[House Hearing, 110 Congress]
[From the U.S. Government Publishing Office]


 
                         COMBATING PRETEXTING: 
                        PREVENTION OF FRAUDULENT 
                      ACCESS TO PHONE RECORDS ACT 

=======================================================================

                                HEARING

                               BEFORE THE

                    COMMITTEE ON ENERGY AND COMMERCE
                        HOUSE OF REPRESENTATIVES

                       ONE HUNDRED TENTH CONGRESS

                             FIRST SESSION

                                   ON

                                H.R. 936

                               __________

                             MARCH 9, 2007

                               __________

                           Serial No. 110-16


      Printed for the use of the Committee on Energy and Commerce

                        energycommerce.house.gov

                               ----------
                         U.S. GOVERNMENT PRINTING OFFICE 

39-361 PDF                       WASHINGTON : 2008 

For sale by the Superintendent of Documents, U.S. Government Printing 
Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; 
DC area (202) 512-1800 Fax: (202) 512-2104 Mail: Stop IDCC, 
Washington, DC 20402-0001 


























                    COMMITTEE ON ENERGY AND COMMERCE

                  JOHN D. DINGELL, Michigan, Chairman

HENRY A. WAXMAN, California          JOE BARTON, Texas
EDWARD J. MARKEY, Massachusetts          Ranking Minority Member
RICK BOUCHER, Virginia               RALPH M. HALL, Texas
EDOLPHUS TOWNS, New York             J. DENNIS HASTERT, Illinois
FRANK PALLONE, Jr., New Jersey       FRED UPTON, Michigan
BART GORDON, Tennessee               CLIFF STEARNS, Florida
BOBBY L. RUSH, Illinois              NATHAN DEAL, Georgia
ANNA G. ESHOO, California            ED WHITFIELD, Kentucky
BART STUPAK, Michigan                BARBARA CUBIN, Wyoming
ELIOT L. ENGEL, New York             JOHN SHIMKUS, Illinois
ALBERT R. WYNN, Maryland             HEATHER WILSON, New Mexico
GENE GREEN, Texas                    JOHN B. SHADEGG, Arizona
DIANA DeGETTE, Colorado              CHARLES W. ``CHIP'' PICKERING, 
    Vice Chairman                    Mississippi
LOIS CAPPS, California               VITO FOSSELLA, New York
MIKE DOYLE, Pennsylvania             STEVE BUYER, Indiana
JANE HARMAN, California              GEORGE RADANOVICH, California
TOM ALLEN, Maine                     JOSEPH R. PITTS, Pennsylvania
JAN SCHAKOWSKY, Illinois             MARY BONO, California
HILDA L. SOLIS, California           GREG WALDEN, Oregon
CHARLES A. GONZALEZ, Texas           LEE TERRY, Nebraska
JAY INSLEE, Washington               MIKE FERGUSON, New Jersey
TAMMY BALDWIN, Wisconsin             MIKE ROGERS, Michigan
MIKE ROSS, Arkansas                  SUE WILKINS MYRICK, North Carolina
DARLENE HOOLEY, Oregon               JOHN SULLIVAN, Oklahoma
ANTHONY D. WEINER, New York          TIM MURPHY, Pennsylvania
JIM MATHESON, Utah                   MICHAEL C. BURGESS, Texas
G.K. BUTTERFIELD, North Carolina     MARSHA BLACKBURN, Tennessee
CHARLIE MELANCON, Louisiana
JOHN BARROW, Georgia
BARON P. HILL, Indiana

                                 ______

                           Professional Staff

                 Dennis B. Fitzgibbons, Chief of Staff

                   Gregg A. Rothschild, Chief Counsel

                      Sharon E. Davis, Chief Clerk

                 Bud Albright, Minority Staff Director

                                  (ii)


















                             C O N T E N T S

                              ----------                              
                                                                   Page
Hon. John D. Dingell, a Representative in Congress from the State 
  of Michigan, opening statement.................................     1
Hon. Hon. Fred Upton, a Representative in Congress from the State 
  of Michigan, opening statement.................................     3
Hon. Edward J. Markey, a Representative in Congress from the 
  Commonwealth of Massachusetts, opening statement...............     4
Hon. Cliff Stearns, a Representative in Congress from the State 
  of Florida, opening statement..................................     5
Hon. Bobby L. Rush, a Representative in Congress from the State 
  of Illinois, opening statement.................................     6
Hon. Joe Barton, a Representative in Congress from the State of 
  Texas, opening statement.......................................     6
Hon. Rick Boucher, a Representative in Congress from the 
  Commonwealth of Virginia, opening statement....................     7
Hon. J. Dennis Hastert, a Representative in Congress from the 
  State of Illinois, opening statement...........................     7
Hon. Albert R. Wynn, a Representative in Congress from the State 
  of Maryland, opening statement.................................     8
Hon. Joseph R. Pitts, a Representative in Congress from the 
  Commonwealth of Pennsylvania, opening statement................     8
Hon. Gene Green, a Representative in Congress from the State of 
  Texas, opening statement.......................................     9
Hon. Greg Walden, a Representative in Congress from the State of 
  Oregon, opening statement......................................     9
Hon. Anthony D. Weiner, a Representative in Congress from the 
  State of New York, opening statement...........................    10
Hon. Diana DeGette, a Representative in Congress from the State 
  of Colorado, opening statement.................................    10
Hon. Edolphus Towns, a Representative in Congress from the State 
  of New York, opening statement.................................    11
Hon. Jay Inslee, a Representative in Congress from the State of 
  Washington, opening statement..................................    12
Hon. Tammy Baldwin, a Representative in Congress from the State 
  of Wisconsin, opening statement................................    12
Hon. Barbara Cubin, a Representative in Congress from the State 
  of Colorado, opening statement.................................    13
Hon. Jan Schakowsky, a Representative in Congress from the State 
  of Illinois, opening statement.................................    13
H.R. 936, To prohibit fraudulent access to telephone records.....    14

                               Witnesses

Lydia Parnes, Director, Bureau of Consumer Protection, U.S. 
  Federal Trade Commission.......................................    32
    Prepared statement...........................................    34
Thomas Navin, Chief, Wireline Bureau, Federal Communications 
  Commission.....................................................    45
    Prepared statement...........................................    47
Marc Rotenberg, executive director, Electronic Privacy 
  Information Center.............................................    56
    Prepared statement...........................................    56
Hon. Steve Largent, president, chief executive officer, CTIA-the 
  Wireless Association...........................................    67
    Prepared statement...........................................    69
Walter McCormick, president and chief executive officer, United 
  States Telecom Association.....................................    79
    Prepared statement...........................................    81
David Einhorn, president, Greenlight Capital, Incorporated,......    84
    Prepared statement...........................................    86


COMBATING PRETEXTING: PREVENTION OF FRAUDULENT ACCESS TO PHONE RECORDS 
                                  ACT

                              ----------                              


                         FRIDAY, MARCH 9, 2007

                          House of Representatives,
                          Committee on Energy and Commerce,
                                                    Washington, DC.
    The committee met, pursuant to call, at 10:30 a.m., in room 
2123 of the Rayburn House Office Building, Hon. John D. Dingell 
(chairman) presiding.
    Members present: Representatives Markey, Boucher, Towns, 
Rush, Stupak, Wynn, Green, DeGette, Schakowsky, Gonzalez, 
Inslee, Baldwin, Hooley, Weiner, Barrow, Barton, Hall, Hastert, 
Upton, Stearns, Cubin, Shimkus, Shadegg, Pickering, Radanovich, 
Pitts, Walden, Terry, Ferguson, Rogers, Sullivan, Murphy, and 
Burgess.

         OPENING STATEMENT OF HON. JOHN D. DINGELL, A 
     REPRESENTATIVE IN CONGRESS FROM THE STATE OF MICHIGAN

    The Chairman. The hearing will come to order.
    I thank you all for coming here to be with us and discuss 
these matters, our views on H.R. 936, the Prevention of 
Fraudulent Access to Phone Records Act.
    A certain major telecommunications company allegedly turned 
over detailed call records of millions of Americans to the 
National Security Agency. These phone customers were not 
informed that NSA had their records. Apparently, this may have 
been done without proper process. At least one company found it 
illegal and refused to comply.
    We also learned about pretexting, which occurs when a 
person obtains phone records through fraudulent means. 
Apparently, some of the largest companies in America, such as 
Hewlett-Packard Corporation, did not see any problems in using 
this deceptive practice. One of our witnesses discovered 40 Web 
sites that offered to sell phone records to anyone online.
    Last Congress, this committee's Subcommittee on Oversight 
and Investigations held several hearings on pretexting abuses 
and scandals, and I want to commend our two friends, Mr. Stupak 
and Mr. Whitfield for their extraordinary leadership in 
building a strong record on these matters.
    In a bipartisan manner, this committee passed the same 
legislation that we are discussing today. The legislation is 
bipartisan, and I intend to see that it remains so.
    We also commend Ranking Member Barton for his distinguished 
leadership and for his willingness to work to produce sound 
legislation.
    Unfortunately, after the committee reported the bill, for 
some strange reason, it mysteriously disappeared from the House 
floor schedule, and the House took no action before the 109th 
Congress adjourned, so today, we will continue our effort to 
ensure that call record information held by phone companies 
remains secure.
    In that regard, I am pleased that we have before us 
representatives of the Federal Communications Commission and 
the Federal Trade Commission to discuss these matters. The FCC 
is charged with ensuring that phone companies protect our 
calling records. And the FTC has the ability to crack down on 
fraudulent practices, such as pretexting. This legislation will 
provide more specific authority to both the FCC and the FTC to 
take appropriate action.
    We need to hear from the FCC what they are doing to protect 
these records. Every telecommunications company under the 
Communications Act has a duty to protect the sensitive, 
personal information of customers. Given the well-publicized 
breaches of customer privacy, we must address whether the 
statute adequately empowers the FCC to protect those records. I 
am aware that the FCC had expected to issue new rules governing 
phone record security by the end of the year. And we are 
encouraged that that is so, and we encourage the FCC to issue 
these new rules as quickly as they are able.
    Likewise, we need to hear from the FTC on whether or not 
they believe they have the authority, under existing law, to 
pursue those who engage in pretexting. The FTC has been 
aggressive in using section 5 of the Federal Trade Commission 
Act, which prohibits unfair and deceptive acts and practices in 
interstate commerce to bring enforcement actions against 
pretexters. But last year, they testified that more specific 
prohibitions were needed against pretexting soliciting and 
selling customer phone records. The agency also seeks enhanced 
authority to impose civil penalties.
    The Chair also looks forward to the testimony of the other 
distinguished members of our panel, the landline and wireless 
companies. And last, but, by no means, least, we will hear 
important testimony from a victim of pretexting. This is not a 
faceless crime, and it is not a crime that has no consequences. 
Mr. Einhorn, the committee thanks you for coming before us, and 
I am sorry, indeed, about what has happened to you and your 
family, and I pledge the best efforts of myself and the 
committee to make this kind of event less likely to happen to 
anyone else.
    In the interest of fairness, the committee will leave the 
record open for 30 days in case Allied Capital wants to submit 
a statement.
    This measure passed this committee in a bipartisan fashion 
last Congress. Just as Mr. Barton did last Congress so 
effectively well, I will work to address this issue in the same 
bipartisan manner. And as always, the committee will conduct 
the oversight necessary to ensure that the American people are 
protected in the privacy of their phone records.
    The Chair will follow the usual practices of the committee, 
and we will recognize the members for 3 minutes. And if the 
members choose to waive that 3-minute opening statement, they 
will be recognized for an additional 3 minutes at the time of 
the questioning.
    The Chair recognizes now the distinguished gentleman from 
Michigan, Mr. Upton, who has done a superb job on this 
legislation. Mr. Upton for 3 minutes.

   OPENING STATEMENT OF HON. FRED UPTON, A REPRESENTATIVE IN 
              CONGRESS FROM THE STATE OF MICHIGAN

    Mr. Upton. Well, thank you, Mr. Chairman. I know Mr. Barton 
is on the way as well.
    There have been great advances in technology since the days 
of the little black rotary phone. But the unfortunate reality 
is that, along with great advances in technology, there have 
been great advances in fraud as well.
    Over the last year, pretexting has garnered the national 
spotlight. Nearly a year ago, to the day, we marked up similar 
legislation in this committee, but hit a few minor bumps along 
the way. And I am hopeful that we will have a little more 
success this time, and consumers will, in fact, be the better 
for it.
    On the surface, pretexting seems harmless enough, but it is 
a violation of one's basic rights that can have grave 
consequences. Someone with bad intentions and a few bucks can 
get a hold of almost anyone cell phone record. It is alarming 
that our cell phone bills, a score sheet for our daily lives, 
can fall into the wrong hands with a simple phone call or even 
a click of the mouse.
    The consequences of firms trying to make a quick buck on 
the Internet are terrifying. Records can be used to track down 
someone's location, such as a woman in hiding from an abusive 
partner or stalker. Gangs and drug runners have been known to 
obtain phone records to determine if anyone in their group, in 
their gang, has been in contact with rival groups or even with 
the police.
    It doesn't matter what the motive is, no matter how 
barbaric or innocent the intentions, pretexting is wrong and a 
violation of an individual's basic right to privacy. Carriers 
do have a duty to protect their customers, and we have a duty 
to close the loophole once and for all.
    We have a quality piece of bipartisan legislation that will 
bring an end to this practice, once and for all. And the 
Nation's 190 million cell phone users will all be safer for it. 
And while we continue to make great advances in technology, one 
thing that will continue to remain constant is the consumer's 
right to privacy.
     I yield back my time.
    Thank you, Mr. Chairman.
    The Chairman. I thank the gentleman.
    The Chair recognizes now the distinguished gentleman from 
Massachusetts, Mr. Markey, for 3 minutes.

