More and more companies assume your phone is your second-factor authentication, raising potential for abuse
I was updating my company 401(k) information last week, and the website wanted me to provide my cellphone number. It didn’t say why, nor did it explain how it would use that information. A conference I signed up for also wanted my cellphone number, again with no explanation or context.
In both cases, I left the field blank, but it’s getting harder to do so these days, as more and more services require a cellphone number, ostensibly to text confirmations, such as for second-factor authentication, or to call if suspicious activity is detected on your account. Fortunately, it is illegal for businesses to require customers to furnish a cellphone number to complete an order, notes Federal Trade Commission analyst Bikram Bandy. But some companies may still make the cell number a required field in their forms.
That may be good for security, but it raises a host of privacy and sanity issues that the industry at large has not figured out — and some are abusing.
One issue is that as people are abandoning landlines for cellphones, direct marketers are unable to reach people to hawk their services, legit and otherwise. Federal law prohibits soliciting any phone numbers — landline or cellular — via autodialers, even if that phone is not on the Do Not Call registry.
I asked the FTC about what can be done with your cellphone number if you provide it. According to analyst Bandy and spokesman Mitch Katz, despite tight restrictions on abusive telemarketing, loopholes remain to be exploited. My outreach to the Federal Communications Commission (FCC), whose rules are very similar to the FTC’s, turned up some of the same loopholes.
At the FTC, Katz’s personal advice is never to give out your cellphone number “because it will end up in a database somewhere.” The FCC’s official advice: “Be careful about giving out your mobile phone number, email address, or any other personal information.”
Here’s what a company can and cannot do with your phone number, whether a landline or cellphone:
If you have done business with the company and provided your phone number, the company or its agents can call you for 180 days, even if your number is on the FTC’s Do Not Call registry. That’s the “business relationship” exemption. It cannot use an autodialer to place robocalls, however — only make human-dialed calls to you.
The Do Not Call registry applies to personal phones, not business units. But many of us use the same phone for both, one of the muddying consequences of BYOD and COPE, as well as of working from home. As a result, a phone used for business — no matter who owns it — is less protected against telemarketing than one used for personal calls only; the Do Not Call registry does not apply to business solicitations. Still, FTC rules restrict the types of telemarketing calls that can be made to “business” numbers: The calls must be to sell a good or service related to that specific business, so unrelated telemarketing is not allowed. A seed company can call a farmer at his office or home number if that number is on the Do Not Call registry, for example, but a vacation cruise company cannot, Bandy says.
It has been illegal since September 2009 to use autodialers to call any phone, whether cell or landline, unless you agree in advance to such calls in writing, which hardly anyone knowingly does. But we still get them from less-scrupulous marketers.
If the company has your cellphone number, per FTC rules, it can text you all it wants — the Do Not Call registry only applies to voice calls — as long as the texts are not misleading or otherwise fraudulent. Per FCC rules, texts may not be sent by an automated system unless you agree to that in writing in advance for business relationships and orally for informational purposes (such as with nonprofits). The texts must include an opt-out link and ID from the sender. As we all know, few comply with the FCC’s rules.
The federal rules don’t apply to calls or texts made from other countries, so those Indian “we’ll fix your PC” scam callers can call as much as they want.
In a nutshell: Once you’ve released that cell number, you are fair game for telemarketing. How much telemarketing you’re setting yourself up for depends on how strictly a company follows the FTC’s and FCC’s rules. Lots of boiler-room operations don’t, enforcement is low, and even when caught all a company has to do is set up shop under a new name.
Basically, given that you have a cellphone with you all the time, it would be idiocy to turn it into a telemarketing venue. But you may have no realistic choice. For example, Apple’s iCloud uses your cell number to send texts to authorize certain changes to your iTunes account, iCloud access, and Apple ID. Google will do the same if you let it, as will some banks.
