Analysis

May
2013

Blagging for Information: Right or Wrong?

Over the last few years the phenomenon known as “blagging” has been prevalent in the media. Reports were dominated by phone hacking scandals, which also highlighted the illicit investigation methods and tactics used by private investigators, and, more recently, by the Australian radio station prank that had unforeseen, yet terrible, repercussions.

The people seeking confidential information generally fall into three categories:

  • Private investigators who sell information to interested third parties
  • Journalists who are looking for a scoop
  • Criminals who use social engineering to defraud their targets

Neil Miller, a Certified Fraud Examiner (CFE) and founder of Ten Intelligence Ltd, explores the investigative practice of “blagging”, the legislation surrounding the practice and, finally, guidance on how professional investigators can obtain confidential information in the correct manner.

The Investigation Industry

Professional investigation companies are generally employed by law firms, accountants, multi-national corporations, financial services and public authorities.  They conduct a wide range of investigation services such as due diligence, computer forensics, surveillance, fraud investigations, open source research, forensic analysis, risk assessments and litigation support services.

The majority of these companies act diligently, employ highly skilled individuals and adhere to the law. 

The investigators they employ will normally gain their expertise from backgrounds in the security services, law enforcement, accountancy, law and commerce.

However, there is a rogue element in the industry, and stereotypically it is some of these one-man bands and individual private investigators who have damaged the integrity, professionalism and reputation of the industry by using illicit methods to support their investigations. In January 2008, the Serious Organised Crime Agency recognised this practice and published a report entitled “The Rogue Element of the Private Investigation Industry and Others Unlawfully Trading in Personal Data” [1], which highlighted some of the illicit methods used in the industry.

Private investigators in the UK are currently not subject to licensing and the industry is not regulated; anyone can purport to be a private investigator without any recognised training.

No regulation brings serious risks to the industry. Most investigators will adhere to the law, but there will be some who turn to illegal methods to obtain the information they, or their client, desire. Such methods include practices known as “blagging” or “pretexting”.

In 2001, the Private Security Industry Act outlined the details for regulating the licensing of private investigators. This was handed to the Security Industry Authority (SIA), which was tasked to enforce regulation and administer the licensing of private investigators. After several government cutbacks, this has yet to materialise and is unlikely to happen until a new regulatory regime is agreed and implemented.

Blagging and Pretexting

Blagging has been part of an illegal privacy trade for many decades and in 2006 prompted the Information Commissioner’s report [2] “What Price Privacy?” More recently, after the phone hacking scandal and the subsequent Leveson Inquiry, the Home Affairs Committee [3] submitted its report on the illicit techniques used in the private investigations industry.

Blagging is essentially the practice of deception by impersonating someone else with a view to obtaining confidential information from an unsuspecting third party.

Blaggers use skill, confidence, polite determination and persuasive methods to trick individuals or bypass security measures, targeting confidential personal information such as an individual’s medical records, financial statements, vehicle information, phone records or mortgage details.

“Blaggers” often impersonate family members, employers, law enforcement officers, doctors, couriers, credit agencies and even florists to get the information they require. 

Journalists have often obtained information using blagging methods to give emphasis to stories that are supposedly in the public interest.

As you will read later, journalists can be deemed exempt under Data Protection Act regulations and they often use this as their defence. However, caveats apply to these exemptions, which are clearly being abused.

Are these blagging methods being exploited to create stories that wouldn’t necessarily have been in the public interest? Would they have remained private until they published it? Is this right or wrong?

So, how do they blag?

Before the blagger calls his unsuspecting target he will gather as much personal information as possible on the individual, such as their home address, date of birth and mother’s maiden name, through the publicly available electoral register and birth records.

Additionally, with social networking sites such as LinkedIn and Facebook, they may have access to the individual’s school history, partner’s name, email addresses, mobile phone numbers, pet names and employment details.  These details or a combination of these are often used as security questions posed by banks, credit card and phone companies.

The blagger will tend to have all this information to hand prior to the “blag” and will call the target impersonating the individual he seeks information on.

For example, a basic conversation with a bank will generally go down the route of:

  • Bank Advisor: "Good morning.  My name is Jane; can I take your name please?"
  • Blagger: "Hi Jane, yes, my name is Neil Miller."
  • Bank Advisor: "Hello Mr Miller.  Can I have your date of birth please?"
  • Blagger: "1st January 1970"
  • Bank Advisor: "Thank you and the first line of your address and postcode please"
  • Blagger: "10 Acacia Avenue, AB1 2CD."
  • Bank Advisor: "Thank you Mr Miller. Now a couple of security questions if you don’t mind."
  • Blagger: "That's fine."
  • Bank Advisor: "Can I have your mother’s maiden name?"
  • Blagger: "Sure – it’s Williams"
  • Bank Advisor: "and finally the name of your first school please?"
  • Blagger: "The London Primary school"
  • Bank Advisor: "Thank you Mr Miller – how can I help you today?"
  • Blagger: "Thanks Jane, can you please provide me with a list of recent credit and debit transactions and my current balance please? Have I transferred anything into my joint account recently? What about my savings account or ISA? What were my last two mortgage payments?"

