What is pretexting? How is it related to identity theft?
I wrote a post about this in April of 2004 on my first identity theft blog, scamsafe.com. You can find the pretext article here.
I’ll assume you are aware of what is going on over in the Hewlett-Packard board room. I won’t opine on it directly. But I will add this. Pretexting is not identity theft. Pretexting is a method, a means to gather information. I wouldn’t even say that pretexting to get phone records is identity theft. Criminal fraud, maybe or maybe not. ID theft? No, unless a specific state has written the term “phone records” into its identity theft law. And I am not aware of one that has. If you are, email me.
Why isn’t pretexting necessarily a crime? There is no federal law that makes pretexting illegal in all cases. There is a federal law (Gramm-Leach-Bliley Act of 1999) that prohibits obtaining customer information by false pretenses—from financial institutions. The only other federal jurisdiction might be the Federal Trade Commission, but that is pretty murky and they can only take civil action. Now, it is possible, I assume, for an attorney general or district attorney to broadly apply other fraud statutes in this case. But it may be an uphill battle. I’ll leave that to others to decide.
Update: Some REALLY great information and discussion is going on in the comments. Thanks to Stuart and Michael for your insights. I will follow up soon.
Update 2: This is a fascinating case, I wish I had time to dig into it more and blog about it. But I will just keep this follow-up to the comments below tied to identity theft. Since the crimes occurred on persons and through records in California, let’s examine CA penal code 530.5, which is the identity theft law. The private investigator used social security numbers, pretending to be certain individuals in the case, and opened online accounts at SBC/AT&T to view phone records via the web. And it’s possible the PI or their contractors did not unlawfully obtain the SSNs but paid for them through a service. The law is clear that a crime is committed when either (1) personal identifying information is used for an unlawful purpose, or (2) when someone, with intent to defraud, acquires or transfers that PIF.
530.5 (a) Every person who willfully obtains personal identifying information, as defined in subdivision (b), of another person, and uses that information for any unlawful purpose, including to obtain, or attempt to obtain, credit, goods, services, or medical information in the name of the other person without the consent of that person, is guilty of a public offense…
(b) "Personal identifying information," as used in this section, means the name, address, telephone number, health insurance identification number, taxpayer identification number, school identification number, state or federal driver's license number, or identification number, social security number, place of employment, employee identification number, mother's maiden name, demand deposit account number, savings account number, checking account number, PIN (personal identification number) or password, alien registration number, government passport number, date of birth, unique biometric data including fingerprint, facial scan identifiers, voice print, retina or iris image, or other unique physical representation, unique electronic data including identification number, address, or routing code, telecommunication identifying information or access device, information contained in a birth or death certificate, or credit card number of an individual person.
(d) Every person who, with the intent to defraud, acquires, transfers, or retains possession of the personal identifying information, as defined in subdivision (b), of another person is guilty of a public offense…
It isn’t clear that phone records are PIF. However, subdivision (d) seems to apply. So this might be a 530.5 violation if someone obtained (doesn’t matter how) SSNs with intent to defraud (commit another crime), such as those Michael Webster points out in the comments. Whew. This is too complicated.
And by the way, Patricia Dunn doesn’t seem to have committed a crime in any way. The only possible criminals from where I sit would be the private eye and/or the contractor hired to do the digging. Although the whole thing stinks from an ethical standpoint. One director (Sonsini) assured other directors (Dunn, Perkins) that getting phone records wasn’t a crime. Dunn clearly approved the nasty investigation of other directors AND reporters. And the people hired by HP (or sub-contractors) might have committed a crime in order to obtain the information. What a disaster all around.
So, I’m with Michael Webster here. There just HAS to be a crime committed here. But I’m still not sure it was identity theft. I wonder if California will amend 530.5 to make subdivision B (the definition of PIF) more broad. Updated: The more I think about it, the more it sure seems like ID theft or damn close to it.
Update 3: It’s worth mentioning that it appears a Caller ID spoofing service was used in this case to fool AT&T customer service (read the link Michael points to in the comments). Probably a spoofcard. I told you these things are bad news.
The FTC announced this today:
Social networking Web site operators Xanga.com, Inc. and its principals, Marc Ginsburg and John Hiler, will pay a $1 million civil penalty for allegedly violating the Children’s Online Privacy Protection Act (COPPA) and its implementing Rule, under the terms of a settlement with the Federal Trade Commission announced today.
