FCC Warned Against Ordering Carriers to Throw Away Customer Records
DoJ and the Dept. of Homeland Security asked the FCC not to require that carriers dispose of customer calling and other records after a specified date, arguing that customer proprietary network information (CPNI) is used in “virtually every federal, state, and local investigation of consequence.” Meanwhile, an industry source said, the FTC is poised to announce enforcement actions against 5 companies for selling phone records.
Sign up for a free preview to unlock the rest of this article
Communications Daily is required reading for senior executives at top telecom corporations, law firms, lobbying organizations, associations and government agencies (including the FCC). Join them today!
The FTC is expected to announce the actions today (Wed.). Carriers have argued that federal officials should pursue action against pretexters who sell the information rather than the carriers themselves. The major wireless carriers have filed several lawsuits against information brokers, most of them based online.
Most comments on a rulemaking seeking further guidance on CPNI rules followed traditional lines, with carriers opposing additional rules and other parties sounding an alarm bell about the need for stricter regulations. The Electronic Privacy Information Center asked the FCC to tighten rules for CPNI last summer. The FCC proposed regulations in Feb. after a blogger gained national attention by buying the cellphone records of former presidential candidate Wesley Clark online for $89.95. Legislation is also moving forward in Congress, with the House expected to vote today on the Commerce Committee version of a bill.
The FCC is considered unlikely to heed calls for significant new regulation beyond requiring carriers to submit annual certifications providing details with how they comply with CPNI rules. But the FCC sought comments on a variety of issues, including a suggestion the agency require carriers to dispose of records “when they are no longer needed for billing or dispute purposes.”
DoJ and DHS said in general they support rules for safeguarding CPNI, but oppose any mandate that carriers destroy records after a given date. Comments by DoJ and DHS are generally given special weight at the FCC. The departments advised the FCC that police need access to CPNI data “in connection with investigations of all kinds -- from child pornography to illegal drug trafficking, counter- intelligence, espionage, and more.”
“While measures are needed to prevent improper access to this sensitive information, such measures should not work to limit properly authorized officials from lawfully accessing CPNI in order to solve and prevent crimes and to protect national security and public safety,” the agencies said. “Because not all records would be immediately destroyed, efforts are better focused on proper security for the records while they are maintained.”
Carriers in general advised the FCC against imposing overly restrictive rules for safeguarding CPNI data. Also focusing on security, CTIA warned that if the FCC establishes strict rules for CPNI it could in effect give wrongdoers a “roadmap to circumvent security.”
“CTIA does not support the adoption of specific and prescriptive security procedures,” the group said. “This proceeding also should not be used to create CPNI procedures unrelated to the pretexting problem, such as customer opt-in for all access, use, and disclosure of CPNI.” CTIA said it supports some requirements, including that all carriers make passwords available to all customers for account access and a requirement that each carrier’s annual CPNI certification be filed with the Commission.
“No new prescriptive rules regarding carriers’ protection of CPNI are needed,” Cingular said. “Carriers are already trying to curb data brokers’ abuses through legal action, and the theft of CPNI appears to be on the wane.” NTCA cautioned the FCC against imposing burdensome new regulations on small carriers. “Rather than impose new, costly security measures, the Commission should work with carriers, the FTC and law enforcement to identify wrong- doers,” the group said. “Only enforcement and the threat of future enforcement actions will deter parties from using illegal means to obtain information.”
But the National Assn. of Attorneys Gen. said “the apparent ease” with which data brokers appear able to obtain records shows “current regulatory safeguards to protect CPNI privacy are adequate.” The group said one way to curb abuse would be to require that records be sent by mail, since most pretexters are getting records by fax or e-mail. Privacy Rights Clearinghouse said most reports lead to the same conclusion: “Not only are current safeguards for customer calling records inadequate, but those that exist are being blatantly ignored.”
Producing a good deal of comment was the question of whether subscribers should have to opt in to security to prevent their data from being shared. “There is substantial independent evidence verifying that an opt-in approach is the only effective method to protect sensitive private information,” EPIC said: “An opt-out approach is inadequate because it is not calculated to reasonably inform consumers about their privacy options. Not only is the burden on the customer to return their opt-out notice, such notices are vague, incoherent, and often concealed in a pile of less important notices.”