As you will see, once the blagger has used his skill and confidence to bypass these security measures he will be able to access a plethora of confidential information from the customer service agent. During the call, he will either write down the information or record the conversation so that he can refer to it once the call is finished.

Although an audit trail will always be logged by the bank when a customer account page is opened, customers will rarely check with the bank when they last made contact with them. 

So who will ever know? What if the banking advisor was genuinely deceived by the call?  Did she knowingly disclose the information? Has she committed an offence?  How will it ever be reported?

Thankfully, many organisations will train their call centre employees on how to spot fraudulent access indicators and social engineering techniques. But these are confident people; male or female, they will rarely make mistakes and they are very convincing.

If a person is accused or challenged on making such calls, he will hang up. If he is caught by law enforcement then his defence lawyer may argue that the individual’s details were from the public domain and that he was only seeking “information” and not “physical property” from the third party. As “information” cannot necessarily be stolen, they may argue that this practice is not in breach of criminal law. It is a very weak defence and should not be tested.

There are many considerations to make when employing private investigators. As a matter of precaution, and to avoid any reputational and legal damage, always use a professional company that comes with ethical endorsements.

Information and Legislation

Although the private investigation industry in the UK is unregulated, there is some legislation governing the protection of individuals’ privacy that must be considered when conducting criminal and civil investigations in the United Kingdom. This legislation comes in the form of the Human Rights Act 1998, the Regulation of Investigatory Powers Act 2000 and the Data Protection Act 1998.

This legal protection has been tested in relation to the News of the World case, where Glenn Mulcaire and Clive Goodman were sentenced to six and four months respectively for interception of communications offences under the Criminal Law Act 1977 and the Regulation of Investigatory Powers Act 2000.

The Regulation of Investigatory Powers Act 2000

The Regulation of Investigatory Powers Act 2000, commonly known as RIPA, regulates the use of investigatory powers by public authorities in England, Wales and Northern Ireland in accordance with the human rights statutory framework in the United Kingdom.

RIPA generally applies to investigations whilst working within public authorities such as the police, HMRC, Financial Conduct Authority, Department for Work and Pensions, Serious Fraud Office, UK Border Agency and local authorities.

However, RIPA does not currently apply to investigation companies or individual private investigators unless they are providing professional services, such as covert surveillance, on behalf of a public authority.  There is no protection under this Act where the investigators’ client is a private company or individual.

As RIPA is generally recognised as the guiding legislation on surveillance and communication interception, investigation companies and individual private investigators should consider applying the best practice principles and ethics contained in the Act to any covert operations they perform. This will not only give them credibility; any evidence gathered from surveillance will also be more likely to be recognised in court.

Data Protection Act 1998

Legislators and law enforcement will argue that the theft of confidential information is an offence under the Data Protection Act 1998.

Currently, if a person is found guilty of unlawfully obtaining personal data under section 55 of the DPA 1998, he or she will only be fined up to £5,000 in a Magistrates’ Court, or an unlimited amount in the Crown Court. Unfortunately, this fine is hardly a deterrent, especially in a lucrative market such as this where sensitive information can be exchanged for thousands of pounds.

The Information Commissioner’s Office (ICO) is tasked to enforce the Data Protection Act 1998. The ICO offers specific best practice guidelines to private investigators and also to organisations who have been asked to provide information by investigators [4].

The key point to be made here is that an investigator with a legitimate request for information should be open about their activity and will not need to resort to blagging.

The ICO explains that the Data Protection Act 1998:

  • Regulates the processing of personal information and requires organisations to keep it secure.
  • Generally restricts disclosure of personal information to third parties unless an exemption applies.
  • The Act does not require an organisation to provide information to a third party.
  • Even where an exemption from the Act applies, an organisation might decide to withhold the information requested unless or until a court orders them to disclose it.

So what are the exemptions of this Act, and who do they apply to?

Crime & Taxation

The first exemption is set out in the Crime & Taxation section at 29 (1a) of the Act, which states that personal data can be processed for the “prevention or detection of crime” [5].

The exemption doesn’t actually specify who can make such requests, but the ICO offers the following guidance [6].

“The police are most likely to ask you to release personal information under this exemption. However, you may get requests from other organisations that can rely upon this exemption because they have a crime prevention or law enforcement function, for example, the Department for Work and Pensions – Benefit Fraud Section.”

The Act doesn’t specify what a crime is, or the severity of a crime.  Nor does it state whether the prevention or detection of crime is related to public prosecution or civil litigation matters.

So does conducting a fraud investigation for a client constitute the detection of a crime? As long as the request is official and is proportionate to the crime itself then a request should be made. However, it is still up to the organisation to decide whether or not to disclose the information.

