Tag Archives: CPNI

FCC Considering New Rules for Data Breaches

Back in January of this year, the FCC issued a Notice of Proposed Rulemaking in WC Docket No. 22-21 that proposes to change the way that ISPs and carriers report data breach to the FCC and to customers. The proposed new rules would modify some of the requirements of the customer proprietary network information (CPNI) rules that were originally put into place in 2007.

Since the 2007 CPNI order, all fifty states have adopted a version of the CPNI rules as well as rules from federal agencies like the Federal Trade Commission, the Cybersecurity and Infrastructure Agency, and the Securities Exchange Commission. The FCC is hoping to strengthen the rules on reporting data breaches since it recognizes that data breaches are increasingly important and can be damaging to customers.

The FCC completed a round of initial and reply comments by the end of March 2023, but is not expected to make a final order before the end of this year.

The current FCC rules for data breaches require carriers to notify law enforcement within seven days of a breach using an FCC portal that forwards a report to the Secret Service and the FBI. After a carrier has notified law enforcement, it can opt to notify customers, although that is not mandatory. One of the reasons this docket was initiated is that carriers have kept quiet about some major data breaches. The new rules would require carriers to provide additional information to the FCC and law enforcement. The new requirements also eliminate any waiting period, and carriers would be required to notify law enforcement and customers “without unreasonable delay”. The only exception to rapid customer notification would be if law enforcement asks for a delay.

The FCC is proposing new reporting rules that it says will better protect consumers, increase security, and reduce the impact of future breaches. There was a lot of pushback from carriers in comments to the docket that centered on two primary topics – the definition of what constitutes a data breach, and the requirement of what must be told to customers.

The FCC wants to expand the definition of data breach to include the inadvertent disclosure of customer information. The FCC believes that requiring the disclosure of accidental breaches will incentivize carriers to adopt more strenuous data security practices. Carriers oppose the expanded definition since disclosure would be required even when there is no apparent harm to customers.

Carriers also oppose the quick notification requirements. Carriers argue that it takes time to  understand the breadth and depth of a data breach and to determine if any customers were harmed. Carriers also need to be working immediately after discovering breach to contain and stop the problem.

Carriers are opposed to the FCC suggestions of what must be disclosed to customers. The FCC wants to make sure that customer notices include everything needed for customers to react to the breach. Carriers say that assembling the details by customer will take too long and could leave customers open to further problems. Carriers would rather make a quick blanket announcement instead of a detailed notice to specific customers.

One of the interesting nuances of the proposed rules is that there would be two types of notifications required – one for inadvertent leaks and another for what the FCC calls a harms-based notification. This would require a carrier to notify customers based on the specific harm that was caused.  Carriers were generally in favor of the harms-based approach but didn’t want to confuse customers by notifying them of every inadvertent breach that doesn’t cause any harm.

Consumer advocates opposed allowing only the harm-based trigger, because it allows a carrier to decide when a breach causes harm. They fear that carriers will under-report harm-based breaches.

These rules would apply to all ISPs and carriers, regardless of size. While it might still be some months before any new rules become effective, small ISPs ought to use this impending change as a reason to review data security practices and the ability to notify customers.

Protecting Broadband Customer Data

At the end of July, the FCC proposed a $20 million penalty against Q Link and Hello Mobile for not complying with the Customer Propriety Network Information (CPNI). The FCC concluded that the two companies violated the CPNI rules when they failed to protect confidential user data. The companies both had security flaws in their apps that allowed outside access to customer account information.

Today’s blog is not talking about these two carriers, but their security measures must be terrible to invite fines of that magnitude. Today’s blog will use these fines to highlight that there are still stringent privacy rules in place for voice providers, but nothing similar for broadband. Other than perhaps invoking an investigation from the Federal Trade Commission for allowing leaks of broadband customer information, there are no specific prohibitions in place to stop ISPs from misusing customer data.

There is an interesting history of regulations for the protection of broadband customer information. The FCC, under Chairman Tom Wheeler, had implemented CPNI rules for broadband in 2016 along with other broadband regulations like net neutrality. These regulations went into effect near the end of 2016 and included a provision to allow customers to opt in or out of allowing an ISP to use and share their personal data.

