Modernizing CPNI Rules

I think we badly need new CPNI rules for the industry. CPNI stands for ‘Customer Proprietary Network Information’ and refers to the rules that govern the use of data that telcos and ISPs gather on their customers. CPNI rules are regulated by the FCC and I think it’s fully within their current mandate to update the rules to fit the modern world.

While CPNI is related to privacy issues it’s not exactly the same. CPNI rules involve how ISPs use the customer data that they must gather in order to make the network operate. Originally CPNI rules involved telephone call details – who we called, who called us, etc. Telcos have been prohibited by CPNI rules from using this kind of data without the express consent of a consumer (or else in response to a valid subpoena from law enforcement).

Today the telcos and ISPs gather a lot more information about us than just telephone calling information. For instance, a cellular company not only knows all of your call details, but they know where you are whenever you call, text or make a data connection from your cellphone. Every ISP knows every web search you make since they are the ones routing those requests to the Internet. If you buy newer ISP products like home automation they know all sorts of details that they can gather from monitoring motion detectors and other devices that are part of their service.

Such CPNI data is valuable because it can be used by the ISP to assemble a profile of each customer, particularly when CPNI data is matched with data gathered from other sources. Every large ISP has purchased a business arm that is aimed at helping them monetize customer data. The ISPs are all envious of the huge advertising revenues generated by Facebook and Google and want to climb into the advertising game.

The FCC was given the authority to limit how carriers use customer proprietary data, granted by Section 222(b) of the Telecommunications Act of 1934. Those statutes specifically prohibit carriers from using CPNI data for marketing purposes. Over the years the FCC developed more specific CPNI rules that governed telcos. However, the FCC has not updated the specific CPNI rules to cover the wide range of data that ISPs gather on us today. Telcos still ask customers for permission to use their telephone records, but they are not required to get customer permission to track web sites we visit or our location when using a cellphone.

The FCC could invoke CPNI protections for companies that they regulate. It gets dicier for the FCC to expand CPNI rules past traditional carriers. All sorts of web companies also gather information on users. Google makes most of their money through their search engine. They not only charge companies to get higher ranking for Google searches, but they monetize customer data by building profiles of each user that they can market to advertisers. These profiles are supposedly very specific – they can direct advertisers to users who have searched for any specific topic, be it people searching for information about diabetes or those looking to buy a new truck.

There are many who argue that companies like Google should be brought under the same umbrella of rules as ISPs. The ISPs rightfully claim that companies like Google have a major market advantage. But the ISPs clearly prefer the regulatory world where no company is subject to CPNI rules.

There are other web applications that are harder to justify as being related to CPNI. For example, a social network like Facebook gathers huge amounts of private data about its users – but those users voluntarily build profiles and share that data freely.

There are more complicated cases such as Amazon, which has been accused of using customer shopping data to develop its own product lines to directly compete with vendors selling on the Amazon platform. The company clearly uses customer data for their own marketing purposes – but Amazon is clearly not a carrier and it would be a huge stretch to pull them under the CPNI rules.

It’s likely that platforms like Facebook or Amazon would have to be regulated with new privacy rules rather than with CPNI rules. That requires an act of Congress, and it’s likely that any new privacy rules would apply to a whole range of companies that use the web – the approach taken by the European Union.

Telephone versus Broadband Privacy

We now have an unusual regulatory world where there is more privacy protection in place for telephone customers than there is for broadband customers. One of the many things done in the Congressional Review Act (CRA) for the new budget that went into effect on April 3 was to nullify the FCC’s privacy rules for ISPs. These rules were implemented in the fall of 2016 and prohibited ISPs from using customer data without customer consent.

There have been no equivalent changes in the rules for landlines, cellular phones and cable TV subscribers. The rules for telephone privacy were established by the Telecommunications Act of 1996 and are referred to as CPNI (Customer Proprietary Network Information). These rules prohibit phone companies from using calling records unless they have customer permission. There is a good summary of a customer’s rights on this FCC web page.

