[Senate Hearing 110-1139]
[From the U.S. Government Publishing Office]






                                                       S. Hrg. 110-1139

                           CALLER ID SPOOFING

=======================================================================

                                HEARING

                               before the

                         COMMITTEE ON COMMERCE,
                      SCIENCE, AND TRANSPORTATION
                          UNITED STATES SENATE

                       ONE HUNDRED TENTH CONGRESS

                             FIRST SESSION

                               __________

                             JUNE 21, 2007

                               __________

    Printed for the use of the Committee on Commerce, Science, and 
                             Transportation















       SENATE COMMITTEE ON COMMERCE, SCIENCE, AND TRANSPORTATION

                       ONE HUNDRED TENTH CONGRESS

                             FIRST SESSION

                   DANIEL K. INOUYE, Hawaii, Chairman
JOHN D. ROCKEFELLER IV, West         TED STEVENS, Alaska, Vice Chairman
    Virginia                         JOHN McCAIN, Arizona
JOHN F. KERRY, Massachusetts         TRENT LOTT, Mississippi
BYRON L. DORGAN, North Dakota        KAY BAILEY HUTCHISON, Texas
BARBARA BOXER, California            OLYMPIA J. SNOWE, Maine
BILL NELSON, Florida                 GORDON H. SMITH, Oregon
MARIA CANTWELL, Washington           JOHN ENSIGN, Nevada
FRANK R. LAUTENBERG, New Jersey      JOHN E. SUNUNU, New Hampshire
MARK PRYOR, Arkansas                 JIM DeMINT, South Carolina
THOMAS R. CARPER, Delaware           DAVID VITTER, Louisiana
CLAIRE McCASKILL, Missouri           JOHN THUNE, South Dakota
AMY KLOBUCHAR, Minnesota
   Margaret L. Cummisky, Democratic Staff Director and Chief Counsel
Lila Harper Helms, Democratic Deputy Staff Director and Policy Director
   Christine D. Kurth, Republican Staff Director and General Counsel
Kenneth R. Nahigian, Republican Deputy Staff Director and Chief Counsel
                            C O N T E N T S

                              ----------                              
                                                                   Page
Hearing held on June 21, 2007....................................     1
Statement of Senator Klobuchar...................................    19
Statement of Senator Nelson......................................     1
Statement of Senator Stevens.....................................     2
Statement of Senator Sununu......................................    22

                               Witnesses

Cerasale, Jerry, Senior Vice President, Government Affairs, 
  Direct Marketing Association, Inc..............................     6
    Prepared statement...........................................     8
Jones, Hon. Ron, Commissioner, Tennessee Regulatory Authority; 
  Chairman, Consumer Affairs Committee, National Association of 
  Regulatory Utility Commissioners...............................    16
    Prepared statement...........................................    17
Knight, Allison, Staff Counsel and Director, Privacy and Human 
  Rights Project, Electronic Privacy Information Center (EPIC)...    12
    Prepared statement...........................................    13
Monteith, Kris Anne, Chief, Enforcement Bureau, FCC..............     3
    Prepared statement...........................................     5

                                Appendix

Inouye, Hon. Daniel K., U.S. Senator from Hawaii, prepared 
  statement......................................................    27

 
                           CALLER ID SPOOFING

                              ----------                              


                        THURSDAY, JUNE 21, 2007

                                       U.S. Senate,
        Committee on Commerce, Science, and Transportation,
                                                    Washington, DC.
    The Committee met, pursuant to notice, at 11:03 a.m., in 
room SR-253, Russell Senate Office Building, Hon. Bill Nelson, 
presiding.

            OPENING STATEMENT OF HON. BILL NELSON, 
                   U.S. SENATOR FROM FLORIDA

    Senator Nelson. Good morning. Over the past few years, 
consumers have been hit with a number of new scams that seek to 
use our Nation's telecommunications network for fraudulent 
purposes, from pretexting to spyware. Fraudsters are always 
looking for new ways to invade our privacy and personal and 
financial information and one of the newest scams is called 
Caller ID Spoofing.
    It's a technique that allows a telephone caller to alter 
the telephone number and other information that appears on the 
recipient's Caller ID system. It's an easy scam to pull. All an 
individual needs to do is go to one of a number of Internet 
sites with names like Tricktell.com and SpoofTell.com, to gain 
access to spoofing services and on these sites, an identify 
thief can pay money to order a spoofed telephone, tell the 
website what telephone number they wish to reach and then place 
a spoofed telephone call through a toll-free line. A number of 
recent news stories have highlighted the serious harm that is 
caused by this practice.
    One recent example--fraudsters used Caller ID spoofing to 
pose as court officers calling to say that the individual had 
missed jury duty. The caller then says that a warrant will be 
issued for their arrest unless they pay a fine with a credit or 
bank card during the call and you know what the result is going 
to be.
    In another case, identity thieves and criminals have used 
Caller ID spoofing to hack into a bank account and into 
voicemail accounts to steal sensitive personal information.
    Now while these examples are serious enough, just think 
what could happen if a stalker used Caller ID spoofing to trick 
someone into answering their phone and providing information on 
where they are and the results could be tragic. So it's time to 
put an end to Caller ID spoofing.
    The bipartisan Truth in Caller ID Act of 2007 will plug the 
hole in the current law and make it clear that spoofing is a 
scam and is not legal. So it is my privilege to chair this 
hearing on behalf of Senator Inouye and the Vice Chairman of 
the Committee, I would turn to him, Senator Stevens.

                STATEMENT OF HON. TED STEVENS, 
                    U.S. SENATOR FROM ALASKA

    Senator Stevens. Thank you very much, Senator. I'm grateful 
to Senator Inouye for calling this hearing. These ID services 
provide us all with information that we need. Really, I'm 
delighted to have the information. When I see who is calling 
me, I can tell whether to pick it up right away or ask my staff 
to deal with it if it is something that I don't have the time 
for.
    This idea that some people can alter that ID information 
bothers me considerably because it means that a loss of privacy 
means identity theft possibilities and really as Senator Nelson 
has mentioned, can compromise personal safety. We need to 
understand those concerns and to try to make a record and 
that's what we're going to do today with your help so that 
others will review what this panel gives us to determine what 
holes are in our laws and if they can be filled to address and 
prevent this spoofing practice.
    I'm particularly worried about the fraudulent aspects that 
Senator Nelson has mentioned, particularly where it could lead 
to obtaining money under totally false pretenses. It ought to 
be against the law already but I want to find out if there is 
any way and anyone in law enforcement working to deal with that 
directly at this time. Senator Nelson, Senator Snowe and 
Senator McCaskill have introduced this bill. It's going to come 
before the Committee next week and this will be the only 
hearing, the only opportunity we have to get a record for other 
members to learn about this. So I'm particularly concerned 
about the law enforcement actions that have been taken. I 
congratulate the sponsors but will it provide the tools that 
law enforcement needs to really improve enforcement activities 
and will it provide the information that is necessary?
    I'd like to see something developed and invented so that if 
I see something on my Caller ID that I want to preserve then I 
could transfer it. We lose that immediately--once we hang up, 
we've lost that ID. What the telephone records might show would 
be one thing but what has shown on ID is another thing, is my 
understanding. Though somehow or another, we've got to be able 
to find a way to preserve that information to show the 
fraudulent activities involved. And we get a great many calls 
from around the country and when we get a Caller ID that 
indicates to us it's a governor or it's someone from major 
organization and we're working on that legislation, we ought to 
be able to rely on that ID.
    This fraudulent ID concept goes to really, I think contact 
violating the Constitutional concept that people have the right 
to contact Congress to redress wrongs, but if they are 
contacting us under false pretences, we've got to have a way to 
know it. So I think this is a very important piece of 
legislation. I do hope the record will help us convince the 
other members of the Committee of that fact.
    I look forward to the hearing. Unfortunately, I have to go 
somewhere at half past, so I'll wrap up.
    Senator Nelson. Well, Senator Stevens, thank you for your 
encouraging and supportive comments. And here's another 
example. A couple of years ago, a sharp-shooting SWAT team shut 
down a neighborhood in New Brunswick, New Jersey, after they 
received what they thought was a distress call coming from an 
apartment in the neighborhood and it turned out it was a spoof 
call and it put a lot of lives at risk, time after time.
    Well, we've got a distinguished panel. Ms. Kris Monteith, 
Chief of the Enforcement Bureau of the FCC, Mr. Jerry Cerasale, 
Senior Vice President of Government Affairs of the Direct 
Marketing Association, Ms. Allison Knight, Staff Counsel and 
Director of Privacy and Human Rights Project, Electronic 
Privacy Information Center and Mr. Ron Jones, Director of the 
Tennessee Regulatory Authority and Chairman of the Consumer 
Affairs Committee of the National Association of Regulatory 
Utility Commissioners. So welcome, all.
    Your written statements are entered into the record and 
because of the constraints of time, I would appreciate it if 
you could talk directly to us. We'll go right in the order in 
which I introduced you, without you reading your testimony to 
us because we're going to have it as part of the record, if you 
would give us your thoughts. So let's start with you, Ms. 
Monteith.

