[House Hearing, 109 Congress]
[From the U.S. Government Publishing Office]
H.R. 5126, THE TRUTH IN
CALLER ID ACT OF 2006
HEARING
BEFORE THE
SUBCOMMITTEE ON TELECOMMUNICATIONS
AND THE INTERNET
OF THE
COMMITTEE ON ENERGY AND COMMERCE
HOUSE OF REPRESENTATIVES
ONE HUNDRED NINTH CONGRESS
SECOND SESSION
MAY 18, 2006
Serial No. 109-92
Printed for the use of the Committee on Energy and Commerce
_____
U.S. GOVERNMENT PRINTING OFFICE
29-451 PDF WASHINGTON : 2006
_________________________________________________________________
For sale by the Superintendent of Documents, U.S. Government
Printing Office Internet: bookstore.gpo.gov Phone: toll free
(866) 512-1800; DC area (202) 512-1800 Fax: (202) 512-2250 Mail:
Stop SSOP, Washington, DC 20402-0001
Available via the World Wide Web:
http://www.access.gpo.gov/congress/house
COMMITTEE ON ENERGY AND COMMERCE
JOE BARTON, Texas, Chairman
RALPH M. HALL, Texas
MICHAEL BILIRAKIS, Florida
Vice Chairman
FRED UPTON, Michigan
CLIFF STEARNS, Florida
PAUL E. GILLMOR, Ohio
NATHAN DEAL, Georgia
ED WHITFIELD, Kentucky
CHARLIE NORWOOD, Georgia
BARBARA CUBIN, Wyoming
JOHN SHIMKUS, Illinois
HEATHER WILSON, New Mexico
JOHN B. SHADEGG, Arizona
CHARLES W. "CHIP" PICKERING, Mississippi
Vice Chairman
VITO FOSSELLA, New York
ROY BLUNT, Missouri
STEVE BUYER, Indiana
GEORGE RADANOVICH, California
CHARLES F. BASS, New Hampshire
JOSEPH R. PITTS, Pennsylvania
MARY BONO, California
GREG WALDEN, Oregon
LEE TERRY, Nebraska
MIKE FERGUSON, New Jersey
MIKE ROGERS, Michigan
C.L. "BUTCH" OTTER, Idaho
SUE MYRICK, North Carolina
JOHN SULLIVAN, Oklahoma
TIM MURPHY, Pennsylvania
MICHAEL C. BURGESS, Texas
MARSHA BLACKBURN, Tennessee
JOHN D. DINGELL, Michigan
Ranking Member
HENRY A. WAXMAN, California
EDWARD J. MARKEY, Massachusetts
RICK BOUCHER, Virginia
EDOLPHUS TOWNS, New York
FRANK PALLONE, JR., New Jersey
SHERROD BROWN, Ohio
BART GORDON, Tennessee
BOBBY L. RUSH, Illinois
ANNA G. ESHOO, California
BART STUPAK, Michigan
ELIOT L. ENGEL, New York
ALBERT R. WYNN, Maryland
GENE GREEN, Texas
TED STRICKLAND, Ohio
DIANA DEGETTE, Colorado
LOIS CAPPS, California
MIKE DOYLE, Pennsylvania
TOM ALLEN, Maine
JIM DAVIS, Florida
JAN SCHAKOWSKY, Illinois
HILDA L. SOLIS, California
CHARLES A. GONZALEZ, Texas
JAY INSLEE, Washington
TAMMY BALDWIN, Wisconsin
MIKE ROSS, Arkansas
BUD ALBRIGHT, Staff Director
DAVID CAVICKE, General Counsel
REID P. F. STUNTZ, Minority Staff Director and Chief Counsel
SUBCOMMITTEE ON TELECOMMUNICATIONS AND THE INTERNET
FRED UPTON, Michigan, Chairman
MICHAEL BILIRAKIS, Florida
CLIFF STEARNS, Florida
PAUL E. GILLMOR, Ohio
ED WHITFIELD, Kentucky
BARBARA CUBIN, Wyoming
JOHN SHIMKUS, Illinois
HEATHER WILSON, New Mexico
CHARLES W. "CHIP" PICKERING, Mississippi
VITO FOSSELLA, New York
GEORGE RADANOVICH, California
CHARLES F. BASS, New Hampshire
GREG WALDEN, Oregon
LEE TERRY, Nebraska
MIKE FERGUSON, New Jersey
JOHN SULLIVAN, Oklahoma
MARSHA BLACKBURN, Tennessee
JOE BARTON, Texas
(EX OFFICIO)
EDWARD J. MARKEY, Massachusetts
Ranking Member
ELIOT L. ENGEL, New York
ALBERT R. WYNN, Maryland
MIKE DOYLE, Pennsylvania
CHARLES A. GONZALEZ, Texas
JAY INSLEE, Washington
RICK BOUCHER, Virginia
EDOLPHUS TOWNS, New York
FRANK PALLONE, JR., New Jersey
SHERROD BROWN, Ohio
BART GORDON, Tennessee
BOBBY L. RUSH, Illinois
ANNA G. ESHOO, California
BART STUPAK, Michigan
JOHN D. DINGELL, Michigan
(EX OFFICIO)
CONTENTS
Page
Testimony of:
Navin, Tom, Wireline Bureau Chief, Federal Communications Commission 16
Pies, Staci, Vice President, PointOne Communications, on behalf of
Voice on the Net (VON) Coalition 19 James, Lance, Chief Technology
Officer, Secure Science Corporation 24 Rotenberg, Marc, Executive
Director, Electronic Privacy Information Center 27
Additional material submitted for the record:
Sloane, David, Sr. Managing Director, Government Relations and
Advocacy, AARP, submission for the record 41
H.R. 5126, THE TRUTH IN
CALLER ID ACT OF 2006
THURSDAY, MAY 18, 2006
HOUSE OF REPRESENTATIVES,
COMMITTEE ON ENERGY AND COMMERCE,
SUBCOMMITTEE ON TELECOMMUNICATIONS AND THE INTERNET,
Washington, DC.
The Subcommittee met, pursuant to notice, at 9:09 a.m., in room 2123
of the Rayburn House Office Building, Hon. Fred Upton (chairman)
presiding.
Members present: Representatives Shimkus, Terry, Barton
(ex officio), Markey, Engel, and Inslee.
Staff present: Kelly Cole, Counsel; Jaylyn Jensen, Senior
Legislative Analyst; Howard Waltzman, Chief Counsel for
Telecommunications; Anh Nguyen, Legislative Clerk; Johanna Shelton,
Minority Counsel; and Peter Filon, Minority Counsel.
MR. UPTON. The witnesses can take their respective chairs.
Good morning. Now, there was a comment on the floor last night--or
I should say this morning, that another vote on a certain issue will
take place tomorrow. I said, it is tomorrow. For those of you that
were watching C-SPAN, most of us did not get home from votes on the
budget until pretty close to 2:00 a.m., and I actually thought this
hearing was starting at 10:00, but I saw that it was at 9:00. And I
may be the only Member here this morning for the hearing, although I
do understand that Mr. Shimkus is at a breakfast. I hope they have a
lot of coffee. I understand that Mr. Engel is en route. I understand
that Mr. Markey is en route, but I know Mr. Markey well, and there is
a stop at Starbucks that he never fails to make, so we will see if
they have a long line or not with this hearing.
But I am going to make a unanimous consent--and I did see Mr.
Chairman Barton. He gave me a big smile, and he said he would be here,
but I also know that he has been under the weather and under some
medical assistance with vertigo, and it caused him to not get back
from Texas until late yesterday afternoon. So we are going to start.
I will make a unanimous consent that all Member statements will be
made part of the record without a problem. And I will speak slowly,
hoping that Mr. Engel will get here as his office is just down the
hallway.
But anyway, today's hearing--I am going to have one more slug
of coffee, it has not kicked in yet--is on H.R. 5126, the Truth in
Caller ID Act of 2006, bipartisan legislation introduced by Chairman
Barton and Eliot Engel, and I commend both for their leadership.
I am delighted to be a proud cosponsor of the legislation. Caller
ID "spoofing" occurs when a caller fakes his caller ID information,
so that the number which appears on the recipient's caller ID screen
is not the caller's actual phone number. In many cases, such
"spoofers" are actually transmitting someone else's caller ID
information instead of their own. Apparently, some "spoofers" just
do it to play practical jokes on their friends, but, in fact, there
have been reports of much more sinister uses of "spoofing".
In some instances, "spoofing" is being used to trick people
into thinking the person on the other end of the line is someone
from a government agency, or some other presumably trustworthy
party. For instance, in this month's AARP Bulletin, there is a
consumer alert describing a prevalent scam where spoofers get the
local courthouse's phone number to pop up on people's caller ID
screens, and then they tell the recipients of the calls that they
are judicial officials in order to get the unsuspecting victims to
divulge personal information, like Social Security numbers, driver's
license numbers, et cetera, while enforcement officials are
particularly concerned about senior citizens' susceptibility to such
scams.
Another important case involved a SWAT team that surrounded an
apartment building after police received a call from a woman who said
she was being held hostage in an apartment. As it turned out, it
was a false alarm--caller ID was "spoofed" to make it look like it
was coming from the apartment. Apparently, it was somebody else's
idea of a bad prank.
In other instances, criminals are stealing credit card numbers,
getting the phone number of the actual cardholder, and then using
those credit cards to use to get unauthorized wire transfers.
In such cases, the criminal "spoofs" his caller ID information so
that the number which pops up on the wire transfer operator's screen
is that of the actual cardholder. Because such caller ID information
matches the actual cardholder's phone number on record with the
credit card company, the wire transfer company uses it to authorize
the wire transfer. Thus "spoofing" enables the crime to be
consummated.
And, of course, many of us are familiar with our own credit card
companies which may ask us to call from our home phone to
authenticate and activate those new cards. If the new card is
stolen out of the mail, then criminals may be able to "spoof" our
home phone numbers and authenticate and activate our new cards from
the convenience of their own homes, or motel rooms, or from whatever
rock they might decide to crawl under.
While such "spoofing" has been technically possible for some
time, it used to require specific phone connections and expensive
equipment. However, with the advent of VoIP, Voice over Internet
Protocol, it has become easier for callers to transmit any caller ID
information that the caller might choose. Moreover, there are online
companies which offer "spoofing" services for just a few bucks to
anyone with a phone.
Unfortunately, nefarious uses of "spoofing" appear to be proliferating,
and there is no law that actually protects the American public from
it. The Truth in Caller ID Act of 2006 would make "spoofing"
illegal. More specifically, it would make it unlawful for any
person to cause any caller identification service to transmit
misleading or inaccurate caller identification information--other
than for authorized activities of law enforcement agencies--and
require the FCC to issue implementing regulations within six months
of enactment.
Today we will hear from our witnesses about the problems of
"spoofing" and their suggestions about how this bill, the Truth in
Caller ID Act of 2006, might be improved. I look forward to hearing
from our witnesses. I appreciate you being here on time, and also my
colleague from Nebraska being on time. Mr. Terry, would you like to
make an opening statement?
[The prepared statement of Hon. Fred Upton follows:]
PREPARED STATEMENT OF THE HON. FRED UPTON, CHAIRMAN, SUBCOMMITTEE ON TELECOMMUNICATIONS AND THE INTERNET
Good morning. Today's hearing is on H.R. 5126, the Truth in Caller
ID Act of 2006, bipartisan legislation introduced by Chairman Barton
and Elliot Engel, who I commend for their leadership. I am a proud
cosponsor of their bill.
Caller ID "spoofing" occurs when a caller fakes his caller ID
information, so that the number which appears on a recipient's caller
ID screen is NOT the caller's actual phone number. In many cases,
such "spoofers" are actually transmitting someone else's caller ID
information instead of their own.
Apparently, some "spoofers" just do it to play practical jokes on
their friends. But there have been reports of much more sinister
uses of "spoofing".
In some instances, "spoofing" is being used to trick people into
thinking the person on the other end of the line is someone from a
government agency -- or some other presumably trustworthy party.
