FCC rules that confidential data collected on consumers’ devices by software for which carrier is responsible must be protected. 

Irony alert! As questions mount about the government’s access to consumers’ private communications – both telephonic and digital – the FCC has issued a Declaratory Ruling (Ruling) advising wireless carriers of their obligation to protect the privacy of their customers’ information. So even as the government acknowledges that its own treatment of such information may not have been as confidential as had previously been represented, the government is imposing arguably new confidentiality burdens on both large and small mobile carriers.

Essential governmental principle at work: do as we say, not as we do.

What’s at issue here is the protection of Customer Proprietary Network Information (CPNI), but in a relatively new setting. 

Generally, CPNI consists of certain customer information – including such data as the customer’s specific calling plans, special features, pricing and terms, and details about whom they call and when – that is deemed “proprietary”. (The official statutory definition of CPNI may be found in Section 222(h)(1) of the Communications Act.) The law requires that carriers go to great lengths to keep CPNI confidential: carriers can use, disclose, or permit access to individually identifiable CPNI only in limited circumstances relating to their provision of telecommunications services or with customer consent.

Historically, the FCC has focused on how carriers collect, retain and use CPNI in their internal, “back-office” systems. But in 2011, a new risk to CPNI surfaced, a risk not in the carriers’ internal systems, but in the consumers’ own individual devices.

As it turns out, those devices include software – installed by the carrier or by the manufacturer at the carrier’s request – that captures a wide range of data for diagnostic purposes and preserves those data in the device itself. The data are available both to the carrier, to help improve overall network performance, and to its customer-service reps, to help them assist individual customers with problems.  Some of those data include precisely the type of information (e.g., dialed phone numbers and calling behavior, location coordinates, mobile subscriber numbers) subject to CPNI protection. 

In November, 2011, a researcher found that that device-resident information could be accessed by third parties thanks to security vulnerabilities in the collecting software. Oops.

The primary culprit identified in 2011 was Carrier IQ, a program used by various carriers to obtain data on the operation of their respective networks. (While Carrier IQ is the only such program specifically identified by the FCC in the Ruling, there are undoubtedly others out there that do the same or similar things.) Once Carrier IQ’s apparent susceptibilities surfaced, the Commission examined the relevant law to determine whether changes were necessary to assure CPNI protections. The Ruling is the result.

In its Ruling, the Commission emphasizes that the collection of data on a consumer’s individual device – including data routinely entitled to CPNI protection – is legitimate and potentially beneficial to the carrier and the consumer alike. In other words, the collection of such data is permissible and CAN continue, regardless of whether any or all of the data so collected are CPNI. That’s the good news for carriers.

The not-so-good news: if a carrier is responsible for the collection of CPNI – whether that collection occurs in the carrier’s internal system or on the customer’s device – the carrier is required to “protect the confidentiality of CPNI [so collected] and to prevent unauthorized use, disclosure, or access”. So if any of the collected data are CPNI, the CPNI must be protected.

How does the FCC determine that a carrier is “responsible for the collection” of CPNI? According to the ruling, if the confidential data are “(1) collected by or at the direction of the carrier, and (2) may be accessed or controlled by the carrier or its designee”, then the carrier is responsible for that collection. So if the carrier itself installs information-gathering software on its customers’ devices, or if the carrier has such software installed by somebody else (obvious example: the device manufacturer), and if the carrier can then access and/or control the data collected by that software, then the carrier must assure the confidentiality of any CPNI collected as a result. This obligation kicks in whether or not the CPNI data have ever in fact been transmitted to the carrier’s own servers.

The perhaps-worse-news: the Ruling does not provide much guidance as to how carriers are expected to assure the required confidentiality. The Commission cautions that carriers must “take[ ] reasonable precautions to prevent the unauthorized disclosure” of CPNI”, and it alludes generally to protecting CPNI “whether by storing [it] in a location or form that it is protected or otherwise.”  But the FCC’s not-entirely-illuminating take-home message is that decisions will “depend on the facts and circumstances in a particular case”. 

One somewhat more detailed example the Commission does provide: a carrier is expected to “encrypt its CPNI databases if doing so would provide significant additional protection against the unauthorized access to CPNI at a cost that is reasonable given the technology a carrier already has implemented.” That example, however, may not be especially helpful in light of its relative non-specificity. (How much “additional protection”, after all, will afford “significant additional protection”? What cost is “reasonable” under what circumstances?)

What’s a mobile carrier to do? At the very least, it should have a comprehensive understanding of any and all software that it installs, or causes to be installed, on its customers’ devices. And it should have an equally comprehensive understanding of the nature of any and all data that such software can and does collect in any manner.  If ANY of those data qualify as CPNI, then the carrier should take careful steps to assure that such data are protected from unauthorized disclosure, access or use by any third party. If the carrier can’t guarantee such protection, the carrier should seriously consider removal of the collection software. Historically, the Commission has doled out five- and six-figure penalties for CPNI-related misconduct. Following the Ruling’s unequivocal extension of CPNI protection to device-resident data, the FCC is likely to be even less charitable in dealing with violations.

Of course, as the FCC recognizes, consumer devices can collect data in a wide variety of ways. Apps can be installed by the consumer or by third-parties unrelated to the carrier. Any information, CPNI or not, collected by such apps is not the carrier’s problem. But if any software for which the carrier is responsible collects CPNI, the carrier must protect any CPNI collected by such software.

The Ruling places mobile carriers in a difficult political position. When the FCC first sought comment on the issue of device-resident data collections, many carriers resisted what they viewed as the imposition of additional CPNI-related obligations. Since then, however, we have seen the revelations regarding the data that the large carriers have been turning over to the government through the various NSA surveillance programs. In the light of those revelations, now might not be the best time for carriers to be seen to be opposing protection of confidential customer information; efforts to seek reconsideration or judicial review of the Ruling are thus probably unlikely. Discretion being the better part of valor, mobile carriers may be better served by accepting and complying with the Ruling.