STATEMENT OF KRIS ANNE MONTEITH, CHIEF, ENFORCEMENT BUREAU, FCC

    Ms. Monteith. Good morning. Thank you very much, Vice 
Chairman Stevens, Senator Nelson and members of the Committee. 
Thank you for the opportunity to speak with you today about the 
problem of caller identification spoofing. As you've stated, 
Caller ID services lets customers identify who's calling them 
before they pick up the phone, such as by a telephone number, a 
name or business number displayed on the customer's equipment. 
Caller ID spoofing refers to the practice in which the Caller 
ID information is manipulated in a manner that misleads the 
call recipient about the identity of the caller.
    The Commission is deeply concerned about reports that 
Caller ID information is being manipulated for fraudulent or 
deceptive purposes and the impact of those practices on the 
public trust and confidence in the telecommunications industry.
    We are particularly concerned about how this practice may 
affect consumers as well as public safety and law enforcement 
communities. I think you're aware of some of the technical 
means by which caller identification travels with the phone 
call so I won't go into detail and I think that information is 
in my written testimony.
    The Commission also has addressed caller identification on 
the public switched telephone network in rules that were 
adopted in 1995 and generally, those rules require all carriers 
using Signaling System 7--SS7--to transmit the calling party 
number associated with an interstate call to interconnecting 
carriers. This same Commission rule also requires telemarketers 
to transmit accurate Caller ID information.
    With the development of the Internet and IP technologies, 
Caller ID spoofing has apparently been made easier--even easier 
than it used to be. Now entities using IP technology can 
generate false calling information and pass it to the PSTN via 
SS7.
    The Commission's Enforcement Bureau has been investigating 
this practice since it came to our attention in the summer of 
2005, having come to our attention in the context of junk fax 
spoofing. To date, we have initiated investigations on 13 
companies engaged in the marketing and selling of Caller ID 
spoofing services to customers. One investigation has resulted 
in a citation against a telemarketer called Intelligent 
Alternatives for rule violations including violations of the 
Caller ID rules under Section 64.1601 of our rules.
    We've sent formal Letters of Inquiry to these entities and, 
at the same time, served subpoenas on them to compel them to 
respond to our inquiries. In some cases, we followed up with 
subsequent Letters of Inquiry to uncover additional evidence of 
possible violations.
    Importantly, our investigations have revealed that the 
companies that are engaged in these practices are of varying 
degrees of sophistication that employ disparate methods and 
technologies to provide service to different types of 
customers. Some of the companies, for example, claim that they 
are involved in legitimate activities, providing spoofing 
services only to customers such as law enforcement officials, 
private investigators, or to others that are engaged in the 
furtherance of debt collection or other similar types of 
activities.
    The companies allow customers to customize, so to speak, 
the services that they select. For example, in some cases, the 
spoofing companies claim that they do not allow the customer to 
decide the particular false number to be displayed on the 
called parties' ID while others do provide that functionality. 
This functionality is very important because it implicates 
whether or not a spoofer would permit the customer to use 911 
as a spoofed number or whether the customer could, for example, 
choose another telephone number that might be a government 
number--and as you suggest, Senator Nelson--or the number of 
other emergency services providers.
    The Enforcement Bureau is continuing to gather and analyze 
information about the companies' practices, their network, 
businesses, and customers, and other relevant matters that will 
assist us in fully understanding the issues and whether 
violations of the Communications Act have, in fact, occurred.
    In addition to our enforcement efforts, the Commission has 
taken steps to prevent those engaged in Caller ID spoofing for 
deceptive reason from successfully accessing the personal 
information of telecommunications customers. In a recent order 
tightening the Commission's Customer Proprietary Network 
Information rules, we determined that a carrier providing call 
history information over the phone to a customer must first 
call that customer back at the telephone number of record to 
ensure that the individual calling is, in fact, the customer 
rather than relying on the Caller ID as an authentication 
method, thereby eliminating one of the major tools of 
pretexters.
    As we've testified previously, the Commission may not have 
sufficient authority to fully address this issue of spoofing. 
Some of the entities under investigation, do not appear to be 
directly regulated by the Commission and, in fact, they've made 
this assertion in response to our investigations. Thus, 
legislation that clarifies the Commission's authority in this 
area would be helpful.
    In conclusion, just to reiterate that the intentional 
manipulation of Caller ID information is an issue of importance 
to the Commission, particularly where it is used for fraudulent 
or deceptive reasons. We look forward to working with members 
of the Committee and other Members of Congress to ensure that 
the public maintains its confidence in the telecommunications 
industry. Thank you.
    [The prepared statement of Ms. Monteith follows:]

           Prepared Statement of Kris Anne Monteith, Chief, 
                        Enforcement Bureau, FCC
    Good morning Chairman Inouye, Vice Chairman Stevens and members of 
the Committee. Thank you for the opportunity to speak about the problem 
of caller identification (Caller ID) spoofing.
    As you know, Caller ID services let customers identify who is 
calling them before they answer a call by displaying the caller's 
telephone number or other information--such as a name or business 
name--on the customer's equipment before the customer picks up the 
phone. ``Caller ID spoofing'' refers to a practice in which the Caller 
ID information transmitted with a telephone call is manipulated in a 
manner that misleads the call recipient about the identity of the 
caller. The use of Internet technology to make phone calls has 
apparently made Caller ID spoofing even easier. The Commission is 
deeply concerned about reports that Caller ID information is being 
manipulated for fraudulent or other deceptive purposes and the impact 
of those practices on the public trust and confidence in the 
telecommunications industry. We are particularly concerned about how 
this practice may affect consumers as well as public safety and law 
enforcement communities.
    In my testimony, I will first provide a brief technical background 
on Caller ID spoofing. Then, I will describe the Commission's rules 
addressing Caller ID services and the steps the Commission is taking to 
make sure that providers are fully meeting their obligations under the 
Communications Act and the Commission's rules and orders.
    As a technical matter, Caller ID spoofing happens by manipulating 
the data elements that travel with a phone call. Phone calls on the 
public switched telephone network, or PSTN, are routed to their 
destinations by means of a specialized protocol called the Signaling 
System 7, or SS7. SS7 conveys information associated with a call such 
as the telephone number of the caller. The SS7 information for a call 
is provided by the carrier that the caller uses to place the call. 
Caller ID then displays that caller's number to the called party. 
Caller ID spoofing is accomplished by manipulating the SS7 information 
associated with the call.
    The Commission addressed Caller ID on the PSTN in 1995 with rule 
64.1601, which generally requires all carriers using SS7 to transmit 
the calling party number associated with an interstate call to 
interconnecting carriers. The same Commission rule also requires 
telemarketers to transmit accurate Caller ID information.
    The development of Internet and IP technologies has made Caller ID 
spoofing easier than it used to be. Now, entities using IP technology 
can generate false calling party information and pass it into the PSTN 
via SS7. Caller ID spoofing can potentially threaten our public safety. 
For example, spoofers can fabricate emergency calls and cause local law 
enforcement and public safety agencies to deploy their resources 
needlessly. Caller ID spoofing can potentially threaten consumers. For 
example, spoofing can be used by the unscrupulous to defraud consumers 
by making calls appear as if they are from legitimate businesses or 
government offices.
    The Commission's Enforcement Bureau (Bureau) has been investigating 
the issue of Caller ID spoofing since the summer of 2005 when 
information regarding junk fax spoofing came to our attention. To date, 
the Bureau has initiated investigations of thirteen companies engaged 
in the marketing and selling of Caller ID spoofing services to 
customers. One investigation resulted in a citation against a 
telemarketer, Intelligent Alternatives, for rule violations, including 
violations of the Caller ID rules under section 64.1601. We have sent 
formal Letters of Inquiry and, at the same time, served subpoenas to 
compel responses to our inquiries. In some cases, we have issued 
subsequent Letters of Inquiry to uncover additional evidence of 
possible violations of the Communications Act.
    Our investigations have revealed that the companies engaged in this 
practice are of varying degrees of sophistication that employ disparate 
methods and technologies to provide service to different types of 
customers. Some of the companies, for example, claim they are providing 
spoofing services only to customers such as law enforcement officials 
or private investigators, or to others engaged in the furtherance of 
debt collection and other similar objectives. The companies also allow 
customers varying amounts of flexibility over the spoofing: some 
companies claim they do not allow customers the ability to customize 
the false number to be displayed on the called party's Caller ID while 
others do provide that functionality. This last characteristic is 
particularly important when determining whether spoofers permit their 
customers to use ``9-1-1'' as a spoofed number or whether the customers 
can spoof the numbers of first responders and other emergency services 
providers. We are continuing to seek relevant information to assist us 
in fully understanding these issues and whether violations of the 
Communications Act or our rules have occurred.
    We also have held meetings with numerous industry representatives, 
including wireline, wireless, and Voice over Internet Protocol (VoIP)-
based companies, to determine the impact of Caller ID spoofing on their 
consumers and networks. And, we have coordinated with state agencies, 
the Federal Trade Commission and other interested organizations, such 
as the National Emergency Number Association, regarding their efforts 
to address and identify solutions to this problem. The Enforcement 
Bureau is committed to continuing to gather and analyze information 
about these companies' practices, their networks, their businesses, 
their customers, and other germane information.
    In addition to our enforcement efforts, the Commission has taken 
affirmative steps to prevent those engaged in Caller ID spoofing for 
deceptive reasons from successfully accessing the personal information 
of telecommunications customers. In a recent Order tightening the 
Commission's Customer Proprietary Network Information or CPNI rules, 
the Commission determined that a carrier providing call history 
information over the phone to a customer must call the customer at the 
account's telephone number of record to provide such information rather 
than rely on Caller ID as an authentication method, thereby eliminating 
one of the major tools of pretexters.
    As the Commission indicated in its testimony before the House of 
Representatives Energy and Commerce Subcommittee on Telecommunications 
and the Internet last year, the Commission may not have sufficient 
authority to fully address this issue; some of these entities do not 
appear to be directly regulated by the Commission, an assertion made by 
some targets of our investigations. Thus, legislation that clarifies 
the Commission's authority in this area would be helpful.
    In conclusion, the intentional manipulation of Caller ID 
information, especially for the purpose of fraud or deception, is a 
troubling development in the telecommunications industry. The 
Commission looks forward to working with this Committee, and other 
Members of Congress, to ensure the public maintains its confidence in 
the telecommunications industry. Thank you for the opportunity to speak 
with you today.

    Senator Nelson. Thank you, Ms. Monteith. At any time, 
Senator Stevens, since you have to leave early, that you want 
to go ahead and ask questions, feel free.
    Mr. Cerasale?

                  STATEMENT OF JERRY CERASALE,

           SENIOR VICE PRESIDENT, GOVERNMENT AFFAIRS,

               DIRECT MARKETING ASSOCIATION, INC.

