larry@uunet.uu.net (Larry Lippman) (09/15/89)
In article <telecom-v09i0352m06@vector.dallas.tx.us> laba-2ac%web-2a.Berkeley. EDU@ucbvax.berkeley.edu writes: > In the area of security, in MCI, their customer system was called OCIS > (pronounced "oh-sis"), for On-line Customer Information System. It ran > (runs) on multiple IBM 3070's running VMS, in a CICS appication (it > uses DB-2 for the database). The thing I seem to remember is that they > were lax as far as what you can get from OCIS. Almost everybody could > get the full billing information on you (from anywhere in the country, the > country is divided up into 7 divisions, and you'd have to "access" each > division to find somebody, but that just takes a few more keystrokes). > The only thing they placed restrictions on was who could view Calling > Card codes and who could do changes to that account. They just now got > on-line call-detail, and the call detail is held on-line for 3 months > before it is archived. That is how I found an ex-girlfriend (and saw who > she was calling to boot). We had fun looking up celebrities and other > people we knew to see who they were calling (get the numbers, call the > appropriate CNA, then volia, "We Got Your Number!") It was a great way > to kill time, needless to say. The potential of unauthorized access to customer information, as exemplified above, has always been a source of paranoia to New York Telephone. Needless to say, there have been incidents of information "abuse" which have caused New York Telephone to maintain a reasonable level of customer information database security, and to conduct periodic audits of database access. While I am not certain of the law in other states, it is a specific _crime_ in New York State for a person to obtain billing and physical plant INFORMATION about a telephone subscriber without having prior authorization to do so. The actual text of Penal Law 250.30 is as follows: "A person is guilty of unlawfully obtaining communications information when, knowing that he does not have the authorization of a telephone or telegraph corporation, he obtains or attempts to obtain, by deception, stealth or in any other manner, from such corporation or from any employee, officer or representative thereof: 1. Information concerning identification or location of any wires, cables, lines terminals or other apparatus used in furnishing telephone or telegraph service; or 2. Information concerning a record of any communication passing over telephone or telegraph lines of any such corporation. Unlawfully obtaining communications information is a class B misdemeanor." I don't know of any attempted prosecutions or case law for the above criminal offense, although the law has been on the books since 1965. This law is not intended to cover any act of eavesdropping, which is covered by other sections of the Penal Law. A reasonable interpretation of this law would include billing records of toll calls. This law is one of the reasons why New York Telephone is sensitive to "unauthorized" use of ANAC (Automatic Number Announcement Circuit). While it would certainly be stretching the imagination a bit, a person using ANAC in an attempt to identify someone ELSE's telephone pairs could be prosecuted under this law. New York Telephone security personnel are a frustrated lot; while they would love to prosecute people (and there have been cases where there was sufficient basis for prosecution, but where it was declined) and set an example for purposes of deterance, such prosecution would also disclose details which could facilitate others to commit the same unlawful act. As a result, New York Telephone security personnel generally limit prosecution to larceny in one form or another. <> Larry Lippman @ Recognition Research Corp. - Uniquex Corp. - Viatran Corp. <> UUCP {allegra|boulder|decvax|rutgers|watmath}!sunybcs!kitty!larry <> TEL 716/688-1231 | 716/773-1700 {hplabs|utzoo|uunet}!/ \uniquex!larry <> FAX 716/741-9635 | 716/773-2488 "Have you hugged your cat today?"