Minority Statement

• Ted Stevens

  Senator
  Read statement

  Minority Statement

  Ted Stevens

  I’m very grateful Senator Inouye called this hearing. These ID services provide us all with information that we need. I’m delighted to have the information when I see who is calling me, I can tell whether to pick up right away or to ask my staff to deal with it, if it something I know I don’t have the time for. This idea that some people can alter that ID information bothers me considerably because it means the loss of privacy, it means identity theft possibilities, and as Senator Nelson mentioned it can compromise personal safety.

   

  We need to understand these concerns and try to make a record.  That’s what we’re going to do today with your help, so that others can review the comments of this panel, which will help us determine what holes are in our laws and if they can be filled to address and prevent this spoofing practice.

   

  I’m particularly worried about the fraudulent aspects that Senator Nelson has mentioned. Particularly, what it would cost, if it could lead to obtaining money totally under false pretenses. It should be against the law already, but I want to find that out, if there is anyone in law enforcement who is working to deal with that directly at this time.

   

  Senators Nelson, Snowe and McCaskill have introduced this bill. It is going to come before the Committee next week and this will be the only hearing and the only opportunity we have to get a record for other members to learn from. So, I’m particularly concerned about the law enforcement acts that have been taken and whether this bill will really provide a solution. I congratulate the sponsors, but will this bill provide the tools law enforcement needs to really improve enforcement activities, and will it provide the information that’s necessary.

   

  I’d like to see something developed that if I see something on my caller ID that I want to preserve, then I can. We lose that immediately once we hang up, we’ve lost that ID. What the telephone record might show would be one thing, but what shows up on the ID is another thing. Some way or another, we’ve got to find a way to preserve that information to show the fraudulent activities involved. We get a great many calls from around the country. When we get a caller ID that indicates to us it’s a Governor or it’s someone from a major organization and we’re working on that legislation, we should be able to rely on that ID.

   

  This fraudulent ID concept goes into violating constitutional concepts that people have the right to contact Congress to readdress wrongs, but if they’re contacting us under false pretenses, we’ve got to have a way to know it. I think this is a very important piece of legislation. I do hope the record will help us convince the other members of the Committee of that fact.

Testimony

• Ms. Kris Monteith

  Chief of Enforcement Bureau

  Federal Communications Commission
  Download Testimony (17.17 KB)

• Mr. Jerry Cerasale

  Senior Vice President, Government Affairs

  Direct Marketing Association
  Download Testimony (94.88 KB)

• Ms. Allison Knight

  Staff Counsel and Director of the Privacy and Human Rights Project

  Electronic Privacy Information Center
  Read statement

  Testimony

  Ms. Allison Knight

  Testimony and Statement for the Record of

   

   

   

  Allison Knight, Staff Counsel

  Electronic Privacy Information Center (EPIC)

   

   

   

  Hearing on

   

  The Truth in Caller ID Act of 2007, S. 704

   

   

   

  Before the

   

  Committee on Commerce, Science and Transportation

  U.S. Senate

   

   

   

   

  June 21, 2007

  253 Russell Office Building

   

  
  

  Chairman Inouye, Vice Chairman Stevens, and Members of the Committee, thank you for the opportunity to testify today on caller ID spoofing and the Truth in Caller ID Act of 2007, S. 704. My name is Allison Knight and I am Staff Counsel and Director of the Privacy and Human Rights Project at the Electronic Privacy Information Center. EPIC is a non-partisan research organization based in Washington, D.C. that seeks to focus public attention on emerging civil liberties issues and to protect privacy, the First Amendment, and constitutional values.

  Two separate and important privacy interests meet in the issue of caller ID spoofing. First, there is the right of callers to limit the disclosure of their phone numbers in order to protect their privacy, and in some cases, their safety. Second, there is the right for call recipients to be free from pretexting and other fraud that can lead to the loss of their privacy, and the threats of stalking, identity theft, and harassment.

  The Truth in Caller ID Act of 2007, S. 704, as currently drafted does not adequately protect both interests. EPIC recommends that any ban on caller ID spoofing include an intent requirement, so that spoofing is only prohibited where it is clear that the person who does not provide identifying information “intends to defraud or cause harm.” EPIC recommended the inclusion of an intent requirement in testimony on a similar bill introduced in the House last year,[1] and this intent requirement was incorporated into the version of bill that recently passed in the House.[2] As Marc Rotenberg, Executive Director of EPIC stated, an intent requirement preserves the privacy rights of callers and permits legitimate uses of spoofing, while outlawing fraud and harassment assisted by the technology.[3] We also have concerns about the provision in the Senate bill that permits law enforcement agencies to possibly misrepresent their identities in the context of telecommunications services.