OPENING STATEMENT OF HON. EDWARD J. MARKEY, A REPRESENTATIVE IN 
        CONGRESS FROM THE COMMONWEALTH OF MASSACHUSETTS

    Mr. Markey. I thank the chairman very much.
    Mr. Chairman, personal privacy is the cornerstone of 
individual freedom. A person's telephone records can disclose 
some of the most intimate details of a person's life. 
information about who you call, when you call, how long you are 
on the phone can reveal a lot about a person, their 
relationships, their business dealings, their family members, 
their children. The public sale of this information can be 
embarrassing, awkward, and uncomfortable for a consumer. It can 
be dangerous when it is in the hands of stalkers, thieves, 
abusers, and others who intend to do harm.
    More troubling, in my mind, is the fact that last year this 
committee discovered that pretexting is not solely the province 
of individual, low-rent fraudsters who prey on vulnerable 
citizens. In a shocking revelation last September, Hewlett-
Packard, a Fortune 500 company, agreed to pay a $14 million 
penalty for illegal pretexting. Likewise, Washington hedge fund 
manager, David Einhorn, who is testifying here today, fell 
victim to pretexting when a financial service's firm hired 
someone to illegally obtain his phone records.
    In the last Congress, this committee passed this important 
bill to ensure that consumer phone records are not for sale in 
some cyberspace bizarre and to take action to shut down these 
practices. Last session's bill, however, mysteriously 
disappeared from the House suspension calendar prior to House 
floor consideration, reportedly due to concerns from the 
intelligence community. These concerns implicated the alleged 
disclosure of phone records by certain telephone companies to 
the National Security Agency or others. The pretexting bill's 
sudden disappearance represented a case of extraordinary 
legislative rendition.
    Under the Telecommunications Act, telephone companies are 
legally obligated to safeguard the confidentiality of phone 
records. After the scandals of last year, many phone companies 
certainly responded by tightening internal controls to prevent 
unauthorized disclosure of phone records. While the fraudsters 
may be acting illegally by using pretexting, the fact that 
these records are apparently so easily obtained on the Internet 
and elsewhere makes it self-evident that enforcement and 
security needs to be stepped up.
    The FCC has been developing new rules to do just that for 
several months, and we are eager for the Commission to finalize 
its action. Doing so may obviate the need to legislate portions 
of the bill before us. I also continue to believe it is 
important for the Commission, as an independent, regulatory 
agency, to investigate media reports regarding disclosure of 
consumer phone records by phone companies without legal process 
and in violation of the Communications Act. This is still 
timely, as this morning's newspapers indicate. There is still a 
lack of respect of a law of our country that privacy of 
Americans be protected and that only a judge, ultimately, can 
authorize the compromise of these important communications 
records.
    I look forward to working with you, Mr. Chairman, Mr. 
Barton, Mr. Upton, with Chairman Rush, and Mr. Stearns, and our 
other committee colleagues on this important legislation.
    I thank you.
    The Chairman. The Chair thanks the distinguished gentleman.
    The Chair recognizes now our good friend from Florida, Mr. 
Stearns, for 3 minutes.

 OPENING STATEMENT OF HON. CLIFF STEARNS, A REPRESENTATIVE IN 
               CONGRESS FROM THE STATE OF FLORIDA

    Mr. Stearns. Mr. Chairman, thank you very much. This is 
deja vu all over again. I mean, we have been talking about this 
bill. We have had the hearings on it in my subcommittee that I 
chaired in the last Congress, Commerce, Consumer Protection and 
Trade with the Federal Trade Commission having jurisdiction 
over this. Unfortunately, the Telecom Act of 1996 exempted 
common carriers, which allowed this to be under the 
jurisdiction of the FCC rather than the Federal Trade 
Commission. I think many of us on this side were sorely 
disappointed that we couldn't have reached a compromise and had 
this bill on the floor under suspension, perhaps with 
amendment, and got this through. I think we all realize, no 
matter what we talk about, the stark reality is that there is 
always going to be con artists and cyber thieves to keep us 
busy. And so we have got to pass this bill. We must recognize 
the importance of securing and protecting personal data from 
exploitation by fraudsters, whether the preferred technique is 
pretexting, hacking, or good old-fashioned fraud. Likewise, 
ensuring the public is informed about the need to protect 
personal data will also help thwart the fastest-growing 
criminal enterprise in America, which is identity theft.
    So, Mr. Chairman, our subcommittee that I chaired and now 
that Mr. Rush chairs are eagerly looking forward to passing 
this. And I think under your leadership, Mr. Dingell, 
hopefully, we will have this on the floor in short order. I 
think it is an issue that, for a long time, has been in 
agreement that it should pass. I am a cosponsor of this bill, 
this H.R. 936. As we all know, it is not perfect. Perhaps as it 
works its way through the process out of our committee and to 
the House floor and to the Senate, we will have that 
opportunity to improve it. Hopefully, the intelligence 
community will come on board and not thwart and prevent this 
from passing. I think the good of this is overwhelming, and we 
must not restrict legitimate marketing practices that can 
benefit consumers, but we also might understand that there is a 
need to identify and protect the consumers' privacy.
    So I look forward to working with you, Mr. Chairman, and 
obviously Mr. Upton, who is chairman of the Telecommunications 
Committee, and the ranking member of our full committee, Mr. 
Barton.
    Thank you.
    The Chairman. The Chair recognizes now the distinguished 
gentleman from Illinois, Mr. Rush, for 3 minutes.

 OPENING STATEMENT OF HON. BOBBY L. RUSH, A REPRESENTATIVE IN 
              CONGRESS FROM THE STATE OF ILLINOIS

    Mr. Rush. Thank you, Chairman Dingell, for conducting this 
hearing. And I want to commend you and Ranking Member Barton 
for your continued bipartisan leadership on this issue.
    Mr. Chairman, pretexting is a serious problem that can have 
devastating effects on the average consumer. And I am sure Mr. 
Einhorn's testimony will further illustrate the devastating 
effects that pretexting can have.
    Mr. Chairman, H.R. 936, the Prevention of Fraudulent Access 
to Phone Records Act, is a hard-hitting but deliberative 
response to this widespread crime. Most of today's discussion 
in our hearing will center around title 2 of the bill. But as 
chairman of the Subcommittee on Commerce, Trade, and Consumer 
Protection, I want to highlight the provisions of title 1.
    Title 1 of the bill grants the FTC specific authority to 
crack down on pretexters by explicitly declaring the practice 
of fraudulently obtaining or selling customer proprietary 
network information as an unlawful conduct and an unlawful act. 
The FTC will enforce this provision as a violation of the 
Federal Trade Commission Act and its prohibition on unfair or 
deceptive practices. The Commission is to be lauded for its 
past and ongoing enforcement actions under its existing 
authority under Section 5 of the FTC Act. But last year, in 
hearings, we heard testimony that the Commission needed more 
specific statutory authority to better protect the public. 
title 1 fulfills this need.
    Mr. Chairman, every returning member of this committee 
voted for this bill in the last Congress, and it is my sincere 
hope that every member of this committee will repeat that vote.
    Too many consumers remain vulnerable to pretexting and its 
devastating effects, and H.R. 936 will go a long way in 
addressing this basic consumer protection issue. Last Congress, 
we did our job. We reported a good bill out of our committee 
for consideration on the House floor only to see it go nowhere 
and die. I hope this year's bill won't meet the same fate. Let 
us make sure that today's hearing is the 110th Congress's first 
step toward eventually enacting this important measure into 
law.
    Thank you, Mr. Chairman. I yield back the balance of my 
time.
    The Chairman. Thanks to the distinguished gentleman from 
Illinois.
    It is with great pleasure that the Chair recognizes my good 
friend and colleague, the ranking member of the committee, Mr. 
Barton, who provided such extraordinary leadership in this 
matter last year. The gentleman is recognized for 5 minutes.

   OPENING STATEMENT OF HON. JOE BARTON, A REPRESENTATIVE IN 
                CONGRESS FROM THE STATE OF TEXAS

    Mr. Barton. Thank you, Mr. Chairman.
    I won't take very much time. I am submitting my full 
statement for the record. Suffice it to say that we worked 
together on this in the last Congress and didn't quite get over 
the finish line. I am proud to be an original sponsor with you 
and several other members in this Congress. Pretexting is 
something that we need to combat. And as we all know, 
pretexting is pretending to be someone you are not to get 
something you shouldn't have to use in a way that is probably 
wrong.
    So I am sure, on a bipartisan basis, we can move this bill 
and move it to the floor and move it to the Senate and put it 
on the President's desk and strike a blow for individual 
privacy in this Congress.
    And with that, I would yield back.
    The Chairman. The Chair thanks the gentleman, and without 
objection, his full statement will appear in the record, as 
will the statements of our other colleagues, who so desire.
    The Chair recognizes now our good friend and colleague, the 
gentleman from Virginia, Mr. Boucher, for 1 minute. Mr. 
Boucher.

  OPENING STATEMENT OF HON. RICK BOUCHER, A REPRESENTATIVE IN 
           CONGRESS FROM THE COMMONWEALTH OF VIRGINIA

    Mr. Boucher. Well, thank you very much, Mr. Chairman.
    It is my pleasure to join with you and other members of the 
committee in cosponsoring this measure. And I commend the 
bipartisan process that has produced this bill. Pretexting was 
rendered unlawful by action in the last Congress, but there is 
an ongoing need to make sure that the integrity of customer 
proprietary information is protected by local exchange carriers 
and by the wireless industry. That information should never be 
sold, and there should be ongoing steps taken by the carrier to 
make sure that that information is appropriately safeguarded.
    That said, I think it is also important that we carefully 
evaluate the exemptions to make sure that none of the 
provisions about sharing information with third parties would 
prohibit normal and effective operations by the 
telecommunications carrier. They need to contract out certain 
information to third parties, including engineers and 
information technology specialists of various kinds. And the 
ability to do that is absolutely essential to the effective 
functioning of their operations. And so I would simply urge the 
committee to take care, as we have this hearing, to listen to 
the representatives of the telecommunications industry and heed 
their recommendations with regard to what the scope of those 
exemptions should be.
    Thank you, Mr. Chairman, and I yield back.
    Ms. DeGette [presiding]. The Chair is now delighted to 
recognize Mr. Hastert for 1 minute.

 OPENING STATEMENT OF HON. J. DENNIS HASTERT, A REPRESENTATIVE 
             IN CONGRESS FROM THE STATE OF ILLINOIS

    Mr. Hastert. Well, thank you, Madame Chairwoman.
    I would like to thank the witnesses for coming this morning 
to speak about pretexting and the sale of phone records. Since 
the development of the Internet, our personal information has 
been more readily available and increasingly easier to obtain. 
In fact, there is a growing market for the sale of phone 
records. These records provide detailed information about who 
and what and when we call and how long we spend on the phone. 
Fraudulently obtaining this information is an invasion to our 
personal privacy, and it cannot be allowed to continue.
    But at the same time, we need to provide for equal 
treatment for all those who collect that data. As we move 
forward, we should ensure that this bill will not hamper lawful 
and necessary means to protect our country from foreign 
terrorism. I look forward to hearing from each witness as we 
address these concerns.
    And I thank you, and I yield back my time.
    Ms. DeGette. The Chair now recognizes the distinguished 
gentleman from Maryland, Mr. Wynn, for 1 minute.

 OPENING STATEMENT OF HON. ALBERT R. WYNN, A REPRESENTATIVE IN 
              CONGRESS FROM THE STATE OF MARYLAND

    Mr. Wynn. Thank you, Madame Chairman, for holding this 
hearing on an issue of such importance to American consumers. 
Pretexting, the unlawful, false, fictitious or fraudulent 
statements or representations in order to obtain the personal 
proprietary information of a consumer poses serious threats to 
the privacy of consumers and to the integrity of the 
telecommunications industry. The ease with which one can obtain 
private information on other individuals concerns me, 
especially when we know the harm that can be done with such 
records. The improper use of customer propriety network 
information, CPNI, have been used in the past by suspected 
mobsters to intimidate police officers and by stalking in the 
murder of Amy Boyer in 1999.
    As a matter of public policy, we must ensure that this type 
of information cannot be easily bought over the Internet. We 
need to pass legislation to make sure that those who illegally 
purchase CPNI are aggressively prosecuted, but, at the same 
time, we need to make sure this bill does not hamstring 
telecommunication providers who use CPNI in a responsible 
manner to better target their consumers for new products or 
services and ultimately pass savings along to them.
    I look forward to this hearing and hearing from the 
witnesses. It is critical that we safeguard individuals from 
pretexting. I thank you for this time, and I yield back.
    Ms. DeGette. The Chair now recognizes the distinguished 
gentleman from Illinois, Mr. Shimkus, for 1 minute.
    Mr. Shimkus. I will waive.
    Ms. DeGette. The gentleman waives.
    The Chair now recognizes the gentleman from Pennsylvania, 
Mr. Pitts.

OPENING STATEMENT OF HON. JOSEPH R. PITTS, A REPRESENTATIVE IN 
         CONGRESS FROM THE COMMONWEALTH OF PENNSYLVANIA

    Mr. Pitts. Thank you, Madame Chairman.
    I am looking forward to hearing what our witnesses have to 
say this morning. Everyone agrees that pretexting needs to be 
stopped, but we need to do it in a way that does not ensnare 
legitimate business practices. We have a good bill before us, 
and I will be interested to hear what our witnesses have to say 
about how we can improve it when we mark it up.
    I am also grateful to the sponsors of this bill for 
including the wireless directory assistance language that I and 
my friend Chairman Markey worked so hard on over the last two 
Congresses. While telephone numbers are not, strictly speaking, 
considered customer proprietary network information, wireless 
telephone numbers are definitely considered personal 
information by the vast majority of consumers, and I expect 
this language will become law this year, and I am very happy 
about that. This hearing will also be a chance for us to make 
sure that that part of the bill is written the best way 
possible and will not have any unintended consequences.
    Thank you, Madame Chairman.
    Ms. DeGette. The Chair now recognizes the distinguished 
gentleman from Texas, Mr. Green, for 1 minute.

   OPENING STATEMENT OF HON. GENE GREEN, A REPRESENTATIVE IN 
                CONGRESS FROM THE STATE OF TEXAS

    Mr. Green. Madame Chairman, I am glad we are considering 
H.R. 936, and I am a proud cosponsor of it. Our committee has a 
history of privacy protections, going back to the legislation 
on banking in the last decade, and we are concerned about the 
privacy of our own information, whether it is good banking 
records or our cell phones and our own hard lines. And 
pretexting should have passed last time, as most of my 
colleagues said. I think there is an issue we are going to have 
to deal with on the contracting out, as I heard our chair of 
the Energy Subcommittee talk about. I would just hope that 
whatever we do about contracting out would have the same 
restrictions as the person who is doing the contracting.
    And I yield back my time.
    Ms. DeGette. The gentleman yields back.
    The Chair now recognizes the distinguished gentleman from 
Oregon, Mr. Walden, for 1 minute.

  OPENING STATEMENT OF HON. GREG WALDEN, A REPRESENTATIVE IN 
               CONGRESS FROM THE STATE OF OREGON

    Mr. Walden. Thank you, Madame Chair.
    I am looking forward to this hearing, and while I supported 
this legislation last year and certainly participated in the 
oversight hearings on pretexting, I want to make sure that, as 
we move forward, that we aren't doing something that has 
unintended consequences when it comes to legitimate marketing 
issues so that consumers can get access to information for 
offers and things they may want to take advantage of. And so I 
am going to raise a few of those questions. I think there have 
been some points raised since this bill was passed out of this 
committee last year and sent to the full House, which never 
took it up, that need to be addressed to make sure we are doing 
the right thing, which is protecting the rights of consumers, 
not to be ripped off and not to be abused, as we witnessed in 
our hearings. And there are some very serious legitimate 
problems out there that we need to address. In doing so, let us 
make sure that we don't go overboard.
    So thank you for this hearing and for your work on the 
Oversight Committee as well, and I look forward to the 
testimony of our witnesses.
    Ms. DeGette. The gentleman yields back.
    The Chair now recognizes the gentleman from Texas, Mr. 
Gonzalez, for 1 minute.
    Mr. Gonzalez. I waive.
    Ms. DeGette. The gentleman waives.
    The Chair now recognizes the distinguished gentle lady from 
Oregon, Ms. Hooley, for 1 minute.
    The gentle lady waives.
    The gentleman from New York, Mr. Weiner.

