Re: phone records for sale.

2006-01-10 Thread Travis H.
You can get records of most kinds from various private investigators
and data brokers for a fee.  I first found out about this in the
mid-90s, but I'm sure they existed before that.

Where the data collection is illegal, the reputable firms assure you
that they are not doing anything illegal, which is correct; they farm
it out to contractors with more cunning than scruples, and they don't
ask questions.  Records of all kinds are available, including
subscriber information for a specific mobile or pager number, or land
lines marked as unlisted.

Mitnick managed to pretext as a law enforcement agent and attempted to
get an informant's drivers license record faxed to him, according to
"The Fugitive Game".  Apparently informants are specifically marked in
the records, which alerted a DMV clerk that something was amiss.

A book I recently read reports that DEA agents have given up informant
names and other info to murderous cartels for as little as $50 a pop,
so to speak.

A well-intentioned law might stop wholesale retail operations, but I
have doubts it would stop the suitably motivated.  I'd rather not have
to try to restrict the activities of some other party who has my
information, I'd rather prevent information from leaking to other
parties in the first place.  The case of utilities delivered to one's
residence is particularly problematic as far as privacy goes.
--
"If I could remember the names of these particles, I would have been a botanist"
  -- Enrico Fermi -><- http://www.lightconsulting.com/~travis/
GPG fingerprint: 50A1 15C5 A9DE 23B9 ED98 C93E 38E9 204A 94C2 641B

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]


Re: phone records for sale.

2006-01-09 Thread leichter_jerrold
| 18 USC 2702(c) says
| 
|   A provider described in subsection (a) may divulge a record or
|   other information pertaining to a subscriber to or customer of
|   such service (not including the contents of communications
|   covered by subsection (a)(1) or (a)(2)) ...
| 
|   (6) to any person other than a governmental entity.
| 
| The first time I read that last clause, I couldn't believe it; I
| actually went and looked up the legislative history.  I found that
| Congress wanted to permit sale for marketing or financial reasons, but
| wanted to limit the power of the government.  (The Supreme Court had
| ruled previously that individuals had no expectation of privacy for
| phone numbers they'd dialed, since they were being given voluntarily to
| a third party -- the phone company.)
Where two parties exchange information voluntarily, deciding who ought to
have 
control of what can get ... interesting.  Here's a more complex case:  
Vendors have long claimed the right use their own customer lists for
marketing 
purposes.  But suppose you buy using a credit card.  Then information about 
your purchase is known not just to you and the vendor you dealt with, but
the 
credit card company (construed broadly - there's the issuing bank, the 
vendor's bank, various clearing houses...).  Can the credit card company use

the same information for marketing - selling, say, a list of a vendor's 
customers who used a credit card to the vendor's competitors?  The same 
vendors who claim that you have no right to tell them what they can do with 
the transaction information incidental to you doing business with them make
a 
very different set of arguments when its "their" information being sold by 
someone else.

This issue came up a number of years ago, but I haven't heard anything
recent
about it.  I'm not sure how it came out - the credit card companies may have
decided to back off because the profit wasn't worth the conflicts.  We're in
the midst of battles, not yet resolved as far as I know, about whether a
search engine can let company A put ads up in reponse to searches for
competitor company B.  Can an ISP sell lists of people who visited ford.com
from among their customers to GM?

Information doesn't want to be free - in today's economy, information wants
to
be charged for everywhere, from everyone.
-- Jerry

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]


RE: phone records for sale.

2006-01-06 Thread Adler, Joseph
I got curious about this issue, and did a little digging into what's
going on here. It turns out that the FCC is looking into this problem at
EPIC's request.

EPIC filed a petition for rulemaking on this subject with the FCC -
which went out for public comment at the end of the year. The petition
itself contains copious material about the practices and methods - which
you can download. Use the FCC ECFS template:
http://gullfoss2.fcc.gov/prod/ecfs/comsrch_v2.cgi
and enter "RM-11277" without the quotes, and click on Retrieve Document
List. I found both the original petition and the replies from service
providers fascinating.

-- Joseph Adler

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Perry E. Metzger
Sent: Friday, January 06, 2006 9:34 AM
To: cryptography@metzdowd.com
Subject: phone records for sale.


The Chicago Sun Times reports that, for the right price, you can buy
just about anyone's cell phone records:

http://www.suntimes.com/output/news/cst-nws-privacy05.html

Quite disturbing.

Perry

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to
[EMAIL PROTECTED]


-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]


Re: phone records for sale.

2006-01-06 Thread Hack Hawk
On Fri, 2006-01-06 at 09:34, Perry E. Metzger wrote:
> http://www.suntimes.com/output/news/cst-nws-privacy05.html
> 
> Quite disturbing.

More disturbing than even the people at Chicago Sun Times realize
apparently.  ;)  Hope no-one was sniffing their email.

'It was as simple as e-mailing the telephone number to the service along
with a credit card number.'



-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]


Re: phone records for sale.

2006-01-06 Thread Steven M. Bellovin
In message <[EMAIL PROTECTED]>, "Perry E. Metzger" writes:
>
>The Chicago Sun Times reports that, for the right price, you can buy
>just about anyone's cell phone records:
>
>http://www.suntimes.com/output/news/cst-nws-privacy05.html
>
>Quite disturbing.

Yes, but it's also bad reporting -- the newspaper neglected to call the 
cell phone companies and ask what their privacy policies are.  What 
happened may have been 100% legal and explicitly permitted by law...

18 USC 2702(a)(3) says

a provider of remote computing service or electronic 
communication service to the public shall not knowingly 
divulge a record or other information pertaining to a 
subscriber to or customer of such service (not including 
the contents of communications covered by paragraph (1) or (2)) to 
any governmental entity.  

18 USC 2702(c) says

A provider described in subsection (a) may divulge a record or
other information pertaining to a subscriber to or customer of
such service (not including the contents of communications
covered by subsection (a)(1) or (a)(2)) ...

(6) to any person other than a governmental entity.

See 
http://www4.law.cornell.edu/uscode/html/uscode18/usc_sec_18_2702000-.html
for the full text.

The first time I read that last clause, I couldn't believe it; I
actually went and looked up the legislative history.  I found that
Congress wanted to permit sale for marketing or financial reasons, but
wanted to limit the power of the government.  (The Supreme Court had
ruled previously that individuals had no expectation of privacy for
phone numbers they'd dialed, since they were being given voluntarily to
a third party -- the phone company.)

If the phone companies are not giving it out voluntarily, perhaps
they're being tricked or perhaps they have corrupt employees.  From my
experience, one way you authenticate yourself to a cell phone company is
by social security number, and those aren't exactly hard to find.  That
possibility suggests using stronger authentication, but of course that
gets in the way of customer service for the 99.99% of queries that are
legitimate.  (I've had to call my company from abroad, more than once,
on fairly urgent matters.  I had no easy access to, say, my last bill.)

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]


phone records for sale.

2006-01-06 Thread Perry E. Metzger

The Chicago Sun Times reports that, for the right price, you can buy
just about anyone's cell phone records:

http://www.suntimes.com/output/news/cst-nws-privacy05.html

Quite disturbing.

Perry

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]