The FTC’s Bandy says that if you provide your cell number, such companies could call on your cellphone for purposes other than verification and authorization. However, they would have to use human-dialed calls, which are costly, lessening the chances of spam calls.
Text spam is not prohibited by the FTC, but the FCC regulates texted commercial solicitations: As previously noted, automated texts are banned, and texts must include an opt-out method and a return address. That’s pretty much it — there’s no equivalent to the Do Not Call registry for texts. As you can see, the FCC’s text spam regulations are not as stringent as the FTC’s phone spam regulations.
Apple uses privacy protection as a competitive differentiator, and I trust it not to abuse me via texts or calls; Google, not so much, despite assurances from the company that it won’t use my number for other purposes or share it. Google’s business is all about mining and selling personal data, so at some point I believe it will change those policies.
FTC rules restrict its ability to sell those numbers to others, and Do Not Call registry rules still apply. However, a real risk of text spam and a smaller risk of increased phone solicitations to your cellphone remain.
Likewise, I’m leery of my bank or other financial institution having my cellphone number, despite FTC and FCC rules. That industry is a master at spam, after all. The same goes for my Kaiser health plan; the constant robocalls to my home landline phone got so bad that I provided a fax number to stop the barrage of calls and voicemails that boiled down to “we have useful information for you; please call to see what it might be.” And Kaiser wants my cell number? Nuh-uh.
Another issue is cost — on many cellphone plans, texts cost 20 cents each. You could spend a fortune — or be forced to buy a text plan on top of the already-high cost of a data plan — if your cellphone number gets out. This issue is waning, though, as the cellular carriers have herded most people into their higher-priced “everything” plans. Most users no longer face an economic loss from telemarketing via cellular, only a loss of time and quiet.
The third issue is, as I mentioned previously, that many of us have one number — our cell — for both business and personal use. We don’t have two-line cellphones in the United States, and if we did, they’d be confined to the same carrier and probably cost twice as much as a single-line plan.
That commingling means you can’t easily manage calls and texts from legitimate but off-hours sources. iOS and Android have do-not-disturb features, but they don’t work per user. In some cases, you can filter out notifications based on contact groups, but it’s a lot of work to manage, as I discovered when I tried using Google Voice for that purpose, and it’s hardly exact.
As a journalist, I’m barraged by PR people across the globe, who don’t respect time zones or weekdays. My phone literally rings 24/7 as PR peons dial numbers from one of a half dozen databases they use to track the media. (That’s allowed as a business-to-business solicitation.)
I had to retire my old home number once I got on the PR telemarketing databases — I naively provided it to one PR person, who added it to the firm’s media database, which then propagated everywhere. Long ago, I also stopped answering my office landline due to the constant PR spam calling, so this issue is acute for me. But it’s acute for many professionals, especially anyone targeted by a vendor for a sales pitch. Ask any CIO.
What to do? Probably the best option is a federal law that disallows all marketing calls and texts from a company and all its affiliates and partners to cellphones when those numbers are provided for use as second-factor authentication or as a verification method. Furthermore, no marketing call or text should be allowed to hide its originating number (as many do), so abusers can be more easily identified.
There should be no exceptions — after all, they can always email their pitches, since most people now have phones that do email.
A federal law won’t stop abuse. Who doesn’t still get marketing calls on personal landlines or cellphones they’ve added to the federal Do Not Call registry, even a decade after its launch? But the law has reduced telespam hugely and has been effective.
Maybe Apple or Google will figure out smarter ways to filter incoming calls and texts to block abuse before it wakes you up at 2 a.m., interrupts your dinner, or raises your monthly bill. Or maybe the industry will support two-line phones in a way the carriers don’t abuse.
I’m not holding my breath for a technology solution: Look at how ineffective technology has been in dealing with email spam.
I suspect the only way for our cellphones to not reach that state is to keep off the telemarketing grid in the first place. When asked to provide my cellphone number, I say no 99 percent of the time. Security is important, but sanity is more crucial.