[House Hearing, 110 Congress]
[From the U.S. Government Publishing Office]
COMBATING PRETEXTING:
PREVENTION OF FRAUDULENT
ACCESS TO PHONE RECORDS ACT
=======================================================================
HEARING
BEFORE THE
COMMITTEE ON ENERGY AND COMMERCE
HOUSE OF REPRESENTATIVES
ONE HUNDRED TENTH CONGRESS
FIRST SESSION
ON
H.R. 936
__________
MARCH 9, 2007
__________
Serial No. 110-16
Printed for the use of the Committee on Energy and Commerce
energycommerce.house.gov
----------
U.S. GOVERNMENT PRINTING OFFICE
39-361 PDF WASHINGTON : 2008
For sale by the Superintendent of Documents, U.S. Government Printing
Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800;
DC area (202) 512-1800 Fax: (202) 512-2104 Mail: Stop IDCC,
Washington, DC 20402-0001
COMMITTEE ON ENERGY AND COMMERCE
JOHN D. DINGELL, Michigan, Chairman
HENRY A. WAXMAN, California JOE BARTON, Texas
EDWARD J. MARKEY, Massachusetts Ranking Minority Member
RICK BOUCHER, Virginia RALPH M. HALL, Texas
EDOLPHUS TOWNS, New York J. DENNIS HASTERT, Illinois
FRANK PALLONE, Jr., New Jersey FRED UPTON, Michigan
BART GORDON, Tennessee CLIFF STEARNS, Florida
BOBBY L. RUSH, Illinois NATHAN DEAL, Georgia
ANNA G. ESHOO, California ED WHITFIELD, Kentucky
BART STUPAK, Michigan BARBARA CUBIN, Wyoming
ELIOT L. ENGEL, New York JOHN SHIMKUS, Illinois
ALBERT R. WYNN, Maryland HEATHER WILSON, New Mexico
GENE GREEN, Texas JOHN B. SHADEGG, Arizona
DIANA DeGETTE, Colorado CHARLES W. ``CHIP'' PICKERING,
Vice Chairman Mississippi
LOIS CAPPS, California VITO FOSSELLA, New York
MIKE DOYLE, Pennsylvania STEVE BUYER, Indiana
JANE HARMAN, California GEORGE RADANOVICH, California
TOM ALLEN, Maine JOSEPH R. PITTS, Pennsylvania
JAN SCHAKOWSKY, Illinois MARY BONO, California
HILDA L. SOLIS, California GREG WALDEN, Oregon
CHARLES A. GONZALEZ, Texas LEE TERRY, Nebraska
JAY INSLEE, Washington MIKE FERGUSON, New Jersey
TAMMY BALDWIN, Wisconsin MIKE ROGERS, Michigan
MIKE ROSS, Arkansas SUE WILKINS MYRICK, North Carolina
DARLENE HOOLEY, Oregon JOHN SULLIVAN, Oklahoma
ANTHONY D. WEINER, New York TIM MURPHY, Pennsylvania
JIM MATHESON, Utah MICHAEL C. BURGESS, Texas
G.K. BUTTERFIELD, North Carolina MARSHA BLACKBURN, Tennessee
CHARLIE MELANCON, Louisiana
JOHN BARROW, Georgia
BARON P. HILL, Indiana
______
Professional Staff
Dennis B. Fitzgibbons, Chief of Staff
Gregg A. Rothschild, Chief Counsel
Sharon E. Davis, Chief Clerk
Bud Albright, Minority Staff Director
(ii)
C O N T E N T S
----------
Page
Hon. John D. Dingell, a Representative in Congress from the State
of Michigan, opening statement................................. 1
Hon. Hon. Fred Upton, a Representative in Congress from the State
of Michigan, opening statement................................. 3
Hon. Edward J. Markey, a Representative in Congress from the
Commonwealth of Massachusetts, opening statement............... 4
Hon. Cliff Stearns, a Representative in Congress from the State
of Florida, opening statement.................................. 5
Hon. Bobby L. Rush, a Representative in Congress from the State
of Illinois, opening statement................................. 6
Hon. Joe Barton, a Representative in Congress from the State of
Texas, opening statement....................................... 6
Hon. Rick Boucher, a Representative in Congress from the
Commonwealth of Virginia, opening statement.................... 7
Hon. J. Dennis Hastert, a Representative in Congress from the
State of Illinois, opening statement........................... 7
Hon. Albert R. Wynn, a Representative in Congress from the State
of Maryland, opening statement................................. 8
Hon. Joseph R. Pitts, a Representative in Congress from the
Commonwealth of Pennsylvania, opening statement................ 8
Hon. Gene Green, a Representative in Congress from the State of
Texas, opening statement....................................... 9
Hon. Greg Walden, a Representative in Congress from the State of
Oregon, opening statement...................................... 9
Hon. Anthony D. Weiner, a Representative in Congress from the
State of New York, opening statement........................... 10
Hon. Diana DeGette, a Representative in Congress from the State
of Colorado, opening statement................................. 10
Hon. Edolphus Towns, a Representative in Congress from the State
of New York, opening statement................................. 11
Hon. Jay Inslee, a Representative in Congress from the State of
Washington, opening statement.................................. 12
Hon. Tammy Baldwin, a Representative in Congress from the State
of Wisconsin, opening statement................................ 12
Hon. Barbara Cubin, a Representative in Congress from the State
of Colorado, opening statement................................. 13
Hon. Jan Schakowsky, a Representative in Congress from the State
of Illinois, opening statement................................. 13
H.R. 936, To prohibit fraudulent access to telephone records..... 14
Witnesses
Lydia Parnes, Director, Bureau of Consumer Protection, U.S.
Federal Trade Commission....................................... 32
Prepared statement........................................... 34
Thomas Navin, Chief, Wireline Bureau, Federal Communications
Commission..................................................... 45
Prepared statement........................................... 47
Marc Rotenberg, executive director, Electronic Privacy
Information Center............................................. 56
Prepared statement........................................... 56
Hon. Steve Largent, president, chief executive officer, CTIA-the
Wireless Association........................................... 67
Prepared statement........................................... 69
Walter McCormick, president and chief executive officer, United
States Telecom Association..................................... 79
Prepared statement........................................... 81
David Einhorn, president, Greenlight Capital, Incorporated,...... 84
Prepared statement........................................... 86
COMBATING PRETEXTING: PREVENTION OF FRAUDULENT ACCESS TO PHONE RECORDS
ACT
----------
FRIDAY, MARCH 9, 2007
House of Representatives,
Committee on Energy and Commerce,
Washington, DC.
The committee met, pursuant to call, at 10:30 a.m., in room
2123 of the Rayburn House Office Building, Hon. John D. Dingell
(chairman) presiding.
Members present: Representatives Markey, Boucher, Towns,
Rush, Stupak, Wynn, Green, DeGette, Schakowsky, Gonzalez,
Inslee, Baldwin, Hooley, Weiner, Barrow, Barton, Hall, Hastert,
Upton, Stearns, Cubin, Shimkus, Shadegg, Pickering, Radanovich,
Pitts, Walden, Terry, Ferguson, Rogers, Sullivan, Murphy, and
Burgess.
OPENING STATEMENT OF HON. JOHN D. DINGELL, A
REPRESENTATIVE IN CONGRESS FROM THE STATE OF MICHIGAN
The Chairman. The hearing will come to order.
I thank you all for coming here to be with us and discuss
these matters, our views on H.R. 936, the Prevention of
Fraudulent Access to Phone Records Act.
A certain major telecommunications company allegedly turned
over detailed call records of millions of Americans to the
National Security Agency. These phone customers were not
informed that NSA had their records. Apparently, this may have
been done without proper process. At least one company found it
illegal and refused to comply.
We also learned about pretexting, which occurs when a
person obtains phone records through fraudulent means.
Apparently, some of the largest companies in America, such as
Hewlett-Packard Corporation, did not see any problems in using
this deceptive practice. One of our witnesses discovered 40 Web
sites that offered to sell phone records to anyone online.
Last Congress, this committee's Subcommittee on Oversight
and Investigations held several hearings on pretexting abuses
and scandals, and I want to commend our two friends, Mr. Stupak
and Mr. Whitfield for their extraordinary leadership in
building a strong record on these matters.
In a bipartisan manner, this committee passed the same
legislation that we are discussing today. The legislation is
bipartisan, and I intend to see that it remains so.
We also commend Ranking Member Barton for his distinguished
leadership and for his willingness to work to produce sound
legislation.
Unfortunately, after the committee reported the bill, for
some strange reason, it mysteriously disappeared from the House
floor schedule, and the House took no action before the 109th
Congress adjourned, so today, we will continue our effort to
ensure that call record information held by phone companies
remains secure.
In that regard, I am pleased that we have before us
representatives of the Federal Communications Commission and
the Federal Trade Commission to discuss these matters. The FCC
is charged with ensuring that phone companies protect our
calling records. And the FTC has the ability to crack down on
fraudulent practices, such as pretexting. This legislation will
provide more specific authority to both the FCC and the FTC to
take appropriate action.
We need to hear from the FCC what they are doing to protect
these records. Every telecommunications company under the
Communications Act has a duty to protect the sensitive,
personal information of customers. Given the well-publicized
breaches of customer privacy, we must address whether the
statute adequately empowers the FCC to protect those records. I
am aware that the FCC had expected to issue new rules governing
phone record security by the end of the year. And we are
encouraged that that is so, and we encourage the FCC to issue
these new rules as quickly as they are able.
Likewise, we need to hear from the FTC on whether or not
they believe they have the authority, under existing law, to
pursue those who engage in pretexting. The FTC has been
aggressive in using section 5 of the Federal Trade Commission
Act, which prohibits unfair and deceptive acts and practices in
interstate commerce to bring enforcement actions against
pretexters. But last year, they testified that more specific
prohibitions were needed against pretexting soliciting and
selling customer phone records. The agency also seeks enhanced
authority to impose civil penalties.
The Chair also looks forward to the testimony of the other
distinguished members of our panel, the landline and wireless
companies. And last, but, by no means, least, we will hear
important testimony from a victim of pretexting. This is not a
faceless crime, and it is not a crime that has no consequences.
Mr. Einhorn, the committee thanks you for coming before us, and
I am sorry, indeed, about what has happened to you and your
family, and I pledge the best efforts of myself and the
committee to make this kind of event less likely to happen to
anyone else.
In the interest of fairness, the committee will leave the
record open for 30 days in case Allied Capital wants to submit
a statement.
This measure passed this committee in a bipartisan fashion
last Congress. Just as Mr. Barton did last Congress so
effectively well, I will work to address this issue in the same
bipartisan manner. And as always, the committee will conduct
the oversight necessary to ensure that the American people are
protected in the privacy of their phone records.
The Chair will follow the usual practices of the committee,
and we will recognize the members for 3 minutes. And if the
members choose to waive that 3-minute opening statement, they
will be recognized for an additional 3 minutes at the time of
the questioning.
The Chair recognizes now the distinguished gentleman from
Michigan, Mr. Upton, who has done a superb job on this
legislation. Mr. Upton for 3 minutes.
OPENING STATEMENT OF HON. FRED UPTON, A REPRESENTATIVE IN
CONGRESS FROM THE STATE OF MICHIGAN
Mr. Upton. Well, thank you, Mr. Chairman. I know Mr. Barton
is on the way as well.
There have been great advances in technology since the days
of the little black rotary phone. But the unfortunate reality
is that, along with great advances in technology, there have
been great advances in fraud as well.
Over the last year, pretexting has garnered the national
spotlight. Nearly a year ago, to the day, we marked up similar
legislation in this committee, but hit a few minor bumps along
the way. And I am hopeful that we will have a little more
success this time, and consumers will, in fact, be the better
for it.
On the surface, pretexting seems harmless enough, but it is
a violation of one's basic rights that can have grave
consequences. Someone with bad intentions and a few bucks can
get a hold of almost anyone cell phone record. It is alarming
that our cell phone bills, a score sheet for our daily lives,
can fall into the wrong hands with a simple phone call or even
a click of the mouse.
The consequences of firms trying to make a quick buck on
the Internet are terrifying. Records can be used to track down
someone's location, such as a woman in hiding from an abusive
partner or stalker. Gangs and drug runners have been known to
obtain phone records to determine if anyone in their group, in
their gang, has been in contact with rival groups or even with
the police.
It doesn't matter what the motive is, no matter how
barbaric or innocent the intentions, pretexting is wrong and a
violation of an individual's basic right to privacy. Carriers
do have a duty to protect their customers, and we have a duty
to close the loophole once and for all.
We have a quality piece of bipartisan legislation that will
bring an end to this practice, once and for all. And the
Nation's 190 million cell phone users will all be safer for it.
And while we continue to make great advances in technology, one
thing that will continue to remain constant is the consumer's
right to privacy.
I yield back my time.
Thank you, Mr. Chairman.
The Chairman. I thank the gentleman.
The Chair recognizes now the distinguished gentleman from
Massachusetts, Mr. Markey, for 3 minutes.
OPENING STATEMENT OF HON. EDWARD J. MARKEY, A REPRESENTATIVE IN
CONGRESS FROM THE COMMONWEALTH OF MASSACHUSETTS
Mr. Markey. I thank the chairman very much.
Mr. Chairman, personal privacy is the cornerstone of
individual freedom. A person's telephone records can disclose
some of the most intimate details of a person's life.
information about who you call, when you call, how long you are
on the phone can reveal a lot about a person, their
relationships, their business dealings, their family members,
their children. The public sale of this information can be
embarrassing, awkward, and uncomfortable for a consumer. It can
be dangerous when it is in the hands of stalkers, thieves,
abusers, and others who intend to do harm.
More troubling, in my mind, is the fact that last year this
committee discovered that pretexting is not solely the province
of individual, low-rent fraudsters who prey on vulnerable
citizens. In a shocking revelation last September, Hewlett-
Packard, a Fortune 500 company, agreed to pay a $14 million
penalty for illegal pretexting. Likewise, Washington hedge fund
manager, David Einhorn, who is testifying here today, fell
victim to pretexting when a financial service's firm hired
someone to illegally obtain his phone records.
In the last Congress, this committee passed this important
bill to ensure that consumer phone records are not for sale in
some cyberspace bizarre and to take action to shut down these
practices. Last session's bill, however, mysteriously
disappeared from the House suspension calendar prior to House
floor consideration, reportedly due to concerns from the
intelligence community. These concerns implicated the alleged
disclosure of phone records by certain telephone companies to
the National Security Agency or others. The pretexting bill's
sudden disappearance represented a case of extraordinary
legislative rendition.