 OPENING STATEMENT OF HON. ANTHONY D. WEINER, A REPRESENTATIVE 
             IN CONGRESS FROM THE STATE OF NEW YORK

    Mr. Weiner. Thank you, Madame Chair. And I look forward to 
this hearing, and I want to commend the committee for the work 
that they have done last year.
    There are some foundational principles that we should keep 
in mind. One is there has to be a reasonable understanding that 
consumers expect the information to be shared. In this case, I 
think most, as Mr. Markey said, consumers don't even realize 
this information is available to be shared. And this is not 
like some other data in our lives that we kind of sense maybe 
someone else is going to get a hold of.
    And second, if the administration has concerns about 
national security, concerns about the legislation, let us hope 
this year they confront it in a more forthright fashion, rather 
than in the dark of night, simply killing a bill that should 
have been on the suspension calendar, as many of us would agree 
with. If a court gets an opportunity to view these concerns, I 
am convinced that they will make the right decisions. But 
simply making these privacy decisions in the dark of night by 
security officials, we have learned over and over again, this 
administration cannot be trusted with that much authority.
    And I yield back my time.
    Ms. DeGette. The gentleman yields back.
    The Chair now recognizes the gentleman from Nebraska, Mr. 
Terry, for 1 minute.
    Mr. Terry. Waive.
    Ms. DeGette. The gentleman waives.
    The Chair now recognizes the gentleman from Texas, Mr. 
Hall, for 1 minute.
    Mr. Hall. Chairman, there is nothing I can add to this. I 
voted for it the last time. I don't know why we don't run it on 
through now and pull our hat down over our ears and try to get 
it out of the Senate and listen to these five young men and 
this lovely lady to tell us what they think about this, and 
especially to welcome Mr. Largent, a former member here.
    I yield back.
    Ms. DeGette. The Chair recognizes herself for 1 minute.

 OPENING STATEMENT OF HON. DIANA DEGETTE, A REPRESENTATIVE IN 
              CONGRESS FROM THE STATE OF COLORADO

    Ms. DeGette. Last year, we had a series of hearings in the 
Oversight and Investigations Subcommittee on pretexting, and 
really, what we learned was disturbing. Your personal data is 
out there for sale, and, as we have heard, it just takes a few 
minutes and a little money for someone to get access to your 
telephone records and other pieces of private information.
    What seemed worse to me, though, was there are a number of 
prominent citizens in this country and lawyers who don't seem 
to understand that this is, at best, unethical, in many 
situations, and, at worst, and probably, in many States, 
illegal. And that is why we need to clarify the Federal law. 
That is what H.R. 936 was intended to do.
    Last year, this committee passed that bill unanimously, and 
somehow between this committee and the House floor, it got 
lost. And we never did find it. But this year, it is a new 
year. It is a new Congress. And it is going to be a new fate 
for H.R. 936.
    I look forward to hearing the witnesses about this bill. 
And most importantly, I look forward to passing this bill 
through the committee and through the House of Representatives.
    With that, the Chair now recognizes Mr. Burgess from Texas 
for 1 minute.
    Mr. Burgess. Thank you, Madame Chairman. I think, in the 
interest of time, I will submit my statement for the record and 
reserve time for questions.
    Ms. DeGette. Without objection.
    The Chair now recognizes Mr. Sullivan from Oklahoma.
    Mr. Sullivan. Madame Chairman, I, too, shall submit mine 
for the record.
    Ms. DeGette. The chairman now recognizes the gentleman from 
New York, Mr. Towns, for 1 minute.

 OPENING STATEMENT OF HON. EDOLPHUS TOWNS, A REPRESENTATIVE IN 
              CONGRESS FROM THE STATE OF NEW YORK

    Mr. Towns. Thank you very much, Madame Chair.
    Let me thank all of the witnesses for coming. And I 
especially want to thank my former colleague, Steve Largent for 
being here.
    Also, what I would like for these fine witnesses to do for 
me is to clarify the issues that the industry has with the bill 
and to show us how companies use customer proprietary network 
information to assist them in providing better choices and 
products to our constituents.
    Although consumers enjoy all the new options they have, 
they want to believe that their personal details will not be 
abused. And of course, I would like to hear. Some of that makes 
me feel comfortable in that regard, and at the same time, we 
recognize that we do not want to eliminate progress, but we 
also have to be concerned about fraud.
    On that note, I yield back, Madame Chair.
    Ms. DeGette. The gentleman yields back.
    The Chair now recognizes the gentleman from Mississippi, 
Mr. Pickering.
    Mr. Pickering. Thank you, Madame Chairman.
    In the interest of time, I will yield back.
    Ms. DeGette. The Chair now recognizes Mr. Inslee from 
Washington State.

   OPENING STATEMENT OF HON. JAY INSLEE, A REPRESENTATIVE IN 
             CONGRESS FROM THE STATE OF WASHINGTON

    Mr. Inslee. Thank you. I think it is about time to do it 
since I first heard about people stealing your personal records 
over the Internet a couple of days after Christmas 2005. So I 
am glad to finally be here.
    I want to note the opt-in provision of this bill that I 
think is important to give consumers the right to opt in rather 
than have to opt out so their records will be protected unless 
they specifically give advanced approval for their information 
to be divulged. But I think I am interested in looking at how 
we do that without interfering with the legitimate operational 
activities of the carriers. What my vision is we could have an 
opt-in requirement for any marketing purposes, and the like. 
But let us get this job done this year. Thanks.
    Ms. DeGette. The Chair now recognizes the gentle lady from 
Wisconsin, Ms. Baldwin, for 1 minute.

 OPENING STATEMENT OF HON. TAMMY BALDWIN, A REPRESENTATIVE IN 
              CONGRESS FROM THE STATE OF WISCONSIN

    Ms. Baldwin. Thank you, Madame Chairwoman.
    I hope that hearings like this will generate enough 
momentum to actually move the bill through Congress this year, 
and I echo my colleagues' concerns that pretexting not only 
violates a person's right to privacy, but it poses serious 
risks to people's safety, such as some of the high-profile 
cases that we have heard of victims of domestic violence and 
stalking and police officers who are doing undercover work.
    Furthermore, last fall's revelations at that corporate 
sector has been using pretexting to obtain personal records of 
employees, board members, journalists and critics further 
injected a renewed sense of urgency in addressing this issue. 
Imposing penalties on the actions of pretexters is certainly a 
necessary component of stemming the problem, but it is not the 
only one. That is why I am particularly pleased that this bill 
not only makes pretexting to obtain, solicit, sell, or disclose 
customer proprietary network information illegal, but it also 
gives the FTC the enforcement power, and it also amends section 
222 of the Telecommunications Act to cover joint venture 
partners, et cetera. I do hope that we will promptly get about 
to the task of passing this legislation.
    Thank you, Madame Chairwoman.
    Ms. DeGette. The Chair now is pleased to recognize the 
distinguished gentle lady from Wyoming, Ms. Cubin.

 OPENING STATEMENT OF HON. BARBARA CUBIN, A REPRESENTATIVE IN 
               CONGRESS FROM THE STATE OF WYOMING

    Ms. Cubin. Thank you, Madame Chairman.
    I cosponsored this legislation, because I have no doubt 
that it, excuse me, takes the right approach in banning the 
practice of pretexting and giving the FTC enforcement authority 
to halt this practice. And I am looking forward to hearing the 
Commission's enforcement efforts today.
    However, I do have some concerns regarding how this 
legislation will affect rural carriers. Often, important, well-
meaning legislation, such as this, affects rural areas in ways 
that Congress may not have anticipated, and I am very 
interested in hearing from the panel about how this legislation 
will impact rural carriers and rural customers. And I do 
appreciate the Commission's efforts to enforce section 222 of 
the Telecommunications Act. And I believe this bill takes 
positive steps to do so.
    However, I would not like to see rural companies face 
unnecessary, and I would like to underline, disproportionate 
costs as a result of enforcement of this.
    So I would appreciate remarks from the panel on that.
    So thank you, Madame Chairman.
    Ms. DeGette. The Chair now recognizes the distinguished 
gentle lady from Illinois, Ms. Schakowsky, for 1 minute.

 OPENING STATEMENT OF HON. JAN SCHAKOWSKY, A REPRESENTATIVE IN 
              CONGRESS FROM THE STATE OF ILLINOIS

    Ms. Schakowsky. I thank you, Madame Chairman.
    As has been mentioned before, our committee passed an 
identical bill by unanimous vote in the last Congress, and I 
hope that we can get this bill, which would allow the FTC to 
assess civil penalties for pretexting for phone records and 
require phone companies to better secure customer records, and 
that we will get it signed into law.
    A number of States, including my own State, and our 
attorney general, Lisa Madigan, was here at the first hearing 
we had last session and actually was invited today, but her 
schedule didn't permit, have used their general consumer 
protection and consumer fraud statutes to file lawsuits against 
the practice, but because there was not a clear Federal statute 
outlining this anti-consumer practice, there were those who 
still chose to dabble in what they claim was a gray area of the 
law. Last year, a bill that would allow for criminal penalties 
for pretexting was signed into law, but we still need to give 
the FTC the extra authority it needs to impose civil penalties.
    But another important concern goes to the reason that con 
artists who pretext are so successful, when we started our 
investigation into pretexting in February 2006, there were over 
40 sites selling other's phone records. And in the most 
infamous case to date--let me just conclude with this, the 
quick and easy access to phone records raises the question of 
what phone companies are doing or not doing to protect our 
consumers' records, and that is a very important piece of this.
    So I look forward to passing this important legislation. 
Thank you.
    Ms. DeGette. The Chair recognizes the distinguished 
gentleman from Louisiana, Mr. Melancon.
    The gentleman waives. Are there any other Members who wish 
to make an opening statement?
    Statements will be accepted for the record as well as the 
text of H.R. 936.
    [H.R. 936 follows:]

    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
    
    Ms. DeGette. I would like to welcome our panel today of 
distinguished witnesses, most especially our former colleague, 
Mr. Largent, who we are delighted to have appear in front of 
the committee. The witnesses are now recognized, and we will 
start with Ms. Lydia Parnes.
    Ms. Parnes.

    STATEMENT OF LYDIA PARNES, DIRECTOR, BUREAU OF CONSUMER 
           PROTECTION, U.S. FEDERAL TRADE COMMISSION

    Ms. Parnes. Good morning, Madame Chairman, Ranking Member 
Barton, members of the committee.
    I appreciate your invitation to appear today to discuss the 
privacy and security of consumers' telephone records.
    Although my written statement is that of the Commission, my 
oral testimony and responses to questions reflect my own views 
and not necessarily those of the Commission or any individual 
commissioner.
    Protecting the privacy and security of consumer-sensitive 
personal information is one of the Commission's highest 
priorities, and aggressive law enforcement is at the center of 
our efforts to protect consumers' telephone call records from 
pretexting.
    Last May, the Commission announced five lawsuits against 12 
defendants who obtained and sold consumers' telephone records 
without their knowledge or authorization. The Commission 
alleged that these practices were unfair and prohibited by 
section 5 of the FTC Act. In each of these cases, the defendant 
advertised on its Web site that it could obtain confidential, 
customer phone records from telecommunications carriers for 
fees ranging from $65 to $180.
    To date, the Commission has settled two of these cases, 
obtaining strong, permanent injunctions that bar the defendants 
from selling phone records or personal information taken from 
those records. In addition, the settlements require the 
defendants to disgorge their profits. The remaining three cases 
are still in active litigation.
    These five cases were the culmination of extensive 
investigations of this industry. Commission staff surfed the 
Internet for companies that offer to sell consumers' phone 
records, sent warning letters, and then identified appropriate 
targets for investigation and completed undercover purchases of 
these records. The Commission worked closely with the Federal 
Communications Commission in developing these cases. We are 
committed to coordinating our work on this issue, as we have 
done successfully in other areas.
    Last month, the Commission filed a sixth case against six 
defendants that allegedly conducted or directed actual 
pretexting. Again, the FTC alleged that the defendants obtained 
and sold consumers' confidential phone records without their 
knowledge or consent. This case connects the actual pretexters 
to the middlemen who sell the records to third parties. In 
addition to alleging that the unauthorized sale of phone 
records is an unfair practice, the FTC's complaint alleges that 
the defendants engaged in deception by obtaining the records 
through the use of fraud and misrepresentations.
    These telephone-pretexting cases follow a long line of 
actions against defendants charged with the pretexting of 
financial records. We filed our first financial pretexting case 
in 1999 against a company that offered to provide consumers' 
bank account numbers and balances for a fee. Congress later 
enacted the Gramm-Leach-Bliley Act, which expressly prohibits 
pretexting for financial records. The FTC has followed up with 
more than a dozen cases.
    Let me turn briefly to the subject of legislation.
    The proposed Phone Records Act contains several important 
provisions that would assist the Commission in combating phone 
pretexting.
    First, it applies not only to pretexters, but to those who 
solicit their services and know, or should know, that the 
records are obtained through false pretenses. Second, it grants 
the FTC the power to seek civil penalties against violators. 
And third, it contains an important exemption for law 
enforcement. These provisions would provide the Commission with 
useful, additional tools for combating telephone records 
pretexting.
    In addition to the Phone Records Act, two recently-passed 
statutes will assist in the fight against phone pretexting.
    First, in December 2006, Congress enacted the U.S. Safe Web 
Act, which allows greater cooperation and information sharing 
between the Commission and its counterparts in other countries. 
The U.S. Safe Web Act will assist the Commission in pursuing 
data brokers, who are operating outside the United States. 
Second, Congress passed the Telephone Records and Privacy 
Protection Act, which criminalizes obtaining confidential 
records by making false statements to a telephone service 
provider. In light of this new law, we anticipate developing 
criminal law enforcement referrals to our sister agency, the 
Department of Justice.
    Again, thank you for the opportunity to testify today. We 
look forward to working with the committee and its staff on 
this very important issue, and I would be happy to answer any 
questions you may have.
    [The prepared statement of Ms. Parnes follows:]

    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
    
    Ms. DeGette. Thank you.
    Mr. Navin.

