House Commerce Committee Holds Hearing on Bill Related to Pretexting of, and Data Sharing by, Carriers

March 9, 2007. The House Commerce Committee held a hearing titled "Combating Pretexting: H.R. 936, Prevention of Fraudulent Access to Phone Records Act". Both Democrats and Republicans stated that there is a need for the bill, and urged approval.

The one major area of disagreement is the provisions of Title II of the bill that limit data sharing by carriers. Representatives of carriers, and some committee members, argued that the bill should not interfere with legitimate business practices of carriers.

Title I of HR 936 creates civil prohibitions affecting pretexters, purchasers of data collected by pretexting, data brokers, and other intermediaries. It give civil enforcement authority to the Federal Trade Commission (FTC).

Title II contains two types of provisions. One pertains to pretexting and fraud. It requires the FCC to adopt rules mandating that carriers take certain actions to protect the security of customer proprietary network information (CPNI) from pretexters.

The other contains some general privacy provisions for carriers that do not address fraud or pretexting. These sections would prohibit carriers from sharing certain information with affiliates, partners or contractors without the consent of customers. See also, related story titled "Summary of HR 936, the Prevention of Fraudulent Access to Phone Records Act" in TLJ Daily E-Mail Alert No. 1,550, March 12, 2007.

The HCC also reported a bill in the 109th Congress. See, HR 4943 (109th), the "Prevention of Fraudulent Access to Phone Records Act". HR 936 (110th) as introduced, is substantially identical to HR 4943 (109th) as reported by the HCC. However, the full House did not approve the bill, although it was briefly placed on the suspension calendar in March of 2006.

Rep. John Dingell (D-MI), the Chairman of the HCC, said at the March 9, 2007 hearing that "after the Committee reported this bill last year, it mysteriously disappeared from the House floor schedule, and the House took no action before the 109th Congress adjourned."

Rep. Ed Markey (D-MA) stated that the bill was removed from the suspension calendar because of objections from the "intelligence community".

Rep. Anthony Weiner (D-NY) said that "if the administration has concerns about national security, concerns about the legislation, let us hope this year they confront it in a more forthright fashion, rather than in the dark of night simply killing a bill that should have been on the suspension calendar, as many of us would agree with. If a court gets an opportunity to views these concerns, I am sure they will make the right decision. But simply making these privacy decisions in the dark of night by security officials -- we have learned over and over -- this administration cannot be trusted with that much authority."

Many Republican members expressed support for both HR 4943 (109th) and HR 936 (110th), but in nonpartisan language.

Also, last year the Congress enacted a criminal bill, HR 4709, the "Telephone Records and Privacy Protection Act of 2006". President Bush signed this bill into law on January 12, 2007. See, story titled "Bush Signs Bill That Criminalizes Pretexting to Obtain Phone Records" in TLJ Daily E-Mail Alert No. 1,520, January 16, 2007, and story titled "Rep. Smith Introduces Bill to Criminalize Pretexting to Obtain Consumer Phone or VOIP Records" in TLJ Daily E-Mail Alert No. 1,308, February 13, 2006.

The HCC's Subcommittee on Oversight and Investigations also held extensive hearings last fall on pretexting, focusing on the Hewlett Packard scandal.

The bill requires the FCC to conduct a rulemaking proceeding, and complete it within 180 days. The FCC opened a rule making proceeding over a year ago. This proceeding is Docket No. 96-115 and RM-11277. The FCC adopted its NPRM on February 10, 2006. See, story titled "FCC Adopts NPRM Regarding Privacy of Consumer Phone Records" in TLJ Daily E-Mail Alert No. 1,308, February 13, 2006. It released the text [34 pages in PDF] on February 14, 2006. The NPRM is FCC 06-10.

The FCC has not yet issued rules, although Chairman Kevin Martin has given speeches and held news conferences in which he has discussed possible contents of these rules.

Rep. Dingell stated that he wants the FCC to complete this rulemaking.

Lydia Parnes testified on behalf of the FTC. She said that "the FTC does support this legislation". She also stated that she is not aware of the position of the Department of Justice, and that she is not aware of any law enforcement objection. See also, prepared testimony [PDF]. See also, prepared testimony of Tom Navin, Chief of the FCC's Wireline Competition Bureau.

Steve Largent, head of the CTIA - Wireless Association, and Walter McCormick, head of USTelecom, both offered objections to Section 202 of the bill, which creates an opt-in regime for data sharing by carriers.

Largent wrote in his prepared testimony [PDF] that "the imposition of new restrictions on the ability of carriers to share CPNI with joint venture partners or independent contractors is unduly burdensome and has no connection with the goal of preventing fraudulent access to phone records. Many CTIA members employ third-parties to assist with billing and customer care functions. The parties that engaged in these activities for our carriers are bound by strict safeguarding agreements that govern both confidentiality and security obligations". See also, McCormick's prepared testimony [PDF].

Several members of the Committee expressed support for the carriers' position on this issue, including Rep. Rick Boucher (D-VA), Rep. Joe Pitts (R-PA), and Rep. Greg Walden (D-OR).

Mark Rotenberg, head of the Electronic Privacy Information Center's (EPIC), testified in support of HR 936. See, prepared testimony [PDF]. The EPIC's August 30, 2005, petition for rulemaking prompted the FCC to initiate its rulemaking proceeding in February of 2006.

And see, prepared testimony [PDF] of David Einhorn, who testified regarding the pretexting of his phone records.

Neither this hearing, nor this bill, pertain to any of the National Security Agency's (NSA) surveillance or data aggregation programs. Nevertheless, Rep. Dingell said that "Certain major telecommunications companies allegedly turned over the detailed call records of millions of Americans to the National Security Agency (NSA). These phone customers were not informed that the NSA had their records. Apparently this may have been done without proper process. At least one company found it illegal and refused to comply."

Rep. Barton again recited his definition of "pretexting". He said, as he has said at prior hearings, that "Pretexting is pretending to be someone you're not, to get something you shouldn't have, to use in a way that is probably wrong." However, HR 936 does not incorporate or reflect this definition.