FCC orders carriers to protect customer information residing on devices

WASHINGTON--The FCC voted to require wireless carriers to protect and safeguard subscribers' information that sits on their smartphones and other mobile devices. 

In a declaratory ruling, the commission said carriers must take "reasonable precautions" to prevent the unauthorized disclosures of what is known as customer proprietary network information (CPNI). CPNI includes the phone numbers of the caller and those the subscriber called, the duration of calls, the location at the beginning and end of calls and other similar information.

Carriers are already required to protect CPNI that resides on their networks. The new rules extend that protection to mobile phones. Specifically, the rules makes clear that when carriers use their control of customers' devices to collect information about subscribers' use of the network, including using preinstalled apps, and the carrier or its designee has access to or control over the information, carriers are required to protect that information in the same way they are required to protect CPNI on the network.

The FCC noted that carriers are allowed to collect this information and to use it to improve their networks and for customer support. Carriers sometimes use the information to detect a weak signal, a dropped call, or trouble with particular phone models. The rules give carriers leeway on how they will protect the unauthorized disclosure of the information, but the FCC can take enforcement action against carriers if they do not take reasonable precautions, and CPNI on a device is compromised.

At the FCC's open meeting on Thursday, the commissioners were at pains to point out that the ruling does not impose any requirements on non-carrier, third-party application developers, on handset makers or companies that create mobile operating systems. The ruling also does not adopt or propose any new rules regarding how carriers may use CPNI or how they must protect it.

Democratic Commissioner Jessica Rosenworcel said the distinctions between what carriers are responsible for protecting and what handset makers and platform companies are responsible for protecting can be confusing to consumers. She urged the FCC to work with the Federal Trade Commission help consumers understand the different ways information can be collected on their phones.

The recent disclosures about National Security Agency surveillance programs, and in particular the program that collects telephone metadata similar to CPNI from virtually every American phone call, has added greater resonance to the debate over privacy. However, the new FCC ruling does not affect legal requests carriers must comply with when government agencies request subscriber information for investigations.

For more:
- see this release

Related Articles:
BlackBerry hacked? NSA, GCHQ reportedly break into BlackBerry calls, messages
Apple: We received up to 5,000 requests for user data from government in 6 months
Report: NSA doesn't directly get access to Verizon Wireless, T-Mobile call data
Reports: NSA gets phone records from Verizon, AT&T, Sprint, as well as data from Apple, Google and others
Report: NSA collecting calling records of millions of Verizon customers
FCC to vote on new rules to protect wireless customers' call data