  STATEMENT OF THOMAS NAVIN, CHIEF, WIRELINE BUREAU, FEDERAL 
                   COMMUNICATIONS COMMISSION

    Mr. Navin. Thank you.
    Good morning, Madame Chairman, Ranking Member Barton, and 
members of the committee.
    I appreciate the opportunity to speak with you today about 
the ongoing work of the Federal Communications Commission to 
ensure the privacy of American consumers' sensitive telephone 
call records.
    Section 222 of the Communications Act requires 
telecommunications carriers to protect the confidentiality of 
their customers' personal information collected in the course 
of providing telephone service. This information is commonly 
referred to as ``customer proprietary network information'' or 
CPNI. As you are aware, third parties, known as ``data 
brokers'' or ``pretexters'', had invaded consumers' privacy by 
gaining unauthorized access to this very personal data for 
profit.
    The Commission has taken several steps to curb the 
unauthorized disclosures and sale of consumers' personal 
telephone records. Specifically, FCC Chairman Martin has 
proposed imposing stricter security standards for CPNI for all 
providers of telephone service, including mandatory passwords 
for accessing customer call records. Further, the Commission 
has investigated, and will continue to investigate, this 
unlawful activity and take strong enforcement action to address 
any violations by telecommunications carriers of their 
obligations to protect CPNI.
    The Commission began its investigation of the data broker 
problem in late summer 2005. In August 2005, the Electronic 
Privacy Information Center, or EPIC, filed a petition for 
rulemaking at the FCC to address the sufficiency of carrier 
privacy practices in light of the fact that online data brokers 
were selling consumers' private telephone data. In early 2006, 
the Commission issued a Notice of Proposed Rulemaking, inviting 
comment on the EPIC petition and whether additional Commission 
rules are necessary to strengthen the carriers' safeguards for 
customers' records.
    Based on the evidence submitted in its rulemaking 
proceeding, and gathered in its enforcement investigations, the 
Commission has learned about the methods that data brokers 
routinely use to seek to obtain unauthorized access to CPNI. 
The Commission also has learned of a variety of steps carriers 
can take to further protect the privacy of customer account 
information.
    Significantly, we also recognize the importance of this 
issue to law enforcement, particularly in light of the new 
Telephone Records and Privacy Protection Act of 2006, which 
makes pretexting a criminal offense. The Commission has an item 
for consideration before it which would address these issues by 
requiring providers to adopt additional safeguards to protect 
customers' phone record information from unauthorized access 
and disclosure.
    The chairman has circulated an order that, for example, 
proposes prohibiting providers from releasing call detail 
information except when the customer provides a password, or by 
sending it to an address of record or by calling the customer 
at the telephone of record. To protect against possible efforts 
to circumvent these requirements, the order proposes to require 
carriers to notify the customer immediately when information 
such as passwords or the address of record is created or 
changed. The chairman also proposed a notification process for 
both law enforcement and customers in the event of a breach of 
CPNI.
    In addition, Chairman Martin proposed to modify our current 
rules to require providers to obtain affirmative customer 
consent before disclosing any of that customer's phone record 
information to a provider's joint venture partner or 
independent contractor for marketing purposes. Further, the 
order proposes to extend all CPNI obligations to interconnected 
voice over Internet protocol, or VoIP, providers. These 
additional privacy safeguards should sharply limit pretexters' 
ability to obtain unauthorized access to CPNI.
    The Commission also has used its enforcement authority to 
help address this problem. The Commission has issued subpoenas 
to a number of data brokers seeking information about how 
companies obtained phone record information and then sold it.
    Additionally, the Commission has investigated 
telecommunications carriers' practices to fulfill section 222's 
duty to protect customer information through numerous meetings 
with the carriers, a review of the carriers' annual section 222 
compliance certifications, and through formal letters of 
inquiries that have been issued to nearly 20 carriers.
    Throughout these investigations, the Commission closely 
coordinated with the Federal Trade Commission staff. In 
addition, the Commission has offered assistance to State 
attorneys general in their efforts to combat pretexting. The 
Commission takes very seriously any breach of consumers' 
privacy, as well as carriers' statutory duty to protect the 
customer information that they collect. The Commission also 
remains committed to strengthening its rules as warranted to 
help ensure that carriers implement adequate practices to 
protect their customers' privacy, as required by the 
Communications Act. We, likewise, will continue to coordinate 
with the Federal Trade Commission, State and Federal attorneys 
general, and other law enforcement authorities about our 
findings, and work with them in any way we can to take legal 
action against data brokers and pretexters. We look forward to 
working collaboratively with the members of this committee and 
other Members of Congress to ensure that consumers' personal 
phone data remains confidential.
    Thank you for the opportunity to testify, and I would be 
pleased to respond to your questions.
    [The prepared statement of Mr. Navin follows:]

    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
    
    Ms. DeGette. Thank you, Mr. Navin.
    Mr. Rotenberg.

  STATEMENT OF MARC ROTENBERG, EXECUTIVE DIRECTOR, ELECTRONIC 
                   PRIVACY INFORMATION CENTER

    Mr. Rotenberg. Madame Chairman, Ranking Member Barton, 
members of the committee, thank you so much for the opportunity 
to testify before you on the very serious problem of 
pretexting.
    As you may know, in the summer of 2005, EPIC undertook an 
extensive investigation of the problem of pretexting in the 
United States. We found that personal information, call detail 
information, was available for sale at more than 40 businesses 
on the Internet. We filed a petition with the Federal Trade 
Commission in which we asked the FTC to begin an investigation, 
and because it was so clearly the case that the information at 
issue concerned personal calling records, we petitioned the FCC 
to open an investigation and to establish stronger security 
standards to safeguard the privacy of the call detail 
information of American telephone consumers.
    We provided very specific recommendations for the FCC: the 
use of passwords, the use of encryptions, and the use of audit 
trails that would ensure that when personal information in the 
possession of the telephone carriers was disclosed, it was 
disclosed for an appropriate purpose and not to a pretexter for 
a nefarious purpose.
    I recall a year ago at this time having the honor to appear 
before this committee with the chairman and to discuss our 
petition, and at that time, he expressed support for our 
recommendations. He said that he was going forward and issued 
the petition in February, more than a year ago, recommending 
that stronger security standards be established for telephone 
record information.
    We filed our comments. The telephone industry filed their 
comments. We filed our reply comments, and then nothing 
happened. No final rule was ever issued by the FCC, though, 
remarkably, as recently as January 2007 the Commission 
continued to warn consumers about the ongoing problem of 
pretexting of personal telephone record information.
    I am here before you today to urge you to ensure that the 
FCC act on this petition. And because they have failed to act 
on this petition, we think it is absolutely vital for the 
legislation that you are considering now, which would establish 
these security standards by law, to go forward. The 
safeguarding of this personal information is absolutely 
crucial, as we have described in our testimony.
    Some will raise the question regarding the legislation that 
was passed by the Congress during the last session, which 
criminalized the act of pretexting, but it did not deal with 
the source of the problem, and that concerns the information 
that is collected and maintains CPNI data that is used in the 
telecommunication sector, and that is the information that is 
being made available to pretexters to commit fraud, identity 
theft, and other types of crime. That is the information that 
we believe needs to be protected.
    I thank you, again, for the opportunity to be here, and I 
would be pleased to answer your questions.
    [The prepared statement of Mr. Rotenberg follows:]

    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
    
    Ms. DeGette. Thank you, Mr. Rotenberg.
    Mr. Largent.

  STATEMENT OF HON. STEVE LARGENT, PRESIDENT, CHIEF EXECUTIVE 
             OFFICER, CTIA-THE WIRELESS ASSOCIATION

    Mr. Largent. Thank you, Chairwoman and Ranking Member 
Barton and members of the committee.
    On behalf of CTIA, I am pleased to testify on H.R. 936 and 
the steps the wireless industry is taking to ensure the safety 
and security of wireless customers and consumers.
    At the outset, I want to be clear. CTIA's member companies 
take seriously their obligation to protect customers' CPNI. In 
that sense, your goal is our goal, too.
    In addition to meeting their duties under section 222, 
every carrier has a market-based interest in seeing that 
customer records are not disclosed without proper permission. 
Carriers employ a broad range of security measures to prevent 
unauthorized access to these records. In general, the system 
works well, as there are literally hundreds of millions of 
positive customer service interactions every year.
    Nonetheless, well-publicized instances of pretexting and 
the legislative and oversight activities that followed in this 
committee and elsewhere served as a wake-up call for all of us. 
I am pleased to say that the wireless industry did not wait 
idly by for someone else to solve the problem. In addition to 
offering our assistance to the committee, each of CTIA's 
national carriers filed and obtained injunctions to shut down 
data thieves. The carriers also teamed with law enforcement to 
identify individuals and companies involved in fraudulent 
activities to help put these criminals out of business.
    CTIA also supported legislation approved by the 109th 
Congress to criminalize the act of pretexting. Since the 
President signed the bill, the market for pretexting services 
has evaporated under the threat of Federal prison time and 
sizable financial penalties. The positive effect of this 
legislation cannot be overstated.
    CTIA's members have not relied exclusively on the legal 
process to address pretexting. In the past year, wireless 
carriers have adopted a variety of procedures and tools to stop 
unauthorized access to CPNI. As is true in every other facet of 
the business, flexibility and innovation make a difference in 
the effort to defeat pretexters. Some carriers have focused on 
process. Others have chosen to use technology to help solve the 
problem. This variation between carriers is a positive, as 
static practices can become outmoded or avoided by third 
parties with ill intent. CTIA and its member companies strongly 
support additional enhanced security measures that can help to 
better protect consumers.
    I detail each of these points in my written testimony, but 
let me briefly explain what CTIA supports.
    We support giving customers the option of using pass codes 
to protect account detail. We support restricting disclosure of 
customers' Social Security numbers, tax ID, entire credit card 
number, or billing name and address in response to inbound 
customer calls. We support policies that preclude the release 
of call detail records via fax or e-mail, and we support 
confirmation of the FTC's jurisdiction in this area.
    While CTIA supports reasonable measures to enhance the 
security of CPNI, any legislation the committee proposes should 
be narrowly targeted and responsive only to actual problems. 
Carriers must continue to have the flexibility to innovate and 
compete.
    With this in mind, I have several specific observations to 
offer.
    First, CTIA members are concerned about any provisions in 
H.R. 936 that would require carriers to obtain specific 
customer consent before they can share CPNI with affiliates and 
joint venture partners that provide marketing and other 
services to carriers that are otherwise permissible under the 
law. In instances where CTIA member companies share CPNI with 
third parties to aid in marketing, billing, and customer 
service efforts, they impose strict contractual obligations to 
protect customer information. There are also existing FCC 
requirements that cover such arrangements. Limiting the ability 
of carriers to share CPNI with third parties is burdensome and 
has no connection with the goal of preventing fraudulent access 
to phone records. We believe that an approach focused on 
enhanced security rather than introducing additional customer 
consent mechanisms is the best way to protect CPNI from 
unauthorized use.
    Second, if Congress opts to act in this area, it should do 
so in the way that promotes uniformity and efficiency. We are 
seeing increased attention being paid to these issues at the 
State level, where, at last count, 34 different pieces of 
legislation related to call records have been introduced this 
year. Even when these bills are similar, they often contain 
variances that can make them difficult and costly to implement. 
What is needed is a uniform, national policy that properly 
balances consumer protection and carrier flexibility.
    Let me conclude by underscoring the wireless industry's 
commitment to protecting CPNI. I can assure you that we will 
continue to enhance and improve our safeguards for sensitive 
customer information. It is already the law, it is common 
sense, and it is good business.
    Thank you.
    [The prepared statement of Mr. Largent follows:]

    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
    
    Ms. DeGette. Thank you, Mr. Largent.
    Mr. McCormick.

 STATEMENT OF WALTER MCCORMICK, PRESIDENT AND CHIEF EXECUTIVE 
           OFFICER, UNITED STATES TELECOM ASSOCIATION

    Mr. McCormick. Madame Chair, Mr. Barton, members of the 
committee, on behalf of the member companies of the United 
States Telecom Association, I want to thank you for this 
opportunity to testify on the important issue of safeguarding 
consumers' phone records from fraudulent use by pretexters.
    This committee has a long history of working to protect 
consumers. Our industry shares your concern for protecting 
customer information. Protecting privacy is a critical 
component of our customer care.
    In today's highly-competitive marketplace, no industry 
should take the privacy of its customers lightly. As our member 
companies begin offering a variety of new, advanced broadband 
services, we see our reputation for delivering quality service 
and protecting the privacy of our customers as a competitive 
advantage.
    There is a strong business incentive to protect customer 
privacy. There is an existing legal obligation as well. Section 
222 of the Communications Act provides that telecommunications 
carriers have a duty to protect the confidentiality of customer 
proprietary network information.
    This legal obligation is taken very seriously by our member 
companies. We educate and train our customer service employees. 
We observe strict security protocols, and we tightly define our 
agreements with marketing firms.
    We believe the best way to address the problem of 
fraudulent access to phone records is through the enforcement 
of existing laws and the strengthening of penalties on bad 
actors. In this regard, we applaud title I of this legislation, 
which would explicitly ban the practice of pretexting and give 
the Federal Trade Commission authority to enforce this 
prohibition. This provision complements and strengthens the 
action taken by Congress last year in establishing criminal 
penalties for pretexting.
    We are concerned, however, that the broad approach taken in 
title II of the bill will have a number of negative 
consequences, consequences that appear to be unintended ones, 
ones that would impact legitimate marketing practices that are, 
in many ways, pro-consumer. Consumers benefit when their 
communications carriers offer them new discount packages and 
innovative services. The information we typically rely upon in 
pursuing marketing opportunities focuses on purchasing patterns 
and the types of services that a customer is receiving, 
information that is of little or no use to pretexters, the kind 
of pretexters that this bill seeks to target.
    For example, if a customer has caller ID in order to avoid 
unwanted calls at dinnertime, CPNI enables our marketers to 
identify a customer that might have an interest in receiving a 
bundle discount that could include call management or call-
blocking features. If a customer has subscribed for both voice 
service and high-speed Internet access, this is a customer that 
might have an interest in learning about savings that could be 
obtained by broadening this bundle to include video.
    The provisions proposed in title II could significantly 
impede this pro-consumer outreach, all without addressing any 
identifiable problem of fraudulent access to phone records. We 
are aware of no evidence to suggest that marketing of services, 
either directly or through joint venture partners, has resulted 
in any abuse of customer proprietary information. Indeed, FCC 
regulations require that confidentiality agreements be in place 
before CPNI is shared with joint venture partners or 
contractors. Businesses succeed by being responsive to their 
customers.
    As currently drafted, however, title II would severely 
impede the ability of our industry to bring to the attention of 
its customers the opportunity to take advantage of improved 
services or increased savings. We have been informed that this 
is not the committee's intent, that instead the committee 
intended to only impose new restrictions on the sharing and 
disclosure of detailed customer telephone records. There is 
currently an FCC proceeding underway that is considering the 
same thing.
    if it is, in fact, the committee's intention to only 
address this limited, call-detailed information, information 
related to matters such as individual locations, duration, 
time, and date of specific customer communications, then we 
would suggest that the bill language be clarified so that our 
industry can continue offering to its customers new services 
and bundled savings, as it does under current rules, while 
affording new protection to detailed customer telephone 
records.
    Our industry also has significant concerns with section 
203, which would prescribe burdensome audit trail requirements. 
The last time the FCC looked at this issue, the cost of 
complying was enormous. It could range anywhere from $12 to $64 
per line, which would clearly be a hardship for many consumers.
    Madame Chair, again, thank you for the opportunity to 
testify today, and we look forward to working constructively 
with you to prevent pretexting and identity theft.
    [The prepared statement of Mr. McCormick follows:]

    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
    
    Ms. DeGette. Thank you, Mr. McCormick.
    Mr. Einhorn.

STATEMENT OF DAVID EINHORN, PRESIDENT, GREENLIGHT CAPITAL, INC.

