Lauren Weinstein <lauren@vortex.com> (05/06/91)
Like others reading the TELECOM Digest, I was amazed to see the recent message where an AT&T Communications employee apparently used his access to customer data to conduct a "private" investigation of a "contest/telemarketing" operation, then published the "results" via TELECOM.

Immediately after seeing his original message, I sent the author private email asking for an explanation. Of particular interest to me was whether he was acting in violation of AT&T confidentiality rules, or whether the rules would have permitted such actions.

I received a reply back from him today. In essence, he says that he made a mistake in making the information public, and that AT&T rules do *not* permit such disclosures from customer data. He also says that some of what he said in that message was obtained directly from a conversation with the telemarketer.

In any case, it is obvious from his original message that he did access the customer records of the firm in question, and did obtain information regarding long distance calling patterns and telephone number usage information from those records. However obnoxious some may feel the firm to be, their telecom records are still deserving of the same security and confidentiality we all (should!) expect, and should not be subject to "private" investigations and disclosures outside of official channels.

This is unfortunately symptomatic of the growing range of situations where the data collected on individuals and organizations in the course of their normal business is available to too many persons without authorization or "need to know". The amount of information that can be obtained with essentially no security controls, or often at the best semi-useless, pseudo-controls such as social security number, is vast and growing.

In the telecommunications arena, the problem has grown greatly with the breakup of the Bell System -- it seems like customer telephone data is floating around almost freely between the local telcos and the private long distance carriers these days. But the same sorts of problems exist in many other areas of our lives, and only seem to be getting worse, not better.

I believe that the time has come for another look at the Privacy Act in terms of how it does, or does not, protect consumer (both individual and business) information and who (both inside and outside of the firms collecting the data) has access to that information.

I believe that meaningful, uniform minimum standards must be established for automated systems that allow consumers to access various account balances or similar data by telephone. The excuses of the firms providing these systems that it would be "too difficult for consumers" to remember a passcode or even know their account number (i.e. the ongoing Sprint account information case) must be treated as the unacceptable responses that they are. Consumers need protection both from the employees of the firms who maintain the data (whether or not such employees act with malicious intent is not the issue) and from outside persons who can gain access to such data through the often non-existent security of these systems.

Many of the companies involved state that they are providing all of the security required by law. OK then -- if they don't feel a need to go beyond the current law to a meaningful level of protection, the time has come to improve the laws to take into account the realities of the information age. And there isn't a moment to lose.

--Lauren--

[Moderator's Note: Lauren is a long-time reader of the TELECOM Digest, whose participation goes back to the first issues in 1981. Due to the press of other business, he can't submit articles as often as he did in the past; so when I contacted him Sunday night asking for a piece today, I was very pleased when he agreed to write. Lauren is also the author of "The Day the Bell System Died", a song in the Telecom Archives which I reprint here from time to time. Thanks, Lauren! PAT]

Robert Jacobson <cyberoid@milton.u.washington.edu> (05/07/91)
In California, the Telephone Privacy Act, passed in 1986, makes it absolutely illegal for telephone companies to disclose personal calling records or any other personal information, other than what is found in the published directories, without the customer's consent or a court order.

Bob Jacobson