   

  Telephone Customers Have Legitimate Reasons to Withhold Their Phone Numbers

   

  The introduction of caller ID services and the associated Automatic Number Identification (ANI) created new risks to privacy. Before these services were offered, telephone customers generally had the ability to control the circumstances under which their phone numbers were disclosed to others. In many cases, there was little need for a telephone customer to disclose a personal phone number if, for example, a person was calling a business to inquire about the cost or availability of a product or wanted information from a government agency. In other cases, there was a genuine concern that a person’s safety might be at risk. For example, women at shelters who were trying to reach their children were very concerned that an abusive spouse not be able to find their location.[4]

  In the context of the Internet and the offering of voice services over Internet

  Protocol (VOIP), there are additional concerns about the circumstances under which a person may be required to disclose their identity. The Supreme Court has repeatedly made clear that the right to be anonymous is protected by the First Amendment and also that the Internet is entitled to a high level of First Amendment protection.[5]

  Many individuals have legitimate reasons to report a different number than the one presented on caller ID. For example, a person may wish to keep her direct line private when making calls from within an organization. Such an arrangement legitimately gives call recipients a number to which they can return a call, but prevents an individual person’s phone from being inundated with calls that should be routed elsewhere.

  In addition to threatening a person’s rights to privacy and to freedom of speech, in some circumstances disclosure of a person’s phone number may also put his or her safety at risk. For example, domestic violence survivors, shelters, and other safe homes need to preserve the confidentiality of their phone numbers. They may need to contact abusers without exposing their location, in order to arrange custody or other legitimate matters. They may need to contact businesses the abuser is acquainted with, and that may share survivor information with the abuser. They may also need to contact other third parties, such as businesses that have permissive privacy policies, and thus share collected telephone numbers with list or data brokers. In all of these situations, preserving anonymity is necessary for safety.[6]

   

  Caller ID Blocking Does Not Adequately Protect Privacy Interests

  Caller ID blocking may seem like a viable means for allowing callers to protect their anonymity while not misleading recipients. However, caller ID blocking is not a complete solution. One reason for this is that caller ID is not the only way that a caller can be identified. Another system, known as Automatic Number Identification, or ANI, will still disclose a caller's identity in many situations, regardless of whether or not the caller used call blocking. This means that many businesses, emergency service providers, and anyone with a toll-free number can reliably gain the phone number of a caller, even if caller ID is blocked. Spoofing services can protect the anonymity of a caller's ANI data when calling toll-free numbers and those entities that use ANI identification.

  Some recipients prevent blocked ID calls, and indications are that the number of individuals doing this is growing. In the case of a domestic violence survivor attempting to safely reach a required phone number, an individual would have to use spoofing for the innocent purpose of preserving the confidentiality of his or her number.

  We also cannot ignore the privacy interests of those who decline to accept calls from unknown numbers. If an individual has been habitually harassed by calls from a caller-ID blocked number, we should not permit the harasser to use spoofing as a means to circumvent the individual's screening. At the same time, it is clear that there could be prosecution for harassment whether or not additional prohibition on spoofing were enacted.[7]

   

  Spoofing Can Create Privacy Risks

  This is not to say that caller ID spoofing is an unqualified good -- far from it. Last year, EPIC brought to Congress's attention the problem of pretexting consumers' phone records.[8] Pretexting is a technique by which a bad actor can obtain an individual's personal information by impersonating a trusted entity. Pretexters have spoofed the telephone numbers of courthouses, in order to harass people for supposedly missing jury duty, threatening fines or arrest unless they turn over Social Security numbers or other personal information.^[9] Rob Douglas of PrivacyToday.com, with whom EPIC has worked on the pretexting issue, noted how fraudsters would use spoofing services in order to fool customers into thinking that fraudulent calls were coming from trusted sources.[10]

  For these reasons, illegitimate spoofing activities should be curtailed. Law enforcement and telephone companies can retrace these calls to the originating service.^[11] A spoofed number is not completely anonymous and without accountability.  Preventing spoofing for harmful reasons will hold illegitimate spoofers accountable.

  
  Intent Requirement

   

  The inclusion of an intent requirement in the Senate bill would focus the punishment on harmful and fraudulent uses of caller ID spoofing while preserving legitimate uses of the technique. In addition, an intent requirement would render specific exemptions for law enforcement unnecessary, as legitimate law enforcement activity that employs spoofing would be protected by the requirement to show intent to defraud or cause harm.