    Mr. Einhorn. Good morning, Madame Chairman and members of 
the committee, and thank you for holding this hearing. And I 
appreciate your sympathy.
    Although I did not ask to participate in this hearing, I 
appreciate the invitation to describe my experience as a victim 
of pretexting.
    My testimony is about a corporation and management team 
that, in attempting to ensure their survival, placed no limits 
on the exercise of their power.
    Pretexting is a brazen invasion of privacy when a large 
corporation has its agents spy on private citizens in order to 
intimidate then and silence criticism that threatens more than 
just the sanctity of the individual's privacy. It threatens the 
freedom of the securities markets for which we take for 
granted.
    I am the president of Greenlight Capital, a long-term, 
value-oriented investment company. One of our long-term 
investments is Allied Capital. Our research showed Allied 
suffered from significant accounting and operational 
deficiencies, and Greenlight took a short investment position 
based upon that belief.
    Our research indicated that, among other things, Allied 
misled the public about the value of its investments, valuing 
them at original cost, even after the investments go bankrupt. 
We later found that small business lending unit defrauded the 
SBA and the USDA Government lending programs, costing taxpayers 
hundreds of millions of dollars.
    In 2002, I voiced my concerns about Allied at an investment 
research conference, which was part of a charity fundraiser for 
a pediatric cancer hospital. I told the audience why I had sold 
Allied short and pledged to give half of my personal profits on 
this investment to the children's hospital sponsoring the 
event.
    In response to my speech, instead of examining and cleaning 
up these problems, Allied attacked me. The company conducted a 
campaign to discredit me, attacking my reputation and my 
motivations. But ultimately, regulators and prosecutors have 
begun to see through Allied's tactics. The FCC began an 
investigation in 2004, and later that same year, the U.S. 
Attorney from the District of Columbia began a criminal 
investigation.
    Some time that year, Herb Greenberg, a respected financial 
journalist for Dow Jones, who had written critically about 
Allied, told me that his phone records had been stolen. I 
subsequently learned a woman, unknown to me, had called my long 
distance provider, identified herself as my wife, provided her 
Social Security number, and opened an online account to obtain 
our home telephone records.
    Somebody also stole the phone records of other known 
critics of Allied, including hedge fund managers, a journalist, 
a research analyst, an individual investor, and a former media 
relations advisor to Greenlight.
    In March 2005, I wrote a private letter to Allied's Board 
of Directors, asking the Board to fully investigate what had 
happened. A week later, I received a brush-off response. Last 
fall, after the Hewlett-Packard's chairman admitted to 
pretexting and later resigned, I again asked Allied's Board to 
investigate. Allied responded, saying they had found no 
evidence to support my claim.
    Then Allied's management went on the offensive, yet again. 
On the company's November 8, 2006 quarterly earnings conference 
call, chief executive officer William Walton spent several 
minutes attacking my motivations and stating that my concerns 
about my stolen phone records were ``yet just another example 
of Mr. Einhorn's tactics''. And he issued his own denial that 
anyone at Allied had accessed my records, saying, ``There is 
simply no evidence to support a claim that Allied tried to 
access Einhorn's phone records. We never received his 
records.''
    In December 2006, Allied was served with a grand jury 
subpoena, and then their story changed. In a press release 
dated February 6, 2007, Allied admitted that its agent had 
stolen not only my home phone records but also Greenlight's 
records. The press release, itself, was a model of evasion, 
however, and not at all consistent with the disclosure expected 
of a public company. It left unanswered a number of questions: 
who had obtained the records, who else's records did they 
steal, who had authorized the theft, and for what purpose, what 
did they do with this information, and what else did these 
agents do to gather information about their critics?
    After the Hewlett-Packard pretexting scandal, HP 
immediately apologized to the victims and promised to give the 
victims a full account. But I have not heard from Allied. 
Nobody has contacted me to apologize or explain who invaded my 
privacy or for what purpose.
    In conclusion, Allied's behavior strikes at the ethical 
heart of the securities markets, which are based on the free 
and fair flow of ideas, critical and otherwise. It is a cold 
reality that companies left to their own devices will rarely 
divulge the full truth about their problems. It is left to 
others, regulators, analysts, the media, and investors like 
myself to hold companies accountable. The free exchange of 
ideas in our market system depends on the very people who were 
pretexted in this case. There are many valuable voices in the 
marketplace who will choose not to criticize companies for fear 
of being retaliated against. Nobody wants their privacy 
invaded.
    As the committee has noted this very legislation, action, 
such as pretexting, can lead to harassment and intimidation. It 
can also lead to less information in the marketplace. A line 
must be drawn. I support this legislation.
    Thank you, Madame Chairman, and I am available to answer 
any questions you might have.
    [The prepared statement of Mr. Einhorn follows:]

