Phone companies and federal lawmakers are demanding it be halted. The Federal Communications Commission is launching an investigation. The business of buying and selling private phone calling records is suddenly under considerable scrutiny.
The Internet, it turns out, has taken something old — a tool for monitoring cheating spouses or conniving business associates — and made it new again.
Last week, at least 40 Web sites were offering cell-phone numbers, unlisted numbers and calling records. For $110 or so, they'd sell you a month's worth of cell-phone calling records for any number, no questions asked.
Such records have been bought and sold for decades, prized by private investigators, lawyers and people in less legitimate professions.
Case in point: In 1998, Los Angeles' police department had a serious security problem. Suspected mobsters obtained home phone numbers and addresses of detectives. In an apparent attempt at intimidation, one mobster showed up at a police officer's home while he was at work, gave his name to the officer's wife and walked away.
The LAPD eventually determined that the officers' personal data came from a Denver firm, Touch Tone Information Inc., that used a technique known as "pretexting." Touch Tone workers would call up phone companies and records holders pretending to be regulators, customers or employees and get them to divulge account information.
The case stirred outrage. The Federal Trade Commission forced Touch Tone out of business and its owner, James Rapp, spent a few months in jail. Robert Pitofsky, chairman of the FTC at the time, said: "This case should send a strong message to information brokers that the FTC will pursue firms that use false pretenses to profit at the expense of consumers' privacy."
Six years later, "pretexting" is again in the spotlight. According to reports this month, Chicago's police department has warned its officers that their cell-phone records are available online. Illinois' attorney general subsequently subpoenaed Locatecell.com, a Web site that sells such records.
Locatecell.com, which is run by a company called 1st Source Information Specialist, was not reachable by phone to explain its methods and did not respond to an e-mail seeking comment.
But according to industry insiders, companies like it obtain their information from a relatively small group of professional "pretexters."
The "pretexters" buttress their believability by buying such personal data as Social Security numbers from online database companies. Often a name, address and the last four digits of a person's Social Security number are all that's needed to obtain calling records.
Another route is to buy the information from insiders, like phone company employees.
So why didn't the Touch Tone case put such businesses out of business?
For one, the FTC went after Touch Tone not for snooping on the private lives of police officers but for "pretexting" financial information from banks.
"Our primary focus there was on financial, because that's really where the most direct harm is," Joel Winston, associate director of the FTC's division of privacy and identity protection, said in an interview. "If I'm pretexting a bank and getting your bank account records I can drain your account."
"With phone records ... not to minimize the intrusion on one's privacy, but generally it doesn't lead to any specific economic harm. It's a different kind of harm," Winston said. Nevertheless, he added, the practice "raises significant privacy concerns."
The Web sites that sell phone records these days claim they aren't doing anything illegal in obtaining them. They claim no specific prohibition exists against posing as someone else to obtain private information as long as the data is not financial. (After the Touch Tone case, Congress passed the Gramm-Leach-Bliley Act of 1999, which specifically made financial pretexting illegal.)
In the absence of criminal prosecution, cell-phone carriers have turned to civil litigation, with some success.
In September, Verizon Wireless secured a permanent injunction against a company in Tennessee that was selling its records. Most recently, Cingular Wireless on Friday received a restraining order against the current and previous owners of Locatecell.com.
The carriers, however, say they can't do it alone.
"We need the assistance of the law enforcement community here," said Joe Farren, spokesman for CTIA, which represents the wireless phone industry.
That help may finally be arriving. Sens. Charles Schumer, D-N.Y., Arlen Specter, R-Pa., and Bill Nelson, D-Fla., introduced a bill Wednesday that would make it illegal to pose as someone else when calling a phone company, or for an employee to sell customer data.
In the meantime, customers can put up a minor road block for pretexters themselves by asking their phone company to set a PIN code for their account instead of using their Social Security number.
Robert Douglas in Steamboat Springs, Colo., a former private investigator who has testified on Capitol Hill about pretexting, notes that this is not a very good defense — customer service representatives can often be browbeaten into giving up personal information even if its protected by a PIN and password.
Neither will it help, of course, if an employee is on the take.