Telephone companies routinely capture details of customer calling – who you call and who calls you. This is familiar to anybody who’s seen a TV crime show since one of the first things detectives routinely do is to ask to see telephone calling records for a suspect. The telephone companies can’t release this information without a warrant if a customer has elected to keep their records private. In addition to calling records these rules also require phone companies to keep other customer data secure, such as billing records, credit card numbers etc. Telephone companies are even prohibited from marketing their own products to customers if the customers opt out.

The 2016 privacy rules for broadband had implemented the same sort of privacy rules. Customers were given the choice to allow or deny access to their records. This was a much more far-reaching protection due to the large volume of information that an ISP has about their customers. At a minimum an ISP knows every web page you have visited since they control the DNS routing that connects you to web sites. There are numerous other things an ISP can know about a customer should they choose to look deeper into the packets to and from customers.

The new FCC Chairman Ajit Pai led the charge to kill the 2016 ISP privacy rules. Those were put into place just before the 2016 election and he had voted against the rules then. His primary argument is that the protections put barriers onto ISPs while there was nothing similar for ‘edge providers’, that is, web companies like Facebook or Google. Those companies have no restrictions on what they can collect from users of their software and platform. Chairman Pai argued that the privacy rules didn’t really protect customers and just ended up putting ISPs at a disadvantage compared to Google.

It’s a valid argument, but killing ISP privacy protection is not the only way to get more parity between web companies. The European Union has taken an opposite approach and has placed restrictions on what both ISPs and edge providers can collect without customer permission.

Regulations are often squirrely and it’s not hard to find regulatory rules that make no sense or that have lasted far past their usefulness. I find it particularly odd, though, that I can tell my cellular provider to keep details of my phone calls private, but I can’t stop them from recording all of the web sites I visit. I’m sure the average citizen is far more concerned about web usage records than they are about who called them.

People who are concerned about their web privacy are taking steps to protect their information. Many people have changed to VPNs to encrypt their web usage and keep the details away from the ISP. There are alternate providers that can do DNS searches so that your ISP doesn’t know the web sites you visit. People are using web browsers that don’t track their usage. Large numbers of people are reportedly dropping off Facebook and other platforms that routinely and openly benefit from their personal data.

What’s most disconcerting about all of this is that privacy is the kind of regulation that has now become partisan. It’s not hard to envision a future Democratic FCC putting the privacy rules back in place and we might see this and similar issues yo-yo with changes in the administration. Of course, the easiest way around that is to do what my smaller ISP clients do – they don’t record customer information, so they don’t really care what the FCC says about privacy – they just provide it as another aspect of good customer service.

FCC Reverses 2016 Privacy Ruling

The FCC adopted an order that formally recognized that the privacy rules passed by the Tom Wheeler FCC are cancelled and that the FCC will revert to the previous privacy rules that were in effect in the past. The action is mostly a clarification because Congress passed H.J. Res 34, the Congressional Review Act that nullified the actions of the last FCC.

This FCC order means a number of things. For regulated telephone providers (both LECs and CLECs) it means that all of the previous rules that were generally referred to as Customer Proprietary Network Information (CPNI) are back in effect. Those rules are codified in FCC Rules Section 64.2009(e) and (c). Those rules include:

  • An obligation to not disclose telephone customer data without permission from the customer.
  • An annual compliance certification to demonstrate compliance with the CPNI rules. This filing will be due next year again, filed no later than March 1.
  • Compliance with various recordkeeping rules that would demonstrate compliance should a carrier ever be audited.

The FCC also reminded non-regulated ISPs that while they are not directly subject to the CPNI rules, they are still subject to Section 222 of the Communications Act that says that all carriers must take reasonable and good faith steps to protect customer privacy.

The rules passed by the last FCC would have brought all ISPs into the same regulations as telcos. And in doing so the rules went further than in the past and required that any service provider get customer buy-in before using their data. Customers were to have been provided with the option to allow ISPs to use data for any purpose, to allow ISPs to use data just for marketing to the customer, or customers could have opted out and chosen full privacy.

