clear that 
Austin Police Department employees shall not purchase or access 
telephone records or personal information from data-brokers unless 
they have been vetted by the Department.  We currently have contracts 
with five data providers that we believe are committed to 
protecting individuals' privacy by following all relevant laws in 
this area. 
Of course, our officers will continue the practice of acquiring 
investigatory information from multiple sources and when appropriate 
obtain the proper legal authority (court orders, subpoenas or 
warrants) to do so.  Finally, we will continue to present all 
discovered information to the appropriate criminal courts which 
vet the information and ultimately advise us on its admissibility 
as evidence. 
Mr. Chairman, information and technology are powerful tools for good, 
and as noted in the Committee Report that accompanied Chairman 
Barton's legislation, they can also be powerful tools for those who 
also wish to commit harm.  I commend the efforts of this committee 
and the efforts by the House to address the issue of pre-texting by 
cracking down on those who illegally obtain citizens' personal 
information and then try to profit from it.  It is important that 
as Congress focuses on the problems associated with those profiting 
from illegally obtained information, that it set clear guidelines to 
govern the ability of law enforcement to utilize technologies in 
an appropriate and lawful manner in order to aid our ability to 
fight crime. 
In closing, the Austin Police Department shares the concerns of the 
members of this Subcommittee with respect to pre-texting, and I 
thank the Subcommittee for providing me with the opportunity to 
testify before it today. 

MR. WHITFIELD.  Now, Mr. Carter, in your opening statement, you 
mentioned that you issued a directive recently, I assume, to not 
use data brokers anymore unless it had been vetted with the 
department.  
MR. CARTER.  That's correct, sir.  As soon as we became aware of 
this issue--and, quite frankly, I wasn't aware of the issue of data 
brokers.  But when your subcommittee brought it to our attention, we 
had great concerns.  
MR. WHITFIELD.  And when you say "vetted with the department," what 
does that actually mean?  
MR. CARTER.  What we are looking for is, basically, we currently 
have five data sources that we currently use, and some of those 
have been mentioned today as far as LexisNexis and ChoicePoint and 
others.  What we wanted to do is immediately suspend the use of any 
of these practices.  
Our first concern was we are detectives possibly violating the law.  
We didn't find anything to that effect. 
Second, we looked for possible policy violations, or did we have to 
develop policy because this is an area that is somewhat new to us. 
MR. WHITFIELD.  Right.  
At first when you said vetted, I thought perhaps there may be 
some circumstance where it would make sense and it would be your 
view that maybe it was legal to use a data broker, even using 
pretexting, but I am assuming that you were talking about vetting 
and if it's necessary going to obtain a subpoena. 
MR. CARTER.  Mr. Chairman, let me make it clear one of the problems 
that we've had when we listened to the testimony over the past 2 
days is what a clear definition of data brokers is.  Actually, as 
of today, I understand what your definition is; and that basically 
is somebody that uses pretexting.  So, therefore, we don't consider 
LexisNexis or ChoicePoint to be data brokers based on your 
definition.  Maybe that would help a little bit.  I am not sure. 
MR. WHITFIELD.  Right.  I think all of us are becoming aware of 
data brokers.  It's not something I had really focused on until 
maybe a month or so ago.  
I know you've just issued your directive, and I am assuming that in 
Miami you all have the same directive.  Would that be correct, 
Mr. Ubieta?  
MR. UBIETA.  Ours was more of a reminder because our policies were 
clear that for confidential information, we use subpoena or search 
warrants, what the law dictates. 
MR. WHITFIELD.  As I had said earlier, during the course of this 
hearing, through anecdotal information as well as evidence, we know 
that local law enforcement as well as some Federal law enforcement 
have used data brokers periodically and before, maybe it was clear 
that it was illegal or not, but for example, in--do you all have our 
evidence binder on the table there?  
MR. UBIETA.  No, sir. 
MR. WHITFIELD.  Okay.  Well, before he brings it to you I know in 
Tabs 21, 23, 24, 25, 28 and 30, which you don't necessarily have to 
turn to, but it makes several requests for number checks, and I am 
assuming a number check is simply where you're verifying that the 
person that you're looking at actually that number is registered in 
his or her name.  Is that what a number check is Mr. Carter?  
MR. CARTER.  That would be my interpretation yes. 
MR. WHITFIELD.  Now, Tab 21 through 30 in the document binder it 
does show several instances of the Austin police officers and 
department employees using PDJ services to obtain phone records.  
And are you personally familiar with those instances?  
MR. CARTER.  I am personally familiar with a couple.  I would have 
to look at all of them to see if I am familiar with all of these. 
MR. WHITFIELD.  Now I'm assuming that--I probably should ask you 
the question--but I'm assuming the one reason that officers would 
go to data brokers is, you can obtain the information quickly.  
You don't have to wait as long as you would on a--
MR. CARTER.  I don't know that that is the case, Mr. Chairman.  
I think that we also expect and train our investigators to use 
the process, specifically grand jury subpoenas, to get 
confidential information.  I think there is a lot of 
misunderstanding with regard--in this particular area.  When we 
have initiated our investigation into our internal practices, one 
of the things that we found so far, and it certainly is not 
complete or an investigation has not been concluded yet, is that 
detectives went, as it was discussed by some other witnesses, 
operated exactly in the same manner, believing they were getting 
open record public data type information from open sources, 
believing they were legitimate.  
MR. WHITFIELD.  Have either one of you had evidence excluded by 
court because it came from a data broker?  
MR. UBIETA.  No, sir, not that I am aware of. 
MR. CARTER.  I am not aware of any case.  
MR. WHITFIELD.  Mr. Ubieta, in Tabs 15 to 20 of this document, it 
shows several instances of a Miami-Dade detective requesting 
phone-related records from Chris Garner who we now know is Patrick 
Baird, who is the owner of PDJ services.  As you look at those 
documents, are you familiar with them?  Have you had an opportunity 
to look into that at all or--
MR. UBIETA.  Yes, I am familiar with him, and no, we have not had 
the opportunity to look into it.  First time I saw them was for 
about 10 minutes when the majority counsel showed them to me in 
Miami.  At that time, I requested that he go back and seek 
permission to release those documents to me, at which time I would 
present them to our Professional Compliance Bureau for an 
internal investigation.  So that is the only dealing I have had 
with the documents. 
MR. WHITFIELD.  You all are doing an investigation about that at 
this time?  
MR. UBIETA.  As soon as these documents are in my possession without 
the redacting, obviously, we can see case numbers and other 
information; yes, sir, it will be. 
MR. WHITFIELD.  Okay.  I was curious, under the training procedures 
both at Miami and in Austin, how much emphasis is placed on this 
issue of evidence and using data brokers and the necessity of 
subpoenas and things like that?  
MR. UBIETA.  An officer, when he comes into the department, receives 
training through our Training Bureau.  A major block, and I don't 
have the exact number right now, but a major block of training is 
in legal--all legal aspects--which includes search and seizures 
and subpoenas and search warrants and so forth.  
MR. WHITFIELD.  So how long would a training period be for a 
beginning officer?  
MR. UBIETA.  Our training period right now is about 9 months.  
MR. WHITFIELD.  Nine months.  
MR. UBIETA.  Yes, sir. 
MR. WHITFIELD.  What about in Austin?  
MR. CARTER.  Austin, the initial training that an officer receives 
is approximately 6 months in duration, but what I would say is, 
detectives--detective is actually a rank.  And an officer must 
promote, and so they have to study to become a detective.  And once 
they are promoted to detective, they actually go to an 
investigation class that we put on, an in service class specifically 
for new detectives.  And at that time, there is more focus on issues 
of search and seizure, proper investigative methods, such as getting 
grand jury subpoenas and recognizing what confidential information 
is and the, as far as the public databases, the issue on data 
brokers--when I checked shortly before coming to this hearing, 
asking our training section exactly what we are teaching now is 
that what we train that is you are not to use illegal websites.  
Well, one of the issues that has kind of like come to light here 
in your hearing is also the difficulty in having police departments 
recognize what are legitimate sources of information versus 
illegitimate.  We would actually recognize if there were, if it 
is confidential information, for example, getting specific call 
records and trying to purchase that, that would be overtly illegal 
and wrong in our opinion. 
But the problem is, with the several hundred websites that are out 
there that some of these detectives have used thinking they are 
open-record sources like a phone book or something like that or a 
criss-cross, that is an issue that we hope we can get this guidance 
and assistance from you on. 
MR. WHITFIELD.  I would like to ask both of you in the case of an 
emergency and this, I assume, would relate to your relationship 
with local phone carriers, do you find them cooperative in times 
of emergencies or do you have to take special steps to obtain the 
records that you need?  Or how do you deal with that?  
MR. UBIETA.  Yes, sir, we have an excellent relationship.  I have 
no knowledge of any time when a carrier has refused us in an 
emergency situation.  We do have provisions for that.  There is a 
form that we fill out that basically says, these are exigent 
circumstances, and we elaborate as much as we can because it is 
obviously a life-threatening investigation or case at that point, 
as much as we can.  Most carriers will provide us the information 
immediately, at which point it is to be followed up 48 hours with 
a proper subpoena. 
MR. CARTER.  I would likewise say, if we have situations like a 
hostage barricade type of incident, that we have no trouble usually 
getting cooperation from the phone company.  
MR. WHITFIELD.  What would be the length of time for just an 
ordinary investigation where you send in a request for numbers from 
a local phone carrier?  Does it take 1 day or 6 hours or-- 
MR. UBIETA.  Unless we specifically--if it's something that we need 
to obtain relatively quick, we can get the State Attorney's office 
in Florida to actually put in a timeframe on the subpoena, and then 
they would have to adhere to that.  But for the most part, on just 
a typical run of the mill investigation from my unit, the fraud 
unit, anywhere between 3 to 7 days, maybe 2 weeks, depending on the 
amount of information that we are looking for. 
MR. CARTER.  In Texas, we usually--in Austin--we usually go the 
route of the grand jury subpoena.  And we can turn that around 
fairly quickly.  In some cases, it's a half day depending on the 
situation at hand.  Sometimes there is a longer delay, but it's--we 
don't consider it inordinate. 
MR. WHITFIELD.  But from your experiences, you have all the tools 
necessary to obtain evidence and leads that you need basically 
without using data brokers I am assuming?  
MR. UBIETA.  Yes, sir.  As far as we're concerned in my department, 
yes, we are fine.  
MR. CARTER.  Yes, sir.  I will agree with that. 
MR. WHITFIELD.  And in your view, is there anything that needs to be 
done at the Federal level to assist in any way, or do you think 
things are going pretty good for you right now?  
MR. UBIETA.  As far as the State of Florida, they pretty well take 
care of us.  I just got notified this morning just like you did 
with Ms. Harris saying we are getting a new statute on July 1st, 
and that's great.  There are more tools in our toolbox.  
MR. CARTER.  I can't answer that question as to what kind of 
statutory action that the legislature in Texas is taking.  I do 
think that it's pretty clear that there needs to be some kind of 
action taken against pretexters, and some clarity brought would 
certainly help us.  
MR. WHITFIELD.  I know that in the leadership of the local police 
departments, you all have annual meetings or State meetings in 
which all of the leaders of the various police departments come 
together.  I was just curious, is there any discussion at those 
meetings about the use of data brokers?  
MR. UBIETA.  I am not aware of it.  It would be the International 
Association of the Chiefs of Police.  They are holding their 
meeting coming up next year in Boston, but I am not aware of--
MR. WHITFIELD.  There hasn't been any discussion recently.  When I 
say, the use of them, I don't mean encouraging people to use them 
but that this is an issue and we have got to be careful about the 
legal ramifications of using those kinds of--
MR. UBIETA.  No.  Not to my knowledge. 
MR. CARTER.  I am not aware of any. 
MR. WHITFIELD.  I was curious, do you all have a legal counsel in 
your police department, or do you work through the local 
commonwealth's attorney or--
MR. UBIETA.  No.  In Miami-Dade, we do have a legal unit. 
MR. CARTER.  We have a legal adviser, yes. 
MR. WHITFIELD.  Well, I really want to thank you all very much for 
taking time to come up here.  Your testimony has been quite helpful 
to us, and we do thank you for your testimony.  And we are going to 
leave the record open for the appropriate number of days and would 
like to maintain contact with you all if we have additional 
questions or comments and so thank you very much.  And at this 
time, I would conclude the hearing. 
Thank you.  
[Whereupon, at 6:20 p.m., the subcommittee was adjourned.] 

RESPONSE FOR THE RECORD OF ELAINE LAMMERT, DEPUTY GENERAL COUNSEL, 
INVESTIGATIVE LAW BRANCH, FEDERAL BUREAU OF INVESTIGATION, U.S. 
DEPARTMENT OF JUSTICE; JAMES J. BLANKSTON, CHIEF INSPECTOR, 
INVESTIGATIVE SERVICES DIVISION, U.S. MARSHALS SERVICE, U.S. 
DEPARTMENT OF JUSTICE; AVA COOPER DAVIS, DEPUTY ASSISTANT 
ADMINISTRATOR, OFFICE OF SPECIAL INTELLIGENCE, INTELLIGENCE 
DIVISION, U.S. DRUG ENFORCEMENT ADMINISTRATION, U.S. DEPARTMENT 
OF JUSTICE; AND W. LARRY FORD, ASSISTANT DIRECTOR, OFFICE OF 
PUBLIC AND GOVERNMENTAL AFFAIRS, BUREAU OF ALCOHOL, TOBACCO, 
FIREARMS, AND EXPLOSIVES, U.S. DEPARTMENT OF JUSTICE 


RESPONSE FOR THE RECORD OF PAUL KILCOYNE, DEPUTY ASSISTANT DIRECTOR 
OF INVESTIGATIONS, U.S. IMMIGRATION AND CUSTOMS ENFORCEMENT, 
U.S. DEPARTMENT OF HOMELAND SECURITY 


INTERNET DATA BROKERS:  WHO HAS ACCESS TO YOUR PRIVATE RECORDS? 



FRIDAY, SEPTEMBER 29, 2006 

HOUSE OF REPRESENTATIVES, 
COMMITTEE ON ENERGY AND COMMERCE, 
SUBCOMMITTEE ON OVERSIGHT AND INVESTIGATIONS, 
Washington, DC. 


The subcommittee met, pursuant to notice, at 10 a.m., in Room 2123 
of the Rayburn House Office Building, Hon. Ed Whitfield [Chairman] 
presiding. 
Present:  Representatives Whitfield, Stearns, Bass, Walden, 
Blackburn, Barton (ex officio), Stupak, DeGette, Schakowsky, 
Inslee and Baldwin. 
Staff Present:  Mark Paoletta, Chief Counsel for Oversight and 
Investigations; Tom Feddo, Counsel; Peter Spencer, Professional 
Staff Member; Clayton Matheson, Analyst; Matt Johnson, Legislative 
Clerk; John Halliwell, Policy Coordinator; Chris Knauer, Minority 
Investigator; Consuela Washington, Minority Senior Counsel; and 
Chris Treanor, Minority Staff Assistant. 
MR. WHITFIELD.  Good morning, and I would like to call this hearing 
to order this morning.  And yesterday this subcommittee examined 
how Hewlett-Packard Company hired an investigative consulting firm, 
who, among other things, turned to a data broker to obtain 
individual phone records. 
Today we return to the broader issue of Internet-based data brokers, 
picking up where we left off in June when we held our first two 
oversight hearings on the issue.  
The Hewlett-Packard scandal and the eye-opening testimony we heard 
yesterday again brings home the fact that pretexting is a significant 
problem that must be fought on multiple fronts. 
One way to improve the security of phone records is to enact 
legislation.  And last March, the Prevention of Fraudulent Access 
to Phone Records Act was unanimously reported out of this committee. 
 H.R. 4943 would make it illegal to obtain cell phone records 
fraudulently as well as to solicit or sell such records.  It also 
gives the FTC and FCC further tools to shut down data brokers, while 
forcing phone companies to be more accountable for the security of 
their customers' data.  
Even with the new law, however, testimony in June and the 
interviews conducted by staff demonstrate that the demand for such 
records will not disappear, and many data brokers will continue to 
procure and sell the information.  They may charge more as 
a result.  
We know that wireless phone records are some of the most highly 
sought-after types of private data.  We have seen that the vast 
majority of business of the data brokers involves procuring and 
selling consumers' calling records and unpublished address 
information.  So today we are delighted that we have a panel of 
representatives of the carriers with us, and we are anxious to hear 
how they are taking steps to ensure that the information is not 
being sold on the black market by the hundreds of data brokers. 
I would like also like to welcome today representatives from the 
Federal Trade Commission and the Federal Communications Commission, 
who are here to speak to their respective agencies' efforts at 
combating Internet data brokers. 
Before we hear from the carriers and the independent agencies, 
however, we will hear from Mr. Doug Atkin, a private investigator, 
who was a frequent customer of Patrick Baird and PDJ Services, a 
data broker whose records the committee subpoenaed last April.  
The committee obtained dozens of e-mails showing that Mr. Atkin 
requested and received other people's private phone records from 
Mr. Baird, who asserted his Fifth Amendment privilege against 
self-incrimination at our hearing on June 21st. 
I also want to note that Mr. Atkin has refused to produce any 
documents in response to the committee's subpoena for records, and 
we expect that he is going to assert his Fifth Amendment rights. 
I would like to enter into the record and would ask unanimous 
consent a letter from Mr. Atkin's attorney explaining his refusal 
on that basis to produce responsive documents. 
[The information follows:] 


MR. WHITFIELD.  We will also hear today from Christopher Byron, a 
reporter for the New York Post who is here to discuss how in 2002 he 
learned that his records were obtained by a data broker, not at all 
unlike those of nine journalists who were investigated by 
Hewlett-Packard.  His testimony is especially intriguing and 
further evidence not only of the prevalence of pretexting, but 
also of the threat that data brokers pose to our Nation's 
journalists and the confidentiality of their sources. 
Now, Mr. Byron's story is significant because the pretexter who 
obtained his records had to make over 50 calls to AT&T before he 
found a customer care representative willing to verbally walk 
through Mr. Byron's call activity details over the phone.  So a 
persistent data broker calls 50 times, and finally he gets the 
information. 
I look forward to what promises to be an enlightening day of 
testimony.  We want to thank all of you for participating in this 
hearing today, and at this time I would like to recognize 
Ms. DeGette, who today is our Ranking Member. 
[The prepared statement of Hon. Ed Whitfield follows:] 


PREPARED STATEMENT OF THE HON. ED WHITFIELD, CHAIRMAN, SUBCOMMITTEE 
ON OVERSIGHT AND INVESTIGATIONS 

Good morning.  Yesterday, this Subcommittee examined how 
Hewlett-Packard Company hired an investigative consulting firm 
who, among other things, turned to a data broker to obtain 
individuals' private phone records.  I was shocked and dismayed to 
see some of the top officers at one of our nation's largest 
companies take advantage of data brokers to conduct a sophisticated 
year-long effort to spy on Board members, employees, and reporters.
Today we return to the broader issue of Internet-based data 
brokers, picking up where we left off in June when we held our 
first two oversight hearings on the issue.  The Hewlett-Packard 
scandal and the eye-opening testimony we heard yesterday again 
brings home the fact that pretexting is a serious problem that must 
be fought on multiple fronts. 
One way to improve the security of phone records is to enact 
legislation.  Last March, the "Prevention of Fraudulent Access to 
Phone Records Act," (H.R. 4943) was unanimously reported out of 
the full Committee.  H.R. 4943 would make it illegal to obtain cell 
phone records fraudulently, as well as to solicit or sell such 
records.  It also gives the FTC and the FCC further tools to shut 
down data brokers while forcing phone companies to be more 
accountable for the security of their customers' data.  I think 
that the Subcommittee's June oversight hearings made clear that 
H.R. 4943 would help bolster the security of Americans' private 
information. 
Even with a new law, however, testimony in June and the interviews 
conducted by staff demonstrate that the demand for such records 
will not disappear, and many data brokers will continue to procure 
and sell the information.  They will just charge more.  
The carriers will therefore have to play an important role in 
solving this problem and better protect the information.  This 
Subcommittee's work over the last eight months has demonstrated 
just how easily people can con a phone company's customer service 
representatives into giving up calling records, unpublished 
address information, and other personal data.  
So, it makes perfect sense to me to invite testimony from some of 
the country's largest wireless phone carriers, as we have today.  
Based on the Subcommittee's investigation, we know that wireless 
phone records are some of the most highly sought-after types of 
private data.  We have seen that the vast majority of the business 
of data brokers involves procuring and selling consumers' calling 
records and unpublished address information.  The detailed 
calling records from our cell phones, which we take with us 
everywhere and use constantly, can provide a very detailed picture 
of who we are and how we spend our time.  
How are the carriers - the custodians of those calling records - 
ensuring that the information is not being sold on a black market 
by the hundreds of data broker Web sites on the Internet?  I am 
interested to hear what the wireless carriers have done in response 
to this threat to privacy, and I thank them for appearing before us 
today.  
I also welcome representatives from the Federal Trade Commission 
(FTC) and the Federal Communications Commission (FCC) who are here 
today to speak to their respective agencies' efforts at combating 
Internet data brokers.  I want to commend the FTC and FCC for their 
aggressive approach to this issue, and look forward to an update 
on progress made since last February when they testified about this 
issue as the Committee began its work on legislation to combat the 
fraudsters who obtain others' private records. 
Before we hear from the carriers and the independent agencies, 
however, we will hear from Mr. Doug Atkin, a private investigator 
who was a frequent customer of Patrick Baird and PDJ Services, a 
data broker whose records the Committee subpoenaed last April.  The 
Committee obtained dozens of emails showing Mr. Atkin requesting and 
receiving other people's private phone records from Mr. Baird, who 
asserted his Fifth Amendment privilege against self-incrimination 
at our hearing on June 21st.   
While I suppose it should come as no surprise that Mr. Atkin is 
expected to also invoke his Fifth Amendment rights, I am disappointed 
that the Subcommittee will not get some answers.   I also want to 
note that Mr. Atkin refused to produce any documents in response 
to the Committee's subpoena for records, again relying on his Fifth 
Amendment right against self-incrimination.  I would like to enter 
into the record, when appropriate, a letter from Mr. Atkin's 
attorney explaining his refusal on that basis to produce responsive 
documents. 
We will also hear from Mr. Christopher Byron, a reporter for the 
New York Post, who is here to discuss how in 2002 he learned that 
his phone records were obtained by a data broker - not at all unlike 
those of the nine journalists who were investigated by 
Hewlett-Packard.  His testimony is especially intriguing and further 
evidence not only of the prevalence of pretexting, but also of the 
threat that data brokers pose to our nation's journalists and the 
confidentiality of their sources.  
Mr. Byron's story is also significant because the pretexter who 
obtained his records had to make over 50 calls to AT&T before he 
found a customer care representative willing to verbally walk 
through Mr. Byron's call activity details over the phone.  Even 
after three dozen failed attempts, the pretexter kept making 
calls, the reality of which reminds us how persistent and determined 
these thieves of personal information are. 
I look forward to what promises to be an enlightening day of 
testimony, and I want to thank all of our witnesses for being 
here. 
I now recognize the Ranking Member of the Subcommittee, Mr. Stupak. 

MS. DEGETTE.  Thank you very much, Mr. Chairman, and good to see 
you again this morning. 
Yesterday's testimony I thought was really illuminating.  It pointed 
out a couple of issues.  The first issue was even though most 
experts agree that pretexting is illegal under several Federal laws 
and a number of State laws, there seems to be confusion in the 
highest echelons of corporate America and among their legal counsel 
as to whether, in fact, pretexting, which, of course, is pretending 
to be someone you are not in order to get confidential personal 
information, is illegal. 
And what this says to me is that we really do need to pass 
legislation.  And in particular, we need to pass H.R. 4943, which 
was unanimously passed on a bipartisan basis by this committee, 
sent to the floor, scheduled for a vote on May 2nd of this year, 
and then fell into a black hole. 
It is clear to me that this bright line rule on pretexting will be 
necessary so that people will have no doubt that it is not just 
unethical, but also illegal to try to obtain this information.  
And with that, Mr. Chairman, I would ask unanimous consent to place 
a letter dated September 27th, 2006, from the Democratic members of 
this Committee to the Speaker and the Majority Leader asking them to 
call this legislation up. 
MR. WHITFIELD.  Without objection. 
[The information follows:] 