    Mr. Cerasale. Thank you very much, Senator Nelson, Senator 
Stevens, Senator Klobuchar. It's a privilege to be here today. 
The Direct Marking Association is a trade organization 
representing multi-channel and interactive marketers who use 
the mail, the phone, the Internet, e-mail, direct response TV, 
and radio to reach consumers and businesses.
    Spoofing of Caller ID harms the consumer. At a minimum, it 
deceives the consumer. More so, it can defraud them or even put 
them in harm's way. Spoofing of ID also harms the company. It's 
actually stealing the company's identification. Stealing the ID 
of the company, it ruins the reputation, those actions taken by 
the spoofer are believed by the recipient of the phone call to 
be the marketer itself calling and so it harms both the 
consumer and the business if it's done.
    We believe it also undermines the integrity and trust in 
this communication channel, which also is harmful to the 
economy, to government and so forth as we look at 
communications within the United States. The DMA issued 
guidance about spoofing a long time ago. It's attached to my 
written testimony.
    Caller ID, properly used, helps the consumer. It let's them 
know who is calling, what it is and you can channel your phone 
calls yourself and have control over your telephone inbox. So 
long ago, the DMA required its members to present Caller ID, 
including the name of the company and send not fraudulent, 
truthful--sending out that information.
    But to be fully useful, Caller ID has to--marketers have to 
be able to change Caller ID information. If I'm calling you as 
a telemarketer, Senator Nelson and there's the number and you 
want to try and get back to me, that phone number will be 
consistently busy because it's an outgoing telephone number.
    So the idea is, we have to put in a consumer customer 
service number where there are people ready to respond to the 
call, respond to the request from the consumer, including even 
putting them on the company's specific Do Not Call list.
    So there has to be an ability for the direct marketer to 
alter the Caller ID, but not for fraudulent purposes but to 
actually assist the consumer. Also, another problem is the duty 
of the marketer should be to transmit to the carrier the proper 
Caller ID information. We've found many times in instances that 
in presenting it to the consumer's phone, the information 
sometimes gets garbled and the marketer should not--if they 
have transmitted the information correctly, that should be the 
duty of the marketer. Now, it's no doubt when it has happened, 
there have been times when the number is altered when it's 
received by the consumer so that the local area code is placed 
in front of the number. And of course, the poor individual who 
then has that number that gets all the calls, gets angry at the 
marketer and eventually we find out and try and work it out 
quickly and communications carriers are helpful in trying to 
fix that and so forth; but we want to make sure that the 
liability on the marketer is to transmit to the carrier the 
proper information. That is the duty of the marketer.
    Looking at S. 704, we support S. 704. We think if you added 
an intent to defraud or cause harm standard, you would protect 
the marketer, those situations that I just mentioned in the 
sense of changing to a customer service number, transmitting 
the proper number to the carrier. It also would cover, we 
think, some of the instances that you mentioned, Senator 
Nelson, concerning the police trying to protect police numbers, 
not showing them, centers, shelters for homeless women, 
battered women that calling out, you don't want to show the 
number of that. Put some other number in there, a social 
service number or something so that you can try and protect 
people.
    Those are things, I think, that we need to try and protect 
in S. 704, those kinds of changes. We want to go after the 
spoofers, give the FCC all the authority it needs to shut these 
people down and we just need the ability to make Caller ID a 
valuable service as long as we're not using it to defraud or 
deceive. Thank you very much.
    [The prepared statement of Mr. Cerasale follows:]

     Prepared Statement of Jerry Cerasale, Senior Vice President, 
         Government Affairs, Direct Marketing Association, Inc.
I. Introduction & Summary
    Good morning Mr. Chairman and Members of the Committee. I am Jerry 
Cerasale, Senior Vice President for Government Affairs of the Direct 
Marketing Association, and I thank you for the opportunity to appear 
before the Committee as it examines S. 704 and the Caller ID spoofing 
issue in general.
    The Direct Marketing Association, Inc. (``DMA,'' www.the-dma.org) 
is the leading global trade association of businesses and nonprofit 
organizations using and supporting multichannel direct marketing tools 
and techniques. DMA advocates industry standards for responsible 
marketing, promotes relevance as the key to reaching consumers with 
desirable offers, and provides cutting-edge research, education, and 
networking opportunities to improve results throughout the end-to-end 
direct marketing process. Founded in 1917, DMA today represents more 
than 3,600 companies from dozens of vertical industries in the U.S. and 
50 other nations, including a majority of the Fortune 100 companies, as 
well as nonprofit organizations. Included are catalogers, financial 
services, book and magazine publishers, retail stores, industrial 
manufacturers, Internet-based businesses, and a host of other segments, 
as well as the service industries that support them.
    DMA and our members appreciate the Committee's continued outreach 
to the business community on important issues such as Caller ID 
spoofing. DMA fully supports the efforts of Senators Nelson, McCaskill, 
and Snowe, and the Committee, to enact legislation prohibiting Caller 
ID spoofing. Spoofing is a malicious practice that undermines Caller ID 
as a useful verification device, and can cause harm to both consumers 
and business. DMA has long recognized Caller ID as an important 
enhancer to two-way communication between people making and receiving 
calls, especially in the context of business and customer relations. 
Caller ID provides consumers with choice and control over their 
telephones. It alerts a consumer as to the identity of a caller and 
allows the consumer to choose whether to answer a call from a marketer 
offering a product or service of interest.
    Caller ID, when used for illegitimate purposes, can have a harmful 
effect on consumers and legitimate marketers and other businesses. Bad 
actors use Caller ID spoofing to damage a competitor's reputation, to 
gain unauthorized access to a consumer's personal information, and to 
commit illicit practices such as phishing and pretexting. The 
cumulative effect is consumer confusion, possible identity theft, and 
the transfer of ill will to legitimate businesses and marketers. We 
believe that spoofing, and, in general, the manipulation of Caller ID 
for illegitimate purposes, should be prohibited.
    Understanding the importance of standards and best practices in 
fostering consumer choice, DMA several years ago, working with our 
members, developed and adopted Caller-ID Requirements as part of our 
Guidelines for Ethical Business Practice (``Guidelines''), to 
specifically discourage illegitimate telemarketing practices that 
threaten to undermine consumer confidence and relations with legitimate 
marketers.\1\ In 2004, in response to a rise in Caller ID spoofing, DMA 
issued an advisory detailing marketers' rights and responsibilities 
when using Caller ID technology.\2\ DMA requires its members, including 
nonprofits and other groups, to transmit Caller ID information. 
Specifically, when DMA members make marketing calls, they are required 
to transmit the name of the seller and the telephone number by which a 
called party can call back during normal business hours to ask 
questions or request not to receive future calls. Under our Guidelines, 
DMA members must not transmit a false name or telephone number.
---------------------------------------------------------------------------
    \1\ Caller-ID/Automatic Number Identification Requirements, Article 
#46, DMA Guidelines for Ethical Business Practice, at 23 (attached) 
(available at http://www.the-dma.org/guidelines/
EthicsGuidelines.shtml).
    \2\ DMA Statement Caller-ID Falsification, September 2004 
(attached) (available at http://www.thedma.org/guidelines/callerid/
shtml).
---------------------------------------------------------------------------
    DMA also supports the importance of accurately disclosing identity 
and contact information in other forms of marketing communications. For 
example, in the e-mail context, our Guidelines detail responsible 
practices for marketers to disclose accurate identifying information. 
The problems caused by inaccurate e-mail headers are similar to those 
in the Caller ID spoofing context. In 2002, in response to illegitimate 
actors manipulating e-mail message headers, we developed and adopted 
Commercial Solicitations Online requirements as part of our 
Guidelines.\3\ Our members are required to clearly disclose the 
marketer's identity and street address in e-mail solicitations. The 
identity of the sender of the message must be provided clearly, 
honestly, and not in a misleading manner. The subject lines must 
accurately convey the content of the message, and the header 
information must be accurate. These requirements are also part of the 
CAN-SPAM Act that emerged through this Committee.
---------------------------------------------------------------------------
    \3\ Commercial Solicitations Online, Article #38, DMA Guidelines 
for Ethical Business Practice, at 20 (attached) (available at http://
www.the-dma.org/guidelines/EthicsGuidelines.shtml).
---------------------------------------------------------------------------
II. Legislation Should Include an ``Intent To Defraud or Cause Harm'' 
        Requirement
    As stated at the outset, DMA supports the purpose of S. 704, to 
prevent the manipulation of Caller ID for fraudulent, spoofing 
purposes. While the practice of spoofing to defraud or cause harm to a 
person is unacceptable, there are legitimate reasons for transmitting 
Caller ID information that is different from the calling party's 
information that the Committee should ensure are not restricted. 
Blocking or modifying Caller ID information is necessary in several 
contexts such as safety, protecting privileged communications, and in 
business and customer relations. Businesses rely on the practice of 
modifying Caller ID for such purposes as to facilitate a consumer's 
request to be placed on a business's do-not-call list and to properly 
disclose the identity of the entity on whose behalf a third-party 
marketer is calling. In order to ensure that non-spoofing activities 
that may involve display of Caller ID information that is different 
from that of the entity making the call are not unintentionally covered 
by the legislation, we suggest that the scope of conduct covered by the 
legislation should be narrowed to restrict only such acts committed 
with ``intent to defraud or cause harm.''
    Inclusion of such an ``intent to defraud or cause harm'' standard 
will serve the purpose of explicitly recognizing that the widely 
adopted business practice of transmitting a customer service telephone 
number in place of the calling party's telephone number is not 
restricted. Without such an intent standard, telemarketers that 
substitute a customer service telephone number for call back purposes 
could be covered by the bill. This practice is, in fact, currently 
required under existing law whereby marketers are required to transmit 
a telephone number through a caller identification service by which a 
called party may place a return call to make inquiries or request that 
their telephone number be added to the calling party's do-not-call 
list. Often businesses provide the telephone number of their customer 
service department to facilitate such requests rather than the number 
of the calling party's line. Businesses that employ such practices are 
not seeking to defraud or mislead customers, but rather transmitting 
the most relevant information and creating processes to efficiently 
respond to customer requests.
    In addition, we are aware of scenarios where the Caller ID 
information transmitted from the telemarketer to a telecommunications 
carrier is not the same as the information provided by the carrier to 
the call recipient. With a strict liability standard, and with no 
intent standard, telemarketers could be liable for an act of the 
carrier over which the telemarketer has no control. Thus, the addition 
of an ``intent to defraud or cause harm'' standard also will ensure 
that a telemarketer is only responsible for accurately providing Caller 
ID information to the carrier and not for incorrect transmission by the 
carrier.
    Requiring that a calling party provide its exact name and telephone 
number could jeopardize legitimate practices and restrain consumer 
preferences. Requiring ``intent to defraud or cause harm'' will ensure 
that bad actors with ill intent are targeted by the legislation rather 
than legitimate practices, customer preferences, and the underlying 
technology used. We believe that tying the act of transmitting 
misleading Caller ID information with an intent standard appropriately 
identifies the offending act while ensuring that businesses are not 
liable for simple mistakes or other instances where changing the Caller 
ID information is appropriate. We note that this is the approach that 
is in the Caller ID spoofing bills that recently passed the House of 
Representatives.
          * * * * * * *
    Thank you for your time and the opportunity to speak before your 
Committee. I look forward to your questions and working with the 
Committee on this legislation.
     Excerpts from the DMA Guidelines for Ethical Business Practice
Commercial Solicitations Online
Article #38
    Marketers may send commercial solicitations online under the 
following circumstances:

   The solicitations are sent to the marketers' own customers, 
        or

   Individuals have given their affirmative consent to the 
        marketer to receive solicitations online, or

   Individuals did not opt out after the marketer has given 
        notice of the opportunity to opt out from solicitations online, 
        or

   The marketer has received assurance from the third party 
        list provider that the individuals whose e-mail addresses 
        appear on that list:

     have already provided affirmative consent to receive 
            solicitations online, or

     have already received notice of the opportunity to have 
            their e-mail addresses removed and have not opted out, and

   The individual is not on the marketer's in-house suppression 
        list

    Within each e-mail solicitation, marketers should furnish 
individuals with a notice and an Internet-based mechanism they can use 
to:

   Request that the marketer not send them future e-mail 
        solicitations and

   Request that the marketer not rent, sell, or exchange their 
        e-mail addresses for online solicitation purposes

    If individuals request that their names be removed from the 
marketer's in-house online suppression list, then the marketer may not 
rent, sell, or exchange their e-mail addresses with third parties for 
solicitation purposes.
    The above requests should be honored within 10 business days, and 
the marketer's opt-out mechanism should be active for at least 30 days 
from the date of the e-mail solicitation.
    Only those marketers that rent, sell, or exchange information need 
to provide notice of a mechanism to opt out of information transfer to 
third-party marketers.
    Marketers should process commercial e-mail lists obtained from 
third parties using DMA's E-Mail Preference Service suppression file. 
E-MPS need not be used on one's own customer lists, or when individuals 
have given affirmative consent to the marketer directly.
    Solicitations sent via e-mail should disclose the marketer's 
identity and street address. The subject and ``from'' lines should be 
clear, honest, and not misleading, and the subject line should reflect 
the actual content of the message so that recipients understand that 
the e-mail is an advertisement. The header information should be 
accurate. A marketer should also provide specific contact information 
at which the individual can obtain service or information.
          * * * * * * *
Caller-ID/Automatic Number Identification Requirements
Article #46
    Wherever the technology is available marketers should:

   Transmit a telephone number such as the telephone number of 
        the seller, service bureau, or customer service department that 
        the consumer can call back during normal business hours to ask 
        questions and/or to request not to receive future calls and

   Transmit the name of the seller or service bureau

    Marketers should not block transmission of caller identification or 
transmit a false name or telephone number.
    Telephone marketers using automatic number identification (ANI) 
should not rent, sell, transfer, or exchange, without customer consent, 
telephone numbers gained from ANI, except where a prior business 
relationship exists for the sale of directly related goods or services.
                                 ______
                                 
                 DMA Statement Caller-ID Falsification
Falsely altering Caller-ID information for marketing purposes is not 
        only unethical, it is illegal!
    In response to recent news reports about a new Caller ID service 
that would allow subscribers to transmit false Caller-ID information, 
The DMA has issued this statement to remind marketers about their 
rights and responsibilities when using Caller-ID technology.
    When calling customers or prospects, it is deceptive and unlawful 
for a marketer to knowingly substitute and transmit a false, or 
`dummy,' telephone number. Rather, wherever the technology is 
available, a marketer must:

   transmit the name of the seller or service bureau; and

   transmit an accurate and valid telephone number for the 
        seller, the service bureau, or respective customer service 
        department. A consumer should be able to call back this 
        telephone number during normal business hours to ask questions 
        and/or to request not to receive future calls.

    Please note that a marketer MAY transmit a Caller-ID telephone 
number that is DIFFERENT from the number from which the call is coming 
AS LONG AS the number transmitted correctly identifies the name of the 
seller or service bureau and is a valid number that the consumer may 
call back during normal business hours to ask questions and/or to 
request not to receive future calls. For example, sometimes it may be 
necessary to transmit a Caller-ID number for the customer service 
department, instead of the number of the representative who is calling 
(since the representative's number will likely be busy). In this 
instance, substituting the customer service department number provides 
the consumer with a number he/she can call back for more information 
and/or to request to be put on the company's do-not-call list.
    A marketer who intentionally creates and transmits inaccurate or 
false Caller-ID information is violating Federal law--for starters, the 
Federal Trade Commission Act (which outlaws unfair and deceptive trade 
practices), the Federal Trade Commission's Telemarketing Sales Rule, 
and the Federal Communications Commission's Telephone Consumer 
Protection Act.
    Moreover, transmitting false Caller-ID information violates the 
Direct Marketing Association's Guidelines for Ethical Business 
Practices (Article #44 and Article #51). Specifically, Article #44 
(Caller-ID/Automatic Number Identification Requirements) advises: 
``Marketers should not block transmission of caller identification or 
transmit a false name or telephone number . . .'' Article #51 (Laws, 
Codes, and Regulations) calls for marketers to abide by state, Federal 
and local laws governing marketing practices and business transactions.

    Senator Stevens. Senator, I'm going to have to leave. Could 
I just ask if you'd do two things. First, there is a House 
bill, H.R. 251 that has been passed and has been sent to the 
Senate. Senator Kyl has a bill, S. 1654, which has been sent to 
Judiciary. I think there is a criminal side of this and there 
is also a communications side of it. I'd appreciate it very 
much if you could give us, give to our staff, any suggestions 
you have about modifications of the bill with regard to the 
communications aspect so that we could have that information 
before the mark up next week.
    I do believe we will mark up the bill and get it out next 
week, but I'd hope that we'd be able to make any changes that 
would be necessary to get it to the floor in a manner that 
would not be controversial. I think if you have amendments that 
we can consider next week, it would be very helpful. Thank you 
very much. I hope you'll make me a co-sponsor, Mr. Chairman.
    Senator Nelson. Without objection.
    Senator Stevens. Thank you.
    Senator Nelson. Thank you, Senator.
    Senator Stevens. I also have questions I'll file for the 
record.
    Senator Nelson. OK. Thank you, Mr. Cerasale. Ms. Knight?

         STATEMENT OF ALLISON KNIGHT, STAFF COUNSEL AND

          DIRECTOR, PRIVACY AND HUMAN RIGHTS PROJECT,

          ELECTRONIC PRIVACY INFORMATION CENTER (EPIC)

    Ms. Knight. Good morning. Senator Nelson, Members of the 
Committee, thank you for the opportunity to testify today on 
Caller ID spoofing and the Truth in Caller ID Act of 2007, S. 
704. My name is Allison Knight and I'm Staff Counsel and 
Director of the Privacy and Human Rights Project at the 
Electronic Privacy Information Center.
    I'd like to discuss two separate and important privacy 
interests related to the issue of Caller ID spoofing and the 
first is the right for call recipients to be free from 
pretexting and other fraud that can lead to the loss of their 
privacy and the threats of stalking, identity theft and 
harassment and we've heard from the other panelists on this 
issue.
    The second is the rights of callers to limit the disclosure 
of their phone numbers in order to protect their privacy and in 
some cases, their safety. The Truth in Caller ID Act of 2007, 
S. 704, as currently drafted, does not adequately protect both 
of these interests. EPIC recommends that any ban on Caller ID 
spoofing include an intent requirement so that spoofing is only 
prohibited where it is clear that the person who does not 
provide identifying information intends to defraud or to cause 
harm.
    EPIC recommended the inclusion of an intent requirement in 
testimony on a similar bill introduced in the House last year 
and this intent requirement was incorporated into the version 
of the bill that recently passed in the House that was just 
referred to, H.R. 251. As Mark Rotenburg, Executive Director of 
EPIC stated, ``an intent requirement preserves the privacy 
rights of callers and permits legitimate uses of spoofing while 
outlawing fraud and harassment assisted by the technology.''
    We also have concerns about the provision in the Senate 
bill that permits law enforcement agencies to possibly 
misrepresent their identities in the context of 
telecommunications services.
    Before Caller ID services were offered, telephone customers 
generally had the ability to control the circumstances under 
which their phone numbers were disclosed to other people. Many 
individuals have legitimate reasons to report a different 
number than the one presented on Caller ID. For example, a 
person may wish to keep his or her direct line private when 
making calls from within an organization. Similarly, an 
individual with multiple communications devices, such as a 
landline and a cell phone and a wireless handheld device, may 
want to route all returned calls to one device or a number.
    Now, in some circumstances, disclosure of a person's phone 
number may also put his or safety at risk. Domestic violence 
survivors, shelters and other safe homes need to preserve the 
confidentiality of their phone numbers. They may need to 
contact abusers without exposing their location in order to 
arrange custody or other legitimate matters. They may also need 
to contact other third parties, such as businesses that have 
permissive privacy policies and may share collected phone 
numbers with lists or data brokers. In all of these situations, 
preserving anonymity is necessary for the caller's safety.
    Caller ID blocking may seem like a viable means for 
allowing callers to protect their anonymity while not 
misleading recipients, however Caller ID blocking is not a 
complete solution because a caller can be identified through 
other means, first of all, such as the Automatic Number 
Identification System, which was developed for emergency 
services. Also, some recipients prevent blocked ID calls and 
indications are that the number of individuals doing this is 
growing. So in the case of a domestic violence survivor, 
attempting to safely reach a required phone number, an 
individual would have to use spoofing for the innocent purpose 
of preserving the confidentiality of his or her number.
    We can't ignore the privacy interests of those who decline 
to accept calls from unknown numbers. If an individual has been 
habitually harassed by phone calls from a Caller ID-blocked 
number, we should not permit the harasser to use spoofing as a 
means to circumvent the individual's screening and I believe 
this is the purpose, the reason that this bill was introduced.
    Caller ID spoofing can create privacy risks. Last year, 
EPIC brought to Congress's attention, the problem of pretexting 
consumers' phone records. Pretexting is a technique by which a 
bad actor can obtain an individual's personal information by 
impersonating a trusted entity. For these reasons, the practice 
of spoofing for the purpose of fraud or for harm should be 
curtailed. Preventing spoofing for harmful reasons would hold 
illegitimate spoofers accountable.
    Spoofing Caller ID numbers can create a real risk to 
individuals who might be defrauded or harmed by illegitimate 
uses of the technology, at the same time, it's important not to 
punish those who may have a legitimate reason to conceal their 
actual phone numbers. The inclusion of an intent requirement in 
the Senate bill would focus the punishment on harmful and 
fraudulent uses of Caller ID spoofing while preserving 
legitimate uses of the technique.
    In addition, an intent requirement would render specific 
exemptions, such as for law enforcement unnecessary as a 
legitimate law enforcement activity that employs spoofing would 
be protected by the requirement to show an intent to defraud or 
cause harm.
    I'd be happy to answer any questions you have. Thank you.
    [The prepared statement of Ms. Knight follows:]