Under the Telecommunications Act, telephone companies are
legally obligated to safeguard the confidentiality of phone
records. After the scandals of last year, many phone companies
certainly responded by tightening internal controls to prevent
unauthorized disclosure of phone records. While the fraudsters
may be acting illegally by using pretexting, the fact that
these records are apparently so easily obtained on the Internet
and elsewhere makes it self-evident that enforcement and
security needs to be stepped up.
The FCC has been developing new rules to do just that for
several months, and we are eager for the Commission to finalize
its action. Doing so may obviate the need to legislate portions
of the bill before us. I also continue to believe it is
important for the Commission, as an independent, regulatory
agency, to investigate media reports regarding disclosure of
consumer phone records by phone companies without legal process
and in violation of the Communications Act. This is still
timely, as this morning's newspapers indicate. There is still a
lack of respect of a law of our country that privacy of
Americans be protected and that only a judge, ultimately, can
authorize the compromise of these important communications
records.
I look forward to working with you, Mr. Chairman, Mr.
Barton, Mr. Upton, with Chairman Rush, and Mr. Stearns, and our
other committee colleagues on this important legislation.
I thank you.
The Chairman. The Chair thanks the distinguished gentleman.
The Chair recognizes now our good friend from Florida, Mr.
Stearns, for 3 minutes.
OPENING STATEMENT OF HON. CLIFF STEARNS, A REPRESENTATIVE IN
CONGRESS FROM THE STATE OF FLORIDA
Mr. Stearns. Mr. Chairman, thank you very much. This is
deja vu all over again. I mean, we have been talking about this
bill. We have had the hearings on it in my subcommittee that I
chaired in the last Congress, Commerce, Consumer Protection and
Trade with the Federal Trade Commission having jurisdiction
over this. Unfortunately, the Telecom Act of 1996 exempted
common carriers, which allowed this to be under the
jurisdiction of the FCC rather than the Federal Trade
Commission. I think many of us on this side were sorely
disappointed that we couldn't have reached a compromise and had
this bill on the floor under suspension, perhaps with
amendment, and got this through. I think we all realize, no
matter what we talk about, the stark reality is that there is
always going to be con artists and cyber thieves to keep us
busy. And so we have got to pass this bill. We must recognize
the importance of securing and protecting personal data from
exploitation by fraudsters, whether the preferred technique is
pretexting, hacking, or good old-fashioned fraud. Likewise,
ensuring the public is informed about the need to protect
personal data will also help thwart the fastest-growing
criminal enterprise in America, which is identity theft.
So, Mr. Chairman, our subcommittee that I chaired and now
that Mr. Rush chairs are eagerly looking forward to passing
this. And I think under your leadership, Mr. Dingell,
hopefully, we will have this on the floor in short order. I
think it is an issue that, for a long time, has been in
agreement that it should pass. I am a cosponsor of this bill,
this H.R. 936. As we all know, it is not perfect. Perhaps as it
works its way through the process out of our committee and to
the House floor and to the Senate, we will have that
opportunity to improve it. Hopefully, the intelligence
community will come on board and not thwart and prevent this
from passing. I think the good of this is overwhelming, and we
must not restrict legitimate marketing practices that can
benefit consumers, but we also might understand that there is a
need to identify and protect the consumers' privacy.
So I look forward to working with you, Mr. Chairman, and
obviously Mr. Upton, who is chairman of the Telecommunications
Committee, and the ranking member of our full committee, Mr.
Barton.
Thank you.
The Chairman. The Chair recognizes now the distinguished
gentleman from Illinois, Mr. Rush, for 3 minutes.
OPENING STATEMENT OF HON. BOBBY L. RUSH, A REPRESENTATIVE IN
CONGRESS FROM THE STATE OF ILLINOIS
Mr. Rush. Thank you, Chairman Dingell, for conducting this
hearing. And I want to commend you and Ranking Member Barton
for your continued bipartisan leadership on this issue.
Mr. Chairman, pretexting is a serious problem that can have
devastating effects on the average consumer. And I am sure Mr.
Einhorn's testimony will further illustrate the devastating
effects that pretexting can have.
Mr. Chairman, H.R. 936, the Prevention of Fraudulent Access
to Phone Records Act, is a hard-hitting but deliberative
response to this widespread crime. Most of today's discussion
in our hearing will center around title 2 of the bill. But as
chairman of the Subcommittee on Commerce, Trade, and Consumer
Protection, I want to highlight the provisions of title 1.
Title 1 of the bill grants the FTC specific authority to
crack down on pretexters by explicitly declaring the practice
of fraudulently obtaining or selling customer proprietary
network information as an unlawful conduct and an unlawful act.
The FTC will enforce this provision as a violation of the
Federal Trade Commission Act and its prohibition on unfair or
deceptive practices. The Commission is to be lauded for its
past and ongoing enforcement actions under its existing
authority under Section 5 of the FTC Act. But last year, in
hearings, we heard testimony that the Commission needed more
specific statutory authority to better protect the public.
title 1 fulfills this need.
Mr. Chairman, every returning member of this committee
voted for this bill in the last Congress, and it is my sincere
hope that every member of this committee will repeat that vote.
Too many consumers remain vulnerable to pretexting and its
devastating effects, and H.R. 936 will go a long way in
addressing this basic consumer protection issue. Last Congress,
we did our job. We reported a good bill out of our committee
for consideration on the House floor only to see it go nowhere
and die. I hope this year's bill won't meet the same fate. Let
us make sure that today's hearing is the 110th Congress's first
step toward eventually enacting this important measure into
law.
Thank you, Mr. Chairman. I yield back the balance of my
time.
The Chairman. Thanks to the distinguished gentleman from
Illinois.
It is with great pleasure that the Chair recognizes my good
friend and colleague, the ranking member of the committee, Mr.
Barton, who provided such extraordinary leadership in this
matter last year. The gentleman is recognized for 5 minutes.
OPENING STATEMENT OF HON. JOE BARTON, A REPRESENTATIVE IN
CONGRESS FROM THE STATE OF TEXAS
Mr. Barton. Thank you, Mr. Chairman.
I won't take very much time. I am submitting my full
statement for the record. Suffice it to say that we worked
together on this in the last Congress and didn't quite get over
the finish line. I am proud to be an original sponsor with you
and several other members in this Congress. Pretexting is
something that we need to combat. And as we all know,
pretexting is pretending to be someone you are not to get
something you shouldn't have to use in a way that is probably
wrong.
So I am sure, on a bipartisan basis, we can move this bill
and move it to the floor and move it to the Senate and put it
on the President's desk and strike a blow for individual
privacy in this Congress.
And with that, I would yield back.
The Chairman. The Chair thanks the gentleman, and without
objection, his full statement will appear in the record, as
will the statements of our other colleagues, who so desire.
The Chair recognizes now our good friend and colleague, the
gentleman from Virginia, Mr. Boucher, for 1 minute. Mr.
Boucher.
OPENING STATEMENT OF HON. RICK BOUCHER, A REPRESENTATIVE IN
CONGRESS FROM THE COMMONWEALTH OF VIRGINIA
Mr. Boucher. Well, thank you very much, Mr. Chairman.
It is my pleasure to join with you and other members of the
committee in cosponsoring this measure. And I commend the
bipartisan process that has produced this bill. Pretexting was
rendered unlawful by action in the last Congress, but there is
an ongoing need to make sure that the integrity of customer
proprietary information is protected by local exchange carriers
and by the wireless industry. That information should never be
sold, and there should be ongoing steps taken by the carrier to
make sure that that information is appropriately safeguarded.
That said, I think it is also important that we carefully
evaluate the exemptions to make sure that none of the
provisions about sharing information with third parties would
prohibit normal and effective operations by the
telecommunications carrier. They need to contract out certain
information to third parties, including engineers and
information technology specialists of various kinds. And the
ability to do that is absolutely essential to the effective
functioning of their operations. And so I would simply urge the
committee to take care, as we have this hearing, to listen to
the representatives of the telecommunications industry and heed
their recommendations with regard to what the scope of those
exemptions should be.
Thank you, Mr. Chairman, and I yield back.
Ms. DeGette [presiding]. The Chair is now delighted to
recognize Mr. Hastert for 1 minute.
OPENING STATEMENT OF HON. J. DENNIS HASTERT, A REPRESENTATIVE
IN CONGRESS FROM THE STATE OF ILLINOIS
Mr. Hastert. Well, thank you, Madame Chairwoman.
I would like to thank the witnesses for coming this morning
to speak about pretexting and the sale of phone records. Since
the development of the Internet, our personal information has
been more readily available and increasingly easier to obtain.
In fact, there is a growing market for the sale of phone
records. These records provide detailed information about who
and what and when we call and how long we spend on the phone.
Fraudulently obtaining this information is an invasion to our
personal privacy, and it cannot be allowed to continue.
But at the same time, we need to provide for equal
treatment for all those who collect that data. As we move
forward, we should ensure that this bill will not hamper lawful
and necessary means to protect our country from foreign
terrorism. I look forward to hearing from each witness as we
address these concerns.
And I thank you, and I yield back my time.
Ms. DeGette. The Chair now recognizes the distinguished
gentleman from Maryland, Mr. Wynn, for 1 minute.
OPENING STATEMENT OF HON. ALBERT R. WYNN, A REPRESENTATIVE IN
CONGRESS FROM THE STATE OF MARYLAND
Mr. Wynn. Thank you, Madame Chairman, for holding this
hearing on an issue of such importance to American consumers.
Pretexting, the unlawful, false, fictitious or fraudulent
statements or representations in order to obtain the personal
proprietary information of a consumer poses serious threats to
the privacy of consumers and to the integrity of the
telecommunications industry. The ease with which one can obtain
private information on other individuals concerns me,
especially when we know the harm that can be done with such
records. The improper use of customer propriety network
information, CPNI, have been used in the past by suspected
mobsters to intimidate police officers and by stalking in the
murder of Amy Boyer in 1999.
As a matter of public policy, we must ensure that this type
of information cannot be easily bought over the Internet. We
need to pass legislation to make sure that those who illegally
purchase CPNI are aggressively prosecuted, but, at the same
time, we need to make sure this bill does not hamstring
telecommunication providers who use CPNI in a responsible
manner to better target their consumers for new products or
services and ultimately pass savings along to them.
I look forward to this hearing and hearing from the
witnesses. It is critical that we safeguard individuals from
pretexting. I thank you for this time, and I yield back.
Ms. DeGette. The Chair now recognizes the distinguished
gentleman from Illinois, Mr. Shimkus, for 1 minute.
Mr. Shimkus. I will waive.
Ms. DeGette. The gentleman waives.
The Chair now recognizes the gentleman from Pennsylvania,
Mr. Pitts.
OPENING STATEMENT OF HON. JOSEPH R. PITTS, A REPRESENTATIVE IN
CONGRESS FROM THE COMMONWEALTH OF PENNSYLVANIA
Mr. Pitts. Thank you, Madame Chairman.
I am looking forward to hearing what our witnesses have to
say this morning. Everyone agrees that pretexting needs to be
stopped, but we need to do it in a way that does not ensnare
legitimate business practices. We have a good bill before us,
and I will be interested to hear what our witnesses have to say
about how we can improve it when we mark it up.
I am also grateful to the sponsors of this bill for
including the wireless directory assistance language that I and
my friend Chairman Markey worked so hard on over the last two
Congresses. While telephone numbers are not, strictly speaking,
considered customer proprietary network information, wireless
telephone numbers are definitely considered personal
information by the vast majority of consumers, and I expect
this language will become law this year, and I am very happy
about that. This hearing will also be a chance for us to make
sure that that part of the bill is written the best way
possible and will not have any unintended consequences.
Thank you, Madame Chairman.
Ms. DeGette. The Chair now recognizes the distinguished
gentleman from Texas, Mr. Green, for 1 minute.
OPENING STATEMENT OF HON. GENE GREEN, A REPRESENTATIVE IN
CONGRESS FROM THE STATE OF TEXAS
Mr. Green. Madame Chairman, I am glad we are considering
H.R. 936, and I am a proud cosponsor of it. Our committee has a
history of privacy protections, going back to the legislation
on banking in the last decade, and we are concerned about the
privacy of our own information, whether it is good banking
records or our cell phones and our own hard lines. And
pretexting should have passed last time, as most of my
colleagues said. I think there is an issue we are going to have
to deal with on the contracting out, as I heard our chair of
the Energy Subcommittee talk about. I would just hope that
whatever we do about contracting out would have the same
restrictions as the person who is doing the contracting.
And I yield back my time.
Ms. DeGette. The gentleman yields back.
The Chair now recognizes the distinguished gentleman from
Oregon, Mr. Walden, for 1 minute.
OPENING STATEMENT OF HON. GREG WALDEN, A REPRESENTATIVE IN
CONGRESS FROM THE STATE OF OREGON
Mr. Walden. Thank you, Madame Chair.
I am looking forward to this hearing, and while I supported
this legislation last year and certainly participated in the
oversight hearings on pretexting, I want to make sure that, as
we move forward, that we aren't doing something that has
unintended consequences when it comes to legitimate marketing
issues so that consumers can get access to information for
offers and things they may want to take advantage of. And so I
am going to raise a few of those questions. I think there have
been some points raised since this bill was passed out of this
committee last year and sent to the full House, which never
took it up, that need to be addressed to make sure we are doing
the right thing, which is protecting the rights of consumers,
not to be ripped off and not to be abused, as we witnessed in
our hearings. And there are some very serious legitimate
problems out there that we need to address. In doing so, let us
make sure that we don't go overboard.
So thank you for this hearing and for your work on the
Oversight Committee as well, and I look forward to the
testimony of our witnesses.
Ms. DeGette. The gentleman yields back.
The Chair now recognizes the gentleman from Texas, Mr.
Gonzalez, for 1 minute.
Mr. Gonzalez. I waive.
Ms. DeGette. The gentleman waives.
The Chair now recognizes the distinguished gentle lady from
Oregon, Ms. Hooley, for 1 minute.
The gentle lady waives.
The gentleman from New York, Mr. Weiner.
OPENING STATEMENT OF HON. ANTHONY D. WEINER, A REPRESENTATIVE
IN CONGRESS FROM THE STATE OF NEW YORK
Mr. Weiner. Thank you, Madame Chair. And I look forward to
this hearing, and I want to commend the committee for the work
that they have done last year.