For instance, in this month's AARP Bulletin there is a consumer
alert describing a prevalent scam whereby "spoofers" get the local
courthouse's phone number to pop-up on peoples' caller ID screens
and then tell the recipients of the calls that they are judicial
officials in order to get unsuspecting victims to divulge personal
information, like Social Security numbers and drivers license numbers.
Law enforcement officials are particularly concerned about senior
citizens' susceptibility to such scams.
Another reported case involved a SWAT team surrounding an
apartment building after police received a call from a woman who said
she was being held hostage in an apartment. As it turned out, it was
a false alarm -- caller ID was "spoofed" to make it look like it was
coming from that apartment. Apparently, it was someone's idea of a
bad prank.
In other instances, criminals are stealing credit card numbers,
getting the phone number of the actual cardholder, and then using
those credit cards to get unauthorized wire transfers. In such cases,
the criminal "spoofs" his caller ID information so that the number
which pops-up on the wire transfer company operator's screen is that
of the actual card holder's. Because such caller ID information
matches the actual card holder's phone number on record with the
credit card company, the wire transfer company uses it to authorize
the wire transfer. Thus, "spoofing" enables the crime to be
consummated.
And, of course, many of us are familiar with our own credit
card companies which may ask us to call from our home phones to
authenticate and activate our new cards. If our new cards are stolen
out of the mail, then criminals may be able to "spoof" our home phone
numbers and authenticate and activate our new cards from the
convenience of their own homes or motel rooms -- or from whatever rock
they crawl under.
While such "spoofing" has been technically possible for some
time, it used to require specific phone connections and expensive
equipment. However, with the advent of VoIP, it has become easier
for callers to transmit any caller ID information that the caller
chooses. Moreover, there are online companies which offer "spoofing"
services for a few bucks to anyone with any phone.
Unfortunately, nefarious uses of "spoofing" appear to be
proliferating, and there is no law protecting the American public
from it. The Truth in Caller ID Act of 2006 would make "spoofing"
illegal. More specifically, it would make it unlawful for any person
to cause any caller identification service to transmit misleading or
inaccurate caller identification information - other than for
authorized activities of law enforcement agencies -- and require the
FCC to issue implementing regulations within six months of enactment.
Today, we will hear from out witnesses about the problem of "spoofing"
and their suggestions about how the Truth In Caller ID Act of 2006
might be improved. I look forward to hearing from our witnesses
today, and I appreciate them being here with us.
MR. TERRY. Thank you, Mr. Chairman. And I--not necessarily
on time by Michigan and Nebraska standards, but getting here at 10
after in D.C. is actually early for a meeting.
MR. UPTON. I gave a long-winded opening statement just so
that you could get here.
MR. TERRY. Thank you. And I do appreciate you having this
hearing, and it will be interesting to hear from the panel regarding
the Truth in Caller ID Act of 2006. Needless to say, coming from
Omaha, Nebraska, where I represent 30,000 people in the telecommunications/tele-services business, I am concerned about how
this Act may affect those companies and their employees. Many
Fortune 500 companies use the tele-services in my hometown and my
district in lieu of their own call centers and tele-services, so
when they make an outbound call or an inbound call, they answer it,
representing their claim, XYZ company. That is not "spoofing" in my
mind. That is not fraudulent. That is their client and they should
have a right to be able to speak on behalf of their client. So
hopefully there is nothing in the Truth in Caller ID Act that
prevents legitimate tele-services from doing their job on behalf of
their clients. It is not fraudulent.
So I think we need to kind of work through the details here,
and that is why it is important that we have this type of a hearing.
And I want to thank our panels for being here today to help us work
through the issues of what is legitimate, what is fraudulent. None
of us want people to be able to fake identities, "spoof," in order
to make contact. But on the other hand, we do not want to stop
legitimate commerce as well.
With that, Chairman, I thank you for holding this hearing,
and I yield back the remainder of my time.
MR. UPTON. I thank the gentleman for being here. And at
this point, I make a unanimous consent request that all Members will
have their opening statements as part of the record.
[Additional Statements for the record follow:]
PREPARED STATEMENT OF THE HON. BARBARA CUBIN, A REPRESENTATIVE IN CONGRESS FROM THE STATE OF WYOMING
Thank you, Mr. Chairman.
Just like our hearing on pretexting a few months back, I'm again
shocked about how people have conceived such a malevolent business
model that appears to be legal. The act of "spoofing," or changing,
one's caller ID information appears to be on the rise, which has
dangerous ramifications for those who rely on call restrictions to
protect themselves from estranged spouses or others who may be
harassing them.
Now I've learned about a website that not only offers the ability to
"spoof" one's caller ID, but also offers tools to change your voice
and record the conversation. What legitimate business use can one
imagine for these features?
We need to make certain that when someone receives a call, they can
trust the caller ID information is accurate. That's why I commend
Chairman Barton for his leadership on this bill and wish to join as
a cosponsor to ensure the caller ID is truthful.
I yield back the balance of my time.
PREPARED STATEMENT OF THE HON. PAUL E. GILLMOR, A REPRESENTATIVE IN
CONGRESS FROM THE STATE OF OHIO
Thank you for holding this important hearing. I also would like to
commend the full committee chairman, Chairman Barton, on his
leadership with this important piece of consumer protection legislation.
Mr. Chairman, the issue of "Caller ID" Spoofing is not a
matter to be taken lightly. Rather, it is an issue critical to
ensuring the safety and privacy of our constituents. In a rapidly
changing telecommunications environment, Chairman Barton's bill is a
simple and straight-forward way in addressing the need to provide
accurate caller ID information.
As an advocate for strong sex offender laws, I fear that
erroneous caller ID information may be utilized as another tool for
predators to locate their prey's location and personal information.
Additionally, as a member of the Financial Services Committee, I
hear all too often about how cases of identity theft have decimated
an individual's financial wellbeing. If not prevented, this too
could become a tool for identity thieves to deprive innocent victims
of their nest eggs-especially in areas, such as my northwest Ohio
district, that have a large concentration of elderly residents.
Mr. Chairman, this is an important issue that must be
addressed, and I applaud you, Chairman Barton, and Mr. Engel for not
allowing it to become lost as we deal with larger, more comprehensive
telecommunications reform issues. Finally, I look forward to hearing
the testimony from today's panel, and to working with you and
Chairman Barton to see that all of our constituents are properly
protected from the dangers posed by caller ID spoofing.
PREPARED STATEMENT OF THE HON. EDWARD J. MARKEY, A REPRESENTATIVE IN
CONGRESS FROM THE STATE OF MASSACHUSETTS
Good Morning. I want to commend Chairman Upton for calling this
hearing today on legislation addressing "caller ID spoofing".
"Spoofing" is when a caller masks or changes the caller ID
information of their call in a way that disguises the true
origination number of the caller. In many instances, a call
recipient may be subject to pre-texting through spoofing, which can
lead to fraud, personal ID theft, harassment, or otherwise put the
safety of the call recipient in danger. It is important that we
explore and analyze the use of spoofing to commit crimes and
otherwise harm the public interest. (We spent time earlier this
year on legislation addressing these important issues, which
disappeared into an intelligence-gathering black hole just before
it reached the House floor, but perhaps it will re-emerge soon.....)
On the other hand, lest we think that spoofing always has nefarious
aims, we must recognize that there may be circumstances when a
person's safety may be put in danger if their true and accurate
call origination information is disclosed as well.
What we seek in caller ID policy is balance. This has been the case
since we held hearings in the early 1990s on caller ID, where this
Subcommittee sought to take into account emerging caller ID technology
in a way that also allowed callers to block their origination number
on a per call or per line basis. Technology also allowed call
recipients to refuse to receive calls by anyone who was blocking
their caller ID information from going through.
While I believe the intent of the legislation before us today has a
noble objective, I do not yet believe it adequately strikes the
historic balance we have sought to achieve for consumer privacy
and security. For instance, Members of Congress often have direct
lines in their offices. In order to ensure that such lines do not
become generally public, and therefore remain useful to us, it may
be necessary to keep such direct numbers confidential and have the
out-going caller ID information indicate a different number at
which our offices can be reached for return calls. That gives
the recipient a legitimate phone number to call back, but keeps
confidential lines private.
There are many doctors, psychiatrists, lawyers, and other
professionals who would similarly like to keep direct, confidential
lines private in this way who have no intention of misleading
anyone. In addition, there may be instances, for example when a
woman at a shelter seeks to reach her children, when spoofing is
important to safeguard someone's safety. Moreover, informants to
law enforcement tip lines or whistleblowers have additional reasons
for why their calling information should remain private. We should
not outlaw any of these practices and I think the legislation needs
some improvement and clarification in these areas.
Finally, I don't think the Subcommittee can convene here today and
discuss spoofing, consumer privacy, and caller ID legislation
without addressing the elephant in the back of the room.
We passed a bill addressing consumer phone records unanimously
through this Committee earlier this Spring after due deliberation
and public hearings. That legislation was pulled from the House
floor apparently because intelligence entities sought changes to
it. With the recent revelations about the alleged program at the
National Security Agency to gather up the phone records of tens
of millions of Americans, I think this Committee needs to
investigate those issues in a timely manner as well and I hope
the Chairman will announce such hearing soon.
Again, I thank Chairman Upton for calling today's hearing and
look forward to working with him and our other colleagues on this
bill as we move forward.
MR. UPTON. We have four very good witnesses today: Mr. Tom Navin,
the Wireline Bureau Chief of the FCC; Ms. Staci Pies, Vice President
of PointOne Communications in Texas, on behalf of Voice on the Net
Coalition; Mr. Lance James, Chief Technology Officer of Secure
Science Corporation; and Mr. Mark Rotenberg, Executive Director of
Electronic Privacy Information Center here in Washington. We thank
you all for being here this morning. And before I yield the time,
Mr. Engel has just made it through the threshold for an opening
statement. Again, I complemented you on being an original sponsor
of the bill with Mr. Barton. I appreciate you being here.
MR. ENGEL. Thank you. Thank you, Mr. Chairman. Yes, I am
a poor substitute for Mr. Markey today, but I want to thank you for
quickly scheduling this hearing. I really, as you know, have worked
really closely with you, and I think you have been an exemplary
Chairman, and I have no problem saying that publicly and privately
as well.
I support this bill obviously to combat caller ID fraud,
since I have added my name as the primary co-sponsor. When we were
finding out about these things, you and I had had much discussion
about it as I have with Jim Gordon, and this really seemed like a
no-brainer, this legislation, that really should be supported by
everyone in this Congress. I also strongly support regular
procedure, our colleagues are due the opportunity to learn about
the issue as well, and provide their own input. The bill is a good
bill. We need to continue to work to improve it, and I think that
we will do that, working across party lines.
I have been working with my colleagues for years now on
issues of privacy and identity theft. On each and every time we
plug one hole, crafty criminals come up with another way to commit
fraud. Recently on television, I was asked how come we cannot stay
ahead of the curve with getting the bad guys. And I said, well, you
know, the problem with this is they have to commit the fraud, and
then we realize the things that they are doing, and we always sort
of play catch-up with them. I have read news reports that criminals
are using these technologies to get people to give out private
information that they would never give out, except that they think
they are receiving a legitimate call from their bank, or a hospital,
or even a local courthouse, or even Congress. I have also read about
our colleague Tim Murphy being a victim in his capacity as a Member
of Congress, and that I heard that our colleague and committee member
Heather Wilson has also been a victim.
At this point, it became apparent to me that there are people
who seek to use these technologies to strike at the heart of our
democracy. They could well be planning to interfere with elections.
That is an assault on the democratic process, obviously. Leaving
fake messages that are insulting or incendiary on a public person's
voice mail that identifies the caller as an elected official or
candidate for public office can threaten the very nature of our
electoral process, and we can see how it could be used politically
to try to change or subvert the electoral process.
We have struggled to clean up our campaigns with greater
disclosure and bans on soft money. We should not let that hard work
be destroyed by a few unscrupulous acts. So the Truth in Caller ID
Act will give us another tool to use to combat identity theft and
even election fraud.
I thank the Chairman for his attention to this matter, and
I would like to ask unanimous consent to enter into the record a
letter from the National Network to End Domestic Violence.
Protecting victims of domestic violence has been a major issue
for this Congress, and I agree with them that the Truth in Caller
ID Act must not cause us to backtrack. So I ask unanimous consent
for that.
