http://www.suntimes.com/output/news/cst-nws-privacy05.html ---cut--- Steven M. Bellovin Fri, 06 Jan 2006 14:02:12 -0800 18 USC 2702(c) says A provider described in subsection (a) may divulge a record or other information pertaining to a subscriber to or customer of such service (not including the contents of communications covered by subsection (a)(1) or (a)(2)) ... (6) to any person other than a governmental entity. ... If the phone companies are not giving it out voluntarily, perhaps they're being tricked or perhaps they have corrupt employees. ---end-cut--- from the article: ""In some cases, telephone company insiders secretly sell customers' phone-call lists to online brokers, despite strict telephone company rules against such deals, according to Schumer."" the call center employees and other data services API's (less common) is exactly how they do it. t-mobile, verizon, sprint, they all contract out to call centers for various things which provide the call center operators a restricted environment in which to use their internal applications (usually IE, sometimes Remedy or Oracle Forms, graphical Java apps, etc). obviously part of the features of these applications is search by name, MIN, account, etc. often you can access a person's entire account through such systems and very little if any oversight is provided. the carriers sole focus (as it seems) is to prevent fraudulent equipment/phone deliveries to operators using customer accounts. they could care less about unauthorized access given their lack of any attempt to halt such activity. in addition to this, many of these internal networks are horribly insecure, as was well demonstrated by the t-mobile hacks earlier this year. [1] the only reason they continue to get away with such poor practice is that these networks are (in theory) all internal with dedicated lines from the call center back to the carrier networks on which the applications are run. and the fallout from their insecurity is not directly attributable back to them (they can and do blame various middle men, from devious operators to negligent call center policies, etc) [1] http://www.theregister.co.uk/2005/02/16/t_mobile_hacker_guilty/ ---- more fun quotes: "To test the service, the FBI paid Locatecell.com $160 to buy the records for an agent's cell phone and received the list within three hours, the police bulletin said." "I would say the most powerful investigative tool right now is cell records," Rizzo said. "I use it a couple times a week. A few hundred bucks a week is well worth the money."