   Prepared Statement of Allison Knight, Staff Counsel and Director, 
Privacy and Human Rights Project, Electronic Privacy Information Center 
                                 (EPIC)
    Chairman Inouye, Vice Chairman Stevens, and members of the 
Committee, thank you for the opportunity to testify today on Caller ID 
spoofing and the Truth in Caller ID Act of 2007, S. 704. My name is 
Allison Knight and I am Staff Counsel and Director of the Privacy and 
Human Rights Project at the Electronic Privacy Information Center. EPIC 
is a non-partisan research organization based in Washington, D.C. that 
seeks to focus public attention on emerging civil liberties issues and 
to protect privacy, the First Amendment, and Constitutional values.
    Two separate and important privacy interests meet in the issue of 
Caller ID spoofing. First, there is the right of callers to limit the 
disclosure of their phone numbers in order to protect their privacy, 
and in some cases, their safety. Second, there is the right for call 
recipients to be free from pretexting and other fraud that can lead to 
the loss of their privacy, and the threats of stalking, identity theft, 
and harassment.
    The Truth in Caller ID Act of 2007, S. 704, as currently drafted 
does not adequately protect both interests. EPIC recommends that any 
ban on Caller ID spoofing include an intent requirement, so that 
spoofing is only prohibited where it is clear that the person who does 
not provide identifying information ``intends to defraud or cause 
harm.'' EPIC recommended the inclusion of an intent requirement in 
testimony on a similar bill introduced in the House last year,\1\ and 
this intent requirement was incorporated into the version of bill that 
recently passed in the House.\2\ As Marc Rotenberg, Executive Director 
of EPIC stated, ``an intent requirement preserves the privacy rights of 
callers and permits legitimate uses of spoofing, while outlawing fraud 
and harassment assisted by the technology.'' \3\ We also have concerns 
about the provision in the Senate bill that permits law enforcement 
agencies to possibly misrepresent their identities in the context of 
telecommunications services.
---------------------------------------------------------------------------
    \1\ The Truth in Caller ID Act of 2006, H.R. 5126.
    \2\ The intent requirement was also included in the Truth in Caller 
ID Act of 2007, H.R. 251. EPIC testified on this House bill on February 
28, 2007, in support of the intent requirement. The Truth in Caller ID 
Act of 2007, H.R. 251 passed the House on June 12, 2007, and was 
received into the Senate and referred to the Committee on Commerce, 
Science, and Transportation on June 13, 2007.
    \3\ H.R. 5126, the Truth in Caller ID Act of 2006: Before the 
Subcomm. on Telecommunications and the Internet of the H. Comm. on 
Energy and Commerce, 109th Cong. (2006) (statement of Marc Rotenberg, 
President and Executive Director, Electronic Privacy Information 
Center). See also, H.R. 251, the Truth in Caller ID Act of 2007: Before 
the Subcomm. on Telecommunications and the Internet of the H. Comm. on 
Energy and Commerce, 110th Cong. (2007) (statement of Allison Knight, 
Director, Privacy and Human Rights Project, Electronic Privacy 
Information Center).
---------------------------------------------------------------------------
Telephone Customers Have Legitimate Reasons to Withhold Their Phone 
        Numbers
    The introduction of Caller ID services and the associated Automatic 
Number Identification (ANI) created new risks to privacy. Before these 
services were offered, telephone customers generally had the ability to 
control the circumstances under which their phone numbers were 
disclosed to others. In many cases, there was little need for a 
telephone customer to disclose a personal phone number if, for example, 
a person was calling a business to inquire about the cost or 
availability of a product or wanted information from a government 
agency. In other cases, there was a genuine concern that a person's 
safety might be at risk. For example, women at shelters who were trying 
to reach their children were very concerned that an abusive spouse not 
be able to find their location.\4\
---------------------------------------------------------------------------
    \4\ Letter from National Network to End Domestic Violence to the 
House Committee on Energy and Commerce (May 16, 2006).
---------------------------------------------------------------------------
    In the context of the Internet and the offering of voice services 
over Internet Protocol (VoIP), there are additional concerns about the 
circumstances under which a person may be required to disclose their 
identity. The Supreme Court has repeatedly made clear that the right to 
be anonymous is protected by the First Amendment and also that the 
Internet is entitled to a high level of First Amendment protection.\5\
---------------------------------------------------------------------------
    \5\ Watchtower Bible & Tract Society v. Village of Stratton, 536 
U.S. 150 (2002), McIntyre v. Ohio Elections Commission, 514 U.S. 334 
(1995), and Talley v. California, 362 U.S. 60 (1960); ACLU v. Reno, 521 
U.S. 844 (1997).
---------------------------------------------------------------------------
    Many individuals have legitimate reasons to report a different 
number than the one presented on Caller ID. For example, a person may 
wish to keep her direct line private when making calls from within an 
organization. Such an arrangement legitimately gives call recipients a 
number to which they can return a call, but prevents an individual 
person's phone from being inundated with calls that should be routed 
elsewhere.
    In addition to threatening a person's rights to privacy and to 
freedom of speech, in some circumstances disclosure of a person's phone 
number may also put his or her safety at risk. For example, domestic 
violence survivors, shelters, and other safe homes need to preserve the 
confidentiality of their phone numbers. They may need to contact 
abusers without exposing their location, in order to arrange custody or 
other legitimate matters. They may need to contact businesses the 
abuser is acquainted with, and that may share survivor information with 
the abuser. They may also need to contact other third parties, such as 
businesses that have permissive privacy policies, and thus share 
collected telephone numbers with list or data brokers. In all of these 
situations, preserving anonymity is necessary for safety.\6\
---------------------------------------------------------------------------
    \6\ Domestic Violence and Privacy, Electronic Privacy Information 
Center http://www.epic.org/privacy/dv/.
---------------------------------------------------------------------------
Caller ID Blocking Does Not Adequately Protect Privacy Interests
    Caller ID blocking may seem like a viable means for allowing 
callers to protect their anonymity while not misleading recipients. 
However, Caller ID blocking is not a complete solution. One reason for 
this is that Caller ID is not the only way that a caller can be 
identified. Another system, known as Automatic Number Identification, 
or ANI, will still disclose a caller's identity in many situations, 
regardless of whether or not the caller used call blocking. This means 
that many businesses, emergency service providers, and anyone with a 
toll-free number can reliably gain the phone number of a caller, even 
if Caller ID is blocked. Spoofing services can protect the anonymity of 
a caller's ANI data when calling toll-free numbers and those entities 
that use ANI identification.
    Some recipients prevent blocked ID calls, and indications are that 
the number of individuals doing this is growing. In the case of a 
domestic violence survivor attempting to safely reach a required phone 
number, an individual would have to use spoofing for the innocent 
purpose of preserving the confidentiality of his or her number.
    We also cannot ignore the privacy interests of those who decline to 
accept calls from unknown numbers. If an individual has been habitually 
harassed by calls from a caller-blocked number, we should not permit 
the harasser to use spoofing as a means to circumvent the individual's 
screening. At the same time, it is clear that there could be 
prosecution for harassment whether or not additional prohibition on 
spoofing were enacted.\7\
---------------------------------------------------------------------------
    \7\ See 47 U.S.C.  223; 47 U.S.C.  227.
---------------------------------------------------------------------------
Spoofing Can Create Privacy Risks
    This is not to say that Caller ID spoofing is an unqualified good--
far from it. Last year, EPIC brought to Congress's attention the 
problem of pretexting consumers' phone records.\8\ Pretexting is a 
technique by which a bad actor can obtain an individual's personal 
information by impersonating a trusted entity. Pretexters have spoofed 
the telephone numbers of courthouses, in order to harass people for 
supposedly missing jury duty, threatening fines or arrest unless they 
turn over Social Security Numbers or other personal information.\9\ Rob 
Douglas of PrivacyToday.com, with whom EPIC has worked on the 
pretexting issue, noted how fraudsters would use spoofing services in 
order to fool customers into thinking that fraudulent calls were coming 
from trusted sources.\10\
---------------------------------------------------------------------------
    \8\ Protecting Consumers' Phone Records: Before the Subcomm. on 
Consumer Affairs, Product Safety, and Insurance of the S. Comm. on 
Commerce, Science, and Transportation, 109th Cong. (2006) (statement of 
Marc Rotenberg, President and Executive Director, Electronic Privacy 
Information Center). http://www.epic.org/privacy/iei/
sencomtest2806.html; Phone Records for Sale: Why Aren't Phone Records 
Safe From Pretexting?: Before the H. Comm. on Energy and Commerce, 
109th Cong. (2006) (statement of Marc Rotenberg, President and 
Executive Director, Electronic Privacy Information Center) http://
www.epic.org/privacy/iei/pretext_testimony.pdf.
    \9\ Sid Kirchmeyer, Scam Alert: Courthouse Con, AARPBulletin, May 
2006, http://www.aarp.org/bulletin/consumer/courthouse_con.html.
    \10\ Phone Records for Sale: Why Aren't Phone Records Safe From 
Pretexting?: Before the H. Comm. on Energy and Commerce, 109th Cong. 
(2006) (statement of Robert Douglas, CEO, PrivacyToday.com), http://
www.privacytoday.com/HC020106.htm.
---------------------------------------------------------------------------
    For these reasons, illegitimate spoofing activities should be 
curtailed. Law enforcement and telephone companies can retrace these 
calls to the originating service.\11\ A spoofed number is not 
completely anonymous and without accountability. Preventing spoofing 
for harmful reasons will hold illegitimate spoofers accountable.
---------------------------------------------------------------------------
    \11\ Peter Svenson, Caller ID Spoofing Becomes All Too Easy, USA 
Today, Mar. 1, 2006, http://www.usatoday.com/tech/news/2006-03-01-
caller-id_x.htm.
---------------------------------------------------------------------------
Intent Requirement
    The inclusion of an intent requirement in the Senate bill would 
focus the punishment on harmful and fraudulent uses of Caller ID 
spoofing while preserving legitimate uses of the technique. In 
addition, an intent requirement would render specific exemptions for 
law enforcement unnecessary, as legitimate law enforcement activity 
that employs spoofing would be protected by the requirement to show 
intent to defraud or cause harm.
Significance of NSA Surveillance Program for Privacy of Call Records
    Mr. Chairman, I would also like to bring to the Committee's 
attention our concern that the National Security Agency may have 
constructed a massive database of telephone toll records of American 
consumers. Last year, EPIC filed a complaint with the Federal 
Communications Commission in which we alleged that Section 222 of the 
Communications Act, which protects the privacy of customer record 
information, might have been violated.\12\ We urged the Commission to 
undertake an investigation of this issue. In light of the ongoing 
controversy about the possibility that Federal privacy laws were 
violated, the need to pursue this investigation is clear.
---------------------------------------------------------------------------
    \12\ EPIC Complaint to the Federal Communications Commission (May 
16, 2006).
---------------------------------------------------------------------------
    We respectfully ask Members of this Committee to support EPIC's 
recommendation that the FCC undertake an investigation of the possibly 
improper disclosure of telephone toll records by the telephone 
companies that are subject to the privacy obligations contained in the 
Communications Act. If the Communications Act was violated, that should 
be of great concern to the Committee.
Conclusion
    Spoofing Caller ID numbers can create a real risk to individuals 
who might be defrauded or harmed by illegitimate uses of this 
technology. At the same time, it is important not to punish those who 
may have a legitimate reason to conceal their actual telephone numbers. 
The inclusion of an intent requirement in the Truth in Caller ID Act of 
2007 would significantly improve the bill by distinguishing between 
appropriate and inappropriate Caller ID spoofing.
    I will be happy to answer any questions you might have at this 
time.