   

  Significance of NSA Surveillance Program for Privacy of Call Records

  Mr. Chairman, I would also like to bring to the Committee’s attention our concern that the National Security Agency may have constructed a massive database of telephone toll records of American consumers. Last year, EPIC filed a complaint with the Federal Communications Commission in which we alleged that Section 222 of the Communications Act, which protects the privacy of customer record information, might have been violated.[12]  We urged the Commission to undertake an investigation of this issue. In light of the ongoing controversy about the possibility that federal privacy laws were violated, the need to pursue this investigation is clear.

  We respectfully ask Members of this Committee to support EPIC’s recommendation that the FCC undertake an investigation of the possibly improper disclosure of telephone toll records by the telephone companies that are subject to the privacy obligations contained in the Communications Act. If the Communications Act was violated, that should be of great concern to the Committee.

   

  Conclusion

  Spoofing caller ID numbers can create a real risk to individuals who might be defrauded or harmed by illegitimate uses of this technology. At the same time, it is important not to punish those who may have a legitimate reason to conceal their actual telephone numbers. The inclusion of an intent requirement in the Truth in Caller ID Act of 2007 would significantly improve the bill by distinguishing between appropriate and inappropriate caller ID spoofing.

   I will be happy to answer any questions you might have at this time.

  
  

  ---

  [1] The Truth in Caller ID Act of 2006, H.R. 5126.

  [2] The intent requirement was also included in the Truth in Caller ID Act of 2007, H.R. 251. EPIC testified on this House bill on February 28, 2007, in support of the intent requirement. The Truth in Caller ID Act of 2007, H.R. 251 passed the House on June 12, 2007, and was received into the Senate and referred to the Committee on Commerce, Energy and Transportation on June 13, 2007.

  [3] H.R.5126, the Truth in Caller ID Act of 2006: Before the Subcomm. on Telecommunications and the Internet of the H. Comm. on Energy and Commerce, 109th Cong. (2006) (statement of Marc Rotenberg, President and Executive Director, Electronic Privacy Information Center). See also, H.R.251, the Truth in Caller ID Act of 2007: Before the Subcomm. on Telecommunications and the Internet of the H. Comm. on Energy and Commerce, 110th Cong. (2007) (statement of Allison Knight, Director, Privacy and Human Rights Project, Electronic Privacy Information Center).

  [4] Letter from National Network to End Domestic Violence to the House Committee on Energy and Commerce (May 16, 2006).

  [5] Watchtower Bible & Tract Society v. Village of Stratton, 536 U.S. 150 (2002), McIntyre v. Ohio Elections Commission, 514 U.S. 334 (1995), and Talley v. California, 362 U.S. 60 (1960); ACLU v. Reno, 521 U.S. 844 (1997).

  [6] Domestic Violence and Privacy, Electronic Privacy Information Center http://www.epic.org/privacy/dv/.

  [7] See 47 U.S.C. § 223; 47 U.S.C. § 227.

  [8] Protecting Consumers' Phone Records: Before the Subcomm. on Consumer Affairs,

  Product Safety, and Insurance of the S. Comm. on Commerce, Science, and

  Transportation, 109th Cong. (2006) (statement of Marc Rotenberg, President and

  Executive Director, Electronic Privacy Information Center).

  http://www.epic.org/privacy/iei/sencomtest2806.html; Phone Records for Sale: Why

  Aren’t Phone Records Safe From Pretexting?: Before the H. Comm. on Energy and

  Commerce, 109th Cong. (2006) (statement of Marc Rotenberg, President and Executive

  Director, Electronic Privacy Information Center) http://www.epic.org/privacy/iei/pretext_testimony.pdf.

  [9] Sid Kirchmeyer, Scam Alert: Courthouse Con, AARPBulletin, May 2006, http://www.aarp.org/bulletin/consumer/courthouse_con.html.

  [10] Phone Records for Sale: Why Aren’t Phone Records Safe From Pretexting?: Before the H. Comm. on Energy and Commerce, 109th Cong. (2006) (statement of Robert Douglas, CEO, PrivacyToday.com), http://www.privacytoday.com/HC020106.htm.

  [11] Peter Svenson, Caller ID Spoofing Becomes All Too Easy, USA Today, Mar. 1, 2006, http://www.usatoday.com/tech/news/2006-03-01-caller-id_x.htm.

  [12] EPIC Complaint to the Federal Communications Commission (May 16, 2006).