MS. DEGETTE.  Thank you. 
The second issue and that--and by the way, as the Chairman and I 
were discussing, we now hear we may be here through tomorrow and 
even Sunday, so there should be ample opportunity for us to bring 
up what should be a relatively noncontroversial bill on the 
suspension calendar before we leave. 
The second issue I really want to talk about briefly is the issue 
that I have been concerned about for quite a number of years ever 
since this subcommittee had hearings on corporate responsibility 
with Enron, WorldCom, Qwest, and so many other corporate evildoers.  
The issue really is how do we, and how does corporate America, 
break this ethos that if someone thinks that illegal or unethical 
activity in a corporate context is acceptable, that everybody else 
in that corporation goes along with it?  
What we saw yesterday was the Chairman of the Board, the CEO, the 
legal counsel, and the investigative body of HP all just going along 
with an investigation that their outside counsel, Mr. Sonsini, 
admitted was unethical at best, and parts of it illegal at worst; 
practices like spying on your Board members by going through their 
garbage, putting Board members and their board members' families 
under surveillance, finding phone records by pretexting, creating 
false entities to try to get information unwittingly from newspaper 
reporters, and on and on. 
Some of that is illegal, most of it is not, but it certainly is not 
the best way to conduct an investigation into leaks from corporate 
members.  Yet nobody at Hewlett-Packard stepped back and said, wait 
a minute, is this a way we should be acting as one of the preeminent 
corporate citizens in our country?  
I continue to be concerned about this issue.  I was terribly 
embarrassed by Hewlett-Packard, and I was gratified to see that they 
are now beginning to put some procedures in place to hopefully stop 
this kind of activity.  But I think the CEOs and the board chairmen 
of every major corporation need to look inside their corporation to 
see how they can put mechanisms in place to stop this kind of 
conduct, which ultimately hurts a very good corporate citizen and a 
model in the high-tech community. 
And so, Mr. Chairman, I am intending to look over the recess to see 
if there is something we need to do with Sarbanes-Oxley to beef up 
the obligations of corporate boards and directors.  And beyond 
that, I think corporate America really needs to take this as a 
wake-up call.  
With that, I look forward to the testimony today, and I yield back 
the balance of my time. 
MR. WHITFIELD.  Thank you, Ms. DeGette.  At this time I recognize 
Mr. Walden for his opening statement.  
MR. WALDEN.  Mr. Chairman, good morning, and we appreciate your work 
on this issue again, and like I think everybody on this committee, 
we are all hoping that H.R. 4943 can be brought to the floor and 
passed. 
I had a personal conversation with the Majority Leader myself 
yesterday to raise this issue, so I don't think there is any debate 
about the need to pass legislation, and I think we are all doing 
everything we can to get it passed, and I commend the Administration 
for its work to try to deal with this issue regulatorily.  
I know we are going to hear from both the FTC and the FCC about 
efforts they are taking in rulemakings to try and deal with this 
issue.  So I think the Bush Administration is stepping up to the 
plate as well.  
I think what we learned out of yesterday is that the only thing 
worse in corporate America than leaks is unethical ways to try and 
plug the leaks.  And I think the message went out loud and clear 
that pretexting is no way to go about solving boardroom problems 
and leaks.  And I hope that we can pass legislation, draw a clear 
line; but even if we haven't been able to do that yet, the spotlight 
that has been shown on the activities of those who go out and 
collect these data illegally has gone a long way. 
We saw that yesterday morning when 10 individuals took the Fifth 
Amendment, most of whom prior to yesterday had led others to want 
to believe that this was a legal course of action or right course 
of action.  And so I think this subcommittee has done good work in 
that respect. 
I am looking forward to today hearing what the phone companies are 
doing to address this, and I know some of them have stepped up to 
the plate.  I am encouraged by the fact that some of these companies 
have litigated, already filed suit, against the bad actors out there 
who will stop at nothing, certainly nothing legal or ethical, to 
try and fool people to give them information.  
I am disturbed that pretexting is not only occurring toward the 
phone companies, but toward the customers, and I think for the 
average American out there who still believes that their records 
are a matter of their personal privacy, it is even more disturbing 
to know that some of these pretexters and some of these investigative 
agents out there are trying to track down people's physical 
location--physical location--based on triangulating where they are 
on their cell phone right now, pretending to be the company, calling 
you on your cell phone once they have gotten your number and then 
say, gee, we are trying to shut down another phone here because 
somebody is using your account illegally, but we don't want to shut 
yours off, where are you?  And then they turn that data over to 
others, whether it is somebody trying to collect from you, a jealous 
lover perhaps, or who knows what. 
And so, Mr. Chairman, I appreciate what we are doing here.  I think 
the American public is appreciative of our efforts as well, I hope, 
and we can put an end to the illegal gathering and unethical use of 
private data that should remain private.  
And so I appreciate the opportunity to be here today, and I look 
forward to hearing from those witnesses who will be forthcoming.  
And unfortunately, I guess we are not going to get an inside look 
from the investigator types because they are going to take the 
Fifth. 
MR. WHITFIELD.  Thank you, Mr. Walden.  At this time I recognize 
Ms. Schakowsky for her 5-minute opening statement.  
MS. SCHAKOWSKY.  I thank you, Chairman Whitfield and Ranking Member 
DeGette, for holding today's hearing on pretexting. 
Because of the seriousness of this issue, our committee has 
devoted significant time into examining its various facets over 
the last 8 months.  In fact, we actually unanimously passed a bill 
that by now, except for unknown reasons, would have been law, 
I hope.  
In February, we held a hearing that mostly focused on the legality 
of pretexting.  Our witnesses, including the Federal Trade 
Commission and Illinois Attorney General Lisa Madigan from my 
State, explained how they believe pretexting was illegal already 
under general consumer protection statutes, but that it would be 
helpful to emphasize that point by passing explicit Federal 
legislation.  
In March, our committee did just that by passing H.R. 4943, the 
Prevention of Fraudulent Access to Phone Records Act, which 
not only prohibited pretexting from phone records, but would 
require phone companies to better protect their customers' 
records. 
In June, just 1 month after H.R. 4943 fell to extraordinary 
rendition and disappeared from the floor schedule, we held another 
hearing that looked into the methods pretexters use to get phone 
records. 
Yesterday we focused on how HP's zeal to plug a leaking board led 
them to pretexting to get board members' and journalists' personal 
phone records.  And now today we are focusing on the phone 
companies and how easy they have made it for scam artists to get 
the personal phone logs for others.  
Before we began our work, before the Federal Trade Commission filed 
complaints against five Web-based operations, and before three State 
attorneys general, including Ms. Madigan, brought suits against 
pretexters, there were over 40 websites offering phone call logs.  
With just a click of the mouse and about $100, anyone could get 
their hands on a month's worth of someone else's phone records.  
The only way that ill-gotten phone records could be such a 
lucrative business is if the phone companies did not have enough 
protection in place to stop pretexters in their tracks.  Although 
most of the websites dedicated to selling phone records have since 
been shut down, the HP scandal shows that phone companies still 
have serious security problems.  HP's investigative team should not 
have had such quick access and easy access to board members' and 
journalists' phone records.  
There is a lot more than disgruntled board members and public 
embarrassment at stake.  Pretexting violates innocent consumers' 
privacy.  Stalkers can buy phone records to keep tabs on their 
targets.  Abusive spouses can use pretexting to track their victims. 
As Mr. Barton pointed out yesterday, the Chicago Police Department 
recognized the dangers of it and warned that drug dealers can use 
pretexting to identify undercover cops.  The FBI also issued a 
warning to its agents, personal and public safety should not be 
for sale. 
Despite strong bipartisan agreement that we should make it 
abundantly clear that pretexting for phone records is illegal, 
H.R. 4943 is still being held at an undisclosed location.  What 
we do know about its detention is that 8 days after it was pulled 
from the floor schedule, USA Today broke the story that the National 
Security Agency was acquiring the public's phone records from three 
of the major carriers without subpoenas, warrants, or any approval 
from the courts. 
I must point out that I am disappointed that we do not have any of 
those three carriers with us today, AT&T, BellSouth, and Verizon, 
and I hope that we will have an opportunity to hear from them.  
However, we do know where they stand.  A number of the phone 
carriers, including some of those with us today, have made it clear 
that they oppose title 2 of the bill, which requires them to better 
protect their customers' personal private phone records.  While the 
carriers have been more than happy to have us go after the 
pretexters who dupe them, many--most--have been fighting our 
efforts to require them to correct their security problems. 
We know that the phone companies have made sure that their 
resistance to stronger consumer protections were heard.  With 
today's hearing, we are saying loud and clear that it is time for 
the phone companies to guard their customers' information.  I ask 
our witnesses, can you hear us now?  
Thank you. 
MR. WHITFIELD.  Thank you, Ms. Schakowsky.  At this time I recognize 
Mr. Stearns of Florida for his opening statement.  
MR. STEARNS.  Thank you, Mr. Chairman.  I would just comment on what 
my colleague and Ms. Schakowsky mentioned.  Why don't we have the 
land lines, particularly AT&T and Verizon?  As I understand it 
from staff, one of the reasons is that predominantly the efforts 
with pretexting have come from the wireless and cell phones, and 
this hearing is particularly centered on these.  And, of course, 
we do have Verizon here.  We have T-Mobile, we have U.S. Cellular, 
Alltel, Sprint, and Cingular.  So the hearing is concentrating on 
that, and I think that is good. 
I think what we saw yesterday is the--sort of the comment is if 
I--dealing with Hewlett-Packard and pretexting, if I don't see it 
or if I don't hear it, then it didn't happen.  That is how I sort 
of felt after this hearing. 
You know, a major question would be, Mr. Chairman, for these 
wireless carriers, why couldn't they institute, initiate themselves, 
a security system that prevented this information going to all these 
security people who were hired by Hewlett-Packard?  This widespread 
use of pretexting to fraudulently obtain someone else's personal 
data is a case of fraud, and these wireless companies should 
understand that it wouldn't have been hard for them after one of 
these to occur to initiate the procedures. 
Just for fun I went into the computer this morning and put into 
Google private personal information, and it came up with thousands 
of results.  So the stark reality is that there will always be con 
artists and cyberthieves to keep the enforcement community busy.  
So we here in Congress can pass all the legislation we want, but 
we have had a hearing and oversight under Mr. Whitfield where we 
even brought in a person from prison to talk about how he was able 
to obtain this information.  So I think legislation is important.  
We should do it.  But I think the responsibility, fiduciary 
responsibility, of these wireless carriers that I mentioned, six 
of them, they have to institute these procedures themselves.  And 
they can come up here and say we were conned by these cyberthieves 
and con artists, but that is going to be there all the time, 
tomorrow and the next day, no matter what we do here. 
So we can talk about Hewlett-Packard, but there is a certain amount 
of culpability dealing with these individuals, too, and it would 
be interesting to see what they feel and what they have instituted.  
Are the wireless companies doing their best to protect the 
consumers?  And then maybe we can get their suggestions.  Maybe 
the pretexting bill that we passed out of this committee should be 
amended, and in the lame-duck session we should try to change it 
based upon what they recommend. 
So I think the whole idea, Mr. Chairman, is a commendation to 
yourself for moving it beyond just looking at Hewlett-Packard, but 
also contacting under panel three all these wireless companies and 
seeing what they have to say here, too.  They have an interest, 
obviously, in protecting consumers and private information. 
I mentioned yesterday I have a data security bill that passed out 
of my subcommittee that I chair and out of the full committee and 
that puts in place protection within corporate America for 
protecting that security with audits to make sure there is a chief 
security officer and of records so that people can determine whether 
they are meeting the standards. 
So, Mr. Chairman, I commend you for moving this beyond just 
Hewlett-Packard, but trying to get to the larger issue of pretexting 
and how to stop it and have corporate America take responsibility, 
too. 
Thank you, Mr. Chairman. 
MR. WHITFIELD.  Thank you, Mr. Stearns.  And at this time I 
recognize the gentlelady from Wisconsin, Ms. Baldwin. 
MS. BALDWIN.  Thank you, Mr. Chairman.  
Many of the witnesses today represent wireless phone companies and 
Federal agencies that have appeared before this committee on the 
same topic not too long ago.  Indeed the committee has held a 
series of hearings over the past year examining the practice known 
as pretexting and the shadowy industry that has grown from such 
unscrupulous trafficking of personal information.  
After seeking input from industry players, consumer groups, and 
Federal agencies, we developed strong bipartisan legislation back 
in March that passed the committee unanimously.  While this 
legislation has stalled for reasons unknown to me, our 
committee's investigation has prompted many industry and government 
actions. 
And I am heartened to see from the submitted testimony of several of 
today's witnesses that wireless phone companies have taken new 
measures to strengthen privacy policies and improved customer 
service personnel training regarding phone service requests.  
The Federal Communications Commission has initiated a proposed 
new rulemaking process to implement industry-wide security 
standards, while the Federal Trade Commission has filed more 
lawsuits against pretexting companies under Section 5 of the FTC 
Act prohibiting unfair or deceptive practices in commerce.  We are 
making progress, although everybody in this room would probably 
agree that much more needs to be done. 
Stories of pretexting by data brokers will continue to surface.  
Just yesterday the committee held a hearing on the Hewlett-Packard 
scandal, which has ushered the word "pretexting" into everyday 
American lexicon. 
A lawsuit brought by the State of Florida against a pretexting firm 
has alleged that major banks such as Wells Fargo and Citigroup 
regularly hire investigators to obtain pretexted phone records for 
collection purposes.  The practice of pretexting may be far more 
widespread among corporations than previously thought, and we may 
be seeing just the tip of the iceberg. 
Going forward, phone companies, Federal agencies, and Congress must 
work to restore public confidence that their boundaries of privacy 
will not be violated, this time by big corporations. 
HP witnesses yesterday complained that there was not enough clarity 
in existing statutes to determine whether the highly unethical 
behavior of pretexting was, in fact, legal or illegal.  In fact, 
they claim that armies of corporate lawyers were misled into 
believing that pretexting was legal.  Congress should grant their 
wish by passing legislation already approved by this committee and 
offer them a bright line rule on pretexting. 
As I stated yesterday, Congress should also consider passing 
legislation that would encompass the full spectrum of 
telecommunications and communications services.  
Wireless phone companies should not only work to improve their 
customer service training to screen out data brokers, but also 
seriously consider steps to improve the privacy of customer 
proprietary network information, such as voluntarily adopting 
an opt-in regime that would more adequately inform consumers about 
their privacy options. 
The FTC and the FCC should continue exercising their enforcement 
authority and work to adopt rules that would, for example, enhance 
CPNI's security.  
Finally, I want to thank Mr. Christopher Byron for testifying today. 
You were a victim of pretexters, and I understand you had 
difficulties uncovering how your records could have been 
compromised.  But I believe there is also a larger issue here; 
since you are a reporter, freedom of the press was at stake.  And 
I am very disturbed that corporations would target journalists 
through pretexting, which also took place in the HP scandal.  I 
hope that the committee will consider future hearings that would 
address the specific form of attack on journalistic 
confidentiality.  
Mr. Chairman, I thank you, and I yield back my remaining time. 
MR. WHITFIELD.  Thank you. 
I just want to comment, I really appreciate you all advertising 
the Gone with the Wind movie in H.R. 4943. 
MS. DEGETTE.  Mr. Chairman, I was thinking we might enter it into 
the record. 
MR. WHITFIELD.  I recognize the gentlelady of Tennessee, 
Mrs. Blackburn.  
MRS. BLACKBURN.  Thank you, Mr. Chairman.  I want to thank you for 
the hearing today to follow up on yesterday's hearing, and again 
thanks to the staff for the great work they have done on this issue.  
Yesterday we talked a good bit about, and the committee noted 
and everybody admitted, pretexting is a problem.  It is a growing 
problem at that.  And today's inquiry we hope will help the 
committee determine that the private sector companies are vigilant, 
and that they are working to help combat the rise of pretexting. 
We all know the law regarding pretexting is ambiguous, and obviously 
some are taking advantage of that ambiguity.  Yesterday it was a 
bit disturbing to hear from board members and employees and 
corporate legal counsel who claim they didn't know what pretexting 
was or what spyware was or what tracers were, but that they had 
approved their use, and they did it because the law was ambiguous, 
and it was our fault.  
So if you want to have a tough law, we can give you a tough law, and 
that is probably what we need to do, draw some bright lines. 
And yesterday several times Representative Inslee and I mentioned 
the bill that he and I had introduced, the Consumer Telephone 
Records Privacy Act of '06.  We introduced it in January, and it 
had both civil and criminal penalties in that bill, obviously 
something we need to continue to look at when we have people, 
Mr. Chairman, who choose to come before us and take the Fifth, 
which leads us to believe that they know what they are doing is 
wrong.  And if they need more stringent guidelines, then so be it. 
We also hope to hear from today's panel on several points, 
including when they first noticed that some were using illicit 
means to gain access to their consumers' records, and then what 
means did they put in place to address the problem, and how have 
they continued to adapt.  
Also I hope we will hear how they, as private sector companies, are 
dealing with some of the bad actor companies who continue to use 
their product to break the law. 
Thank you, Mr. Chairman.  I yield back. 
MR. WHITFIELD.  That you, Mrs. Blackburn.  And that completes the 
opening statements of any Members present. 
[Additional statement submitted for the record follow:]


PREPARED STATEMENT OF THE HON. JOE BARTON, CHAIRMAN, COMMITTEE ON 
ENERGY AND COMMERCE 

Thank you, Chairman Whitfield, for all your work on this issue.  Back 
in June of this year, the Subcommittee held hearings that threw 
open the doors of the Internet-based data broker industry.  
Yesterday's oversight hearing about Hewlett-Packard's pretexting 
scandal continued to highlight the problem of pretexting and the 
vulnerability of Americans' phone record to such practices.  The 
testimony about the events at H-P vividly demonstrated just how 
private phone records can be exploited.  I'm glad we're back today 
to continue exploring how phone records can be protected and kept 
private.  
Of course, one way to keep pretexters and data brokers out of 
Americans' phone records is for the Congress to pass this 
Committee's legislation regarding phone record pretexting and 
data security.  I am hopeful that our legislation will get a vote 
soon, perhaps in November.  Mr. Chairman, one point your 
Subcommittee's investigation makes very clear is that Congress 
needs to pass these bills.  I am also open to the notion that we 
may need to take further legislative action to protect Americans' 
privacy from identity thieves and data brokers.   
As you mentioned, the wireless carriers and the phone companies can 
also take steps to make it harder for data brokers to obtain 
consumers' confidential records.  I understand that many of the 
wireless carriers have been making an effort to better protect 
phone records.  I welcome their testimony today, and look forward 
to learning about what progress they have made. 
I also appreciate the FTC and the FCC taking the time to testify 
today.   I have been told that these agencies have been aggressively 
working on this issue with the tools currently at their disposal, 
and I anticipate learning what the Federal government has been 
doing to tackle this problem over the past year. 
Welcome to Mr. Christopher Byron, a journalist from the New York 
Post, who came forward to the Committee earlier this year to share 
his story about his telephone records being stolen by data brokers.  
And one last note, Mr. Chairman.  One of our witnesses today is a 
private investigator, Mr. Doug Atkin from Los Angeles.  Earlier 
this year, when we subpoenaed records from a data broker named 
Patrick Baird, we learned much from those records about how the 
data broker industry operates and who purchases consumers' 
personal information.  Mr. Atkin, it turned out, is a frequent 
customer of the data broker, PDJ Services.  According to 
Mr. Baird's records, Mr. Atkin was the 12th largest customer of 
Mr. Baird's company - out of nearly 1,100 clients.  
When we sought information about Mr. Atkin's use of data brokers 
and telephone records, Mr. Atkin refused to answer questions, 
either informally or in response to a letter that you and I wrote. 
 Afterward, I issued a subpoena compelling the production of 
documents, as well as Mr. Atkin's appearance today.  Mr. Atkin 
refused to produce any documents whatsoever, relying on his Fifth 
Amendment right against self-incrimination.  It is my understanding 
that Mr. Atkin will invoke the Fifth Amendment again today and 
refuse to testify. 
While I certainly don't begrudge him his constitutional rights, 
I am disappointed that the Committee will not get some answers.  
One thing I will say, however: on June 21st we had 11 data brokers 
invoke their Fifth Amendment rights against self-incrimination; 
yesterday, several more individuals in the Hewlett-Packard scandal 
did the same; and today, Mr. Atkin, a private investigator follows 
suit.  
My point is - going forward, I don't think anyone ought to be able 
to claim that they thought there was a perfectly legitimate way to 
get someone else's phone records without that person's consent, 
other than a subpoena.  I also hope that, based on the groundwork 
this Subcommittee has laid and the information it has made public, 
that the U.S. Justice Department starts making that point as well. 
I yield back the remainder of my time. 

MR. WHITFIELD.  We do have two votes on the House floor.  There are 
4 minutes left in the first vote, and then we will do the second 
one.  So I apologize to all of you.  And, Mr. Atkin, we will be 
back.  We are going to recess, and we will reconvene at about 5 
minutes to 11:00.  So I apologize to all of you, but we will be 
back in just a minute.  So we are recessed. 
[Recess.] 
MR. WHITFIELD.  The hearing will reconvene, and since we have 
finished all of the opening statements, we will now call the witness 
for the first panel, and that is Mr. Doug--is it At-kin or Ate-kin. 
MR. ATKIN.  At-kin.
MR. WHITFIELD.  Atkin.  
Mr. Doug Atkin who is with Anglo-American Investigations, Playa del 
Rey, California.  And as you may or may not know, Mr. Atkin, this 
is an Oversight and Investigations Subcommittee hearing, and we do 
take testimony under oath, and I would ask you, do you have any 
objection to testifying under oath?  
MR. ATKIN.  No, Mr. Chairman.  
MR. WHITFIELD.  Would you turn the microphone.  
Okay, if you would please stand and raise your right hand.  
[Witness sworn.] 
MR. WHITFIELD.  Thank you very much.  
You are now under oath, and I would ask you, under the rules of the 
House and the rules of the Committee, the witnesses are entitled to 
legal counsel, and do you have legal counsel with you today?  
MR. ATKIN.  Yes, Mr. Chairman.  
MR. WHITFIELD.  Okay.  Would you introduce him to us, please?  
MR. ATKIN.  Mr. Breuer.
MR. WHITFIELD.  What's his full name?
MR. ATKIN.  Lanny Breuer--
MR. WHITFIELD.  Lanny Breuer?  
MR. ATKIN. --and Ben Razi.
MR. WHITFIELD.  Lanny Breuer.  Okay.  Okay.
Well, Mr. Breuer, thank you for being here.  
Now, Mr. Atkin, is there an exhibit book or a document book on the 
table with you?  
MR. ATKIN.  No, there is not. 
MR. WHITFIELD.  Okay.  Let's get this document book over there.  I 
am going to ask you to please turn to Exhibit 2.  Exhibit 2 is a 
request made by you on February 2nd of this year for personal phone 
records that you submitted to Mr. Chris Garner, which we know as the 
alias of Mr. Patrick Baird, the owner of PDJ Services.  The e-mail 
also includes the reply from PDJ Services with the requested phone 
calls listed.  According to the client list provided to the 
committee by Mr. Baird, between 2000 and 2006, you were the 12th 
largest purchaser of information from PDJ Services out of almost 
1,100 clients that he had.  
So, Mr. Atkin, did you or your company, Anglo-American 
Investigations, Inc. request and obtain from Mr. Patrick Baird of 
PDJ Services personal phone records that were obtained through 
pretext, lies, and deceit or impersonation?  
MR. ATKIN.  Mr. Chairman, based on the rights and protections 
afforded me by the Fifth Amendment to the Constitution, I 
respectfully decline to answer that question. 
MR. WHITFIELD.  And is it your intention to assert that right for 
any additional questions that we may have for you?  
MR. ATKIN.  Yes, sir.  It is. 
MR. WHITFIELD.  Then if there are no further questions from any 
of the committee members at this time, we will dismiss you subject 
to the right of the subcommittee to recall you, if necessary.  And 
at this time, you are excused. 
MR. ATKIN.  Thank you.  
MR. WHITFIELD.  Now, at this time, I would like to call the second 
panel.  And on the second panel, we have Mr. Christopher Byron, who 
is a journalist with the New York Post in New York.  
So, Mr. Byron, we appreciate you being with us today, and as you 
know, we take testimony under oath, and I would ask you, do you have 
any objection testifying under oath?  
MR. BYRON.  No, sir.
[Witness sworn.]
MR. WHITFIELD.  Thank you very much, and you are now under oath.  I 
would also remind you that, under the rules of the House and the 
rules of this Committee, you are entitled to legal counsel, and I 
would ask do you have legal counsel?  
MR. BYRON.  No, sir.
MR. WHITFIELD.  Okay.
MR. BYRON.  I have my wife.  That's even better.
MR. WHITFIELD.  Well, what is her name?  
MR. BYRON.  Maria, right behind me here.
MR. WHITFIELD.  Maria, thanks for being with us today.  It's good to 
have someone here besides a lawyer.  
MS. DEGETTE.  Especially the wife, Mr. Chairman. 
MR. WHITFIELD.  Especially the wife.  Absolutely. 
So, Mr. Byron, you are recognized for 5 minutes. 
 
TESTIMONY OF CHRISTOPHER BYRON, JOURNALIST, THE NEW YORK POST 

MR. BYRON.  Well, Mr. Chairman, I want to thank you very much and the 
other committee members for inviting me to be here and listening to 
what I have to say.  This is a subject that is really important to 
me personally and professionally, and I am glad for an opportunity 
to discuss it in public, which I haven't really had before.  
As my written statements say, I am a working journalist.
MR. WHITFIELD.  Excuse me.  Would you mind just moving your mic a 
little bit closer, please?  
MR. BYRON.  Sure.  It's okay now?  Okay.  
As I said in my written statement, I am a working journalist.  I 
have a degree from Yale College and a law degree from Columbia 
University School of Law, and I have been in the business that I am 
now in for over 30 years.  
I was a victim of pretexting 4 years ago, and I've paid an awful lot 
of attention to this subject from that moment on.  I didn't know 
it to be known as "pretexting" then.  Yesterday, several of the 
committee members asked how widespread a practice phone records 
theft actually is in American business, because of the 
Hewlett-Packard matter.  And I can answer from my personal 
experience, anecdotally, that 4 years ago my phone records were 
stolen by agents that my own research has now connected to 
another corporation.  There is proof of this theft that ties it 
directly to the former outside director of the board of directors 
of a public company in the U.S., and that proof lies in the internal 
case files of the Securities and Exchange Commission's district 
office in Boston.  
I filed a complaint there, and in the course of bringing a case 
against this individual, these investigators from the SEC obtained 
his phone records and found among them phone calls from him to my 
sources in connection with research he was doing to find out where 
I had been getting information about him.  
The SEC has done nothing with this information.  Neither has the 
FBI.  They just sat there.  What they have done and what they 
haven't done is all spelled out in my written statement here.  
What I can say, just for summary purposes, is that their attitude 
from the start seemed to me at least to be that phone records 
thievery was no big deal.  It went on all the time.  It certainly 
wasn't something that they needed to be involved in in a crisis 
environment that faces law enforcement in this country today.  
Well, I have to tell you it was a big deal to me, and now that the 
same kind of thievery involving the same, exact sort of pretext 
lying has become a big, huge scandal for Hewlett-Packard, phone 
records thievery has suddenly become a big deal for the SEC and 
the FBI, too.  
When the same situation happened to me, the position of the SEC was, 
"We don't have jurisdiction."  How did they acquire it between then 
and now so that they've been able to assert a role in the 
Hewlett-Packard case?  I don't know.  I think they had it then.  
They just didn't want to pay attention to it.  
The evidence is really clear that my phone records were stolen to 
aid a company called Imagis Technologies, publicly traded in the 
United States on the Over the Counter Bulletin Board, in pursuing a 
defamation lawsuit that it had filed against me for a story I had 
written about the company.  The story was 100-percent accurate, and 
eventually the case was abandoned; but before they abandoned it, 
they wanted to find out who my sources for the story were.  And to 
do that, agents acting for them stole my phone records.  
The details of that are all in my written statement, too.  And as I 
said, the lawsuit itself, I think, was baseless and it certainly 
wasn't something that they wanted to pursue in court, and they 
didn't.  It just went away.  
I think it was filed entirely for the purpose of chilling press 
freedom for follow-up stories on this company.  That was certainly 
the effect that would have resulted had it become widely known that 
my confidential sources had been compromised by the theft of my 
phone records, and the Government wasn't going to do anything 
about it.  
The damage that this thievery did to my family, professionally and 
personally to me, it was huge.  It was huge.  My wife works as my 
research collaborator.  She is exposed day and night to the stresses 
of a journalistic environment.  My oldest daughter is a lawyer on 
Wall Street.  My middle daughter is a news editor at CNN.  My 
youngest son is still in college, so we'll let that go at that, 
but I'll say that this is not something that I wanted my family to 
grow up with, the experience of having your skin crawl every time 
the phone rings at an unexpected hour, wondering if your mail is 
being read, if your phone is tapped, if there's a bug in your 
bedroom.  
All these kinds of questions automatically flow out of the 
environment created by the theft of your phone records.  To a 
journalist, this is the basic tool he's got is his phone.  How can 
you possibly do your job without being able to have the confidence 
of sources that you won't divulge their identity if people ask 
where you got that information, and you promise that, and the 
promise has no credibility whatsoever because your phone records 
identify him, and they're stolen?  
For 4 years we worked really hard to find out who these people were 
and parade their names before the public, because we wanted our 
sources to know that our promises of confidentiality were extended 
seriously.  Otherwise, such a promise would be meaningless.  
Look, in my case, my stolen phone records were used by the 
perpetrators to track down two of my confidential sources, one of 
whom was subpoenaed in the SEC investigation by mistake and had 
nothing to do with this case at all.  The other one, his phone 
records were stolen to find out who he was talking to.  It was 
like a virus that broke loose in my life.  Details of all of that 
are in my written statement, too. 
MR. WHITFIELD.  Mr. Byron, you are about 2 minutes and 30 seconds 
over the 5 minutes. 
MR. BYRON.  Am I way over?  Okay.  I beg your pardon. 
MR. WHITFIELD.  No.  No.  Your testimony is important, and we do 
have the full statement, but if you want to summarize-- 
MR. BYRON.  Okay.  I will say that my phone records were stolen 
through persistence; 2-1/2 months of relentless impersonation over 
the phone to an AT&T call center finally produced somebody dumb 
enough to spend an hour on the phone, believing they were me, and 
then my wife and read out 96 of my phone calls during the period 
in question when I was researching this story.  This is known 
as "dialing for dummies."  
The internal case file at AT&T, which we finally obtained under 
threat of a civil rights lawsuit, shows that AT&T logged 46 of these 
calls in over a 10-week period before they even realized something 
was wrong.  When they called us up, they thought we were the ones 
who were calling, saying--and they asked us, "Well, is there 
something wrong with your phone bill, Mr. Byron?" and then told 
us that we called 46 times.  We hadn't called once.  
The committee has the results of their investigation into it.  
I have provided that to you, and you will see that it was content 
free.  It was the same thing with the FBI.  They did not do any 
meaningful investigation into this matter.  
Lastly, I would really call your attention to a point toward the 
end of my written statement where we talk about outsourcing and 
the capacity of individuals to acquire entire companies filled 
with phone records from AT&T, Verizon, and the rest of them and 
use those-- 
MR. WHITFIELD.  Okay. 
MR. BYRON. --as the basis for whatever they want to do with these 
numbers.  I'm sorry I ran over my time. 
[The prepared statement of Christopher Byron follows:] 