    Senator Nelson. Thank you, Ms. Knight. Mr. Jones?

           STATEMENT OF HON. RON JONES, COMMISSIONER,

           TENNESSEE REGULATORY AUTHORITY; CHAIRMAN,

CONSUMER AFFAIRS COMMITTEE, NATIONAL ASSOCIATION OF REGULATORY 
                     UTILITY COMMISSIONERS

    Mr. Jones. Thank you, Senator Nelson and members of the 
Committee. NARUC represents the state public utility 
commissions, the PUCs in all 50 states, the District of 
Columbia and U.S. territories with jurisdiction over 
telecommunications, electricity, natural gas, water and other 
utilities and in this capacity, the PUCs are on the frontline 
of consumer protection in these areas and are often the first 
to learn of emerging consumer concerns.
    NARUC is pleased to be here in support of the enactment of 
Caller ID spoofing legislation. In fact, NARUC considered and 
passed a resolution that was adopted at our summer meeting in 
2006. As has been mentioned here, Caller ID spoofing harms 
consumers in the areas of identity theft, credit card fraud, 
public safety, endangerment, law enforcement interference and 
other areas.
    But more specifically of concern to NARUC, NARUC believes 
that government at all levels must be able to identify and 
address new and novel threats in a timely fashion to ensure the 
safety of consumers. Allowing the practice of Caller ID 
spoofing to continue may reduce consumer trust in many of the 
public, commercial, financial and political institutions that 
are relied upon by American consumers.
    NARUC is pleased with the inclusion of language in S. 704, 
acknowledging the key role state officials play in protecting 
consumers through enforcement of state laws that are consistent 
with Federal rules. NARUC's one suggestion for change in the 
bill would be to strike the section limiting state action while 
a Federal enforcement action or proceeding is pending. Federal 
and state agencies can mutually benefit from revelations 
gleaned from concurrent investigation of violations of their 
respective laws and we see a great benefit in not taking cops 
off the beat, so to speak.
    Consumer protection is and has been for a long time, a core 
competency of state commissions. States should not be 
encumbered from investigation and enforcement of violations of 
state law.
    Caller ID spoofing is a key tool in identity theft efforts 
by criminals. The Federal Trade Commission reports that 10 
million individuals are victims of identity theft each year and 
identity theft is the number one consumer complaint. Passage of 
the Truth in Caller ID Act of 2007 will be a huge step forward 
in reducing the problem of identity theft. NARUC believes it 
will remove a major weapon that is Caller ID spoofing from the 
arsenal of criminals.
    Senator Nelson and members of the Committee, NARUC and its 
members are committed to working with you to protect consumers 
and we urge your swift passage of S. 704 to end the practice of 
Caller ID spoofing and we certainly thank you for inviting 
NARUC to testify before the Committee and I'd be happy to 
answer any questions.
    [The prepared statement of Mr. Jones follows:]

     Prepared Statement of Hon. Ron Jones, Commissioner, Tennessee 
 Regulatory Authority; Chairman, Consumer Affairs Committee, National 
            Association of Regulatory Utility Commissioners
    Mr. Chairman, Vice Chairman Stevens, and Members of the Committee, 
thank you for the opportunity to testify today on S. 704, the ``Truth 
in Caller ID Act of 2007.''
    I am Ron Jones, Commissioner with the Tennessee Regulatory 
Authority and a member of the National Association of Regulatory 
Utility Commissioners (NARUC). I serve as Chairman of NARUC's Committee 
on Consumer Affairs. NARUC represents State public utility commissions 
(PUCs) in all 50 States, the District of Columbia and U.S. territories 
with jurisdiction over telecommunications, electricity, natural gas, 
water and other utilities. In this capacity, PUCs are on the frontline 
of consumer protection in these areas and are often the first to learn 
of emerging consumer concerns.
    We commend you, Co-Chairman Stevens, the sponsors of this 
legislation Senators Nelson and Snowe, your staffs and other committee 
members, for addressing the issue of Caller ID fraud, otherwise known 
as Caller ID spoofing. Caller ID spoofing is an issue of growing 
concern and one of the many tools criminals can use to perpetrate fraud 
and steal the identities of hard-working, law-abiding Americans.
    I am pleased to be here today to present NARUC's support for 
enactment of Caller ID spoofing legislation that would prohibit the 
intentional falsification of the name or number that appears on a 
customer's caller identification (ID) display. A resolution to this end 
was adopted at the NARUC Summer Meeting in 2006, which I have submitted 
for the record with my testimony. The resolution was adopted in 
response to growing consumer complaints concerning the practice of 
Caller ID spoofing and notes the important role state PUCs play in 
policing such activities.
    The telecommunications industry has experienced a decade of 
unprecedented technological innovation bringing consumers an array of 
new communications devices and services. Unfortunately, with new 
technology often come new risks and increased opportunities criminals 
can exploit for their own nefarious purposes.
    Previously, special equipment and knowledge was necessary to fake 
Caller ID information. However, the rise of new multifunctional, user 
friendly, Internet technologies and Voice over Internet Protocol (VoIP) 
has put spoofing within easy reach of scammers. All one has to do is go 
to a website, pay a small fee--often as low as $10--type in the number 
you'd like to call then input the name and number that you would like 
to be displayed on the call recipients Caller ID. It is as easy as 
that.
    How is Caller ID spoofing being used and how is it harming 
consumers? There are several areas in which this technology is being 
used to harm consumers, including but certainly not limited to:

   Identity theft: Caller ID fraud is a key tool in pretexting 
        which is the practice of obtaining personal information under 
        false pretenses

   Criminals can falsify the home number of consumers to 
        activate or make purchases on stolen credit cards

   Emergency calls to 911 call centers can be fabricated 
        diverting public safety resources away from real emergencies

   Terrorists could use it to mask their true location 
        hampering law enforcement

   An ex-spouse could use it to harass a former wife or husband 
        who has blocked calls from their phone

    Each of these examples is alone a legitimate reason to prohibit the 
practice of Caller ID spoofing. Taken together they provide 
overwhelming evidence of the need for this legislation. In our 
increasingly technological age, government at all levels must be able 
to identify and address new and novel threats in a timely fashion to 
ensure the safety of consumers. Allowing the practice of Caller ID 
spoofing to continue may reduce consumer trust in many of the public, 
commercial, financial and political institutions that are relied upon 
by American consumers.
    The full extent of Caller ID spoofing is difficult to ascertain. By 
its very nature the goal is to disguise the true identity of the 
perpetrator and their motives. In many cases a consumer may not even 
know they were a victim of Caller ID spoofing. States, like the Federal 
Government, are becoming more aware of this problem and are looking to 
prohibit the practice.
    In my home State of Tennessee, our Senate approved Caller ID 
spoofing legislation but it failed to pass the House. Although my state 
does not have a specific Caller ID spoofing law, we are collecting 
information and learning the extent of such fraud through our oversight 
of the State Do Not Call (DNC) Registry.
    When a complaint regarding a DNC Registry violation is received 
from a consumer, the Authority initiates an investigation. If it is 
subsequently determined that the Caller ID information utilized in the 
violation was falsified, it is noted in the record. A review of 2007 Do 
Not Call violations found forty-two complaints that the Regulatory 
Authority was not able to fully investigate because the originator of 
the call could not be determined or contacted. This happened because 
the number provided to us by the Do Not Call complainant was a spoofed 
number and could not be traced back to the caller despite agency 
subpoenas for phone records of the complainant in an effort to 
determine the identity of the caller.
    The forty-two complaints represent about 14 percent of the total Do 
Not Call complaints received by the Tennessee Regulatory Authority 
since the first of this year. While this may not sound like a large 
percentage, it is my belief that this number is not representative of 
the true scope of this problem. Regardless, each of these identified 
forty-two instances of Caller ID fraud is a potential crime and 
therefore should not be condoned.
    To elaborate on the breadth of this problem, let me share with you 
an example of Caller ID fraud investigated by my colleagues in 
Nebraska. The Nebraska Public Service Commission investigated a slew of 
pre-recorded, automatically dialed calls on the eve of the November 
2006 election. The Commission received several complaints about the 
politically motivated calls in the days before the election. Upon 
investigation, the Commission learned the numbers that appeared on the 
Caller ID were fraudulent and in most cases they were phone numbers 
that were unassigned. Even with the help of the phone companies they 
were unable to determine the actual source of the calls.
    NARUC is pleased with the inclusion of language in S. 704 
acknowledging the key role State officials play in protecting consumers 
through enforcement of State laws that are consistent with Federal 
rules. NARUC's one suggestion for change in the bill would be to strike 
the section limiting State action while a Federal enforcement action or 
proceeding is pending. Federal and State agencies can mutually benefit 
from revelations gleaned from concurrent investigation of violations of 
their respective laws. Consumer protection is a core-competency of 
State commissions; States should not be encumbered from investigation 
and enforcement of violations of State law.
    As I previously stated, Caller ID spoofing is a key tool in 
identity theft efforts by criminals. The Federal Trade Commission 
reports that 10 million individuals are victims of identity theft each 
year and identity theft is the number one consumer complaint. Passage 
of the Truth in Caller ID Act of 2007 will be a big step forward in 
reducing the problem of identity theft. It will remove a major weapon, 
Caller ID spoofing, from the arsenal of criminals.
    Mr. Chairman, members of the Committee, NARUC and its members are 
committed to working with you to protect consumers. We urge your swift 
passage of S. 704 to end this practice. Thank you for inviting me to 
testify before you and I would be happy to answer any questions.
Resolution* Supporting Federal Legislation To Combat Caller 
                        Identification Spoofing
---------------------------------------------------------------------------
    \*\Sponsored by the Committees on Telecommunications and Consumer 
Affairs. Adopted by the NARUC Board of Directors August 2, 2006
---------------------------------------------------------------------------
    Whereas, Congress is considering legislation to prohibit the 
intentional falsification of the name or number that appears on a 
consumer's caller identification (ID) display, commonly referred to as 
``Caller ID spoofing''; and
    Whereas, The Truth in Caller ID Act of 2006, H.R. 5126, would make 
it unlawful for a person, in connection with any telecommunications 
service or VoIP service, to cause any caller identification service to 
transmit misleading or inaccurate caller identification information 
with the intent to defraud or cause harm; and
    Whereas, The use of Internet technology to make telephone calls has 
made Caller ID spoofing easier; and
    Whereas, Caller ID spoofing may be used for fraudulent or deceptive 
purposes which could harm consumers and lessen consumers' trust in the 
telecommunications industry; and
    Whereas, Caller ID spoofing may also threaten public safety by 
fabricating emergency calls and thereby diverting public safety 
resources away from real emergencies; and
    Whereas, The Federal Communications Commission (FCC) is attempting 
to address this problem through enforcement actions and coordination 
with the Federal Trade Commission (FTC); and
    Whereas, The National Association of Regulatory Commissioners 
(NARUC) and its member states have consistently supported and 
encouraged consumer protection and safety issues; now therefore be it
    Resolved, That the Board of Directors of the National Association 
of Regulatory Commissioners (NARUC), convened in its 2006 Summer 
Meetings in San Francisco, California, expresses its support for 
Federal legislation that would make it unlawful for a person to 
transmit misleading or inaccurate caller identification information 
with the intent to defraud or cause harm; and be it further
    Resolved, That NARUC is committed to working with Congress, the 
FCC, the FTC, and the industry on a comprehensive approach to this 
issue in order to educate and protect consumers from Caller ID 
spoofing.