There are some foundational principles that we should keep
in mind. One is there has to be a reasonable understanding that
consumers expect the information to be shared. In this case, I
think most, as Mr. Markey said, consumers don't even realize
this information is available to be shared. And this is not
like some other data in our lives that we kind of sense maybe
someone else is going to get a hold of.
And second, if the administration has concerns about
national security, concerns about the legislation, let us hope
this year they confront it in a more forthright fashion, rather
than in the dark of night, simply killing a bill that should
have been on the suspension calendar, as many of us would agree
with. If a court gets an opportunity to view these concerns, I
am convinced that they will make the right decisions. But
simply making these privacy decisions in the dark of night by
security officials, we have learned over and over again, this
administration cannot be trusted with that much authority.
And I yield back my time.
Ms. DeGette. The gentleman yields back.
The Chair now recognizes the gentleman from Nebraska, Mr.
Terry, for 1 minute.
Mr. Terry. Waive.
Ms. DeGette. The gentleman waives.
The Chair now recognizes the gentleman from Texas, Mr.
Hall, for 1 minute.
Mr. Hall. Chairman, there is nothing I can add to this. I
voted for it the last time. I don't know why we don't run it on
through now and pull our hat down over our ears and try to get
it out of the Senate and listen to these five young men and
this lovely lady to tell us what they think about this, and
especially to welcome Mr. Largent, a former member here.
I yield back.
Ms. DeGette. The Chair recognizes herself for 1 minute.
OPENING STATEMENT OF HON. DIANA DEGETTE, A REPRESENTATIVE IN
CONGRESS FROM THE STATE OF COLORADO
Ms. DeGette. Last year, we had a series of hearings in the
Oversight and Investigations Subcommittee on pretexting, and
really, what we learned was disturbing. Your personal data is
out there for sale, and, as we have heard, it just takes a few
minutes and a little money for someone to get access to your
telephone records and other pieces of private information.
What seemed worse to me, though, was there are a number of
prominent citizens in this country and lawyers who don't seem
to understand that this is, at best, unethical, in many
situations, and, at worst, and probably, in many States,
illegal. And that is why we need to clarify the Federal law.
That is what H.R. 936 was intended to do.
Last year, this committee passed that bill unanimously, and
somehow between this committee and the House floor, it got
lost. And we never did find it. But this year, it is a new
year. It is a new Congress. And it is going to be a new fate
for H.R. 936.
I look forward to hearing the witnesses about this bill.
And most importantly, I look forward to passing this bill
through the committee and through the House of Representatives.
With that, the Chair now recognizes Mr. Burgess from Texas
for 1 minute.
Mr. Burgess. Thank you, Madame Chairman. I think, in the
interest of time, I will submit my statement for the record and
reserve time for questions.
Ms. DeGette. Without objection.
The Chair now recognizes Mr. Sullivan from Oklahoma.
Mr. Sullivan. Madame Chairman, I, too, shall submit mine
for the record.
Ms. DeGette. The chairman now recognizes the gentleman from
New York, Mr. Towns, for 1 minute.
OPENING STATEMENT OF HON. EDOLPHUS TOWNS, A REPRESENTATIVE IN
CONGRESS FROM THE STATE OF NEW YORK
Mr. Towns. Thank you very much, Madame Chair.
Let me thank all of the witnesses for coming. And I
especially want to thank my former colleague, Steve Largent for
being here.
Also, what I would like for these fine witnesses to do for
me is to clarify the issues that the industry has with the bill
and to show us how companies use customer proprietary network
information to assist them in providing better choices and
products to our constituents.
Although consumers enjoy all the new options they have,
they want to believe that their personal details will not be
abused. And of course, I would like to hear. Some of that makes
me feel comfortable in that regard, and at the same time, we
recognize that we do not want to eliminate progress, but we
also have to be concerned about fraud.
On that note, I yield back, Madame Chair.
Ms. DeGette. The gentleman yields back.
The Chair now recognizes the gentleman from Mississippi,
Mr. Pickering.
Mr. Pickering. Thank you, Madame Chairman.
In the interest of time, I will yield back.
Ms. DeGette. The Chair now recognizes Mr. Inslee from
Washington State.
OPENING STATEMENT OF HON. JAY INSLEE, A REPRESENTATIVE IN
CONGRESS FROM THE STATE OF WASHINGTON
Mr. Inslee. Thank you. I think it is about time to do it
since I first heard about people stealing your personal records
over the Internet a couple of days after Christmas 2005. So I
am glad to finally be here.
I want to note the opt-in provision of this bill that I
think is important to give consumers the right to opt in rather
than have to opt out so their records will be protected unless
they specifically give advanced approval for their information
to be divulged. But I think I am interested in looking at how
we do that without interfering with the legitimate operational
activities of the carriers. What my vision is we could have an
opt-in requirement for any marketing purposes, and the like.
But let us get this job done this year. Thanks.
Ms. DeGette. The Chair now recognizes the gentle lady from
Wisconsin, Ms. Baldwin, for 1 minute.
OPENING STATEMENT OF HON. TAMMY BALDWIN, A REPRESENTATIVE IN
CONGRESS FROM THE STATE OF WISCONSIN
Ms. Baldwin. Thank you, Madame Chairwoman.
I hope that hearings like this will generate enough
momentum to actually move the bill through Congress this year,
and I echo my colleagues' concerns that pretexting not only
violates a person's right to privacy, but it poses serious
risks to people's safety, such as some of the high-profile
cases that we have heard of victims of domestic violence and
stalking and police officers who are doing undercover work.
Furthermore, last fall's revelations at that corporate
sector has been using pretexting to obtain personal records of
employees, board members, journalists and critics further
injected a renewed sense of urgency in addressing this issue.
Imposing penalties on the actions of pretexters is certainly a
necessary component of stemming the problem, but it is not the
only one. That is why I am particularly pleased that this bill
not only makes pretexting to obtain, solicit, sell, or disclose
customer proprietary network information illegal, but it also
gives the FTC the enforcement power, and it also amends section
222 of the Telecommunications Act to cover joint venture
partners, et cetera. I do hope that we will promptly get about
to the task of passing this legislation.
Thank you, Madame Chairwoman.
Ms. DeGette. The Chair now is pleased to recognize the
distinguished gentle lady from Wyoming, Ms. Cubin.
OPENING STATEMENT OF HON. BARBARA CUBIN, A REPRESENTATIVE IN
CONGRESS FROM THE STATE OF WYOMING
Ms. Cubin. Thank you, Madame Chairman.
I cosponsored this legislation, because I have no doubt
that it, excuse me, takes the right approach in banning the
practice of pretexting and giving the FTC enforcement authority
to halt this practice. And I am looking forward to hearing the
Commission's enforcement efforts today.
However, I do have some concerns regarding how this
legislation will affect rural carriers. Often, important, well-
meaning legislation, such as this, affects rural areas in ways
that Congress may not have anticipated, and I am very
interested in hearing from the panel about how this legislation
will impact rural carriers and rural customers. And I do
appreciate the Commission's efforts to enforce section 222 of
the Telecommunications Act. And I believe this bill takes
positive steps to do so.
However, I would not like to see rural companies face
unnecessary, and I would like to underline, disproportionate
costs as a result of enforcement of this.
So I would appreciate remarks from the panel on that.
So thank you, Madame Chairman.
Ms. DeGette. The Chair now recognizes the distinguished
gentle lady from Illinois, Ms. Schakowsky, for 1 minute.
OPENING STATEMENT OF HON. JAN SCHAKOWSKY, A REPRESENTATIVE IN
CONGRESS FROM THE STATE OF ILLINOIS
Ms. Schakowsky. I thank you, Madame Chairman.
As has been mentioned before, our committee passed an
identical bill by unanimous vote in the last Congress, and I
hope that we can get this bill, which would allow the FTC to
assess civil penalties for pretexting for phone records and
require phone companies to better secure customer records, and
that we will get it signed into law.
A number of States, including my own State, and our
attorney general, Lisa Madigan, was here at the first hearing
we had last session and actually was invited today, but her
schedule didn't permit, have used their general consumer
protection and consumer fraud statutes to file lawsuits against
the practice, but because there was not a clear Federal statute
outlining this anti-consumer practice, there were those who
still chose to dabble in what they claim was a gray area of the
law. Last year, a bill that would allow for criminal penalties
for pretexting was signed into law, but we still need to give
the FTC the extra authority it needs to impose civil penalties.
But another important concern goes to the reason that con
artists who pretext are so successful, when we started our
investigation into pretexting in February 2006, there were over
40 sites selling other's phone records. And in the most
infamous case to date--let me just conclude with this, the
quick and easy access to phone records raises the question of
what phone companies are doing or not doing to protect our
consumers' records, and that is a very important piece of this.
So I look forward to passing this important legislation.
Thank you.
Ms. DeGette. The Chair recognizes the distinguished
gentleman from Louisiana, Mr. Melancon.
The gentleman waives. Are there any other Members who wish
to make an opening statement?
Statements will be accepted for the record as well as the
text of H.R. 936.
[H.R. 936 follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Ms. DeGette. I would like to welcome our panel today of
distinguished witnesses, most especially our former colleague,
Mr. Largent, who we are delighted to have appear in front of
the committee. The witnesses are now recognized, and we will
start with Ms. Lydia Parnes.
Ms. Parnes.
STATEMENT OF LYDIA PARNES, DIRECTOR, BUREAU OF CONSUMER
PROTECTION, U.S. FEDERAL TRADE COMMISSION
Ms. Parnes. Good morning, Madame Chairman, Ranking Member
Barton, members of the committee.
I appreciate your invitation to appear today to discuss the
privacy and security of consumers' telephone records.
Although my written statement is that of the Commission, my
oral testimony and responses to questions reflect my own views
and not necessarily those of the Commission or any individual
commissioner.
Protecting the privacy and security of consumer-sensitive
personal information is one of the Commission's highest
priorities, and aggressive law enforcement is at the center of
our efforts to protect consumers' telephone call records from
pretexting.
Last May, the Commission announced five lawsuits against 12
defendants who obtained and sold consumers' telephone records
without their knowledge or authorization. The Commission
alleged that these practices were unfair and prohibited by
section 5 of the FTC Act. In each of these cases, the defendant
advertised on its Web site that it could obtain confidential,
customer phone records from telecommunications carriers for
fees ranging from $65 to $180.
To date, the Commission has settled two of these cases,
obtaining strong, permanent injunctions that bar the defendants
from selling phone records or personal information taken from
those records. In addition, the settlements require the
defendants to disgorge their profits. The remaining three cases
are still in active litigation.
These five cases were the culmination of extensive
investigations of this industry. Commission staff surfed the
Internet for companies that offer to sell consumers' phone
records, sent warning letters, and then identified appropriate
targets for investigation and completed undercover purchases of
these records. The Commission worked closely with the Federal
Communications Commission in developing these cases. We are
committed to coordinating our work on this issue, as we have
done successfully in other areas.
Last month, the Commission filed a sixth case against six
defendants that allegedly conducted or directed actual
pretexting. Again, the FTC alleged that the defendants obtained
and sold consumers' confidential phone records without their
knowledge or consent. This case connects the actual pretexters
to the middlemen who sell the records to third parties. In
addition to alleging that the unauthorized sale of phone
records is an unfair practice, the FTC's complaint alleges that
the defendants engaged in deception by obtaining the records
through the use of fraud and misrepresentations.
These telephone-pretexting cases follow a long line of
actions against defendants charged with the pretexting of
financial records. We filed our first financial pretexting case
in 1999 against a company that offered to provide consumers'
bank account numbers and balances for a fee. Congress later
enacted the Gramm-Leach-Bliley Act, which expressly prohibits
pretexting for financial records. The FTC has followed up with
more than a dozen cases.
Let me turn briefly to the subject of legislation.
The proposed Phone Records Act contains several important
provisions that would assist the Commission in combating phone
pretexting.
First, it applies not only to pretexters, but to those who
solicit their services and know, or should know, that the
records are obtained through false pretenses. Second, it grants
the FTC the power to seek civil penalties against violators.
And third, it contains an important exemption for law
enforcement. These provisions would provide the Commission with
useful, additional tools for combating telephone records
pretexting.
In addition to the Phone Records Act, two recently-passed
statutes will assist in the fight against phone pretexting.
First, in December 2006, Congress enacted the U.S. Safe Web
Act, which allows greater cooperation and information sharing
between the Commission and its counterparts in other countries.
The U.S. Safe Web Act will assist the Commission in pursuing
data brokers, who are operating outside the United States.
Second, Congress passed the Telephone Records and Privacy
Protection Act, which criminalizes obtaining confidential
records by making false statements to a telephone service
provider. In light of this new law, we anticipate developing
criminal law enforcement referrals to our sister agency, the
Department of Justice.
Again, thank you for the opportunity to testify today. We
look forward to working with the committee and its staff on
this very important issue, and I would be happy to answer any
questions you may have.
[The prepared statement of Ms. Parnes follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Ms. DeGette. Thank you.
Mr. Navin.
STATEMENT OF THOMAS NAVIN, CHIEF, WIRELINE BUREAU, FEDERAL
COMMUNICATIONS COMMISSION
Mr. Navin. Thank you.
Good morning, Madame Chairman, Ranking Member Barton, and
members of the committee.
I appreciate the opportunity to speak with you today about
the ongoing work of the Federal Communications Commission to
ensure the privacy of American consumers' sensitive telephone
call records.
Section 222 of the Communications Act requires
telecommunications carriers to protect the confidentiality of
their customers' personal information collected in the course
of providing telephone service. This information is commonly
referred to as ``customer proprietary network information'' or
CPNI. As you are aware, third parties, known as ``data
brokers'' or ``pretexters'', had invaded consumers' privacy by
gaining unauthorized access to this very personal data for
profit.
The Commission has taken several steps to curb the
unauthorized disclosures and sale of consumers' personal
telephone records. Specifically, FCC Chairman Martin has
proposed imposing stricter security standards for CPNI for all
providers of telephone service, including mandatory passwords
for accessing customer call records. Further, the Commission
has investigated, and will continue to investigate, this
unlawful activity and take strong enforcement action to address
any violations by telecommunications carriers of their
obligations to protect CPNI.