PREPARED STATEMENT OF CHRISTOPHER BYRON, JOURNALIST, THE NEW YORK 
POST 

Mr. Chairman and members of the Subcommittee: It is an honor and a 
privilege to appear here today in support of H.R. 4943 
("The Prevention of Fraudulent Access To Phone Records Act), which 
makes acts in furtherance of so-called telephone records pretexting 
an explicit offense enforceable by the Federal Trade Commission.  
I suggest only that the act of pretexting for phone records should 
carry the heavier sanction of the federal criminal law, as 
embraced in the Senate side bill introduced in March of this year 
as S.2178 ("The Consumer Telephone Records Protection Act of 2006.) 
Absent that, the Committee might want to consider expanding the 
scope of the civil sanctions in the current bill to embrace private 
rights of action, including class action law suits, by victimized 
citizens. 
I make these suggestions solely because of the first-hand 
experiences both I and my family have had as victims of this 
nefarious practice. Though I alone was targeted by these so-called 
pretexters (I prefer the more accurate and less sanitized phrase, 
"criminal impersonators") the activities they set in motion quickly 
enveloped my wife and our three children as well as myself. And 
during the four years that have followed, our lives have been 
convulsed in ways that set our nerves on edge even now, whenever 
the phone rings unexpectedly or at an odd hour in my home office. 
To discover that someone has spent weeks trying to obtain access 
to you and your family's most personal and private records, and 
finally succeeded at it, is like learning that a Peeping Tom has 
been spending weeks on end hovering at night outside your bedroom 
window, watching and videotaping everything that goes on inside. 
And it doesn't end there. When a pretexter goes unpunished, his 
victims can easily enough start to worry about things that never 
before concerned them - things they can ultimately do nothing 
about except worry even more, until all of life becomes a parade 
of imagined cvatastrophes. Is someone reading my mail? Is there a 
tap on my phone line? A bug in my bedroom? 
These are not the sorts of questions that law-abiding Americans 
should be asking of themselves, but they arise easily enough when 
the digital Peeping Tom is discovered with his eye to the bedroom 
window, and a combination of weak laws, public apathy, and 
conflicted law enforcers allows him to escape. 
In the 2003 U.S. Supreme Court case of Lawrence et al v. Texas, 
which overturned a Texas sodomy law, Justice Kennedy wrote, 
"Liberty presumes an autonomy of self that includes freedom of 
thought, belief, expression, and certain intimate conduct." But 
no such freedom can prevail in a world in which the theft of a 
person's telephone records is viewed as routine day-work by the 
private eyes who steal them, and is simply ignored by law 
enforcement. 
Pretexting for financial records has already been outlawed by the 
Financial Services Modernization Act of 1999 (aka the 
Gramm-Leach-Bliley Act), which carries heavy criminal penalties 
for violators of certain of its provisions. The principles of law 
and privacy imbedded in that Act need now to be extended to the 
the booming new business of digital Peeping Toms and phone records 
thieves. 
My name is Christopher Byron, I am 61 years of age, and I have been 
a working journalist my entire professional life. I am a graduate 
of Yale College and the Columbia University School of Law. I have 
worked as a foreign correspondent and editor for Time Magazine, 
and as assistant managing editor for Forbes Magazine. 
I have authored six books, one of which (Martha Inc.) was a New 
York Times bestseller and was made into an NBC Movie of The Week. 
A Russian language translation of my latest book, Testosterone 
Inc., Tales Of CEOs Gone Wild is scheduled to go on sale worldwide. 
For most of the last twenty years I have also written weekly 
commentary columns on Wall Street and business for a variety of 
publications. It was in connection with one such column, written by 
me for Red Herring magazine and published in September of 2002, that 
I became the victim of a pretexting conspiracy to obtain my 
telephone business records. 
The story that led to all this concerned a company in Vancouver, 
Canada called Imagis Technologies Inc., which claimed to be in the 
facial recognition software business. In the wake of the attacks 
of 9/11, the company began issuing press releases promoting its 
software products as weapons in the fight against international 
terrorism, and one of those press releases eventually crossed my 
desk. 
Looking further, I learned that the chairman of the company was the 
recently retired deputy chief of the F.B.I., Oliver ("Buck") 
Revell, whose name I recalled from his involvement in the Pan Am 
103 story, about which I had written extensively some years 
earlier.  
Yet aside from the presence of Revell on the board, the Imagis 
operation seemed unimpressive in every way - a typical Vancouver 
penny stock featuring limited revenues along with a history of 
large and continuing losses, and a shaky balance sheet. 
Two of the company's top officials particularly troubled me. One 
was the company's controlling shareholder - an individual named 
Altaf Nazerali -- who had already been linked in the Canadian 
press to the European operations of a notorious U.S. stock swindler 
named Irving Kott in the 1960s. Two decades later Nazerali's name 
surfaced as an alleged money courier in the infamous BCCI scandal. 
When I asked Revell in an interview in late July of 2002 why he 
had agreed to serve as chairman for a company controlled by a man 
like Nazerali, he said he had arranged to have Nazerali "vetted" 
and that the man "had never been involved in unethical or illegal 
activity."
Revell was even more enthusiastic about the bone fides of an 
individual named Treyton Thomas, whom Revell had appointed to the 
Imagis board only weeks earlier, on July 9th. Thomas enjoyed 
bombarding the press with self-celebratory publicity releases 
about himself. In them he claimed to be the head of a $600 million 
offshore hedge fund called the Pembridge Group, to hold a degree 
from Harvard and so on and so forth. In an interview with one 
gullible reporter, he even boasted of having back-channel lobbying 
access to the White House and the Bush Administration. 
Revell told me he had vetted Thomas as well, just as he had vetted 
Nazerali. But he certainly couldn't have done a very good job 
since utterly nothing Thomas claimed about himself was true. The 
so-called Pembridge Group hedge fund was nothing but a creature 
of Thomas's imagination. In short, it did not exist. 
To help fool Revell into thinking otherwise, Thomas had leased 
some swanky Boston office space from a company that rents space 
by the day to traveling salesmen. But he needn't have bothered 
because Revell never visited the premises. And it's just as well 
for Thomas that he didn't because this was a $600 million hedge 
fund with no employees, no back office, not even any Bloomberg 
terminals. 
It struck me as impossible for Revell not to have known all of 
this - especially when Thomas, just prior to being appointed to 
the Imagis board, orchestrated a much-publicized, but entirely fake 
buyout offer for Imagis through press releases issued by the 
non-existent Pembridge Group, then made a killing illegally from 
the resulting run-up in the shares that followed. 
Weighing these facts, I wrote a fair but distinctly negative story 
on Imagis, asking why Revell, trained as he was in the dark arts 
of the FBI investigator, had permitted such things to unfold right 
under his nose. Two weeks later, both Red Herring and I were sued 
for libel by Imagis in a Vancouver court. 
Being sued for libel is a traumatic experience for anyone, and this 
situation was even worse since the suit had been filed in a 
Canadian court, where libel laws are different from those in the 
U.S., thus affording defendants none of the normal Constitutional 
protections available to defendants in U.S. actions. 
Bad as that was, it got unexpectedly and immeasurably worse when, 
several weeks later, in the late afternoon of October 16, 2002, my 
home office telephone rang and my wife, Maria, who works as my 
research assistant and office manager, answered it and thereupon 
found herself in conversation with a person who purported to be 
a customer service representative from AT&T, our long distance 
phone carrier. 
Sitting at my desk nearby and absorbed in my own work, I paid no 
attention to the conversation that followed - though I did detect a 
certain wariness begin to creep into her voice as the conversation 
continued. A moment or two more passed and then suddenly she shrieked 
into the phone: "What?" and began stammering, "That's a lie! I've 
done no such thing!" 
It seemed that the AT&T Customer Service rep had called up to check 
on some problems we were apparently having obtaining copies of our 
July 2002 phone bill. In fact, we had been having no such problem 
and had never contacted AT&T about it at all.  
Yet AT&T's computer logs appeared to show otherwise. The logs 
showed that, beginning on August 1, 2002 - mere days after I had 
interviewed Revell and finished writing my story, and twelve days 
before Red Herring received its first law suit threat-letter from 
Imagis - AT&T's Customer Service Dept. began receiving telephone 
calls from persons claiming to be the AT&T customer for the account,
 seeking information of one sort or another about the account. 
Sometimes the caller would impersonate either me or my wife 
directly; on other occasions the caller would use a fake name such 
as "Jackie Byron" or vaguely, "Lynn." 
These calls went on without letup for 10 full weeks, sometimes at 
a rate of two and three a day, until they totaled an incredible 48 
different contacts. Yet it wasn't until October 15 when the 
impersonator/pretexters at last hit pay-dirt and got what they were 
after: access to our office phone records for the July 2002 billing 
period. That of course was the month during which I had interviewed 
Revell, submitted requests for interviews with Thomas and Nazerali 
(which were declined), and conducted other interviews for the 
story.
From research developed by the Subcommittee for these hearings, we 
now know that this practice is referred to among phone records 
thieves as "dialing for dummies," and basically amounts to a kind 
of craps shoot in which the pretexter phones up Customer Service 
"800 numbers" of telephone companies over and over again, trying 
one ruse after the next until he or she finally connects with a 
service rep gullible enough to swallow the bait and provide the 
information being sought. 
In our case, the pretexting payoff came on Oct 15th when AT&T's 
internal log file of incoming calls to its customer service help 
number shows that a female impersonator claiming to be "Mrs. Byron" 
succeeded in convincing a customer service rep named Shakela Felton 
who was employed by an Irving, Tex-based AT&T subcontractor called 
Aegis Communications Inc., to pull up our July 2002 phone record 
to her computer screen and read aloud from it, one after the next, 
each and every one of  94 separate phone calls made from the 
phone during the month of July - a task that took more than a 
hour. 
The AT&T log shows that soon afterward, a male impersonator claiming 
to be "Mr. Byron" called back, reached the same Aegis Customer 
Service Rep, Shakela Felton,  who had answered the earlier call, 
and got that person to repeat the entire exercise all over again, 
which went on for yet another hour. 
When I learned of all this I filed an immediate complaint with the 
FBI field office in Bridgeport, Conn., and simultaneously, a 
complaint with the FBI's financial crimes unit at the Bureau's 
national office in Washington. The officials with whom I spoke 
at both locations expressed immediate interest in the matter. But 
as soon as I mentioned my suspicion that a recently retuired top 
FBI official named Revell might be implicated, their eagerness to 
help seemed to dissipate and they stopped returning my calls. 
Officials at AT&T, where I also filed a complaint, expressed 
equally sincere-sounding interest in what had transpired. But 
they too subsequently proved to be persistently unhelpful, routinely 
providing evasive, non-responsive (and sometimes even contradictory) 
answers to my questions. For months I was kept in the dark as to 
what information they were even coming up with. 
In May of 2003, -- and acting in response to the threat of a 
federal civil rights suit to be filed on my behalf by News Corp., 
owner of the New York Post where I am a columnist -- AT&T's chief 
counsel for consumer marketing, Michael C. Lamb, disgorged to me 
what he represented to be the internal investigative case file that 
AT&T had  given to the FBI six months earlier in November of 2002. 
I have provided a copy of those documents to the Subcommittee. 
The case file AT&T gave me was clearly sanitized when I received 
it, and was missing information vital to identifying the pretexter. 
An accompanying cover letter from Lamb brushed aside the missing 
materials as basically a clerical error and promised to pass them 
along to me subsequently, but he never did. Lamb has since left 
AT&T, and he has not been replaced. I have since requested the 
documents from AT&T directly, but so far the company has produced 
nothing. 
In any event, the case file documents I did receive show AT&T's 
so-called investigation into my complaint to be haphazard, casual 
and effectively little more than a go-through-the-motions white-wash 
in which preposterously contradictory statements from those 
questioned in the probe were simply ignored - after which the 
whole file was tossed like a hot potato to the FBI and AT&T's own 
involvement in the affair ended. 
For example, on November 8, 2002, AT&T's chief counsel, Lamb, 
participated in a lengthy three-party conference call involving 
himself, myself, and the AT&T security official who had been assigned 
to conduct the investigation, David Lankford. The purpose of the 
call: to keep me updated on the progress of the investigation. 
In that call the question of AT&T's policy regarding the use of 
password protection on customer accounts came up. That policy is 
muddled and confusing and differs in several respects depending 
upon whether a person is trying to access phone records information 
online via the internet or orally over the phone with a customer 
service rep. 

Because of the way the internet itself operates, in order to gain 
online access to the information in an AT&T customer's account it is 
necessary to know the secret customer-assigned password that 
supposedly protects the account from the snooping eyes of 
intruders. 
But passwords are less important when it comes to protecting 
customer accounts from intrusion over the phone. That's because 
the customer service rep who winds up fielding the request can 
easily establish the identity of the caller by accessing the account 
and then asking the caller to answer questions related to 
information on the account itself. 
As a result, AT&T leavers it the customers themselves to decide 
whether they want to add an additional level of protection to their 
phone records by using passwords to restrict access to them over 
the phone as well as via the internet. 
In the November 8th conference call both Lamb and Lankford were 
emphatic and categorical that no customer service rep would provide 
account information over the phone to a caller by asking the person 
for the account's online password in order to establish his or her 
bone fides. "We would never ask for a password," said Lankford. 
`'It would not have been consistent with our practice," added Lamb. 
But when Lamb finally surrendered AT&T's case file to me the 
following May, it contained a handwritten statement from the 
service rep in the matter, Shakela Felton, revealing at a minimum 
that she had done precisely that. 
In her statement Felton said that on October 15, 2002 she had read 
aloud the details of the July phone bill to the caller because that 
person had first provided her with the password to the account. Yet 
our account contained no such password for over-the-phone access at 
that time, and one wasn't added until late the next day 
(October 16th) when the theft was discovered and an AT&T official 
advised us to do so. 
Two days later, on Oct. 18th, the service rep., Felton, gave the 
first of three statements on the matter, followed by a second one 
on November 5th and a third on November 7th.  In each statement she 
stuck by her story of having given the information to the caller 
only after the caller had provided her with the password to the 
account - a password that did not yet even exist. 
Shakela Felton's shaky password story was only one of many things 
AT&T failed to pursue. They never addressed the utterly implausible 
coincidence whereby Felton received two back-to-back calls from the 
same pretexters on October 15th, each lasting more than an hour, 
and each concerned with the same subject (my July 2002 phone calls). 
Nor did AT&T ever produce a satisfactory explanation as to why the 
company, with all its claimed cutting edge technology, proved unable 
to trace either call -- each lasting more than an hour -- back to 
its originating telephone. Week after week of insistent pressuring 
brought little beyond tech-world doubletalk and foot-dragging, 
ending finally when Lamb told me the company had traced one of the 
calls to the town of Alba, Texas, some 30 miles east of the Irving, 
Tex facility of AT&T's subcontractor, Aegis Communications, Inc., 
where Shakela Felton worked. 
It took months and even years of nonstop investigation on my part 
before it became possible to glimpse even the outlines of what I had 
become caught up in, and many questions remain unanswered to this 
day. But the key facts are by now clear. 
For starters, with the passage of time it has become increasingly 
obvious that the facts I had reported about Imagis Technologies Inc 
were all 100% true and accurate, and that the company's libel suit 
against me had been inspired entirely by the desire to discourage 
either Red Herring or any other publication from pursuing the matter 
any further. 
The judgment of the market regarding this atrociously run company 
has been devastating. Since my article first appeared in September 
of 2002, Imagis's share price has fallen from $4 per share to a 
current price of less than 20 cents per share. Meanwhile, the 
company's revenues, never strong to begin with, have flat-lined 
while losses have soared out of sight. In June of 2005 the company 
changed its name to Visiphor Corp. 
In the aftermath of the theft of my phone records, and with the FBI 
seeming to show no interest in the case, I filed a complaint against 
Imagis's rogue board member, Treyton L. Thomas, with the Enforcement 
Div. of the U.S. Securities and Exchange Commission's district 
office in Boston, where Thomas had run his pump-and-dump scam out 
of a rented office near Boston Harbor. 
By August of 2003, the SEC had opened an investigation into 
Thomas's activities and begun seeking his books and records as well 
as those of a woman he was living with in Boston named Cheryl Stone. 
On August 28, 2003, I reported this fact in the New York Post along 
with much else of what I had learned about Thomas since my original 
story on the man had first appeared in Red Herring a year earlier. 
Among the new revelations, which Revell had somehow managed to miss 
in his own vetting of the man, were these: 
 That Thomas's so-called $600 million offshore hedge fund was 
actually nothing more than a six-employee electrical equipment 
supply shop that Thomas had been running as a sideline business 
in Atlanta, Ga. while he bounced from one brokerage firm job to 
the next. 
 That Thomas had precipitated the breakup of the marriage of a 
well-known Atlanta, Ga. plastic surgeon and had run off with his 
wife, with whom he was now living in Boston. 
 That for most of his life Thomas had been known as Tracey Lee 
Thomas and had traveled the world under a U.S. Passport that 
identified him as a woman. 
 That while serving as an enlisted man in the U.S. Marines in 
Kenitra, Morocco in the 1970s, Thomas had carried on a torrid 
two-year love affair with an underage junior high school girl 
who was living with her family on the base, and finally  
 That Thomas had previously been arrested (though not convicted) 
on felony fugitive charges in Georgia, and finally, 

Soon after the New York Post reported these facts, Thomas's career 
as an outside member on Imagis's board of directors came to an 
abrupt end - without any public explanation for his departure. 
One reason for the lack of disclosure may be the SEC investigation 
itself. In the course of the Thomas probe, SEC investigators had 
obtained Thomas's telephone records for the period that covered 
the autumn of 2002, and had thereafter issued a document production 
request to a Wall Street stockbroker whose own phone number had 
appeared as an outgoing call from Thomas's phone. 
The broker was in fact a long-time confidential source of mine and 
I had spoken with him regularly over the years in the course of 
researching various Wall Street-related subjects. The broker did 
not know Thomas and had said so when I had mentioned Thomas's name 
to him during a phone call I had placed to him while preparing my 
September 2002 story for Red Herring. 
So, when the broker received a letter a year later, in August of 
2003, from the Boston District office of the SEC asking him to turn 
over all account records, trading tickets, statements and whatnot 
regarding one "Tracy (Treyton) Thomas ,"  the broker telephoned 
the Boston district office to ask why since he had no idea who 
the Thomas person even was. The investigator explained that the 
broker's phone number in New York had been called from Thomas's 
own phone in Boston, and the broker thereafter relayed that 
information to me. 
This of course led to only one conclusion: Thomas had either 
obtained my purloined phone records himself, or someone else had 
given them to him. Either way, he had apparently gotten his hands 
on them somehow and had set out to phone up the numbers on the list 
to see who my sources for the Red Herring story had actually been. 
As any journalist will tell you, the most valuable assets a reporter 
can have are his confidential sources, and to have the names of 
dozens of them suddenly drop into the lap of someone like the 
scruple-free Thomas was an appalling thought to say the least. 
What if the word began to get around that even Byron's most 
confidential sources risked turning up on the receiving end of 
a document production letter from the SEC? Who would return my 
phone calls then? 
Obviously this was something I wanted to keep as tight a lid on as 
possible. But trying to do so seemed futile when, a week or so after 
the theft of my records, I received a telephone call from a 
top - though highly confidential - source in the hedge fund world. 
The source knew nothing of what was going on between AT&T and me, 
 and had phoned up to discuss something else entirely. Yet just as 
I had done with the Wall Street broker, I had also spoken with my 
hedge fund source about Thomas for my Red Herring story the year 
before, so his phone number had appeared on my July 2002 phone 
records. 
As a result, one may easily enough imagine my alarm when the man 
proceeded to mention, in the course of our conversation, that he 
had recently experienced the oddest thing - then went on to describe 
how someone from AT&T had phoned his home only a day or two earlier 
to ask whether he had been having trouble accessing his phone 
records. 
One does not need to behold the rotting corpse of Jimmy Hoffa to 
accept that Hoffa is actually dead, so I will say on the basis of 
all the foregoing that I do not need to possess a signed confession 
and a Polaroid snapshot showing Treyton Thomas caught in the act 
of pretending to be me to believe that he was mixed up one way or 
another in the theft of my phone records. And I also don't need 
any more than is already available on the public record to suppose 
that Revell either had a hand in it himself or chose to look the 
other way. 
By the start of 2004 Thomas had left the Imagis board, and eleven 
months later, in in November of 2004, the SEC filed civil fraud 
charges against him for orchestrating his pump-and-dump scam in 
Imagis's stock. Eighteen months later, in May of this year, 
Thomas pleaded the civil law equivalent of nolo contendere and 
agreed to pay $282,400 in assorted fines and penalities, and 
promised never again in his life to serve as an officer or 
director of a public company, or to engage in or promote a 
securities offering. 
Unfortunately, the SEC chose not to proceed against Thomas in the 
phone records matter, claiming the Commission lacked jurisdiction, 
and advised me to approach the FBI instead. Yet as we have seen, 
the FBI has done nothing either, and I doubt it will without 
aggressive pressure from the Congress. 
There are plenty of reasons for the FBI to want to steer clear of 
this case, and the apparent involvement of Revell is only one of 
them. During a portion of the time that Revell served as a top 
official at the FBI, eventually acquiring the title of Associate 
Deputy Director, his counterpart at the Drug Enforcement Agency 
was an individual named Terrence M. Burke. Beginning his government 
career as a CIA intelligence officer in Southeast Asia in the 
1960s, Burke moved later to the DEA where he eventually acquired 
the title of Deputy Administrator of the entire Agency. In that 
capacity he was in frequent collaborative contact with Revell, 
and the two men were regarded in law enforcement circles as 
friends. 
In 1991 Burke left the government, joined a Washington D.C. firm 
of private investigators (The Investigative Group Intl.) and 
eventually left to launch his own firm, T.M. Burke International, 
in Colorado, at the end of the 1990s. In that capacity he turned 
up in Vancouver in the summer of 2002, where he tried to gain the 
confidence of a local business reporter by claiming that he had 
been hired by an unidentified client in Europe who was "seeking 
revenge" on Imagis's controlling shareholder, Altaf Nazerali - not 
revealing of course that Burke himself was a long-time, top level 
associate of Revell's in U.S. law enforcement and that Revell was 
presumably privy to vastly more dirt on Nazerali than was a local 
business reporter who had never even met Nazerali. 
Beyond the apparent involvement of Revell and the possible 
involvement of Burke looms a vast array of other matters that 
would help discourage an FBI investigation into the theft of my 
phone records. 
The AT&T subcontractor where Shakela Felton worked - Aegis 
Communications Inc. - is in the so-called outsourcing business, 
which means it handles back-office matters such as customer 
accounts management and the staffing of call centers for well-known 
corporate clients ranging from AT&T to American Express, Discover, 
and others. 
Over the years, Aegis has figured in several high-profile identity 
theft cases, including a much-publicized case in which a ring of 
Detroit area identity thieves paid Aegis phone reps to steal the 
credit card information of more than 2,300 American Express 
cardholders, then used the information to bilk Detroit area 
merchants out of an estimated $14 million in merchandise charged 
to the accounts then sold on the black market. 
As the Subcommittee's research has revealed, many in law 
enforcement at every level of government now routinely obtain 
the telephone records of investigative targets, while keeping 
their own fingers clean by hiring pretexters to do the dirty work 
for them. Companies such as Aegis are an attractive place for 
pretexters to go fishing, and because of that fact alone it seems 
unlikely that federal investigators would eagerly embrace the 
idea of digging into the sieve-like nature of Aegis's security 
procedures on behalf of corporate clients whose computers bulge 
already with the accumulated personal and financial records of 
virtually the entire American public. No one welcomes investigating 
a former colleague, in government or anywhere else - and that is 
certainly true when an investigation can undercut post-government 
business opportunities for the retired investigator. 
Outsourcing shops like Aegis are one of the weakest links in the 
chain of custody over the financial and personal records of the 
American people. It is fine to stress the importance of the U.S. 
Patriot Act and the need to crack down on financial fraud in the 
war on terrorism. But that is hardly enough when any enterprising 
group of terrorists with the desire to do so could quietly acquire 
control of an outsourcing shop like Aegis, move it abroad to a 
place like India, where operational oversight of such companies 
by the government is limited at best, and then begin the wholesale 
downloading of America's consumer records database. 
This is no idle speculation either. In September of 2003, at just 
the time the SEC had begun pursuing its investigation of Thomas, a 
U.K.-based outsourcing company called Allserve Systems Ltd. 
announced plans to acquire Aegis from the Washington D.C. investment 
fund that was Aegis's controlling shareholder, Thayer Capital 
Partners. But who owned Allserve? Not even the top officials at 
Aegis seemed to know. 
Yet by this time I was deeply immersed in researching everything 
possible regarding Aegis and the theft of my phone records, and by 
tracing out the evolution of the U.K.-based company in business 
databases around the world, I was able to establish that the man 
behind the planned purchase was an financier named Dinesh Dalmia, 
who was busy building up a Calcutta-based outsourcing business for 
corporate clients in the U.S., the U.K. and elsewhere. 
But there was more to Dalmia than just that. Further research 
revealed that Dalmia was actually an international financial 
fugitive, who had recently fled India and was now roaming the earth 
with a worldwide Interpol "Red Corner" arrest notice over his head 
for crimes that ranged from money laundering and forgery to stock 
market fraud. 
And there was more. From a confidential source in India I obtained 
e-mail traffic between Dalmia and an associate in the United Arab 
Emirates in the days following the terrorist attacks of 9/11. In 
those e-mails Dalmia and his man in the Gulf discussed plans to 
sell the Iraqi Ministry of Defense an array weapons-related 
computer programs, including a package of software tools for 
managing a biological warfare campaign. 
Before publishing these facts I asked a spokesman for Thayer Capital 
just how thoroughly the investment group had checked out Allserve 
Systems Ltd. before agreeing to sell it majority control of an 
outsourcing company that enjoyed routine access to some of the most 
sensitive and private consumer information in the country. I was 
told that Allserve was a fine company and basically to mind my own 
business. 
I also got no where when I asked for interviews with anyone on 
Thayer's blue-ribbon "advisory board," which boasted names like 
those of former Secy. of Defense William Cohen, Clinton 
Administration adviser Vernon Jordan, ex-head of Housing and Urban 
Development Jack Kemp, and the former chairman of American Express 
James Robinson. 
I explained to the Thayer spokesman that I wanted to know if any of 
these luminaries had heard of Dinesh Dalmia and whether they were 
aware that he was behind the Allserve acquisition and that he planned 
to hold the Aegis shares in an anonymous nominee account in the 
tax haven island nation of Tortola. To these questions I received 
no answers at all. 
I published these facts in the New York Post and the deal quickly 
fell apart - though not before both the newspaper and I received a 
retraction demand and libel lawsuit threat letter from a lawyer in 
New Jersey who claimed to represent Dalmia. The lawyer asserted that 
it was libelous to have reported that Dalmia had tried to negotiate 
the sale of a germ warfare software package to Iraq because, as the 
lawyer put it, "no such contract was ever executed." 
The Post's general counsel replied in a rebuttal letter that we 
intended to retract nothing, and that was the last we heard from 
this particular lawyer regarding Dalmia. 
Two years later Dalmia resurfaced, once again hidden behind his 
Allserve Systems mask and further protected this time by what 
amounted to a new defensive perimeter of offshore shell companies. 
Dalmia's goal, once again, was to take over control of a U.S. 
outsourcing company - in this case employing a convoluted scheme 
involving an array of companies in New Jersey that he secretly 
controlled and intended to merge with a NASDAQ-listed outsourcing 
company called the A Consulting Team Inc. 
Extensive reporting by the Post caused this deal as well to fall 
apart. And when the Post reported, based on a search of public land 
records in New Jersey, that this international fugitive, presumably 
hunted by Interpol wherever he went, was in fact living the life of 
Riley in a Fort Lee, N.J. mansion overlooking Manhattan, we received 
a second libel threat letter. 
This time the threat came by way of a lawyer better known for his 
criminal defense work than for his acumen in the law of defamation 
and libel: Atty. Lawrence Barcella of Washington. Barcella claimed 
the Post's coverage of Dalmia was a tissue of lies and distortions 
but failed to cite any evidence to support the assertion. Once again 
the Post replied that we would retract nothing, and it was the last 
we heard from Barcella as well. 
In January of 2006 Dalmia fled the U.S., one step ahead of the FBI, 
leaving behind a trail of personal aliases, false and forged 
financial statements, fake invoices, and bogus bank accounts in the 
names of non-existent companies. He had used these tools to swindle 
some of the most prestigious - and presumably savvy --financial 
institutions in America out of an estimated $130 million in computer 
leasing deals. 
When Dalmia defaulted on his loan payments in the deals and the 
creditors moved to repossess the computer equipment that 
collateralized the leases, they discovered that the equipment had a 
lready been shipped to India and sold. When they demanded to see 
the supporting paperwork they were told they could not. Reason: a 
sinkhole had opened in downtown Calcutta and swallowed up all the 
records. 
Dalmia's network of fraud - all of it based on front companies in 
the outsourcing business - stretched from Singapore to the U.S. to 
London and beyond. And it all ran the same way, at the same time 
in one country after the next. When Britain's Serious Frauds Office 
arrived at the doorstep of Dalmia's front operation in London to 
ask some questions, they found the offices deserted and the files 
in a shambles. Reason: the staff had headed for Heathrow airport 
and returned to India.  
Much as Dalmia's creditors may have felt they had been dealing with 
a ghost, the Indian swindler was real enough, and in early February 
of this year he was arrested by Indian government agents who had been 
tipped that he had reentered the country by crossing over from Nepal 
and was staying with relatives in New Delhi. 
Dalmia's arrest and subsequent detention, which continues to this 
day, proved a sensation in India, with the media exploding in 
seemingly nonstop coverage of each new charge the authorities have 
lodged against him - most of which relate to his role in a series of 
late 1990s stock swindles that climaxed in the collapse of the 
Calcutta and Bombay Stock exchanges. 
Yet except for coverage in the New York Post, Dalmia's three-year 
crime spree has received almost no attention at all in the U.S. - 
highlighting another of the many ways in which phone records 
thievery imperils all Americans. Dalmia didn't simply try to steal 
the phone records of one or two individuals, he tried to steal an 
entire company stuffed to the gills with the phone and financial 
records of Americans by the millions... and he nearly succeeded. 
So I commend the Subcommittee for its efforts on behalf of H.R. 
4943, and urge only that you stay mindful of the broad and 
encompassing risks posed by phone records thievery in all its 
many forms. Stealing one person's phone records is bad enough. 
This nation should not be at constant risk from scoundrels eager 
to steal the phone records of everybody, all at once. 
Thank you for your time. Respectfully, Chris Byron 

