Schneier on Security
A blog covering security and security technology.
« Friday Squid Blogging |
| Anonymous Internet Annoying Is Illegal in the U.S. »
January 9, 2006
Anyone Can Get Anyone's Phone Records
Interested in who your spouse is talking to? Your boss? A celebrity? A politician?
The Chicago Police Department is warning officers their cell phone records are available to anyone -- for a price. Dozens of online services are selling lists of cell phone calls, raising security concerns among law enforcement and privacy experts....
How well do the services work? The Chicago Sun-Times paid $110 to Locatecell.com to purchase a one-month record of calls for this reporter's company cell phone. It was as simple as e-mailing the telephone number to the service along with a credit card number. The request was made Friday after the service was closed for the New Year's holiday.
On Tuesday, when it reopened, Locatecell.com e-mailed a list of 78 telephone numbers this reporter called on his cell phone between Nov. 19 and Dec. 17. The list included calls to law enforcement sources, story subjects and other Sun-Times reporters and editors.
EDITED TO ADD (1/9): More information on BoingBoing.
EDITED TO ADD (1/9): Also see this on EPIC West.
EDITED TO ADD (1/14): Daniel Solove has some good commentary.
Posted on January 9, 2006 at 6:59 AM
• 37 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
Gives a whole new meaning to "don't give your boss your cell phone number".
I was considering returning my work-supplied pager, but now not so much.
It's a problem, We haven't privacity.
A reporter for a canadian magazine Maclean's did the same type of enquiry and they found out the telephone records for Jennifer Stoddart, she is the canadian privacy commissioner. They got her home phone, her vacation's home and cell records. So how did private canadian phone records end up in a U.S. database? mmmm.
read the article here:http://www.macleans.ca/topstories/canada/article.jsp?content=20051121_115779_115779
If you've got the dough you can get anything.
Bruce, you have an unclosed blockquote tag.
Her service provider, as I recall, was an American firm. Surprising, huh?
Great coverage of this and related issues is at http://www.privacylawyer.ca/
Interesting. The big question seems to be how they lift the records from the phone companies in the first place. Macleans suggests the likely scenario is that the rats at locatecell.com actually masquerade as the target customer! Whatever technique they employ, I'm confident there's an illicit component.
I'm thinking these guys are going to get shut-down big time........ eventually. :-)
The companies named in Macleans:
Bell Canada, Telus Mobility, Rogers are in fact Canadian.
All telephone traffic within and through the USA (Much of foreign traffic is deliberatedly routed through the US to make it accessible.) is required by law to be entirely and immediately open to law enforcement for free. Further, every telephone circuit must be available for surveillance by law enforcement for free.
In theory this access requires a warrant, but the hardware and software cannot read warrants, so all that is required is the operator's authorization, which is defaulted to 'on' (and which I think cannot be switched off).
The system that provides this access cannot be deny access to illicit use -- either by the police or anyone else. It's the nature of the beast -- by design.
Get used to it.
Thanks for the correction. A Verizon spokesperson was poo-pooing the gravity of this in another article I read on this, and I thought he was in the Macleans article.
Jeez. Pass the Geritol, somebody.
s/Verizon/Cingular/ in my previous comment.
EPIC has filed a complaint with the Federal Trade Commission identifying 40 websites that offer wireline and wireless phone records. We also filed a petition at the Federal Communications Commission proposing heightened security standards for phone companies, but the phone companies opposed it very strongly. This is all online at http://epic.org/privacy/iei/.
And BTW, they're not just "pretexting" phone companies. They are impersonating people to get financial, medical, and other records from unwitting companies.
We're pretty certain that the phone records are obtained by "pretexting," the practice of impersonating the account holder. The attorney for Bestpeoplesearch.com admitted this on CNBC the other day. I posted a transcript at:
Sounds pretty illicit. And if you can do it for phone records, I expect the exact same technique would work with credit cards.
Haha. There are some New York Times reporters whose cellphone calls I am sure more than a few people would be interested in.
It might work technically, but in the US it is against the law.
I'm amazed this is legal. Really.
Do you know whether this is legal in other countries too?
The EU has agreed on a directive that will ensure all kind of connection records will be stored at least 6 months and up to 2 years.
Combine this with the business scheme Bruce is showing off here and you've got privacy hell.
"I'm amazed this is legal. Really."
I don't think this is legal. In fact, I'm pretty sure it's not legal.
I'm fairly confident pre-texting is now illegal. I had an interesting conversation with a private detective who was griping about how the post 9/11 climate was really gumming up his ability to get information. He said that he used to pre-text to get bank records all the time, but now considered it too risky. (Note: this was a white-hat guy.)
Taking about privacy issues: here in Mexico due to a very-very-incredible-mishandled cookie in the site of one of the biggest carriers (you may guess who can it be) it is possible to have full access to the last two months of call records (date/time, call duration, phone dialed, address and name of the suscriber) of every land-line in the country that is listed on the white pages (not marked "private" and not a "commercial" line).