One of the big public fears that was voiced in opposition to the congressional action that reversed the privacy rules is that ISPs are now free to use customer information in any manner and that they could even go so far as to ‘sell the browsing history’ of customers on the open market. If ISPs misuse customer broadband data in too egregious of a manner I guess we’ll have to wait for a specific complaint using the Section 222 rules to see what level of protection data customers actually have.

All of the big ISPs have come out and said that they would never sell customer browsing data, and it’s probable that even under the older rules that are still in place that directly selling specific customer data might be illegal.

But we know that the big ISPs have all made plans to monetize customer data, and many of them have already been doing that for years. The most likely use of customer data will be for the biggest ISPs to engage in the same kind of advertising that is being done by Google and Facebook. The social media companies have built detailed profiles of their customers, something that advertisers find valuable. But the ISPs have a big advantage over the social media companies in that they know a lot more about customers including all of the web searches they make and all of the web sites they visit. The big ISPs all have branches of their business that are focusing on this kind of advertising, and even smaller ones like Altice recently purchased a company that creates targeted advertising based upon customer profiles.

There was an article in Forbes earlier this year by Thomas Fox-Brewster that speculated that targeted advertising is what the ISPs really want. They look at the gigantic revenues being earned by Google and Facebook and want a piece of that action. He doesn’t believe that the ISPs will directly sell data, which might invite retaliation from future regulators. But he does speculate that over time customer information from the ISPs will leak into the public through the companies that use their data for targeted advertising. The web advertisers are not bound by any legal restrictions on using purchased data and over time, as they do various ad campaigns, they could effectively build pretty detailed customer profiles based upon a series of different ad campaigns.

Certainly this is of concern to many people. People are free to avoid services like Facebook or Google if they want to maintain privacy, but it takes a lot of effort to hide from their ISP. And while ISPs are probably never going to market a database directly that shows a given customer’s browsing history, as they use our data for advertising purposes they are going to be providing bits and pieces about each of us that over time can be reassembled to create incredibly detailed profiles. Folks who are savvy and concerned about this are going to thwart the ISPs as much as possible through the use of VPNs and other tools to hide their web activity. But it’s likely that most people won’t do this and I would expect over the next few years to see the ISPs pop onto the radar in a big way as advertisers.

Broadband CPNI?

A group of consumer and privacy groups has asked the FCC to begin enforcing customer privacy rules. In the industry this process is called CPNI (customer proprietary network information) when applied to telephone and cable TV.

Now that the FCC has classified broadband as a common carrier service, they have the authority to investigate and regulate broadband privacy issues. This is something that the industry needs. Until now there has been very limited regulation of broadband by the Federal Trade Commission since the FTC authority was drawn only from the Children’s Online Privacy Act. But the FCC now has much stronger authority.

Current CPNI rules for telephone and cable TV are focused to a large degree on billing issues and on protecting private data like social security numbers, credit card numbers or other sensitive customer information. There is also a prohibition against disclosing the details of what customers do with those services – such as the calls they make or the channels they watch. (Of course, I guess we now know that the NSA is immune from the obligation to protect telephone records).

As sensitive as privacy matters are in those areas there are larger concerns with broadband. What people do online is extremely personal and the vast majority of Americans think that details of their online life should not be recorded or sold to others.

There are a whole lot of places that the FCC could go with broadband CPNI over and above the normal protections of billing data. For example, what are the obligations of companies to notify people when there has been a data breach and customer information has been compromised? Should ISPs have to disclose to customers if they use their data for any purposes or sell it to others in any form? And if so, how much do companies have to disclose?

An ISP is in a very powerful position with a customer. If they wish to record what a customer does online they know everything the customer does that isn’t somehow encrypted. They are the first in line to see outgoing bits and the only one to see all of the incoming bits.

