Pretexting all too often an invasion of privacy

When the Hollywood gumshoes do it, it's considered good detective work.

When a real private investigator's consultant, who happens to have been hired by Hewlett-Packard's chairwoman, does it - as was revealed last week - it's considered a possible career-ender and maybe even illegal.


It's called pretexting and is broadly defined as getting personal information under false pretenses. It's hardly new, whether it takes place in boardrooms or beyond. But in these days of increasing privacy concerns and cyber-based identity theft, lawmakers and businesses are cracking down on those who would pretend to be someone else to get private details, such as account information or Social Security numbers.

Still, to many, it's a tried-and-true investigative method that's been put to use by everyone from television PI's to the police.


Jim Rockford of the 1970s Rockford Files, for example, used to carry a printing press in his car to whip up phony business cards. Undercover detectives frequently fake their identities to find bad guys. And in Towson, investigators for Victor Aulestia's firm will fudge facts to score information about everyone from insurance defrauders to cheating spouses.

"It's just amazing how people will throw information at you without verifying further what you're doing or where you're from," said Aulestia, who directs the investigative division of Absolute Investigative Services Inc.

That same vulnerability has caused thousands to be cheated out of their account information and life savings from scam artists, however. And in some stalker cases, it's even led to death. Such dangers have spurred a spate of recent laws meant to prevent people from using fraudulence to obtain private records.

A 1999 federal law makes it illegal to use deception to obtain financial information. And Congress is considering a bill that would make such methods illegal when obtaining phone records, similar to legislation already in place in several states.

Such a law, passed during this year's legislative session, takes effect in Maryland Oct. 1.

"The bill that passed only dealt with telephone records because that's where the issue has been previously," said Steve Sakamoto-Wengel, a Maryland assistant attorney general in the consumer protection division.

But, he added, "I would have concerns about obtaining any kind of information based on false information. ... Nobody should be posing as somebody else to be getting personal information."

A filing Wednesday with the U.S. Securities and Exchange Commission showed that detectives hired by Hewlett-Packard's chairwoman, Patricia Dunn, had used the technique to obtain phone records.


According to the Associated Press, Dunn has said she initiated the investigation to determine who had been leaking company details to news reporters, which was considered an "egregious breach" of company standards. She also said she would resign her position if asked. The records of some board members and news reporters were accessed, according to the Wall Street Journal.

Pretexting has been around as long as there have been nosy neighbors. But it's received more attention during the past few years as cellular phone companies and others have filed court cases against those who try to deceitfully access telephone records.

During the past few months, the Federal Trade Commission has also sued five Internet operations for selling phone records to alleged pretexters, though the agency hasn't fully defined what types of pretexting are illegal or acceptable, if any.

"The only type of pretexting that's specifically banned by federal law is for financial information," said Joel Winston, the FTC's associate director of the division of privacy and identity protection, which has oversight responsibility for prosecuting illegal pretexters.

But his agency has been using the Federal Trade Commission Act, which prohibits deceptive or unfair trade practices, to legally address other forms of pretexting that have consumer angles, such as companies selling access to sensitive information, the release of which, Winston said, "could cause serious harm to consumers."

Phone records have been accessed to reveal undercover law enforcement operations, Winston said, and could "facilitate stalking or other predatory behavior."


One case often cited involves a New Hampshire woman and Florida data company, Docusearch. In 1999, that business obtained the work address of Amy Boyer by calling her at home under false pretenses and then sold the information to Liam Youens, who tracked her down and killed her. In 2003, the New Hampshire Supreme Court ruled that could be held liable for its actions.

"Arguably there are times when the use of pretext would be both appropriate and lawful," said Robert Douglas, a security consultant in Colorado and former private investigator who testified in the Docusearch case. "There are a number of Supreme Court decisions that say that law enforcement can lie as part of an investigation. It's a little bit murkier with private investigators or what are being called 'information brokers.'"

Douglas, a Baltimore native, spent 20 years working as a PI and routinely bought personal records from companies selling the data, until he realized many were using illegal tactics to get them. He testified before Congress on the issue in 1998, which he says led to the passage of the federal law prohibiting people from lying to get financial information.

He also led a sting in 2001 that caught Baltimore information broker David J. Kacala allegedly using fraudulent means to access bank records, according to an FTC complaint. In May, Kacala was again sued by the FTC, but this time for selling phone records.

Douglas said he is working with the U.S. Senate to draft a bill that would broadly outlaw the use of pretexting to obtain consumer records, replacing the "piecemeal" efforts to protect individual categories of information, such as financial data and phone records.

That would still allow investigators some sneakiness in the way they go about gathering information.


At Towson's Absolute Investigative Services Inc., for example, investigators could still tell people they are investigating a car accident, when really they're trying to locate a worker who's lying about being injured.

In general, the rule is that lying is OK to get basic location information, as long as the liars don't pretend to be from a real company or represent a real person, experts said.

"You pretty much have to make up something," investigative director Aulestia said.

Even justifiable pretexting, like that used to track down a missing child, makes Beth Givens nervous.

"I think it's very easy to go over the line," said Givens, who is the director of the Privacy Rights Clearinghouse, a San Diego consumer advocacy organization.

She's called on companies to better train their workers to recognize a pretexter who might be illegally fishing for information. But even so, she knows it will be a tough battle.


Said Givens: "It's very hard for someone to realize they're being duped."

Protect yourself from pretexting

Don't give out personal information over the telephone, Internet or through the mail unless you know the recipient.

Ask your financial institutions about their policies to prevent pretexting.

Pay attention to your billing cycles and notify companies if your banking statements or bills don't arrive on time. They may have been diverted to a phony address.


Review your statements for discrepancies that may signal the account information is being misused.

Add obscure passwords to your credit card, bank and telephone accounts. Avoid using common information, such as birth dates, names or Social Security numbers.

Hide personal information when strangers will be in your home.

Check your credit report for unauthorized activity.

Check with your employer to see who has access to your personal information and how it is protected.

[ SOURCE: Federal Trade Commission]