The Commission began its investigation of the data broker
problem in late summer 2005. In August 2005, the Electronic
Privacy Information Center, or EPIC, filed a petition for
rulemaking at the FCC to address the sufficiency of carrier
privacy practices in light of the fact that online data brokers
were selling consumers' private telephone data. In early 2006,
the Commission issued a Notice of Proposed Rulemaking, inviting
comment on the EPIC petition and whether additional Commission
rules are necessary to strengthen the carriers' safeguards for
customers' records.
Based on the evidence submitted in its rulemaking
proceeding, and gathered in its enforcement investigations, the
Commission has learned about the methods that data brokers
routinely use to seek to obtain unauthorized access to CPNI.
The Commission also has learned of a variety of steps carriers
can take to further protect the privacy of customer account
information.
Significantly, we also recognize the importance of this
issue to law enforcement, particularly in light of the new
Telephone Records and Privacy Protection Act of 2006, which
makes pretexting a criminal offense. The Commission has an item
for consideration before it which would address these issues by
requiring providers to adopt additional safeguards to protect
customers' phone record information from unauthorized access
and disclosure.
The chairman has circulated an order that, for example,
proposes prohibiting providers from releasing call detail
information except when the customer provides a password, or by
sending it to an address of record or by calling the customer
at the telephone of record. To protect against possible efforts
to circumvent these requirements, the order proposes to require
carriers to notify the customer immediately when information
such as passwords or the address of record is created or
changed. The chairman also proposed a notification process for
both law enforcement and customers in the event of a breach of
CPNI.
In addition, Chairman Martin proposed to modify our current
rules to require providers to obtain affirmative customer
consent before disclosing any of that customer's phone record
information to a provider's joint venture partner or
independent contractor for marketing purposes. Further, the
order proposes to extend all CPNI obligations to interconnected
voice over Internet protocol, or VoIP, providers. These
additional privacy safeguards should sharply limit pretexters'
ability to obtain unauthorized access to CPNI.
The Commission also has used its enforcement authority to
help address this problem. The Commission has issued subpoenas
to a number of data brokers seeking information about how
companies obtained phone record information and then sold it.
Additionally, the Commission has investigated
telecommunications carriers' practices to fulfill section 222's
duty to protect customer information through numerous meetings
with the carriers, a review of the carriers' annual section 222
compliance certifications, and through formal letters of
inquiries that have been issued to nearly 20 carriers.
Throughout these investigations, the Commission closely
coordinated with the Federal Trade Commission staff. In
addition, the Commission has offered assistance to State
attorneys general in their efforts to combat pretexting. The
Commission takes very seriously any breach of consumers'
privacy, as well as carriers' statutory duty to protect the
customer information that they collect. The Commission also
remains committed to strengthening its rules as warranted to
help ensure that carriers implement adequate practices to
protect their customers' privacy, as required by the
Communications Act. We, likewise, will continue to coordinate
with the Federal Trade Commission, State and Federal attorneys
general, and other law enforcement authorities about our
findings, and work with them in any way we can to take legal
action against data brokers and pretexters. We look forward to
working collaboratively with the members of this committee and
other Members of Congress to ensure that consumers' personal
phone data remains confidential.
Thank you for the opportunity to testify, and I would be
pleased to respond to your questions.
[The prepared statement of Mr. Navin follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Ms. DeGette. Thank you, Mr. Navin.
Mr. Rotenberg.
STATEMENT OF MARC ROTENBERG, EXECUTIVE DIRECTOR, ELECTRONIC
PRIVACY INFORMATION CENTER
Mr. Rotenberg. Madame Chairman, Ranking Member Barton,
members of the committee, thank you so much for the opportunity
to testify before you on the very serious problem of
pretexting.
As you may know, in the summer of 2005, EPIC undertook an
extensive investigation of the problem of pretexting in the
United States. We found that personal information, call detail
information, was available for sale at more than 40 businesses
on the Internet. We filed a petition with the Federal Trade
Commission in which we asked the FTC to begin an investigation,
and because it was so clearly the case that the information at
issue concerned personal calling records, we petitioned the FCC
to open an investigation and to establish stronger security
standards to safeguard the privacy of the call detail
information of American telephone consumers.
We provided very specific recommendations for the FCC: the
use of passwords, the use of encryptions, and the use of audit
trails that would ensure that when personal information in the
possession of the telephone carriers was disclosed, it was
disclosed for an appropriate purpose and not to a pretexter for
a nefarious purpose.
I recall a year ago at this time having the honor to appear
before this committee with the chairman and to discuss our
petition, and at that time, he expressed support for our
recommendations. He said that he was going forward and issued
the petition in February, more than a year ago, recommending
that stronger security standards be established for telephone
record information.
We filed our comments. The telephone industry filed their
comments. We filed our reply comments, and then nothing
happened. No final rule was ever issued by the FCC, though,
remarkably, as recently as January 2007 the Commission
continued to warn consumers about the ongoing problem of
pretexting of personal telephone record information.
I am here before you today to urge you to ensure that the
FCC act on this petition. And because they have failed to act
on this petition, we think it is absolutely vital for the
legislation that you are considering now, which would establish
these security standards by law, to go forward. The
safeguarding of this personal information is absolutely
crucial, as we have described in our testimony.
Some will raise the question regarding the legislation that
was passed by the Congress during the last session, which
criminalized the act of pretexting, but it did not deal with
the source of the problem, and that concerns the information
that is collected and maintains CPNI data that is used in the
telecommunication sector, and that is the information that is
being made available to pretexters to commit fraud, identity
theft, and other types of crime. That is the information that
we believe needs to be protected.
I thank you, again, for the opportunity to be here, and I
would be pleased to answer your questions.
[The prepared statement of Mr. Rotenberg follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Ms. DeGette. Thank you, Mr. Rotenberg.
Mr. Largent.
STATEMENT OF HON. STEVE LARGENT, PRESIDENT, CHIEF EXECUTIVE
OFFICER, CTIA-THE WIRELESS ASSOCIATION
Mr. Largent. Thank you, Chairwoman and Ranking Member
Barton and members of the committee.
On behalf of CTIA, I am pleased to testify on H.R. 936 and
the steps the wireless industry is taking to ensure the safety
and security of wireless customers and consumers.
At the outset, I want to be clear. CTIA's member companies
take seriously their obligation to protect customers' CPNI. In
that sense, your goal is our goal, too.
In addition to meeting their duties under section 222,
every carrier has a market-based interest in seeing that
customer records are not disclosed without proper permission.
Carriers employ a broad range of security measures to prevent
unauthorized access to these records. In general, the system
works well, as there are literally hundreds of millions of
positive customer service interactions every year.
Nonetheless, well-publicized instances of pretexting and
the legislative and oversight activities that followed in this
committee and elsewhere served as a wake-up call for all of us.
I am pleased to say that the wireless industry did not wait
idly by for someone else to solve the problem. In addition to
offering our assistance to the committee, each of CTIA's
national carriers filed and obtained injunctions to shut down
data thieves. The carriers also teamed with law enforcement to
identify individuals and companies involved in fraudulent
activities to help put these criminals out of business.
CTIA also supported legislation approved by the 109th
Congress to criminalize the act of pretexting. Since the
President signed the bill, the market for pretexting services
has evaporated under the threat of Federal prison time and
sizable financial penalties. The positive effect of this
legislation cannot be overstated.
CTIA's members have not relied exclusively on the legal
process to address pretexting. In the past year, wireless
carriers have adopted a variety of procedures and tools to stop
unauthorized access to CPNI. As is true in every other facet of
the business, flexibility and innovation make a difference in
the effort to defeat pretexters. Some carriers have focused on
process. Others have chosen to use technology to help solve the
problem. This variation between carriers is a positive, as
static practices can become outmoded or avoided by third
parties with ill intent. CTIA and its member companies strongly
support additional enhanced security measures that can help to
better protect consumers.
I detail each of these points in my written testimony, but
let me briefly explain what CTIA supports.
We support giving customers the option of using pass codes
to protect account detail. We support restricting disclosure of
customers' Social Security numbers, tax ID, entire credit card
number, or billing name and address in response to inbound
customer calls. We support policies that preclude the release
of call detail records via fax or e-mail, and we support
confirmation of the FTC's jurisdiction in this area.
While CTIA supports reasonable measures to enhance the
security of CPNI, any legislation the committee proposes should
be narrowly targeted and responsive only to actual problems.
Carriers must continue to have the flexibility to innovate and
compete.
With this in mind, I have several specific observations to
offer.
First, CTIA members are concerned about any provisions in
H.R. 936 that would require carriers to obtain specific
customer consent before they can share CPNI with affiliates and
joint venture partners that provide marketing and other
services to carriers that are otherwise permissible under the
law. In instances where CTIA member companies share CPNI with
third parties to aid in marketing, billing, and customer
service efforts, they impose strict contractual obligations to
protect customer information. There are also existing FCC
requirements that cover such arrangements. Limiting the ability
of carriers to share CPNI with third parties is burdensome and
has no connection with the goal of preventing fraudulent access
to phone records. We believe that an approach focused on
enhanced security rather than introducing additional customer
consent mechanisms is the best way to protect CPNI from
unauthorized use.
Second, if Congress opts to act in this area, it should do
so in the way that promotes uniformity and efficiency. We are
seeing increased attention being paid to these issues at the
State level, where, at last count, 34 different pieces of
legislation related to call records have been introduced this
year. Even when these bills are similar, they often contain
variances that can make them difficult and costly to implement.
What is needed is a uniform, national policy that properly
balances consumer protection and carrier flexibility.
Let me conclude by underscoring the wireless industry's
commitment to protecting CPNI. I can assure you that we will
continue to enhance and improve our safeguards for sensitive
customer information. It is already the law, it is common
sense, and it is good business.
Thank you.
[The prepared statement of Mr. Largent follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Ms. DeGette. Thank you, Mr. Largent.
Mr. McCormick.
STATEMENT OF WALTER MCCORMICK, PRESIDENT AND CHIEF EXECUTIVE
OFFICER, UNITED STATES TELECOM ASSOCIATION
Mr. McCormick. Madame Chair, Mr. Barton, members of the
committee, on behalf of the member companies of the United
States Telecom Association, I want to thank you for this
opportunity to testify on the important issue of safeguarding
consumers' phone records from fraudulent use by pretexters.
This committee has a long history of working to protect
consumers. Our industry shares your concern for protecting
customer information. Protecting privacy is a critical
component of our customer care.
In today's highly-competitive marketplace, no industry
should take the privacy of its customers lightly. As our member
companies begin offering a variety of new, advanced broadband
services, we see our reputation for delivering quality service
and protecting the privacy of our customers as a competitive
advantage.
There is a strong business incentive to protect customer
privacy. There is an existing legal obligation as well. Section
222 of the Communications Act provides that telecommunications
carriers have a duty to protect the confidentiality of customer
proprietary network information.
This legal obligation is taken very seriously by our member
companies. We educate and train our customer service employees.
We observe strict security protocols, and we tightly define our
agreements with marketing firms.
We believe the best way to address the problem of
fraudulent access to phone records is through the enforcement
of existing laws and the strengthening of penalties on bad
actors. In this regard, we applaud title I of this legislation,
which would explicitly ban the practice of pretexting and give
the Federal Trade Commission authority to enforce this
prohibition. This provision complements and strengthens the
action taken by Congress last year in establishing criminal
penalties for pretexting.
We are concerned, however, that the broad approach taken in
title II of the bill will have a number of negative
consequences, consequences that appear to be unintended ones,
ones that would impact legitimate marketing practices that are,
in many ways, pro-consumer. Consumers benefit when their
communications carriers offer them new discount packages and
innovative services. The information we typically rely upon in
pursuing marketing opportunities focuses on purchasing patterns
and the types of services that a customer is receiving,
information that is of little or no use to pretexters, the kind
of pretexters that this bill seeks to target.
For example, if a customer has caller ID in order to avoid
unwanted calls at dinnertime, CPNI enables our marketers to
identify a customer that might have an interest in receiving a
bundle discount that could include call management or call-
blocking features. If a customer has subscribed for both voice
service and high-speed Internet access, this is a customer that
might have an interest in learning about savings that could be
obtained by broadening this bundle to include video.
The provisions proposed in title II could significantly
impede this pro-consumer outreach, all without addressing any
identifiable problem of fraudulent access to phone records. We
are aware of no evidence to suggest that marketing of services,
either directly or through joint venture partners, has resulted
in any abuse of customer proprietary information. Indeed, FCC
regulations require that confidentiality agreements be in place
before CPNI is shared with joint venture partners or
contractors. Businesses succeed by being responsive to their
customers.
As currently drafted, however, title II would severely
impede the ability of our industry to bring to the attention of
its customers the opportunity to take advantage of improved
services or increased savings. We have been informed that this
is not the committee's intent, that instead the committee
intended to only impose new restrictions on the sharing and
disclosure of detailed customer telephone records. There is
currently an FCC proceeding underway that is considering the
same thing.
if it is, in fact, the committee's intention to only
address this limited, call-detailed information, information
related to matters such as individual locations, duration,
time, and date of specific customer communications, then we
would suggest that the bill language be clarified so that our
industry can continue offering to its customers new services
and bundled savings, as it does under current rules, while
affording new protection to detailed customer telephone
records.
Our industry also has significant concerns with section
203, which would prescribe burdensome audit trail requirements.
The last time the FCC looked at this issue, the cost of
complying was enormous. It could range anywhere from $12 to $64
per line, which would clearly be a hardship for many consumers.
Madame Chair, again, thank you for the opportunity to
testify today, and we look forward to working constructively
with you to prevent pretexting and identity theft.
[The prepared statement of Mr. McCormick follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Ms. DeGette. Thank you, Mr. McCormick.
Mr. Einhorn.
STATEMENT OF DAVID EINHORN, PRESIDENT, GREENLIGHT CAPITAL, INC.
Mr. Einhorn. Good morning, Madame Chairman and members of
the committee, and thank you for holding this hearing. And I
appreciate your sympathy.
Although I did not ask to participate in this hearing, I
appreciate the invitation to describe my experience as a victim
of pretexting.
My testimony is about a corporation and management team
that, in attempting to ensure their survival, placed no limits
on the exercise of their power.
Pretexting is a brazen invasion of privacy when a large
corporation has its agents spy on private citizens in order to
intimidate then and silence criticism that threatens more than
just the sanctity of the individual's privacy. It threatens the
freedom of the securities markets for which we take for
granted.
