NYT: Caller-ID Spoofing Goes Commercial

[Ben Teitelbaum <>]

http://www.nytimes.com/2004/09/02/technology/02caller.html?pagewanted=print&position=

September 2, 2004
A Commercial Software Service Aims to Outfox Caller ID
By KEN BELSON

ike most bill collectors, Marvin Smith is always seeking ways to get
chronic debtors to pay up. When he calls the first time, he typically
hears excuses and requests for more time. When Mr. Smith calls again,
the debtors often block his calls using ordinary caller ID technology
from the phone company.

That means he then visits in person, a time-consuming and sometimes
dangerous task. But Mr. Smith, who runs a collection agency in Austin,
Tex., says he may have found a solution: a new computerized service
enabling him to create false outbound phone numbers with a click of a
mouse, so he can skirt the call blockers.

The service, the first commercial version of a technology known mainly
among software programmers and the computer-hacker underground until
now, was introduced nationwide on Wednesday by a California company
called Star38.

For $19.99 a month and as little as 7 cents a minute, customers can go
to the company's Web site (www.star38.com), log in and then type the
number that they want to call and the number that they want to appear
on the caller ID screen of the recipient's phone.

For an additional fee, they can also specify names that can appear
along with their telephone numbers.

"This product would be beneficial," Mr. Smith, the bill collector,
remarked. "I'm going to look into it."

Star38 says that others with reason to mask their telephone
identities, including private detectives and law enforcement
officials, are looking into it, too.

But some privacy-rights advocates and consumer groups wonder whether
angry former spouses, stalkers or fraud artists might not be far
behind.

"Some people see caller ID as an invasion of their privacy, while
others see it as a protection of their privacy," said Robert Atkinson,
director of policy research at the Institute for Tele-Information at
Columbia University. "It's spy versus spy."

Officials at the Federal Communications Commission indicate that there
is nothing illegal, per se, in the Star38 system.

And to some extent, it is merely the latest step in the continual
cat-and-mouse game played since caller ID was introduced in the
1980's.

But the new service goes beyond past techniques like withholding the
caller's number or masking it with a series of meaningless digits
(calls from the main office of The New York Times, for example,
regularly appear on the called party's screen as 111-111-1111). With
Star38, for the first time it will be possible for vast numbers of
people to place calls masquerading as someone else.

"My concern is that private investigators will find out your mother's
number so their number will pop up on your telephone as 'Mom,' " said
Loretta M. Lynch, a member of the California Public Utilities
Commission, which oversees the telecommunications industry in the
state. "People will not trust what their phones tell them. It will
spell the end of caller ID as a way for people to protect their
privacy."

The developers of Star38, who say they required only 65 lines of
computer code and $3,000 to create their service, insist that they
will take steps to ensure that it is not used maliciously. They plan
to spend up to 10 days checking the business licenses of all
applicants and will ask subscribers to agree not to use Star38 to
commit fraud, and to accept legal liability if they violate state or
federal laws.

The company also plans to cooperate with police forces, if asked, to
provide records of what numbers customers dialed to and from, and what
numbers they chose to show the recipients of their calls.

"Law enforcement will have complete access to search our database,"
said Jason Jepson, the chief executive of Star38, of Newport Beach,
Calif. "We don't want the insinuation that they can sign up, use it
temporarily and then run off."

Mr. Jepson, 30 - who says he got the idea for his service after
speaking to his aunt, a bounty hunter, about the best ways to get in
touch with people - said Star38 had no immediate plans to sell its
service to ordinary consumers because of the potential for
misuse. "There are too many things that can go wrong," Mr. Jepson
said.

But industry experts say that the caller ID spoofing, as it is known,
is simple enough to develop that it is only a matter of time before
other service providers make it available to anyone.

The legal and ethical boundaries of the service are rather blurry. An
F.C.C. official said the agency's rules require only that telephone
companies provide caller ID abilities and the ability to block caller
ID. The rules do not cover add-on services like Star38 provided by
nontelephone companies.

But Star38 or any other service that helps companies deceive consumers
does have the potential to run afoul of the federal Fair Debt
Collection Practices Act.

"Third-party debt collectors are prohibited from using any means that
is likely to deceive consumers, " said Rozanne Andersen, general
counsel at the Association of Credit Collection Professionals, a trade
group based in Minneapolis, "so unless the collector is presenting a
telephone number that is meaningful to the consumer, it is arguably a
deceptive practice." She also said that a service like Star38 could
violate various state fraud laws.

Mr. Jepson said the company's lawyers were confident that the service
was legal. And he said that debt collectors, who might be able to
spoof caller ID systems by using Star38, would still be obligated to
identify themselves once a recipient picked up the phone.

At least one big telephone company, BellSouth of Atlanta, is concerned
about the advent of Star38. "It raises safety issues," said Jeffrey
Battcher, a BellSouth spokesman. "Our legal and regulatory departments
are looking into it. Also, the service degrades a BellSouth service
that people pay for - the caller ID information they pay for."

As for privacy-rights advocacy, not all are in the same camp when it
comes to caller ID. Some privacy groups opposed the original caller ID
services because they forced consumers to reveal personal information
involuntarily. Some of those groups now warily support Star38's
spoofing technology.

"This is solving a problem that caller ID created," said Mark
Rotenberg, executive director of the Electronic Privacy Information
Center in Washington. "Most people thought of caller ID as a net
privacy loss, but this technology may help customers recapture some
privacy."

Others add that caller ID spoofing is no different - and no better or
worse - from other telecommunications technology that have allowed
people to mask their identities or locations. For years, people have
used pay phones to hide their whereabouts, and some companies now sell
cheap mobile phones with a finite number of minutes that callers can
use temporarily and throw out afterward.

And anyone with a computer and a telephone line can create free e-mail
addresses that preserves anonymity.

"You've always had in technology an arms race when you try to change
things," said Lee Tien, a senior staff lawyer at the Electronic
Frontier Foundation, a nonprofit group that advocates minimal
regulation of the Internet. "I've never liked caller ID, but it's one
of the things you have to deal with."

Still, Mr. Tien and others warn that there is often a gap between the
introduction of technology and the public's knowledge of its uses and
abuses, and the lag leaves ordinary people open to exploitation. And
since Star38 will be available only to companies and not consumers, it
is individuals who may be most at risk initially, they say.

"This is another case where the technology is developing so quickly
that there aren't standards settled on for people to keep up with
what's possible, and that's where you have the deception," said Jay
Stanley, communications director of the technology and liberty project
at the American Civil Liberties Union. "There's a lag between what's
possible and what's known."

Mr. Jepson, who said he had received about six dozen e-mail messages
so far from potential customers who had downloaded the Star38
software, maintained that his company's safeguards were intended to
prevent misuse.

"Every technology has a dark side," Mr. Jepson said, "but our customer
will have to use it legally."

Copyright 2004 The New York Times Company