In 2017, Congress eliminated the CPNI protections for broadband in response to a request by FCC Chairman Ajit Pai. Pai argued that it wasn’t fair to enforce privacy rules on big ISPs that weren’t also required for web companies like Google and Facebook. He also argued that CPNI rules made no sense after the Pai FCC had eliminated Title II regulation, which had declared that broadband is considered to be an information service and not a telecommunications service. Congress passed the Congressional Rule Act that eliminated the CPNI requirement along with other broadband regulations, and the FCC implemented the change in September 2017.

This has resulted in an unusual regulatory environment where two cellular carriers can be heavily penalized for not protecting customer data while ISPs cannot.

Telephone companies routinely capture details of customer calling – who you call and who calls you. This is familiar to anybody who’s seen a TV crime show since one of the first things detectives routinely do is to ask to see telephone calling records for a suspect. Telephone companies can’t release this information without a warrant. CPNI rules also require phone companies to keep other customer data secure, such as billing records, credit card numbers, etc. Telephone companies are even prohibited from marketing their own products to customers if a customer opts out of such marketing.

The 2016 privacy rules that were in place for only a short time implemented the same sort of privacy rules as voice, but customers were also given the choice to allow or deny access to their records. ISPs gather a lot more data about customers than telephone companies. For example, an ISP knows every web page you have visited since they control the DNS routing that connects you to websites. There are numerous other things an ISP can know about a customer if they choose to look deeper into the packets between users and websites.

ISPs I know aren’t worried about these issues because they don’t share customer information. They don’t record details of customer broadband transactions, and they try hard to keep information like credit card numbers safe from hackers. But I don’t think anybody believes the largest ISPs when they say that they don’t monetize information from customer data, particularly since, with current rules, there is no restriction against them doing so. The big ISPs don’t want any restrictions on what they do with customer data and any revenue streams that might come from selling data, and in today’s regulatory world, they are largely getting what they want.

FCC to Tackle Data Breaches

The FCC has a new Notice of Proposed Rulemaking (NPRM) concerning an update of customer proprietary network information (CPNI) rules. The FCC wants to strengthen the rules concerning notifying customers of a data breach.

CPNI rules are codified at the FCC from Section 222(a) of the Telecommunications Act of 1996. CPNI rules are intended to protect customer data. For those that haven’t read CPNI rules for a while, Section 222(a) rules state:

Except as required by law or with the approval of the customer, a telecommunications carrier that receives or obtains customer proprietary network information by virtue of its provision of a telecommunications service shall only use, disclose, or permit access to individually identifiable customer proprietary network information in its provision of (A) the telecommunications service from which such information is derived, or (B) services necessary to, or used in, the provision of such telecommunications service, including the publishing of directories.

In plain English, this means that every telecom carrier must take steps to protect customer data that is collected as part of providing a telecommunications service.

There have been a number of well-known data breaches in the industry, and the FCC is proposing to tighten the rules related to notifying customers about data breaches. For example, the current rules give carriers seven days to notify customers of breaches of their personal data, and the NPRM will propose to drastically shorten that time frame. The FCC will also be proposing that carriers must disclose inadvertent breaches of data that were caused by the carrier, as opposed to a malicious outside party. Finally, carriers will be required to report all data breaches to the FCC, the FBI, and the U.S. Secret Service.

For those of you not familiar with the NPRM process, the FCC uses this method to notify the industry of proposed changes in regulations. An NPRM spells out the specific proposed rule changes by showing the proposed change in FCC rules. The FCC then invites comments on the proposed rule changes and often asks additional questions to get feedback. The FCC sometimes adopts the NPRM as proposed but often modifies the proposed rules based upon the comments received.

It doesn’t seem likely that the FCC will allow an opt-out of these rule changes for small carriers and these rules are likely to apply to everybody, like the current CPNI rules.

As is usual these days, there is a regulatory twist. As it sits today, the FCC no longer regulates broadband since it is not classified as a telecommunications service. The Section 222 rules only apply to telecommunications carriers and the new rules might only apply to carriers that offer traditional telephone service, cellular services, or anything else remaining under FCC jurisdiction. An ISP that only provides broadband might be exempt from CPNI rules – although you could face an expensive legal fight if the FCC sees it otherwise. An awful lot of our regulatory rules are sitting in the gray areas these days.