MR. UPTON. Without objection.
[The information follows:]
MR. ENGEL. I thank you, Mr. Chairman. I thank you for your
attention, and look forward to hearing from the witnesses, and yield
back.
[The prepared statement of Hon. Eliot Engel follows:]
PREPARED STATEMENT OF THE HON. ELIOT ENGEL, A REPRESENTATIVE IN
CONGRESS FROM THE STATE OF NEW YORK
Mr. Chairman -
I want to thank you for quickly scheduling this hearing. Obviously,
I support this bill to combat Caller ID fraud - since I have added
my name as the primary cosponsor.
But, I also strongly support regular procedure. Our colleagues are
due the opportunity to learn about the issue as well and provide
their own input.
The bill before us today is a good bill but I believe there is room
for improvement. Working together, across party lines, will make
this a better bill.
For years now, I have been working with my colleagues on issues of
privacy and identity theft. Each and every time we plug one hole,
crafty criminals come up with another way to commit fraud.
I've read news reports that criminals are using these technologies
to get people to give out private information that they would never
give out except that they think they are receiving a legitimate call
from their bank or even local court house.
I also have read about our colleague Tim Murphy being a victim in
his capacity as a Member of the House. Then I learned our colleague
Heather Wilson has also been a victim.
At that point it became apparent to me that there are people who
seek to use these technologies to strike at the heart of our democracy.
They could well be planning to interfere with elections. That is an
assault on the democratic process.
Leaving fake messages that are insulting or incendiary on a person's
voicemail that identifies the caller as an elected official or
candidate for public office threatens the very nature of our
electoral process.
We have struggled to clean up our campaigns with greater disclosure
and bans on soft money. We should not let that hard work be
destroyed by a few unscrupulous actors.
The Truth in Caller ID Act will give us another tool to use to combat
identity theft and even election fraud.
I thank the chairman for his attention to this matter, look forward
to hearing from the witnesses and yield back.
MR. UPTON. The gentleman yields back. Again, I thank you
for your leadership on this issue, and I look forward to working
with you, as well as with Chairman Barton in moving this legislation
quickly through our Committee and to the floor. And with that, I
recognize the distinguished Chairman of the Full Committee, Mr.
Barton.
CHAIRMAN BARTON. Thank you, Chairman Upton, for calling
this hearing today on H.R. 5126, the Truth in Caller ID Act of 2006,
introduced by myself and Congressman Engel. This bill is necessary
to shut down the growing problem of manipulating caller ID
information. Caller ID so-called spoofing occurs when a caller
masquerades as someone else by falsifying the number that appears on
the recipient's caller ID display.
Everyone is familiar with the caller ID product that provides to a
consumer the name and number of who is placing an incoming call.
Unfortunately, caller ID "spoofing" is yet another tool available to
criminals to hijack the identities of consumers. For instance, the
AARP recently ran a "scam alert" when someone posing to be a
courthouse employee called a Sterling, Michigan woman claiming that
she had missed jury duty that week. The caller threatened that a
warrant was being issued for her arrest, and then asked to confirm
her Social Security number to verify her identity. This scam can
appear even more real when the con artist uses a caller ID
"spoofing" product which allows the con to display the name and
number of the courthouse on the caller ID box.
As with other scams, the internet is making caller ID
"spoofing" even easier. There are now websites that offer
subscribers, for a nominal fee, a simple web interface to caller ID
"spoofing" systems that let them appear to be calling from any number
they choose. Some of these web services boast that they do not
maintain logs, and fail to provide any contact information. Some
even offer voice scrambling services, which make the caller sound
like someone of the opposite sex.
Callers do not necessarily need to utilize a "spoofing"
website to manipulate caller ID information. Some providers of
Voice over Internet Protocol, or VoIP, services allow their
customers to tinker with the caller ID information. Certainly
this may not always be done for a deceptive or malicious purpose,
but it offers those who wish to do harm an easier way to part
consumers with their money.
I understand that the FCC is currently investigating the
caller ID "spoofing" problem, but I find it hard to believe that
today, there is no prohibition against sending false or deceptive
caller ID information. H.R. 5126, the Truth in Caller ID Act of
2006, would remedy that problem in short order.
H.R. 5126 specifically prohibits sending misleading or inaccurate
caller ID information. It covers traditional telephone service, as
well as VoIP calls, and provides a specific exemption for authorized
law enforcement actions. I understand that there may be a need for
additional exemptions, and I am anxious to hear from our witnesses
how the exemption issue should be handled as we move toward a
markup.
Consumers use caller ID services to protect themselves from
unwanted calls and contact, including from those who may want to do
them harm. They should be able to rely on the caller ID information
coming to them on a caller ID box, and H.R. 5126 will do just that.
I was one of the Congressmen that, in the mid-'90s, made sure
that caller ID was legal. There were members of this Committee who
did not wish to make caller ID a legal service. Thankfully, the
majority of the committee, then and now, supports caller ID. I
think the majority of this committee, with Mr. Engel's leadership,
is going to make sure that we make caller ID exactly what we
intended--that is a truthful identifier of who it is that is calling
your phone number.
Thank you, Chairman Upton, for holding this hearing today,
and I yield back the balance of my time.
[The prepared statement of Hon. Joe Barton follows:]
PREPARED STATEMENT OF THE HON. JOE BARTON, CHAIRMAN, COMMITTEE ON ENERGY AND COMMERCE
Thank you for calling this hearing today on H.R. 5126, the "Truth in
Caller ID Act of 2006," introduced by myself and Rep. Engel. This
bill is necessary to shut down the growing problem of manipulating
caller ID information. Caller ID "spoofing" occurs when a caller
masquerades as someone else by falsifying the number that appears
on the recipient's caller ID display.
Everyone is familiar with the caller ID product that provides to
a consumer the name and number of who is placing an incoming call.
Unfortunately, caller ID spoofing is yet another tool available to
criminals to hijack the identity of consumers. For instance, the
AARP recently ran a "scam alert" when someone posing to be a
courthouse employee called a Sterling, Michigan woman claiming that
she had missed jury duty that week. The caller threatened that a
warrant was being issued for her arrest and then asked her to
confirm her Social Security number, to verify her identity. This
scam can appear even more real when the con artist uses a caller
ID "spoofing" product which allows the con to display the name and
number of the courthouse on the caller ID box.
As with other scams, the Internet is making Caller ID spoofing even
easier. There are now websites that offer subscribers, for a
nominal fee, a simple web interface to caller ID spoofing systems
that lets them appear to be calling from any number they choose.
Some of these web services boast that they do not maintain logs and
fail to provide any contact information. Some even offer voice
scrambling services which make the caller sound like someone of the
opposite sex.
But a con artist does not necessarily need to utilize a spoofing
website to manipulate caller ID information. Some providers of
voice over Internet-Protocol, or VoIP, services allow their customers
to tinker with the caller ID information. Certainly, this may not
always be done for a deceptive or malicious purpose, but it offers
those who wish to do harm an easier way to part consumers with their
money.
I understand the FCC is currently investigating the caller
ID spoofing problem, but frankly, I find it hard to believe that
today, there is no prohibition against sending false or deceptive
caller ID information. H.R. 5126, the "Truth in Caller ID Act of
2006" remedies this problem.
H.R. 5126 specifically prohibits sending misleading or inaccurate
caller ID information. It covers traditional telephone calls as well
as VoIP calls, and provides a specific exemption for authorized law
enforcement actions. I understand that there may be a need for
additional exemptions, and I'm anxious to hear from our witnesses how
the exemption issue should be handled as we move toward markup.
Consumers use caller ID services to protect themselves from unwanted
calls and contact, including from those who may want to do them harm.
They should be able to rely on the caller ID information coming to
them on a caller ID box, and H.R. 5126 will do just that.
I want to thank the Chairman Upton for holding this hearing today
and I yield back my time.
MR. UPTON. All right. I thank my Chairman, not only for a
statement, but also for moving the caller ID legislation a number of
years ago. There is nothing, and particularly at dinnertime when
somebody calls, to know exactly who it is, so that we as consumers
know whether we should take that call or whether we are going to
have cold food for dinner. It is very important. But with that,
your statements are made part of the record, and we would like you
to try and keep your remarks to not more than five minutes, at which
point, when you are completed--all four of you--we will do questions.
Again, thank you for your travel to get here promptly on time.
Mr. Navin, we will start with you.
STATEMENTS OF TOM NAVIN, WIRELINE BUREAU CHIEF, FEDERAL COMMUNICATIONS
COMMISSION; STACI PIES, VICE PRESIDENT, POINT ONE COMMUNICATIONS, ON
BEHALF OF VOICE ON THE NET (VON) COALITION; LANCE JAMES, CHIEF
TECHNOLOGY OFFICER, SECURE SCIENCE CORPORATION; AND MARC ROTENBERG,
EXECUTIVE DIRECTOR, ELECTRONIC PRIVACY INFORMATION CENTER
start here
MR. NAVIN. Good morning, Chairman Upton and members of the
subcommittee. Thank you for the opportunity to speak about the
problem of caller identification, or caller ID, "spoofing".
As we have heard, caller ID services let customers identify
who is calling them by displaying the caller's telephone number, or
other information such as a name or business name, on the customer's
equipment before the customer picks up the phone. Caller ID
"spoofing" refers to a practice in which the caller ID information
transmitted with the telephone call is manipulated in a way that
misleads the call recipient about the identity of the caller. The
Commission is deeply concerned about reports that caller ID
information is being manipulated for fraudulent or other deceptive
purposes, and about the impact of those practices on the public trust
and confidence in the telecommunications industry. We also are
particularly concerned about how this practice may affect the public
safety and law enforcement communities.
The Commission addressed caller ID on the Public Switched
Telephone Network, or PSTN, in 1995, with Commission Rule 64.1601,
which generally requires all carriers using the Signaling System 7,
or SS7 protocol, to transmit the calling party number associated
with an interstate call to interconnecting carriers. This same
Commission rule also requires telemarketers to transmit accurate
caller ID information.
The development of Internet and IP technologies has made
caller ID "spoofing" easier than it used to be. Now, entities
using IP technology can generate false calling party information
and pass it into the PTSN, via SS7, with harmful real-life
consequences in such areas as public safety. For example, as we
have heard this morning, the Newark Star Ledger reported that
police in New Brunswick, New Jersey, shut down one city
neighborhood for hours, evacuating buildings and closing streets,
as a SWAT team surrounded an apartment house. Police had received
a call from a girl saying she had been handcuffed and raped in an
apartment when the call was, in fact, a hoax. This massive police
deployment occurred because the caller ID had been "spoofed" to
make the call appear to come from the apartment. Hoaxes like these
divert our local public safety resources away from where they are
so desperately needed, responding to real emergencies and real
threats to our homeland security.
I note that the Committee is considering imposing
restrictions on Voice over Internet Protocol, or VoIP providers,
that facilitate hoaxes and other harmful practices through caller
ID "spoofing". As you know, there are many varieties of VoIP, and
the definition of VoIP in this bill, as well as other proposed
legislation, could be interpreted to exclude many of them from the
reach of the FCC. As the House of Representatives considers
legislation affecting VoIP, it should be aware that a restrictive
definition of VoIP here, or in other legislation, might establish a
statutory precedent that would restrict the Commission's authority to
assist public safety and law enforcement in other contexts.
At present, my colleagues in the Commission's enforcement
bureau are actively pursuing the issue of caller ID "spoofing".
They have issued letters of inquiry or subpoenas to several entities
who are apparently engaged in marketing and selling caller ID "spoofing"
services to customers. The enforcement bureau continues to gather and
analyze information about these companies' practices, their networks,
their businesses, and their customers, and other germane information,
as well as to analyze enforcement options, some of which may be
limited to entities that are not regulated by the Commission. In
addition, the enforcement bureau has met with carriers, assembled
internal technical experts to address the problem, and begun
coordinating with the Federal Trade Commission regarding its efforts
to address this problem.
In conclusion, the intentional manipulation of caller ID
information, especially for the purposes of fraud or deception,
is a troubling development in the telecommunications industry.