According to the FTC, Xanga.com collected, used, and disclosed personal information from children under the age of 13 without first notifying parents and obtaining their consent. The penalty is the largest ever assessed by the FTC for a COPPA violation, and is more than twice the next largest penalty.
This one, I can hardly believe. Did you know that if you call the Oregon state DMV, the person you speak with there might be a convicted felon? And they would have access to your sensitive personal information (DMV data is some of the most sensitive information you can imagine). But wait, good news. The Oregon DMV reassures us that while you may speak with a rapist or killer, don’t worry, because they won’t let someone convicted of identity theft man the phones. Well then, no worries!
David House, a spokesman for the Oregon DMV said, "Yes, there can be murderers, rapists, drug possession, but if they were convicted of identity theft, they wouldn't be able to work for us."
Do they realize how easy it is to commit identity theft? All you need to do is see a SSN, write it down, and give it to someone else to commit fraud. This story was reported back in 2005 by KATU 2 - Portland, Oregon, but I just happened upon it recently.
ConsumerAffairs.com reports on this one.
A security breach on MySpace that enabled users to view other users' private pictures and postings went unattended for several months, according to news reports.
Update: Watch out, this browser looks like it might be bad news. Read more here.
Update 2: Yep, stay away from Browzar. At best, it doesn’t really do much and is an annoyance. It’s not even a new browser, it’s a “wrapper” around Internet Explorer.
There’s a new web browser, believe it or not. It’s designed to not leave a trail behind and provide complete privacy; CNET has a story or just visit their web site. Oh, just because I linked there doesn’t mean I vouch for it. It may not be the best idea to install software you aren’t familiar with. And there are many tools available that will wipe away all the little footprints you leave behind when you browse the web. Go to http://www.download.com or http://downloads.zdnet.com and you will find quite a few. The idea behind Browzar is that it does it automatically.
A new survey of technology professionals reports that 63 percent of respondents don't believe they can prevent such breaches. The survey can be found here. More from PC World:
"This group came out much, much more negative than I ever expected," said Larry Ponemon, the founder and chairman of the Ponemon Institute, an Elk Rapids, Michigan-based firm that looks at information and privacy management practices in business and government. "They said they're bad at detecting [breaches], but even worse at preventing [breaches]."
The 11-page study, "National Survey on the Detection and Prevention of Data Breaches," which was released Monday, is based on responses from 853 IT professionals, including senior executives, information security managers, and others. The study was sponsored by PortAuthority Technologies, a Palo Alto, California-based vendor of information leak prevention software.
The study also found that 41 percent of respondents said their companies are not effective in enforcing data security policies because of a lack of corporate resources.
Have you ever seen an employment verification from Choicepoint? This is something that a prospective employer might use to confirm that your employment background is as you told them. I have one in my hands right now. It has the person’s full name, social security number, and date of birth. It arrived in the mail today.
I assume that Choicepoint does over a million of these a year. I don’t know how many are mailed to former employers, but I bet it’s in the hundreds of thousands.
This is another example of how your sensitive data flies around, unprotected, all the time. The counterpoint is this: What if the former employer is large and needs your SSN and DOB to confirm it has the correct person? But couldn’t they just send the SSN with all but 4 digits redacted, and give the recipient the option of confirming the SSN by telephone? Why is the default always to send our SSN? Because it’s easier.
The AP via Cnet.com reports that AT&T filed suit against 25 data brokers that fraudulently get access to private phone records. Hey, this is nothing new. All a data broker, or private investigator, has to do is pre-texting: pretend to be YOU in order to fool the phone company into handing over your records. It’s easy. This is another example of why identity theft is not just about credit cards. With personal identifying information, a fraudster can unlock all kinds of doors.
AT&T has joined the fight to keep unauthorized data brokers from obtaining and selling its customers' calling records.
On Wednesday, the company's services division filed a lawsuit in U.S district court in San Antonio, Texas, to block 25 unnamed "John Doe" defendants who have allegedly pretended to be customers to gain access to account information.
AT&T said that the so-called data brokers had fraudulently obtained records for some 2,500 customers. The company said this information was used mainly in legal and domestic disputes and that no driver's license numbers or sensitive financial data were accessible.
There is a little irony here, since AT&T was sued itself recently for providing sensitive data to the government. But that’s entirely different and it’s good that AT&T is doing something here about pre-texting and fraud.
Well, this is good news, but file under “it’s about time.” Starting this fall, Cal Poly San Luis Obispo will no longer use SSNs as student ID numbers. Now, every other university that still uses the social security number as an ID needs to follow suit. SANS NewsBites links to the story.