Protecting Consumer Privacy
April 2006

Wireless Carrier Security Measures
The wireless industry is committed to protecting customer privacy and security and employs a variety of practices to thwart the unauthorized access of customer information.
 
Training: Over 70 percent of customer/carrier contacts are over the phone, so carriers spend thousands of hours training their service representatives to be responsive to customers and to screen callers that may be trying to trick the carrier into disclosing call records. Each of the four national carriers will lock customer accounts on demand with a password that the customer selects.  Many carriers have adopted a policy to only send billing records by mail or to the fax number provided when the account was initiated.
 
Billing System Control Mechanisms: Carriers require several tokens to verify a customer’s identity when they request information over the phone. Many carriers will send billing details only to the customer's address of record. Most billing systems have audit mechanisms to track every user who views an account. This tracking feature allows the carrier to research specific accounts that have been compromised and monitor service representatives that are viewing an unusually large number of accounts.
 
Protecting Internet Access to Account Data: Carriers that provide on-line access to billing data provide the accounts with unique passwords that are difficult for information brokers to guess. They also disable access when customers have not accessed their records over the Internet or do not access their accounts for long periods.  
 
Many of these security measures come at a price – additional costs and reduced convenience for the consumer. Customers frequently forget passwords, so carriers must rely on a secondary verification method to re-establish the inquirer’s identity.  These fallback procedures introduce secondary vulnerabilities that information brokers may be able to manipulate. Because of these problems, many of the carriers are considering new notification policies including alerting customers via text message or mail immediately when anyone has requested billing information or requested other changes to the customer’s account.  
 
Leading wireless carriers subscribe to CTIA’s Consumer Code for Wireless Service, which requires the participating carriers to adopt and publish a privacy policy that explains their information practices to consumers, in accordance with applicable federal and state laws.

Laws and Regulations
Section 222 of the Communications Act demands that all carriers protect the confidentiality of customer proprietary network information (CPNI). CPNI includes call records and any other identifying data the carrier has collected.
 
The Act does allow carriers to release CPNI records when ordered by a court or after the carrier has obtained the customer’s approval. Carriers are required to train their personnel on these exceptions, discipline infractions, and maintain a log of all disclosures to third parties. Each year, the carrier must certify compliance by providing a statement explaining how its operating procedures and policies support the Act.  
 
There are a growing number of additional federal and state laws that ensure the industry and government are working together to protect the consumer’s personal data. 

  • Recently, the NYSE required its listed companies to pass Codes of Conduct under Section 406 of the Sarbanes-Oxley Bill to address confidentiality as a goal of its compliance program and to adopt a policy that its “[e]mployees, officers and directors should maintain the confidentiality of information entrusted to them by the company or its customers.”   
  • California’s SB 1386 requires that any service provider that experiences a breach of its security provide notice to those affected. Eighteen states have passed similar laws in the past 30 months and similar federal legislation is pending.   
  • Section 521 of the Gramm-Leach-Bliley Act (15 USC §6821) prohibits any person from obtaining customer information from a financial institution by making fictitious or fraudulent statements.

What Can Consumers Do?
The industry encourages concerned consumers to call their wireless carrier and put passwords on their accounts. It is best to use a password that is easy to remember but that others are not likely to know. Customers can call their carrier and verify whether their account is “restricted”. They can also verify whether they have “opted out” from sharing any of their records with marketers.
  
Investigation and Prosecution
Wireless carriers maintain security and fraud departments responsible for investigating cases where employees or dealers may be providing customer data to outside parties. Through these investigations, the carriers are identifying the information brokers and the specific channels they have been using to access consumers’ call records. Verizon, Cingular, Sprint-Nextel and T-Mobile have taken legal action to stop information brokers in the past.
 
The U.S. Federal Trade Commission has also been working through its “Operation Detect Pretext” to identify and enjoin the illegal conduct of information brokers.  The FTC has warned companies to comply with Federal laws, such as Gramm-Leach-Bliley, which protect consumers’ personal information. 
 
There are a significant number of laws that make it a crime for information brokers to use pretexting to elicit records from financial institutions. Expanding these laws to cover call records from telecommunications carriers may make it easier to prosecute crooked information brokers. 
  
Examples of Unauthorized Access 
Privacy and consumer advocacy groups have argued the wireless industry needs additional incentives and regulations in order to safeguard consumer privacy. They point to information brokers who claim to be able to access any consumer’s call records in their Internet advertisements. Wireless carriers have identified several methods by which information brokers access these records.

  • Pretexting. The broker pretends to be the account holder by presenting the social security number, mother’s maiden name, birth date or other identifying information to the carrier’s customer service representative.  
  • Accessing Online Accounts. Initially, companies often assigned simple, default passwords (e.g., last four digits of account number) that enabled customers to easily access their account information online. Unfortunately, the practice also made it possible for brokers to gain unauthorized access to customer information. 
  • Compromising Service Reps.  Brokers have blackmailed and bribed customer service representatives that have access to customer records.  

Carriers are familiar with each of these ploys and will continue to take extraordinary measures to foil the variety of illegal attempts to hijack consumer records. The wireless industry also complies with a multitude of laws and regulations designed to protect consumer privacy. In spite of carriers’ efforts, information brokers may still succeed, so carriers have been partnering with law enforcement to prosecute pretexters and those that advertise their capability to steal the consumer’s information.