As Chief of the Wireline Competition Bureau at the FCC, I share
your concern about this practice. I look forward to working with
this Committee, other members of Congress, Chairman Barton, and
the Commission, to ensure the public maintains its confidence in
the telecommunications industry. Thank you for the opportunity
to speak here today.
[The prepared statement of Thomas J. Navin follows:]
PREPARED STATEMENT OF THOMAS J. NAVIN, WIRELINE BUREAU CHIEF, FEDERAL COMMUNICATIONS COMMISSION
Good morning Chairman Upton, Ranking Member Markey and members of the
Subcommittee. Thank you for the opportunity to speak about the problem
of caller identification or "caller ID" spoofing.
As you know, caller ID services let customers identify who is calling
them by displaying the caller's telephone number or other information
- such as a name or business name - on the customer's equipment
before the customer picks up the phone. "Caller ID spoofing" refers
to a practice in which the caller ID information transmitted with a
telephone call is manipulated in a way that misleads the call
recipient about the identity of the caller. The use of Internet
technology to make phone calls has apparently made caller ID spoofing
even easier. The Commission is deeply concerned about reports that
caller ID information is being manipulated for fraudulent or other
deceptive purposes and the impact of those practices on the public
trust and confidence in the telecommunications industry. We are
concerned about how this practice may affect the public safety and
law enforcement communities in particular.
In my testimony, I will first provide a brief technical background
on caller ID spoofing. Then, I will describe the Commission's
rules addressing caller ID services and the steps the FCC is
taking to make sure that providers are fully meeting their
obligations under the Communications Act and the Commission's
rules and orders.
As a technical matter, caller ID spoofing happens by manipulating
the data elements that travel with a phone call. Phone calls on the
public switched telephone network, or PSTN, are routed to their
destinations by means of a specialized protocol called the
Signaling System 7, or SS7. Among other things, SS7 conveys
information with a call such as the telephone number of the
caller. The SS7 information for a call is provided by the carrier
that the caller uses to place the call. Caller ID, then, displays
that caller's number to the called party. Caller ID spoofing is
accomplished by manipulating the SS7 information associated with
the call.
The Commission addressed caller ID on the PSTN in 1995 with rule
64.1601, which generally requires all carriers using SS7 to
transmit the calling party number associated with an interstate
call to interconnecting carriers. The same Commission rule also
requires telemarketers to transmit accurate caller ID information.
The development of Internet and IP technologies has made caller
ID spoofing easier than it used to be. Now, entities using IP
technology can generate false calling party information and pass
it into the PSTN via SS7. In one particularly harmful way, caller
ID spoofing threatens our public safety. Spoofers can fabricate
emergency calls and cause local law enforcement and public safety
agencies to deploy their resources needlessly. The Newark
Star-Ledger reported that police in New Brunswick, New Jersey shut
down one city neighborhood for hours, evacuating buildings and
closing streets as a SWAT team surrounded an apartment house.
Police had received a call from a girl saying she had been
handcuffed and raped in the apartment, when the call was a
hoax. Caller ID had been spoofed to make the call appear to
come from the apartment. Hoaxes like these divert our local
public safety resources away from where they are so desperately
needed - responding to real emergencies and real threats to our
homeland security.
My colleagues in the Commission's Enforcement Bureau are actively
pursuing the issue of caller ID spoofing. They have issued letters
of inquiry or subpoenas to several entities who are apparently
engaged in marketing and selling caller ID spoofing services to
customers. The Enforcement Bureau continues to gather and analyze
information about these companies' practices, their networks, their
businesses, their customers, and other germane information, as well
as analyze enforcement options, some of which may be limited as to
entities that are not regulated by the Commission.
In addition, the Enforcement Bureau has met with carriers, assembled
internal technical experts to address the problem, and begun
coordinating with the Federal Trade Commission regarding its efforts
to address this problem.
Finally, I note that the Committee is considering imposing
restrictions on voice over Internet protocol, or VoIP providers
that facilitate caller ID spoofing. As you know, there are many
varieties of VoIP, and the definition of VoIP in this bill, as well
as other proposed legislation, could be interpreted to exclude many of
them from the reach of the Commission. As the House of
Representatives considers legislation affecting VoIP, it should be
aware that a restrictive definition of VoIP here or in other
legislation might establish a statutory precedent that would restrict
the Commission's authority to protect life and property in both the
public safety and law enforcement contexts.
In conclusion, the intentional manipulation of caller ID information,
especially for the purposes of fraud or deception, is a troubling
development in the telecommunications industry. As chief of the Wireline
Competition Bureau at the FCC, I share your concern about this practice.
I look forward to working with this Committee, other Members of Congress,
Chairman Martin and the Commission to ensure the public maintains its
confidence in the telecommunications industry. Thank you for the
opportunity to speak with you today.
MR. UPTON. Thank you. Ms. Pies?
MS. PIES. Thank you, Chairman Upton, Ranking Member Markey, and
members of the subcommittee. My name is Staci Pies. I am Vice
President of Governmental and Regulatory Affairs for PointOne, a
VoIP provider, and President of the Voice on the Net Coalition,
the VON Coalition, which is the voice of the VoIP industry. On
behalf of the VON Coalition, I thank the Subcommittee for this
opportunity to testify about this important issue.
Before I address caller ID in particular, I would like to
commend Chairman Barton for his leadership in the committee and
subcommittee for taking action in the recent COPE bill to accelerate
the availability of VoIP, and the ability to deliver E911 information
along with 911 calls. Particularly with respect to members, the
creation of a national emergency routing number administration will
assure that VoIP providers can obtain necessary pseudo-numbers in a
timely fashion.
VoIP providers who have made real strides in leveraging the
power of caller ID to provide innovative services to consumers
support this committee's effort to protect the integrity of caller
ID functionality. We fully agree that strong action must be taken
against those that intentionally "spoof" caller ID with the intent
to commit fraud, deceive, harass, or otherwise create threats to
life and limb, as mentioned by Mr. Engel. Congress is right to
focus its intention on those who would do so.
VoIP is burgeoning in popularity with consumers and businesses
because it can do what plain old telephone service does, but often
much, much more. VoIP allows consumers to take control over their
communications experience, to manage how they use those services, and
to decide when and where they want to receive calls. With VoIP, I
can direct certain calls to my work phone and others to my home or
mobile phone. I can screen calls and designate some calls at
specific times of day, for instance, during the family dinner hour,
to be sent straight to voice mail. Some VoIP services even flash
caller ID information on the TV screen, making it an easier decision
to ignore the call in favor of C-SPAN. VoIP providers allow
consumers to integrate technologies in innovative ways, to bring the
power and potential of the Internet to voice communications.
Many of the great benefits of VoIP to consumers and business
users depend on accurate and non-misleading identification of the
calling party. Businesses that use caller ID to call up a customer's
account record so that it is immediately available to the customer
service representative will not find the record very useful if it is
the wrong record because the caller ID has been "spoofed". At the
same time, VoIP often allows users greater control over their
personal privacy by allowing them to block the caller ID with a click
of a mouse.
As Congress addresses deceptive "spoofing," though, we urge
you to keep in mind that in some legitimate instances, it can be
necessary or desirable to change caller ID information where the
purpose is not to mislead or deceive, or where the modification is
necessary for a public purpose. The bill recognizes, for example,
that law enforcement may need to mask the true identity of an
originating telephone number. This is not the only legitimate need
to change caller ID information.
I would like to share five examples:
As referenced by Mr. Terry, the FCC has created specific rules
regarding what kind of caller ID information telemarketers should
send, in order to empower consumers to take steps to protect their
privacy. Barring any change to calling ID information would prohibit
compliance with this FCC rule.
Second, one of the benefits of VoIP is that it can help a
consumer better protect her own privacy and manage which of her personal
information she presents to the world, irrespective of which
communications device she picks up to initiate a call. Calls for
different purposes, personal versus business, may merit different
telephonic return addresses, as one might do with ordinary mail.
This is not meant, however, to sanction masquerading as another.
Third, there are also situations in which caller ID
information can endanger individual safety. Of course, as mentioned
this morning, the classic situation is battered spouse. In some
instances, blocking the delivery of caller ID information might be
sufficient, but any legislation should be careful about presuming
that blocking will always be adequate.
A fourth example is that in some circumstances, such as
with forwarded calls, caller ID information needs to be altered to
ensure that the original calling party's number is transmitted as
the caller ID information rather than an intermediate number.
And, finally, as I referenced at the beginning of my
remarks, for E911 systems, pseudo-numbers need to be inserted and
used, as this Committee has recognized in the COPE bill.
I would like to close with three additional thoughts. First,
that "spoofing" of caller ID is not new. Tools have been widely
available for years to "spoof" caller ID on traditional networks.
As Tom mentioned, the Commission has already addressed these issues.
One website even allows the ability to download "spoofing" software
from the Internet, and then you can just use a common tape recorder
to "spoof" the caller ID.
Second, fighting misleading and deceptive changes in caller
ID is only part of the solution. Companies handling sensitive
information must also make sure they are handling that information
with care.
And third, misleading people through the misuse of caller ID,
whether for a prank, or scam, or worse, is unacceptable. This
Committee is right to focus on those who intend to mislead. At the
same time though, legislation should not impose liability on
traditional carriers or VoIP service providers who merely transmit
what may turn out to be altered caller ID information. When good
technology is used for bad purposes, we would like to make sure that
it is the bad use of the technology, not the unknowing technology
itself which carries the burden.
In focusing on those few people who would abuse caller ID
technology, Congress can address the very real problem of "spoofing"
effectively, in a cost-efficient manner that protects the proper use
of this technology. Together, with this committee's previous efforts
to enable consumers to take advantage of VoIP benefits, we believe
VoIP is in position to help make communicating more affordable,
businesses more productive, jobs more plentiful, the Internet more
valuable, and Americans more safe and secure.
Thank you very much. I am happy to answer any questions I
can.
[The prepared statement of Staci Pies follows:]
PREPARED STATEMENT OF STACI PIES, VICE PRESIDENT, POINTONE
COMMUNICATIONS, ON BEHALF OF VOICE OF THE NET (VON) COALITION
Thank you, Chairman Upton, Ranking Member Markey, and members of the
Subcommittee. My name is Staci Pies. I am Vice President,
Governmental and Regulatory Affairs, of Point One, a VoIP provider,
and President of the Voice on The Net or VON Coalition - the voice for
the VoIP industry. On behalf of the VON Coalition, I thank the
Subcommittee for the opportunity to testify about this important issue.
Before I address caller ID in particular, I would like to
commend the Committee and Subcommittee for taking action in the recent
COPE bill to accelerate the ability of VoIP to deliver E911 information
along with 911 calls. Those provisions, along with what I hope will
be a liability provision that can be adopted when the bill comes before
the full House, help ensure that VoIP providers can accelerate E911
solutions through access to the necessary facilities, databases and
numbers required to deliver E911. Particularly with respect to
numbers, the creation of a national emergency routing number
administrator will ensure that VoIP providers can obtain necessary
pseudo-ANI numbers in a timely fashion. Leaders from this committee
have written to the FCC suggesting they create such an administrator,
and so have standards groups, but to date the FCC has unfortunately
not done so. That makes it important that this committee adopt E911
legislation this year.
VoIP is burgeoning in popularity with consumers because it
can do what Plain Old Telephone Service does - and often much much
more. VoIP allows consumers to take control over their communications
experience, to manage how they use those services and to decide when
and where they want to receive calls. With VoIP, I can direct certain
calls to my work phone, and others to my home or mobile phone. I can
specify in what order I want my devices to be rung. I can screen
calls and designate some calls at specific times of the day (for
instance, during the family dinner hour) to be sent straight to
voice mail. Some VoIP services even flash caller ID information on
the TV screen, making it an easy decision to ignore the call in
favor of . . . CSPAN. VoIP allows consumers to integrate
technologies in innovative ways - it allows them to integrate voice
mail, text messages, and voice services; to bring the power and
potential of the Internet to voice communications.
These Internet based voice advances are giving consumers new
choices, better prices, and advanced new features.
