Do you think that the typical Internet sex offender lies about his age, pretends to be another child, then abducts his victim after tricking the boy or girl into a secret tryst?

Well, that isn't the way it happens, an expert on online sex crimes argued before the United States Senate yesterday.

Dr. David Finkelhor of the University of New Hampshire told the Senate Commerce Committee that, after studying hundreds of cases, his research team found "a different reality."

• Teenagers, not young children, are the typical online sex crime victims. And the "predominant crime scenario" rarely involves violence or abduction. These take place, respectively, in only five and three percent of cases.
• The overwhelming majority of adult offenders do not conceal who they really are. 80% are "quite explicit about their sexual intentions towards these kids."
• Violent sex crimes are atypical in these cases. By the time the adult and the teenager have met, the former has typically engaged in weeks of "very often quite explicit online conversations that play on the teen's desire for romance, adventure, sexual information and understanding."

  Finkelhor characterized these teenagers as "troubled youth with histories of family turmoil and physical and sexual abuse."

Cell phone customers whose calling record data has been stolen will learn about the theft as long as two weeks after the Federal Bureau of Investigation does, the Federal Communications Commission ruled today.

That is, if the FBI and the United States Secret Service (USSS) do not ask the carrier to continue to put off disclosure of the security breach.

The decision is part of a suite of new rules to protect consumers from "pretexters"—con artists who trick phone companies into disclosing calling records, then sell the data over the Internet or elsewhere.

Today's FCC decisions mean that from now on:

• Phone companies cannot release customer phone call records unless the customer provides a password. In the absence of a password, the company can only send the data to the customers' address of record or call the customer back at their phone number of record.
• Carriers must notify the customer immediately if their password changes.
• Telcos must get explicit consent from customers before sharing calling data with marketing partners and independent contractors.
• Carriers must submit an annual certification to the FCC that includes actions taken against pretexters and a summary of relevant complaints from consumers.

The FCC opened a new rulemaking proceeding on pretexting a little over a year ago, requested by the Electronic Privacy Information Center (EPIC).

During the course of the comment cycle the Department of Justice, Federal Bureau of Investigation, and Department of Homeland Security repeatedly asked the FCC to include rules that delay carriers letting customers know if the security of their records has been compromised.

Perhaps one of the most disturbing aspects about this week's revelations of the Federal Bureau of Investigation's abuses of the Patriot Act is the agency's widespread use of "exigent letters" to improperly obtain consumer telephone records.

A 199 page audit by the Justice Department's Office of Inspector General (OIG) issued on Friday indicates that from 2003 through 2005 the FBI ignored proper legal procedures for securing private documents: including email records, financial records, and customer telephone data.

The revelations have great significance for the Federal Communications Commission, currently considering new rules to make consumer telephone records more secure against "pretexters" - ”con artists who fool telephone companies into giving up private phone use data, then selling the information to others.

The Patriot Act requires the FBI to issue "national security letters" (NSLs) - essentially warrants - to entities that have private data that the FBI wants. The agency can also get the documents through Grand Jury subpoenas.

But in the case of telephone records, the OIG found over 700 instances in which the FBI obtained the information without resorting to either method. Instead they sent out so-called "exigent letters," signed by FBI officials who had no authorization to sign NSLs.

A major cell phone trade association has asked the Federal Communications Commission for more time to comment on a Justice Department proposal that would require phone companies to delay telling customers that their data has been stolen.

"The proposal, if adopted by the FCC in the manner proposed by the Department, inadvertently could require carriers to report immaterial breaches and could force carriers to delay notifying customers of major security breaches," a representative of CTIA, the Wirelss Association, wrote to the FCC on February 5th. "Both of these elements could create a direct conflict with certain state security breach notification laws."

The Department of Justice (DOJ) has asked the Federal Communications Commission to "include a mechanism of delay" in any rules requiring phone companies to notify consumers that their records have been "pretexted"—that is, stolen. The delay would last at least a week, and could go on indefinitely.

As the Federal Communications Commission prepares new regulations to crack down on con artists who steal and sell cell phone data, Verizon and other telcos are pushing the agency not to go too far.

Verizon, XO Communications, and T-Mobile all filed with the FCC or visited its offices on the matter on Monday and Tuesday of this week.

The Dow Jones media service, citing anonymous sources, says that the FCC will soon vote on a series of new regulations that would make it harder for "pretexters" to fool phone companies into disclosing customer cell phone records. These would include requiring phone operators to ask for a password from customers who want such data, as well as stricter rules for sharing information with third party telemarketers.

The FCC has not scheduled the issue for its upcoming January 17th meeting, but is expected to act on the proposed rules soon.

The Federal Communications Commission has fined a firm accused of illegally selling cell phone customer data $97,500 for failing to provide information about how it got the private consumer telephone records that its Web site offered for sale.

On January 20th, 2006, the FCC issued a subpoena to LocateCell and another data broker, DataFind.org, demanding documentation of its practices. LocateCell, which was based in Missouri, is no longer in business. The states Attorney General Jay Nixon shut the company down with a court order eleven days after the FCC's subppoena.

Selling phone records, formally known as "Customer Proprietary Network Information" (CPNI), is against the law, specifically against Section 222 of the Communications Act.

The Department of Justice (DOJ) has formally asked the Federal Communications Commission to "include a mechanism of delay" in any rules requiring phone companies to notify consumers that their records have been "pretexted"—that is, stolen. The delay would last at least a week, and could go on indefinitely.

"Allowing for delayed consumer notification in appropriate cases enhances our ability to investigate the circumstances surrounding the loss of the data and, thereby, advances consumer protection," Deputy Attorney General Paul McNulty wrote to the FCC on December 28th, 2006.

The DOJ request comes in the context of an FCC proceeding to establish security measures against "pretexters" - con artists who trick phone companies into disclosing customer records, then sell those records to others.

In February of 2006, the FCC opened a new rulemaking proceeding on pretexting, requested by the Electronic Privacy Information Center (EPIC). The proceeding asked the public to comment on five security measures proposed by EPIC to protect customer phone data: passwords set by customers, better tracking of customer records, encryption of records, limits to how long companies can keep customer data, and letting customers know if the security of their records has been compromised.