    Senator Nelson. Thank all of you very much. Senator 
Klobuchar?

               STATEMENT OF HON. AMY KLOBUCHAR, 
                  U.S. SENATOR FROM MINNESOTA

    Senator Klobuchar. Thank you, Mr. Chairman. Thank you. I'm 
sorry I missed the opening statements. I had another meeting 
and I'm the new Senator from Minnesota and I have a background 
that is interesting for what we're talking about today because 
I practiced in the telecommunications area for 13 years and 
worked with NARUC rather extensively, Mr. Jones, and then also 
was a prosecutor for 8 years and so I dealt with these issues. 
In fact, my claim to fame is that I got a law passed in 
Minnesota banning Internet phishing but I still got elected 
somehow.
    Anyway, my focus here is on trying to solve this in a way 
that works. I've encountered these things before where if you 
do things too broadly, you can make mistakes but at the same 
time, I've seen the consequences of these kinds of fraud and 
crime, especially in the criminal areas where perpetrators 
might try to pretend they are someone else when they're 
calling. And at the same time, I was very interested in what 
you were saying, Ms. Knight, because when I was a prosecutor, 
we obviously had blocked phones and I know exactly what you 
mean, that more and more people don't accept blocked phone 
calls so when you have victims of domestic abuse or people at 
shelters, there must be a way to get around this. So I'm very 
interested and I was talking to Senator Nelson and his staff 
about some kind of slight change to this so that we make sure 
that those things wouldn't be banned or get someone in trouble 
for doing that for what is really a good reason.
    So my questions are, well first of all, of you, Mr. Jones 
about the idea of striking the section that talks about 
allowing state action to continue. Are there state actions that 
are ongoing in this area or do you have examples from around 
the country where people are looking into this?
    Mr. Jones. Well, Senator, I'm not aware of current state 
actions. I know in the State of Tennessee, when we have 
violations of the Do Not Call Registry and we seek to determine 
the manner of that violation, often times that we determine 
that that number is a spoof call. But more importantly, what we 
seek to try to preserve is the ability for states, when they do 
take action or decide to take action, to pursue Caller ID 
spoofing and as such, consider legislation that they are able 
to do so and they are not encumbered by a prohibition in 
Federal law from moving forward.
    Senator Klobuchar. Then, Ms. Monteith, did I say your name 
correctly? It's easier than mine. But this is based on your 
prepared testimony about how the FCC has met with some of the 
companies, wireless and wireline and Voice over Internet 
Protocol companies, about the Caller ID spoofing issue. Could 
you talk a little bit about what they said in terms of any work 
that is being done to try to address the issue coming from the 
private sector?
    Ms. Monteith. Our meetings with service providers were 
aimed at both understanding potentially how this works within 
the telecommunications network and also discussing with them 
whether or not they were getting complaints from their 
customers about spoofing activities. We did learn how this 
happens in the network, and as I mentioned, there are a variety 
of different ways in which a number can be spoofed.
    In terms of complaints, we get complaints and I think some 
of the telecom carriers have gotten complaints, and they try to 
redress them in a variety of ways. Sometimes, as I think the 
Committee is aware, we've found it is difficult to determine 
where the spoofing is coming from. Sometimes it is couched as 
telemarketing. Sometimes it is harassment types of complaints 
and it is often times difficult to identify who is at the 
bottom of it.
    I'm not sure I've addressed your question. I'm sorry, 
Senator.
    Senator Klobuchar. No, and I can talk to some of them, too. 
You know, sometimes there can be technological answers to these 
things because it is often like looking for a needle in a 
haystack, as you mentioned, to try to find the perpetrator and 
beyond that, I remember we dealt with this with the phishing 
issue. Often times people are victims and they don't know it. 
You didn't hear a complaint because there is some marketer and 
maybe they didn't respond positively so we never knew it 
happened. But I just wondered if you have seen that happening, 
if you think there is a lot more of this going on than we know 
of.
    Ms. Monteith. That may be the case. In just looking at the 
complaint numbers that the Commission has received, we really 
have not seen what we would characterize as a large number of 
consumer complaints. For example, in 2005, we received two 
dozen complaints. In 2006, roughly double that, about 60 
complaints, and so far this year, around 30 complaints. Those 
are not large numbers of complaints when you're talking about 
consumers nationwide having the ability to file complaints with 
the FCC.
    Senator Klobuchar. Although some people might complain to 
the Attorney General's Offices in their state.
    Ms. Monteith. Correct.
    Senator Klobuchar. I mean, I just remember with the 
phishing issue, it was clearly going on. The banks were really 
upset about it. Their names were being used fraudulently on 
these e-mails and it was going on everywhere and when someone 
was a victim, it was bad because they would maybe lose hundreds 
of thousands of dollars. But there were many victims that 
didn't know they were victims and I'm wondering if that's a 
little bit of what's going on here. I don't think I'd remember 
if I see some marketing firm on a Caller ID. I might not answer 
the phone and never even know it happened. So do you think it's 
possible that there is more of it going on that isn't reflected 
in the complaints?
    Ms. Monteith. Yes, I do think that that's possible.
    Senator Klobuchar. All right, good. I just wondered, Ms. 
Knight, if you could just talk a little bit more about the 
victim angle here and the privacy angle in terms of making sure 
as we look at how we could couch some language on the intent 
and make it narrow enough that it doesn't preclude prosecution 
of these crimes. Sometimes it's hard to prove intent but if you 
have someone who is stealing money or something, it makes it a 
lot easier. But could you give me your thoughts on that?
    Ms. Knight. Sure. The language that EPIC has recommended 
would be including an intent to defraud or to cause harm. 
Another reason that we chose those two terms was that first of 
all, fraud would generally deal with commercial violations and 
would imply monetary damages and then second, harm would 
appropriately widen the intent requirement beyond strictly 
fraudulent activity to capture threats to physical safety 
associated with activities such stalking and domestic violence 
that I spoke about earlier.
    Senator Klobuchar. OK, thank you. Mr. Cerasale, you're the 
only one I didn't ask a question of, so I guess my last 
question will be for you. I'd asked Ms. Monteith about any 
efforts in the private sector of looking at this issue and I 
wondered if you knew of any from a technological standpoint?
    Mr. Cerasale. Well, from a technological standpoint, our 
members--as we said, most of them do, if they are 
telemarketers, alter the Caller ID number that is transmitted 
to a customer service number where someone will answer. They 
keep a record of watching what kind of problems they find, 
problems in the final transmission of the Caller ID information 
to the recipient. Sometimes that can be garbled and they work 
with the carriers to try and fix that. They have not, at this 
point--there has not been, from a straight marketer's point of 
view, a great clamor to the DMA that this is a major problem. 
We are starting to hear it some from banks and so forth, 
similar to phishing. I think you have to look at this as 
telephone phishing and it starts with the banks. ``Please give 
me your number. We have a problem with our computer system and 
I need this.''
    So those kinds of things are what we're starting to see and 
they tend to be a spoofing of someone with whom you have a 
true, strong customer relationship. With so many phone numbers 
on a National Do Not Call Registry, there are many consumers 
who do not, if they are on the registry and someone is 
spoofing, they don't care about that. They're just going to 
call. Many of those consumers don't answer the phone. So then 
that spoofing may occur, as you spoke about and it's not 
reported, because I don't respond, because I'm not supposed to 
be receiving telemarketing phone calls, because I'm on the 
list. But if I receive something from my bank or something 
where I have a really close relationship, those are the ones 
that will be answered and we're starting to hear some noise 
from banks on that. And it looks like it may be that banks and 
similar types of financial institutions are going to do the 
same thing they've done with phishing--we will never call you 
and ask you directly for your account numbers, just like we'll 
never send you an e-mail asking for your account numbers. And I 
think that's the way that we see beginning, from a marketers' 
standpoint, of trying to combat the spoofing of a financial 
institution to try and defraud.
    Senator Klobuchar. Well, thank you. Now, I would point out, 
when we embarked on this phishing adventure a few years ago in 
our state, I just noticed yesterday--I was reading the Star and 
Tribune in Minneapolis and they had just convicted someone or 
charged someone. So I think that I wanted to thank Senator 
Nelson for being out front on this with Senator Snowe.
    I think just because we've seen a creeping number of 
complaints going up is all the more reason that you want to get 
at least some tools in place that law enforcement can use, 
knowing we don't really know what direction this will go. But 
at the same time, making sure that we protect the privacy 
interests and I believe, some of the state interests, as the 
witnesses pointed out. Thank you very much.
    Senator Nelson. Senator Klobuchar will be added as a co-
sponsor.
    Senator Klobuchar. Thank you.
    Senator Nelson. Senator Sununu?