Many of the great benefits of VoIP to consumers and business users
depend on accurate and non-misleading identification of the calling
party. If I program my VoIP service to ensure that calls from my
son's school are simultaneously rung on all of my phones, I don't
want to answer it and find out that some telemarketer has spoofed
the number to fool me into believing it is a priority call. And
businesses that use caller ID to call up a customer's account record
so that it is immediately available to the customer service
representative won't find the record very useful if it is the wrong
record because the caller ID has been spoofed. To protect the
usefulness of their services, VoIP providers have a strong interest
in having Caller ID be accurate and non-misleading. At the same
time, VoIP often also allows users greater control over their
personal privacy by allowing them to block their caller-ID with the
click of a mouse.
Moreover, we fully agree that strong action must be taken
against those that intentionally spoof Caller ID with the intent to
commit fraud, deceive, harass or otherwise create threats to life
and limb. Media reports about spoofers calling police and drawing
out SWAT teams are inexcusable and potentially life threatening.
A stalker spoofing Caller ID to harass victims, or identity thieves
pretending to be their victims are things every American should
care about. Spoofing to deceive, defraud, or harass cannot and
should not ever be condoned or tolerated. Congress is right to
focus its attention on those who would do so.
As Congress addresses deceptive spoofing, though, we urge
you to keep in mind that in some legitimate instances it can be
necessary or desirable to change caller ID information - where the
purpose is not to mislead or deceive, or where the modification is
necessary for a public purpose. The bill recognizes, for example,
that law enforcement may need to mask the true identity of an
originating telephone number. This is not the only legitimate need
to change caller id information. I'd like to share five examples:
* First, the FCC has created specific rules regarding what kind of
caller ID information telemarketers should send. Telemarketers are
required to transmit as caller ID a number to which a consumer can
make a do-not-call request, rather than the telephone number from
which the call is placed. The FCC did so deliberately in order to
empower consumers to take steps to protect their privacy. Barring
any change to caller ID information could prohibit compliance with
this FCC rule.
Second, one of the benefits of VoIP is that it can help a consumer
better protect her own privacy and manage which of her personal
information she presents to the world, irrespective of which
communications device she picks up to initiate a call. Consumers
may want to direct return calls to a home or business landline,
rather than a wireless number, for example. Calls for different
purposes (personal versus business) may merit different telephonic
return addresses, as one might do with ordinary mail. This is not
meant, however, to sanction masquerading as another.
Third, there are also some situations in which caller ID
information can endanger individual safety. The classic situation
is the battered spouse. In some instances, blocking the delivery
of caller ID information might be sufficient. But any legislation
should be careful about presuming that blocking will always be
adequate.
A fourth example is that, in some circumstances, such as with
forwarded calls, caller ID information needs to be altered to ensure
that the original calling party's telephone number is transmitted as
caller ID, rather than an intermediate number.
And finally, as I mentioned at the beginning of my remarks, for
E911 systems pseudo ANIs need to be inserted and used as this
committee has recognized in the COPE bill.
I'd like to close with three additional thoughts. First, spoofing
of Caller ID is not new. Tools have been widely available for years
to spoof Caller ID on traditional networks. One website offers the
ability to download spoofing software from the Internet which then
allows a common tape recorder to spoof caller ID.
Second, fighting misleading and deceptive changes in Caller ID is
only part of the solution. Companies handling sensitive customer
information must also make sure they are handling that information
with care. While Caller ID can help a business retrieve a
customer's account record, as long as Caller ID can technically be
spoofed (which will be the case even with new legislation) the
business needs to handle disclosure of those records with the utmost
care - making consumer privacy their top priority.
Third, misleading people through the misuse of caller ID,
whether for a prank, a scam, or worse, is unacceptable. This
Committee is right to focus on those who intend to mislead. At the
same time, though, legislation should not impose liability on
traditional carriers and VoIP services providers who merely transmit
what may turn out to be altered caller ID information When good
technology is used for bad purposes we'd like to make sure it's the
bad use of the technology, not the unknowing technology itself,
which carries the burden. Networks and network service providers
may be unable and should not be required to become "content police"
or to discern legitimate and illegitimate uses of network services.
Instead, service providers are best able to assist in the efforts to
fight spoofing by keeping accurate records and making those records
available as appropriate to proper authorities. In focusing on
those few people who would abuse caller ID technology, Congress can
address the very real problem of spoofing effectively, in a cost-
efficient manner that protects the proper use of this technology.
VoIP service providers, who have made real strides in leveraging
the power of Caller ID to provide innovative services to consumers,
fully support this Committee's efforts to protect the integrity of
caller ID functionality. Together with this committee's previous
efforts to enable consumers to take advantage of VoIP benefits, we
believe VoIP is positioned to help make communicating more
affordable, businesses more productive, jobs more plentiful, the
Internet more valuable, and Americans more safe and secure.
Thank you very much. I am happy to answer any questions I can.
MR. UPTON. Thank you. Mr. James?
MR. JAMES. Good morning.
MR. UPTON. That button.
MR. JAMES. Good morning, Mr. Chairman, Mr. Engel, and other members
of the committee. I want to thank you for giving me the opportunity
to speak on this topic today, a very important issue.
As one of the founders of Secure Science Corporation, an
Internet security and research company, I personally witness the
extent to which the abuse and misuse of Caller ID can have. In
August of 2004, our investigation team discovered that two of the
Nation's largest telecommunications providers, T-Mobil and Verizon,
were vulnerable to a technique known as caller ID "spoofing". This
technique is entirely reliant upon the manipulation of caller ID to
be successful and enables the attacker's access to individual
customer's voicemails without using a PIN code, violating both
customer privacy and authentication protocols to cellular and
land-line voicemail networks.
Similar intrusions, also known as exploits, include unauthorized
termination of customer accounts, anonymous automatic phone SPAM,
and the potential to gain full administrative control over a major
telecommunications network that serves both businesses and
residential phone lines. This last possibility is one of the
greatest concerns in conjunction with the inappropriate and unlawful
uses of caller ID and could even be viewed as a threat to national
security in much the same way as the destabilization of a utilities
plant or traffic control station could be.
Other exploits employing caller ID "spoofing" have been
used by criminals who con unsuspecting victims out of money and in
many cases their identity. These individuals are titled as phishers
and the activity is phishing, spelled with a p-h. This activity
involves the utilization of information gained illegally by breaking
into a potential victim's voice mail account. This in turn allows
the phishers to further victimize customers by using, for example,
billing information to steal identities and garner even more
personal information from other sources. Conversely, phishers will
use caller ID "spoofing" in order to pose as a victim's bank and
phish the account via phone. This same method is also used to lure
wire transfer delivery services, such as Western Union, into
authorizing fraudulent transfers over the phone. Additionally,
phishers will verify their access to the stolen accounts by using the
victim's contact numbers in an attempt to validate account
availability and amounts by calling the banks themselves and
"spoofing" the caller ID as the user of the account.
Because of the level and quantity of illegal activities
participated in by phishers, anonymity is one of their primary
objectives. Caller ID "spoofing" enables them not only to communicate
covertly with one another, but also provides them with an advantage
against law enforcement agencies. As a direct result, the phishers
continue their operations all the while evading subpoena attempts.
The aforementioned instances are just some of the many ways
in which the fraudulent uses of caller ID are being employed today.
Our company's research alone demonstrates that more than 75 percent
of the transactions and/or "spoofed" calls made on providers'
networks were with mal-intent. This was actually conducted by--we
work a lot with Anti-Fraud, with covert calling web services out
there--companies that do caller ID "spoofing". And we basically help
them try to eliminate the fraud. But we are seeing about 75 percent
of the activity is actually fraudulent.
Despite the dark side of caller ID "spoofing," there are very
tangible benefits associated with this technique when used in a
responsible manner. Secure Science Corporation is often called upon
to assist companies who provided automated caller ID "spoofing"
service to detect and prevent fraudulent activity on their network.
And in order to do this successfully, it is not unusual for us to aid
law enforcement by using caller ID "spoofing" techniques to track
down these perpetrators. By accessing the very information they
attempt to conceal, phishers and other criminals are not successful
in their evasive actions, thus increasing the amount of successful
investigations with law enforcement involvement brought forth against
them. We use a technique that actually allows us to track down the
phone numbers they are using. And we have to use a caller ID
manipulation technique to do these type of techniques, so there are
some very legitimate applications, especially in law enforcement.
One of the most common reasons for the manipulation of caller
ID information is executed by the vast majority of Voice over IP
companies, as well as those businesses which use private branch
exchanges, better known as PBXs. In this case they appropriately
utilize the technique so as to provide their telephone communications
user with a viable and fiscally prudent alternative to traditional
long distance services. One such legitimate caller ID "spoofing" is
the transmission of the caller's home telephone number on a Voice
over IP call.
With respect to the positive and welcomed uses affiliated with
caller ID "spoofing" such as research, investigative tactics, and
public services, it is my recommendation as a representative of the
information security community that the exemption to this bill be
either expanded to include the above mentioned uses, or that the term
"illicit" be added to the general wording of the bill. This way, the
legitimate academic and commercial entities and the law enforcement
agencies they aid, will not unduly suffer the effects of this
proposed Act.
The implementation of the Truth in Caller ID Act of 2006 will
without a doubt prove to be instrumental in the fight against the
criminal activities in, and the abuse of, our Nation's telephone
communication systems. By recognizing this bill as an amendment to
the Communications Act of 1934, our government will continue to send
the message of intolerance towards those who seek to take advantage
of burgeoning technologies for illegal and/or unethical use .
Thank you very much.
[The prepared statement of Lance James follows:]
PREPARED STATEMENT OF LANCE JAMES, CHIEF TECHNOLOGY OFFICER, SECURE
SCIENCE CORPORATION
The "Truth in Caller ID Act of 2006" is being introduced with the goal
of preventing criminal activities and/or the obstruction of justice
with respect to the manipulation of caller identification information.
As one of the founders of Secure Science Corporation, an Internet
security and research company, I have personally witnessed the extent
to which the abuse and misuse of caller ID can have. In August of
2004, our investigation team discovered that two of the Nation's
largest telecommunications providers (T-mobile, Verizon) were
vulnerable to a technique known as "Caller-ID Spoofing". This
technique is entirely reliant upon the manipulation of Caller ID to
be successful and enables the attacker access to individual
customer's voicemail without using a PIN code, violating both
customer privacy and authentication protocols to cellular and
land-line voice mail networks. Similar intrusions, also known as
"exploits", include unauthorized termination of customer accounts,
anonymous automatic phone SPAM, and the potential to gain full
administrative control over a major telecommunications network that
serves both business and residential phone lines. This last
possibility is one of the greatest concerns in conjunction with the
inappropriate and unlawful uses of caller ID and could even be viewed
as a threat to national security in much the same way as the
destabilization of a utilities plant or traffic control station
would be.
Other exploits employing Caller ID Spoofing have been used by
criminals who con unsuspecting victims out of money and in many
cases their identity (also called "Phishers" and their methods
"Phishing"). This activity involves the utilization of information
gained illegally by breaking into a potential victim's voice mail
account. This in turn allows the phishers to further victimize
customers by using, for example, billing information to steal
identities and garner even more personal information from other
sources. Conversely, Phishers will use Caller ID Spoofing in order
to pose as a victim's bank and phish the account via phone. This
same method is also used to lure wire transfer delivery services
(such as Western Union) into authorizing fraudulent transfers over
the phone. Additionally, Phishers will verify their access to the
stolen accounts by using the victim's contact numbers in an attempt
to validate account availability and amounts.
Because of the level and quantity of illegal activities participated
in by Phishers, anonymity is one of their primary objectives. Caller
ID Spoofing enables them to not only communicate covertly with one
another, but also provides them with an advantage against law
enforcement agencies. As a direct result, the Phishers continue
their operations all the while evading subpoena attempts.
The aforementioned instances are just some of the many ways in
which the fraudulent uses of Caller ID are being employed today.
Our company's research alone demonstrates that more than 75% of the
transactions and/or spoofed calls made on providers' networks were
with mal-intent.
Despite the dark side of Caller ID Spoofing, there are very tangible
benefits associated with this technique when used in a responsible
manner. Secure Science Corporation is often called upon to assist
companies who provide automated Caller ID Spoofing services to detect
and prevent fraudulent activity on their network. In order to do this
successfully, it is not unusual for us to aid law enforcement by using
Caller-ID Spoofing techniques to track down these perpetrators.
