Cell phone records for sale

Bruce Schneier noticed this Chicago Sun-Times article describing Internet services that sell complete cell phone records to anyone who has the caller’s phone & credit card numbers:

How well do the services work? The Chicago Sun-Times paid $110 to Locatecell.com to purchase a one-month record of calls for this reporter’s company cell phone. It was as simple as e-mailing the telephone number to the service along with a credit card number. The request was made Friday after the service was closed for the New Year’s holiday.

On Tuesday, when it reopened, Locatecell.com e-mailed a list of 78 telephone numbers this reporter called on his cell phone between Nov. 19 and Dec. 17. The list included calls to law enforcement sources, story subjects and other Sun-Times reporters and editors.

Ernie Rizzo, a Chicago private investigator, said he uses a similar cell phone record service to conduct research for his clients. On Friday, for instance, Rizzo said he ordered the cell phone records of a suburban police chief whose wife suspects he is cheating on her.

“I would say the most powerful investigative tool right now is cell records,” Rizzo said. “I use it a couple times a week. A few hundred bucks a week is well worth the money.”

Dont you have the equivalent of the Data Protection act in the US? Patriot doesn’t seem quite so insidious if you can just ring up the phone company and buy a record of anyone’s cell phone.

Oh we do, but it only applies to law enforcement. You see, stalkers, criminals, and corperate america in general can raid your personal data all they want. However, the local police and FBI can’t touch it with a 10 foot pole. It is a wonderful system.

I’ll save somebody a hundred dollars.

I call whores.

Well, ostensibly your data is “protected” by requiring a piece of public information (your cell number) and a piece of “secure” information (your CC#).

So you either have people doing illegal things to acquire your CC# in which case, well, if they can breach your CC# why should you expect your cell records to be more secure, or you have people who theoretically ought to already have access to your call records (i.e. the wife above in a presumed trusting relationship) having access.

What method of identification would be more secure? A pin number? A password? Should you have to get a subpoena for your own phone records?

(Not that the prospect isn’t worrying, but the problem seems couched in the assumption that the CC# is a secure piece of data. Any secure piece of data is compromisable, although CC#s might be somewhat moreso. Theoretically they’re protected on the usage end, though. Realistically… shrug)

Well, if their your phone records, you can usually just look them up without paying. So it is a bit odd.

I also crank call funeral parlors.

True enough. With that in mind, it makes it pretty obvious that these services shouldn’t be available. I don’t feel that anyone should be able to get my records who isn’t me. (Or, of course, law enforcement, if I did something to merit that kind of scrutiny).

Nowhere in the article does it say it’s YOUR credit card number – it’s to pay for the record search, not as a piece of “secure” information.

Then Christoph’s introductory sentence is misleading. If anyone can buy your cell records knowing only your cell number that’s truly disturbing. Can they buy normal land-line records in this way? If not, why the dichotomy? The article made it seem like phone companies are breaking their contract (if not federal law) by giving these records out. Is it actually illegal to do this on land lines, or is it just that the land-line companies are better at protecting customer data?

Information wants to be free. The only way you can prevent people from buying and selling your personal details is to make them public knowlege.

I call Nintendo Power Hintline more often than I call my family.

We did some telemarketing a while back to drum up business.

Basically, you acquire personal information from brokers. It costs about $250 per area code, or 5,000 records, depending on what info you want.

The lists were OK in terms of apparent accuracy, and got us the expected return on cold-calling for new subscribers.

I did note, however, that it contained the fake phone number, name and address that I give out to salespeople when asked. There were lots of obvious fake entires, stuff like 123-4567 phone numbers and Napoleons and what have you.

Also, these brokers seem to take Do Not Call very seriously. Their lists come pre-scrubbed. But the information they offer is extremely complete. If you want to pay for it, you can get emails, fax numbers, cell numbers, and so on. But nothing so crazy as phone records, or what newspapers they subscribe to.

Whoa, you’re right! I re-read the article, and it does appear to say that absolutely anyone can get anyone’s records for a given phone number. That’s just crazy. Why hasn’t anyone sued those phone companies yet?

Basically, you acquire personal information from brokers. It costs about $250 per area code, or 5,000 records, depending on what info you want.

There’s a difference between that and being able to get my phone bill. My Phone number is publicly listed which means it crops up in phone books and on directory enquiries etc. Going Ex-directory removes it from those lists, but my details can still be used for marketing purposes by companies that have a record of my number. Plus we have another level up which is our version of the DNC list and is backed up with fines etc, so it’s taken pretty seriously.

But if it turns out that someone is flogging my phone bill then I’d be talking to solicitors about getting my phone company nailed under the Data Protection Act. That is supposed to be priviledged information and they have a responsibility not only to protect that information, but not to misuse it either.

These companies just generally pull a Jim Rockford to get the info. The methods they use are illegal. And the phone companies don’t have enough in place to stop the social engineering that allows the information to escape.

You could have saved the typing time too, because we already knew that.