However, if the FCC eventually brings broadband back into the regulatory fold, as is expected, then these rules would apply to all ISPs selling broadband services.

Modernizing CPNI Rules

I think we badly need new CPNI rules for the industry. CPNI stands for ‘Customer Proprietary Network Information’ and are rules to govern the use of data that telcos and ISPs gather on their customers. CPNI rules are regulated by the FCC and I think it’s fully within their current mandate to update the rules to fit the modern world.

While CPNI is related to privacy issues it’s not exactly the same. CPNI rules involve how ISPs use the customer data that they must gather in order to make the network operate. Originally CPNI rules involved telephone call details – who we called, who called us, etc. Telcos have been prohibited by CPNI rules from using this kind of data without the express consent of a consumer (or else in response to a valid subpoena from law enforcement).

Today the telcos and ISPs gather a lot more information about us than just telephone calling information. For instance, a cellular company not only knows all of your call details, but they know where you are whenever you call, text or make a data connection from your cellphone. Every ISP knows every web search you make since they are the ones routing those requests to the Internet. If you buy newer ISP products like home automation they know all sorts of details that they can gather from monitoring motion detectors and other devices that are part of their service.

Such CPNI data is valuable because it can be used by the ISP to assemble a profile of each customer, particularly when CPNI data is matched with data gathered from other sources. Every large ISP has purchased a business arm that is aimed to help them monetize customer data. The ISPs are all envious of the huge advertising revenues generated by Facebook and Google and want to climb into the advertising game.

The FCC was given the authority to limit how carriers use customer proprietary data, granted by Section 222(b) of the Telecommunications Act of 1934. Those statutes specifically prohibit carriers from using CPNI data for marketing purposes. Over the years the FCC developed more specific CPNI rules that governed telcos. However, the FCC has not updated the specific CPNI rules to cover the wide range of data that ISPs gather on us today. Telcos still ask customers for permission to use their telephone records, but they are not required to get customer permission to track web sites we visit or our location when using a cellphone.

The FCC could invoke CPNI protections for companies that they regulate. It gets dicier for the FCC to expand CPNI rules past traditional carriers. All sorts of web companies also gather information on users. Google makes most of their money through their search engine. They not only charge companies to get higher ranking for Google searches, but they monetize customer data by building profiles of each user that they can market to advertisers. These profiles are supposedly very specific – they can direct advertisers to users who have searched for any specific topic, be it people searching for information about diabetes or those looking to buy a new truck.

There are many who argue that companies like Google should be brought under the same umbrella of rules as ISPs. The ISPs rightfully claim that companies like Google have a major market advantage. But the ISPs clearly prefer the regulatory world where no company is subject to CPNI rules.

There other web applications that are harder to justify as being related to CPNI. For example, a social network like Facebook gathers huge amounts of private data about its users – but those users voluntarily build profiles and share that data freely.

There are more complicated cases such as Amazon, which has been accused of using customer shopping data to develop its own product lines to directly compete with vendors selling on the Amazon platform. The company clearly uses customer data for their own marketing purposes – but Amazon is clearly not a carrier and it would be a huge stretch to pull them under the CPNI rules.

It’s likely that platforms like Facebook or Amazon would have to be regulated with new privacy rules rather than with CPNI rules. That requires an act of Congress, and it’s likely that any new privacy rules would apply to a whole large range of companies that use the web – the approach taken by the European Union.

Telephone versus Broadband Privacy

We now have an unusual regulatory world where there is more privacy protection in place for telephone customers than there is for broadband customers. One of the many things done in the Congressional Review Act (CRA) for the new budget that went into effect on April 3 was to nullify the FCC’s privacy rules for ISPs. These rules were implemented in the fall of 2016 and prohibited ISPs from using customer data without customer consent.

There have been no equivalent changes in the rules for landlines, cellular phones and cable TV subscribers. The rules for telephone privacy were established by the Telecommunications Act of 1996 and are referred to as CPNI (Customer Proprietary Network Information). These rules prohibit phone companies from using calling records unless they have customer permission. There is a good summary of a customer’s rights on this FCC web page.

