When is it wrong to say you're someone else?
 The ethical hacker, is there such a thing? I'd wager that we've all done something under false pretext, but was it really illegal? That's the dilemma in the wake of the Hewlett-Packard boardroom intrigue where one board member used data mining to root out an alleged news leak. According to the CNet article, Patricia Dunn somehow acquired the personal phone records of several board members in an attempt to identify the person who was leaking information about former CEO Carly Fiorina's troubled tenure.
Apparently the phone records were acquire by someone who called the phone company and presented false information and claimed to be one of the board members. The information was then emailed to an anonymous yahoo account. The technique is called "pretexting" and it's used by private investigators and fly-by-night Internet background check sites. To further confuse the issue, court rulings are not clear on whether or not pretexting is illegal when the information is not used for other illegal activities. It's also unclear about the status of phone records as compared to financial records.
The question on my mind is whether or not pretexting SHOULD be illegal. On the one hand we've all called up a friend or a business and pretended to be someone else either for the purposes of pulling a joke or for getting general information without giving out personal details. On the other hand, folks that use YOUR information are clearly invading your privacy, regardless of whether or not the act is illegal.
So what should be done? Well for one thing we certainly don't need any new laws. First and foremost the kind of private life eavesdropping that was conducted by HP's board member is clearly wrong. It doesn't matter if she tapped the phones or had the tech fax over the billing records. That information is confidential and an employer has no business with it.
Furthermore, the utility and municipal services industry needs to get on par with the financial services industry. Simply asking for a current billing address and maybe the last four digits of SSN is NOT enough to safeguard identity theft. Billing records should NEVER be sent via email. It may be a hassle, but all requests for information of this nature should be made via a written and signed request. At least that way if someone tries to acquire the information under false pretense not only will we have a mailing address, but they will also be guilty of forgery.
Simply making it a crime to pretend to be someone else not only doesn't solve the problem, but it removes an important layer of anonymity that is all that remains between us and an information hungry world that wants to track our every purchase, taste and preference. Making it illegal to say you’re someone else is equivalent to implanting an automatic identification chip in our arm and turning us out on the street. It just doesn't fly, and we should fight it every step of the way. |
