Telephone records contain a large amount of intimate personal information. Recent years have seen a rise in the use of this information for marketing and even for criminal purposes. The purchase and sale of telephone record information, therefore, became a booming business. Websites and data brokers claiming to be able to obtain the phone records for any phone number within a few days abounded.
However, the methods by which these data brokers obtained their information came under intense fire from public interest groups concerned about consumer privacy. Consumer groups and news outlets reported that telephone records were being obtained fraudulently by data brokers or other individuals without the knowledge or consent of the customers to whom the records related. Data brokers are thought to employ three different practices to obtain customer telephone records without the approval of the customer. The first method occurs when an employee of one of the phone companies sells the records to the data broker. The second method occurs through a practice called “pretexting,” where a data broker pretends to be the owner of the phone and obtains the records from the telephone company under false pretenses. The third method is employed when a data broker obtains the customer’s telephone records by accessing the customer’s account on the Internet.
In response to increased concern over the unauthorized disclosure of private telephone records, Congress and other regulatory agencies have taken a number of steps to improve the security of this information. Congress enacted the Telephone Records and Privacy Protection Act of 2006, which makes “pretexting” a federal offense. The Federal Trade Commission has instituted a number of enforcement actions against data brokers. In the 110th Congress, bills have been introduced to ensure greater security of phone records. And the FCC recently amended its regulations governing the disclosure of Customer Proprietary Network Information (CPNI) in an attempt to address the concerns raised by Congress, the Electronic Privacy Information Center (EPIC), and other consumer groups regarding the unauthorized disclosure of such information.
This report discusses recent legislative and regulatory efforts to protect the privacy of customer telephone records and efforts to prevent the unauthorized use, disclosure, or sale of such records by data brokers. In addition, it provides a brief overview of the confidentiality protections for customer information established by the Communications Act of 1934. It does not discuss the legal framework for the disclosure by telephone companies of phone records to the government. For an overview of laws that address disclosure of telephone records to the government, see CRS Report RL33424 (PDF; 138 KB), Government Access to Phone Calling Activity and Related Records, by Elizabeth B. Bazan, Gina Marie Stevens, and Brian Yeh. For an overview of federal law governing wiretapping and electronic eavesdropping, see CRS Report 98-326 (PDF; 464 KB, via EPIC), Privacy: An Overview of Federal Statutes Governing Wiretapping and Electronic Eavesdropping, by Gina Marie Stevens and Charles Doyle. This report will be updated when warranted.