I am the president of Greenlight Capital, a long-term,
value-oriented investment company. One of our long-term
investments is Allied Capital. Our research showed Allied
suffered from significant accounting and operational
deficiencies, and Greenlight took a short investment position
based upon that belief.
Our research indicated that, among other things, Allied
misled the public about the value of its investments, valuing
them at original cost, even after the investments go bankrupt.
We later found that small business lending unit defrauded the
SBA and the USDA Government lending programs, costing taxpayers
hundreds of millions of dollars.
In 2002, I voiced my concerns about Allied at an investment
research conference, which was part of a charity fundraiser for
a pediatric cancer hospital. I told the audience why I had sold
Allied short and pledged to give half of my personal profits on
this investment to the children's hospital sponsoring the
event.
In response to my speech, instead of examining and cleaning
up these problems, Allied attacked me. The company conducted a
campaign to discredit me, attacking my reputation and my
motivations. But ultimately, regulators and prosecutors have
begun to see through Allied's tactics. The FCC began an
investigation in 2004, and later that same year, the U.S.
Attorney from the District of Columbia began a criminal
investigation.
Some time that year, Herb Greenberg, a respected financial
journalist for Dow Jones, who had written critically about
Allied, told me that his phone records had been stolen. I
subsequently learned a woman, unknown to me, had called my long
distance provider, identified herself as my wife, provided her
Social Security number, and opened an online account to obtain
our home telephone records.
Somebody also stole the phone records of other known
critics of Allied, including hedge fund managers, a journalist,
a research analyst, an individual investor, and a former media
relations advisor to Greenlight.
In March 2005, I wrote a private letter to Allied's Board
of Directors, asking the Board to fully investigate what had
happened. A week later, I received a brush-off response. Last
fall, after the Hewlett-Packard's chairman admitted to
pretexting and later resigned, I again asked Allied's Board to
investigate. Allied responded, saying they had found no
evidence to support my claim.
Then Allied's management went on the offensive, yet again.
On the company's November 8, 2006 quarterly earnings conference
call, chief executive officer William Walton spent several
minutes attacking my motivations and stating that my concerns
about my stolen phone records were ``yet just another example
of Mr. Einhorn's tactics''. And he issued his own denial that
anyone at Allied had accessed my records, saying, ``There is
simply no evidence to support a claim that Allied tried to
access Einhorn's phone records. We never received his
records.''
In December 2006, Allied was served with a grand jury
subpoena, and then their story changed. In a press release
dated February 6, 2007, Allied admitted that its agent had
stolen not only my home phone records but also Greenlight's
records. The press release, itself, was a model of evasion,
however, and not at all consistent with the disclosure expected
of a public company. It left unanswered a number of questions:
who had obtained the records, who else's records did they
steal, who had authorized the theft, and for what purpose, what
did they do with this information, and what else did these
agents do to gather information about their critics?
After the Hewlett-Packard pretexting scandal, HP
immediately apologized to the victims and promised to give the
victims a full account. But I have not heard from Allied.
Nobody has contacted me to apologize or explain who invaded my
privacy or for what purpose.
In conclusion, Allied's behavior strikes at the ethical
heart of the securities markets, which are based on the free
and fair flow of ideas, critical and otherwise. It is a cold
reality that companies left to their own devices will rarely
divulge the full truth about their problems. It is left to
others, regulators, analysts, the media, and investors like
myself to hold companies accountable. The free exchange of
ideas in our market system depends on the very people who were
pretexted in this case. There are many valuable voices in the
marketplace who will choose not to criticize companies for fear
of being retaliated against. Nobody wants their privacy
invaded.
As the committee has noted this very legislation, action,
such as pretexting, can lead to harassment and intimidation. It
can also lead to less information in the marketplace. A line
must be drawn. I support this legislation.
Thank you, Madame Chairman, and I am available to answer
any questions you might have.
[The prepared statement of Mr. Einhorn follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Ms. DeGette. Thank you very much, Mr. Einhorn.
The Chair recognizes herself for 5 minutes.
I am wondering, Ms. Parnes, if you can tell us what the
position of the Department of Justice is on this legislation,
because I know your agency works closely with the DOJ.
Ms. Parnes. We do work very closely with the Department of
Justice, but unfortunately, I don't have their position on this
legislation, on this bill.
Ms. DeGette. And are you aware of any objection by any law
enforcement agency to this legislation?
Ms. Parnes. I am not, but honestly, we have not, at the
FTC, done a kind of review of other Federal agencies and
whether they have any concerns on this. We have worked with the
committee's staff on technical issues, and as you know, we
generally support this.
Ms. DeGette. Yes. And there is an exemption in the bill for
law enforcement, I believe.
Ms. Parnes. Yes, there is.
Ms. DeGette. Ms. Parnes, I am wondering. Can you give me an
update? And I am going to ask you, Mr. Rotenberg, also this
question. What is the status of pretexting in America today?
Have we seen the problem worsening since last year or
improving?
Ms. Parnes. It is hard to know exactly what is going on in
the industry generally. I can tell you what some of our
experiences have been in investigations.
The targets that we have sued, we identified them, as I
indicated, by going online and then by making some undercover
purchases of phone records. And I should note, we bought the
records of FTC employees.
Ms. DeGette. With their consent?
Ms. Parnes. Yes, absolutely with their consent. But we have
done that. We have attempted some undercover buys more
recently, and we have been told, ``Oh, we don't do that
anymore.'' Or, ``We simply can't get that for you.'' So we have
some sense that certainly the criminal law that was passed may
be having a real impact here.
Ms. DeGette. Right.
Mr. Rotenberg.
Mr. Rotenberg. Our understanding, Madame Chairman, is that
the type of very brazen pretexting where the services were
provided over the Internet in a 24-hour turnaround, for
example, was guaranteed, there is much less of that today than
there was in the past, in part because of the FTC
investigation. The private investigators continue to use
pretexting, as do others, as a way to obtain personal
information about others.
Ms. DeGette. And have you seen any change in the type of
information these private investigators are seeking?
Mr. Rotenberg. That would be a difficult question to
answer, but I will say, because people sometimes don't
understand exactly what the significance of the call detail
information is, those monthly billing statements that consumers
receive from the wireless phone companies in particular, that
listing is the type of information that is still very easy to
get from the telephone companies by going, for example, to an
online Web site that is set up to provide that type of
information. So we are still seeing the availability of the
monthly call detail information being made available.
Ms. DeGette. Mr. Einhorn, you would have never known
anything about the pretexting of your family and business
records unless a market watch journalist told you what Allied
Capital was doing, is that correct?
Mr. Einhorn. That is correct. I would not have had any way
to know.
Ms. DeGette. And this is, by the way, what we also found
last year in our investigation that people found out
inadvertently that they had been pretexted. Do you know how
many other people had their phone records pretexted by an agent
of Allied Capital besides you and the journalist?
Mr. Einhorn. I believe, at least that we have been able to
identify, at least six individuals.
Ms. DeGette. And can you identify, for the record, who the
phone carrier who surrendered your records to the imposter
pretending to be your wife?
Mr. Einhorn. It was AT&T.
Ms. DeGette. Have you talked to AT&T?
Mr. Einhorn. My wife talked to AT&T.
Ms. DeGette. And what was their response?
Mr. Einhorn. They were able to identify when the pretexting
had occurred, how it was done, that her Social Security number
had been provided, what date that happened at, where the
records were sent in terms of an Internet e-mail account where
they were e-mailed to, and when the account was most recently
accessed. Beyond that, they had no other information for us.
Ms. DeGette. Do you agree with the bill's provisions that
enhance the FTC's enforcement tools against pretexting,
soliciting pretexting, or selling stolen phone records?
Mr. Einhorn. Absolutely. I think that there is really no
place for this, and I would support all of the efforts that are
being contemplated to cut down and eliminate this practice.
Ms. DeGette. Thank you very much.
The Chair now recognizes the distinguished ranking member,
Mr. Barton, for 5 minutes.
Mr. Barton. Thank you, Madame Chairman.
Mr. Rotenberg, is there any reason an individual would tend
to want his or her phone records shared without them knowing
about it?
Mr. Rotenberg. Well, generally speaking, I don't think so,
sir. A person who wants to disclose personal information to
someone else would typically do that affirmatively. To get a
bank loan, for example, you provide a lot of information to the
bank so that they can make a determination, but that is a
process you would initiate.
Mr. Barton. But just as a matter of course, most normal
human beings would rather they know if somebody wants that
information so that they can make a decision whether to give it
to them or not, would you agree?
Mr. Rotenberg. Yes, I think that is correct.
Mr. Barton. Now, I think we have general support for this
bill, but Mr. Largent and Mr. McCormick, their trade groups
seem to not like section 202, which changes current law from
saying the phone company can share that information without
letting the individual know, unless the individual tells them
ahead of time not to share it. That is the current law. section
202 changes it that Mr. Largent's company's trade groups and
Mr. McCormick's would have to go to the individual and say,
``May we share your information?'' That seems to be the most
controversial element in this new bill. It would seem, if we
are trying to protect privacy, that changing this from opt-out
to opt-in makes a lot of sense. Do you agree with this section
202?
Mr. Rotenberg. Yes, I do, Mr. Barton, and if I may also
say, while we are critical of the FCC's delay on our petition,
we were nonetheless heartened, you may recall that Chairman
Martin, when he spoke to this issue at the hearing last year,
said that he thought the opt-in was important for consumer
privacy. And I think there would be, certainly among consumers,
recognition right away that the right way to do this is opt-in,
based on permission.
Mr. Barton. Now I want to give Mr. Largent and Mr.
McCormick, who are both good friends of mine, an opportunity to
expand if I understood incorrectly in their prepared testimony
why they have a problem with section 202.
Mr. McCormick. Thank you, Mr. Barton. I think that our
concerns are fairly narrow and focused.
Let me give you an example.
We, today, look at purchasing patterns. For example, if a
customer is taking telephone service and Internet access, as we
move into new broadband applications, like video, we would like
to be able to go to that customer and offer to that customer a
promotional offering where we would add in video as part of a
bundled package. In that regard, we would be competing against
the cable industry, who is going to its video customers and
saying, ``We will add on voice service. Since you are already a
cable customer, we will offer you a promotional offering to add
on voice service.'' In that regard, no call-detail information
is shared with anyone. There is nothing other than the
knowledge of what kind of package that customer currently has
and whether or not that customer would benefit from a broader
package. And we believe that it would lead to a competitive
imbalance if we were unable to approach our customers in that
way.
Mr. Barton. I don't understand. I have got a little bit of
a cold, so maybe I am just not clued in, but there is nothing
in the bill, if it becomes law, that prevents anybody from
soliciting for new services to people that they have the
addresses of, whether it is a hard-line address, a regular mail
address, or a phone number, or an e-mail. All this says is if
you want to share that individual's information, you have got
to get their permission before you share it. I don't see how
this bill would prevent what you just said you wanted to do.
Mr. McCormick. Mr. Barton, if that is the intent, I think
that it would be easy to come up with clarifying language that
would clarify that we are permitted to engage in that kind of
broader market.
Mr. Barton. OK. Steve?
Mr. Largent. Yes, Mr. Barton. I just would say that there
is some ambiguity about what the language actually does and
what it does not do. And the fact is that many of our companies
utilize third parties to offer services just because it is less
expensive. We can offer that type of discount to our customers.
So if the legislation would get in the way of our use of third
parties to offer services from our company, not anybody else's
company but from our company's perspective, then that would be
a problem, but if you are saying it is not going to get in the
way of that, then perhaps we could work with you on the bill's
language.
Mr. Barton. My staff says there is some ambiguity, so maybe
we can work on this.
My time is expired. Thank you.
Ms. DeGette. The Chair now recognizes the distinguished
chairman of the Telecommunications Subcommittee, Mr. Markey,
for 5 minutes.
Mr. Markey. OK. first let me say that the five FCC
Commissioners will be appearing before the Telecommunications
and Internet Subcommittee on Wednesday of next week, so we
certainly hope that the CPNI order will be completed by then
and that it will have been done well by them, because that will
be a central part of that hearing on Wednesday.
Mr. Einhorn, is it important that victims be notified
immediately that their carrier has learned that the privacy of
the phone calls of an individual have been compromised?
Mr. Einhorn. I would support the notion of the immediate
notification of anybody whose information was compromised in
that fashion, yes.
Mr. Markey.Mr. Navin, do you think that is a good idea that
immediate notice be given to people like Mr. Einhorn that their
information has been compromised and that that becomes the rule
for the telephone carriers?
Mr. Navin. I do agree that it is important that consumers
get prompt notification.
Mr. Markey. I am saying immediate.
Mr. Navin. As I understand it, States that have addressed
this issue typically have an exception for notification of law
enforcement, and it calls for prompt notification, but there is
some provision, specifically for law enforcement.
Mr. Markey. But what should be the deadline for calling law
enforcement?
Mr. Navin. What should be the precise deadline?
Mr. Markey. See, what I want you to say is we call law
enforcement and the customer immediately and let them know that
they have been compromised and that law enforcement might be
calling. But why should there be a delay?
Mr. Navin. In the record in front of the Commission right
now, the Deputy Attorney General sent a letter to the
Commissioners, indicating the Department of Justice's
preference for law enforcement to be notified first, before
the----
Mr. Markey. I have no problem with that, but what I am
saying is Mr. Einhorn should get the next call, don't you
think?
Mr. Navin. After law enforcement, yes, I think consumers
should be notified.
Mr. Markey. Yes. How long do you think a gap should be?
Seven days, 1 day, or 1 hour?
Mr. Navin. I believe the Department of Justice has
advocated for allowing them 7 days.
Mr. Markey. I don't think the Department of Justice should
be listened to on that issue, and I think Mr. Einhorn should be
listened to and the millions of Americans whose information is
compromised. I think that the FCC should listen to the
consumer, listen to this committee. The CPNI laws are ours. We
created them. We want the customer protected. Justice should
not be given 7 days to wait to notify people who have an
ongoing crime being committed against them. They should be
notified immediately, as anyone whose house was burgled that it
occurred. And if you don't want to do that, then I think we are
going to have a real problem next Wednesday.
Mr. Largent, Mr. McCormick, a general question. Do you
agree that customers have an ownership interest in their own
personal information? Mr. McCormick?
Mr. McCormick. I would say they have a strong privacy
interest.
Mr. Markey. Do they have an ownership interest?