MR. WHITFIELD.  No.  That's fine.  
Now, Mr. Byron, it's my understanding that you now know that this 
pretexting of your phone records was initiated because of an article 
that you wrote, what, in Money Magazine? 
MR. BYRON.  I wrote it in Red Herring Magazine.  It appeared in the 
September 2002 edition.  That's right. 
MR. WHITFIELD.  And it was entitled "Feds Face Recognition in a 
Fishy Fund?"  
MR. BYRON.  That's correct.  It dealt entirely with a company called 
Imagis Technologies, which was publicly traded and which seemed to 
me, based on the research that I was able to obtain from the EDGAR 
Data System at the SEC, to be a very shaky company.  It had on its 
Board of Directors at least one very high-profile name in Washington 
at that time, and that was Oliver "Buck" Revell, who was the former 
head of counterterrorism for the FBI. 
MR. WHITFIELD.  And he was the Chairman of the Board of that 
company?  
MR. BYRON.  That's correct.  And I believe one of the principal 
reasons that the FBI never acted on my complaint is because they 
didn't want to entangle themselves with a problem that might either 
directly or indirectly have involved this Revell man. 
MR. WHITFIELD.  Now, in this article, another article that you wrote 
in the New York Post, "The Phone Thieves," which I guess was written 
after you found out about the pretexting-- 
MR. BYRON.  Yes. 
MR. WHITFIELD. --you referred to Treyton Thomas as a "pump and dump 
swindler." 
MR. BYRON.  Correct.  That's exactly what he was.  It was the 
allegations of that and the documentation that we provided for that 
that led to this lawsuit in the first place.  
Following a complaint to the SEC, they examined the information we'd 
published and brought charges against this Thomas man, and this was 
a civil case--they don't have criminal enforcement powers at the 
SEC--but he was fined not long ago, a few months ago in fact, and 
 has been banned for life from the securities industry.  
MR. WHITFIELD.  And this company went bankrupt; is that correct?  
MR. BYRON.  I don't know if it went bankrupt.  It changed its 
name.  After all of these events, it changed its name to a company 
called Visafor-- 
MR. WHITFIELD.  Okay. 
MR. BYRON. --and it is still in business.  I think it sells for 17 
cents a share or something like that. 
MR. WHITFIELD.  Yeah, but they subsequently did file a lawsuit 
against you-- 
MR. BYRON.  Yes. 
MR. WHITFIELD. --and that was dismissed. 
MR. BYRON.  It wasn't dismissed.  They just never pursued it. 
MR. WHITFIELD.  Oh, they never pursued it.  
MR. BYRON.  Right. 
MR. WHITFIELD.   But you never would have known anything about this 
pretexting of your phone records unless AT&T had called you one 
day; is that correct?  
MR. BYRON.  That's correct.  My wife took the call.  We weren't 
expecting it, and they asked us over the phone what kind of trouble 
were we having with our phone bill because we had been asking to get 
copies of it for so long now.  
MR. WHITFIELD.  Yeah. 
MR. BYRON.   And when my wife got that message, she shrieked into 
the phone, "What?" Because we hadn't been asking them for anything. 
MR. WHITFIELD.  Now, I think a lot of people that were victims like 
you and your wife probably would have just dropped the matter.  
MR. BYRON.  Yeah. 
MR. WHITFIELD.   But it looks like you all became pretty persistent 
in trying to find out what was going on. 
MR. BYRON.  We never let up.  We never let up-- 
MR. WHITFIELD.  Yeah. 
MR. BYRON. --and we found out the essential outline of it. 
MR. WHITFIELD.  And tell me a little bit about that.  The New York 
Post had to--did the New York Post file a lawsuit against AT&T to 
find out-- 
MR. BYRON.  They threatened to.  This event involved a magazine 
article that was not published in the New York Post.  It was 
published in Red Herring Magazine.  Red Herring Magazine soon went 
bankrupt itself because of the drop in advertising post-9/11, and I 
was a columnist, and still am, at the New York Post, and had been 
writing on this subject.  And what had happened at the Post-- 
MR. WHITFIELD.  Right. 
MR. BYRON. --was a year of stonewalling led the General Counsel of 
the Post in exasperation to threaten these people with a civil 
rights suit, and it was based on those threats that they turned over 
their case file on this matter to us. 
MR. WHITFIELD.  And in that case file, what sort of information was 
there that was helpful for you to identify who did the pretexting?  
MR. BYRON.  I had already figured that out before. 
MR. WHITFIELD.  Okay. 
MR. BYRON.  What the case file showed me is that they had been lying 
to me for the last year, the previous year. 
MR. WHITFIELD.  Now, who had been lying?  
MR. BYRON.  They had been--I beg your pardon, AT&T. 
MR. WHITFIELD.  Okay. 
MR. BYRON.  And they had been assuring us that they were continuing 
to investigate this matter, and they took it seriously and all of 
those kinds of confidence-inspiring gestures.  And they were all 
baseless because what that case file, in fact, showed was that weeks 
after I had filed this complaint, they had gone through a pro 
forma investigation that was full of internal inconsistencies 
that were not pursued.  And then the whole thing was dished off to 
the FBI, and they washed their hands of it.  And during all of the 
subsequent period of time when we were calling up, saying, "How's 
that investigation going, folks?"  "Oh, it's fine, MR. BYRON.  
It's going right along," there was no investigation.  They handed 
it to the FBI.  They were doing nothing. 
MR. WHITFIELD.  Okay.  Now, you are an attorney as well as a 
journalist, and you probably have done some research.  
Do you feel that under existing Federal law that pretexting is 
illegal today or not?  
MR. BYRON.  Yeah.  I think that it's illegal in a variety of ways, 
and I was stupefied to hear the testimony that came out yesterday 
and the previous facts that have been developed in the press on this 
Hewlett-Packard thing.  
I mean anybody--you don't have to be an attorney to know that this 
is wrong.  And from my perspective, looking at it from the point of 
view of the law, there was a massive conspiracy here that went on 
for 10 entire weeks.  It involved international transactions from 
Canada to the United States, interstate communications over the 
wires.  There's a huge fraud that went on here, and any one of 
those things could have been criminally pursued. 
MR. WHITFIELD.  But you feel that this activity would be illegal 
 under the existing Federal Wire Act?  
MR. BYRON.  What happened to me?  Absolutely. 
MR. WHITFIELD.  Okay.  Are you aware of any Federal prosecutions 
for anyone who has been arrested for pretexting?  
MR. BYRON.  None.  None.  We've looked as hard as we could.  
We haven't found any. 
MR. WHITFIELD.  Yeah.  And what are your unique concerns about 
journalists being singled out by people for pretexting?  
MR. BYRON.  If the word gets around that you can do this kind of 
thing with impunity--and it seems that it is now--the ability of 
a journalist to do his job will be fatally compromised.  If you 
can make promises of confidentiality that have utterly no meaning 
at all and the sanction that would protect you is not enforced by 
law-- 
MR. WHITFIELD.  Yeah. 
MR. BYRON. --you're dead in the water. 
MR. WHITFIELD.  Now, after yesterday's Hewlett-Packard hearing, 
I went over on the House floor, and two Members came up to me, and 
they said, "You know, if you all are going to do anything about 
these corporate leaks and the pretexting of board members"--these 
two Members said--"you've got to be really careful, because we 
think that the corporate boards should have a right to determine 
who's leaking information from their board," and--but--I mean my 
reply is that if it's illegal, it's illegal-- 
MR. BYRON.  You bet.
MR. WHITFIELD. --and I would assume that you--
MR. BYRON.  I would agree with both statements.  
Now, if you're the Chairman of the Board of a company, and leaks are 
coming out of that boardroom, you're bound.  You have a fiduciary 
responsibility to shareholders to find out what's going on.  
MR. WHITFIELD.  Right. 
MR. BYRON.   But you don't have the power to break the law to do 
it. 
MR. WHITFIELD.  Right. 
MR. BYRON.  Period. 
MR. WHITFIELD.  Right.  Right. 
MR. BYRON.  Case closed. 
MR. WHITFIELD.  At this time, I'll recognize Ms. DeGette for 10 
minutes.  
MS. DEGETTE.  Thank you so much, Mr. Chairman.  And, Mr. Byron, 
thank you so much for coming and sharing the other side of what 
happens with pretexting with us.  I just have a few questions for 
you.  
One of them is what I understand about this terribly botched 
investigation that AT&T did after you learned about the pretexting.  
What I want to know is if you have some views on what phone 
companies can do to prevent the pretexting in the first place, 
things that weren't done in your case and that aren't being done 
now. 
MR. BYRON.  Well, I'm not entirely certain that--I don't know who 
owns phone records.  It's a little unclear to me.  From what I've 
read, is the phone record owned by the phone company or is it owned 
by the person who uses that account?  I don't know.  And there may 
be a very clear answer to that, but I just don't know it.  If the 
phone company owns the record, it gets a little bit more confusing 
as to what that company can do with that record.  If you own the 
record, then they don't have the right to do anything with it 
without checking with you.  
And I guess what your question goes to is how could they establish 
it's you that they're talking to.  Well, short of going in there 
with--insisting, well, let's see your driver's license, I don't 
know what they can--what you could ask them.  I think what the 
best thing to do is simply say, "That's your problem.  But if you 
don't handle it properly, you're going to be in trouble with these 
sanctions."  And to the degree that my opinion means anything in 
this, I would say the tougher the penalty--put this thing into 
criminal law, and you'll get their attention. 
MS. DEGETTE.  To criminalize release of the records by the phone 
companies?  
MR. BYRON.  Yeah.  Sure.  Sure. 
MS. DEGETTE.  That probably would get their attention. 
MR. BYRON.  Absolutely.  And end the problem. 
MS. DEGETTE.  A second question I have for you is, as a newspaper 
reporter, how widespread is the fear of pretexting among your 
colleagues; because, as we heard yesterday with the Hewlett-Packard 
situation, reporters were targets of that investigation as well, 
and are people quite concerned that this is going on?  
MR. BYRON.  Oh, yeah.  Sure.  And more today than the day before 
yesterday.  And already this was a significant worry on the part 
of people in my line of work.  I think not long ago, a couple of 
weeks ago, The New York Times undertook some reevaluation of what 
its own editorial staff should be doing with its notes, with its 
phone records, and all the rest of it because of these kinds of 
compromised privacy questions.  If somebody can come and grab 
your phone records and nobody cares, there's a big problem here-- 
MS. DEGETTE.  Yeah. 
MR. BYRON. --a big problem. 
MS. DEGETTE.  And have you talked to colleagues who have had this 
happen to them?  
MR. BYRON.  Yes.  And I know a number of them.  
After this happened to me, I got calls from reporters all over the 
country, some of whom I knew, some of whom I now met for the first 
time, who had the same experience, not necessarily because of a 
lawsuit or something else, but because of something that somebody 
wanted to know about their line of work that the reporter didn't 
want to tell them. 
MS. DEGETTE.  Right. 
MR. BYRON.  So they'll just go steal it. 
MS. DEGETTE.  Yeah.  Okay.  Last question. 
Now, I presume that you still support H.R. 4943, which is the 
legislation that's mysteriously disappeared.  Counsel says maybe 
we could enlist your services as an investigative reporter.  But 
you still support that bill, right?  
MR. BYRON.  Absolutely.  I mean I think if after all of this, if 
that at least doesn't become law, that sends a signal, too. 
MS. DEGETTE.  Even though it is already illegal under other 
statutes, you think that would be helpful to have?  
MR. BYRON.  Absolutely.  I think it would just be a per se statement 
if this time we really mean it. 
MS. DEGETTE.  It would be that bright light cast that Ms. Dunn kept 
talking about? 
MR. BYRON.  Yes. 
MS. DEGETTE.  Thank you. 
Thank you, Mr. Chairman.  I yield back. 
MR. WHITFIELD.  I just have to ask one question that we were just 
discussing.  
If you heard the testimony yesterday, the Chairman of the 
Hewlett-Packard Board made the comment that she thought 
everyone's phone records were available to the public, that anyone 
would have access to anyone's, and that she wouldn't object to 
anyone having her phone records.  
Did you hear that comment?  
MR. BYRON.  I didn't hear her say that. 
What I read was the same thing in her written statement, and 
it amazed me.  I couldn't believe what I was reading, and that 
woman has a degree from Berkeley as a journalist.  It's a joint 
journalist-economics degree.  I know she reads and writes English-- 
MR. WHITFIELD.  Right.  
MR. BYRON. --and she said in her written statement that she thought 
all of this was fine-- 
MR. WHITFIELD.  Right. 
MR. BYRON. --because the private eye, this DeLia guy, had said to 
her he knew where you could get private phone records--I think I've 
almost got this memorized by now--where you could get private phone 
records legally from a public source. 
MR. WHITFIELD.  Yeah.  I wish we had had you here as a witness 
yesterday.  You could have been on the panel with Ms. Dunn.
MR. BYRON.  Well, I mean-- 
MR. WHITFIELD.  Okay. 
MR. BYRON. --just by the nature of it-- 
MR. WHITFIELD.  Yeah. 
MR. BYRON. --if private phone records are deposited in a public 
source, they're not private phone records. 
MR. WHITFIELD.  Yeah.  Yeah.  
I yield back the balance of my time and recognize the Chairman of 
the full Energy and Commerce Committee, Mr. Barton of Texas.  
CHAIRMAN BARTON.  Well, thank you, Mr. Chairman.  I'm not going 
to take the full 10 minutes.  I would like to make a report to 
the subcommittee.  
I see our poster over there "Gone With the Wind," H.R. 4943.  It's 
been found.  It's not gone.  It's awaiting floor action, and 
there's a good chance it might pop up today.  We may actually get 
to vote on it.  It may be midnight tonight, I'm not guaranteeing 
it, but it has been found.  The bill is alive and healthy, and-- 
MS. DEGETTE.  Mr. Chairman, maybe you can autograph the poster 
for us.  
CHAIRMAN BARTON.  I'd be happy to do that.  
The concern about it--and this is serious.  It goes to one of the 
comments that our witness made.  H.R. 4943 requires the phone 
company to get the permission of the individual who has the 
telephone number before their records are released to anybody, 
whether they're sold or whatever.  
So we asked all the phone companies at the hearing, the legislative 
hearing on the bill, whether they thought the phone records were 
the company's property or the individual's property, and the 
companies all answered--or the witness who represented the 
companies said that it was the individual's property.  And I think 
it is.  I think your phone number is yours, and the phone log--I 
don't see a real reason to keep a phone log unless it's for 
billing purposes.  And as we all know, with a lot of our telephone 
numbers today and telephone billing systems, you don't pay per 
minute or per call.  It's just a flat rate.  So there's an argument 
to be made that you don't even need to keep a phone record any time 
at all, but the concern that's kept the bill off the floor is that 
there are people who think the phone record is not your personal 
property, it it is the company's property.  And I think these 
hearings are highlighting the fact that our bill is not "Gone 
with the Wind."  It's more like "Mr. Smith goes to Washington."  
It's good government, and we need to move it, and so there's a 
reasonable chance--I'm not guaranteeing it, but we may get it 
out today.  
I do want to comment, Mr. Chairman, how odd it is that all of these 
people who claim what they're doing is legal continue to invoke 
the Fifth Amendment against self-incrimination.  I think your 
hearings have set a record for self-incriminating individuals who 
were afraid they may self-incriminate themselves, protecting 
themselves by the tremendous Fifth Amendment to our great United 
States Constitution.  If what they're doing is so legal, they 
shouldn't have to be afraid to talk about it in public before your 
committee.  
The only question that I have for the witness here is, what was the 
final resolution of the pretexter who stole your phone records 
without your permission?  
MR. BYRON.  There has been no resolution.  There have been no charges 
filed or civil complaint anywhere.  To this hour, nobody has been 
brought to justice on this thing.  And as I said at the opening 
here, a 4-year thing accumulates a really confusing, long, 
complicated record trail; and with the passage of time, it gets 
harder and harder to follow this.  But the evidence of who did 
what, who shot John, sits in the SEC Enforcement Division district 
office files in Boston, Massachusetts.  And I've asked them in the 
past, "Well, if you're not going to act on it, why don't you make 
a criminal referral?  Can't you give it to the FBI?"  "Well, we'll 
get back to you on Monday on that, Mr. Byron," and 6 months later, 
I call again and get the same answer. 
CHAIRMAN BARTON.  Well, we do have a bill that has passed the House. 
 It's a Judiciary bill which I support--it's in the Senate 
somewhere--that clearly makes pretexting illegal and sets criminal 
penalties at the Federal level for pretexting.  So we have got one 
House bill that's gotten to the Senate.  Our bill has not yet gotten 
to the floor.  
And before I yield back, since the Chairman of the Board of 
Hewlett-Packard yesterday indicated she didn't know what 
"pretexting" was and had never heard of it until June the 6th, I 
want to repeat what it is in case there's anybody here that doesn't 
know today.  Pretexting is pretending to be somebody you're not, 
to get something you probably shouldn't have, to use in a way 
that's probably wrong.  That's what pretexting is, and that's what 
this committee wants to make illegal.  We also want to make sure 
that your phone record is your phone record and cannot be used 
without your explicit permission.  
With that, Mr. Chairman, I yield back. 
MR. WHITFIELD.  Thank you, Mr. Barton.  
At this time, I recognize Mr. Walden of Oregon.  
MR. WALDEN.  Thank you, Mr. Chairman.  
Mr. Byron, like you, I too have a journalism degree, and I was 
astounded when I pressed Ms. Dunn yesterday as to whether or not she 
really believed and seriously believed that these records were 
available publicly.  And I have to confess, like you, I was amazed 
at the response.  It just was unbelievable.  
In your testimony, you say you initially discovered your records 
had been invaded when an AT&T representative called your wife-- 
MR. BYRON.  Yes. 
MR. WALDEN. --as I recall.  
Would you elaborate on this?  Was AT&T at that point investigating 
a problem?  Why would they call your wife?  
MR. BYRON.  What happened was, over the previous 2-1/2 months, 
unknown to my wife, myself, and anybody in our family, and 
apparently unknown to AT&T as well, criminal impersonators were 
calling up day after day, pretending that they were me or that 
they were my wife and asking for the July 2002 phone bill.  
MR. WALDEN.  Right.  
MR. BYRON.   And they kept getting one explanation as to why they 
wanted it after the next, and they never surrendered it to these 
people.  After 2-1/2 months of this, they finally hit pay dirt, and 
in the course of "dialing for dummies," they got one.  And this 
person sat there in her cubicle and read over the computer screen 
to these people, 96 phone calls that consisted of my office phone 
number, outbound from my phone during the month of July.  
Then, minutes later, another party called back and asked this 
person--this definitely retires the cup for being a dummy--if she 
could take the time to read again the same list because he wanted 
to check it.  And she did, and he did, and the computers now show 
2 full hours with going over one person's phone bills.  This came 
to the attention of this person's supervisor, who called us and 
said-- 
MR. WALDEN.  What's the problem with your phone bill. 
MR. BYRON. --"What's the problem with your July  
phone bill?"  We didn't know there was a problem.  Well, then we 
found out.  That's how we found these things out. 
MR. WALDEN.  And after you had that conversation with AT&T, what 
was their response to you once, this triggered that something was 
up here?  
MR. BYRON.  Oh.  Well, I mean we received an urgent and immediate 
and apparently heartfelt expression of "ain't it awful, and we'll 
get on this right after lunch," and that was pretty much it.  The 
next day, having gotten nothing more than that, I called AT&T, and 
couldn't even find the person we had spoken to, and just started 
pushing-- 
MR. WALDEN.  Right. 
MR. BYRON. --and I finally got the General Counsel on the phone at 
corporate headquarters, and told him, and he basically tried to put 
this off on his secretary.  
At that point, I called the FBI district office in Bridgeport, 
Connecticut, filed a complaint with them.  They said, "Well, this 
sounds serious.  You'd better take that down to Washington and give 
it to the national office."  I did.  We never heard anything more of 
it ever, and I-- 
MR. WALDEN.  From the-- 
MR. BYRON.  From the FBI.  And with AT&T, when I called back, 
eventually I made myself such a pest that they assigned some guy who 
was like their privacy Assistant General Counsel, and he dealt with 
me and with the New York Post, which took an active interest in this 
thing continuously from that moment on.  
The file that he eventually turned over to us that you now have was 
sanitized of the information in it that was the only really 
important information that we needed, which was to be able to 
identify who the pretexters were. 
MR. WALDEN.  Did they have in their file what number the person was 
calling in from as you? 
MR. BYRON.  Oh, yeah.  Oh, yeah. 
MR. WALDEN.  Did they ever go back and trace who that phone number 
was from? 
MR. BYRON.  They have a code number.  
In the materials you have--I could show one of your investigators 
or staff people, if you'd be interested--is the code number that 
identifies the two back-to-back, 1-hour calls that they said-- 
MR. WALDEN.  Right. 
MR. BYRON. --they could not trace. 
MR. WALDEN.  Why?  
MR. BYRON.  That will make you leave the room, it's so confusing.  
I can't answer that question, and they couldn't either.  I think 
the answer is because they didn't want to.  
What I finally got from them was the packet of information they sent 
to the FBI, absent the phone calls--the enumerate--the sources of 
the phone calls that would have tied this information to the 
pretexters, and they promised to give that to me the day they 
sent it to us. 
MR. WALDEN.  But they never did?  
MR. BYRON.  Not only did they not--I just tried again the other day. 
Now, the guy who I was assigned to, he's gone.  He's not there 
anymore, and I've got a new person there who's going to hold the 
pity party for me.  And I'm sure that we won't get what we need.  
I'm sure of it. 
MR. WALDEN.  Well, maybe after today, you will. 
MR. BYRON.  I hope so. 
MR. WALDEN.  It's very frustrating being on that end of it.  I've 
dealt with some issues involving phone bills in my company where 
charges have been added to lines by third-party billers that we 
never asked for service.  
MR. BYRON.  Right. 
MR. WALDEN.   And I think that's going on all over America right 
now.  
MR. BYRON.  Yeah. 
MR. WALDEN.   And there's a float out there of bad actors that I hope 
we take a real serious look at. 
MR. BYRON.  I'm very sorry that I ran out of time and was unable to 
call the committee's attention to what I think ultimately is the 
most expansive problem at risk here.  
It's terribly destructive to somebody to have his personal or 
business phone records stolen in this way, and it upends your life 
and causes all kinds of heartaches and miseries for you.  But 
it's a much worse problem and gets into national security areas 
when you have the possibility that somebody will wind up in control 
of an entire company filled with these phone records of millions 
of people, and that possibility is evident; it exists.  And a 
series of stories we wrote related to one such company identified 
an individual, an international bunco artist who was wanted by 
Interpol on a "red corner" notice, using nominees to try and 
acquire and then move to Chennai, India, the outsourcing company 
handling AT&T's phone records. 
MR. WALDEN.  So your concern is that the outsourcing to the 
customer service facilities opens the door in foreign countries-- 
MR. BYRON.  Yes. 
MR. WALDEN. --to espionage activities, in fact, both economic and 
security. 
MR. BYRON.  Absolutely.  This particular individual had an enormous 
track record that was easily obtained before getting into 
negotiations to sell this company to him.  We had obtained e-mail 
traffic showing that this guy, right after 9/11, sent his sales rep 
from Dubai into Baghdad to negotiate the sale of germ warfare 
software to the Iraqi Ministry of Defense.  Now, come on.  That's 
the guy who's trying to buy the outsourcing company for AT&T and 
move it to India. 
MR. WALDEN.  Because he wants to provide really good customer 
service?  
MR. BYRON.  Well, he fled the country after we wrote a series of 
stories about him.  He was on a worldwide arrest-on-sight notice 
from Interpol.  Although he was living the life of Riley in Fort 
Lee, New Jersey, it didn't seem to stop anybody; but he left, and 
he's now under arrest and in detention in India, and he's having to 
answer for some huge array of swindles he was involved in there.  
But there will be more like that is what I'm saying.  More of that 
is coming. 
MR. WALDEN.  It's very disturbing, very disturbing. 
Mr. Byron, thank you, and we appreciate your testimony and 
willingness to come before the committee today. 
MR. BYRON.  Thank you. 
MR. WHITFIELD.  Mr. Stearns, you're recognized for 10 minutes. 
MR. STEARNS.  Thank you, Mr. Chairman.  
Mr. Byron, I guess you were in the latter part of your conversation 
with my colleague, you were talking about the Delmi- -- 
MR. BYRON.  Dalmia. 
MR. STEARNS.  Dalmia. 
MR. BYRON.  Yes. 
MR. STEARNS. Who was this individual who was trying to control the 
U.S. outsourcing company-- 
MR. BYRON.  Yes. 
MR. STEARNS. --and in so doing, he was attempting to merge it with, 
I guess, NASDAQ-listed companies.  
MR. BYRON.  Yes. 
MR. STEARNS.   And I guess they tried to call you up.  It was one of 
the attorneys for him that tried to call you up and actually 
intended--Lawrence Barcella of Washington. 
MR. BYRON.  Yes. 
MR. STEARNS.  Barcella claimed the Post's coverage of Dalmia was a 
tissue of lies and distortions but failed to cite any evidence.  
MR. BYRON.  Right. 
MR. STEARNS.  And then you were able to respond to him, and then he 
backed off. 
MR. BYRON.  Yes, that's exactly what happened. 
He was not the first lawyer we heard from from that guy.  I've been 
writing about him for 2 years, and prior to the Barcella letter, we 
heard from another guy he had hired locally in New Jersey, and he 
threatened to sue us for libel and defamation based on our reporting 
that this man had tried to sell a germ factory software package 
to Saddam Hussein.  And his defense in the letter to us that said 
this was defamatory to have published that, was that the contract 
never actually got signed.  Hello?  I mean, the point was not that 
he succeeded.  The point was that he tried, and the man's lawyer 
sent us a letter.  
The lawyers for the New York Post responded, "Read what you said in 
your own letter.  You've confirmed the accuracy of the story."  
That's the last we heard from him. 
MR. STEARNS.  What was the connection between this guy and the 
outsourcing company in Texas?  
MR. BYRON.  The outsourcing company where my phone records were 
stolen was called--is called Aegis Communications, Inc.  
MR. STEARNS.  Right. 
MR. BYRON.  It is an outsourcing company that at that time had major 
back-office, records-keeping contracts with a whole array of very 
large U.S. companies, including AT&T, Discover Card, American 
Express, all of that.  
When you pick up the phone and call to ask for the 800 help number 
and somebody says, "American Express.  May I help you?" it's not an 
American Express person at all most times.  It's somebody from one 
of these outsourcing companies.  
MR. STEARNS.  Which could be anywhere. 
MR. BYRON.  Absolutely, and a lot of them are now located in 
Punjab.  They're in India and in Ireland and in southwest Asia, 
elsewhere.  The connection is that this Dalmia fellow has a large 
 and growing--or had until he went to jail--a large and growing 
presence with an outsourcing network based in Chennai, India, and 
tried to buy this Aegis Company in Texas.  Right at the time I was 
trying to get the FBI to investigate where my phone records--who'd 
stolen them--he was trying to buy the company, and he was using 
anonymous shell companies in Tortola and nominees and front men in 
London to pretend so that he was not--they had a beard and mustache 
on him, these guys, and so you couldn't see him, but we were able 
to trace--to peel back the mask. 
MR. STEARNS.  So you wrote the exposï¿½ about Dalmia. 
MR. BYRON.  Yeah. 
MR. STEARNS.  You wrote it, and that's what got Barcella to call you. 
MR. BYRON.  That's correct.  
MR. STEARNS.  So it's really a tribute to your persistence and 
tenaciousness that this fellow was exposed in the United States and 
eventually had to flee, and eventually, I guess, he was arrested in 
India, and he's in jail now. 
MR. BYRON.  He is.  He is, indeed. 
I would also have to say that I think that a lot of the credit is due 
to the Post, because there's not a lot of papers that would publish 
something like that.  He had not been arrested or charged with 
anything in this country, and the Post was publishing stories saying 
that he was an international criminal. 
MR. STEARNS.  Yeah.  What I don't understand is the Post stood in 
the gap there for you-- 
MR. BYRON.  Yes. 
MR. STEARNS. --with Barcella and handled that.  
Why doesn't the Post help you in civil suits to try and get 
defamation or damages or civil--why haven't you taken that route?  
MR. BYRON.  Well, the events that we're talking about here related 
to the theft of the phone records occurred with a story that was not 
published in the Post. 
MR. STEARNS.  Okay.  Okay. 
MR. BYRON.  I had written that as a freelance piece-- 
MR. STEARNS.  Okay.  
MR. BYRON. --for another publication which subsequently went 
bankrupt, Red Herring Magazine. 
MR. STEARNS.  Right.  
MR. WHITFIELD.  Would you excuse me, Mr. Stearns?  
MR. STEARNS.  Sure. 
MR. WHITFIELD.  I was just curious.  Did you consider a civil suit 
yourself?  
MR. BYRON.  It was not my idea.  It was the General Counsel of the 
Post.  She said that-- 
MR. STEARNS.  What the Chairman is saying is you could--for example, 
you could take a civil suit against AT&T for them.  In your estimation, 
they broke the law-- 
MR. BYRON.  Yes. 
MR. STEARNS. --when this woman sat in this cubicle, as you say, and 
spent 2 hours giving out all of this information.  I mean, surely 
the case could be made in a court that what AT&T did was against 
the law. 
MR. BYRON.  I believe it could be.  But to me, right now, that sounds 
like--with all I've been through, that's like saying, "Byron, go 
fight a land war in Asia."  I'll never come back.  
MR. STEARNS.  Yeah.  So it's just another aggravation you don't want 
to deal with.  
MR. BYRON.  Yeah. 
MR. STEARNS.  Okay. 
MR. BYRON.  I mean, to sue AT&T on my own, my God.  I would not want 
to undertake that.  I'm just--it's not that I would--I just--I'm 
already 61, you know?  
MR. STEARNS.  Has AT&T ever explained why the security measures in 
place at Aegis Communication Corporation, a third-party contractor 
to run some of AT&T's customer care call centers, failed to protect 
your records?  Have they at this point given you a definite written 
response?  
MR. BYRON.  No.  Never. 
MR. STEARNS.  Okay. 
MR. BYRON.  Never.  We've received nothing.  
MR. STEARNS.  We'll ask them that question when they come up for 
you.  
What has AT&T done for you since the facts about pretexting have 
occurred?  Have they worked to establish any additional safeguards 
to-- 
MR. BYRON.  Well, my wife called them the other day because we were 
just doing fact-checking for my written testimony and wanted to 
refresh our memories on how their password/coding rules work.  
MR. STEARNS.  Yeah. 
MR. BYRON.  And the person she got on the phone with accused her of 
being paranoid.  So that's what they've done for us since then.  In 
other words, nothing. 
MR. STEARNS.  Nothing.  
So here we are after the fact, and you're here.  Are you able to 
establish your career to go forward now and-- 
MR. BYRON.  Oh, absolutely. 
MR. STEARNS. --essentially reestablish the links with the people who 
are giving you information?  
MR. BYRON.  Yes. And I had to do it on a kind of case-by-case basis, 
because I just didn't know how broadly anything was actually 
compromised.  
What I knew is that all of my phone records for the month of July of 
2002 were gone.  They have gone into the hands of these people, and 
some of those phone numbers tied to sources in law enforcement and 
the Government related to entirely different issues or other 
stories, nothing related to this. 
MR. STEARNS.  So you don't feel intimidated at this point to write 
another exposï¿½ on a Dalmia-type of individual?  
MR. BYRON.  No.
MR. STEARNS.  Good.  So I mean, notwithstanding all that you went 
through, you've come through this, you and your wife, that you 
feel comfortable--you can continue your career and go forward and 
not have any trouble?  
MR. BYRON.  Yes.  Yes.  Yes, definitely. 
MR. STEARNS.  All right.  Thank you, Mr. Chairman. 
MR. WHITFIELD.  Thank you, Mr. Stearns; 
And I suppose, Mr. Byron, as you move forward, of course, it would be 
great if there was some sort of device that you could obtain so that 
you would know if your records were being pretexted.  But I mean, 
that pretexting could be going on right now in your records, and 
you wouldn't know it either, so-- 
MR. BYRON.  Exactly. 
MR. WHITFIELD.  But we genuinely appreciate your being here today and 
for your time and your testimony, and even though we didn't allow you 
to complete all of your opening statement, we do have it, and we've 
looked at it and all of the documents that you've provided.  
So, thank you very much.  
MR. BYRON.  Thank you. 
MR. WHITFIELD.   And we hope to see you again soon. 
MR. BYRON.  Thank you.  
MR. WHITFIELD.  At this time, I'd like to call up the third panel 
of witnesses.  
On the third panel, we have Mr. Thomas Meiss, who is the Associate 
General Counsel for Cingular Wireless from Atlanta, Georgia; 
Mr. Charles Wunsch, who is the Vice President for Corporate 
Transactions and Business Law for Sprint Nextel, Reston, Virginia; 
Mr. Greg Schaffer, Chief Security Officer for Alltel Wireless, 
Little Rock, Arkansas; Mr. Michael Holden, Litigation Counsel 
for Verizon Wireless in New York, New York; Ms. Lauren Venezia, 
Deputy General Counsel for T-Mobile USA, Bellevue, Washington; 
and Ms. Rochelle Boersma, Vice President for Customer Service, 
U.S. Cellular, Chicago, Illinois.  
I want to welcome all of you.  We thank you for joining us today 
and providing us with your views on this important issue.  As you 
know, this is an Oversight and Investigations hearing, and I'm 
assuming that none of you have any objection to testifying under 
oath.  And if that's the case, if you would, raise your right hand, 
and I'd like to-- 
[Witnesses sworn.] 
MR. WHITFIELD.  Thank you so much. 
In the rules of the House and the rules of the committee, you're 
entitled to legal counsel.  I'm assuming that none of you have legal 
counsel with you today; is that correct?  
MR. MEISS.  That's correct. 
MR. WUNSCH.  That's correct. 
MR. SCHAFFER.  That's correct. 
MR. HOLDEN.  That's correct. 
MS. VENEZIA.  That's correct. 
MS. BOERSMA.  That's correct. 
 