Telephone companies routinely capture details of customer calling – who you call and who calls you. This is familiar to anybody who’s seen a TV crime show since one of the first things detectives routinely do is to ask to see telephone calling records for a suspect. The telephone companies can’t release this information without a warrant if a customer has elected to keep their records private. In addition to calling records these rules also require phone companies to keep other customer data secure, such as billing records, credit card numbers etc. Telephone companies are even prohibited from marketing their own products to customers if the customers opt out.

The 2016 privacy rules for broadband had implemented the same sort of privacy rules. Customers were given the choice to allow or deny access to their records. This was a far more reaching protection due to the large volume of information that an ISP has about their customers. At a minimum an ISP knows every web page you have visited since they control the DNS routing that connects you to web sites. There are numerous other things an ISP can know about a customer should they choose to look deeper into the packets to and from customers.

The new FCC Chairman Ajit Pai led the charge to kill the 2016 ISP privacy rules. Those were put into place just before the 2016 election and he had voted against the rules then. His primary argument is that the protections put barriers onto ISPs while there was nothing similar to ‘edge providers’, that is web companies like Facebook or Google. Those companies have no restrictions on what they can collect from users of their software and platform. Chairman Pai argued that the privacy rules didn’t really protect customers and just ended up putting ISPs at a disadvantage compared to Google.

It’s a valid argument, but killing ISP privacy protection is not the only way to get more parity between web companies. The European Union has taken an opposite approach and has placed restrictions on what both ISPs and edge providers can collect without customer permission.

Regulations are often squirrely and it’s not hard to find regulatory rules that make no sense or that have lasted far past their usefulness. I find it particularly odd, though, that I can tell my cellular provider to keep details of my phone calls private, but I can’t stop them from recording all of the web sites I visit. I’m sure the average citizen is far more concerned about web usage records than they are about who called them.

People who are concerned about their web privacy are taking steps to protect their information. Many people have changed to VPNs to encrypt their web usage and keep the details away from the ISP. There are alternate providers that can do DNS searches so that you ISP doesn’t know the web sites you visit. People are using web browsers that don’t track their usage. Large numbers of people are reportedly dropping off Facebook and other platforms that routinely and openly benefit from their personal data.

What’s most disconcerting about all of this is that privacy is the kind of regulation that has now become partisan. It’s not hard to envision a future Democratic FCC putting the privacy rules back in place and we might see this and similar issues yo-yo with changes in the administration. Of course, the easiest way around that is to do what my smaller ISP clients do – they don’t record customer information, so they don’t really care what the FCC says about privacy – they just provide it as another aspect of good customer service.

FCC Reverses 2016 Privacy Ruling

The FCC adopted an order that formally recognized that the privacy rules passed by the Tom Wheeler FCC are cancelled and that the FCC will revert to the previous privacy rules that were in effect in the past. The action is mostly a clarification because Congress passed H.J. Res 34, the Congressional Review Act that nullified the actions of the last FCC.

This FCC means a number of things. For regulated telephone providers (both LECs and CLECs) it means that all of the previous rules that were generally referred to as a Customer Proprietary Network Information (CPNI) are back in effect. Those rules are codified in FCC Rules Section 64.2009(e) and (c). Those rules include:

  • An obligation to not disclose telephone customer data without permission from the customer.
  • An annual compliance certification to demonstrate compliance with the CPNI rules. This filing will be due next year again, filed no later than March 1.
  • Compliance with various recordkeeping rules that would demonstrate compliance should a carrier ever be audited.

The FCC also reminded non-regulated ISPs that while they are not directly subject to the CPNI rules that they are still subject to Section 222 of the Communications Act that says that all carriers must take reasonable and good faith steps to protect customer privacy.

The rules passed by the last FCC would have brought all ISPs into the same regulations as telcos. And in doing so the rules went further than in the past and required that any service provider get customer buy-in before using their data. Customers were to have been provided with the option to allow ISPs to use data for any purpose, to allow ISPs to use data just for marketing to the customer, or customers could have opted out and chosen full privacy.