    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
    
    Ms. DeGette. Thank you very much, Mr. Einhorn.
    The Chair recognizes herself for 5 minutes.
    I am wondering, Ms. Parnes, if you can tell us what the 
position of the Department of Justice is on this legislation, 
because I know your agency works closely with the DOJ.
    Ms. Parnes. We do work very closely with the Department of 
Justice, but unfortunately, I don't have their position on this 
legislation, on this bill.
    Ms. DeGette. And are you aware of any objection by any law 
enforcement agency to this legislation?
    Ms. Parnes. I am not, but honestly, we have not, at the 
FTC, done a kind of review of other Federal agencies and 
whether they have any concerns on this. We have worked with the 
committee's staff on technical issues, and as you know, we 
generally support this.
    Ms. DeGette. Yes. And there is an exemption in the bill for 
law enforcement, I believe.
    Ms. Parnes. Yes, there is.
    Ms. DeGette. Ms. Parnes, I am wondering. Can you give me an 
update? And I am going to ask you, Mr. Rotenberg, also this 
question. What is the status of pretexting in America today? 
Have we seen the problem worsening since last year or 
improving?
    Ms. Parnes. It is hard to know exactly what is going on in 
the industry generally. I can tell you what some of our 
experiences have been in investigations.
    The targets that we have sued, we identified them, as I 
indicated, by going online and then by making some undercover 
purchases of phone records. And I should note, we bought the 
records of FTC employees.
    Ms. DeGette. With their consent?
    Ms. Parnes. Yes, absolutely with their consent. But we have 
done that. We have attempted some undercover buys more 
recently, and we have been told, ``Oh, we don't do that 
anymore.'' Or, ``We simply can't get that for you.'' So we have 
some sense that certainly the criminal law that was passed may 
be having a real impact here.
    Ms. DeGette. Right.
    Mr. Rotenberg.
    Mr. Rotenberg. Our understanding, Madame Chairman, is that 
the type of very brazen pretexting where the services were 
provided over the Internet in a 24-hour turnaround, for 
example, was guaranteed, there is much less of that today than 
there was in the past, in part because of the FTC 
investigation. The private investigators continue to use 
pretexting, as do others, as a way to obtain personal 
information about others.
    Ms. DeGette. And have you seen any change in the type of 
information these private investigators are seeking?
    Mr. Rotenberg. That would be a difficult question to 
answer, but I will say, because people sometimes don't 
understand exactly what the significance of the call detail 
information is, those monthly billing statements that consumers 
receive from the wireless phone companies in particular, that 
listing is the type of information that is still very easy to 
get from the telephone companies by going, for example, to an 
online Web site that is set up to provide that type of 
information. So we are still seeing the availability of the 
monthly call detail information being made available.
    Ms. DeGette. Mr. Einhorn, you would have never known 
anything about the pretexting of your family and business 
records unless a market watch journalist told you what Allied 
Capital was doing, is that correct?
    Mr. Einhorn. That is correct. I would not have had any way 
to know.
    Ms. DeGette. And this is, by the way, what we also found 
last year in our investigation that people found out 
inadvertently that they had been pretexted. Do you know how 
many other people had their phone records pretexted by an agent 
of Allied Capital besides you and the journalist?
    Mr. Einhorn. I believe, at least that we have been able to 
identify, at least six individuals.
    Ms. DeGette. And can you identify, for the record, who the 
phone carrier who surrendered your records to the imposter 
pretending to be your wife?
    Mr. Einhorn. It was AT&T.
    Ms. DeGette. Have you talked to AT&T?
    Mr. Einhorn. My wife talked to AT&T.
    Ms. DeGette. And what was their response?
    Mr. Einhorn. They were able to identify when the pretexting 
had occurred, how it was done, that her Social Security number 
had been provided, what date that happened at, where the 
records were sent in terms of an Internet e-mail account where 
they were e-mailed to, and when the account was most recently 
accessed. Beyond that, they had no other information for us.
    Ms. DeGette. Do you agree with the bill's provisions that 
enhance the FTC's enforcement tools against pretexting, 
soliciting pretexting, or selling stolen phone records?
    Mr. Einhorn. Absolutely. I think that there is really no 
place for this, and I would support all of the efforts that are 
being contemplated to cut down and eliminate this practice.
    Ms. DeGette. Thank you very much.
    The Chair now recognizes the distinguished ranking member, 
Mr. Barton, for 5 minutes.
    Mr. Barton. Thank you, Madame Chairman.
    Mr. Rotenberg, is there any reason an individual would tend 
to want his or her phone records shared without them knowing 
about it?
    Mr. Rotenberg. Well, generally speaking, I don't think so, 
sir. A person who wants to disclose personal information to 
someone else would typically do that affirmatively. To get a 
bank loan, for example, you provide a lot of information to the 
bank so that they can make a determination, but that is a 
process you would initiate.
    Mr. Barton. But just as a matter of course, most normal 
human beings would rather they know if somebody wants that 
information so that they can make a decision whether to give it 
to them or not, would you agree?
    Mr. Rotenberg. Yes, I think that is correct.
    Mr. Barton. Now, I think we have general support for this 
bill, but Mr. Largent and Mr. McCormick, their trade groups 
seem to not like section 202, which changes current law from 
saying the phone company can share that information without 
letting the individual know, unless the individual tells them 
ahead of time not to share it. That is the current law. section 
202 changes it that Mr. Largent's company's trade groups and 
Mr. McCormick's would have to go to the individual and say, 
``May we share your information?'' That seems to be the most 
controversial element in this new bill. It would seem, if we 
are trying to protect privacy, that changing this from opt-out 
to opt-in makes a lot of sense. Do you agree with this section 
202?
    Mr. Rotenberg. Yes, I do, Mr. Barton, and if I may also 
say, while we are critical of the FCC's delay on our petition, 
we were nonetheless heartened, you may recall that Chairman 
Martin, when he spoke to this issue at the hearing last year, 
said that he thought the opt-in was important for consumer 
privacy. And I think there would be, certainly among consumers, 
recognition right away that the right way to do this is opt-in, 
based on permission.
    Mr. Barton. Now I want to give Mr. Largent and Mr. 
McCormick, who are both good friends of mine, an opportunity to 
expand if I understood incorrectly in their prepared testimony 
why they have a problem with section 202.
    Mr. McCormick. Thank you, Mr. Barton. I think that our 
concerns are fairly narrow and focused.
    Let me give you an example.
    We, today, look at purchasing patterns. For example, if a 
customer is taking telephone service and Internet access, as we 
move into new broadband applications, like video, we would like 
to be able to go to that customer and offer to that customer a 
promotional offering where we would add in video as part of a 
bundled package. In that regard, we would be competing against 
the cable industry, who is going to its video customers and 
saying, ``We will add on voice service. Since you are already a 
cable customer, we will offer you a promotional offering to add 
on voice service.'' In that regard, no call-detail information 
is shared with anyone. There is nothing other than the 
knowledge of what kind of package that customer currently has 
and whether or not that customer would benefit from a broader 
package. And we believe that it would lead to a competitive 
imbalance if we were unable to approach our customers in that 
way.
    Mr. Barton. I don't understand. I have got a little bit of 
a cold, so maybe I am just not clued in, but there is nothing 
in the bill, if it becomes law, that prevents anybody from 
soliciting for new services to people that they have the 
addresses of, whether it is a hard-line address, a regular mail 
address, or a phone number, or an e-mail. All this says is if 
you want to share that individual's information, you have got 
to get their permission before you share it. I don't see how 
this bill would prevent what you just said you wanted to do.
    Mr. McCormick. Mr. Barton, if that is the intent, I think 
that it would be easy to come up with clarifying language that 
would clarify that we are permitted to engage in that kind of 
broader market.
    Mr. Barton. OK. Steve?
    Mr. Largent. Yes, Mr. Barton. I just would say that there 
is some ambiguity about what the language actually does and 
what it does not do. And the fact is that many of our companies 
utilize third parties to offer services just because it is less 
expensive. We can offer that type of discount to our customers. 
So if the legislation would get in the way of our use of third 
parties to offer services from our company, not anybody else's 
company but from our company's perspective, then that would be 
a problem, but if you are saying it is not going to get in the 
way of that, then perhaps we could work with you on the bill's 
language.
    Mr. Barton. My staff says there is some ambiguity, so maybe 
we can work on this.
    My time is expired. Thank you.
    Ms. DeGette. The Chair now recognizes the distinguished 
chairman of the Telecommunications Subcommittee, Mr. Markey, 
for 5 minutes.
    Mr. Markey. OK. first let me say that the five FCC 
Commissioners will be appearing before the Telecommunications 
and Internet Subcommittee on Wednesday of next week, so we 
certainly hope that the CPNI order will be completed by then 
and that it will have been done well by them, because that will 
be a central part of that hearing on Wednesday.
    Mr. Einhorn, is it important that victims be notified 
immediately that their carrier has learned that the privacy of 
the phone calls of an individual have been compromised?
    Mr. Einhorn. I would support the notion of the immediate 
notification of anybody whose information was compromised in 
that fashion, yes.
    Mr. Markey.Mr. Navin, do you think that is a good idea that 
immediate notice be given to people like Mr. Einhorn that their 
information has been compromised and that that becomes the rule 
for the telephone carriers?
    Mr. Navin. I do agree that it is important that consumers 
get prompt notification.
    Mr. Markey. I am saying immediate.
    Mr. Navin. As I understand it, States that have addressed 
this issue typically have an exception for notification of law 
enforcement, and it calls for prompt notification, but there is 
some provision, specifically for law enforcement.
    Mr. Markey. But what should be the deadline for calling law 
enforcement?
    Mr. Navin. What should be the precise deadline?
    Mr. Markey. See, what I want you to say is we call law 
enforcement and the customer immediately and let them know that 
they have been compromised and that law enforcement might be 
calling. But why should there be a delay?
    Mr. Navin. In the record in front of the Commission right 
now, the Deputy Attorney General sent a letter to the 
Commissioners, indicating the Department of Justice's 
preference for law enforcement to be notified first, before 
the----
    Mr. Markey. I have no problem with that, but what I am 
saying is Mr. Einhorn should get the next call, don't you 
think?
    Mr. Navin. After law enforcement, yes, I think consumers 
should be notified.
    Mr. Markey. Yes. How long do you think a gap should be? 
Seven days, 1 day, or 1 hour?
    Mr. Navin. I believe the Department of Justice has 
advocated for allowing them 7 days.
    Mr. Markey. I don't think the Department of Justice should 
be listened to on that issue, and I think Mr. Einhorn should be 
listened to and the millions of Americans whose information is 
compromised. I think that the FCC should listen to the 
consumer, listen to this committee. The CPNI laws are ours. We 
created them. We want the customer protected. Justice should 
not be given 7 days to wait to notify people who have an 
ongoing crime being committed against them. They should be 
notified immediately, as anyone whose house was burgled that it 
occurred. And if you don't want to do that, then I think we are 
going to have a real problem next Wednesday.
    Mr. Largent, Mr. McCormick, a general question. Do you 
agree that customers have an ownership interest in their own 
personal information? Mr. McCormick?
    Mr. McCormick. I would say they have a strong privacy 
interest.
    Mr. Markey. Do they have an ownership interest?
    Mr. McCormick. Yes.
    Mr. McCormick. I would agree that customers have a strong 
privacy----
    Mr. Markey. No, do they have an ownership interest in their 
own personal information? It is called the customer proprietary 
network information law. Do they own that information?
    Mr. McCormick. We have always regarded that information as 
the customers' information, that is correct.
    Mr. Markey. OK. Mr. Largent, do you agree that it is the 
ownership interest of the consumer, his or her own information?
    Mr. Largent. I think Mr. Markey asked me that question last 
year at this hearing, and I said the same thing: yes, it is.
    Mr. Markey. OK. Thank you. I appreciate it.
    Mr. McCormick, what percentage of your member companies 
outsource customer support or billing or marketing functions to 
foreign countries?
    Mr. McCormick. I do not know, Mr. Markey, but I would be 
happy to provide that information for the record.
    Mr. Markey. I would appreciate that.
    Mr. Largent, do you know what percentage of your companies 
outsource this information to other countries?
    Mr. Largent. No, I am not aware of what the exactly number 
would be, but we would be glad to get back to you on that.
    Mr. Markey. Obviously, that is a good question. We will 
shut down a lot of regional FCC offices, but we don't have any 
FCC offices in India or Pakistan, so what happens with the 
information of the people in this room and watching this 
hearing is a good question when it is put overseas, so we would 
like to know what happens to that.
    Mr. Navin, does the FCC intend to impose a minimum system 
security requirement on the transfer of customer information?
    Mr. Navin. The proposed rule that the chairman has put 
before the Commission are prescriptive relating to access to 
the CPNI records, which deals directly with the pretexting 
issue. For example, they require a mandatory password to get 
access to call detail records. Relating to the security or 
safeguards, the proposed rules ban the sharing of the CPNI with 
a joint venture partner or independent contractor without the 
express consent of the consumer.
    On the issue of transferring the security among affiliated 
companies, the record is sparse on that issue. And right now, I 
am not sure if the Commission will determine to address that 
issue in this order or not.
    Mr. Markey. OK. I would like to get back to you, and thank 
you, Madame Chairman.
    Ms. DeGette. Thank you, Mr. Markey.
    The Chair now recognizes the distinguished gentle lady from 
Wyoming, Mrs. Cubin, for 5 minutes.
    Mrs. Cubin. Thank you, Madame Chairman.
    I would like to ask Mr. Navin and Ms. Parnes, under the 
scope of your Commissions' investigations into this issue, I 
wonder if you could tell the committee if any specifically-
rural companies have been investigated, or does this seem to be 
a problem that is most prevalent in large companies with large 
lists of personal data?
    Ms. Parnes. I am told that one of the cases that we brought 
actually is located in Wyoming.
    Ms. Cubin. Could you comment, just for a moment, on the 
state of rural carriers' privacy protection measures, if you 
are able to right now? I know you have a full plate.
    Ms. Parnes. I would actually have to defer to my colleague 
at the FCC about security practices by carriers.
    Ms. Cubin. Mr. Navin, can you offer the committee an 
update, if it is available, on how much you believe sections 
202 and 203 of the bill will cost small and rural carriers?
    Mr. Navin. Unfortunately, we do not have an estimate on 
what it will cost carriers.
    In answer to your first question, I know that the agency 
has issued 20 letters of inquiry to various carriers. I imagine 
some of those carriers are smaller carriers, given the number 
of large carriers, both on the wireless and wireline side. I 
don't know specifically what size of rural carrier the 
Commission has made those inquiries of. I know that the 
Commission is always sensitive as it relates to implementation 
of its rules in rural areas and tends to give special 
consideration. In the rulemaking that is pending before the 
Commission, the rural carriers have pointed out that they have 
more limited resources, and my sense is that the Commissioners 
will be sensitive to that.
    Ms. Cubin. That is my main concern, that possibly they be 
included before any final rules are initiated, because it is a 
whole different country out there.
    So I have no more questions, Madame Chairman.
    Ms. DeGette. The gentle lady yields back.
    The Chair now recognizes the distinguished gentleman from 
Illinois, Mr. Rush, for 5 minutes.
    Mr. Rush. Thank you, Madame Chairman.
    Ms. Parnes, I have three questions, and I am going to ask 
all three so that you can answer these questions, as you will.
    First of all, it is good to see you again.
    And the first question is, do I understand correctly that 
the FTC supports the thrust of this legislation, that you 
support this legislation?
    The second question, in September, the FTC testified before 
the O&I Subcommittee that you needed more specific prohibitions 
against pretexting for consumer phone records and soliciting or 
selling consumer phone records obtained through actual or 
reasonably-known pretexting activities. Does this legislation 
adequately address that request? And if it doesn't, then what 
specific changes do you recommend.
    And lastly, my question is you also recommended in that 
testimony that Congress give the FTC authority to seek civil 
penalties against violators, a remedy that the FTC does not 
currently have in cases involving matters such as pretexting. 
And for the record, I just want to know why the civil fine 
authority over at FTC does not apply in this situation and then 
whether or not our proposed legislation adequately addresses 
this need that you have voiced.
    Those are the three questions. Would you respond to them, 
please?
    Ms. Parnes. Absolutely. And thank you.
    The FTC does support this legislation. And in terms of the 
specific prohibitions and the earlier testimony of the 
Commission, the legislation does address those issues.
    What the Commission's concern has been is that, as I 
indicated, we have used our section 5 authority to go after 
both actual pretexters and those who solicit pretexting, the 
middlemen, so to speak. But we will want to make sure that any 
legislation that was adopted addressed both parts of this 
transaction, both the pretexters who call up the phone 
companies, engaging misrepresentations and get phone records 
and the middlemen, the data brokers who make claims and promise 
that they can get this information. The data brokers and the 
pretexters may sometimes be the same entity, but sometimes they 
may be separate entities, and we were just concerned, but this 
bill does address both sides of that. And we think that is a 
very good thing.
    In connection with the Commission's civil penalty 
authority, the Commission has civil penalty authority in two 
circumstances. One is if conduct violates an order that the 
Commission has already obtained against a company. And the 
second is if conduct violates a role that the Commission has 
issued. We are able to get civil penalties only when we have 
engaged in rulemaking authority. And while we do have general 
rulemaking authority under the Federal Trade Commission Act, as 
you know, the FTC Act is very broad. It gives us authority over 
unfair or deceptive acts or practices in or affecting commerce. 
And in exchange for the ability to get civil penalties once we 
had adopted a rule, Congress set very specific procedures that 
the Commission has to go through in rulemaking. And they are 
very comprehensive. It takes a fairly long time for us to 
engage in. And so actually, what has happened since the 1990's 
is that Congress, when they have wanted the FTC to obtain civil 
penalties and to engage in rulemaking, they have used a model 
very similar to the model used here. They have either said that 
the law shall be enforced by the FTC as if it is a rule or they 
have given the Commission very specific authority to engage in 
rulemaking a particular area. Congress did that with the 
Telemarketing Act, with the Can Spam Act, and it has actually 
been a very successful approach.
    Ms. DeGette. The gentleman's time has expired.
    Mr. Rush. Thank you, Madame Chairman.
    Ms. DeGette. Thank you.
    The Chair now recognizes the gentleman from Mississippi, 
Mr. Pickering, for 6 minutes.
    Mr. Pickering. Thank you, Madame Chairman.
    Earlier, Mr. Largent and Mr. McCormick, you all mentioned 
the issue of whether you would be able to joint market a bundle 
of services. Is there language that you would have that could 
clarify that issue so that those types of services, which I 
think the Committee would want to see continued with the other 
protections as it relates to information, regardless of 
legitimate use of information, and is that something that you 
could supply the committee with?
    Mr. Largent. Yes, it is. We can get you that kind of 
information, and that is our concern with the legislation.
    Mr. Pickering. You often raise in your testimony, Mr. 
Largent, that as we go across the country, there is a patchwork 
of different initiatives on different things. Recently, the 
Commission has indicated a possible proposal that would move 
all wireless services into title I, which would give a Federal 
framework. And if that happens, would you support consumer 
protections like this as part of a Federal framework?
    Mr. Largent. Well, what we are talking about specifically 