The FCC has already started some internal work on the topic and held a workshop. From there the FCC has a number of options. They can first solicit comment and ideas from the public to see what kinds of sentiments are out there. It seems for almost everything the FCC does there are two sides of opinion, and there will be those that are in favor of very strong rules and those in favor of a very light touch. But the FCC would do well to hear all of these opinions before trying to formulate specific rules.

But they do have the option to go straight to a rulemaking. They could propose specific CPNI rules and let everybody take pot shots at them. I’m suspecting that for something this new and different that they are going to want to hear all sides of the arguments first before developing rules. The FCC also might be slow-rolling this. The whole Title II regulatory process is under appeal in the courts and they might not want to go too far down any path until they feel more secure that the courts believe they have the authority to regulate broadband in this manner.

One thing that we can probably expect from the FCC is that whatever they do is going to apply to ISPs but not to what they call edge providers. That would be all of the companies like Google and Facebook that operate on the web and that are not under the Title II regulatory regime. I know that consumer groups are going to want that kind of protection because I think it’s generally assumed that it’s the edge providers – and not the ISPs – that are using and misusing people’s data today.

Broadband CPNI

The FCC said before they passed the net neutrality rules that they were going to very lightly regulate broadband providers using Title II. And now, just a few weeks after the new net neutrality rules are in place, we already see the FCC wading into broadband CPNI (customer proprietary network information).

CPNI rules have been around for a few decades in the telephony world. These rules play a dual purpose of providing customer confidentiality (meaning that phone companies aren’t supposed to do things like sell lists of their customers). They also provide protection of customer calling information by requiring a customer’s explicit permission to use their data. Of course, we have to wonder if these rules ever had any teeth at all since the large telcos shared everything they had with the NSA. But I guess that is a different topic and it’s obvious that the Patriot Act trumps FCC rules.

The CPNI rules for telephone service are empowered by Section 222 of Title II. It turns out that this is one of the sections of Title II for which the FCC didn’t choose to forbear for broadband, and so now the FCC has opened an investigation into whether they should apply the same, or similar, rules for broadband customers.

It probably is necessary for them to do this, because once Title II went into effect for broadband this gave authority in this area to the FCC. Until now, customer protection for broadband has been under the jurisdiction of the Federal Trade Commission.

There clearly is some cost for complying with CPNI rules, and those costs are not insignificant, especially for smaller carriers. Today any company that sells voice service must maintain, and file with the FCC, a manual showing how they comply with CPNI rules. Further, they have to periodically show that their staff has been trained to protect customer data. If the FCC applies the same rules to ISPs, then every ISP that sells data services is going to incur similar costs.

But one has to wonder if the FCC is going to go further with protecting customer data. In the telephone world usually the only information the carriers save is a record of long distance calls made from and to a given telephone number. Most phone companies don’t track local calls made or received. I also don’t know of any telcos that record the contents of calls, except in those circumstances when a law enforcement subpoena asks them to do so.

But ISPs know everything a customer does in the data world. They know every web site you have visited, every email you have written, everything that you do online. They certainly know more about you than any other party on the web. And so the ISPs have possession of data about customers that most people would not want shared with anybody else. One might think that in the area of protecting customer confidentiality the FCC might make it illegal for an ISP to share this data with anybody else, or perhaps only allow sharing if a customer gives explicit permission.

I have no idea if the larger telcos use or sell this data today. There is nothing currently stopping them from doing so, but I can’t ever recall hearing of companies like Comcast or AT&T selling raw customer data or even metadata. But it’s unnerving to think that they can, and so I personally hope that the FCC CPNI rules explicitly prohibit ISPs from using our data. I further hope that if they need a customer’s permission to use their data that this is not one of those things that can be buried on page 12 of the terms of service you are required to approve in order to use your data service.

What would be even more interesting is if the FCC takes this one step further and doesn’t allow any web company to use your data without getting explicit permission to do so. I have no idea if they even have that authority, but it sure would be a huge shock to the industry if they tried to impose it.