• Mr. Ron Jones

  Director, Tennessee Regulatory Authority

  Chair, Consumers Affairs Committee of the National Association of Regulatory Utility Commissioners (NARUC)
  Read statement

  Testimony

  Mr. Ron Jones

  Testimony of the Honorable Ron Jones

  Commissioner, Tennessee Regulatory Authority

   

  before the

   

  Committee on Commerce, Science and Transportation of the

  United States Senate

   

  on behalf of the

   

  National Association of Regulatory Utility Commissioners (NARUC)

                                                                                     

  June 21, 2007

   

   

   

   

   

   

   

   

   

   

   

   

   

   

   

   

   

   

   

   

   

  National Association of

  Regulatory Utility Commissioners

  1101 Vermont Ave, N.W., Suite 200

  Washington, D.C.  20005

  Telephone (202) 898-2200, Facsimile (202) 898-2213

  Internet Home Page http://www.naruc.org

   

   

   

  Chairman Inouye, Vice-chairman Stevens, and members of the Committee, thank you for the opportunity to testify today on S. 704, the “Truth in Caller ID Act of 2007.”

   

              I am Ron Jones, commissioner with the Tennessee Regulatory Authority and a member of the National Association of Regulatory Utility Commissioners (NARUC).  I serve as chairman of NARUC’s Committee on Consumer Affairs.  NARUC represents State public utility commissions (PUCs) in all 50 States, the District of Columbia and U.S. territories with jurisdiction over telecommunications, electricity, natural gas, water and other utilities.  In this capacity, PUCs are on the frontline of consumer protection in these areas and are often the first to learn of emerging consumer concerns. 

   

              We commend Senators Nelson and Snowe for introducing S. 704 and the Committee for addressing the issue of caller ID fraud, otherwise known as caller ID spoofing.  Caller ID spoofing is an issue of growing concern and one of the many tools criminals can use to perpetrate fraud and steal the identities of hard-working, law-abiding Americans.

   

              I am pleased to be here today to present NARUC’s support for enactment of caller ID spoofing legislation that would prohibit the intentional falsification of the name or number that appears on a customer’s caller identification (ID) display.  A resolution to this end was adopted at the NARUC Summer Meeting in 2006, which I have submitted for the record with my testimony.  The resolution was adopted in response to growing consumer complaints concerning the practice of caller ID spoofing and notes the important role State PUCs play in policing such activities.

   

              The telecommunications industry has experienced a decade of unprecedented technological innovation bringing consumers an array of new communications devices and services.  Unfortunately, with new technology often come new risks and increased opportunities criminals can exploit for their own nefarious purposes. 

   

              Previously, special equipment and knowledge was necessary to fake caller ID information.  However, the rise of new multifunctional, user friendly, Internet technologies and Voice over Internet Protocol (VoIP) has put spoofing within easy reach of scammers.  All one has to do is go to a website, pay a small fee - often as low as $10 - type in the number you’d like to call then input the name and number that you would like to be displayed on the call recipients Caller ID.  It is as easy as that.

   

              How is caller ID spoofing being used and how is it harming consumers?   There are several areas in which this technology is being used to harm consumers, including but certainly not limited to:

   

  • Identity theft: caller ID fraud is a key tool in pretexting which is the practice of obtaining personal information under false pretenses
  • Criminals can falsify the home number of consumers to activate or make purchases on stolen credit cards
  • Emergency calls to 911 call centers can be fabricated diverting public safety resources away from real emergencies
  • Terrorists could use it to mask their true location hampering law enforcement
  • An ex-spouse could use it to harass a former wife or husband who has blocked calls from their phone

             

              Each of these examples is alone a legitimate reason to prohibit the practice of caller ID spoofing.  Taken together they provide overwhelming evidence of the need for this legislation.  In our increasingly technological age, government at all levels must be able to identify and address new and novel threats in a timely fashion to ensure the safety of consumers.  Allowing the practice of caller ID spoofing to continue may reduce consumer trust in many of the public, commercial, financial and political institutions that are relied upon by American consumers.

   

              The full extent of caller ID spoofing is difficult to ascertain.  By its very nature the goal is to disguise the true identity of the perpetrator and their motives.  In many cases a consumer may not even know they were a victim of caller ID spoofing.  States, like the federal government, are becoming more aware of this problem and are looking to prohibit the practice.  

   

              In my home State of Tennessee, our Senate approved caller ID spoofing legislation but it failed to pass the House.  Although my State does not have a specific caller ID spoofing law, we are collecting information and learning the extent of such fraud through our oversight of the State Do-Not-Call (DNC) Registry.