that Chairman Martin has mentioned this year is just moving the 
broadband portion of the wireless industry into title I from 
title II that would put us on the same ground with DSL and 
cable offerings and broadband over power line. They are already 
in title I. Our services that are being rolled out over 
wireless are not in title I, so we are kind of competing on 
unleveled ground, and we are just trying to get to that level 
ground.
    Does that answer your question?
    Mr. Pickering. And broadband services under title I, if 
that were to occur, you would support a national consumer 
protection standard on these types of issues?
    Mr. Largent. Absolutely. Yes.
    Mr. Pickering. I thank you, Mr. Largent.
    Mr. Largent. Mr. Navin, let me follow-up on a question that 
Mr. Markey asked.
    If there are third parties that are being used to joint 
market and they are based overseas, whether it is Pakistan or 
India, are the U.S. laws still applicable and enforceable in 
those situations?
    Mr. Navin. That is an issue that the Commission is 
considering as part of a reconsideration of the order that it 
had put out in 2002. I believe that the Department of Justice 
in its reply comments raised that exact issue. The Commission 
hasn't yet resolved it. I think it gets into issues of treaty 
law and international law and not to be the primary subject 
certainly of my bureau, but I know that the Commission is 
studying that issue. And I can also tell you that it is not an 
issue that we address in the order that Chairman Martin has 
proposed for the Commission.
    Mr. Pickering. Ms. Parnes, do you have any comment on that 
issue of whether you would be able to enforce the law that we 
pass here if a third party is based in a country like India or 
Pakistan?
    Ms. Parnes. The Commission does not have any jurisdiction 
over common carriers, but if we are talking about other 
entities, I think that if a business was located in the United 
States and they moved data outside of the country, we would 
take the position that the entity in the United States is 
responsible for their own data. In terms of looking at data 
brokers, as I mentioned, smaller businesses that may be located 
here or entities that may be outside of the United States, we 
would use the new authority that Congress gave us in the 109th 
session, the U.S. Safe Web Act, to go after those individuals.
    Mr. Pickering. All right. Thank you very much.
    Madame Chairman, I yield back the rest of my time.
    Ms. DeGette. The gentleman yields back.
    The Chair now recognizes the distinguished gentleman from 
Texas, Mr. Green, for 5 minutes.
    Mr. Green. Thank you, Madame Chairman.
    Mr. Largent and Mr. McCormick, are any of your companies 
now selling the information to third parties that you have on 
your customers?
    Mr. Largent. No.
    Mr. Green. OK.
    Mr. McCormick. No.
    Mr. Green. OK. That is one of the concerns. I think years 
ago when we had jurisdiction, and I mentioned it to you before 
the committee hearing over what became Oxley-Bliley. In fact, 
Steve, you might have been on the committee when we had that 
battle over the privacy issue. And I was told, at that time, by 
some of our financial institutions that it was such a profit 
center for them to market that information that they would have 
killed the bill, which is something they had been working on 
for 10 years before that. And so that takes care of part of the 
concern. And I guess I have the same concern that both the 
chairman on our Telecom Committee and Mr. Pickering mentioned 
is enforcement of these privacy restrictions outside the United 
States. And I am glad the FTC said that you would hold 
responsible the person or the entity here, although you don't 
have jurisdiction over common carriers. But again, I guess we 
can provide that jurisdiction that would go with that 
contracting to somewhere else, because I know now it is a laugh 
line on late night television that whether it is your computer 
you bought or your Internet service provider, you very well may 
be talking to someone in Pakistan or India or no telling where, 
and they probably have as much private information on your use 
as the telephone companies or wireless companies would have.
    I know numerous industries share information for marketing 
purposes, and that is part of our concern is Mr. Markey said 
that the consumers think it is their information, and they 
ought to be able to give permission to share it. This 
legislation, I know, puts restrictions on telephone companies 
as compared to cable because of where we are at today in our 
technology. And I know you have been asked for information on 
how we can address that issue, because obviously our committee 
wants that competition between cable and hard-line, both for 
video and over the air and computer, high-speed, and also 
telephone service. Is there a standard that could be set across 
the multiple industries? What information could be shared? Is 
there a standard anyone? And again, not just for the two 
representatives in wireless and the hard-line, but anybody on 
the panel, is there a standard that could be dealt with where 
I, as the consumer, could say, ``Yes, I am your customer. You 
can contact me, but I don't want you to share it with anyone 
else.''
    Mr. McCormick. Well, Congressman, I think that that kind of 
a standard would be a very, very broad standard. I mean, in 
effect, it would be a do-not-call standard, because virtually 
every business in the United States contacts its customers to 
talk to its customers about ability to take advantage of new 
offerings or discounts that it might have available. And so the 
real focus of the bill that we heard in the opening statements 
is really to protect that information that is call-detailed 
information.
    Mr. Green. OK. I am not talking about AT&T contacting me, 
but for AT&T providing my information to someone else or having 
access to it. so I don't have any trouble with, if I have a 
contract with a cell phone company, we get contacts all of the 
time for other every 6 months to come in and renew your 
contract. I don't mind that, because I am a customer, but for 
my information to be shared, and I think that is the concern of 
the committee and ultimately why we have this legislation.
    Mr. Largent. I would just say, Mr. Green, that I think 
where you are going is right, that we don't have any problem 
saying, you know, that you can't sell customer information to 
the automobile industry or an automobile dealer, because that 
is not the way we are using the information anyway. We are 
using it to market more services from our carriers, and that is 
it. And that is what we worry that the legislation may go a 
step too far in impeding our ability to market our services to 
our customers. And that is what we want to try to protect is 
the ability to market our services to our customers only. We 
are not talking about we want the ability to market balloons or 
baseballs or cars.
    Mr. Green. OK.
    Mr. Einhorn, I know your situation is not that, but as the 
consumer sitting at the table along with, what is your feeling? 
And well, I have run out of time, but Madame Chairman, if he 
could just be allowed to answer.
    Ms. DeGette. Yes, without objection, the gentleman will be 
allowed to answer.
    Mr. Einhorn. I am not actually clear what the question I am 
being asked is.
    Mr. Green. The question was your situation was different. I 
know you are here on, really, part one of the bill, and I don't 
think there is any question at all about support for that, but 
to also try to expand it to where consumers shouldn't have 
their information shared with someone else, do you think there 
is a standard that you, as a consumer, would feel comfortable 
with that they could share your information across industries, 
which----
    Mr. Einhorn. I think my general view is that, who I am 
calling for how long at what time and what those people's phone 
numbers are, is information that really doesn't belong to 
anybody and really shouldn't be used for any purpose, in my 
mind, other than sending me a bill to tell me how much to pay 
the phone company.
    Mr. Green. Well, I think we agree on that that who I call 
and whatever ought to be my own information, and I need to 
share that.
    Ms. DeGette. Thank you, Mr. Einhorn.
    The Chair now recognizes the distinguished gentleman from 
California, Mr. Radanovich, for 5 minutes.
    Mr. Radanovich. Thank you, Madame Chairman.
    I do have one question regarding the opt-in/opt-out impact 
of this kind of legislation, and if something like that were 
required in this bill, would it set this industry apart from 
other industries. In, for example, health medical records, it 
is an opt-out thing. Does anybody have any comment on that?
    Mr. Largent. Well, Congressman Radanovich, I would just say 
that previous attempts to require opt-in consent have been held 
to be unconstitutional. And but to be fair, those instances did 
not involve cases where Congress had spoken on this issue, so 
we are talking about two different cases where Congress's, 
obviously, intent to speak on this issue, it may not be 
unconstitutional or found unconstitutional, but it could be, 
and I think that is an open question.
    Mr. Radanovich. Well, and if it did become part of the 
language of the bill and come into law, it would be different 
than other industries, it does sound like, though, right?
    Mr. Largent. Yes.
    Mr. Rotenberg. Congressman, could I respond?
    Mr. Radanovich. Sure.
    Mr. Rotenberg. Two points. Just to clarify what Mr. Largent 
said, the U.S. West case from 1999 concerning an earlier opt-in 
rule was narrowly struck down, as Mr. Largent described, 
because it was based on the regulation and not statute, and so 
of course, if you have a statute, I think that problem goes 
away. And in subsequent cases, I should point out, other 
Federal appellate courts have upheld similar rules.
    Now as to your original question, is there a reason for 
having opt-in here where there might not be opt-in in other 
privacy statutes, I think the answer to that question is the 
sensitivity of this information, that this is the real-time 
data associated with who you are calling, when, and for how 
long, and that is information that is specifically protected in 
section 222 of the Communications Act. That actually has a 
long, long history of privacy protection, and I think that is 
the reason you would want opt-in.
    Mr. Radanovich. All right. Thank you.
    If no other response, then I yield back.
    Ms. DeGette. The gentleman yields back.
    The Chair recognizes the distinguished gentleman from 
Texas, Mr. Gonzalez, for 8 minutes.
    Mr. Gonzalez. Thank you very much, Madame Chairman.
    And quickly, just a kind of general observation so you know 
basically where I am coming from, and then I will get into 
specific questions.
    But the way I view what we do here, and I know that we are 
visiting the same territory, is what Mr. Markey established 
from the beginning. No witness here and no witness in previous 
hearings, and those were representatives and CEOs from the 
telecommunications industries themselves, that acknowledged 
that the property belongs to the customers. So let us start off 
with that basic premise. The information belongs to the citizen 
and to the customer.
    As to disparate treatment of that information and the 
requirements, the Government may impose as to safeguards and 
security measures, that, I believe, is basically, established 
by what I think is the hierarchy of information depending on 
the type of information.
    First and foremost, I think, it is always going to be 
medical records. And how we arrive at that is just, basically, 
human nature.
    Second, I think you are going to run into telephone 
records.
    And then third, financial records.
    And the fact that we may treat the type of information, how 
we safeguard it and disseminate it differently is because there 
is that hierarchy. And I think we have to acknowledge that.
    Now does it place any particular business that operates in 
those different areas at a disadvantage from those other 
businesses? The answer is going to be yes, because there are 
higher standards for healthcare providers and so on.
    What I am getting at, and I am going to address Mr. Largent 
and Mr. McCormick's concern that it would place certain members 
of a specific industry at a disadvantage. That I think we can 
address within this hierarchy: telephone records, 
telecommunications, everything that is going out there in the 
telecom industry. And surely, we don't want to do something 
that does place you at a disadvantage regarding the marketing 
of your services and such and to expand and to be successful. 
So I am familiar with that.
    Now the reason that the legislation we address to all of 
you is because you are the gatekeepers, and that is the most 
obvious starting point, and we are going to deal with the 
criminals and the scammers and everybody else. And we can do 
that criminally. But I think it still goes back to what Mr. 
Rotenberg pointed out is that if we really start with the 
safeguarding measures, we probably could avoid quite a bit, 
which leads me to the first question of the entire panel, not 
Mr. Einhorn, I am sorry, because you are actually the citizen 
victim, but I will reserve a question for you, and this 
involves you.
    A yes or no answer, because I think you can answer this yes 
or no. To the extent that you understand this piece of 
legislation that we are attempting to pass, had it been in 
place at the time of the Einhorn family, what borders on a 
tragedy, actually, but their experience, would it have 
prevented that experience by the Einhorn family? Ms. Parnes, 
had it been in place, would it have made any difference?
    Ms. Parnes. Well, to the extent that you are asking about 
the operation of title II, it is not an area for us.
    Mr. Gonzalez. If you can't answer, that is fine.
    Mr. Navin?
    Mr. Navin. Yes, I am afraid I have to tread carefully here, 
too. There is typically a protocol and procedure for the 
Commission to give technical assistance to the committee, 
which, of course, we are always happy to do. I don't believe we 
were asked for it on this particular bill, but I would prefer 
to use that process.
    Mr. Gonzalez. OK. The Federal Government at work.
    Mr. Rotenberg?
    Mr. Rotenberg. Well, Mr. Gonzalez, since we initiated the 
petition of security standards, while I can't say with 
certainty it would have prevented what happened to Mr. Einhorn, 
I think it is clear that if stronger security standards were in 
place, it would have been much more difficult for someone to 
improperly get access to Mr. Einhorn's family's calling 
records.
    Mr. Gonzalez. And this bill would have accomplished that?
    Mr. Rotenberg. Yes, I believe it would have.
    Mr. Gonzalez. Mr. Largent?
    Mr. Largent. I would say that the security measures that 
the companies have enacted since this came to light, and it was 
about the same time that he had his problems, are going a long 
way to prevent it from happening again. I would tell you that 
the threat of prosecution of pretexters has essentially 
evaporated the Internet solicitation for people to get numbers 
through pretexting. So we have already come a long way, but 
whether it would have actually addressed his concern, I think 
that is an open question, and I am not sure.
    Mr. Gonzalez. Mr. McCormick?
    Mr. McCormick. Yes, Congressman. I would agree with Mr. 
Largent. I received a briefing the other day on the security 
protocols that had been implemented by the companies during the 
course of the last year, and the protocols would directly 
address the way in which an inbound call under pretexter-
obtained information. Our concern, under this legislation, 
though, is that it also addresses outbound calls. There has 
never been a situation where one of our companies has called a 
pretexter to give them information. This marketing on the 
outbound, those provisions of the bill, would do nothing to 
address the situation that Mr. Einhorn had.
    Mr. Gonzalez. All right.
    Ms. DeGette. The gentleman's time has expired.
    Mr. Gonzalez. I think my time is up, and I just thank you, 
Mr. Einhorn, for your participation.
    Ms. DeGette. The Chair now recognizes the distinguished 
gentleman from Florida, Mr. Stearns, for 5 minutes.
    Mr. Stearns. I thank my colleague.
    I think we have touched on this issue before, but there is 
some confusion. At least some of the staffs indicate there is 
confusion, so I would like to ask this question. Mr. Navin, you 
first. And then I will ask all of you, if you would, to comment 
on it. And I guess it is dealing with the bill's affect on the 
ability to use phone records to market other products. In your 
mind, does this bill prohibit the usage of just detailed 
information or all information from phone records?
    Mr. Navin. Yes, I am the one that deferred on the last 
question involving an interpretation of your legislation.
    Mr. Stearns. Right. Yes.
    Mr. Navin. What I can tell you is that the proposed rules 
that the Commission is considering would get at the situation 
that concerns disclosure of Mr. Einhorn's records in two ways. 
Number 1, by virtue of the use of mandatory passwords, the 
person who set up the account would not have been able to do. 
And No. 2, because the proposed rules in front of the 
Commission provide for notification to the customer any time 
their information is changed or their call detail records are 
mailed. As it relates to the legislation, I would prefer to 
allow the other panelists to address that issue.
    Mr. Stearns. OK. Mr. Largent, go ahead.
    Mr. Largent. Would you restate your question?
    Mr. Stearns. Yes. In your opinion, does the bill prohibit 
the use of detailed information or other information from phone 
records from the ability to market other products?
    Mr. Largent. I think that is the open question that we are 
really concerned about this legislation, that it could possibly 
be read that way.
    Mr. Stearns. And that is what my staff is trying to 
understand. Do we need to change this bill so that you have 
this flexibility? And it is not clear. I guess, the confusion 
is whether we can do this, and do you feel it is strong enough 
that, in your mind, there is this confusion and you can't 
market information without breaking the law? And so we don't 
want to do that. We don't want to hurt the ability to market, 
so I think that is what we are trying to understand.
    Mr. Largent. I think clarity is the key word that we would 
like to see in this bill.
    Mr. Stearns. And so you would like to see a change?
    Mr. Largent. Yes.
    Mr. Stearns. OK.
    Mr. McCormick?
    Mr. McCormick. Absolutely, Congressman. We see this 
ambiguity as creating a situation where we are potentially 
engaged in an illegal activity if we use our knowledge about 
the fact that an individual is a telephone customer and use 
that knowledge in order to go to that customer and offer them a 
bundled package of Internet access or video or even to add on a 
wireless service. We don't think that that was the intent of 
the committee. We understand that the intent of the committee 
was to protect the kind of information that was taken from Mr. 
Einhorn, but we believe that the bill goes much farther than 
that and does prevent these kinds of marketing activities.
    Mr. Stearns. Well, and we are in the early stages here, and 
so we are all listening, so this is the time to say, 
specifically, yes or no. Now the two of you are saying that 
this bill does make it a little bit dubious whether you can 
continue your marketing practices.
    Anyone else?
    Mr. Rotenberg. Mr. Stearns, if I could speak to that issue.
    Mr. Stearns. Yes.
    Mr. Rotenberg. I think there really are two distinct 
questions here that need to be clarified. The first is whether 
or not a telephone company can communicate with their customers 
about their service offerings. There is nothing in this bill 
that prevents that, and every phone company is free to make 
available information about related services. The second 
question is whether the companies can take advantage of the 
call detail information, who people are calling, what they are 
doing, how they are communicating, and use that private 
information to determine what type of marketing to direct to 
the customer. Now in my view, and I think the view of most 
American consumers, they would have no problem learning about 
new service opportunities from their current provider or from a 
competitor. That is obviously a good thing for the consumer and 
for the marketplace. I think the specific concern here, which 
the bill appropriately addresses, is that the companies take 
advantage of access to this detailed information and use that 
as part of the marketing determination, and that is where I 
think we need a stronger safeguard.
    Mr. Stearns. So would you, in your mind, then, based upon 
what you said, change the bill?
    Mr. Rotenberg. No, I would leave the bill as it is. I would 
leave it with the opt-in requirement, because if there is going 
to be use of CPNI information for that purpose, then I think 
the customer has the right to say, ``Well, that is----
    Mr. Stearns. So the opt-in requirement would nullify the 
need to change the bill, because the customer is still in 
control?
    Mr. Rotenberg. Yes, that is correct.
    Mr. Stearns. Now I guess, Mr. Largent and Mr. McCormick, 
what do you say to that?
    Mr. Largent. Well, I just think that it violates the basic 
marketing principle that exists in our world today. If we have 
got a company that, say, has 60 million customers and we want 
to target the 12 million that we think would be most inclined 
to want Internet service or download music or do whatever, and 
I mean, our companies do so many things today from music, 
video, television, as well as your basic phone service, but if 
we have got a group of 12 million customers out of 60 million 
that we think are kind of the heart of the market for accessing 
whatever service it might be, why would we have to market to 60 
million customers when we know that 12 million are our real--
that is the heart of our marketing strategy. Why should we have 
to market to 60 million when we know that these 12 million are 
the ones that are going to be most interested in the service?
    Ms. DeGette. The gentleman's time has expired.
    Mr. Stearns. Yes, I just ask 30 seconds to let Mr. 
McCormick finish.
    Ms. DeGette. Without objection.
    Mr. McCormick. Yes, thank you very much.
    Congressman, several years ago, Congress provided for a do-
