Florida Attorney General Charlie Crist issued last week subpoenas targeting five different Caller ID spoofing sites. Four of the subpoenas are directed at the domain name registrars in an effort to unmask the identities of the site operators, while the fifth one is directed at one such site operator, Tricktel.com, with demand to reveal business records and the identifies of any Florida customers.

"People use Caller ID to protect themselves from unwanted calls and contact from those who would do them harm," Crist said in a press release. "It is wrong for individuals or businesses to deceive our citizens, and this cannot be allowed to continue unchecked."

In the interest of disclosure, Florida AG Crist is also the Republican candidate for governor of Florida.

Federal Investigation

Florida’s probe comes after a broader federal investigation was launched by the FCC a month earlier. The FCC issued letters to at least three Caller ID spoofing sites demanding detailed information on the structure of their business and the names of every customer that has used the services, the dates, and number of phone calls made. Wired News has reported that at least one of those services, Telespoof.com, has complied and turned over its customer records to the FCC after FCC had issued a formal subpoena.

Privacy and Legal Implications

The debate on the legality of these sites is raging. Lawyers for the Caller ID spoofing services claim that they are primarily used for lawful aims. "We’re talking about private investigators, skip tracers, law enforcement agencies, attorneys, others who are legitimately trying to locate people to enforce their rights or in many cases the rights of the public, There are lots of legitimate uses of this." Also, Chris Hoofnagle, an attorney with the Electronic Privacy Information Center, says he thinks Caller ID spoofing has legitimate uses, and would rather see fraudsters prosecuted for their crimes than have spoofing sites categorized as burglar tools. Mr. Hoofnagle argues that the right thing to do is to prosecute the underlying fraud, and not the tools that have legitimate uses (e.g. calling a police tip line, or a newspaper story.)

On the other hand, it has been reported that criminals have used the sites while making pretext phone calls to extract private information like bank account and SSNs out of consumers and companies. Experts say the services have also been used to target businesses that rely on Caller ID for authentication — Western Union’s money-transfer service has been particularly vulnerable, as are T-Mobile voicemail boxes in their default configuration.

A groundbreaking case in the area of Internet crimes came down last week from the Ninth Circuit Court of Appeals. The question presented to the court was whether a suspect’s membership to a website that displays child pornography provides a probable cause to search/seize his computer.

Mr. Gourde was a paying member of a child pornography website for a total of two months before it was shut down by the FBI. The site had in its possession illegal images and after the FBI obtained a list of all site members, agents applied for search warrants for the computers of the members. Months after the site had been shut down, agents found over 100 illegal child pornography images in Gourde’s computer. He was charged with, among other things, with possession of child pornography under 18 U.S.C. §§ 2252(a)(4)(B), (b)(2), and 2256.

Gourde moved to suppress the images, claiming that the FBI did not have a probable cause to search his computer. The district court disagreed; Gourde pleaded guilty, but reserved his right to appeal. A three-judge panel of the Ninth Circuit reversed in 2004. In rehearing the case en banc, the Ninth Circuit reversed its earlier ruling by a 9-2 vote. In an opinion authored by Judge McKeown, the Court held three factors critical to the correct determination that there was a probable cause. First, even though the site contained legal images, it was focused on illegal child pornography. Second, it was significant that Gourde remained a paid subscriber for two months and until the site was shut down by the FBI. Third, due to the nature of computers and because it is impossible (for average user, at least) to permanently delete an image from a computer, there was a likelihood that there would be evidence left on Gourde’s computer.

While at the end of this case justice prevailed, this case bears a hint of a slippery slope. It is not hard to conceive a scenario in which law enforcement could obtain warrant solely based on a user’s membership of a site which has some sort of illegal content. In an extreme example, someone posting child pornography images to eBay, for instance, could give a probable cause to search millions of users’ computers because they might have downloaded some of this content. As the dissents point out, the government could have easily obtained evidence about whether Gourde had in fact downloaded illegal images before applying for a warrant (Judge Reinhardt; presumably he meant feds checking the server logs to establish who downloaded what).

U.S. v. Gourde, 03-30262 (9th Cir., Mar. 9, 2006)

A law criminalizing fraudulent acquiring and reselling phone records is pending in Congress.

Anyone who "fraudulently" acquires and resells records of calls made by a telephone subscriber could face fines of up to $500,000 and prison sentences of up to 20 years, under a bill proposed Wednesday in the U.S. House of Representatives.

In light of increased congressional scrutiny of firms reselling phone records, lawsuits by phone companies, and outraged public, the proposed law, dubbed "Law Enforcement and Privacy Act of 2006" has been proposed by five republican and four democrats from the House Judiciary Committee.

[Via CNET News.com, CA -]

 Next entries »