TESTIMONY OF THOMAS MEISS, ASSOCIATE GENERAL COUNSEL, CINGULAR WIRELESS; CHARLES WUNSCH, VICE PRESIDENT  FOR CORPORATE TRANSACTIONS AND 
BUSINESS LAW, SPRINT NEXTEL; GREG SCHAFFER, CHIEF SECURITY OFFICER, 
ALLTEL WIRELESS; MICHAEL HOLDEN, LITIGATION COUNSEL, VERIZON 
WIRELESS; LAUREN VENEZIA, DEPUTY GENERAL COUNSEL, T-MOBILE USA; 
AND ROCHELLE BOERSMA, VICE PRESIDENT FOR CUSTOMER SERVICE, U.S. 
CELLULAR  

MR. WHITFIELD.  Well, Mr. Meiss, we'll start with you, and you're 
recognized for 5 minutes for your opening statement.  
MR. MEISS.  I'll turn this on.  Now is it on?  Can you hear me?  
Okay, great.  
Good morning, Mr. Chairman and members of the committee.  My name 
is Tom Meiss.  I'm from Cingular Wireless.  I'm Associate General 
Counsel.  Thank you for investigating this troubling matter and 
thank you for inviting Cingular to talk about it.  
The title of today's hearing includes a question:  "Who Has Access 
to your Call Records?"  The only right answer to that question would 
be you, the customer.  Unfortunately, that has not always been the 
case, and that's why we're here today.  
It would be hard to find somebody today who hasn't heard about 
pretexting for call records; but a year ago, that was far from the 
case.  It would be helpful--in fact, it's necessary to put things 
in perspective by looking at a timeline of pretexting for call 
records over the past years to the present.  But before I do that, 
I want to make one point.  We're using the terms "pretexters" 
and "data brokers" a lot today.  That's for convenience.  These 
people are thieves, plain and simple.  They're not data brokers; 
they're data burglars, and the word "pretexter" is just far too 
innocuous for what these people do.  
As early as 2005, the practice of Web-based data brokers pretexting 
for call records had received little notice.  In spring and early 
summer of last year, Cingular began to hear that some customers' 
records had been obtained from websites.  Around the same time, 
stories were beginning to appear in the press that suggested that 
pretexting could be a growing problem for businesses.  Cingular 
notified its customer service representatives to be on the lookout 
for pretexting and also to be especially diligent in verifying 
customers seeking account information.  But by midyear, we'd only 
received a handful of complaints about this.  We had 50 million 
customers.  The numbers just did not suggest that pretexting for 
call records was a widespread problem at that time.  However, near 
the end of the summer, a series of events changed all of that 
completely.  EPIC, a leading privacy organization, notified the 
FTC and the FCC that they had identified more than 40 websites 
that were offering to sell phone records for a fee.  Soon a few, 
and then dozens of newspaper and television stories appeared, 
reporting that it was indeed possible to obtain records easily 
from these websites for a fee. 
At the same time, Cingular Wireless was investigating to see how 
this could possibly be happening.  We looked for internal leaks 
because how else could you explain the absolute certainty with 
which these websites offered to get your records.  It just did 
not seem possible that pretexting could be the foundation for so 
many Web site businesses.  
Without yet knowing exactly how they were obtaining records, we 
changed our policies such that no call detail could be given out 
over the phone to anybody, even a verified caller.  At the same 
time we filed lawsuits, first against LocateCell.com then, 
against, E-findoutthetruth.com.  We've since filed a total of 
6 lawsuits against more than 30 corporate and individual 
defendants, including 5 of the data brokers who appeared before you 
in June.  
By the end of 2006 our litigation was beginning to give us some 
insight into how the pretexters were operating.  We hired an ex-data 
broker to come to Atlanta, we got a firsthand account of specific 
ruses that had been used to pretext against us.  We used that 
information to create very real examples and a newly revamped 
training course for our service reps.  
A few months ago we engaged an ethical hacking firm to conduct 
planned pretexting attacks against us so we could evaluate the 
efficacy of that training, and we used the results of that to 
improve our training.  
Cingular has always been aware of and focused on its obligation to 
protect the privacy of customer records.  To secure information we 
employ a wide variety of technological, procedural, and physical 
safeguards to protect it, and we design them to be appropriate for 
the sensitivity of the information that's at hand.  
We have a privacy team that monitors new legislation and designs 
compliance programs, we have a physical security organization, we 
have an IT security organization.  We have a cross-departmental 
organization that looks at every aspect of security across the 
company.  It evaluates procedures and processes, then recommends 
improvements where it's needed.  Our internal audit department 
regularly performs audits of specific channels in the company 
that have sensitive information.  
As we continue to evaluate, refine, and improve our services, 
our security, we are mindful not only that it must be appropriate 
for the sensitivity but also we have to balance it with customers' 
convenient access to their own information, enable them to continue 
to get good customer service, and not, for example, hamstring 
them with another password that many would rather do without, a 
mandatory password.  
We know that this fight will never be over.  The data thieves will 
always be out there and continually evolving their methods of 
getting at our records.  We will be continually evolving our 
defenses to protect our records.  Cingular will always be committed 
to protecting the privacy of its customers' information.  Thank 
you. 
MR. WHITFIELD.  Thank you, Mr. Meiss. 
[The prepared statement of Thomas Meiss follows:] 


PREPARED STATEMENT OF THOMAS MEISS, ASSOCIATE GENERAL COUNSEL, 
CINGULAR WIRELESS 

MR. WHITFIELD. Mr. Wunsch, you're recognized. 
MR. WUNSCH.  Chairman Whitfield, Ranking Member DeGette. 
MR. WHITFIELD.  Be sure and turn your microphone on.  
MR. WUNSCH.  Thank you for the invitation to testify before the 
subcommittee today.  My name is Charles Wunsch and I'm the Vice 
President for Corporate Transactions and Business Law for Sprint 
Nextel Corporation.  I ask that my full written statement be 
entered in the record.  
I oversee Sprint Nextel's Office of Privacy.  We are proud of our 
privacy accomplishments at Sprint Nextel, given the difficulties of 
balancing the interests of customer privacy and customers' desire 
for easy access to their account information.  
Sprint Nextel devotes substantial resources to protecting the privacy 
of its customers' confidential information.  Consequently, Sprint 
Nextel views the stealing of customer information through 
pretexting as a wrong that should be stopped.  Sprint Nextel takes 
protecting customer information seriously.  
Providing protection for customer information is made difficult, 
however, by the need to balance the protection of the information 
against the customer's desire for ease of access to the information, 
all in a dynamic environment of technological and competitive 
change.  
Sprint's day-to-day practices reflect our commitment to protecting 
the security of our customers' private account information.  We 
understand that good information security cannot be achieved with 
any one safeguard, as human ingenuity is limitless.  This is why we 
are vigilant on all fronts. 
For instance, we retain customer information necessary for us to 
communicate with and bill our customers behind a series of firewalls 
and other intrusion protection systems.  We require our employees 
and contractors to abide by a code of conduct that requires them 
to safeguard confidential customer information.  Our thousands of 
care representatives who handle millions of transactions every 
month must constantly be on guard to distinguish genuine customer 
requests from efforts to steal information.  
Consequently, our representatives are trained to follow detailed 
authentication procedures when responding to customer requests 
relating to their accounts.  It is important to keep in mind that 
most customers demand fast and efficient customer service, yet 
customers often do not remember their pass codes.  Thus, Sprint 
Nextel's authentication procedures are designed to protect privacy 
while providing reasonably fast and efficient customer service.  
When it comes to call detail records or other customer proprietary 
network information, our company's policy is to allow access only 
to those Sprint Nextel employees or agents with a need to know.  
We continually modify our systems in response to changes in the 
industry and technology.  Right now we are in the process of 
combining our customer data bases into a new integrated billing 
platform, one that will include new, more robust customer 
authentication capabilities.  This is a massive undertaking.  
We believe the new system will be the single most important step 
to better protect confidential customer information while still 
meeting our customers' need for efficiency and convenience.  
Sprint Nextel encourages its customers to take specific precautions 
such as regularly changing their pass codes to protect their 
personal information from being accessed by others without their 
permission.  Despite all of these protections and the deterrent 
effect they produce, pretexters still try to obtain information by 
pretending to be people they are not.  They are skilled con artists 
who go to great lengths to circumvent carrier protections in their 
efforts to obtain personal information on their targets.  
We should all be clear on this point:  What pretexters are doing is 
wrong.  They should be stopped and punished.  To that end, Sprint 
Nextel has devoted substantial resources to combat the pretexters.  
We have taken aggressive legal action against companies we believe 
have fraudulently obtained, sold, or distributed our customers' 
personal account information.  Sprint Nextel filed lawsuits against 
three companies including former principals and employers of those 
companies that fraudulently obtained and sold customer information.  
In addition, Sprint Nextel has sent numerous cease and desist 
letters to other entities who have advertised their ability to 
obtain call detail records or other private customer information. 
We believe our efforts and those of other carriers and government 
agencies are helping to stop pretexting.  I appreciate the 
opportunity to appear before you today to share Sprint Nextel's 
perspective on its ongoing efforts to protect customer privacy and 
its efforts to combat the pretexting problem.  I would be happy to 
answer any questions.  
[The prepared statement of Charles Wunsch follows:] 

PREPARED STATEMENT OF CHARLES WUNSCH, VICE PRESIDENT FOR CORPORATE 
TRANSACTIONS AND BUSINESS LAW, SPRINT NEXTEL 

Summary of Major Points 
1.  Sprint Nextel appreciates the opportunity to share its views on 
protection of customer information and the problem of pretexting. 
2.  Sprint Nextel views pretexting as a wrong that should be 
stopped. 
3.  Sprint Nextel takes protecting customer information seriously 
and has received an award for its efforts. 
4.  Protecting customer privacy must be done in the context of 
customer demands for reasonable access to their account information. 
5.  Sprint Nextel protects customer information by implementing 
system protections combined with privacy training for appropriate 
employees.  
6.  Sprint Nextel encourages its customers to take actions to protect 
their information, such as frequently changing passcodes. 
7.  Sprint Nextel constantly reviews its privacy protections with 
the view to improving them. 
8.  To that end, Sprint Nextel has actively and successfully 
confronted pretexters through litigation and cease and desist 
letters. 

Chairman Whitfield, Ranking Member Stupak, thank you for the 
invitation to testify before the Subcommittee today.  I appreciate 
this opportunity to represent the third largest carrier in the 
wireless industry, Sprint Nextel Corporation.  I ask that my full 
written statement be entered into the record. 
My name is Charles Wunsch, and I am the Vice President for 
Corporate Transactions and Business Law at Sprint Nextel.  I oversee 
Sprint Nextel's Office of Privacy.  We are proud of our privacy 
accomplishments at Sprint Nextel given the difficulties of balancing 
the interests of customer privacy and customers' desire for easy 
access to their account information.  
Sprint Nextel devotes substantial resources to protecting the 
privacy of its customers' confidential information.  Our Corporate 
Security, Legal and Customer Care teams regularly evaluate existing 
safeguards to protect confidential customer information.  My 
testimony today is intended to condemn the activities of pretexters 
and tell you about some of the ways we protect our customers' 
privacy while still rendering quick and convenient service to our 
customers.  Providing additional protection for customer information 
is not difficult: the difficult part is balancing protection and 
the customer's desire for convenience in a dynamic environment 
of technological and competitive change.  The task is made more 
difficult by the ingenuity of those who would steal our customers' 
private information.  
For example, hypothetically we could implement an eighteen - digit 
passcode requirement before customers could access their calling 
records.  This act would make customer account information very 
secure --if anybody could remember and use it -- but I doubt anyone 
would.  Therefore, this extremely secure passcode would not serve 
the interests of many, if any, of our 50 million plus wireless 
customers and millions more of our wireline customers.  At Sprint 
Nextel we have sought to strike the proper balance between 
effective privacy protections and ease of access. 
Sprint Nextel has been recognized for having first-in-class data 
security.  In a June 2005 research report, the Aberdeen Group 
identified Sprint Nextel as the only telecommunications firm 
employing "Best Practice in Security for Governance in 2005." This 
award was based on Aberdeen Group's research involving 200 companies 
from various industries, known to be operating at best-in-class 
levels.  
	Sprint Nextel's day-to-day practices reflect our commitment 
to protecting the security of our customers' private account 
information.  We understand that good information security cannot be 
achieved with any one safeguard, as human ingenuity is limitless. 
 That is why we are vigilant on all fronts.  For instance, we retain 
customer information necessary for us to communicate with and 
bill our customers behind a series of firewalls and other intrusion 
protection systems.  Our certified information security specialists 
constantly work to enhance our information protection system as 
technology evolves.  
	We work hard to address the human element: customer care 
representatives are there to serve the customer's desires, so our 
thousands of care representatives must constantly be on guard to 
distinguish genuine customer requests from efforts to steal 
information.  We know from information obtained in litigation 
against data brokers that our efforts to train our customer care 
representatives to be on guard are effective.  We require our 
employees and contractors to abide by a Code of Conduct that 
requires them to safeguard confidential customer information.  We 
follow up by requiring them to take mandatory training on the 
protection of that information in accordance with the FCC's CPNI 
rules.    This training is required of all employees, including 
senior management. 
	We publicize through our website how we collect, use and 
secure customer information, to whom we disclose that information, 
and why (http:// www2.sprint.com/mr/consumertopic.do?topicId=680.).  
We regularly update our privacy policy and the consumer resources 
pointers on our website to answer frequently asked questions, 
address new issues, establish effective information protection 
practices, and advise customers how they can better protect their 
information.  We do the same thing through other channels, such as 
bill inserts.  
	Our customer service agents are trained to ask for passcodes 
and follow detailed authentication procedures when responding to 
customer inquiries or requests relating to their accounts.  It is 
important to keep in mind that most customers want fast and 
efficient customer service.  That is their primary concern.  Yet, 
customers often do not remember their passcodes.  Sprint Nextel's 
authentication procedures are designed to protect privacy while 
providing reasonably fast and efficient customer service. 
	When it comes to call detail records or other Customer 
Proprietary Network Information (CPNI), our company's policy, which 
goes beyond FCC requirements, is to allow access to the information 
only to those Sprint Nextel employees or agents with a "need to 
know."  For example, customer service agents need to view this type 
of information in order to service accounts or answer billing 
questions.  Customer service agents are trained to ask for a 
passcode during inbound calls.  If a passcode has not been 
established or the customer does not remember the passcode, the 
agent must obtain customer specific information before answering 
questions about the customer's account. 
	 We also contractually require our contractors and third 
party vendors to protect our customers' information, require them 
to take the same training our employees must take to protect 
customer privacy, and have threatened to terminate contracts for 
violation of those requirements. 
	We continually modify our systems in response to changes 
in the industry and technology.  Given heightened recent concerns 
over privacy, we've made data security a priority in our merger 
integration process.  In the process of combining our customer 
databases into a new, integrated billing platform, we're building 
new capabilities into that platform for authenticating persons who 
seek access to sensitive customer information.  Not only will we 
employ password protection for all customers, we will ask customers 
who forget their passwords to use shared secrets like "who was your 
second grade teacher?"  We will no longer employ private personal 
information that has become far too easy to obtain as one fall-back 
method to authenticate their identity and allow access to their 
confidential information.  
This is a massive undertaking that we will achieve through 
comprehensive systems.  We believe that those capabilities will be 
the single most important step to better protect confidential 
customer information while still meeting our customers' need for 
efficiency and convenience.  These changes, we believe, will give 
consumers the convenience they want while also providing the robust 
security they should have. 
	Sprint Nextel also encourages its customers to take 
specific precautions to protect their personal information from 
being accessed by others without their permission.  For example, 
Sprint Nextel's website recommends that customers regularly change 
passwords used to access account information on the Sprint.com web 
site or when calling customer care, and to select unique passwords 
to access voicemail messages on Sprint Nextel phones. 
	Despite all of these protections and the deterrent effect 
they produce, pretexters still try to obtain information by 
pretending to be people they are not.  They are skilled con artists 
who go to great lengths to obtain personal information on their 
targets in order to attempt to circumvent carrier protections.  We 
should all be clear on this point:  What pretexters are doing is 
wrong.  They should be stopped and punished.  
	Our Corporate Security department has never found it 
necessary to engage in pretexting, nor has it ever engaged others 
to pretext on Sprint Nextel's behalf.  We also do not believe that 
most pretexting is the result of dishonest employees.  Our Office 
of Privacy has found that instances of such activity are extremely 
rare, and when they have occurred, the employees involved have been 
disciplined or fired.  
	In addition to system and employee efforts already 
mentioned, Sprint Nextel has devoted substantial resources to combat 
the pretexters.  We have taken aggressive legal action against 
companies that we believe have fraudulently obtained, sold or 
distributed our customers' personal account information.  Sprint 
Nextel filed lawsuits against three companies and an individual 
engaged in fraudulently obtaining and selling customer information 
and is actively considering additional lawsuits.  The three lawsuits 
filed are:   
 In January 2006, we sued 1st Source Information Specialists.  This 
company engaged in the practice of pretexting for quite some time, 
and refused to stop selling Sprint Nextel customers' call detail 
records even after being sued by others.  We ultimately obtained a 
permanent injunction against 1st Source, under which the company 
agreed to never again acquire, offer, sell or advertise the ability 
to obtain Sprint Nextel customer account information.  Just last 
month, we reached a settlement with 1st  Source and one of its 
principals.  Although this settlement closes the case with respect 
to the corporate entity and one of its officers, the case continues 
against individual defendants who are also believed to be 
responsible for pretexting.  
 Also in January 2006, we sued All Star Investigations, Inc. in 
Florida state court. Sprint Nextel quickly obtained a permanent 
injunction and reached a settlement with this company in June.  
Both parties are in the process of implementing this settlement 
now, and the defendant has turned over useful information 
concerning the pretexting business, information which we are using 
to improve our information security.  
 In March 2006, Sprint Nextel sued San Marco & Associates, another 
Florida-based firm.  This case is pending. 

In addition to these lawsuits -- which have required us to expend 
substantial time and money- Sprint Nextel has sent scores of cease 
and desist letters to other entities who have advertised their 
ability to obtain call detail records or other private customer 
information.  While we continue to identify companies engaged in 
pretexting, our experience is that the problem is less widespread 
today than it was one year ago even as reports of past pretexting 
continue to arise.  Together with Congress, the Federal Trade 
Commission, the Federal Communications Commission, state Attorneys 
General, and the rest of the telecommunications industry, we have 
sent a message, loud and clear, that this fraudulent behavior will 
not be tolerated. 
I appreciate the opportunity to appear before you today and share 
Sprint Nextel's perspective on its on-going efforts to protect 
customer privacy and its efforts to combat the pretexting problem.  
I would be happy to answer any questions. 

