FCC Issues New Rules to Guard Against Pretexting

The U.S. Federal Communications Commission (FCC) has established rules that prohibit telephone and mobile phone carriers from releasing customer records over the phone without a password.

In part, the new privacy rules are designed to protect against pretexting, the practice of impersonating a phone customer to gain access to personal phone records, according to the FCC.

In addition, the new rules prohibit unauthorized access to phone records, require notice of any account information changes and demand that organizations obtain customer permission prior to sharing personal data with third parties such as marketing firms.

If someone is unable to provide a password, then carriers may not release any phone records except by sending them to the customer’s street address of record or by calling the customer directly at the telephone number of record.

Protecting Consumers

The new order is designed to be all-encompassing for carriers by taking a strong approach to protecting consumer privacy, FCC Chairman Kevin Martin said Monday. “The unauthorized disclosure of consumers’ private calling records is a significant privacy invasion,” he stated.

“Compliance with our consumer protection regulations is not optional for any telephone service provider. We need to take whatever actions are necessary to enforce these requirements to secure the privacy of personal and confidential information of American customers,” Martin added.

HP Leads the Charge

Americans became aware of pretexting last year when executives at Hewlett-Packard became embroiled in a scandal in which pretexting was used to spy on the firm’s board members.

HP executives, in an effort to track the source of boardroom leaks to the media, allegedly approved the use of pretexting to acquire the phone records of journalists.

Although the HP pretexting scandal hit the national news media just last year, the FCC had been developing the new privacy rules long before then. The nonprofit privacy rights group Electronic Privacy Information Center (EPIC) raised the issue in 2005.

EPIC Involvement

The FCC action is “encouraging” and the new rules are “a very important step to protect consumer privacy,” Marc Rotenberg, EPIC’s executive director, told the E-Commerce Times.

“These are important rules that should help safeguard the privacy of telephone customers’ information,” he added. “It is a very good start but there is still more work to be done.”

In addition to requiring password protection, the rules order carriers to ask a customer’s permission when sharing private account information with business partners and independent contractors.

Opting In

The U.S. Telecom Association, which represents the major carriers, complained that the FCC’s new opt-in consent requirement violates companies’ First Amendment right to communicate with customers. The ruling offers an “extremely anti-consumer outcome,” according to the organization.

“We are deeply concerned that the FCC is taking an overly broad approach [that goes] far beyond protecting the legitimate privacy interests of call detail information to preventing any marketing of new services, bundled offerings and new applications,” the association continued.

Also, the FCC now requires carriers to notify customers and law enforcement officials of any unauthorized disclosure of phone records.