Liar, Liar, and Pretexting, 2006-09-19
What if you don't affirmatively lie, but merely mislead, and allow the recipient of the information to believe that you are someone else, or need the information? Is anything less than the truth, the whole truth and nothing but the truth actionable?
Not only does the GLBA only cover a narrow scope of records, it also has some exclusions which are, well, bizarre. It excludes law enforcement agents acting within the scope of their duties. This suggests that if the cops want your financial records, rather than going down the hall to the prosecutor to get a subpoena (or issuing an administrative subpoena, getting a search warrant, a FISA warrant, a FISA order, a National Security Letter, the consent of the bank, or any of the myriad legal ways to get your information) it would be permissible for the cops to simply call the bank, pretend to be you (or anyone else) and trick the bank into ponying up your records. Pretty cool. And if you challenge the legality of the search as a violation of your privacy, a court might very well conclude that these records about you aren't your records, but rather records of the financial institution. Therefore, even if the search is unreasonable, you don't have what the law terms "standing" to challenge it. Lovely.
Other exclusions allow insurance investigators to get your records by pretext if they are investigating insurance fraud (do two wrongs make a right?) and licensed private investigators to use trickery rather than legal subpoenas to get financial records from you or from your bank if they are trying to enforce a delinquent child support order. I am all for enforcing child support orders, and for getting accurate financial records to do so - but I am at a loss to see why you would ever need to use deceit to do so. You already have a court involved and a judgment. Just subpoena the damned things! If a PI thought that some deadbeat dad was using my name for some reason, this suggests that he could call my bank and pretend to be me, and get my bank records with no showing of reasonableness. I don't think so.
Consumer Protection Laws
The GLBA would be of little help to either the Hewlett Packard Board, or to the journalists whose records were examined by the investigators. Other than GLBA, there are a few laws in the United States that outright ban pretexting, although legislatures in California (AB 1891, SB 1665), Georgia (HB 1290, SB 455), Kentucky (HB 543), Hawaii (HB 2818, HB 2841) and New Jersey (AB 2105, AB 2539, AB 3008) are considering such laws.
Thus, State Attorneys General and prosecutors, as well as consumer protection agencies, generally rely on Federal and state consumer protection laws, such as the Federal Trade Commission Act, which prohibit both deceptive and unfair trade practices. And lying is generally considered a deceptive practice.
To use these consumer protection laws you would have to show a few things - first, that you are in some trade or business (as liberally interpreted by the FTC and the courts). Thus, social lying (like the kind you might do at a bar, or "what happens in Vegas stays in Vegas...") and some forms of social engineering might not be covered by the law. Second, you would have to show that the actions are generally considered to be either deceptive or unfair. Well, duh. Pretending to be someone else to get their information is, well, deceptive.
Some of the cases brought by the government under consumer protection statutes have been downright nasty. In 1999, for example, the FTC fined James and Regena Rapp $200,000 for pretexting after James Rapp reportedly wrote a 1000-page book about how to obtain information, and reportedly obtained private information on people like Monica Lewinsky, the Ramsey family, and others - usually at the behest of private investigators.
In another case in 2003, a man contacted an Internet-based company called Docusearch.com to find out information about his former girlfriend. He purchased various services from the online company, including her address, social security number, and employer information including her employer's address. Docusearch hired an investigator, Michele Gambino, to find this information, which she did by pretexting the ex-girlfriend. For a few hundred dollars, the ex-boyfriend located his ex-girlfriend, found her, and killed her, before killing himself. Her estate sued Docusearch, and the court found that the pretexting was a deceptive trade practice.
In another case, Massachusetts v. Source One, Source One advertised in a bunch of legal periodicals that it would conduct asset searches for a fee. Lots of lawyers used their services to find out whether people they were suing (or about to sue) had any assets worthy of attachment - after all, you don't want to sue unless you can collect, right? Problem was, as everybody knows (or should know), financial records are presumably secret. A host of government regulations, including the Gramm-Leach-Bliley Act (GLBA), and Office of the Comptroller of the Currency and other financial regulations prohibit financial institutions from disclosing this information except under certain circumstances - and helping out private investigators ain't one of those recognized exceptions (that is, without a subpoena). After hearing the testimony, the court concluded that, ". . . the only way that information brokers can obtain private financial information from banks is through the use of deception and trickery, including impersonation of account holders." Well, either that or the less deceptive practice of dumpster diving. Therefore, the court concluded that Source One violated the Massachusetts deceptive practices law.
Finally, California has also gone after a company called Trace Data USA for pretexting people's cell phone records.
Pretexting and Deception
Okay, so making a business out of pretexting to get someone's information is a deceptive trade practice, right? Um... not so fast. Remember our insurance agents, child support detectives and cops? If they are permitted to use pretexting (a deceptive trade practice) under GLBA, but prohibited under the deceptive trade practice law, what's the point of the exception? What if you tell the truth about who you are, but lie about the reason you want the non-public information?