MR. WHITFIELD.  Mr. Schaffer, you're recognized for 5 minutes. 
 	MR. SCHAFFER.  Thank you, Chairman Whitfield.  
Chairman Whitfield and members of the subcommittee, thank you for 
the opportunity to address this critically important topic of 
protecting customer information.  I commend you for your 
leadership in addressing the problem that jeopardizes the privacy 
of your constituents and our customers. 
My name is Gregory Schaffer and I am the Chief Security Officer at 
Alltel.  I joined the company in 2004 with substantial experience 
in information security issues.  Not only have I served as a 
director in the cyber crime prevention and response practice at 
PriceWaterhouseCoopers, but I previously prosecuted computer hacking, 
illegal wiretaps, and economic espionage while at the Department of 
Justice.  I was recruited by Alltel to organize and expand existing 
security resources into an enterprise security operation.  
Before I discuss how we protect our customers' records let me 
briefly tell you about Alltel.  Alltel is headquartered in Little 
Rock, Arkansas, and owns and operates a wireless network that covers 
more than half of the continental United States.  Our base of 
approximately 11 million customers, located primarily in rural 
America, is smaller and more diffuse than the national carriers.  
Nonetheless, Alltel faces the same security challenges that confront 
our competitors.  We have chosen to address those challenges 
aggressively by implementing strong data security policies, 
procedures and technologies.  Alltel takes the threats presented by 
pretexters very seriously.  
Although actions by the FCC, FTC, and the State attorneys general 
have caused some data brokers to close up shop, others continue to 
try to find ways to gain access to customer records.  But data 
brokers are not the only ones doing this.  Pretexting by ex-spouses, 
hackers, or so-called friends continue to be problematic. 
Alltel spends considerable time focusing on and understanding, 
anticipating, and attempting to prevent current and future threats 
to customer data.  To that end Alltel constantly evaluates its data 
security and customer validation methods to balance the data 
protection with our commitment to providing consumers with timely 
access to their account information, wherever they are, and however 
they contact us.  However, if our security measures become too 
complicated, it may cause real customers to be denied access to 
their information when they need it.  
As subcommittee staff knows, Alltel adopted an enterprise information 
security policy framework that establishes both the chief security 
officer position and the enterprise security office.  That office 
has over 100 full-time employees and is Alltel's one-stop shop for 
security and privacy issues.  It is responsible for defining and 
executing Alltel's enterprise information security program.  
By creating a senior executive position and a special office to 
focus exclusively on security and privacy issues, Alltel has shown 
its commitment to give data security the highest level of attention 
and resources.  Alltel also invests in technology to ensure that it 
protects customer data not just from pretexters but also from hackers 
and other threats.  For example, we are in the process of 
implementing, at substantial cost, security solutions that will 
encrypt data stored on laptops and on backup tapes to protect 
against theft or accidental loss.  
Many of the security measures that we use to verify customer 
identity were deployed well before the recent publicity about 
pretexters.  Indeed, we continuously refine our processes to respond 
to new threats.  For example, in 2005 we prohibited our call 
centers and retail stores from faxing call detail records 
internally.  Likewise, Alltel does not provide call detail 
information over the phone or by fax in response to a call center 
request.  We have also implemented strict authentication procedures 
for customers, employees, and agents.  Finally, Alltel offers 
password protection for home access to customer billing information. 
Of course our employees are still our first line of defense in 
defeating pretexting; therefore, we have taken steps to prevent 
employees from deliberately or accidentally releasing records to 
unauthorized persons.  
First, an employee's network access is restricted to the 
applications and customer information necessary for job 
performance.  
Second, all Alltel employees and agents receive information security 
training, including training on identifying pretexting tactics. 
Third, customer service supervisors randomly monitor customer 
service calls to ensure that proper security procedures are 
followed.  
Fourth, we make our employees aware of pretexting methods by placing 
notices on our intranet net portal and through e-mails.  Employees 
who are found to have violated Alltel policies are disciplined and 
may be terminated.  
In conclusion, although carriers must take steps to prevent 
pretexting, we cannot completely eliminate the practice without 
making it extremely difficult for real customers to obtain their 
account information.  Therefore, Alltel strongly supports 
Congress' effort to criminalize the fraudulent actions of the 
pretexters.  
Alltel remains committed to protecting customer information while 
providing the highest levels of service.  I look forward to 
continuing to work with the members of the subcommittee to combat 
the security threats posed by pretexters.  
Thank you for the opportunity to testify today.  
MR. WHITFIELD.  Thank you, Mr. Schaffer.  
[The prepared statement of Greg Schaffer follows:] 


PREPARED STATEMENT OF GREG SCHAFFER, CHIEF SECURITY OFFICER, ALLTEL 
WIRELESS 


MR. WHITFIELD.  Mr. Holden, you're recognized for 5 minutes.  
MR. HOLDEN.  Chairman Whitfield, members of the subcommittee, I am 
Michael Holden, Senior Counsel from Verizon Wireless.  I thank you 
for the opportunity to appear before this subcommittee to address 
your concerns about data pretexting.  I cannot emphasize enough how 
seriously Verizon Wireless takes the issue of consumer data theft 
and fraud.  The protection of our more than 54 million customers' 
private information is extremely important to us and we are doing 
all that we can to protect this data from those who seek to steal 
it.  
What we have done falls into three basic categories:  
First, we have sued and obtained injunctions against pretexters and 
 so-called data brokers.  In fact, we were the first to sue a 
pretexter over the theft of cell phone records in a case we filed 
over a year ago.  These lawsuits are important.  Not only do they 
target the bad guys but they also allow us to obtain information 
that helps us learn more about the fraudulent and deceptive 
techniques used against us and thereby improve our defenses against 
these attacks.  
Just yesterday we filed the John Doe complaint in Federal court in 
New Jersey to determine who pretexted Verizon Wireless customers in 
connection with the HP matter.  After we identify them we will 
seek an injunction against any further attacks, as well as monetary 
damages.  This is exactly how we have responded to other pretexting 
attacks against Verizon Wireless and our customers.  We identify the 
bad guys and then we go after them.  
The second thing we do is team with many law enforcement agencies, 
from State attorneys general to Federal prosecutors, to combat data 
thieves.  We have taken the lead role in partnering with law 
enforcement.  
Third, we have taken a hard look at our own internal safeguards to 
protect customer information and we have made improvements.  We 
train our employees, especially our customer service representatives 
on the importance of protecting customer data and on the 
sophisticated schemes used by data thieves to prey on them.  
This training takes many forms--face-to-face, online training 
modules, e-mail messages, alerts and so on--but all of it is 
designed to raise awareness and prevent our reps from being the 
next victim.  
We also have rules in place to make it harder for thieves to 
steal information.  No faxing or e-mailing of phone records, no 
disclosure of particularly sensitive information such as Social 
Security numbers, credit information to anyone, even the verified 
account holder; and customers have the option of placing a billing 
system pass code on their account which will then be required for 
access to the account over the phone, in the store, or online.  We 
have also upgraded the security of our online system.  
Now, in addition to the normal verification process, whenever an 
online account is established, or if the customer forgets the 
password, a temporary password is sent to the customer and that 
password must be input into the Web site to gain access, and a 
challenge question such as "Who was your favorite high school 
teacher?" Is associated with online accounts.  
Data thieves prey on the instinct of wireless carriers to help 
customers and to provide the best possible customer service.  They 
use trickery, deceit, and cunning to steal our customers' private 
information.  That is why Verizon Wireless has gone to such great 
lengths to educate its reps about data theft and improve the 
security of its online systems.  That is why we have taken 
aggressive legal action against the bad guys.  
In the end, our challenge is to screen out the relatively few 
pretexting calls to customer service while providing the best 
customer service to the over 100 million legitimate customer service 
calls we receive each year.  We share your concerns about this 
problem and are doing all that we can each day to prevent these 
thieves from stealing our customer data.  
Thank you for the opportunity to appear before you today and I'm 
happy to answer any questions.  
MR. WHITFIELD.  Thank you, Mr. Holden. 
[The prepared statement of Michael Holden follows:] 


PREPARED STATEMENT OF MICHAEL HOLDEN, LITIGATION COUNSEL, VERIZON 
WIRELESS 


MR. WHITFIELD.  Ms. Venezia, you're recognized for 5 minutes.  
MS. VENEZIA.  Thank you, Mr. Chairman.  
Good afternoon, Mr. Chairman, and distinguished members of the 
subcommittee.  My name is Lauren Venezia and I am Vice President and 
Deputy General Counsel of T-Mobile USA, Inc. Thank you for the 
opportunity to appear today.  
We at T-Mobile take seriously the protection of our customers' 
information.  Pretexters exploit what we have worked hard to 
achieve:  award-winning customer service.  Pretexters defraud us 
and our customers.  We are determined to combat pretexting through 
legal action and our internal policies, practices, and training.  
As the fourth largest and one of the fastest growing wireless 
carriers in the United States, T-Mobile has distinguished itself 
in the marketplace by dedicating itself to excellent and responsive 
customer service.  We are proud that JD Power and Associates 
recognized us four times in a row for the highest-ranked wireless 
customer service performance.  
In the highly competitive wireless industry, premier customer 
service, including the protection of customer information, is 
essential to retaining and attracting customers.  Consumers expect 
and deserve a high standard of care in the treatment of their 
private information.  
We agree with the subcommittee, the FCC, and the FTC that fraudulent 
data brokers must be stopped.  We have taken decisive action against 
these unscrupulous data brokers in several ways.  We investigate, 
pursue, and sue data brokers to force them to cease their 
fraudulent activities.  When we determined that data brokers were 
preying on us and our customers we issued cease and desist demands.  
When data brokers failed to comply with those demands, we took them 
to court and obtained restraining orders and permanent injunctions 
against five data brokers and their owners or principals.  
In the course of these lawsuits we learned firsthand how pretexters 
work, and we share that hard-won knowledge with our service 
representatives to help them defeat pretexters.  
We also have in place multiple internal mechanisms, policies, and 
safeguards designed to protect customer information.  From our most 
senior executives to our service representatives, we are committed 
to the privacy of customer information.  We have an Information 
Security and Privacy Council that consists of some of our most 
senior executives, including several chief officers of T-Mobile.  
The Council provides overall direction and guidance for T-Mobile's 
information, security, and privacy protection strategy.  Reporting 
to the Council is a leadership team that includes our principal 
privacy officer and leaders of our information security units.  
This leadership team works with managers from across T-Mobile's 
technical and business units to implement privacy and security 
policies in a unified and consistent way.  
Let me give you an example of how this Council and its leaders work 
to address issues relating to pretexting.  Following the recent 
pretexting activities of data brokers, we strengthened our policies 
prohibiting our customer service representatives from providing 
detailed call record information over the phone, even to those 
callers who properly authenticate themselves.  Instead, these 
records are sent only through the mail to the billing address on 
file for the customer.  
More generally, we use an array of technical, procedural, and 
physical tools to safeguard our customers' information.  We actively 
audit our privacy measures and investigate alleged violations of 
those measures.  We also train all of our more than 30,000 employees 
on privacy and security policies.  We have expanded our training on 
security and privacy to meet the challenges that pretexters and 
other fraudsters impose.  Employees face disciplinary action up 
to and including termination for failing to follow those policies 
and procedures.  
This training is especially important for T-Mobile's customer 
service representatives.  T-Mobile's customers should continue to 
have convenient and easy access to real people, our service 
representatives, for assistance with their accounts.  We train our 
service representatives to provide outstanding service while 
protecting customers' information.  
Mr. Chairman, legislation to criminalize the activities of pretexters 
and those who hire them is essential to stopping pretexting.  We will 
continue our effort to stamp out pretexters but, without legislation 
to deter them, these fraudsters likely will continue inventing new 
schemes to try to circumvent our efforts.  
We have publicly enforced Federal legislation that would create 
tough new laws directed at the pretexters to criminalize the sale 
or acquisition of wireless phone records without a customer's 
consent.  We at T-Mobile share the committee's concerns about 
pretexting activities of data brokers.  We look forward to working 
with Congress, the FCC, and the FTC to stop these pretexters.  
This concludes my statement, Mr. Chairman and members of the 
subcommittee.  Thank you, again, and I would be happy to answer 
any questions that you may have.  
MR. WHITFIELD.  Thank you, Ms. Venezia. 
[The prepared statement of Lauren Venezia follows:] 


PREPARED STATEMENT OF LAUREN VENEZIA, DEPUTY GENERAL COUNSEL, 
T-MOBILE USA 


MR. WHITFIELD.  Ms. Boersma, you're recognized for 5 minutes.  
MS. BOERSMA.  Good afternoon, Chairman Whitfield, Ranking Member 
DeGette, and members of the subcommittee.  On behalf of U.S. 
Cellular, thank you for the opportunity to appear before you today 
to discuss our company's effort to prevent the theft and illegal 
sale of phone records by data brokers.  
I am Shelly Boersma, Vice President of Customer Service at U.S. 
Cellular.  One of my primary responsibilities is to make sure that 
all of our customer service associates are committed to and 
effective at safeguarding our customers' privacy in every 
interaction.  U.S. Cellular is a Chicago-based wireless carrier 
serving more than 5.7 million customers in 26 States.  While we 
are clearly not the largest company to address you today, we are 
pleased to participate on this panel because customer satisfaction 
is the basis of everything we do at U.S. Cellular.  We have a 
longstanding belief that our customers' experience is truly more 
important than the products that we sell, and this belief is 
instilled in every one of our associates.  
At U.S. Cellular a key component of customer satisfaction is earning 
and maintaining our customers' trust.  We, like the wireless 
industry in general, take this responsibility very seriously and go 
to great lengths to protect our customers' privacy.  
The recent increased attention to pretexting has clearly underscored 
the responsibility wireless carriers face when maintaining customer 
records.  In fact, our home State of Illinois enacted a new law this 
past July making it a criminal offense to use identification 
information of another person pretending to be that person for the 
purpose of gaining unauthorized access to personal information.  We 
hope the new Illinois law will significantly deter pretexting by 
criminals, data brokers, and other miscreants.  
As a wireless carrier we recognize our obligation to implement 
safeguards to protect our customers' call records, a mandate found 
in Section 222 of the Communications Act.  We take this obligation 
to heart and address it in our Business Code which all associates 
are required to live by.  
We further reinforce the importance of privacy in regularly 
scheduled training sessions with associates.  In fact, we 
specifically instruct our associates to protect the customers' 
information the way you would want your own to be protected.  Our 
policy requires our associates to screen all individuals requesting 
records or other personal information to verify that the person is 
in fact the account holder or an authorized party by the account 
holder.  
We offer our customers the option of establishing a unique password 
to protect their account data.  I should emphasize that any 
associate who fails to adhere to U.S.  Cellular's customer privacy 
and verification policy is subject to immediate termination.  
At the present time U.S. Cellular does not provide online access to 
accounts, so digital pretexting, the process of illegally accessing 
customer information online, has not been an issue for us.  We are, 
however, actively exploring offering such electronic access as an 
added convenience to our customers.  If and when we do establish 
online accounts, we will do so only by implementing safeguards 
consistent with best industry practices.  
In January of this year, addressing media reports about the improper 
brokering of cell phone records, U.S. Cellular's Executive Vice 
President and Chief Operating Officer took immediate action to 
reaffirm the companywide commitment to data security.  A memo 
entitled "Protecting our Customers' Privacy" was issued to all 
customer associates, reminding them of their obligation to protect 
customer private information.  
In addition, since January of 2006, U.S. Cellular has implemented 
the following safeguards to protect customer privacy:  
We have ceased providing consumers with copies of past due bills by 
fax. 
We have ceased the practice of allowing associates to disclose their 
company ID number to outside callers.  
And effective October 2nd, U.S. Cellular will no longer provide any 
call detail information over the phone.  
I should also mention that U.S. Cellular does not currently use CPNI 
for any purpose requiring customer notice or consent under FCC rules. 
 We do not at present engage in any out-of-category marketing.  
Finally, while U.S. Cellular has not today filed suit against 
data brokers that may have engaged in unlawful pretexting, we have 
not ruled out doing so in the event that it appears necessary or 
appropriate to take legal action of that kind to protect the privacy 
of our customers' personal information.  
On behalf of U.S. Cellular, thank you for the opportunity to appear 
before you today.  I would be pleased to respond to your questions.  
MR. WHITFIELD.  Thank you, Ms. Boersma.  Thank you for all of your 
testimony. 
[The prepared statement of Rochelle Boersma follows:] 

PREPARED STATEMENT OF ROCHELLE BOERSMA, VICE PRESIDENT FOR CUSTOMER 
SERVICE, U.S. CELLULAR 

Good morning Chairman Whitfield, Ranking Member Stupak and members 
of the Subcommittee.  On behalf of U.S. Cellular, thank you for the 
opportunity to appear before you today to discuss our company's 
efforts to prevent the theft and illegal sale of phone records by 
data brokers. 
I am Rochelle Boersma, Vice President of Customer Service at U.S. 
Cellular.  One of my primary responsibilities is to make sure that 
all of our customer service associates are committed to and 
effective at safeguarding our customers' privacy in every 
interaction. 
U.S. Cellular is a Chicago-based wireless carrier, serving more 
than 5.7 million customers in 26 states.  We were established in 
1983, and last year reported service revenues of $2.8 billion. 
While we are clearly not the largest company to address you today, 
we are pleased to participate on this panel because customer 
satisfaction is the basis of everything we do at U.S. Cellular.  
We have a long-standing belief that our customers' experience is 
truly more important than the products that we sell, and this 
belief is instilled in every one of our associates. 
At U.S. Cellular, a key component of customer satisfaction is 
earning and maintaining our customers' trust.  We, like the wireless 
industry in general, take this responsibility very seriously and 
go to great lengths to protect our customers' privacy. 
The recent increased attention to "pretexting" has clearly 
underscored the responsibility wireless carriers face when 
maintaining customer records.  In fact, our home state of Illinois 
enacted a new law this past July, declaring that a "pretexter" 
commits the criminal offense of identity theft if he or she uses 
the identification information of another person to pretend to be 
that person for the purpose of gaining unauthorized access to 
personal information.  
We believe and hope the new Illinois law will significantly deter 
pretexting by criminals, data brokers and other miscreants. 
As a wireless carrier, we at U.S. Cellular are of course already 
obligated to implement safeguards to protect our customers' call 
records - a mandate found in section 222 of the Communications Act.  
Section 222 specifically provides that telecommunications carriers 
must protect the confidentiality of customer proprietary network 
information - known as CPNI.  As all of you are surely aware, CPNI 
includes, among other things, customers' calling activities and 
billing records.   We believe that existing FCC customer privacy 
rules are appropriately stringent, and that they require carriers 
like U.S. Cellular to uphold their customers' privacy. 
We take this obligation to heart, and address it in our Code of 
Business Conduct - which all associates are required to live by.  
We further reinforce the importance of privacy in regularly 
scheduled training sessions with associates.  In fact, we 
specifically instruct our associates to, "Protect the customer's 
information the way you would want yours to be protected." 
Our policy requires our associates to screen all individuals 
requesting records or other personal information to verify that 
the person is, in fact, the account holder or a party authorized 
by the account holder.  We offer our customers the option of 
establishing a unique password to protect their account data.  
Similar procedures exist for business accounts. 
I should emphasize that any associate who fails to adhere to U.S. 
Cellular's customer privacy and verification policy in accessing a 
customer's account and disclosing personal information is subject to 
immediate termination. 
At the present time, U.S. Cellular does not provide online access to 
customer accounts, so digital pretexting - the process of illegally 
accessing customer information online - has not been an issue for 
us.  We are, however, actively exploring offering such electronic 
access as an added convenience to our customers.  If and when we do 
establish online accounts, we will only do so by implementing 
safeguards consistent with best industry practices. 
In January of this year, addressing media reports about the improper 
brokering of cell phone records, U.S. Cellular's Executive Vice 
President and Chief Operating Officer emphatically reaffirmed our 
company-wide commitment to data security  by issuing a memo to 
associates titled "Protecting our customers' privacy."  
The memo noted that U.S. Cellular "always had security measures in 
place to protect our customers' privacy, [but] recent events 
present . . . an opportunity to review our Customer Service 
Verification Policy."  
The memo further notes that "Our customers depend on us to be their 
first line of protection, so it is important that everyone, whether 
in Customer Service, Sales or Financial Services, be thoroughly 
aware of these safety measures, [and] follow them consistently." 
In addition, as of January 2006, U.S. Cellular ceased providing 
consumers with copies of their past bills by fax - even if the 
customer persistently requests them. Instead, if a consumer 
requests past copies of his or her bill, we would only mail the 
records to the billing address listed on their account.  
U.S. Cellular has also ceased the practice of allowing employees 
to disclose their company ID number to outside callers.  We 
discontinued this practice in order to prevent pretexters from 
obtaining customer information by pretending to be authorized 
representatives of the company. 
One further change, effective October 2, 2006, U.S. Cellular will 
no longer provide any call detail information over the phone, even 
if a customer's identification is fully verified.  Such information 
 will only be mailed to the existing billing address. 
I should also mention that U.S. Cellular does not currently use CPNI 
for any purpose requiring customer notice or consent under FCC 
rules.  We do not, at present, engage in any "out of category" 
marketing. 
Finally, while U.S. Cellular has not to date filed suit against data 
brokers that may have engaged in unlawful pretexting, we have not 
ruled out doing so in the event that it appears necessary or 
appropriate to take legal action of that kind to protect the 
privacy of our customers' personal information.  
On behalf of U.S. Cellular, thank you for the opportunity to appear 
before you today.  I would be pleased to respond to your questions. 

MR. WHITFIELD.  Ms. Boersma, what is out-of-category marketing?  
MS. BOERSMA.  In category would mean talking to our customers about 
the wireless services that we have available for them, so educating 
them to the services that we have.  We specifically talk to our 
customers only.  
MR. WHITFIELD.  Okay.  I'm sure all of you heard the testimony of 
Mr. Byron on the second panel.  What is your policy--I mean, if you 
notice some irregular activities, a lot of calls about one 
particular account, and you call Mr. Byron--would most of you call 
him and ask what's the problem here?  Or once you discover there is 
problem, what is your specific procedure in dealing with that 
customer when it's clear that someone has been involved in 
pretexting their account?  
Would anyone like to respond?  Do you have a specific procedure in 
place to deal with Mr. Byron's situation?  
Mr. Meiss.  
MR. MEISS.  I have to say in every one of our cases where it has 
been detected, it has been the customer that's told us.  We can do 
an investigation.  
MR. WHITFIELD.  What do you all normally do when a customer calls 
you and says we have a problem?  
MR. MEISS.  When we have a problem with pretexting?  
MR. WHITFIELD.  If they called and said someone has been trying to 
get my records.  
MR. MEISS.  We investigate that and if the record indicates that it 
looks like that's what was happening, we file suit; we find out who 
did it, if we can find out.  In every case to date, where we have 
been able to find out who did it and whose records were taken, we've 
filed a lawsuit. 
MR. WHITFIELD.  How do you find out who did it?  
MR. MEISS.  The cases where we found out, we've been told who did 
it.  We got an indication from yesterday's hearings who got one of 
our records and we filed a lawsuit against them this morning.  
MR. WHITFIELD.  If I'm a pretexter--and we've had some pretexters 
testify and they're all quite good at what they do.  They're very 
good; I mean very good.  When they call in, most of them will talk 
to a customer service representative and they just get the 
information.  Do you have any technology in place that would be 
able to track where the call is coming from?  
MR. MEISS.  We're looking into that now.  Technologies are different 
at every company and it depends on how the call comes in, whether 
it goes through a call router or through an IVR.  That can make it 
virtually impossible to track the number.  
MR. WHITFIELD.  I get the sense, I mean I know you're focused on 
prevention which we commend you for, I get the sense that once it's 
occurred, there's not a lot of effort made or not a lot of resources 
available to assist the customer who's had the problem.  Is that a 
fair characterization of the situation?  
MR. MEISS.  I wouldn't say it's fair.  
MR. HOLDEN.  Mr. Chairman, when we at Verizon Wireless have become 
aware of instances where there's possibly unauthorized access, a 
possible pretexting attack, we have been able to track down who 
the pretexters were.  
MR. WHITFIELD.  You have been able to.  
MR. HOLDEN.  We are often able to capture the caller ID of the 
person making the phone call, and sometimes we can make a connection 
between the caller ID and the person who is making the call because 
it's publicly available.  Sometimes we need to serve subpoenas on 
another phone company to determine who it is.  But we have in the 
past been able to track down with law enforcement.  
MR. WHITFIELD.  When you track them down, what happens next?  
MR. HOLDEN.  Then we gather as much information as we can on that 
particular pretexter.  We have in the past sent out notices to our 
representatives to be aware of particular types of schemes if they 
see it, or be aware of particular caller IDs if they see it; to 
record the call and to bring it all to our attention.  We then have 
a package of information that we have.  We have the calls we're 
getting from a particular caller ID.  We will have recordings of 
those phone calls at times, and then commence civil suits and work 
with law enforcement to go after these guys.  
MR. WHITFIELD.  My understanding is your companies perhaps--and many 
companies today do outsourcing to India and elsewhere--and these 
customer representatives calls, customer service calls, go into 
these centers; and it would appear to me it may be more difficult 
to train someone in India to deal with pretexting perhaps.  
Am I accurate in that?  Or do you have outsourcing of your customer 
service business, or is it done here in the U.S.?  Mr. Meiss, what 
about your company?  
MR. MEISS.  We have both, and they get the exact same training.  We 
have no evidence that there's any difference between the two.  
MR. WHITFIELD.  Mr. Wunsch.  
MR. WUNSCH.  We have third-party vendors, primarily in the United 
States, that we provide training to; and they have contractual 
obligations and system protections on how we protect the 
information.  
MR. WHITFIELD.  How many of you outsource this outside the country 
to deal with this issue?  
MR. HOLDEN.  At Verizon Wireless we do not.  
MR. WHITFIELD.  I'm not saying there is anything bad, I'm just 
curious.  
MS. VENEZIA.  At T-Mobile USA, we do have some outsourcers located 
in both the United States and in Canada.  
MR. WHITFIELD.  Right.  Now it seems to me the most effective way to 
deal with this, since most of this pretexting is done on the phone 
talking to a customer service representative, is just refuse to 
send out any records or give out any records; just mail it to the 
address.  How many of your companies take that position?  
Okay.  So on this panel no one will give out verbally anything 
about phone records over the phone except Mr. Holden's company; 
is that correct?  
MR. HOLDEN.  Yes, we do continue to give out some information on 
phone records over the phone, to answer a customer's questions on 
a particular phone bill.  
MR. WUNSCH.  Mr. Chairman, we will not voluntarily give out 
information about the record, but if the customer raises a dispute 
on a specific item we will discuss that information over the phone 
with the customer.  But in terms of a request, as happened to the 
gentleman on the prior panel requesting all that information, it 
would be mailed to his address of record and would not be disclosed 
over the phone.  
MR. SCHAFFER.  That's consistent with what Alltel does. 
MR. WHITFIELD.  So there's no chance any of your customer service 
representatives would sit there for an hour and talk and give phone 
numbers out to some person.  
MS. VENEZIA.  We have a strict policy against that.  
MR. WHITFIELD.  So it would never happen then, right?  
MR. MEISS.  I would never say that.  
MR. SCHAFFER.  It would be a violation of policy.  
MR. WHITFIELD.  It would be a violation of policy because you're not 
supposed to do it.  You're supposed to mail it if it gets into that 
situation, correct.  Now, if you do not do it on the phone and you 
only mail it to the address of the phone holder of these calls, what 
are some other schemes that pretexters can obtain this information, 
or is there any other scheme?  
MR. WUNSCH.  One of the things we've become aware of is pretexters 
will pretext the customer at home and pretend to be an industry 
representative and get the person to reveal who their phone company 
is, and then go through a series of questions designed to elicit 
all of the pass codes and other information necessary to then dial 
into that carrier's system and look exactly like a legitimate 
customer and get the records; and either do that through an online 
access or even go so far as change the billing address if they get 
all the information necessary.  
MR. WHITFIELD.  So they are now pretexting the individual.  
MR. WUNSCH.  They are pretexting the individual, then using that 
information to then come to us and, from our standpoint, it looks 
like a perfectly legitimate call into our systems.  
MR. WHITFIELD.  And are they exploiting Internet accounts as well; or 
do we know?  
MR. WUNSCH.  Yes, they are.  
MR. HOLDEN.  They certainly have in the past.  
MR. WHITFIELD.  Just one other question.  Quickly.  How many of you 
have filed lawsuits against some pretexters as a result of the 
Hewlett-Packard case?  And what was the legal theory for the 
lawsuit?  
MR. HOLDEN.  The Computer Fraud and Abuse Act, because that was the 
principal basis; also common law fraud and trespass and other 
theories.  We've never had a problem filing our complaints and 
alleging that this activity is illegal, at least on the civil side 
of things.  
MR. WHITFIELD.  You said computer fraud?  
MR. HOLDEN.  The Federal Computer Fraud and Abuse Act, because our 
investigation has revealed that in the HP instance, or in the 
instance of the pretexting relating to the HP investigation-- 
MR. WHITFIELD.  The remedy you were seeking was simply an injunction? 
MR. HOLDEN.  And damages.  
MR. WHITFIELD.  My time has expired.  I recognize Ms. DeGette for 10 
minutes.  
MS. DEGETTE.  Thank you, Mr. Chairman.  I just want to clarify for 
the record and also for your edification the status of the law right 
now.  Currently under the Federal Trade Commission regulations, 
folks can file a civil suit seeking injunctive relief, which many 
of you had testified that your companies do.  H.R. 4943, the missing 
bill referenced in our "Gone with the Wind" chart which apparently, 
according to the Chairman, has now been found and may be voted on 
today or tomorrow, allows also civil damages to be obtained by 
pretexters.  
H.R. 4709, the Judiciary bill we have been talking about the last 
few days, which passed the House last spring, is a bill that sets 
up criminal penalties as well as the civil penalties.  So I just 
want to ask all of you a little bit about this.  Do all of you think 
that it would be helpful to have legislation that allowed damages 
to be obtained, as well as injunctive relief, specifically for 
pretexting?  I understand you can seek damages for fraud and other 
causes of action, but specifically for pretexting?  
If we can have a show of hands.  Everybody.  Do all of you also 
think that it would be helpful to have criminal penalties?  
Everybody.  Good.  Excellent.  
So I'll just ask you, Mr. Meiss, because you're at the end, so you 
would think that this would add a tool to the arsenal that the 
companies have.  Why would that be?  
MR. MEISS.  Two things.  One is that when we sue somebody in a civil 
matter, the only people we can stop them pretexting against is us.  
That means that Verizon has got to sue, Sprint has got to sue, 
T-Mobile has got to sue.  You have before you the six largest 
companies, but there are hundreds of small rural carriers and 
they've got to do the same thing.  We have such efficiencies that 
they don't, and it uses up a lot of resources. 
 