Legal proceedings or obtaining legal advice

The second exemption is set out in section 35 covering disclosures required by law or made in connection with legal proceedings [7].  The Act states that personal data can be processed if the particular information being requested is necessary for:

a) the purpose of, or in connection with, any legal proceedings (including prospective legal proceedings), or

b) for the purpose of obtaining legal advice

This is useful when investigators are acting for litigators involved in, or contemplating legal proceedings against someone.  The disclosure of information may then be exempt and it could be provided to the investigator if the organisation chooses to do so. 

Investigators should make sure that as much evidence as possible is gathered prior to using any exemption because, and this is an important point, the organisation also has a duty to the individual and should inform them of your request.

Journalism, literature and art

The third exemption is set out in section 32 where it states that personal data can be processed only for the special purposes if:

  • the processing is undertaken with a view to the publication by any person of any journalistic, literary or artistic material, or
  • the data controller reasonably believes that, having regard in particular to the special importance of the public interest in freedom of expression, publication would be in the public interest

However, this exemption has specific caveats in the Act, which directly states:

An individual is entitled at any time by notice in writing to a data controller to require the data controller at the end of such period as is reasonable in the circumstances to cease, or not to begin, processing, or processing for a specified purpose or in a specified manner, any personal data in respect of which he is the data subject, on the ground that, for specified reasons such as: 

  • The processing of those data or their processing for that purpose or in that manner is causing or is likely to cause substantial damage or substantial distress to him or to another, and
  • That damage or distress is or would be unwarranted.

The exemptions and caveats are clearly abused. Is the revelation of a celebrity’s personal medical condition warranted, for example?

How to request information under the Data Protection Act:

When an investigator requires personal and confidential information, using s29(1) and s35 exemptions outlined in Part Two above, he/she should follow these measures:

  • Register yourself with the Information Commissioner [8] and make sure you are compliant with the Act too.
  • Make your request for information in writing.
  • Provide enough information outlining why an exemption applies in the particular circumstances or that disclosure is otherwise in compliance with the Act
  • Briefly state the purpose of the request outlining:
    • how it is in connection with current, or prospective legal proceedings or
    • obtaining legal advice, or
    • to prevent or detect a crime, or
    • catch and prosecute an offender
  • Use caution when requesting personal information from an organisation. In making your request you will also be disclosing personal information about the individual, for example that they are involved in legal proceedings
  • Do not disclose any more information than is necessary for your request to be properly considered by the organisation.
  • Do not deceive or mislead organisations as obtaining the information in this way is likely to be an offence under the Act.

The Fraud Advisory Panel [9] also outlines their guidance:

  • Give the person or body you are contacting full details of who you are and why you seek access to their data.
  • Make a written request [as outlined above]
  • Anticipate what you will need in order to establish that you have a legitimate reason for asking for the data and the extent to which this is compatible with the object of your investigation.

Remember that ‘data protection’ is often used as an excuse for non-cooperation, so be prepared to set out why the disclosure you seek is not in breach of the Act and explain why the person you are talking to can lawfully tell you what you need to know.

Conclusions

In light of these recent events in the industry, it is very likely that it will eventually be regulated. When, and in what capacity, it will be regulated we don’t yet know. The Home Affairs Committee has recommended the introduction of a two-tier system whereby private investigators and investigation companies will require a licence to operate, while registration should apply to in-house investigators of companies already subject to regulation, such as law firms and insurance companies. Both tiers should be governed by a new Code of Conduct for Private Investigators.

As for the blagging practice itself, there is a large, thick ethical and legal line between what is acceptable and what is not. As an investigator you will know whether you are crossing this line. For example, asking a neighbour whether “Bob still lives next door” is fine, and covertly making a controlled test purchase of a product to check it’s not counterfeit is okay. However, impersonating someone and ringing a bank or a doctor’s to obtain protected confidential information from them is not.

If an investigation requires personal or confidential information then there are legal ways of requesting this. There are written exemptions in the legislation that are recognised as the route to this information. When you ask for information, do so in writing and act diligently, professionally and openly. Be careful not to disclose more than is necessary.

 

[1] http://www.soca.gov.uk/about-soca/library/doc_download/396-the-rogue-element-of-the-private-investigation-industry.pdf

[2] http://www.ico.gov.uk/~/media/documents/library/Corporate/Research_and_reports/WHAT_PRICE_PRIVACY.ashx

[3] http://www.publications.parliament.uk/pa/cm201213/cmselect/cmhaff/100/10002.htm

[4] http://www.ico.gov.uk/upload/documents/library/data_protection/practical_application/disclosures_to_private_investigators_v1.0.pdf

[5] http://www.legislation.gov.uk/ukpga/1998/29/section/29

[6] http://www.ico.gov.uk/upload/documents/library/data_protection/detailed_specialist_guides/section_29_gpn_v1.pdf

[7] http://www.legislation.gov.uk/ukpga/1998/29/section/35

[8] http://www.ico.gov.uk/

[9] https://www.fraudadvisorypanel.org/index.php


