The FCC will vote later this month on new rules that clarify how carriers can use their customers call data and to ensure the data is better protected.
The Telecommunications Act of 1996 gives the FCC authority over how customer proprietary network information (CPNI) can be used by telecom carriers. The new CPNI rules would clarify when carriers need a customer's consent to use the data, and also direct the carriers on how they can protect the data from falling into the wrong hands. The FCC is expected to vote on the ruling at its June 27 meeting.
Under the ruling, it will be made clear that under existing law, when a carrier stores sensitive customer information from voice calls, it must protect that information and may use or disclose it only as permitted by the Commission's CPNI rules. The ruling only applies to carriers and only concerns call data such as the number called, the length of the call, and where a user was when on the call.
The ruling will also clarify that a carrier may collect this information but must take "reasonable precautions to prevent unauthorized disclosure" of it. When carriers collect such information about customers' use of their devices using preinstalled apps, the ruling will make clear that they are required to protect that information. Carriers would need consent before transferring customer data to a third party.
The FCC's inquiry into customer data was sparked in late 2011 by a security researcher, Trevor Eckhart, who found his data and keystrokes being tracked on his HTC Evo 3D. Eckhart originally attributed the tracking to CarrierIQ, but it was later determined that HTC had failed to remove certain files that should not have been on the device, which gave the impression CarrierIQ was logging keystrokes and other data. HTC settled the matter with the Federal Trade Commission in February 2013. AT&T Mobility (NYSE:T), Sprint Nextel (NYSE:S) and other carriers have used CarrierIQ software to measure network performance.
As The Hill notes, carriers pushed the FCC for voluntary privacy guidelines rather than mandatory rules and CTIA said the FCC should not restrict the use of network diagnostic tools like Carrier IQ.
"Such rules are unnecessary and would actually harm consumers by hamstringing providers in their ability to improve service quality, especially in these times of wireless spectrum capacity constraints," CTIA wrote in a filing.
"This important declaratory ruling will help ensure that private consumer information--such as the time, duration, and location of calls from a mobile device--will be protected," Acting FCC Chairwoman Mingon Clyburn said in a statement. "Millions of wireless consumers must have confidence that personal information about calls will remain secure even if that information is stored on a mobile device. This ruling makes clear that wireless carriers who direct or cause information to be stored in this way have a responsibility to provide safeguards, and I hope my colleagues will join me in supporting this effort."
- see this Washington Post article
- see this The Hill article
- see this AllThingsD article
Report: Verizon Wireless gave AP reporters' cell phone records to DOJ in leak probe
Verizon patents mobile surveillance system that could track children, elderly
Sprint, Verizon and AT&T on users' privacy: We aren't the gatekeepers anymore
Legislators move to curb cell phone records
Correction, June 11, 2013: This article incorrectly described the nature of what led to the FCC's original inquiry into subscriber data protection and privacy. Carrier IQ software was not what sparked the inquiry, rather it was a video that was originally falsely attributed to CarrierIQ software.