The other thing is I don't trust these people at all.  We sue them 
in civil court, we win, they're going to do a shell game, set up 
new corporations, move over there and continue it.  They need to be 
in jail.  
MS. DEGETTE.  So if they have the criminal penalties as well, you can 
go after the individual who is doing the pretexting as well as any 
corporate entity.  
MR. MEISS.  Right.  
MS. DEGETTE.  Now Mr. Meiss testified that the problems that they've 
seen with pretexting at his company have been identified by the 
consumers.  And in the previous panel what we had heard from 
Mr. Byron is that the company identified the problem for him.  
So I'm wondering if we can briefly have each of you talk about, 
has your company been able to identify pretexting or attempted 
pretexting?  
Mr. Wunsch.  
MR. WUNSCH.  I don't have personal knowledge if our customer care 
reps have identified it.  I know they are trained to, and if they 
do detect it or if a customer reports it, then we investigate it 
through our Office of Privacy and through our internal security 
people.  
MS. DEGETTE.  You're not aware of any kind of standards that you 
have in place for your customer service representatives to identify 
certain patterns that would help them.  
MR. WUNSCH.  I know they look for those things.  I don't know what 
they are, personally.  
MS. DEGETTE.  Mr. Schaffer.  
MR. SCHAFFER.  We collect information from our customer service reps 
who think that there may be an issue, and my team in security 
investigates those matters and tries to figure out if in fact 
there was pretexting occurring.  Obviously, when it's successful 
pretexting, it means that the customer service rep was defrauded 
and usually those don't come to our attention.  But sometimes the 
customers do report them, and we learn about most of the cases 
that we know because the customer has reported an issue. 
MR. HOLDEN.  We have absolutely identified on our own, pretexters 
who are attacking us.  A good example is Global Information Group, 
who I know was before this committee back in June, where you tried 
to have a closed committee back in June.  We noticed a certain 
pattern of suspicious calls that were coming in from a particular 
number in Tampa, Florida.  We sent out a notice to our customer 
reps to be aware, bring it to our attention.  We got recordings of 
the calls, we looked into the volume, we traced who it was, and 
we sued them.  
MS. DEGETTE.  Did you then also notify your customers about the 
attempted pretexting?  
MR. HOLDEN.  Well, once we learned--eventually we did, because once 
we obtained discovery from Global Information Group, we sent out 
notices to our customers as to those customers whose confidential 
information was in the hands of Global Information Group.  
MS. DEGETTE.  Ms. Venezia. 
MS. VENEZIA.  We've had both instances where customers have come 
to us and told us that they believe that their information may 
have been pretexted, and in those instances we commenced an 
internal investigation.  We have an internal investigations group 
that falls under the law department, and they work closely with 
the principal privacy officer to understand how it may have 
occurred.  And if that leads us to sufficient information, then 
we will issue a cease and desist letter and initiate litigation 
against the data broker in that case.  
We also have had instances wherein our customer service 
representatives have identified suspicious activity in accounts, and 
they use the same path.  They will send information up into the 
investigations group, and the investigations group will look at 
the account activity to see if that is suspicious.  
The way that our customer representatives are able to do that is 
through our training program.  We have given them scripts that we 
have obtained through the litigation against data brokers so that 
they would be able to see the tactics that are used by these 
fraudsters, so that they would be able to identify, if they did 
see it, when they receive a call.  
MS. DEGETTE.  Do you have any idea of how many instances where that 
has happened? 
MS. VENEZIA.  I really don't have numbers with me but I know of a 
couple instances personally.  
MS. DEGETTE.  Ms. Boersma. 
MS. BOERSMA.  We have not detected any on our own at U.S. Cellular, 
any pretexting.  But we have had a few complaints that have come in 
from customers and they have been--it's a small number of accounts 
and generally it has been someone else who is also on the account 
but potentially not authorized for that level of information to 
be provided.  
MS. DEGETTE.  I guess what concerns me is the case of Mr. Byron who 
testified, who would have had no idea that he was being pretexted.  
He might have maybe found out by accident down the road, but at 
the time he would have had no idea that his records were being 
sought and given to somebody if the company hadn't caught that.  
It would seem to me, and perhaps--we have such a short period to 
question, but it would seem to me that would be an area that 
customer service telephone companies could really beef up their 
techniques because we have the scripts being given to the customer 
service representatives by Ms. Venezia's company.  That's good.  
But it would also seem to me you could put some precautions in 
place; for example, if you saw a number of inquiries coming in 
from a certain phone number--I think it was Mr. Holden or 
Mr. Schaffer who talked about that.  
I'm wondering if any of you could give an opinion to me as to 
whether you think that techniques could be developed that are better 
for identifying pretexting from a company perspective instead of 
waiting for the consumers to come up with it.  
MR. MEISS.  We're working on them.  It's like fraud detection; you 
analyze pattern.  
MS. DEGETTE.  Mr. Schaffer, you're nodding.  
MR. SCHAFFER.  Same here.  We have done some searches through our 
system to see if we can identify patterns within the traffic.  
Most of those searches haven't yielded the kind of information 
that would suggest that there was a problem, but there are some 
ways that you can search through the data that you have in an 
attempt to identify patterns:  lots of calls coming from the 
same number or lots of Internet traffic coming from the same IP 
address.  
MS. DEGETTE.  Thank you.  Now, I think it was Mr. Holden's company 
that still continues to give out information on the telephone; is 
that correct?  
MR. HOLDEN.  That is correct.  
MS. DEGETTE.  What's the rationale behind continuing that policy, 
given that most of the pretexters are getting their information 
in this manner?  
MR. HOLDEN.  And we are continuing to look at whether we should be 
doing that, but here's where we are right now.  We will give out 
information over the phone on a particular bill, because a customer 
often has questions about their bill.  Our customers, a lot of our 
customers don't receive detailed billing anymore, and they may have 
questions about why their bill is $55 instead of $50.  We feel we 
need to be able to answer those questions.  
That said, we have sent out numerous, numerous warnings and messages 
to our reps, and really trained our reps to watch out for the kind 
of behavior that pretexters engage in; which is, can you tell me 
the last hundred numbers that were called on this number?  That's 
a different story.  
MS. DEGETTE.  Right.  So at least for Verizon, you wouldn't assume 
that the kind of call that we heard about from Mr. Byron would be 
information that would come out.  
MR. HOLDEN.  Today it should not.  
MS. DEGETTE.  Thank you. 
MR. WALDEN.  [Presiding.]  I have got some questions I want to ask 
each of you and they shouldn't take too long.  
One is following up.  Mr. Holden, you talked about how customers may 
have a no-detail bill, basically.  Is that an option all of you 
provide to your customers, no detail on the bill?  Does anybody 
not?  That's probably easier.  
All right.  So I could call my provider and say I would like no 
detail on my bill and you'd do that.  Would that be flagged then, 
so--
MR. WUNSCH.  One clarification.  We offer plans that have no detail.  
I'm not sure on every one of our billing plans you could ask for 
the no-detail option.  I would have to check on that.  
MR. WALDEN.  All right.  That would be helpful.  In your customer 
service organizations, have any of you ever discovered an insider 
who is working for one of these pretexters, or somebody sort of 
bought off by one of these pretexters?  Anybody?  
MS. VENEZIA.  Not that I'm aware of.  
MS. BOERSMA.  No.  
MR. SCHAFFER.  We had one instance of an individual that we have 
now terminated and sued, who sent some very small number of customer 
records to a fax number that we did not know where that fax number 
was.  We have not yet gotten even an answer in that complaint. 
MR. WALDEN.  It's an issue you're pursuing.  You said earlier-- 
does anybody on the committee--or, I'm sorry--anybody on the 
panel, none of you fax out billing data; correct?  
MS. BOERSMA.  Correct.  
MR. WALDEN.  You mail it out.  Now, I'm a wireless subscriber, I 
have got one on each hip.  What if I call in and say gosh, I just 
moved, I meant to tell you that, I need you to change the address.  
And I'm actually pretexting.  What happens?  How do you know it's 
me?  
MS. BOERSMA.  I can tell you what we do at US Cellular.  What we are 
doing now is in going through the verification process upfront, 
one of the things we ask for is the zip code.  They provide the 
zip code to us and after that we say:  And can you tell us, have 
you moved in the last 30 days?  Once they say no--and we move on 
with the call.  And then if someone were to say to us, "And can 
you send me the call detail?" we say, we'll provide you with that 
but it's going to go to the account holder on record. 
MR. WALDEN.  What if I said yes, I have moved in the last 30 days?  
MS. BOERSMA.  If you said you had, we would change the address.  
Yes, we would, and also send a letter out that would indicate the 
address has been changed as a confirmation.  
MR. WALDEN.  Right.  If I'm pretexting Greg Walden and I say hi, 
I'm Greg Walden and I just moved, I need you to send my bill, must 
have gotten lost at the old address, forgot to put a forwarding 
statement in the mail, and gee, I just moved from Hood River, 
Oregon, I'm using a P.O. Box now, could you send me last month's 
bill, I don't want to lose my service.  
MS. BOERSMA.  What we have trained our associates to do is think 
that through.  We would say on the phone to them, "We would be 
happy to send that to you."  We would then confirm with the 
account owner we could get on the phone.  
MR. WALDEN.  But I am the account owner.  
MS. BOERSMA.  We could confirm with you that you had moved in the 
last 30 days.  
MR. WALDEN.  If I'm a really good pretexter, which I want to put on 
the record I'm not and don't intend to be, can I convince you my 
cell phone is dead, I don't want my cell phone to get cut off, 
here's my new address, call back the number, it's 202 whatever?  
MS. BOERSMA.  Certainly I can't say that that would never happen, 
but we have educated our associates so that they feel comfortable 
questioning and knowing that they should not be sending out any 
call detail records without confirming the address information.  
MR. WALDEN.  So when I sign up for an account, do I give you some 
sort of password or PIN number that would help?  
MS. BOERSMA.  What we use is the last four digits of the Social 
Security number and we also suggest that a customer also have a 
password associated with them.  And they can have multiple 
passwords on the same account so people have different authority 
levels.  Different passwords can be associated.  
MR. WALDEN.  How about the rest of you?  I don't have a ton of 
time.  Tell me how that scenario would play out in your companies. 
MS. VENEZIA.  For the bill?  
MR. WALDEN.  I'm pretexting; the whole process.  
MS. VENEZIA.  A customer would call in, it would need to be fully 
authenticated, so they would need to provide us with  two pieces 
of information about themselves; for example, their name and their 
mobile number.  And they would also have to provide either the 
password on the account, which is optional, or their default 
password.  
MR. WALDEN.  Odds are I might have already gotten the cell phone 
number and I know the name on the account.  
MS. VENEZIA.  You need those two pieces of information to look up 
the account in the first instance, so that's why-- 
MR. WALDEN.  Seems like it would be a hole in the process.  I don't 
want to give pretexters any ideas.  
MR. SCHAFFER.  Very similar response.  But we would not send any 
information to the new address, even if the customer was verified 
based on that call.  The customer would have to call back at a 
subsequent time.  We would only send it to an address on the 
account when the call comes in.  
MR. WALDEN.  But if I'm a pretexter, that's not a problem.  I called 
Verizon, what, 5,000 times?  
MR. SCHAFFER.  A little extra deterrence never hurts.  Passwords 
are available too.  
MR. WALDEN.  But it's optional.  
MR. WUNSCH.  On address changes there's an authentication 
procedure.  You have to give us the appropriate authentication 
answers, and then the address would get changed.  
MR. WALDEN.  Mr. Meiss.  
MR. MEISS.  The same.  There is an authentication procedure which 
would include a password, but on the mandatory password--we've had 
lots of discussions about this because we've been looking at this 
problem for a long time.  I often hear people say, I have a boring 
life, I don't care if somebody looks at my call records.  It's not 
like the conversation that happened yesterday here.  But it's the 
fact that they don't want another password.  They're going to stick 
it on the yellow sticky thing on the computer with the other 28 
of them.  
MR. WALDEN.  Let me ask you each one other question before my time 
runs out.  You have heard yesterday and today a lot of discussion 
on this committee about the legislation that is so beautifully 
portrayed on the poster.  I want to ask you if your companies 
support or have any objection to any portions of H.R. 4943.  
Can we just go down?  
MR. MEISS.  We support a law that would criminalize it, and I'm not 
familiar with the laws because I'm not in legislative.  
MR. WUNSCH.  We support the criminalization of the pretexting, but 
as far as the specifics of any bill, my government affairs group 
can handle that.  
MR. SCHAFFER.  We support the criminalization of pretexting and, 
again, the particulars of the rest of the bill.  
MR. HOLDEN.  We support the criminalization of pretexting.  
MS. VENEZIA.  I can save you some time, Chairman Whitfield. 
MR. WALDEN.  It's actually Walden.  I'm pretexting.  
MS. BOERSMA.  Same thing; we support it, the criminalization, and 
the sale of records as well.  
MR. WALDEN.  So do you all have your government reps here today 
behind you?  I wonder if they--well, all right.  It will be on the 
floor anyway, hopefully soon.  
I don't think I have any other questions at this time.  So I would 
yield now to my friend and colleague from the what used to be 
Oregon, Mr. Inslee. 
MR. INSLEE.  It has improved substantially. 
I wonder if each of you would provide us your company's position on 
H.R. 4943.  And the reason I say that is this has been a mystery for 
some period of time.  I have been working on this since January.  
I introduced a bill at the end of January.  We passed it here in 
March.  It has been in this abyss, this black hole, since then.  
And we are trying to figure out who has their foot on it.  And I 
think it would be helpful if your companies could provide us in 
writing your position on that bill so that when we pass it and it 
goes over to the Senate, we can see who doesn't have their foot on 
it.  And I think it would be helpful.  
Would any of you be unwilling to provide us your company's position 
on H.R. 4943?  I will just ask it that way.  So everyone has 
volunteered, and I would ask in the next week or so if you could 
provide us with, Chairman, and your company's position on that bill. 
 That is something we do want to get done.  
Let me ask you, does anyone have any concerns or comments about 
that?  I want to be fair to everybody.  
Okay, Mr. Meiss and Mr. Holden, you have indicated you have brought 
lawsuits in the recent past.  Could you tell us how your resistance 
were penetrated in those cases, if you know?  
MR. MEISS.  There was social engineering.  There was no hacking.  
So it was social engineering and it looked like it involved social 
engineering--it is probably changing over time.  Originally it was 
social engineering to get call details.  Since we don't do that 
anymore, now what they try to do is use social engineering to 
change passwords or remove passwords.  So that is, I think, the 
new tack. 
MR. INSLEE.  So you think that what they accomplished in the case 
that gave rise to the lawsuit you would stop now with your new 
procedures?  Is that what you think?  
MR. MEISS.  Right.  Right.  It should be stopped with those 
procedures.  I mention in my comments they are constantly going to 
be evolving and changing.  One silver lining to this whole thing is 
that as we are looking at new security measures to put in place, 
we bat back and forth, what are the pretexters going to do?  What 
are they are going to tell us?  What is their ruse?  How are they 
going to get around it?  This is something, awareness we didn't 
have a year ago we have now.  So I think that is good. 
MR. INSLEE.  Mr. Holden, can you give us any thoughts?  
MR. HOLDEN.  Sure.  I can think of two separate sets of examples, 
both of them somewhat historical, because even the pretexting suit 
we filed yesterday in connection with the HP investigation is still 
somewhat historical.  It is looking at activity in 2005 and in 
early 2006. 
In the HP investigation, it looks to, our investigations revealed 
that the pretexters made some calls to customer service, and then 
ultimately obtained unauthorized access on-line.  And that, for 
us, is the first time we have seen people obtain unauthorized 
access on-line.  
MR. INSLEE.  So the key that got it is some identifiable information 
to go on-line then through a different on-line system?  
MR. HOLDEN.  That is right.  My sense is that they were missing some 
key component, maybe the mobile number or something and they were 
trying to make pretexting phone calls to obtain that additional 
information, and then you know, obtain access on-line.  
MR. INSLEE.  I may put you all in a little bit of a spot here, but 
give you a chance to brag too.  Which of you thinks they have the 
best anti pretexting system?  And tell me why you think it is the 
best?  You have heard your competitors tell us.  Who thinks they 
have the best system and what advantage their system has over 
others?  
It is not a time to be humble.  We are looking for good ideas 
here.  No takers?  
MR. HOLDEN.  I will start with at least one aspect.  I think we, 
all the carriers have their way of doing it.  And we do learn from 
each other.  I actually think a panel like this is very helpful 
too, you sort of see what everybody is doing.  I think we have made 
some nice improvements to our on-line access system that have made 
it much, much, much more difficult for pretexters to get through. 
As an example, we, if you are registering for that system, 
after you put in the verification information, we then send a 
temporary password text message to the hand set and then that needs 
to be put into the Web site.  I think that makes it very difficult 
for somebody that doesn't have access to the handset to actually 
obtain on-line access. 
MR. INSLEE.  Got you.  I just want to make a closing comment.  We 
are putting obligations on you to protect our constituents' 
privacy.  And it is a little bit like requiring a thicker steel 
on the doors of the banks against criminals who want to do bank 
robbery.  But I think it is entirely appropriate.  And I look 
forward to your companies' helping us to get this bill through to 
have a more uniform system so that we can have the highest level 
of anti pretexting technologies in use. 
I think that is a fair obligation on the industry.  It does involve 
costs.  It does involve management challenges.  But it is a fair one 
given the fact of how important privacy is to get into the 
interconnected world.  So good luck.  Thank you. 
MR. WHITFIELD.  Gentleman from Michigan is recognized.  
MR. STUPAK.  Thank you, Mr. Chairman.  We were told that one of the 
ruses used by the HP's investigators involved pretending not to be 
a customer but to be sales representatives from the company.  And 
the person posing as a sales representative then called company 
headquarters to ask that the customer's password be deleted.  What 
safeguards have you instilled to prevent this technique from working 
again in the future?  Mr. Holden, do you want to start?  
MR. HOLDEN.  We had seen that as a pattern as well, in other words, 
a pretexter pretending to be a fellow employee and so we have 
really emphasized in our training of our customer service reps and 
other customer facing employees that they need to fully authenticate 
that customer and not to rely on the authentication of a fellow 
employee, because often they call up with somebody--they have all 
the information they need on the fellow employee, if you looked 
them up on an org chart or something, the person would like 
genuine. 
MR. STUPAK.  Anyone else want to comment on that?  Mr. Schaffer?  
MR. SCHAFFER.  We actually have authentication requirements, not 
just for customers, but also for employees and for agents.  So when 
there are calls intra-company that involve getting access to call 
detail records, there needs to be authentication of the employee 
as well. 
I have not, however, heard of this attempt to try to get a password 
changed rather than trying to get at the records themselves.  So we 
will now go deal with that situation.  
MS. VENEZIA.  For T-Mobile if a customer says they have forgotten 
their password or lost their password, they need to go into a 
T-Mobile store and show photo ID before that password can be 
changed. 
MR. STUPAK.  They would have to physically go into the store?  
MS. VENEZIA.  Yes. 
MS. BOERSMA.  At U.S. Cellular as well, they have to show proof of 
photo ID to make that change. 
MR. STUPAK.  Okay.  Let me ask you this one.  I have heard, the 
little bit I have been able to be here the last 2 days, that it is 
a violation of your company policy, and that people can be 
terminated for violating your company policy if they give out 
information unauthorized, correct?  
MS. BOERSMA.  Yes.
MS. VENEZIA.  Correct.
MR. STUPAK.  Can you tell me what remedy does the customer have who 
was pretexted?  What remedy would I have?  What remedy would an 
American citizen have if you knew one of your employees gave out 
information wrongly?  You provide the customer with a remedy then?  
I didn't expect complete silence.  
Do you offer the customer anything?  This is basically identity 
theft.  I have heard you file lawsuits.  You seek injunction.  You 
seek civil damages.  What do you do for the customer?  What do you 
do for the American people?  
MS. VENEZIA.  We have provided our customers with information about 
how best to protect their account.  We have provided them with 
information about identity theft in the event that were to occur, 
we have given them phone numbers for the credit bureaus, major 
credit bureaus to assist them, should they want to take a look at 
their credit reporting, again, all in the interests of protecting 
their information.  
We also have a lot of discretion in terms of our customer service 
representatives, that they are able to assist a customer in any way 
with respect to giving a customer some credits or making other 
adjustments to the account.  We also can put a password on that 
account if the customer would like to have that done. 
MR. STUPAK.  But that is all after.  Back home when we talk 
about--when I say pretexting, they don't get it.  When I talk about 
identity theft, they get it.  And they tell us--at least they have 
told me, at least in Drummond Island, that it costs thousands and 
thousands of dollars to get your identity back.  
So if you are complicit--not voluntarily--so if your information 
leads to that identity theft, I would think there would be some 
kind of remedy available there for the customer then who has to go 
through all this, not only time consuming hassle and changing 
everything they have, but also the cost involved, and it is quite 
expensive with lawyers and everything else involved. 
MS. VENEZIA.  Really the issues that we have seen have to do with 
call detail records.  We provide that information to the customer 
as an abundance of caution, because we want to be a full service 
provider to that customer.  Using the call detail information 
really isn't an indicator as far as we have seen for identity 
theft.  We just have not seen that happen.  What we have seen is 
call detail. 
MR. STUPAK.  I was trying to use a logical one, but what remedy 
does the family have where they have got the cell phone number of 
the young lady, and the stalker stalked her down by using the phone 
number and killed her?  What remedy do they have?  I mean, it is 
much more than just some phone numbers once in a while. 
I am not trying to put you on the spot.  When we are back home in 
our districts, this is what people are asking us about.  I think 
The Washington Post had the article about the boyfriend girlfriend, 
and he stalked her and had their phone numbers, cell phone numbers 
and killed her.  What remedy do they have?  Not that--I hope that 
doesn't happen, but we know it happens in the real world, and I 
guess when I was on Drummond Island, a couple of people who had 
their identities stolen, it started with phone numbers.  That is 
how it started.  And then it just keeps going. 
So that is what I was wondering.  
How about the FCC's proposed rule-making on implementing 
industrywide security standards.  Do you all support them and which 
do you oppose? 
They are the next panel, right?  
MR. MEISS.  We are on the same side of this fight, obviously with 
the FCC against the data brokers.  And we would support certainly 
sort of the safe harbor approach in the Gramm-Leach-Bliley Act 
that has a good overview and good structure for it, and it seems 
to work there and we think that would be good.  I think I 
mentioned earlier that we don't support mandatory passwords for 
those customers who just don't want it and just don't care.  That 
should be their choice. 
 One thing ironically is that the stronger you make the security, 
the more likely it is that people are going to get locked out and 
there is going to be a lot more people claiming they are locked 
out, which could play into the data brokers', the pretexters' 
plans.  
The encryption of on-line stuff to us doesn't make sense because 
that just doesn't go to the problem that has been happening.  It 
would slow things down.  It would slow customer service.  We 
encrypt in transmission, but they have to access the records to 
help the customer.  
MR. STUPAK.  Mr. Wunsch. 
MR. WUNSCH.  That is something I am going to have to refer to our 
government affairs people to get back to you on.  
MR. STUPAK.  Mr. Schaffer. 
MR. SCHAFFER.  Very similar answer with respect to mandatory 
passwords.  We think that the pretexters will quickly go to the 
password reset functionality.  And so as a practical matter, we do 
make them available to our customers, but having them be mandatory, 
we think probably doesn't solve the problem, but does slow down 
the vast majority who are legitimate requests to get access to 
information.  
Similarly, encryption and audit trails are of concern because of 
the way our systems work.  That encryption is very difficult to do 
in all of the systems for CPNI as are audit trails.  But we are 
using encryption in places that it makes sense, and it really 
provides additional protection like Enterprisewide for laptops, 
Enterprisewide for backup tapes.  
So we are trying to deploy those technologies where they are 
effective means of providing protection.  But mandatory deployment 
in a wholesale way we are concerned about. 
MR. STUPAK.  Mr. Holden?  
MR. HOLDEN.  Our specific responses to the FCC's proposals are 
beyond my expertise, really my expertise is kind of what we have 
done in response to the data brokers, how we have gone after the 
data brokers and what we have done in response.  So I would have 
to also defer, and be happy to, my FCC group, and be happy to get 
back to you.  
I do know that our position is that some of the proposals don't 
really address the pretexting issue as we see it.  An example is 
document retention.  They have requirements about how long you 
can retain documents.  I just have not seen that in my experience 
with pretexters and data brokers.  They always want the last bill 
or the bill before that.  You know, the bill that is a couple of 
years old I think is of no use to them.  So that is an example 
of one where I don't really see a connection to the pretexting 
issue. 
MR. STUPAK.  Ms. Venezia.  
MS. VENEZIA.  I generally would defer as well to the folks closer 
to this on our term in terms of the legislative group, but a few 
general comments.  One would be maintaining a certain level of 
flexibility in how we change our policies and practices in systems 
I think is going to be important because this is an evolving 
process.  It is a learning process.  And we are going to continue 
to get better and better and better.  And unfortunately, so are 
the data brokers.  
So, we really need to find ways where we can stay nimble and 
flexible and not have a situation where rules are static and then 
those rules are learned and the data brokers just go around us.  
So that is just by means of a general principle. 
I agree with the other comments about encryption and document 
retention.  I think document retention really is an essential issue 
when it has to do with pretexting and some of us have requirements, 
government requirements, to maintain documents for a certain amount 
of time so we certainly wouldn't want to be in violation of a rule 
or have conflicting rules in some areas.  
MR. STUPAK.  Ms. Boersma.  
MS. BOERSMA.  I would have to defer as well, I can say but, we do 
believe strongly in customer-set passwords.  We are doing a lot of 
work around encryption right now as well, investigating things 
there.  But in general, it is the same comments that everybody else 
has spoken to already. 
MR. STUPAK.  Thank you.  
MR. WHITFIELD.  Yes, sir, Mr. Stupak.  I would like to ask one final 
question.  We have had a number of hearings on this subject and 
these so-called data brokers, pretexters, whatever we want to call 
them, frequently, make the case and advertise that they are able 
to locate physically where a cell phone is.  I guess they refer to 
it as cell phone pinging or cell phone locating. 
And I would ask you all, is that technically possible to do?  
MR. MEISS.  No, at least with respect to our phones, we filed a 
lawsuit against one of those companies and we can't even locate the 
slime balls.  But we will and we will get them. 
Those people claim, well, I just get that information from a third 
party.  So now we are trying to track down that third party.  They 
give us information about their Web site where they have a diagram 
of a GPS satellite talking to your phone. 
We don't use that technology.  It is absolutely false.  And I said 
we have got to sue these people because they are putting an alarm 
out there, getting people upset about something that is not real.  
That bothers me. 
MR. WHITFIELD.  Okay.  I am glad we got you excited. 
Well, if there are no further questions, I would remind you all, I 
think you all agree that you would get back to the committee, and 
Mr. Inslee's request on your position on H.R. 4943, so if you would 
do that, we would appreciate that.  
Thank you very much for your testimony.  We look forward to working 
with you as we continue to move forward. 
And at this time, I would like to call the fourth and last panel of 
witnesses.  And that is Mr. Joel Winston, Associate Director, 
Division of Privacy and Identity Protection, Bureau of Consumer 
Protection, Federal Trade Commission, and Ms. Kris Monteith, 
Chief, Enforcement Bureau at the Federal Communications 
Commission. 