not-call list. If you do not want to be solicited, it was an 
opt-out. The way we read this legislation is that for our 
industry alone, it would be a do not call unless the customer 
opts in. And so all we want to do is to make sure that our 
industry is not treated in an entirely unique and 
discriminatory way.
    Mr. Stearns. I thank you and the gentle lady.
    Ms. DeGette. The Chair now recognizes the distinguished 
gentleman from Michigan, Mr. Stupak, for 5 minutes.
    Mr. Stupak. Thank you, Madame Chairman. I apologize for not 
being here. I have been on the floor with an amendment and 
argument down there.
    So Mr. McCormick, the FCC rules require telecommunication 
carriers to have an officer of the company certify annually 
personal knowledge that the company has established operating 
procedures that are adequate to ensure compliance with privacy 
regulations. And each of the companies certified that they have 
had adequate procedures, yet this appears to be a pervasive 
problem. Doesn't that indicate that something is slipping 
through the cracks of the current system? It would seem we 
cannot rely on either the certification requirement or the 
current FCC rules to adequately protect consumers.
    Do you care to comment on that?
    Mr. McCormick. Yes, Congressman.
    What we have in the pretexting community is that we have 
very sophisticated lawbreakers. Security protocols in the past, 
many of the companies were using Social Security numbers as 
identifiers. Since individuals like Mr. Einhorn had their 
records taken through pretexting, through the use of Social 
Security numbers, our companies have established protocols that 
no longer use that. In fact, the authentication procedures used 
by our companies are constantly being changed and upgraded in 
ways to protect against the increasing sophistication of 
pretexters. So it is a continuing battle. It is an ongoing 
battle, but we believe that it is important to our relationship 
with our customer to be able to protect our customers' privacy, 
and we take that very seriously.
    Mr. Stupak. But in response to Mr. Stearns, when I came in 
here, you were talking about opting in and opting out. And in 
our proposal, you have to opt in, which gives the consumer 
greater protection--or opt out, whatever it is there. But the 
consumer is going to hold the key here. Wouldn't that help to 
defeat this, what you call, sophisticated pretexters?
    Mr. McCormick. No, it would have nothing to do with that, 
because pretexting are calls that come in and the opt-in 
requirement today says that we cannot share the information 
with anybody beyond selling communication services unless the 
customer opts in. This opt-in requirement doesn't have to do 
with calls that are coming in, pretexting calls that are coming 
in asking us for information. This opt-in requirement has to do 
with forcing a customer to first say to us, ``You may contact 
me about offering new services, and if I don't give you express 
authorization beforehand, do not call. Hands off.''
    Mr. Stupak. That isn't related to a third party and not to 
your company? The opt in? Isn't that related to the third party 
that wants to use it?
    Mr. McCormick. The way we read this bill, no, the law 
already requires opt in with regard to sharing information with 
third parties. With regard to this bill, the way we read it is 
that our own companies would not be allowed to market services 
beyond the bucket that they have, the telecom service, without 
opt in.
    Mr. Stupak. In the investigation here, the way I remember, 
the summary of it, if I will, was the record reflected that it 
was in which where administration sloppiness by the carriers. 
And in our investigation, we saw this as sort of like the key 
part of the program. So I mean, if the carriers are going to be 
sloppy, no matter how sophisticated you are going to be, but if 
you are going to be sloppy in the way you administer it, you 
are still going to have this pretexting problem, correct?
    Mr. McCormick. Again, I think that we are in full agreement 
with the committee with regard to the need for inbound calls 
requesting customer proprietary network information, 
particularly call data information, be authenticated so that 
you do not have people who should not be getting that 
information are getting that information. What we don't want to 
do, though, is to go on the other side where we are making 
calls out to our customer to offer them services that may be 
offering them greater discounts or savings, for those to get 
swept up. There has never been an instance where there has been 
a problem with pretexting or identify theft on the part of 
marketing calls from our companies out.
    Mr. Stupak. Well, having sat through that pretexting 
investigation, I would say you are right. There is none that we 
know of, because we still get back to this administration 
sloppiness.
    Mr. Navin, if I may, the FCC order, which prohibits the 
carriers, I am sorry, prohibits providers from releasing call 
detail information. And that order has been circulated to other 
commissioners, when do you anticipate the order being issued, 
when it will be completed, and what is sort of the hold-up 
here?
    Mr. Navin. I can tell you that, first of all, it is not a 
complete ban on the release of the call details. It just put in 
place some security measures, like the use of mandatory 
passwords.
    Mr. Stupak. OK.
    Mr. Navin. I don't want to totally frustrate consumers in 
their endeavor to get access to the information. The chairman 
circulated the order at the end of last year. I know that he 
has been working actively with his Commissioner colleagues to 
try to build consensus on the item. He tends to take a 
consensus approach, because he believes that these two stronger 
opinions by the FCC. That said, I am sure that there are many 
at the Commission who are anxious and interested in the 
Commissioners all being----
    Mr. Stupak. Can you give me a timeframe or a guess of when 
this order may be--a consensus on it? It has been a while.
    Mr. Navin. I know that one of the tools that the chairman 
has to bring an item to a vote is by an agenda meeting.
    Mr. Stupak. Right.
    Mr. Navin. So I know that is available to the chairman. I 
don't know if he has made that decision with regard to this 
item.
    Ms. DeGette. The gentleman's time is expired.
    Mr. Stupak. Thank you, Madame Chairman.
    Ms. DeGette. The Chair now recognizes the distinguished 
gentleman from Pennsylvania, Mr. Pitts, for 5 minutes.
    Mr. Pitts. Thank you, Madame Chairman.
    First, a question for Ms. Parnes.
    Section 202(a)(1)(E) on page 10 of the bill is similar to 
the legislation that the gentleman, Mr. Markey, and I 
introduced last session, the Wireless 411 Privacy Act, which 
seeks to keep wireless services from disclosing wireless 
numbers without the affirmative consent of the consumer. And we 
have heard of the unintended consequences from Mr. Largent and 
Mr. McCormick that we may need to tweak this language to keep 
it from having these unintended consequences regarding 
marketing of services. But phone numbers can be used to help 
prevent fraud and identity theft, because they can be cross 
checked with information on credit and loan applications. And 
we certainly don't want to make it harder to prevent fraud. 
Your bureau has a mandate to protect consumers, so I would 
appreciate your thoughts on that.
    Ms. Parnes. Thank you. We do have a mandate to protect 
consumers from identity theft. And we actually are very focused 
on how consumers can authenticate themselves in ways to prevent 
the misuse of their own personal information.
    But because this is in title II and it is a part of the 
bill that falls outside the scope of the FTC's jurisdiction, we 
would have to really go back and look at this and consult with 
our colleagues at the FCC to understand how this would operate. 
And we would be happy to get back to you on that.
    Mr. Pitts. All right.
    Steve, it is great to see you. You are a good friend and 
former colleague, and it is always good to work with you. And I 
understand that you are willing to work with us on 
clarification regarding marketing of services, but the phone 
number is not CPNI. That refers to data about the phone records 
and the behavior. Phone numbers can be cross checked on 
applications for credit, and other critical services. And do 
you see the unintended consequences regarding that that we need 
to tweak this language about?
    Mr. Largent. We would be glad to work with you on that, 
Congressman. And I would just tell you that on the other issue, 
on the wireless directory assistance, that there is no 
evidence----
    Mr. Pitts. I was just going to ask you, is there still any 
interest in creating a directory?
    Mr. Largent. None that I am aware of.
    Mr. Pitts. Good. I am happy to hear that. And thank you for 
agreeing to work with us and providing language to work out any 
unintended consequences.
    Thank you, Madame Chairman.
    Ms. DeGette. The gentleman yields back.
    The Chair now recognizes the distinguished gentleman from 
Washington State, Mr. Inslee, for 5 minutes.
    Mr. Inslee. Thank you. I would like to ask about this third 
party sharing of information for marketing and other purposes 
to make sure I understand it.
    Just give a hypothetical. XYZ Phone Company wants to enter 
into a joint venture with Acme Travel Company, and they want to 
share databases so that the travel company can focus their 
marketing efforts to see who is traveling and who is calling 
Paris, and maybe they want to market these people. I want to 
ask, Mr. Navin, Mr. Largent, and Mr. McCormick, under want 
circumstances should the phone company be able to share that 
information with Acme Travel Company? What would happen to 
happen first or second in that regard? And in particular, Mr. 
Navin, if you could tell me about the relationship between your 
proposed rule and this legislation and how they contrast or 
compare or are similar? If I could ask you three gentlemen that 
question.
    Mr. Navin. Well, currently, as has been discussed, the rule 
that the Commission has as it relates to joint venture partners 
is an opt-out rule. In other words, the carriers do not need 
the express consent by consumers to use this CPNI to market 
communications-related services. So that is the current state 
of the Commission's law. What the chairman has proposed to do 
is to change that from an opt-out approach to an opt-in 
approach, in other words, you would need express consent from 
the consumer to use this CPNI to market communications-related 
services. So that is specifically what the chairman has 
proposed in the order in front of us.
    Mr. Inslee. And I am sorry. I would think these would be 
non-communication-related services.
    Mr. Navin. I believe under our existing rules, they would 
not be allowed to market or be allowed to disclose the 
information to joint venture partners for non-communication-
related services on an opt-out approach. They would not be 
allowed to do that.
    Mr. Inslee. So what your proposed rule under consideration 
now would be to treat non-communication services and 
communication services the same, which is you would have to opt 
in before it was allowed? Is that the current play?
    Mr. Navin. That is correct. I would like to get back to you 
on whether or not the carriers could actually disclose the 
information to a joint venture partner for non-communications-
related services.
    Mr. McCormick. I think I can answer that, Mr. Inslee. Our 
reading of the law is that the law would not allow us to share 
any information with an allied travel without the express 
consent of the customer, and that, as a matter of practice, 
none of our companies do it anyway. The legislation under 
consideration would, instead, say that with regard to any 
communications-related services, for example, if a local 
company, one of our local companies, wanted to offer to its 
customer a bundle package that included local and long 
distance, we would not be able to contact that customer unless 
the customer first opted in and allowed us to use the fact that 
it was a local customer for us to then say, ``You are paying 
$25 for local service. We will offer you a bundle package with 
long distance for $35.'' Or to add that customer in for DSL 
service. And if that is not the intent of the committee, then 
what we would hope is that the bill would be clarified so that 
that ambiguity would not be there.
    Mr. Largent. Yes, I would just ditto everything Walter 
said. We feel the same way. Our companies are not taking 
customers' names or numbers and marketing them or selling them 
to third parties that don't have anything to do with 
telecommunications. We use those to market our services to our 
own customers only.
    Mr. Inslee. Mr. McCormick, you discussed this, you would be 
discriminated against if this was an opt-in. I am thinking 
about this, so I don't show you any position that I have right 
now, but I do want to say that, at least I have taken a 
position that if other industries should be an opt-in, for 
instance, I believe you should have to opt in to get my 
checking account records. I lost that battle in the past couple 
of Congresses. If I come down and it sounds differently, it is 
not to discriminate against you but to remain consistent, of 
course, according to what I think most of my constituents want 
at the moment.
    Mr. McCormick. Well, I understand the desire to opt in in 
order to get checking account records, call detail information. 
What we are really talking about here is kind of like a do-not-
call list. And as I said before, Congress passed the do-not-
call law that was an opt-out. If you don't want to be called, 
you can opt out. This would say, with regard to our industry 
alone, customers would have to opt in before we were allowed to 
call our own customer. And I don't think that is the 
committee's intent, and that is what we would like to clarify.
    Mr. Inslee. OK. Is there any middle ground here where you 
would not disclose specific identity of the callers or callee 
but certain general characteristics if you reach some joint 
venture marketing situation? Is that possible?
    Mr. McCormick. Yes, there is a lot of middle ground here. I 
think that all of the concerns that the committee has about 
identity theft and pretexting and privacy of customer records 
are concerns that we share. And what we want to be able to do 
is to simply be able to work in an effective way to market new 
services, particularly bundled services, in a way that competes 
with all of the other businesses out there that are looking for 
new and innovative ways of offering consumers a package that 
the consumers will find more efficient, higher savings, and 
more convenient.
    Mr. Inslee. Thank you.
    Ms. DeGette. The Chair now recognizes Mr. Burgess, 
distinguished gentleman from Texas, for 6 minutes.
    Mr. Burgess. Thank you, Madame Chairman.
    Let me just follow-up on Mr. Inslee's comments. Mr. 
McCormick, why do you need the CPNI information to market to 
your customers? Can't you just do this from other data that you 
would have?
    Mr. McCormick. There is a difference between CPNI, customer 
proprietary network information, and call-detail information. 
Customer proprietary network information is, arguably, 
everything about that customer: his service package, does he 
take a local service, does he take call answering, does he take 
call forwarding, does he also take Internet access, does he 
take long distance? That is different than the call-detail 
information. Call-detail information, we don't even keep call-
detail information for local calls. On long distance calls, 
call-detail information is kept only for billing purposes. It 
is the call-detail information that is sought by pretexters. It 
was sought in the case of Mr. Einhorn. We understand the desire 
of the committee to afford additional safeguards to third 
parties being able to come in and access that call-detail 
information, people who should not have access to it. but for 
purposes of our being able to use joint venture partners to go 
out and to market for us add-on services like Internet access, 
video, or even new pricing packages for long distance, family 
plans, favorite five plans, that information for being able to 
market outward has never been used for pretexting. There is not 
any case whatsoever where there has ever been an inappropriate 
use of that information that has violated the privacy of an 
individual for outward marketing purposes.
    Mr. Largent. And I would just add to that, not even when 
third parties were located not in the United States. Those 
third-party agreements that they had with the carriers are 
sacrosanct to those third parties, because if they violate 
them, then they are out the door, their business is out the 
door.
    Mr. Burgess. I guess it was in the O&I Subcommittee, I 
think we had 17 people take the fifth one morning. And I can't 
even do the math to figure out what number that would be, 17 
times 5. But I am very glad that you don't call those 
individuals and provide them information. Mr. Stupak was here 
that morning. That was an unbelievable arrangement of 
individuals. I still have nightmares about Ma Bell from 
Arizona.
    Well, then, so I understand we are obviously trying to 
craft a piece of legislation that will endure, and your 
industry moves and changes very fast, and our legislation will 
be there in perpetuity for the rest of my natural lifetime, so 
we want it to be done correctly. And I guess I get the 
impression from the way the questions have been going back and 
forth, that you have some concerns about the overly-broad 
drafting of the language in title II of this bill, is that 
correct?
    And I assume you have made those concerns available to the 
appropriate committee staff?
    And Mr. Navin, you are not allowed to help in that or at 
some point will you be able to help us in that?
    Mr. Navin. No, the Commission would be happy to help and 
happy to provide technical assistance on the bill, but I just 
reviewed the bill for purposes of preparing for this hearing, 
and I don't want to simply give my impressions. I would rather 
coordinate with the folks at the Commission.
    Mr. Burgess. OK. But that information or that technical 
assistance is going to be available to the committee staff and 
committee members as we go through the process of marking up 
and delivering this bill?
    Mr. Navin. Absolutely.
    Mr. Burgess. OK. Mr. Einhorn, you have been so kind to sit 
with us all morning, and I appreciate your involvement in this. 
It won't do any good for me to apologize to you, but I will do 
it anyway, that you suffered the problems that you did.
    Now just so that I understand clearly when Mr. Markey was 
asking you the question, and he is gone, but I will try to 
paraphrase it, and I hope I am accurate, where he said 
shouldn't the company have notified you immediately about a 
breach of security or the pretexting that occurred. How did 
they know that the pretexting had occurred? When these guys 
have sat in front of us and gave us examples of pretexting, 
they were so cleaver about how they did stuff, how did they 
know that your information had been delivered to the wrong 
hands?
    Mr. Einhorn. Well, I am glad you came back to that, because 
I wanted to elaborate on the question that was asked before. I 
am actually a victim of pretexting in two separate 
circumstances. The first relates to my home telephone records 
where the company did not, in any way, notify us that we were 
pretexted. What actually happens is----
    Mr. Burgess. Well, let me just interrupt you there. How did 
they know?
    Mr. Einhorn. Who is ``they''?
    Mr. Burgess. The company, AT&T, I guess.
    Mr. Einhorn. AT&T did not notify us or even necessarily 
know that we had been pretexted.
     What happened was we tried to sign up for an online 
account to pay our bills, and they said, ``You can't do that, 
because the account has actually already been opened.'' And 
then you say, ``Well, who opened the account?'' And then AT&T 
was able to tell us the details of how the account was opened.
    Mr. Burgess. So they did not verify that with mailing that 
information back to you after the new account was opened?
    Mr. Einhorn. That is correct. I was not contacted.
    And then second, our business records were involved with 
pretexting. And in that particular case, we only learned about 
that when Allied Capital put out a press release saying they 
had things that were purported to be our business records in 
response to an investigation they were conducting in response 
to a grand jury subpoena. So if they hadn't been asked that by 
the Justice Department or by the grand jury to find out whether 
or not they had actually taken our records, we never would have 
known until this day that these records were taken.
    Mr. Burgess. And the same situation, that company that was 
pretexted did not call back for verification after? Did they 
open a new account as well?
    Mr. Einhorn. Well, even now we don't know how they did it. 
We don't know whether they did this somehow online. We don't 
know if they bribed an official at the phone company. We have 
no idea what records they have or how they obtained those 
records or for what use they made. And that is still true to 
this moment, because we have gotten no explanation from Allied 
Capital as to what they have done.
    Mr. Burgess. So if Allied Capital hadn't issued a press 
release, you wouldn't even, in fact, know about it until this 
day?
    Mr. Einhorn. Relating to the business records, that is 
correct.
    Ms. DeGette. The gentleman's time is expired.
    Mr. Burgess. Thank you, Madame Chairman.
    Ms. DeGette. Yes. The Chair would inquire of the Federal 
Trade Commission. Are you investigating these business 
practices by Allied Capital?
    Ms. Parnes. Madame Chairman, the Commission investigations 
are non-public, so we would be happy to talk to you in a non-
public briefing.
    Ms. DeGette. Thank you. The Chair wants to thank all of the 
witnesses today. And following up on some questioning by Mr. 
Burgess, I would say, we are not in the initial stages of 
developing this legislation. We are in the final throws, and so 
if witnesses today or other members of the audience wish to 
give specific suggestions on development of this legislation, 
the committee would much appreciate those efforts.
    And again, I want to thank everybody for coming, and the 
hearing is adjourned.
    [Whereupon, at 1:30 p.m., the committee was adjourned.]

                                 