Mr. McCormick. Yes.
Mr. McCormick. I would agree that customers have a strong
privacy----
Mr. Markey. No, do they have an ownership interest in their
own personal information? It is called the customer proprietary
network information law. Do they own that information?
Mr. McCormick. We have always regarded that information as
the customers' information, that is correct.
Mr. Markey. OK. Mr. Largent, do you agree that it is the
ownership interest of the consumer, his or her own information?
Mr. Largent. I think Mr. Markey asked me that question last
year at this hearing, and I said the same thing: yes, it is.
Mr. Markey. OK. Thank you. I appreciate it.
Mr. McCormick, what percentage of your member companies
outsource customer support or billing or marketing functions to
foreign countries?
Mr. McCormick. I do not know, Mr. Markey, but I would be
happy to provide that information for the record.
Mr. Markey. I would appreciate that.
Mr. Largent, do you know what percentage of your companies
outsource this information to other countries?
Mr. Largent. No, I am not aware of what the exactly number
would be, but we would be glad to get back to you on that.
Mr. Markey. Obviously, that is a good question. We will
shut down a lot of regional FCC offices, but we don't have any
FCC offices in India or Pakistan, so what happens with the
information of the people in this room and watching this
hearing is a good question when it is put overseas, so we would
like to know what happens to that.
Mr. Navin, does the FCC intend to impose a minimum system
security requirement on the transfer of customer information?
Mr. Navin. The proposed rule that the chairman has put
before the Commission are prescriptive relating to access to
the CPNI records, which deals directly with the pretexting
issue. For example, they require a mandatory password to get
access to call detail records. Relating to the security or
safeguards, the proposed rules ban the sharing of the CPNI with
a joint venture partner or independent contractor without the
express consent of the consumer.
On the issue of transferring the security among affiliated
companies, the record is sparse on that issue. And right now, I
am not sure if the Commission will determine to address that
issue in this order or not.
Mr. Markey. OK. I would like to get back to you, and thank
you, Madame Chairman.
Ms. DeGette. Thank you, Mr. Markey.
The Chair now recognizes the distinguished gentle lady from
Wyoming, Mrs. Cubin, for 5 minutes.
Mrs. Cubin. Thank you, Madame Chairman.
I would like to ask Mr. Navin and Ms. Parnes, under the
scope of your Commissions' investigations into this issue, I
wonder if you could tell the committee if any specifically-
rural companies have been investigated, or does this seem to be
a problem that is most prevalent in large companies with large
lists of personal data?
Ms. Parnes. I am told that one of the cases that we brought
actually is located in Wyoming.
Ms. Cubin. Could you comment, just for a moment, on the
state of rural carriers' privacy protection measures, if you
are able to right now? I know you have a full plate.
Ms. Parnes. I would actually have to defer to my colleague
at the FCC about security practices by carriers.
Ms. Cubin. Mr. Navin, can you offer the committee an
update, if it is available, on how much you believe sections
202 and 203 of the bill will cost small and rural carriers?
Mr. Navin. Unfortunately, we do not have an estimate on
what it will cost carriers.
In answer to your first question, I know that the agency
has issued 20 letters of inquiry to various carriers. I imagine
some of those carriers are smaller carriers, given the number
of large carriers, both on the wireless and wireline side. I
don't know specifically what size of rural carrier the
Commission has made those inquiries of. I know that the
Commission is always sensitive as it relates to implementation
of its rules in rural areas and tends to give special
consideration. In the rulemaking that is pending before the
Commission, the rural carriers have pointed out that they have
more limited resources, and my sense is that the Commissioners
will be sensitive to that.
Ms. Cubin. That is my main concern, that possibly they be
included before any final rules are initiated, because it is a
whole different country out there.
So I have no more questions, Madame Chairman.
Ms. DeGette. The gentle lady yields back.
The Chair now recognizes the distinguished gentleman from
Illinois, Mr. Rush, for 5 minutes.
Mr. Rush. Thank you, Madame Chairman.
Ms. Parnes, I have three questions, and I am going to ask
all three so that you can answer these questions, as you will.
First of all, it is good to see you again.
And the first question is, do I understand correctly that
the FTC supports the thrust of this legislation, that you
support this legislation?
The second question, in September, the FTC testified before
the O&I Subcommittee that you needed more specific prohibitions
against pretexting for consumer phone records and soliciting or
selling consumer phone records obtained through actual or
reasonably-known pretexting activities. Does this legislation
adequately address that request? And if it doesn't, then what
specific changes do you recommend.
And lastly, my question is you also recommended in that
testimony that Congress give the FTC authority to seek civil
penalties against violators, a remedy that the FTC does not
currently have in cases involving matters such as pretexting.
And for the record, I just want to know why the civil fine
authority over at FTC does not apply in this situation and then
whether or not our proposed legislation adequately addresses
this need that you have voiced.
Those are the three questions. Would you respond to them,
please?
Ms. Parnes. Absolutely. And thank you.
The FTC does support this legislation. And in terms of the
specific prohibitions and the earlier testimony of the
Commission, the legislation does address those issues.
What the Commission's concern has been is that, as I
indicated, we have used our section 5 authority to go after
both actual pretexters and those who solicit pretexting, the
middlemen, so to speak. But we will want to make sure that any
legislation that was adopted addressed both parts of this
transaction, both the pretexters who call up the phone
companies, engaging misrepresentations and get phone records
and the middlemen, the data brokers who make claims and promise
that they can get this information. The data brokers and the
pretexters may sometimes be the same entity, but sometimes they
may be separate entities, and we were just concerned, but this
bill does address both sides of that. And we think that is a
very good thing.
In connection with the Commission's civil penalty
authority, the Commission has civil penalty authority in two
circumstances. One is if conduct violates an order that the
Commission has already obtained against a company. And the
second is if conduct violates a role that the Commission has
issued. We are able to get civil penalties only when we have
engaged in rulemaking authority. And while we do have general
rulemaking authority under the Federal Trade Commission Act, as
you know, the FTC Act is very broad. It gives us authority over
unfair or deceptive acts or practices in or affecting commerce.
And in exchange for the ability to get civil penalties once we
had adopted a rule, Congress set very specific procedures that
the Commission has to go through in rulemaking. And they are
very comprehensive. It takes a fairly long time for us to
engage in. And so actually, what has happened since the 1990's
is that Congress, when they have wanted the FTC to obtain civil
penalties and to engage in rulemaking, they have used a model
very similar to the model used here. They have either said that
the law shall be enforced by the FTC as if it is a rule or they
have given the Commission very specific authority to engage in
rulemaking a particular area. Congress did that with the
Telemarketing Act, with the Can Spam Act, and it has actually
been a very successful approach.
Ms. DeGette. The gentleman's time has expired.
Mr. Rush. Thank you, Madame Chairman.
Ms. DeGette. Thank you.
The Chair now recognizes the gentleman from Mississippi,
Mr. Pickering, for 6 minutes.
Mr. Pickering. Thank you, Madame Chairman.
Earlier, Mr. Largent and Mr. McCormick, you all mentioned
the issue of whether you would be able to joint market a bundle
of services. Is there language that you would have that could
clarify that issue so that those types of services, which I
think the Committee would want to see continued with the other
protections as it relates to information, regardless of
legitimate use of information, and is that something that you
could supply the committee with?
Mr. Largent. Yes, it is. We can get you that kind of
information, and that is our concern with the legislation.
Mr. Pickering. You often raise in your testimony, Mr.
Largent, that as we go across the country, there is a patchwork
of different initiatives on different things. Recently, the
Commission has indicated a possible proposal that would move
all wireless services into title I, which would give a Federal
framework. And if that happens, would you support consumer
protections like this as part of a Federal framework?
Mr. Largent. Well, what we are talking about specifically
that Chairman Martin has mentioned this year is just moving the
broadband portion of the wireless industry into title I from
title II that would put us on the same ground with DSL and
cable offerings and broadband over power line. They are already
in title I. Our services that are being rolled out over
wireless are not in title I, so we are kind of competing on
unleveled ground, and we are just trying to get to that level
ground.
Does that answer your question?
Mr. Pickering. And broadband services under title I, if
that were to occur, you would support a national consumer
protection standard on these types of issues?
Mr. Largent. Absolutely. Yes.
Mr. Pickering. I thank you, Mr. Largent.
Mr. Largent. Mr. Navin, let me follow-up on a question that
Mr. Markey asked.
If there are third parties that are being used to joint
market and they are based overseas, whether it is Pakistan or
India, are the U.S. laws still applicable and enforceable in
those situations?
Mr. Navin. That is an issue that the Commission is
considering as part of a reconsideration of the order that it
had put out in 2002. I believe that the Department of Justice
in its reply comments raised that exact issue. The Commission
hasn't yet resolved it. I think it gets into issues of treaty
law and international law and not to be the primary subject
certainly of my bureau, but I know that the Commission is
studying that issue. And I can also tell you that it is not an
issue that we address in the order that Chairman Martin has
proposed for the Commission.
Mr. Pickering. Ms. Parnes, do you have any comment on that
issue of whether you would be able to enforce the law that we
pass here if a third party is based in a country like India or
Pakistan?
Ms. Parnes. The Commission does not have any jurisdiction
over common carriers, but if we are talking about other
entities, I think that if a business was located in the United
States and they moved data outside of the country, we would
take the position that the entity in the United States is
responsible for their own data. In terms of looking at data
brokers, as I mentioned, smaller businesses that may be located
here or entities that may be outside of the United States, we
would use the new authority that Congress gave us in the 109th
session, the U.S. Safe Web Act, to go after those individuals.
Mr. Pickering. All right. Thank you very much.
Madame Chairman, I yield back the rest of my time.
Ms. DeGette. The gentleman yields back.
The Chair now recognizes the distinguished gentleman from
Texas, Mr. Green, for 5 minutes.
Mr. Green. Thank you, Madame Chairman.
Mr. Largent and Mr. McCormick, are any of your companies
now selling the information to third parties that you have on
your customers?
Mr. Largent. No.
Mr. Green. OK.
Mr. McCormick. No.
Mr. Green. OK. That is one of the concerns. I think years
ago when we had jurisdiction, and I mentioned it to you before
the committee hearing over what became Oxley-Bliley. In fact,
Steve, you might have been on the committee when we had that
battle over the privacy issue. And I was told, at that time, by
some of our financial institutions that it was such a profit
center for them to market that information that they would have
killed the bill, which is something they had been working on
for 10 years before that. And so that takes care of part of the
concern. And I guess I have the same concern that both the
chairman on our Telecom Committee and Mr. Pickering mentioned
is enforcement of these privacy restrictions outside the United
States. And I am glad the FTC said that you would hold
responsible the person or the entity here, although you don't
have jurisdiction over common carriers. But again, I guess we
can provide that jurisdiction that would go with that
contracting to somewhere else, because I know now it is a laugh
line on late night television that whether it is your computer
you bought or your Internet service provider, you very well may
be talking to someone in Pakistan or India or no telling where,
and they probably have as much private information on your use
as the telephone companies or wireless companies would have.
I know numerous industries share information for marketing
purposes, and that is part of our concern is Mr. Markey said
that the consumers think it is their information, and they
ought to be able to give permission to share it. This
legislation, I know, puts restrictions on telephone companies
as compared to cable because of where we are at today in our
technology. And I know you have been asked for information on
how we can address that issue, because obviously our committee
wants that competition between cable and hard-line, both for
video and over the air and computer, high-speed, and also
telephone service. Is there a standard that could be set across
the multiple industries? What information could be shared? Is
there a standard anyone? And again, not just for the two
representatives in wireless and the hard-line, but anybody on
the panel, is there a standard that could be dealt with where
I, as the consumer, could say, ``Yes, I am your customer. You
can contact me, but I don't want you to share it with anyone
else.''
Mr. McCormick. Well, Congressman, I think that that kind of
a standard would be a very, very broad standard. I mean, in
effect, it would be a do-not-call standard, because virtually
every business in the United States contacts its customers to
talk to its customers about ability to take advantage of new
offerings or discounts that it might have available. And so the
real focus of the bill that we heard in the opening statements
is really to protect that information that is call-detailed
information.
Mr. Green. OK. I am not talking about AT&T contacting me,
but for AT&T providing my information to someone else or having
access to it. so I don't have any trouble with, if I have a
contract with a cell phone company, we get contacts all of the
time for other every 6 months to come in and renew your
contract. I don't mind that, because I am a customer, but for
my information to be shared, and I think that is the concern of
the committee and ultimately why we have this legislation.
Mr. Largent. I would just say, Mr. Green, that I think
where you are going is right, that we don't have any problem
saying, you know, that you can't sell customer information to
the automobile industry or an automobile dealer, because that
is not the way we are using the information anyway. We are
using it to market more services from our carriers, and that is
it. And that is what we worry that the legislation may go a
step too far in impeding our ability to market our services to
our customers. And that is what we want to try to protect is
the ability to market our services to our customers only. We
are not talking about we want the ability to market balloons or
baseballs or cars.
Mr. Green. OK.
Mr. Einhorn, I know your situation is not that, but as the
consumer sitting at the table along with, what is your feeling?
And well, I have run out of time, but Madame Chairman, if he
could just be allowed to answer.
Ms. DeGette. Yes, without objection, the gentleman will be
allowed to answer.
Mr. Einhorn. I am not actually clear what the question I am
being asked is.
Mr. Green. The question was your situation was different. I
know you are here on, really, part one of the bill, and I don't
think there is any question at all about support for that, but
to also try to expand it to where consumers shouldn't have
their information shared with someone else, do you think there
is a standard that you, as a consumer, would feel comfortable
with that they could share your information across industries,
which----
Mr. Einhorn. I think my general view is that, who I am
calling for how long at what time and what those people's phone
numbers are, is information that really doesn't belong to
anybody and really shouldn't be used for any purpose, in my
mind, other than sending me a bill to tell me how much to pay
the phone company.
Mr. Green. Well, I think we agree on that that who I call
and whatever ought to be my own information, and I need to
share that.
Ms. DeGette. Thank you, Mr. Einhorn.
The Chair now recognizes the distinguished gentleman from
California, Mr. Radanovich, for 5 minutes.
Mr. Radanovich. Thank you, Madame Chairman.
I do have one question regarding the opt-in/opt-out impact
of this kind of legislation, and if something like that were
required in this bill, would it set this industry apart from
other industries. In, for example, health medical records, it
is an opt-out thing. Does anybody have any comment on that?