(To do this you first have to get and online account. Not difficult, every custommer of this carrier can easily get one using, paradoxically, the same website)
The problem is that they are codifying some values on the cookie (phone number, name of the suscriber, etc.) that are used on the application and. There is also a field in this cookie that if you change it from one value to the other, you get "all-view" access (you may also get access to some other functions, like paying and such, but I have not tried them)
It is my knowledge that this problem have been going on from about one and a half years (last time I checked was two months ago, it may already being fixed now but with the history record of this company I highly doubt it)
"Pre-texting", huh? Don't you just love it when people invent nice new jargon words to cover up good old fashioned terms like "impersonation" and "fraud". Of course, hackish and crackish types have our own jargon term, "social engineering".
EPIC notes that these companies may use several other methods as well (no doubt, if paid enough they use whatever method works), but _all_ of them consitute unauthorised access to a computer data source. IANAL but this seems to me definitely seriously illegal, as in, go directly to the Federal pen and do not emerge until there's a "1" in the year. Chris, I wouldn't just be calling the FTC and FCC, I'd be calling the FBI too.
> All telephone traffic within and through the USA ... is required by law to be entirely and immediately open to law enforcement for free. .... The system that provides this access cannot be deny access to illicit use
Umm, this has nothing to do with law enforcement taps. The crooks are impersonating the victim and just ask for their itemised bills. Sometimes via a human operator, sometimes via a weakly secured web interface. Completely regardless of law enforcement access, all companies keep these billing records for several years anyway, both to prepare invoices and to respond to disputes. And it is entirely appropriate that the data should be made available to the customer, whether as a basic courtesy and service (in the US model) or because he has a legal right to it (in the non-US model).
The problem here is a combination of minimum wage call-centre operators not trained to understand social engineering, and excessively weak authentication before releasing quite large amounts of quite private information. And it is a problem which is fairly pervasive in our society.
Our European friends tell us that the problem is much less severe in countries with national ID cards, but that solution is no cure all, creates its own issues, and is culturally and political unacceptable in my country and probably the US too. (I would have also said the UK, but they seem to have gone over to the dark side now.)
There is no magic cure all, but Bruce has observed that we can go a long way by putting the responsibility on those with the ability to act on it, i.e. the companies holding the data. Something like, say, a $10,000 fine for the first personal record and a $1,000 fine for each subsequent one which an independant ombudsman is able to obtain, will soon get the data locked up like Fort Knox.
Archive.org says that locatecell.com is run by DataFind Solutions LLC in Reynoldsburg, OH:
DataFind Solutions LLC
2965 Taylor Rd
Reynoldsburg, OH 43068
Here is a link to the cell phone companies' response to EPIC, arguing that no new security measures are needed, and that enforcement of existing laws should solve the problem. You be the judge.
Maybe they should start selling search warrants too?
DataFind has quite a user agreement...basically, you agree that you have researched the law and agree that whatever they are doing is legal. Furthermore, you hold them harmless if it isn't legal...at least that's how I read it.
"All telephone traffic within and through the USA (Much of foreign traffic is deliberatedly routed through the US to make it accessible.) is required by law to be entirely and immediately open to law enforcement for free. Further, every telephone circuit must be available for surveillance by law enforcement for free."
How would you know if you were the target, or your wife or daughter, of the police or some other person.... How would you find out if someone just wanted to listen in and play with you and your family. How do you know if someone has a copy of the phone records if they don't use for some time? What would you really experience if your or your daughter or wife was the victim. What if your daughter was a real victim and it was not just a topic for you on discussion on this board. Would your daughter want to tell you of her suspicions. Or should she just laugh it off and get use to it.
No, not quite right its much more complex than that.
If this were true then contract killing would also be legal, with the proper eula.
"EPIC has filed a complaint with the Federal Trade Commission identifying 40 websites that offer wireline and wireless phone records."
It sounds like the problem is that the companies holding the records have completely ineffectual security. Why don't you file a complaint against them?
So, why is it technically illegal for the government to spy on US citizens, but seems to be "okay" for the commercial sector to do this? I mean, this has to be a violation of something that people breaking the laws should go to jail.... for a VERY long time... with a big guy named Bubba as a cell mate who hasn't had any nooky for a long time, IMHO.
The obvious response is to do what I do to Google: Drown the real data in bullshit. For Google, I run an automated program that searches many, many times over using randomly-selected words and phrases. For the cell phone, I'll just place 10 or 20 meaningless, even wrong-number calls a day. Or, maybe not.
Excellent post for publicizing this bogusness. These guys at bestpeoplesearch.com also offer the service of telling you who other people are calling from their cellphones, according to the WaPo. Now if Bruce would just post about the *possible* security issues with sitemeter's IP tracking database, I'll be happy.
for landlines, 1) apply for service using your real name but with a fake initial added, which confuses them to the point that this telephone account will not be linked to your real name in any of the stalker services, and 2) opt out of your service provider selling your account records (i don't know if they really stop selling your records, but i can't identify any harm from it).
for cellphones, get a prepaid tracfone from walmart using cash and activate it from a cybercafe or public library under a fake name. you can go a year before you have to renew with a credit card, or just toss it and buy a new one.
I doubt that all Canadian communication (phone) cross the border to be inspected by US. In the cases of the telephone records for Jennifer Stoddart, some of them have been done between neighbor cities.
I did use some equipment on the POTS that gives me the round trip delay of the call. Only a few milli-seconds between neighbor cities. No enough for more than 300 Km round-trip at the speed of light if we neglect the processing time of the phone system.
man,reading this is scary.does this mean tey have wrtten transcripts also??
want to check on bf phone hes cheating
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.