By accessing the very information they attempt to conceal, Phishers
and other such criminals are not successful in their evasive actions,
thus increasing the amount of successful investigations with law
enforcement involvement brought forth against them.
One of the most common reasons for the manipulation of Caller ID
information is executed by the vast majority of Voice-Over-IP
companies, as well as those businesses which use Private Branch
Exchanges, better known as PBX's. In this case they appropriately
utilize the technique so as to provide their telephone
communications users with a viable and fiscally prudent alternative
to traditional long distance services. One such legitimate use of
Caller ID Spoofing is the transmission of the caller's home telephone
number on a Voice-over-IP call".
With respect to the positive and welcomed uses affiliated with
"Caller ID Spoofing" such as research, investigative tactics, and
public services, it is my recommendation as a representative of the
information security community that the exemption to this Bill be
either expanded to include the above mentioned uses, or that the term
"illicit" be added to the general wording of the Bill. This way, the
legitimate academic and commercial entities (and the law enforcement
agencies they aid) will not unduly suffer the effects of this proposed
Act.
The implementation of "The Truth in Caller ID Act of 2006" will
without a doubt prove to be instrumental in the fight against the
criminal activities in, and the abuse of, our nation's telephone
communication systems. By recognizing this Bill as an amendment to
the "Communications Act of 1934", our government will continue to
send the message of intolerance towards those who seek to take
advantage of burgeoning technologies for illegal and/or unethical
use.
Lance James
Chief Technology Officer
Secure Science Corporation
MR. UPTON. Five seconds to spare. You did very well.
Mr. Rotenberg MR. ROTENBERG. Thank you very much, Chairman Upton,
Mr. Engel, members of the subcommittee. My name is Marc Rotenberg.
I am Director of the Electronic Privacy Information Center.
We focus on emerging privacy issues. We appreciate the opportunity
to be before the subcommittee again and to testify on the Truth in
Caller ID Act, H.R. 5126.
From our perspective, there are two different privacy
interests at issue here. The first, of course, concerns the privacy
interest of the person's telephone number who would be disclosed to
the call recipient. And there are many legitimate circumstances
under which a person would rightfully not want to have their
telephone number disclosed. Both Ms. Pies and Mr. James have
described instances in their industry and their research where they
would also see customers who would not provide their own telephone
number or would, for legitimate business purposes, provide someone
else's telephone number. But of course, there are also
circumstances under which providing a number that is not your own
can lead to fraudulent activity, can place public safety at risk.
And so we certainly understand the intent of the bill's sponsors to
ensure that misrepresenting a person's telephone number does not
enable any type of conduct that is criminal or puts the public at
risk.
This debate is very similar, in fact, to the debate that took
place when the caller ID service was originally offered. And as you
may recall at that time, Congress worked with the FCC and the State
public utility commissions to establish some privacy safeguards,
such as per call blocking or per line blocking, to ensure that people
who have a legitimate reason to withhold the disclosure of their
telephone number would be protected.
So our view regarding this legislation is that it is
appropriate to protect both privacy interests. And the way to do
that would be to distinguish between the legitimate and illegitimate
types of "spoofing" that might occur. And I think the simple way
that you could accomplish this goal would be to add an intent
requirement, so that you would make the illegitimate "spoofing" of a
telephone number, that which occurs with the intent to defraud or
harass the call recipient. I think that would cover virtually all
of the circumstances that have been described so far and at the same
time ensure that the legitimate uses by businesses and by residential
telephone customers would be protected.
I also indicate in the testimony that particularly with the
introduction of new Internet-based telephone services, such as Voice
over IP, where people will be providing different types of information
in the network environment, I think there are actually some First
Amendment issues where people who might be broadcasting information
over Voice over IP service would have the right to withhold their
identity. And I think that is an interest that the Supreme Court has
recognized and certainly one that Congress would not want to prohibit
people from acting upon.
So I think in addition to protecting the privacy of telephone
customers, there are also important free speech reasons why people
should not be required to dispose their personal telephone numbers,
unless they intend to cause harm, to engage in fraud, or to harass.
There are, as you know, Mr. Chairman, statutes that are also
available to punish those types of activities when hey occur.
Finally if I may, I wanted to say just a brief word about our
filing yesterday at the FCC regarding the recent disclosure concerning
the possibility that the National Security Agency may have established
a large database on call detail information. I understand that this
issue is a little bit outside the purview of the Subcommittee, but at
the same time it is very much related to this issue about the privacy of
telephone numbers. We have asked the Chairman of the FCC, Mr. Martin,
to open an investigation into the question of whether Section 222,
which was the provision of the Communications Act that requires
telephone companies to protect the privacy of the call record
information that they have obtained has been violated. We very much
hope that the members of the Subcommittee will support that effort.
We know that Mr. Markey has already indicated that he believes that
the FCC should undertake an investigation in this matter, and
Commissioner Michael Cobbs has expressed support for that as well.
Anyway, these are the main points of my testimony. As I said,
I think it is important to distinguish between the legitimate and
illegitimate circumstances where caller ID "spoofing" might occur.
And I would be pleased to answer your questions.
[The prepared statement of Marc Rotenberg follows:]
PREPARED STATEMENT OF MARC ROTENBERG, EXECUTIVE DIRECTOR, ELECTRONIC
PRIVACY INFORMATION CENTER
Chairman Upton, Ranking Member Markey, and members of the
subcommittee, thank you for the opportunity to testify today on
caller ID spoofing and H.R. 5126, the Truth in Caller ID Act of
2006. My name is Marc Rotenberg and I am President and Executive
Director of the Electronic Privacy Information Center. EPIC is a
non-partisan research organization based in Washington, D.C. that
seeks to focus public attention on emerging civil liberties issues
and to protect privacy, the First Amendment, and constitutional
values.
Two separate and important privacy interests meet in the issue
of caller ID spoofing. First, there is the right of a caller not to
have his or her identity broadcast with every phone call made. There
are many circumstances where it is not necessary for a person's phone
number to be disclosed. In fact, in some cases, a person's safety may
be placed at risk. Second, there is the right for call recipients to
be free from pretexting and other fraud that can lead to the loss of
their privacy, and the threats of stalking, identity theft, and
harassment.
The bill as currently drafted does not adequately protect both
interests. EPIC recommends that any ban on caller ID spoofing include
an intent requirement, so that spoofing is only prohibited where it
is clear that the person who does not provide identifying information
intends to cause harm. By adding a requirement that an offender act
"with the intent to defraud or harass" the call recipient, we believe
that H.R. 5126 may provide a tool to protect the privacy of both
callers and call recipients. We also have concerns about the
provision that permits law enforcement agencies to possibly
misrepresent their identities in the context of telecommunications
services.
Telephone Customers Have Legitimate Reasons to Withhold Their Phone
Numbers
The introduction of caller ID services and the associated
Automatic Number Identification (ANI) created new risks to privacy.
Before these services were offered, telephone customers generally
had the ability to control the circumstances under which their phone
numbers were disclosed to others. In many cases, there was little
need for a telephone customer to disclose a personal phone number
if, for example, a person was calling a business to inquire about
the cost or availability of a product or wanted information from a
government agency. In other cases, there was a genuine concern that
a person's safety might be at risk. For example, women at shelters who
were trying to reach their children were very concerned that an
abusive spouse not be able to find their location.
The state public utility commissions, the FCC, and the
Congress all worked to establish safeguards so that individuals would
have some ability to limit the disclosure of their telephone numbers
either by means of per-call blocking or per-line blocking. As a
general matter, privacy advocates favored per-line blocking for all
residential telephone customers because we did not see the benefit in
requiring individuals to disclose their phone numbers and we objected
to the cost that customers were asked to pay to obtain per-line
blocking services.
In the context of the Internet and the offering of voice
services over Internet Protocol (VOIP), there are additional concerns
about the circumstances under which a person may be required to
disclose their identity. The Supreme Court has already made clear
that the Internet is entitled to a high level of First Amendment
protection.1 Anonymous speech is a central facet of the free
speech guaranteed by the First Amendment. Without it, speakers with
minority opinions are subject to the tyranny of the majority. The
Supreme Court has recognized the importance of protecting anonymous
speech in a series of cases, including Watchtower Bible & Tract
Society v. Village of Stratton,2 McIntyre v. Ohio Elections
Commission,3 and Talley v. California.4 In each of these cases, the
Supreme Court recognized that, to protect speech, anonymous speech
needed to be protected. A speaker's decision to remain anonymous, the
Court said in McIntyre, "like other decisions concerning omissions or
additions to the content of a publication, is an aspect of the
freedom of speech protected by the First Amendment.5
Caller ID Blocking Does Not Adequately Protect Privacy Interests
In order to protect telephone users' right to speak anonymously
in the face of caller ID, caller ID blocking services were offered. By
going through the extra step of dialing *67 before making a call, or by
paying for permanent blocking, a user can prevent his or her number
from being disclosed to the call recipient.
Despite some of the drawbacks to this system (having to pay
for permanent privacy, for instance), caller ID blocking may seem
like a viable means for allowing callers to protect their anonymity
while not misleading recipients. However, caller ID blocking is not a
complete solution. One reason for this is that caller ID is not the
only way that a caller can be identified. Another system, known as
Automatic Number Identification, or ANI, will still disclose a caller's
identity in many situations, regardless of whether or not the caller
used call blocking. This means that many businesses, emergency service
providers, and anyone with a toll-free number can reliably gain the
phone number of a caller, even if caller ID is blocked. Spoofing
services can protect the anonymity of a caller's ANI data when calling
toll-free numbers and those entities that use ANI identification.
Another problem with requiring callers to disclose the number
they call from is that many individuals to protect the have legitimate
reasons to report a different number than the one presented on caller
ID. For example, a person may well wish to keep her direct line
private when making calls from within an organization. Such an
arrangement legitimately gives call recipients a number to which they
can return a call, but prevents an individual person's phone from being
inundated with calls that should be routed elsewhere.
Spoofing Can Create Privacy Risks
This is not to say that caller ID spoofing is an unqualified
good--far from it. Earlier this year, EPIC brought to Congress's
attention the problem of pretexting consumers' phone records.6
Pretexting is a technique by which a bad actor can obtain an
individual's personal information by impersonating a trusted entity.
For instance, pretexters would obtain individuals' phone records by
calling phone companies and pretending to be the individuals
themselves. This tactic of fraud can be used in other situations as
well, such as obtaining an individual's Social Security number by
pretending to be the individual's bank or insurance company.
Understandably, caller ID spoofing is an important weapon in
a pretexter's arsenal. Rob Douglas of PrivacyToday.com, with whom
EPIC has worked on the pretexting issue, noted how fraudsters would
use spoofing services in order to fool customers into thinking that
fraudulent calls were coming from trusted sources.7
Nor can we ignore the privacy interests of those who decline
to accept calls from unknown numbers. If an individual has been
habitually harassed by calls from a caller-ID blocked number, we
should not permit the harasser to use spoofing as a means to
circumvent the individual's screening. At the same time, it is clear
that there could be prosecution for harassment whether or not
additional prohibition on spoofing were enacted.8
Intent Requirement
Just as we cannot assume that all those who draw their
curtains have something to hide, we cannot assume that every caller
who spoofs their number is a bad actor. Callers from within a company
might want to keep their direct lines private. Law enforcement
informants and whistleblowers who call a toll-free tip line have
good reason for keeping their calling information private.
What distinguishes these legitimate uses of spoofing from a
pretexter pretending to be a bank in order to get account
information, or a cyberstalker spoofing in order to harass his
victim, is the intent behind the spoofing. However, as it currently
stands, H.R. 5126 does not draw a distinction between these intents.
We believe that the insertion of a phrase--"with the intent
to defraud or harass"--into Section 2(e)(1) of the bill will preserve
the privacy rights of callers while outlawing fraud and harassment
assisted by the technology.
Significance of NSA Surveillance Program for Privacy of Call Records
Mr. Chairman, it is difficult to comment on the legislation
before the Subcommittee today without also noting the recent
revelation that the National Security Agency may have constructed a
massive database of telephone toll records of American consumers.