               STATEMENT OF HON. JOHN E. SUNUNU, 
                U.S. SENATOR FROM NEW HAMPSHIRE

    Senator Sununu. Thank you, Mr. Chairman. I just have a 
couple of questions. First let me begin with some basic 
questions that Senator Stevens had and that is just viewing 
these things from the consumers' perspective. I guess for each 
of our panel members, maybe we can start with Ms. Monteith, if 
a consumer has concerns or is a victim of domestic abuse, or 
they have a complaint or concern about these kind of fraudulent 
activities, is there anything they can do to verify the 
accuracy of Caller ID information that is being presented to 
them through their phone system?
    Ms. Monteith. I do not know the answer to that question, 
other than the information, obviously, is displayed on their 
customer equipment and calling back the telephone number that's 
displayed to attempt to verify whether or not, in fact, it's 
the entity that it purports to be, or checking with their 
telecommunications carriers and looking at their call records 
to determine where calls came from.
    But let me look into that question and I'd be happy to get 
back with you.
    Senator Sununu. Thank you. Second and more broadly, there 
certainly was an increase in the number of complaints from 2005 
to 2006 regarding spoofing. The number went from 24 complaints 
to 60 complaints. This year, we're about halfway through the 
year. We've had 30 complaints. It certainly doesn't represent a 
dramatic increase and I think overall, it's a relatively modest 
number. So I have two basic questions. First, is that level of 
activity necessary to do a new piece of legislation and the 
second is whether or not the FTC already has the authority to 
deal with a good deal of the fraudulent activity.
    As you know, the FCC has a responsibility and oversight for 
a lot of the IP and broadband voice services. So one, given the 
level of complaints and problems and two, given that the FCC 
already has some authority in this area, is there is a pressing 
need for new legislation and if you think that there is, what 
specific enforcement tools are missing that aren't available 
already?
    Ms. Monteith. I can't comment on the need for legislation. 
I would need to let the Commissioners and the Chairman speak 
for themselves on that matter. I would say that the FCC would 
investigate any consumer complaint, regardless of the number of 
consumer complaints that come to us. So in fact, we're looking 
at the consumer complaints that have been filed with us and 
have taken the initiative to open investigations on this issue 
when it came to our attention.
    Senator Sununu. But there's nothing restricting you from 
opening investigations? There's nothing restricting you from 
enacting penalties where fraudulent activity is found?
    Ms. Monteith. With respect to penalties, two things, I 
think. One, we've already testified that it's not clear that we 
have the authority in this area over entities that are not 
directly regulated by the Commission and, in fact, that issue 
has been raised in response to our Letters of Inquiry by some 
of the targets of our investigations. And second----
    Senator Sununu. Specifically what entities are you talking 
about? As a legislator, I would hope that you don't have any 
authority over entities that aren't--you don't specifically 
have jurisdiction over. In other words, we set up 
jurisdictional boundaries for the clear purpose of not having 
overlapping regulations of administration and oversight. So if 
there are specific entities that you believe you ought to have 
oversight over, you need to be specific about that, about where 
those gray areas might exist.
    But let me--my understanding is you have oversight of 
telecom carriers, which has a long legal history of definition. 
Go ahead.
    Ms. Monteith. That's correct. I'm talking about entities 
that are not directly regulated by the Commission, and not 
commenting on whether we ought to have jurisdiction, merely 
pointing out that there is a question mark that has been raised 
in our investigations as to whether we do have jurisdiction, 
since these entities are not directly regulated by the 
Commission and do not appear to be common carriers.
    Senator Sununu. But with regard to those that you do have 
jurisdiction over, you have the ability to open cases, to carry 
through enforcement and to levy penalties, correct?
    Ms. Monteith. That is correct.
    Senator Sununu. Would the other panel members like to 
comment?
    [No response.]
    Senator Sununu. OK. Is there any specific enforcement tool, 
putting aside the issue of coverage or jurisdiction, any 
enforcement tool that any of the panel members want to 
highlight as being unavailable right now or lacking right now 
in current legislation?
    [No response.]
    Senator Sununu. OK, thank you, Mr.--I'm sorry, who is--it 
is a Chairman today? Mr. Chairman. Thank you, Mr. Chairman. I 
don't want any trouble there. Senator Klobuchar's chair is much 
larger than yours so I was entirely confused. I apologize.
    [Laughter.]
    Senator Klobuchar. We need a visual for that to understand. 
Thank you.
    Senator Nelson. As a matter of fact, I'm surprised that 
Senator Inouye and Senator Stevens allow Senator Rockefeller to 
have that big chair here. But because of his back, he has to 
have it.
    Senator Klobuchar. And it makes me look too small. Please 
continue.
    Senator Nelson. I want to ask you with the fact that Voice 
over Internet Protocol is increasingly becoming a reality and 
we estimate some nine million customers today are using 
telephone calls through VoIP. And the fact that the FCC has 
jurisdiction directly over traditional telephone calls and that 
VoIP service providers are not clearly subject to the same FCC 
Caller ID regulations. So I wanted to ask any of you, do you 
think that this legislation plugs the hole with regard to new 
technologies like VoIP?
    Ms. Monteith. Yes, it appears to do so. The only issue we 
might bring to your attention, Senator Nelson, is that the 
definition of VoIP that is crafted in the legislation does not 
include a provision for VoIP service that might be provided 
without a fee.
    Senator Nelson. Without what?
    Ms. Monteith. Without a fee. In other words, some VoIP 
services may be provided free of charge.
    Senator Nelson. And would that not be within the 
jurisdiction of the FCC?
    Ms. Monteith. Certainly not currently and in reading the 
legislation, I believe the legislation defines VoIP as two-way 
communications provided for a fee, directly to the public for a 
fee. There may be some services that are provided----
    Senator Nelson. So if we're trying to get our hands around 
spoofing and we want you to have the regulatory authority, 
we've got to make that exception.
    Ms. Monteith. I believe that it might be appropriate to 
include that language and we'd be happy to work with your 
staff.
    Senator Nelson. OK, thank you for that recommendation. 
Commissioner Jones, you have stated in your testimony that some 
telemarketers are using spoofing to avoid the Do Not Call list 
enforcement. Do you think that this legislation will fix that 
problem? And will it make the Do Not Call lists' enforcement 
easier for you?
    Mr. Jones. Yes, sir. The legislation goes a long way in 
addressing that and certainly enforcement will be easier based 
on the penalties that are being proposed in there. But of 
course, that would only be honored by those who are not bad 
actors. But certainly, we believe that goes a long way and as I 
stated earlier, what we believe is that what would make it even 
stronger is to not prohibit the states from engaging in a 
concurrent investigation to the extent that state laws allow 
them to do so.
    Senator Nelson. And you think the legislation as it is 
written, would prohibit the states?
    Mr. Jones. From engaging in concurrent investigations, yes, 
sir.
    Senator Nelson. OK. Are there any other tools that you see 
that we need on the Federal level to stop all of this practice?
    Mr. Jones. Well, Senator, if I could think about that a 
little bit and get something back to you, I would appreciate 
that.
    Senator Nelson. Well, while you're thinking about it, go 
beyond spoofing.
    Mr. Jones. OK.
    Senator Nelson. And are there any other telecommunications 
related scams that we need to examine?
    Mr. Jones. Well, beyond spoofing, I think the major one, 
which is not strictly telecommunications but the convergence of 
technology with the phishing example that was given earlier, 
which is a form of web-based spoofing and the URL redirection 
that accompanies that, and that's the part of that particular 
effort that renders the victim unable to know that he or she 
has been spoofed because of the URL redirection. I think, to 
the extent that that technology gap is also considered to be 
closed, then that certainly will go a long way in stopping the 
spoofing in all of its forms, whether it is telecommunications 
through Caller ID or whether it is web-based, along with the 
URL redirection that accompanies that.
    Senator Nelson. You all have suggested that we add the 
intent to defraud or cause harm. Does anybody disagree with 
that on the panel, if that is needed to be added to the bill?
    Ms. Monteith. Senator Nelson, I don't know that the 
Commission has taken a position on that and again, I would be 
happy to get back to your staff on that issue, after speaking 
with the Chairman's Office and the Commissioner's.
    Senator Nelson. Well, are there any other tools that you 
think that we need to consider in cracking down on this 
practice?
    Ms. Monteith. No. I do not.
    Senator Nelson. OK. Senator Klobuchar?
    Senator Klobuchar. You've been very helpful. Thank you to 
all four of you.
    Senator Nelson. Well, thank you all. It was a very 
enlightening hearing and we will proceed with your suggestions 
as we mark up the bill next week. Thank you and the hearing is 
adjourned.
    [Whereupon, at 11:03 a.m., the hearing was adjourned.]
                            A P P E N D I X

 Prepared Statement of Hon. Daniel K. Inouye, U.S. Senator from Hawaii
    Millions of Americans use caller identification services to check 
the name or number of a calling party before they answer the phone. 
Historically, this information has been highly reliable, as attempts to 
provide false Caller ID information required specialized equipment and 
knowledge. However, with the growth of Internet-based calling 
technologies, the ability to send false Caller ID information has 
become significantly easier.
    As a result, criminals have seized this opportunity. They rely on 
sending fraudulent Caller ID information, a practice known as spoofing, 
to cloak their identities. These con artists gain their victims trust 
by posing as financial institutions or government agencies and use that 
trust to deceptively obtain personal information that enables identify 
theft or other forms of fraud.
    To combat this spoofing problem, Senators Nelson, Snowe, and 
McCaskill have introduced legislation S. 704, that would amend the 
Communications Act to explicitly prohibit the transmission of 
misleading or inaccurate Caller identification in connection with 
traditional phone as well as Voice over Internet Protocol services.
    I support them in these efforts and look forward to the testimony 
from today's witnesses.

                                  
