FCC Warned Against Ordering Carriers to Throw Away Customer Records

The FTC is expected to announce the actions early today (Wed.). Carriers have argued that federal officials should pursue action against pretexters who sell the information rather than the carriers themselves. The major wireless carriers have filed several lawsuits against information brokers.

Most comments on a rulemaking seeking further guidance on CPNI rules followed traditional lines, with carriers opposing additional rules and other parties sounding an alarm bell about the need for stricter regulations. The Electronic Privacy Information Center asked the FCC to tighten rules for CPNI last summer. The FCC proposed regulations in Feb. (CD Feb 13 p1) after a blogger gained national attention by buying the cellphone records of former presidential candidate Wesley Clark online for $89.95. Legislation is also moving forward in Congress, with the House expected to vote today on the Commerce Committee version of a bill.

The FCC is considered unlikely to heed calls for significant new regulation beyond requiring carriers to submit annual certifications providing details with how they comply with CPNI rules. But the FCC sought comments on a variety of issues, including a suggestion the agency require carriers to dispose of records “when they are no longer needed for billing or dispute purposes.”

DoJ and DHS said in general they support rules for safeguarding CPNI, but oppose any mandate that carriers destroy records after a given date. Comments by DoJ and DHS are generally given special weight at the FCC. The departments advised the FCC that police need access to CPNI data “in connection with investigations of all kinds -- from child pornography to illegal drug trafficking, counter- intelligence, espionage, and more.”

“While measures are needed to prevent improper access to this sensitive information, such measures should not work to limit properly authorized officials from lawfully accessing CPNI in order to solve and prevent crimes and to protect national security and public safety,” the agencies said. “Because not all records would be immediately destroyed, efforts are better focused on proper security for the records while they are maintained.”

Carriers in general advised the FCC against imposing overly restrictive rules for safeguarding CPNI data. Also focusing on security, CTIA warned that if the FCC establishes strict rules for CPNI it could in effect give wrongdoers a “roadmap to circumvent security.”

“CTIA does not support the adoption of specific and prescriptive security procedures,” the group said. “This proceeding also should not be used to create CPNI procedures unrelated to the pretexting problem, such as customer opt-in for all access, use, and disclosure of CPNI.” CTIA said it supports some requirements, including that all carriers make passwords available to all customers for account access and a requirement that each carrier’s annual CPNI certification be filed with the Commission.

“No new prescriptive rules regarding carriers’ protection of CPNI are needed,” Cingular said. “Carriers are already trying to curb data brokers’ abuses through legal action, and the theft of CPNI appears to be on the wane.” NTCA cautioned the FCC against imposing burdensome new regulations on small carriers. “Rather than impose new, costly security measures, the Commission should work with carriers, the FTC and law enforcement to identify wrong- doers,” the group said. “Only enforcement and the threat of future enforcement actions will deter parties from using illegal means to obtain information.”

But the National Assn. of Attorneys Gen. said “the apparent ease” with which data brokers appear able to obtain records shows “current regulatory safeguards to protect CPNI privacy are adequate.” The group said one way to curb abuse would be to require that records be sent by mail, since most pretexters are getting records by fax or e-mail. Privacy Rights Clearinghouse said most reports lead to the same conclusion: “Not only are current safeguards for customer calling records inadequate, but those that exist are being blatantly ignored.”

Producing a good deal of comment was the question of whether subscribers should have to opt in to security to prevent their data from being shared. “There is substantial independent evidence verifying that an opt-in approach is the only effective method to protect sensitive private information,” EPIC said: “An opt-out approach is inadequate because it is not calculated to reasonably inform consumers about their privacy options. Not only is the burden on the customer to return their opt-out notice, such notices are vague, incoherent, and often concealed in a pile of less important notices.”

NASUCA Says CPNI Rules Are ‘Inadequate’

The FCC’s CPNI rules are “inadequate” and should be beefed up to protect consumers, said NASUCA: “The Commission should prohibit telecommunications carriers from disclosing CPNI -- even to an affiliate, joint venture partner or independent contractor -- unless the customer first specifically and affirmatively authorizes disclosure.” NASUCA pushed 5 “basic principles” to protect consumers’ information: (1) Telecom carriers should notify consumers before any of their personal information is disclosed. (2) Consumers should know how the released information will be used. (3) Companies should take steps to make sure CPNI is “accurate and secure… with safeguards to protect against loss and unauthorized access.” (4) Consumers should have the ability to correct errors in their CPNI. (5) Companies and the industry as a whole should develop enforcement measures to make sure CPNI is treated securely.

USTelecom argued against additional rules. “There is no need for the Commission to impose additional [CPNI] regulations on telecommunications carriers because the current CPNI obligations… are fully sufficient,” the association told the FCC. There’s no evidence of “carrier negligence” or “any intentional violation” of CPNI requirements imposed by the Telecom Act, USTelecom said. There’s also no evidence that the security measures proposed by the Electronic Privacy Information Center (EPIC) would protect consumer privacy, USTelecom said. “Bad actors such as data brokers and pretexters are motivated by profit and will certainly attempt to find ways around any regulations,” USTelecom said. In the meantime, “conducting an inquiry into the current method of security measures used to verify the identity of those requesting CPNI would likely result in providing wrong-doers with a roadmap of how to more easily obtain such CPNI,” USTelecom said.

The FCC asked for views on EPIC’s proposals in the comments filed late last week. EPIC has suggested several security measures such as consumer-set passwords, audit trails, encryption of stored records, deletion of call records once they no longer are needed for billing purposes and notification to customers when security of their CPNI has been breached.

CompTel said it agreed with EPIC about the importance of the CPNI security issue but “the measures proposed by EPIC in its petition would not advance the Commission’s privacy protection measures.” Instead, CompTel said, the proposals would “impose massive additional costs on carriers and their customers without any concomitant benefits to consumers.”