Mr. Largent. Well, Congressman Radanovich, I would just say
that previous attempts to require opt-in consent have been held
to be unconstitutional. And but to be fair, those instances did
not involve cases where Congress had spoken on this issue, so
we are talking about two different cases where Congress's,
obviously, intent to speak on this issue, it may not be
unconstitutional or found unconstitutional, but it could be,
and I think that is an open question.
Mr. Radanovich. Well, and if it did become part of the
language of the bill and come into law, it would be different
than other industries, it does sound like, though, right?
Mr. Largent. Yes.
Mr. Rotenberg. Congressman, could I respond?
Mr. Radanovich. Sure.
Mr. Rotenberg. Two points. Just to clarify what Mr. Largent
said, the U.S. West case from 1999 concerning an earlier opt-in
rule was narrowly struck down, as Mr. Largent described,
because it was based on the regulation and not statute, and so
of course, if you have a statute, I think that problem goes
away. And in subsequent cases, I should point out, other
Federal appellate courts have upheld similar rules.
Now as to your original question, is there a reason for
having opt-in here where there might not be opt-in in other
privacy statutes, I think the answer to that question is the
sensitivity of this information, that this is the real-time
data associated with who you are calling, when, and for how
long, and that is information that is specifically protected in
section 222 of the Communications Act. That actually has a
long, long history of privacy protection, and I think that is
the reason you would want opt-in.
Mr. Radanovich. All right. Thank you.
If no other response, then I yield back.
Ms. DeGette. The gentleman yields back.
The Chair recognizes the distinguished gentleman from
Texas, Mr. Gonzalez, for 8 minutes.
Mr. Gonzalez. Thank you very much, Madame Chairman.
And quickly, just a kind of general observation so you know
basically where I am coming from, and then I will get into
specific questions.
But the way I view what we do here, and I know that we are
visiting the same territory, is what Mr. Markey established
from the beginning. No witness here and no witness in previous
hearings, and those were representatives and CEOs from the
telecommunications industries themselves, that acknowledged
that the property belongs to the customers. So let us start off
with that basic premise. The information belongs to the citizen
and to the customer.
As to disparate treatment of that information and the
requirements, the Government may impose as to safeguards and
security measures, that, I believe, is basically, established
by what I think is the hierarchy of information depending on
the type of information.
First and foremost, I think, it is always going to be
medical records. And how we arrive at that is just, basically,
human nature.
Second, I think you are going to run into telephone
records.
And then third, financial records.
And the fact that we may treat the type of information, how
we safeguard it and disseminate it differently is because there
is that hierarchy. And I think we have to acknowledge that.
Now does it place any particular business that operates in
those different areas at a disadvantage from those other
businesses? The answer is going to be yes, because there are
higher standards for healthcare providers and so on.
What I am getting at, and I am going to address Mr. Largent
and Mr. McCormick's concern that it would place certain members
of a specific industry at a disadvantage. That I think we can
address within this hierarchy: telephone records,
telecommunications, everything that is going out there in the
telecom industry. And surely, we don't want to do something
that does place you at a disadvantage regarding the marketing
of your services and such and to expand and to be successful.
So I am familiar with that.
Now the reason that the legislation we address to all of
you is because you are the gatekeepers, and that is the most
obvious starting point, and we are going to deal with the
criminals and the scammers and everybody else. And we can do
that criminally. But I think it still goes back to what Mr.
Rotenberg pointed out is that if we really start with the
safeguarding measures, we probably could avoid quite a bit,
which leads me to the first question of the entire panel, not
Mr. Einhorn, I am sorry, because you are actually the citizen
victim, but I will reserve a question for you, and this
involves you.
A yes or no answer, because I think you can answer this yes
or no. To the extent that you understand this piece of
legislation that we are attempting to pass, had it been in
place at the time of the Einhorn family, what borders on a
tragedy, actually, but their experience, would it have
prevented that experience by the Einhorn family? Ms. Parnes,
had it been in place, would it have made any difference?
Ms. Parnes. Well, to the extent that you are asking about
the operation of title II, it is not an area for us.
Mr. Gonzalez. If you can't answer, that is fine.
Mr. Navin?
Mr. Navin. Yes, I am afraid I have to tread carefully here,
too. There is typically a protocol and procedure for the
Commission to give technical assistance to the committee,
which, of course, we are always happy to do. I don't believe we
were asked for it on this particular bill, but I would prefer
to use that process.
Mr. Gonzalez. OK. The Federal Government at work.
Mr. Rotenberg?
Mr. Rotenberg. Well, Mr. Gonzalez, since we initiated the
petition of security standards, while I can't say with
certainty it would have prevented what happened to Mr. Einhorn,
I think it is clear that if stronger security standards were in
place, it would have been much more difficult for someone to
improperly get access to Mr. Einhorn's family's calling
records.
Mr. Gonzalez. And this bill would have accomplished that?
Mr. Rotenberg. Yes, I believe it would have.
Mr. Gonzalez. Mr. Largent?
Mr. Largent. I would say that the security measures that
the companies have enacted since this came to light, and it was
about the same time that he had his problems, are going a long
way to prevent it from happening again. I would tell you that
the threat of prosecution of pretexters has essentially
evaporated the Internet solicitation for people to get numbers
through pretexting. So we have already come a long way, but
whether it would have actually addressed his concern, I think
that is an open question, and I am not sure.
Mr. Gonzalez. Mr. McCormick?
Mr. McCormick. Yes, Congressman. I would agree with Mr.
Largent. I received a briefing the other day on the security
protocols that had been implemented by the companies during the
course of the last year, and the protocols would directly
address the way in which an inbound call under pretexter-
obtained information. Our concern, under this legislation,
though, is that it also addresses outbound calls. There has
never been a situation where one of our companies has called a
pretexter to give them information. This marketing on the
outbound, those provisions of the bill, would do nothing to
address the situation that Mr. Einhorn had.
Mr. Gonzalez. All right.
Ms. DeGette. The gentleman's time has expired.
Mr. Gonzalez. I think my time is up, and I just thank you,
Mr. Einhorn, for your participation.
Ms. DeGette. The Chair now recognizes the distinguished
gentleman from Florida, Mr. Stearns, for 5 minutes.
Mr. Stearns. I thank my colleague.
I think we have touched on this issue before, but there is
some confusion. At least some of the staffs indicate there is
confusion, so I would like to ask this question. Mr. Navin, you
first. And then I will ask all of you, if you would, to comment
on it. And I guess it is dealing with the bill's affect on the
ability to use phone records to market other products. In your
mind, does this bill prohibit the usage of just detailed
information or all information from phone records?
Mr. Navin. Yes, I am the one that deferred on the last
question involving an interpretation of your legislation.
Mr. Stearns. Right. Yes.
Mr. Navin. What I can tell you is that the proposed rules
that the Commission is considering would get at the situation
that concerns disclosure of Mr. Einhorn's records in two ways.
Number 1, by virtue of the use of mandatory passwords, the
person who set up the account would not have been able to do.
And No. 2, because the proposed rules in front of the
Commission provide for notification to the customer any time
their information is changed or their call detail records are
mailed. As it relates to the legislation, I would prefer to
allow the other panelists to address that issue.
Mr. Stearns. OK. Mr. Largent, go ahead.
Mr. Largent. Would you restate your question?
Mr. Stearns. Yes. In your opinion, does the bill prohibit
the use of detailed information or other information from phone
records from the ability to market other products?
Mr. Largent. I think that is the open question that we are
really concerned about this legislation, that it could possibly
be read that way.
Mr. Stearns. And that is what my staff is trying to
understand. Do we need to change this bill so that you have
this flexibility? And it is not clear. I guess, the confusion
is whether we can do this, and do you feel it is strong enough
that, in your mind, there is this confusion and you can't
market information without breaking the law? And so we don't
want to do that. We don't want to hurt the ability to market,
so I think that is what we are trying to understand.
Mr. Largent. I think clarity is the key word that we would
like to see in this bill.
Mr. Stearns. And so you would like to see a change?
Mr. Largent. Yes.
Mr. Stearns. OK.
Mr. McCormick?
Mr. McCormick. Absolutely, Congressman. We see this
ambiguity as creating a situation where we are potentially
engaged in an illegal activity if we use our knowledge about
the fact that an individual is a telephone customer and use
that knowledge in order to go to that customer and offer them a
bundled package of Internet access or video or even to add on a
wireless service. We don't think that that was the intent of
the committee. We understand that the intent of the committee
was to protect the kind of information that was taken from Mr.
Einhorn, but we believe that the bill goes much farther than
that and does prevent these kinds of marketing activities.
Mr. Stearns. Well, and we are in the early stages here, and
so we are all listening, so this is the time to say,
specifically, yes or no. Now the two of you are saying that
this bill does make it a little bit dubious whether you can
continue your marketing practices.
Anyone else?
Mr. Rotenberg. Mr. Stearns, if I could speak to that issue.
Mr. Stearns. Yes.
Mr. Rotenberg. I think there really are two distinct
questions here that need to be clarified. The first is whether
or not a telephone company can communicate with their customers
about their service offerings. There is nothing in this bill
that prevents that, and every phone company is free to make
available information about related services. The second
question is whether the companies can take advantage of the
call detail information, who people are calling, what they are
doing, how they are communicating, and use that private
information to determine what type of marketing to direct to
the customer. Now in my view, and I think the view of most
American consumers, they would have no problem learning about
new service opportunities from their current provider or from a
competitor. That is obviously a good thing for the consumer and
for the marketplace. I think the specific concern here, which
the bill appropriately addresses, is that the companies take
advantage of access to this detailed information and use that
as part of the marketing determination, and that is where I
think we need a stronger safeguard.
Mr. Stearns. So would you, in your mind, then, based upon
what you said, change the bill?
Mr. Rotenberg. No, I would leave the bill as it is. I would
leave it with the opt-in requirement, because if there is going
to be use of CPNI information for that purpose, then I think
the customer has the right to say, ``Well, that is----
Mr. Stearns. So the opt-in requirement would nullify the
need to change the bill, because the customer is still in
control?
Mr. Rotenberg. Yes, that is correct.
Mr. Stearns. Now I guess, Mr. Largent and Mr. McCormick,
what do you say to that?
Mr. Largent. Well, I just think that it violates the basic
marketing principle that exists in our world today. If we have
got a company that, say, has 60 million customers and we want
to target the 12 million that we think would be most inclined
to want Internet service or download music or do whatever, and
I mean, our companies do so many things today from music,
video, television, as well as your basic phone service, but if
we have got a group of 12 million customers out of 60 million
that we think are kind of the heart of the market for accessing
whatever service it might be, why would we have to market to 60
million customers when we know that 12 million are our real--
that is the heart of our marketing strategy. Why should we have
to market to 60 million when we know that these 12 million are
the ones that are going to be most interested in the service?
Ms. DeGette. The gentleman's time has expired.
Mr. Stearns. Yes, I just ask 30 seconds to let Mr.
McCormick finish.
Ms. DeGette. Without objection.
Mr. McCormick. Yes, thank you very much.
Congressman, several years ago, Congress provided for a do-
not-call list. If you do not want to be solicited, it was an
opt-out. The way we read this legislation is that for our
industry alone, it would be a do not call unless the customer
opts in. And so all we want to do is to make sure that our
industry is not treated in an entirely unique and
discriminatory way.
Mr. Stearns. I thank you and the gentle lady.
Ms. DeGette. The Chair now recognizes the distinguished
gentleman from Michigan, Mr. Stupak, for 5 minutes.
Mr. Stupak. Thank you, Madame Chairman. I apologize for not
being here. I have been on the floor with an amendment and
argument down there.
So Mr. McCormick, the FCC rules require telecommunication
carriers to have an officer of the company certify annually
personal knowledge that the company has established operating
procedures that are adequate to ensure compliance with privacy
regulations. And each of the companies certified that they have
had adequate procedures, yet this appears to be a pervasive
problem. Doesn't that indicate that something is slipping
through the cracks of the current system? It would seem we
cannot rely on either the certification requirement or the
current FCC rules to adequately protect consumers.
Do you care to comment on that?
Mr. McCormick. Yes, Congressman.
What we have in the pretexting community is that we have
very sophisticated lawbreakers. Security protocols in the past,
many of the companies were using Social Security numbers as
identifiers. Since individuals like Mr. Einhorn had their
records taken through pretexting, through the use of Social
Security numbers, our companies have established protocols that
no longer use that. In fact, the authentication procedures used
by our companies are constantly being changed and upgraded in
ways to protect against the increasing sophistication of
pretexters. So it is a continuing battle. It is an ongoing
battle, but we believe that it is important to our relationship
with our customer to be able to protect our customers' privacy,
and we take that very seriously.
Mr. Stupak. But in response to Mr. Stearns, when I came in
here, you were talking about opting in and opting out. And in
our proposal, you have to opt in, which gives the consumer
greater protection--or opt out, whatever it is there. But the
consumer is going to hold the key here. Wouldn't that help to
defeat this, what you call, sophisticated pretexters?
Mr. McCormick. No, it would have nothing to do with that,
because pretexting are calls that come in and the opt-in
requirement today says that we cannot share the information
with anybody beyond selling communication services unless the
customer opts in. This opt-in requirement doesn't have to do
with calls that are coming in, pretexting calls that are coming
in asking us for information. This opt-in requirement has to do
with forcing a customer to first say to us, ``You may contact
me about offering new services, and if I don't give you express
authorization beforehand, do not call. Hands off.''
Mr. Stupak. That isn't related to a third party and not to
your company? The opt in? Isn't that related to the third party
that wants to use it?
Mr. McCormick. The way we read this bill, no, the law
already requires opt in with regard to sharing information with
third parties. With regard to this bill, the way we read it is
that our own companies would not be allowed to market services
beyond the bucket that they have, the telecom service, without
opt in.
Mr. Stupak. In the investigation here, the way I remember,
the summary of it, if I will, was the record reflected that it
was in which where administration sloppiness by the carriers.
And in our investigation, we saw this as sort of like the key
part of the program. So I mean, if the carriers are going to be
sloppy, no matter how sophisticated you are going to be, but if
you are going to be sloppy in the way you administer it, you
are still going to have this pretexting problem, correct?