Yesterday, EPIC filed a complaint with the Federal
Communications Commission in which we alleged that section 222 of the
Communications Act, which protects the privacy of customer record
information, may have been violated. We urged the Commission to
undertake an investigation of this issue.
Given the very real possibility that the telephone numbers
of American consumers may have been improperly disclosed by the
telephone companies to the National Security Agency without legal
authority there is the obvious consideration that some telephone
customers may choose to take advantage of "spoofing" services to
protect their privacy against unlawful surveillance.
Clearly, the issues raised by the NSA program include some
matters that are not typically considered by this Subcommittee. But
we would urge Members to support EPIC's recommendation that the
FCC undertake an investigation of the possibly improper disclosure.
If the Communications Act was violated, that should be of concern.
And it would seem doubly unfair for the Committee to push
forward legislation that would prevent telephone customers from
protecting the privacy of their phone numbers at the same time
questions have been raised about whether phone records are subject
to unlawful searches.
Conclusion
Spoofing caller ID numbers can create a real risk to
individuals who might be defrauded by bad actors. However,
protecting callers' privacy rights, means that any ban on spoofing
take into account the intent of the caller. By prohibiting spoofing
with an intent to defraud or mislead the call recipient, the Truth
in Caller ID Act would be significantly improved. I will be happy
to answer any questions you might have at this time.
MR. UPTON. Well, thank you. Thank you again for your travel
from the West Coast and Texas as well. I have a couple of questions
and we will proceed on our 5 minutes and rotate among Members here.
Mr. Navin, a couple questions for you. Has the FCC actually gotten
complaints from folks with regard to "spoofing"? And if so, how
many? Has it come to your attention?
MR. NAVIN. I have consulted with our Consumer and
Governmental Affairs Bureau and they indicate that they have
received approximately 20 complaints--20 more formal complaints on
this and perhaps five times that number of inquiries with regard to
caller ID "spoofing" in general.
MR. UPTON. And you know, when we passed the Do Not Call List
a couple years ago now, and of course the FTC is where we call to get
on that list. I do not know if you tried with your counterparts at
the FTC as it relates to this at all--maybe we should have asked the
Chair when she was here the other day about that issue. Do you know
if there has been any communication between the FCC and the FTC in
terms of complaints that might have gone to them?
MR. NAVIN. I understand that our enforcement bureau has
reached out to the folks at the FTC. I do not know the answer to
your specific question about whether they are doing any investigations
themselves. But I know that they are fully aware of our activities in
terms of the companies that we have contacted and our efforts to gather
more information about this problem. But I cannot speak to what the
FTC is actually doing.
MR. UPTON. I would think that if this legislation were to
become law tomorrow these companies that are offering their services to
"spoof" would likely go out of business like that. Would you suspect
that that is the case?
MR. NAVIN. I really could not make a prediction on that. I
think that to the extent that they are offering this service to mislead
or defraud the customer, I think that they very well may be captured by
the legislation. As I understand it, there has also been some debate
about adding an intent requirement, and that could certainly play a
role in the Commission's ability to enforce the legislation. So I
could not say for sure that everyone would go out of business.
MR. UPTON. Okay. I really view this as someone coming to
your door. I mean, I like caller ID. Got it on my phones, and I
know who it is. It is going to be for my son or it is going to be
for my daughter. It is going to be for my wife, me, or whoever it
is. And it is very much like someone knocks on your door. Often
you look out the little window or--figure out who it is that is
coming in. And I do not know if the FCC--have you all ever thought
about--do you think that you have the actual rule-making ability to
do this without legislation or do you really need legislation to try
and prevent "spoofing" from occurring?
MR. NAVIN. Certainly one of the challenges for the
Commission as communications have migrated to Internet-based
platforms has been the nature of the investigative targets. The
Commission finds itself calling on companies that have not
traditionally been regulated by the Commission because they are not
license holders or entities that have been typically or historically
regulated by the Commission. So I think that there is some concern.
There is always some concern on the part of the Commission relating
to its enforcement authority in the Internet context. And I think
that the Commission would be particularly concerned about any
restrictive definitions in the legislation as it relates to VoIP
service providers. I think that a restrictive definition in this
context may have unintended consequences for the Commission in other
contexts, including the public safety context and the law enforcement
context.
MR. UPTON. Thank you. Mr. Engel?
MR. ENGEL. Thank you, Mr. Chairman.
Mr. Navin, do you think the authority needs or are there
things we could possibly add that you think would be helpful?
MR. NAVIN. I would repeat my comment about the definition of
VoIP service providers in this bill. The definition of VoIP service
providers in this bill would seem to limit the Commission's flexibility
to expand the definition to include one-way services, for example, or
services that are not offered for a fee. I know that the Department of
Justice recently filed with the Commission in another docket--in the
CALEA docket--its concerns about any definition of VoIP providers that
is restrictive because of the substitution that is going on between
communication services today.
MR. ENGEL. Thank you. Ms. Pies, I see in your testimony you
mentioned you think people would ignore the phone to continue watching
C-SPAN. So my question to you is have you been talking to my mother in
Florida? Because she is the only one I know who does that.
MS. PIES. Actually, my father watches C-SPAN all the time
and calls me and asks why I have not testified yet, so here I am.
MR. ENGEL. Well, when I come home my wife says--she sees me
turning on C-SPAN and she says to me after doing this all day, you come
home and turn on C-SPAN. You have got to be kidding. But today is my
anniversary and I have been married 26 years, so something has been
working. I do not know. Sir, thank you.
MR. UPTON. She is watching right now.
MR. ENGEL. That is why, you see? Now where are the C-SPAN
cameras?
MS. PIES. That is a nice gift. Congratulations.
MR. ENGEL. Thanks. Seriously, though. I want to commend
the VoIP providers. It is an exciting technology. And many
thousands of my constituents have started using Cablevision's
Optimum Voice Service. But I understand that there is no standard
for VoIP providers when it comes to caller ID. So I want to ask you.
Do most programs let someone manually enter any caller ID information
they want?
MS. PIES. I can't speak for most VoIP services. I do know
that a number of residential services that are designed essentially
to replace your plain old telephone service only permit the user to
have the numbers that are assigned to them. So for instance, if I
could select one number or if I can select five, those are my five
numbers and I can use any of them. They are my numbers. Some
services that again may be unlawful or illegitimate may not stop
that, but I do not actually have knowledge of who those providers
might be, if that happens at all.
MR. ENGEL. Thank you. Is the VoIP industry working toward
a standard for how to handle this so that it would be uniform?
MS. PIES. That is an interesting question. There are a lot
of different standards that are used to transmit calls that originate
to IP. In many instances, IP-originated calls do not have a standard
telephone number associated with them. And in those instances, there
are no standards but international requirements that the provider can
use a different code to transmit. And that code is, I believe,
000123456. Because VoIP calls do not have the same tie to geography
that plain old telephone calls have, the phone number is in many
instances irrelevant. And so rather than retrofitting our networks
to add a phone number that has no meaning, providers often do not
engage in any change or manipulation at all.
MR. ENGEL. Thank you. Mr. James, if you could see one thing
added, removed, or changed in this bill, what would it be?
MR. JAMES. I would honestly focus on the intent behind the
bill. And the reason I say this is because if you look at other
crimes that exist on the Internet such as SPAM or phishing--the
techniques that are used for phishing are very common. An example
as layman as possible, I will try to be--you can mirror a website.
You can set up a "spoofed" email. You can then send out the mass
mailing. If you look at all three of those techniques specifically,
all three of those are legal when they are used legitimately. You
can mirror a website. There is nothing wrong with that. You can
"spoof" your email if you are showing someone a demonstration.
People do it all the time when they change their identity on their
email from multiple mail accounts. They literally are just changing
their email address, but it is going through a different mail server.
And on the third one, you can do the same mass mailing with bulk mail
campaigns for marketing that have opt-in lists and all these such
things. So there are mainly two things that I would focus on.
I agree with Mr. Navin on the VoIP definition needs to be broadened.
And the reason why are we have to also look at successors to VoIP in
the sense of--smart homes is a good example. Not all of them are
two-way. What if you are doing a home alert safety system for your
grandmother and you want to just use VoIP to do the intercom system
over the Internet and say are you okay? That is a one-way system.
So VoIP could still be utilized in that and that is one-way. So I
think that we should open that expansion a little bit. I would
recommend going to the U.S. Patent Office, looking up if the
definitions of VoIP are defined there, and start maybe using those
types of techniques there.
Another thing that I would see to expand on the bill possibly is,
agreeing with Mr. Rotenberg on the legitimacy and the illegitimacy
concepts. The reason why is--one of the things that I think that
might want to be added to the clause of illegitimate activity is
that teeth need to be added to this bill. And what I mean by that
is that technology should be in place in telecom providers to help
detect illegitimate activity so that you can actually enforce this.
Because caller ID "spoofing" is essentially anonymous in many cases
and it becomes very difficult to track down.
MR. ENGEL. If you would just indulge me, Mr. Chairman, I
would like to ask Mr. Rotenberg the same question. I know you
mentioned it in your testimony. But if you want to add anything, if
you could see one thing added, removed, or changed in the bill, what
\would it be?
MR. ROTENBERG. Mr. Engel, I think adding the intent
requirement is the key addition. And what that effectively does
would be to distinguish between the people who are "spoofing" with
mal intent and the people who are "spoofing" with a legitimate
business purpose or privacy interest. I think virtually all of the
witnesses have made a similar point, so I hope it is a change that
the Subcommittee would make.
MR. ENGEL. All right. Well, thank you. Mr. Navin, do you
want to add anything? I know we talked about the FCC but is there
anything else that you would want to add about the bill? If you
could see one thing added, removed, or changed, what would it be?
MR. NAVIN. I would emphasize that the Commission will take
all steps that it can possibly take to implement the legislation
however Congress determines to pass it, but I think it is important
that the definition of VoIP services in the bill does not
necessarily restrict the Commission's authority as it relates to
solving this problem as well as other problems that the Commission
faces, including 911 and law enforcement. Thank you.
MR. ENGEL. Thank you. Thank you, Mr. Chairman.
MR. UPTON. Mr. Terry?
MR. TERRY. Thank you, Mr. Chairman. I will go back to my
opening statement. I guess the specific question as the bill is
written now, under this assumption a tele-services company has a
contract with XYZ Corporation to do outbound calls trying to get them
to subscribe to more credit card services, let us say, for example.
And the telemarketing service is located in Omaha, Nebraska. The
client is located in New York City and uses the general number for
their client as the caller ID number. So the intent is to use a
different number, but one of their client. Mr. Navin, and then I
will go down the panel, so we have the intent to use a different
phone number. Is that conduct "spoofing" under this bill? And
then after that, should it be or should it not be "spoofing"?
MR. NAVIN. As I understand it, the focus of the bill is
misleading or inaccurate caller ID information. Based upon the
Commission's existing rules that the Commission adopted in 2003,
in the Do Not Call proceeding, it does not seem to me that the
hypothetical that you gave would fall within the definition of
inaccurate or misleading information. Indeed, under the
Commission's rules, any person or entity that engages in
telemarketing must transmit caller ID information. Any person or
entity that engages in telemarketing is prohibited from blocking
the transmission of caller ID information. The telemarketers may,
however, substitute for the name and phone number used or billed
for making the call the name of the seller on behalf of which the
telemarketing call is placed and the seller's customer service
telephone number. So according to the Commission's existing rules,
which I think were designed to get at the issue of inaccurate or
misleading information, I do not think that your hypothetical
creates a problem.
MR. TERRY. All right. So there is nothing in this bill
that would then, in essence, create an issue of trumping your
regulatory language?
MR. NAVIN. I do not believe so. Certainly if necessary
you could specifically make reference to the Commission's rules and
preserve the Commission's existing rules in this regard to ensure that
telemarketers are not captured by this legislation.
MR. TERRY. All right. The other three, I will ask it in a
different way. And that is just is that a legitimate business
practice for a telemarketer to use the caller ID number of their
client instead of it having to come up XYZ Telemarketing? I will
just let you go down whether that is acceptable or whether that is
fraudulent.
