The practice occurs in the open, and regulators say it's a growing problem.
Reports of the unauthorized sale of personal telephone records may be sending chills up the spines of callers across the county, but the practice does not occur underground or on the black market. It occurs right out in the open, and according to regulators its a growing problem.
Numerous data broker Web sites advertise personal phone records for sale, including the numbers called, the length of calls, and sometimes the location of cell phones.
How brokers get their hands on the records is the subject of an ongoing investigation by the Federal Communications Commission, where employees have gone undercover to buy data, FCC Chairman Kevin Martin told members of Congress on Feb. 1.
While the records might be obtained by people impersonating account holdersknown as pretextingthey also might be obtained through the breach of carriers security protocols or from "rogue" employees, Martin said at a hearing before the House Committee on Energy and Commerce.
So far, the brokers dont appear intimidated by the FCCs efforts.
Several brokers that received subpoenas in November for details on their practices failed to respond adequately. They were consequently sent citations and referred to the Department of Justice for enforcement, Martin said.
In addition to investigating the data brokers, the FCC is also investigating the phone carriers to determine whether they have implemented appropriate data safeguards.
Carriers were required to detail their security procedures and practices, disclose problems, and address changes made in response to the data broker problem.
On Monday, the commission fined AT&T and Alltel each $100,000 for not adequately responding to the request.
The FCC will continue to examine ways to protect caller information, but the agencys actions arent enough, Martin said.
Both Martin and Federal Trade Commission Commissioner Jon Leibowitz said Congress should ban the commercial availability of phone records.
For advice on how to secure your network and applications, as well as the latest security news, visit Ziff Davis Internets Security IT Hub.
"An entire industry of companies offering to provide purchasers with the cellular and landline phone records of third parties recently has developed," Leibowitz said.
"Although the acquisition of telephone records does not present the opportunity for immediate financial harm as the acquisition of financial records does, it nonetheless is a serious intrusion into consumers privacy and could result in stalking, harassment and embarrassment."
Bills are pending in both the House and Senate creating penalties for anyone using false pretenses to buy someone elses phone records.
Reps. Marsha Blackburn, R-Tenn., and Jay Inslee, D-Wash., introduced legislation Jan. 31, to increase criminal penalties for anyone posing as an account holders to access records.
During the hearing, however, Inslee said he believes such records are not only through pretexting.
"I get the sense theres a broad-based structural loss of this information," Inslee said.
The Blackburn-Inslee bill resembles a Senate bill authored by Sens. Charles Schumer, D-N.Y., Arlen Specter, R-Pa., and Bill Nelson, D-Fla. The measures resemble provisions in the Gramm Leach Bliley Act passed to protect bank records.
To read more about the Department of Justices request to track peoples cell phone information, click here.
The legislation has the support of major telephone companies, including BellSouth.
"This bill protects consumers by going after the con artists," said Herschel Abbott, vice president governmental affairs at BellSouth. "Under the legislation, identity thieves and data brokers who try to trick phone companies into revealing call records will be fined and jailed."
The Senate is scheduled to take up the problem of unauthorized phone record sales Feb. 8.
Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.