Mr. McCormick. Again, I think that we are in full agreement
with the committee with regard to the need for inbound calls
requesting customer proprietary network information,
particularly call data information, be authenticated so that
you do not have people who should not be getting that
information are getting that information. What we don't want to
do, though, is to go on the other side where we are making
calls out to our customer to offer them services that may be
offering them greater discounts or savings, for those to get
swept up. There has never been an instance where there has been
a problem with pretexting or identify theft on the part of
marketing calls from our companies out.
Mr. Stupak. Well, having sat through that pretexting
investigation, I would say you are right. There is none that we
know of, because we still get back to this administration
sloppiness.
Mr. Navin, if I may, the FCC order, which prohibits the
carriers, I am sorry, prohibits providers from releasing call
detail information. And that order has been circulated to other
commissioners, when do you anticipate the order being issued,
when it will be completed, and what is sort of the hold-up
here?
Mr. Navin. I can tell you that, first of all, it is not a
complete ban on the release of the call details. It just put in
place some security measures, like the use of mandatory
passwords.
Mr. Stupak. OK.
Mr. Navin. I don't want to totally frustrate consumers in
their endeavor to get access to the information. The chairman
circulated the order at the end of last year. I know that he
has been working actively with his Commissioner colleagues to
try to build consensus on the item. He tends to take a
consensus approach, because he believes that these two stronger
opinions by the FCC. That said, I am sure that there are many
at the Commission who are anxious and interested in the
Commissioners all being----
Mr. Stupak. Can you give me a timeframe or a guess of when
this order may be--a consensus on it? It has been a while.
Mr. Navin. I know that one of the tools that the chairman
has to bring an item to a vote is by an agenda meeting.
Mr. Stupak. Right.
Mr. Navin. So I know that is available to the chairman. I
don't know if he has made that decision with regard to this
item.
Ms. DeGette. The gentleman's time is expired.
Mr. Stupak. Thank you, Madame Chairman.
Ms. DeGette. The Chair now recognizes the distinguished
gentleman from Pennsylvania, Mr. Pitts, for 5 minutes.
Mr. Pitts. Thank you, Madame Chairman.
First, a question for Ms. Parnes.
Section 202(a)(1)(E) on page 10 of the bill is similar to
the legislation that the gentleman, Mr. Markey, and I
introduced last session, the Wireless 411 Privacy Act, which
seeks to keep wireless services from disclosing wireless
numbers without the affirmative consent of the consumer. And we
have heard of the unintended consequences from Mr. Largent and
Mr. McCormick that we may need to tweak this language to keep
it from having these unintended consequences regarding
marketing of services. But phone numbers can be used to help
prevent fraud and identity theft, because they can be cross
checked with information on credit and loan applications. And
we certainly don't want to make it harder to prevent fraud.
Your bureau has a mandate to protect consumers, so I would
appreciate your thoughts on that.
Ms. Parnes. Thank you. We do have a mandate to protect
consumers from identity theft. And we actually are very focused
on how consumers can authenticate themselves in ways to prevent
the misuse of their own personal information.
But because this is in title II and it is a part of the
bill that falls outside the scope of the FTC's jurisdiction, we
would have to really go back and look at this and consult with
our colleagues at the FCC to understand how this would operate.
And we would be happy to get back to you on that.
Mr. Pitts. All right.
Steve, it is great to see you. You are a good friend and
former colleague, and it is always good to work with you. And I
understand that you are willing to work with us on
clarification regarding marketing of services, but the phone
number is not CPNI. That refers to data about the phone records
and the behavior. Phone numbers can be cross checked on
applications for credit, and other critical services. And do
you see the unintended consequences regarding that that we need
to tweak this language about?
Mr. Largent. We would be glad to work with you on that,
Congressman. And I would just tell you that on the other issue,
on the wireless directory assistance, that there is no
evidence----
Mr. Pitts. I was just going to ask you, is there still any
interest in creating a directory?
Mr. Largent. None that I am aware of.
Mr. Pitts. Good. I am happy to hear that. And thank you for
agreeing to work with us and providing language to work out any
unintended consequences.
Thank you, Madame Chairman.
Ms. DeGette. The gentleman yields back.
The Chair now recognizes the distinguished gentleman from
Washington State, Mr. Inslee, for 5 minutes.
Mr. Inslee. Thank you. I would like to ask about this third
party sharing of information for marketing and other purposes
to make sure I understand it.
Just give a hypothetical. XYZ Phone Company wants to enter
into a joint venture with Acme Travel Company, and they want to
share databases so that the travel company can focus their
marketing efforts to see who is traveling and who is calling
Paris, and maybe they want to market these people. I want to
ask, Mr. Navin, Mr. Largent, and Mr. McCormick, under want
circumstances should the phone company be able to share that
information with Acme Travel Company? What would happen to
happen first or second in that regard? And in particular, Mr.
Navin, if you could tell me about the relationship between your
proposed rule and this legislation and how they contrast or
compare or are similar? If I could ask you three gentlemen that
question.
Mr. Navin. Well, currently, as has been discussed, the rule
that the Commission has as it relates to joint venture partners
is an opt-out rule. In other words, the carriers do not need
the express consent by consumers to use this CPNI to market
communications-related services. So that is the current state
of the Commission's law. What the chairman has proposed to do
is to change that from an opt-out approach to an opt-in
approach, in other words, you would need express consent from
the consumer to use this CPNI to market communications-related
services. So that is specifically what the chairman has
proposed in the order in front of us.
Mr. Inslee. And I am sorry. I would think these would be
non-communication-related services.
Mr. Navin. I believe under our existing rules, they would
not be allowed to market or be allowed to disclose the
information to joint venture partners for non-communication-
related services on an opt-out approach. They would not be
allowed to do that.
Mr. Inslee. So what your proposed rule under consideration
now would be to treat non-communication services and
communication services the same, which is you would have to opt
in before it was allowed? Is that the current play?
Mr. Navin. That is correct. I would like to get back to you
on whether or not the carriers could actually disclose the
information to a joint venture partner for non-communications-
related services.
Mr. McCormick. I think I can answer that, Mr. Inslee. Our
reading of the law is that the law would not allow us to share
any information with an allied travel without the express
consent of the customer, and that, as a matter of practice,
none of our companies do it anyway. The legislation under
consideration would, instead, say that with regard to any
communications-related services, for example, if a local
company, one of our local companies, wanted to offer to its
customer a bundle package that included local and long
distance, we would not be able to contact that customer unless
the customer first opted in and allowed us to use the fact that
it was a local customer for us to then say, ``You are paying
$25 for local service. We will offer you a bundle package with
long distance for $35.'' Or to add that customer in for DSL
service. And if that is not the intent of the committee, then
what we would hope is that the bill would be clarified so that
that ambiguity would not be there.
Mr. Largent. Yes, I would just ditto everything Walter
said. We feel the same way. Our companies are not taking
customers' names or numbers and marketing them or selling them
to third parties that don't have anything to do with
telecommunications. We use those to market our services to our
own customers only.
Mr. Inslee. Mr. McCormick, you discussed this, you would be
discriminated against if this was an opt-in. I am thinking
about this, so I don't show you any position that I have right
now, but I do want to say that, at least I have taken a
position that if other industries should be an opt-in, for
instance, I believe you should have to opt in to get my
checking account records. I lost that battle in the past couple
of Congresses. If I come down and it sounds differently, it is
not to discriminate against you but to remain consistent, of
course, according to what I think most of my constituents want
at the moment.
Mr. McCormick. Well, I understand the desire to opt in in
order to get checking account records, call detail information.
What we are really talking about here is kind of like a do-not-
call list. And as I said before, Congress passed the do-not-
call law that was an opt-out. If you don't want to be called,
you can opt out. This would say, with regard to our industry
alone, customers would have to opt in before we were allowed to
call our own customer. And I don't think that is the
committee's intent, and that is what we would like to clarify.
Mr. Inslee. OK. Is there any middle ground here where you
would not disclose specific identity of the callers or callee
but certain general characteristics if you reach some joint
venture marketing situation? Is that possible?
Mr. McCormick. Yes, there is a lot of middle ground here. I
think that all of the concerns that the committee has about
identity theft and pretexting and privacy of customer records
are concerns that we share. And what we want to be able to do
is to simply be able to work in an effective way to market new
services, particularly bundled services, in a way that competes
with all of the other businesses out there that are looking for
new and innovative ways of offering consumers a package that
the consumers will find more efficient, higher savings, and
more convenient.
Mr. Inslee. Thank you.
Ms. DeGette. The Chair now recognizes Mr. Burgess,
distinguished gentleman from Texas, for 6 minutes.
Mr. Burgess. Thank you, Madame Chairman.
Let me just follow-up on Mr. Inslee's comments. Mr.
McCormick, why do you need the CPNI information to market to
your customers? Can't you just do this from other data that you
would have?
Mr. McCormick. There is a difference between CPNI, customer
proprietary network information, and call-detail information.
Customer proprietary network information is, arguably,
everything about that customer: his service package, does he
take a local service, does he take call answering, does he take
call forwarding, does he also take Internet access, does he
take long distance? That is different than the call-detail
information. Call-detail information, we don't even keep call-
detail information for local calls. On long distance calls,
call-detail information is kept only for billing purposes. It
is the call-detail information that is sought by pretexters. It
was sought in the case of Mr. Einhorn. We understand the desire
of the committee to afford additional safeguards to third
parties being able to come in and access that call-detail
information, people who should not have access to it. but for
purposes of our being able to use joint venture partners to go
out and to market for us add-on services like Internet access,
video, or even new pricing packages for long distance, family
plans, favorite five plans, that information for being able to
market outward has never been used for pretexting. There is not
any case whatsoever where there has ever been an inappropriate
use of that information that has violated the privacy of an
individual for outward marketing purposes.
Mr. Largent. And I would just add to that, not even when
third parties were located not in the United States. Those
third-party agreements that they had with the carriers are
sacrosanct to those third parties, because if they violate
them, then they are out the door, their business is out the
door.
Mr. Burgess. I guess it was in the O&I Subcommittee, I
think we had 17 people take the fifth one morning. And I can't
even do the math to figure out what number that would be, 17
times 5. But I am very glad that you don't call those
individuals and provide them information. Mr. Stupak was here
that morning. That was an unbelievable arrangement of
individuals. I still have nightmares about Ma Bell from
Arizona.
Well, then, so I understand we are obviously trying to
craft a piece of legislation that will endure, and your
industry moves and changes very fast, and our legislation will
be there in perpetuity for the rest of my natural lifetime, so
we want it to be done correctly. And I guess I get the
impression from the way the questions have been going back and
forth, that you have some concerns about the overly-broad
drafting of the language in title II of this bill, is that
correct?
And I assume you have made those concerns available to the
appropriate committee staff?
And Mr. Navin, you are not allowed to help in that or at
some point will you be able to help us in that?
Mr. Navin. No, the Commission would be happy to help and
happy to provide technical assistance on the bill, but I just
reviewed the bill for purposes of preparing for this hearing,
and I don't want to simply give my impressions. I would rather
coordinate with the folks at the Commission.
Mr. Burgess. OK. But that information or that technical
assistance is going to be available to the committee staff and
committee members as we go through the process of marking up
and delivering this bill?
Mr. Navin. Absolutely.
Mr. Burgess. OK. Mr. Einhorn, you have been so kind to sit
with us all morning, and I appreciate your involvement in this.
It won't do any good for me to apologize to you, but I will do
it anyway, that you suffered the problems that you did.
Now just so that I understand clearly when Mr. Markey was
asking you the question, and he is gone, but I will try to
paraphrase it, and I hope I am accurate, where he said
shouldn't the company have notified you immediately about a
breach of security or the pretexting that occurred. How did
they know that the pretexting had occurred? When these guys
have sat in front of us and gave us examples of pretexting,
they were so cleaver about how they did stuff, how did they
know that your information had been delivered to the wrong
hands?
Mr. Einhorn. Well, I am glad you came back to that, because
I wanted to elaborate on the question that was asked before. I
am actually a victim of pretexting in two separate
circumstances. The first relates to my home telephone records
where the company did not, in any way, notify us that we were
pretexted. What actually happens is----
Mr. Burgess. Well, let me just interrupt you there. How did
they know?
Mr. Einhorn. Who is ``they''?
Mr. Burgess. The company, AT&T, I guess.
Mr. Einhorn. AT&T did not notify us or even necessarily
know that we had been pretexted.
What happened was we tried to sign up for an online
account to pay our bills, and they said, ``You can't do that,
because the account has actually already been opened.'' And
then you say, ``Well, who opened the account?'' And then AT&T
was able to tell us the details of how the account was opened.
Mr. Burgess. So they did not verify that with mailing that
information back to you after the new account was opened?
Mr. Einhorn. That is correct. I was not contacted.
And then second, our business records were involved with
pretexting. And in that particular case, we only learned about
that when Allied Capital put out a press release saying they
had things that were purported to be our business records in
response to an investigation they were conducting in response
to a grand jury subpoena. So if they hadn't been asked that by
the Justice Department or by the grand jury to find out whether
or not they had actually taken our records, we never would have
known until this day that these records were taken.
Mr. Burgess. And the same situation, that company that was
pretexted did not call back for verification after? Did they
open a new account as well?
Mr. Einhorn. Well, even now we don't know how they did it.
We don't know whether they did this somehow online. We don't
know if they bribed an official at the phone company. We have
no idea what records they have or how they obtained those
records or for what use they made. And that is still true to
this moment, because we have gotten no explanation from Allied
Capital as to what they have done.
Mr. Burgess. So if Allied Capital hadn't issued a press
release, you wouldn't even, in fact, know about it until this
day?
Mr. Einhorn. Relating to the business records, that is
correct.
Ms. DeGette. The gentleman's time is expired.
Mr. Burgess. Thank you, Madame Chairman.
Ms. DeGette. Yes. The Chair would inquire of the Federal
Trade Commission. Are you investigating these business
practices by Allied Capital?
Ms. Parnes. Madame Chairman, the Commission investigations
are non-public, so we would be happy to talk to you in a non-
public briefing.
Ms. DeGette. Thank you. The Chair wants to thank all of the
witnesses today. And following up on some questioning by Mr.
Burgess, I would say, we are not in the initial stages of
developing this legislation. We are in the final throws, and so
if witnesses today or other members of the audience wish to
give specific suggestions on development of this legislation,
the committee would much appreciate those efforts.
And again, I want to thank everybody for coming, and the
hearing is adjourned.
[Whereupon, at 1:30 p.m., the committee was adjourned.]