TESTIMONY OF JOEL WINSTON, ASSOCIATE DIRECTOR, DIVISION OF PRIVACY 
AND IDENTITY PROTECTION, BUREAU OF CONSUMER PROTECTION, FEDERAL 
TRADE COMMISSION; AND KRIS MONTEITH, CHIEF, ENFORCEMENT BUREAU, 
FEDERAL COMMUNICATIONS COMMISSION 

MR. WHITFIELD.  Thank you all for being with us today.
As you know, this is the Oversight and Investigations Subcommittee. 
 We take testimony under oath.  And I am assuming Mr. Winston, that 
you and Ms. Monteith do not have any difficulty with that.  So if 
you would please stand and raise your right hand. 
[Witnesses sworn.] 
MR. WHITFIELD.  I am assuming you do not have legal counsel today, 
so Ms. Monteith, if you would, you are recognized 5 minutes for your 
opening statement. 
MS. MONTEITH.  Thank you very much, Chairman Whitfield and members 
of the subcommittee.  I appreciate the opportunity to speak with 
you today about the ongoing investigation of the Federal 
Communications Commission into the issue of the unauthorized 
disclosure of consumers' call records.  
As FCC Chairman Martin testified before the full Committee on 
Energy and Commerce in February, the Commission is deeply concerned 
about this issue and is taking a number of steps to address it. 
First, we are investigating data brokers to determine how they 
are gaining access to confidential call records. 
Second, we are investigating telecommunications carriers to ensure 
that they are fully meeting their obligations under the law. 
And third, we have initiated a rule-making proceeding to determine 
what additional rules the Commission should adopt to further 
protect consumers. 
Since we initiated our investigation in the summer of 2005, we have 
issued subpoenas to over 30 data brokers seeking details regarding 
their methods of obtaining phone record information. 
We issued citations to those data brokers who failed to fully 
respond to our subpoenas, a notice of apparent liability against one 
of these companies for its continued failure to respond adequately, 
and referred the matter to the Department of Justice for 
enforcement. 
Although the data brokers almost universally denied any wrongdoing, 
our investigations revealed that data brokers routinely engage in 
pretexting, often by impersonating the account holder or a telephone 
company employee.  
Data brokers are also obtaining access to consumers' accounts 
on-line by overcoming carriers' data security protocols.  And we 
have seen some limited instances of carrier employee misconduct. 
We also have focused our attention on the practices of 
telecommunications carriers to determine whether they have 
implemented safeguards that are adequate to secure the privacy of 
consumers' confidential data.  The Commission's Enforcement Bureau 
has had numerous meetings with the major wire lines and wireless 
providers to discuss efforts they have undertaken to protect 
customer call data.  
The Commission has also issued formal letters of inquiry to these 
carriers.  These letters require the carriers to document their 
customer data security procedures, detail employee access to call 
records, identify security problems and breaches, and address any 
changes they have made in response to the data broker issue. 
We have also issued supplemental letters of inquiry to the largest 
carriers and our in-depth analysis is ongoing.  
Most recently, we issued letters of inquiry to a number of carriers 
asking for information related to whether any CPNI was disclosed 
without authorization in connection with Hewlett-Packard's 
activities. 
In January, we issued a public notice requiring all 
telecommunications carriers to submit their most recent annual 
certificate attesting to compliance with the Commission's CPNI 
rules. 
As a result of our investigations into carrier compliance with the 
annual certification requirement, we issued three notices of 
apparent liability for failure to comply with these important 
rules. 
We have reached consent decrees on CPNI issues with two of these 
carriers totaling $650,000. 
During the course of our investigations, we have learned that 
several carriers have taken further steps to protect the privacy 
of customer account information.  These steps include using better 
security and authentication measures with respect to on-line 
accounts, notifying customers of password or account changes, 
and greater monitoring of employee activities to detect breaches 
of corporate policies. 
Lastly, the Commission initiated a proceeding to determine what 
additional rules it should adopt to further protect consumers' 
telephone records from unauthorized disclosure.  The notice of 
proposed rule making, which grants a petition filed by the 
Electronic Privacy Information Center, seeks comment on five 
proposals to address the unlawful and fraudulent release of CPNI. 
These include customer-set passwords, audit trails, encryption, 
limiting data retention, and notice procedures to the customer on 
release of CPNI data.  The record in this proceeding closed in June. 
Chairman Martin intends to bring an order before the full commission 
for its consideration this fall. 
In conclusion, the disclosure of consumers' private calling records 
represents a significant invasion of personal privacy.  The 
Commission is acting to eliminate this troubling practice and give 
American consumers the privacy protections they expect. 
We look forward to working collaboratively with the members of 
this subcommittee, other Members of Congress, our colleagues at the 
Federal Trade Commission and other law enforcement authorities to 
ensure that consumers' personal phone records remain confidential.  
Thank you for the opportunity to testify, and I would be pleased to 
respond to your questions. 
MR. WHITFIELD.  Thank you, Ms. Monteith. 
[The prepared statement of Kris Anne Monteith follows:]


PREPARED STATEMENT OF KRIS ANNE MONTEITH, CHIEF, ENFORCEMENT BUREAU, 
FEDERAL COMMUNICATIONS COMMISSION

MR. WHITFIELD.  Mr. Winston, you are recognized for 5 minutes.  
MR. WINSTON.  Good afternoon, Mr. Chairman and members of the 
subcommittee.  I appreciate your invitation to appear today to 
discuss the privacy and security of telephone records. 
Although my written statement is that of the Commission, my oral 
testimony and responses to questions reflect my own views and not 
necessarily those of the Commission, or any individual commissioner. 
Protecting the privacy and security of consumers' sensitive and 
personal information is one of the Commission's highest priorities.  
And we have addressed this issue on many fronts, ranging from spam 
and spyware to data security and identity theft. 
Today, I will discuss the FTC's recent enforcement efforts against 
those who use fraud or other illegal means to obtain consumers' 
telephone call records and other confidential information. 
I will also provide some comments on possible legislation to stop 
this troubling practice. 
On May 1st of this year, the Commission filed lawsuits in Federal 
courts across the country against five companies and their 
principals for allegedly selling consumer call records that were 
obtained through fraud. 
The complaints charged that these practices violate Section 5 of the 
Federal Trade Commission Act which prohibits unfair or deceptive 
practices. 
In each of these cases, the defendants advertised on their websites 
that they could obtain confidential customer phone records from 
telephone carriers for fees ranging from $65 to $180. 
What we have since learned is that the data brokers, like these, 
often rely upon third parties who carry out the actual pretexting. 
Four of these five cases are pending in court.  In the fifth case, 
we will be releasing next week a settlement with the defendants 
that contains both injunctive and monetary relief. 
In addition to these cases, FTC staff continues to aggressively 
pursue investigations of both pretexters and the data brokers who 
purchase their services for resale.  We have been aided in these 
efforts by the FCC, State law enforcement, and several telephone 
carriers.  
Although many purveyors of consumer telephone records seem to have 
gotten the message and have moved on to other lines of work, there 
is still much work left for us to do.  The Commission has been 
aggressive in prosecuting those who pretext and sell financial 
records as well as telephone records.  We filed our first case in 
1999 against a company that offered to provide consumers' bank 
account numbers and balances to anybody for a fee. 
As you know, Congress later enacted the Gramm-Leach-Bliley Act, 
which expressly prohibits pretexting for financial records.  And 
the FTC has followed up with more than a dozen cases.  
But pursuing the fraudsters is only part of the solution.  It is 
equally important to send a message to the business community that 
it has a legal obligation to protect sensitive consumer 
information.  
Now, the Commission has conveyed this message in many ways, but most 
directly through 13 data security cases we brought over the past 
few years, against such prominent companies as Microsoft, Tower 
Records, ChoicePoint, and DSW Shoe Warehouse. 
I would like to turn briefly to the subject of legislation. 
Of course, earlier this year, the full committee approved H.R. 4943, 
a bill that would ban pretexting to obtain phone records and would 
authorize the FTC to bring civil actions against violators.  The 
Commission believes that a civil law that specifically prohibits 
telephone record pretexting would be useful in clarifying the 
illegality of this practice.  
In addition, I would recommend that any such legislation address 
three issues. 
First, the law should apply not only to pretexters, but to those who 
solicit their services when they know or should know that fraudulent 
means are being employed. 
Second, if the law provides for FTC enforcement, it should grant 
the Commission the power to seek civil penalties against violators, 
a remedy that the FTC does not currently have in cases like this. 
In this area, penalties generally are the most effective civil 
remedy. 
Third, Congress should consider an appropriately tailored exception 
for law enforcement. 
I would also note that our investigations have revealed that some 
sites offering pretexting services are registered to foreign 
addresses. 
This underscores the importance of the Commission's previous 
recommendation that Congress enact cross border fraud legislation. 
This proposal, called the U.S. Safe Web Act, would overcome many 
of the existing obstacles to information sharing in cross border 
investigations. 
Again, thank you for the opportunity to testify today.  We look 
forward to working with this subcommittee and its staff on this very 
important issue.  And I would be happy to answer any questions you 
may have.  
MR. WHITFIELD.  Well, thank you, Mr. Winston, and we certainly 
appreciate the work you all are doing at FTC and at the FCC on this 
issue and for taking time to be with us today. 
[The prepared statement of Joel Winston follows:] 


PREPARED STATEMENT OF JOEL WINSTON, ASSOCIATE DIRECTOR, DIVISION OF 
PRIVACY AND IDENTITY PROTECTION, BUREAU OF CONSUMER PROTECTION, 
FEDERAL TRADE COMMISSION 

MR. WHITFIELD.  I would like to just clarify for myself this 
seemingly confusion over the enforcement rights of the FTC on this 
issue and specifically as it relates to Section 5, because you made 
the comment that in this legislation, any legislation hopefully would 
make it clear about civil penalties. 
And I thought that you had authority to have civil penalties today 
on pretexting.  But could you elaborate on the existing law as it 
is today?  
MR. WINSTON.  Certainly.  We have civil penalty authority for certain 
kinds of cases in certain circumstances. 
We do not have civil penalty authority for violations of Section 5, 
such as the sorts of pretexting violations that we have brought cases 
against. 
We also don't have civil penalty authority under the 
Gramm-Leach-Bliley Act.  So in cases such as these, we are limited 
to remedies that are injunctive.  In some cases, we can require 
companies to give back their ill-gotten profits.  But we do not have 
penalty authority. 
MR. WHITFIELD.  Okay, so the 4 out of 5 lawsuits that are still 
pending in court right now, there are no civil penalties involved 
in those at all?  
MR. WINSTON.  Correct.  We are seeking, again, return of ill-gotten 
profits.  But in cases like this having that penalty authority is 
frankly much more effective. 
MR. WHITFIELD.  Okay.  Okay.  And, Ms. Monteith, you had mentioned 
in your testimony that you, the FCC had recently issued three 
notices of apparent liability for forfeiture under Section 222 
of the Communications Act and that some companies were fined a 
total of $650,000.  
Could you elaborate on this a little bit?  Specifically what is 
this apparent liability for forfeiture?  
MS. MONTEITH.  The notice of apparent liability for forfeiture is 
the first public type of enforcement action that the Commission 
takes in response to an investigation and an internal finding of 
a violation of our rules of the law. 
And this requires the company to respond to us and demonstrate to 
us in its response that it has or has not violated the law.  
In these particular cases, the notices of apparent liability were 
filed for violations of our annual certificate requirement, 
requiring the company to keep in place an annual certificate 
signed by a corporate officer that attests to their compliance 
with our rules. 
MR. WHITFIELD.  And so that was the only violation, not filing 
this certificate in a timely manner?  Is that right?  
MS. MONTEITH.  Yes, thus far.  We have ongoing investigations of 
other aspects of the CPNI rule, but to date, those are the 
violations. 
MR. WHITFIELD.  How many carrier certificates are filed each 
year?  
MS. MONTEITH.  The certificates, heretofore, have not been required 
to be filed with the Commission.  But in January, we issued a 
public notice upon inspecting several certificates and ascertaining 
that there may be some compliance issues.  
We required all of the carriers to file their certifications with 
us.  We have over 2,000 certificates on file that we are in the 
process of reviewing. 
MR. WHITFIELD.  And how did you determine the $650,000 figure?  How 
is that determined?  
MS. MONTEITH.  The Commission has discretion in terms of its 
forfeitures to determine the amount of forfeiture.  Here we thought 
that the type of violation was very significant, involving personal  
information and privacy types of rights and issued forfeitures 
accordingly. 
MR. WHITFIELD.  Now, Mr. Winston, you talked about H.R. 4943 and you 
talked about 4 points necessary to really make this law effective 
and from your perspective, do you all support H.R. 4943?  Or are you 
taking a position on it?  
MR. WINSTON.  The Commission has not taken a formal position, but 
H.R. 4943 contains the elements that I identified-- 
MR. WHITFIELD.  All 4. 
MR. WINSTON.  It has the three elements that I mentioned.  It does 
not have obviously the cross border fraud aspect.  But in terms of 
penalties and other authority, it delivers what we need. 
MR. WHITFIELD.  Okay.  I yield back the balance of my time and 
recognize Mr. Stupak. 
MR. STUPAK.  Thank you.  Ms. Monteith, you are currently undertaking 
the anti trust review of the proposed merger between AT&T and 
BellSouth, and earlier the FCC fined AT&T for failing to have 
adequate consumer protections and safeguards in place.  Do you 
think it would be reasonable, in light of the hearings we have had 
in the last few days, for the Commission to condition approval of 
that merger on a clear and effective policy by the company that 
protects consumers' privacy from pretexters or other fraudulent 
methods for breaching customer's privacy?  
MS. MONTEITH.  With all due respect, Mr. Stupak, I am not involved 
in the merger that is pending before the Commission.  I would be 
happy to take that question back to the folks that are and have 
them look at it.  
MR. STUPAK.  Would you have them get back with us in writing then 
if you would on that question?  
MS. MONTEITH.  Sure.  
MR. STUPAK.  Can I ask you this question, our bill there, the Rhett, 
Scarlett Butler is that what they call it, H.R. 4943, does the FCC 
take a position on that?  Are they supportive of the bill?  
MS. MONTEITH.  We have not taken a position on it, but Chairman 
Martin has been very clear that he does endorse in his testimony, 
he testified that he would support actions to prohibit, to ban 
outright the pretexting and the sale of consumers' phone 
records. 
MR. STUPAK.  In his statements, has he had any suggestions that 
we could improve it, like Mr. Winston, you said there was one part 
we should look at a little closer?  
MS. MONTEITH.  The legislation?  No, he has not.
MR. STUPAK.  I believe you mentioned that on pretexting, of course, 
you said that it is either customers or people posing as customers 
or telephone company employees that are involved in the pretexting. 
How often is it if you can give me a percentage, is it customer, 
I mean, excuse me, telephone company employees?  Is that a 
complaint you have had fairly often?  
MS. MONTEITH.  We don't know.  I don't have those figures in front 
of me.  I think the responses that we have gotten from the companies 
that we have investigated have indicated that it is both.  But I 
couldn't tell you on balancing.  
MR. STUPAK.  Equal or hard to say. 
MS. MONTEITH.  I really do not have that information.  
MR. STUPAK.  Mr. Winston could you add anything to that on company 
employees or individuals posing as customers?  Do you get a sense, 
is it equal, more or less, one over the other?  
MR. WINSTON.  We don't have any data, but the sense I have gotten is 
that it is more from people posing as customers and calling rather 
than some sort of insider fraud. 
MR. STUPAK.  FTC issued a report January 23, 2001, you mentioned on 
page 7 of your testimony in which you were surfing the Net, you 
found more than 1,000 websites and reviewed more than 500 
advertisements and print identifying firms offering to conduct 
searches for customers' financial data.  Have you gone back any 
more searching?  That was like 5 years ago.  Has it increased?  
Decreased?  Can you give us any sense of that?  
MR. WINSTON.  We do periodically go back and search and monitor.  
And I think, both in the case of financial pretexting and telephone 
record pretexting, the numbers of perpetrators have gone down 
substantially.  Now, how much of that is people actually abandoning 
the business versus going underground is hard to tell, but just 
looking at the websites, most of them have disappeared. 
MR. STUPAK.  In your settlements--I asked the question of the 
earlier panel, what about the victims of the identity theft that 
were pretext?  Is there any of that financial settlement that goes 
to the victims, the individuals?  I notice you had ChoicePoint 
where you were going to settle for, like, 10 million, and I thought 
5 million may go to individuals who have been pretexted?  
MR. WINSTON.  Yes, in cases where we found tangible consumer harm 
like being a victim of identity theft, we have tried to give money 
back to consumers who were the victims.  In the ChoicePoint case, 
we will be returning $5 million to those consumers. 
In the pretexting cases, we have not come up with a way of actually 
getting money back to people and having them be able to kind of 
quantify what their harm was. 
Instead, we focused on taking the profits away from the company that 
engaged in it.  I think that is the most effective deterrent, 
although, again, if we had penalty authority, I think we could 
get substantially more money. 
MR. STUPAK.  So without the FTC stepping in on behalf of the 
American consumer, there would be no way, really, there is no cause 
of action then for the American people to recover their damages?  
MR. WINSTON.  I think there may well be private causes of action. 
MR. STUPAK.  But nothing statutorily?  
MR. WINSTON.  Nothing statutorily that I am aware of.
MR. STUPAK.  Do you think there should be a separate remedy 
provision or something for consumers or families in H.R. 4943?  
MR. WINSTON.  That is something worth considering.  One issue 
that we have been thinking about is whether victims of identity 
theft should have the opportunity to get restitution from the 
perpetrators for the time they spend in repairing the damage.  
So in the identity theft situation, we are looking at, at the 
analog, is there a way of allowing victims to recover from 
perpetrators?  The same sort of thing might work here at as 
well.  
MR. STUPAK.  Let me ask this question, if you can answer it.  We 
mentioned a 2001 study you did where you had a thousand websites 
and 500 advertisements and approximately 200 firms that offered 
to obtain and sell asset or bank account information to third 
parties. 
And you said that has, that number has gone down since you have 
stepped up the enforcement actions, or gone underground, as we 
have seen in our child pornography hearings they oftentimes go 
offshore to other countries or multiple sites to do it.  Are you 
finding that same thing here with pretexting?  
MR. WINSTON.  Yes.  We have discovered, as I mentioned earlier, 
that some of these pretexters, some of these data brokers are 
associated with foreign criminal rings or other foreigners, and 
our ability to cooperate with the foreign authorities to go after 
these people is really hampered by existing law.  And that is why 
U.S. Safe Web Act is so critical to allowing us to be more 
effective. 
MR. STUPAK.  In your position, have you seen any other countries 
who have addressed this more aggressively, pretexting and the 
problem of obtaining false information in a different way or 
manner that would be helpful to us as a committee to-- 
MR. WINSTON.  I am not aware of any.  I suspect that law 
enforcement in the United States is probably about the most 
effective in the world at this point. 
MR. STUPAK.  I have no further questions, Mr. Chairman.  Thank you 
both for your testimony. 
MR. WHITFIELD.  Thank you, Mr. Stupak.  Chair recognizes Mr. Walden 
for 10 minutes. 
MR. WALDEN.  Thank you very much, Mr. Chairman.  And I don't know 
that I am going to take the full 10 minutes, but I do have a couple 
of questions.  What have you seen in terms of changes in data 
broker activity?  What have you noticed since all of this has been 
in the public?  
MR. WINSTON.  Well, I think, again, there has been some movement to 
at least stop the most blatant practices, which even as recently as 
several months ago, we were seeing advertisements on the Internet 
saying we can get anybody's telephone record.  We can get Social 
Security numbers.  We can get account information.  We can get 
credit card statements for a fee. 
MR. WALDEN.  And they could?  
MR. WINSTON.  And in some cases, they could, and in some cases, 
they were engaged in false advertising, which is its own problem. 
But that seems to have really, if not dried up, at least dissipated 
to a substantial extent.  
What we need to learn, and our investigations are continuing is, 
are these people really gone or are they just being more subtle 
and more careful about what they say?  
MR. WALDEN.  Did the lawsuits you filed recently, involve 
pretexting indirectly?  
MR. WINSTON.  In each of the cases, I believe the ones who actually 
engaged in the pretexting were not the people who were advertising 
and selling the records.  Like in the Hewlett-Packard case, there 
was a middle man.  
MR. WALDEN.  There was a middle person?  
MR. WINSTON.  Yes, we believe in each case, there was pretexting that 
went on. 
MR. WALDEN.  And what have you been learning about pretexting in the 
course of these recent investigations?  What should we know we 
haven't already heard about?  
MR. WINSTON.  Well, you probably already heard how ingenious these 
criminals are, and despite all of the protections that the phone 
companies may have put in place, ultimately, it is social 
engineering.  It is a matter of somebody convincing somebody else 
to give up records that they shouldn't. 
And they have a lot of different techniques that they have used.  
We have learned about some of those.  But ultimately, they have 
been successful. 
MR. WALDEN.  You heard the testimony from the panel of telephone 
folks, and you have probably observed what we went through 
yesterday with HP.  What is your counsel to phone companies?  What 
should they be doing they are not doing or haven't thought about 
doing and what about the consumers?  
MR. WINSTON.  Well, from the consumer standpoint, it is a little 
frustrating because ultimately, they can't prevent their records 
from being released.  
MR. WALDEN.  How?  
MR. WINSTON.  I think putting a password on is important.  It is 
not foolproof, but it is important. 
Also, consumers need to be aware of the possibility that they 
themselves might get pretexted.  We have seen instances where the 
pretexters will call the consumer and pose as the phone company 
or someone else and get their information.  "Phishing" is the 
common term for it.  We have been trying very hard to educate 
the public to not give up that information themselves. 
MR. WALDEN.  What is the next scam on the horizon?  What are you 
seeing that you are beginning to see little rays of light that 
are out there that we need to be aware of, consumers need to be 
aware of?  
MR. WINSTON.  There are so many.  I don't know where to begin. 
MR. WALDEN.  We will have lots of opportunities to get together 
here with other players. 
MR. WINSTON.  I plan on remaining gainfully employed for a while.  
I think more broadly what we are seeing is this kind of seamy 
cottage industry of information brokers.  And it is not just 
phone records anymore.  It is not just financial records.  
MR. WALDEN.  What is it?   
MR. WINSTON.  It is Social Security numbers.  It is any kind of 
information that you might have that you don't want other people 
to get.  There are people out there on the Internet who are 
selling it.  And it is something that we have been trying very 
hard to get a handle on.  As our economy becomes more high 
tech, so are the criminals.  
MR. WALDEN.  Should phone companies, phone carriers, be using 
Social Security numbers?  
MR. WINSTON.  Well, phone companies typically, if you want to 
open a phone account, the first thing they are going to do is pull 
your credit report.  In order to pull your credit report, you have 
got to give them your Social Security number.  So to that extent, 
yes, the phone companies need your Social Security number. 
MR. WALDEN.  Should they be using that as part of their data 
for authentication purposes?  
MR. WINSTON.  One thing we are looking at, there is a 
government-wide task force right now or identity theft that 
President Bush set up back in May.  And I have been serving on 
that.  And one of the things we have been looking at is are there 
gratuitous, unnecessary uses of Social Security numbers both in 
government and in the private sector?  And the answer is yes.  
There are a lot of people who are using Social Security numbers.  
MR. WALDEN.  Is that what consumers should look at first to 
minimize the use of is Social Security numbers?  Is that the most 
important number we should keep secure?  
MR. WINSTON.  Absolutely.  You know, 42 million Medicare cards in 
this country that consumers have, have their Social Security number 
on it and they carry it around in their wallet.  That is just a 
recipe for disaster.  
MR. WALDEN.  What about when all this moves offshore?  You know, we 
wrestle in this committee and the telecom subcommittee I am on with 
dealing with issues involving the Internet, and then you say we can 
do that here, but how do we get at it when it is offshore?  In this 
context?  What are you seeing in terms of foreign involvement and 
our ability to get at it?  Are we just going to drive this whole 
problem offshore and out of reach?  
MR. WINSTON.  I think that is a good point and a real concern.  
Certainly in the identity theft area, more and more we are seeing, 
mainly out of Eastern Europe, organized criminal rings that are 
hiring people to get this information and then selling it, so that 
is a problem. 
MR. WALDEN.  One way to be to get it would be that when we engage in 
treaties and trade agreements, that somehow we also lock down 
provisions to protect consumers and their identity?  
MR. WINSTON.  Absolutely.  And a lot of that work is ongoing. 
MR. WALDEN.  Do you do that now?  
MR. WINSTON.  We do some of that now.  And as part of our task force, 
we are going to be pushing for additional opportunities to do that. 
MR. WALDEN.  And Ms. Monteith, are carriers better protecting 
their CPNI?  
MS. MONTEITH.  I think we have seen, as a result of our 
investigations, that carriers are moving to take some additional 
safeguards, yes.  Certainly with respect to the kinds of information 
they require for access to accounts, we heard today that carriers 
are moving to not give information out over the telephone.  Those 
kinds of things, yes. 
MR. WALDEN.  Okay, well, I really appreciate your assistance to our 
efforts today.  I appreciate your comments your answers to our 
questions and that of the other panelists who have been willing to 
actually talk to us.  Are we batting 50-50 on panelists invited 
who talk us versus panelists who are invited who have decided not 
to talk?  
MR. WHITFIELD.  It is about 50-50. 
MR. WALDEN.  Well, thank you all very much, Mr. Chairman and I yield 
back the remainder of my time. 
MR. WHITFIELD.  We have had so many hearings on pretexting, we have 
given some thought to just going around and taking somebody by 
random and bringing them in and talk to them about it. 
But we genuinely thank you all for being here and for the work you 
are doing in this area and for your testimony.  And you all are 
dismissed and we look forward to continue to working with you. 
Without objection, we are certainly going to enter into the record 
our document book, which we have not done yet.  So with that, this 
hearing is adjourned, and thank you all so much. 
[The information follows:] 



[Whereupon, at 1:50 p.m., the subcommittee was adjourned.]


1  The views expressed in this statement represent the views of the 
Attorney General.  My oral testimony and responses to questions 
reflect my own views and do not necessarily represent the views of 
the Office of the Attorney General. 
2  State of Florida v. 1st Source Information Specialists, Inc. et 
al, Case No.:06-CA-234, Leon County Circuit Court (Honorable Lindy 
Lewis, Circuit Judge).  Steven Schwartz and Kenneth Gorman were 
also named as defendants in the action. A default has been entered 
against defendant Gorman.  
The 1st Source Complaint is available at: 
http://myfloridalegal.com/webfiles.nsf/WF/MRAY-6L8KGC/$file/1stSource_Complaint.pdf
The Subcommittee on Oversight and Investigations requested and 
subpoenaed documents from Steven Schwartz and subsequently subpoenaed 
Mr. Schwartz's appearance before the Subcommittee on June 21, 2006. 
7  Laurie Misner purchased the business known as Global Information 
Group, Inc. from Edward Herzog in 2005, with Mr. Herzog remaining an 
integral part of the business.  The Subcommittee on Oversight and 
Investigations requested information from Laurie Misner as part of 
its investigation.  Representatives from the Subcommittee have 
represented that Ms. Misner will appear before the Subcommittee for 
testimony on June 21, 2006. 
8  Representatives from the Subcommittee have represented that 
Mr. Herzog has been subpoenaed to appear before the Subcommittee for 
testimony on June 21, 2006. 
9  Chapter 501, Part II, Florida Statutes (2005).
10  Section 817.568(2), Florida Statutes (2005)
11  Section 501.201(3)(c), Florida Statutes (2005)
12  The Complaint is available at: http://myfloridalegal.com/webfiles.nsf/WF/MRAY-6M9RY3/$file/Global_Complaint.pdf
Press Release: Crist Charges Second Data Broker Over Sale of Phone Records - Global Information Group, Inc. Provided Private Telephone Records To Third Parties
http://myfloridalegal.com/__852562220065EE67.nsf/0/5DEE071447E329878525711F0051E195?Open&Highlight=0,global
13  In addition to Florida's action, Global has been sued by three telecommunications providers (Verizon Wireless, T-Mobile, and Cingular Wireless) as well as by an individual, Charles Jones, Sr., in Jones v. Global Information Group, Inc., et al in Indiana Federal court.  The providers have all obtained injunctions to date, specific to their entities.  The private cause of action is active and ongoing.
14  Cellco Partnership d/b/a Verizon Wireless v. Global Information Group, Inc, et al; Case No.: 05-09757; Hillsborough County Circuit Court; Motion to Dismiss Complaint Against Edward Herzog, filed Dec. 2, 2005
15   The Consent Judgment and Permanent Injunction is available at: http://myfloridalegal.com/webfiles.nsf/WF/MRAY-6NSLD8/$file/Global_Settlement.pdf
Press Release: Crist: Judgment to End Data Broker's Business
http://myfloridalegal.com/__852562220065EE67.nsf/0/F677BFA978E00C938525714E0059D49C?Open&Highlight=0,global
16 As a criminal investigation is underway, the Attorney General
 or his representative may be unable to address certain inquiries to 
avoid compromising the ongoing investigation.
17 The term "telephone company" is defined to specifically include Voice 
Over Internet Protocol (VoIP) and similar technological advancements; "Personal identification information" is defined to include the 
statutorily defined categories of information in section 817.568(1), 
such as telephone number, date of birth, etc; "Identity" is defined 
to include, inter alia,  employer issued identification and individual 
access codes for computer interaction with accounts.  
Certain language introducing the prohibited conduct has been paraphrased, and the foregoing definitions are paraphrased for convenience, but does not constitute an interpretation contrary to the Consent Judgment and Permanent Injunction entered by the court or an interpretation for substantive purposes as may be required at some future date.
18  2006-141, Laws of Florida, codified HB 871.  
19  House of Representatives Staff Analysis dated April 10, 2006 (noting Justice Council Amendment removing exceptions contained in the original bill including activities of private investigators)  http://www.flsenate.gov  
http://www.flhouse.gov/Sections/Documents/loaddoc.aspx?FileName=h0871d.JC.doc&DocumentType=Analysis&BillNumber=0871&Session=2006
20  RM-11277 relating to Telecommunications Carriers Use of Customer Proprietary Network Information (CPNI), CC Docket No. 96-115 (FCC NPRM)
21     The referenced comments submitted by the Attorneys General are available electronically at : http://www.naag.org/news/pdf/20060509-FinalCPNICommentstoFCC.pdf.  The comments address, generally: enhanced security and authentication standards; existing privacy protections of CPNI; effectiveness of notices to customers regarding use of CPNI; extension of CPNI requirements to VoIP providers; wireless customers' privacy expectations; adequacy of existing protections for privacy of CPNI; and the States recommendations.
22  A security freeze will be an available option for Floridians effective July 1, 2006 as Governor Bush signed HB37 into law on June 9, 2006.  2006-124, Laws of Florida, codifies HB37.
1 Florida State Statues Chapter 27.04 and Chapter 934.23
1 Call records contain such information as dates calls were made, numbers called and the duration of such calls. This type of information is provided to law enforcement by telephone companies upon service of a subpoena. This type of information should not be available in the public realm, unlike names, matched with telephone numbers and addresses.


