   

              When a complaint regarding a DNC Registry violation is received from a consumer, the Authority initiates an investigation.  If it is subsequently determined that the caller ID information utilized in the violation was falsified, it is noted in the record.   

  A review of 2007 Do-Not-Call violations found forty-two complaints that the Regulatory Authority was not able to fully investigate because the originator of the call could not be determined or contacted.  This happened because the number provided to us by the Do-Not-Call complainant was a spoofed number and could not be traced back to the caller despite agency subpoenas for phone records of the complainant in an effort to determine the identity of the caller. 

   

              The forty-two complaints represent about 14% of the total Do-Not-Call complaints received by the Tennessee Regulatory Authority since the first of this year.  While this may not sound like a large percentage, it is my belief that this number is not representative of the true scope of this problem.  Regardless, each of these identified forty-two instances of caller ID fraud is a potential crime and therefore should not be condoned. 

   

              To elaborate on the breadth of this problem, let me share with you an example of caller ID fraud investigated by my colleagues in Nebraska.  The Nebraska Public Service Commission investigated a slew of pre-recorded, automatically dialed calls on the eve of the November 2006 election.  The Commission received several complaints about the politically motivated calls in the days before the election.  Upon investigation, the Commission learned the numbers that appeared on the caller ID were fraudulent and in most cases they were phone numbers that were unassigned.  Even with the help of the phone companies they were unable to determine the actual source of the calls. 

   

              NARUC is pleased with the inclusion of language in S. 704 acknowledging the key role State officials play in protecting consumers through enforcement of State laws that are consistent with Federal rules.  NARUC’s one suggestion for change in the bill would be to strike the section limiting State action while a federal enforcement action or proceeding is pending.  Federal and State agencies can mutually benefit from revelations gleaned from concurrent investigation of violations of their respective laws.  Consumer protection is a core-competency of State commissions; States should not be encumbered from investigation and enforcement of violations of State law.

   

              As I previously stated, caller ID spoofing is a key tool in identity theft efforts by criminals. The Federal Trade Commission reports that 10 million individuals are victims of identity theft each year and identity theft is the number one consumer complaint.  Passage of the Truth in Caller ID Act of 2007 will be a big step forward in reducing the problem of identity theft.  It will remove a major weapon, caller ID spoofing, from the arsenal of criminals.

   

              Mr. Chairman, members of the Committee, NARUC and its members are committed to working with you to protect consumers.  We urge your swift passage of S. 704 to end this practice.  Thank you for inviting me to testify before you and I would be happy to answer any questions.

  
  

        Resolution Supporting Federal Legislation To Combat Caller Identification Spoofing

   

  WHEREAS, Congress is considering legislation to prohibit the intentional falsification of the name or number that appears on a consumer's caller identification (ID) display, commonly referred to as “caller ID spoofing”; and

   

  WHEREAS, The Truth in Caller ID Act of 2006, H.R. 5126, would make it unlawful for a person, in connection with any telecommunications service or VOIP service, to cause any caller identification service to transmit misleading or inaccurate caller identification information with the intent to defraud or cause harm; and

   

  WHEREAS, The use of Internet technology to make telephone calls has made Caller ID spoofing easier; and

   

  WHEREAS, Caller ID spoofing may be used for fraudulent or deceptive purposes which could harm consumers and lessen consumers’ trust in the telecommunications industry; and

   

  WHEREAS, Caller ID spoofing may also threaten public safety by fabricating emergency calls and thereby diverting public safety resources away from real emergencies; and

   

  WHEREAS, The Federal Communications Commission (FCC) is attempting to address this problem through enforcement actions and coordination with the Federal Trade Commission (FTC); and

   

  WHEREAS, The National Association of Regulatory Commissioners (NARUC) and its member States have consistently supported and encouraged consumer protection and safety issues; now therefore be it

   

  RESOLVED, That the Board of Directors of the National Association of Regulatory Commissioners (NARUC), convened in its 2006 Summer Meetings in San Francisco, California, expresses its support for Federal legislation that would make it unlawful for a person to transmit misleading or inaccurate caller identification information with the intent to defraud or cause harm; and be it further

   

  RESOLVED, That NARUC is committed to working with Congress, the FCC, the FTC, and the industry on a comprehensive approach to this issue in order to educate and protect consumers from caller ID spoofing.

  ________________________________

  Sponsored by the Committees on Telecommunications and Consumer Affairs

  Adopted by the NARUC Board of Directors August 2, 2006