MS. PIES. Not only is it acceptable, and as Mr. Navin
mentioned, required by the FCC rules, it is an enabling feature of
VoIP technology. As you know, it is not just in the telemarketing
business, but it allows jobs to be in-sourced to rural areas, to
people who may not be able to get out to a call center. They can
actually work from home. Rather than their home number showing up,
it would be a central phone number that shows up. So it is actually
a very important feature. I am not sure that the legislation as it
is drafted today actually gets at allowing it. Probably if you went
back and included intent language, as we have discussed, that would
be very helpful.
MR. JAMES. The answer to this is it is definitely applicable
in marketing, whether it is telemarketing or some other. And I will
give an example of that. Two days ago, I saw a Bank of America email
talking about their partnership with eHealth Insurance. It was sent
by a third party but it said it was from Bank of America. But if you
go through the mail headers, it is not really sent from Bank of
America's system. It is actually sent from their marketing third
party vendor. So in a case such as this, yes, there is a very
legitimate use, and I think that I am agreeing with virtually everybody
as well on this panel that "legitimate" needs to be defined. If you
look at the bill today, it technically could surpass because one would
argue misleading. Well, we are not misleading. We are calling on
behalf of our client, and technically that falls under this bill that
says, we are not misleading anything, but I would want to clarify that
further along so that we are not even having to go to a hearing about
it and debating the issue or going to court on this issue, so that it
is more defined.
MR. ROTENBERG. Mr. Terry, I actually disagree with Mr. Navin's
assessment about how the language would be interpreted in this bill.
He is referring to earlier legislation and rulemaking that was
explicitly enabled by that statute for the FCC to develop regulations
and to interpret terms. This bill which is before your subcommittee
is, first of all, more recent in time. Secondly, it doesn't
incorporate the earlier definitions. And third, it creates no
rulemaking authority for the FCC to do so. And, at first impression,
if a court looks at the language of this statute, this statute
prohibits making a call in which misleading or inaccurate caller
identification information is provided. I think those words are fairly
straightforward. So in the absence of similar authority for the FCC to
conduct a rulemaking and interpret those terms, I think it would not
provide protection for the type of tele-services you have described.
And I think the better approach would, in fact, be to create an
explicit intent requirement that would protect businesses that are
not engaging in fraudulent or harassing activity.
MR. TERRY. Very good, thank you.
MR. UPTON. Mr. Inslee?
MR. INSLEE. Thank you. Mr. Rotenberg, just briefly on the
issue of surveillance. You indicated that it would be a good idea
for Members of Congress to weigh in on this. What would you suggest
about a strategy in that regard?
MR. ROTENBERG. Well, Mr. Inslee, we would very much appreciate
support from the subcommittee members, certainly of both parties,
encouraging Chairman Martin to open an investigation as to whether
Section 222 was violated. You know that earlier this year, hearings
were held on the question of pre-texting, which is the way in which
people's personal telephone numbers became available for sale on the
Internet, and a lot of good work was done in this committee, and
Chairman Martin testified about the importance of protecting the
privacy of those records. Very similar issues, but of course on a
much larger scope, have arisen now in the context of the domestic
surveillance program, and we hope that Chairman Martin will be
encouraged to pursue this investigation.
MR. INSLEE. I will join others in doing that. Just so you
know, I will be bringing in an amendment--a little bit related issue
on the Defense Department Appropriations Bill that will prohibit the
expenditure of taxpayer money for electronic surveillance that does
not comply with the FISA law. So we will be having a debate on the
House floor here in a few weeks.
MR. ROTENBERG. Thank you.
MR. UPTON. Mr. Engel, do you have additional questions?
MR. ENGEL. Well, I have just one kind of light-hearted
question. I understand that our computer engineers are working on
what is called Internet-2. I really, to tell you the truth, don't
know a lot about it, but I believe it is supposed to be an upgrade,
like going from Windows ?98 to XP, and I am sure we will be holding
hearings on it. My question is to anybody. Do any of you know if
Internet-2 will help this situation that we are talking about it
today, or possibly make it worse? Mr. James.
MR. JAMES. If I may? I don't think that--Internet-2 is
technically a medium for communication. I was kind of thinking about
when I was going through this bill about, one of the reasons why I
agree with Mr. Navin about expanding is we could get into a predecessor
scenario of VoIP working on an IPX protocol instead of the standard
internet TCP/IP protocol, and that would basically not be covered by
this bill because it specifically says TCP/IP. And I was actually
thinking if Internet-2 is one of the examples, what happens there?
Is it going to be using the same protocol? Will it be defined in
this bill? I don't think that Internet-2 is going to necessarily
secure the techniques against caller ID "spoofing", because the
problem is at a protocol layer of the actual VoIP--without getting
technical, it is basically a session initiation protocol. It is
basically this specific protocol, and that is where the weakness
lies. It doesn't really matter what it communicates on. If
Internet-2 does buy into, like, cryptographic communication per
every communication it ever makes, an authentication on every little
communication your computer may make, and so it does accountability
and auditing trails and all this. There is a very good chance that
we could stem it down because of the fact that we could track the
activity itself. But, unless it does something like that, which I
don't believe it does at this time, it is not going to be much more
effective.
MR. ENGEL. Thank you. If we have hearings about it, we should
call you back again. Anybody else?
MS. PIES. Mr. Engel, I just wanted to mention that the
committee or subcommittee should approach the definition and what it
encompasses cautiously. Certainly, Congress should want to ensure
that any legislation enables new technology and the new features that
are so important for both residential users and businesses rather than
stifling the technology. And the concern that the VoIP industry has is
not, certainly, any desire to get out of obligations or to ensure the
safety and security of our Nation, but it is that we won't be able to
continue to make the investments that will bring these transformative
technologies to consumers. And so it is not a specific request, but
just sort of a word of caution.
MR. ENGEL. Well, thank you. I appreciate that. Thank you, Mr.
Chairman.
MR. UPTON. Thank you, again, for your leadership on this issue.
Mr. Navin, I have one last question, and that is if we were to add the
clause or intent to defraud as part of this legislation standard to the
bill, how would that affect your efforts to enforce the law?
MR. NAVIN. I think that, from the Commission's vantage
point, any time you add an intent standard, it puts an additional
evidentiary burden on the Commission in its enforcement process, so I
think it would make it more difficult to enforce. The Commission would
certainly take all steps necessary to enforce the law, but I think it
would indeed make it more difficult.
MR. UPTON. And, with that, I will yield to my friend, Mr.
Markey--
MR. MARKEY. Thank you.
MR. UPTON. --in the nick of time.
MR. MARKEY. Thank you so much. Mr. Navin, is it? Navin. In
your testimony, you note that the Commission addressed caller ID on the
public switch telecom network in 1995, with a rule which requires all
carriers using Signaling Systems 7 to transmit the calling party number
associated with an interstate call to interconnecting carriers. Did
the recently granted Verizon forbearance petition remove this
requirement for Verizon?
MR. NAVIN. The Verizon forbearance petition sought flexibility
from certain common carrier regulations. I don't specifically recall
whether they enumerated this regulation in their petition.
The Commission did not deny that petition within the statutorily
defined period of time and, according to the statute, if the
Commission fails to take action, the petition is deemed granted.
So I don't know whether they specifically enumerated this regulation
in their petition.
MR. MARKEY. So they did not grant forbearance from all of
Title II, is that what you are saying?
MR. NAVIN. My recollection is that there were certain
obligations that Verizon carved out of its application, and I know,
for example, in an ex parte in the beginning of February, they made
it plain to the Commission that their petition did not include asking
the Commission to remove the Section 254 obligation, which is the
universal service obligation. I also know that in one of those ex
partes, they restricted the scope of the petition to exclude certain
special access services that they are providing today. So I don't know
if they specifically excluded-- MR. MARKEY. You don't know.
MR. NAVIN. --this.
MR. MARKEY. Okay. Did they list Section 222, the CPNI section?
MR. NAVIN. In the original petition, they asked for relief from
all common carrier regulation. Section 222 is within the body of law
under Title II of the Act, so I think it is certainly arguable that
they included, or intended to include, this within the scope of the
petition to the extent that they were seeking to get out from Title II.
MR. MARKEY. Okay. So many of us are concerned about
allegations that carriers circumvented the Section 222 Customer Privacy
rules and gave calling data to the NSA. And yet the FCC recently granted
Verizon the right to avoid these rules, and many others, when it granted
through inaction the Verizon forbearance petition. Mr. Rotenberg,
could you comment on that?
MR. ROTENBERG. Well, Mr. Markey, we are honestly concerned if
the telephone companies are trying to get out from under the Section
222 obligations, particularly, as you note, in light of the recent
allegations. We are not familiar with the Verizon forbearance
petition, but I will point out that this provision of the
Communications Act traces its routes, actually, to the original
passage, back in 1934, when telephone companies were asked to ensure
that the privacy of their customers would be protected. So obviously
this would be of great concern.
MR. MARKEY. Okay. Mr. Navin, when do you expect to
complete the Notice of Proposed Rulemaking on CPNI?
MR. NAVIN. I believe that we have received comments in that
proceeding, but we have not yet received reply comments. I think that
we would wait until the record closed before we began the process of
presenting options to the commissioners. I think that the reply comment
period closes either later this month or early in June, so I think that
we will begin to brief the commissioners and present options to them
some time thereafter.
MR. MARKEY. Okay. And I would ask you just, Mr. Rotenberg,
if you could, just tell me--if you could just summarize the one thing
you want us to remember about the issue that we are dealing with in the
hearing today?
MR. ROTENBERG. Well, Mr. Markey, on the legislation before the
committee, we feel very strongly that an intent requirement needs to be
added to distinguish between legitimate and illegitimate uses for caller
ID "spoofing". And as for the other issue you raised, we very much
support the effort to encourage Chairman Martin to conduct an
investigation to Section 222 and the allegation that information was
improperly disclosed.
MR. MARKEY. Thank you. Well, I have asked the Chairman of
the--I have asked Chairman Martin to give us information as to what
exactly has taken place in the relationship between the telephone
companies and the NSA so that we can have more information to
determine whether or not any privacy laws have been violated, or any
other laws that have pass by this Committee that may have been
violated. So I thank you, Mr. Chairman, for this lively and
entertaining-- MR. UPTON. I didn't see a Starbucks cup there.
MR. MARKEY. --and--which probably means I am not really
awake, even if I am sitting here, at this point. But I thank you
for the hearing, Mr. Chairman.
MR. UPTON. Thank you all for being here. I appreciate
your testimony. I would say that it is my understanding that it
is likely that we will move to a markup relatively soon on this
bill before the full committee, and I appreciate your input and
your thoughts, and we look forward to continuing on a bipartisan
path. With that, we are adjourned.
[Whereupon, at 10:19 a.m., the subcommittee was adjourned.]
SUBMISSION FOR THE RECORD BY DAVID SLOANE, SR. MANAGING DIRECTOR, GOVERNMENT RELATIONS AND ADVOCACY, AARP
1 ACLU v. Reno, 521 U.S. 844 (1997).
2 536 U.S. 150 (2002).
3 514 U.S. 334 (1995).
4 362 U.S. 60 (1960).
5 McIntyre, 536 U.S. at 342.
6 Protecting Consumers' Phone Records: Before the Subcomm. on Consumer
Affairs, Product Safety, and Insurance of the S. Comm. on Commerce,
Science, and Transportation, 109th Cong. (2006) (statement of Marc
Rotenberg, President and Executive Director, Electronic Privacy
Information Center) http://www.epic.org/privacy/iei/
sencomtest2806.html; Phone Records for Sale: Why Aren't Phone
Records Safe From Pretexting?: Before the H. Comm. on Energy and
Commerce, 109th Cong. (2006) (statement of Marc Rotenberg, President
and Executive Director, Electronic Privacy Information Center)
http://www.epic.org/privacy/iei/pretext_testimony.pdf.
7 Phone Records for Sale: Why Aren't Phone Records Safe From
Pretexting?: Before the H. Comm. on Energy and Commerce, 109th Cong.
(2006) (statement of Robert Douglas, CEO, PrivacyToday.com)
http://www.privacytoday.com/HC020106.htm.
8 See 47 U.S.C. � 223; 47 U.S.C. � 227. 41 (1)