One of the big public fears that was voiced in opposition to the congressional action that reversed the privacy rules is that ISPs are now free to use customer information in any manner and that they could even go so far as to ‘sell the browsing history’ of customers on the open market. If ISPs misuse customer broadband data in too egregious of a manner I guess we’ll have to wait for a specific complaint using the Section 222 rules to see what level of protection data customers actually have.

All of the big ISPs have come out and said that they would never sell customer browsing data, and it’s probable that even under the older rules that are still in place that directly selling specific customer data might be illegal.

But we know that the big ISPs have all made plans to monetize customer data, and many of them have already been doing that for years. The most likely use of customer data will be for the biggest ISPs to engage in the same kind of advertising that is being done by Google and Facebook. The social media companies have built detailed profiles of their customers, something that advertisers find valuable. But the ISPs have a big advantage over the social media companies in that they know a lot more about customers including all of the web searches they make and all of the web sites they visit. The big ISPs all have branches of their business that are focusing on this kind of advertising, and even smaller ones like Altice recently purchased a company that creates targeted advertising based upon customer profiles.

There was an article in Forbes earlier this year by Thomas Fox-Brewster that speculated that targeted advertising is what the ISPs really want. They look at the gigantic revenues being earned by Google and Facebook and want a piece of that action. He doesn’t believe that the ISPs will directly sell data, which might invite retaliation from future regulators. But he does speculate that over time that customer information from the ISPs will leak into the public through the companies that use their data for targeted advertising. The web advertisers are not bound by any legal restrictions on using purchased data and over time, as they do various ad campaigns they could effectively build pretty detailed customer profiles based upon different a series of ad campaigns.

Certainly this is of concern to many people. People are free to avoid services like Facebook or Google if they want to maintain privacy, but it takes a lot of effort to hide from their ISP. And while ISPs are probably never going to market a database directly that shows a given customer’s browsing history, as they use our data for advertising purposes they are going to be providing bits of pieces about each of us, that over time can be reassembled to create incredibly detailed profiles. Folks who are savvy and concerned about this are going to thwart the ISPs as much as possible through the use of VPNs and other tools to hide their web activity. But it’s likely that most people won’t do this and I would expect over the next few years to see the ISPs pop onto the radar in a big way as advertisers.

Broadband CPNI?

FCC_New_LogoA group of consumer and privacy groups has asked the FCC to begin enforcing customer privacy rules. In the industry this process is called CPNI (customer proprietary network information) when applied to telephone and cable TV.

Now that the FCC has classified broadband as a common carrier service, they have the authority to investigate and regulate broadband privacy issues. This is something that the industry needs. Until now there has been very limited regulation of broadband by the Federal Trade Commission since the FTC authority was drawn only from the Children’s Online Privacy Act. But the FCC now has much stronger authority.

Current CPNI rules for telephone and cable TV are focused to a large degree on billing issues and on protecting private data like social security numbers, credit card numbers or other sensitive customer information. There is also a prohibition against disclosing the details of what customers do with those services – such as the calls they make or the channels they watch. (Of course, I guess we now know that the NSA is immune from the obligation to protect telephone records).

As sensitive as privacy matters are in those areas there are larger concerns with broadband. What people do online is extremely personal and the vast majority of Americans think that details of their online life should not be recorded or sold to others.

There are a whole lot of places that the FCC could go with broadband CPNI over and above the normal protections of billing data. For example, what are the obligations of companies to notify people when there has been a data breach and customer information has been compromised? Should ISPs have to disclose to customers if they use their data for any purposes or sell it to others in any form? And if so, how much do companies have to disclose?

An ISP is in very powerful position with a customer. If they wish to record what a customer does online they know everything that the customer isn’t somehow encrypted. They are the first in line to see outgoing bits and the only one to see all of the incoming bits.

The FCC has already started some internal work on the topic and held a workshop. From there the FCC has a number of options. They can first solicit comment and ideas from the public to see what kinds of sentiments are out there. It seems for almost everything the FCC does there are two sides of opinion, and there will be those that are in favor of very strong rules and those in favor of a very light touch. But the FCC would do well to hear all of these opinions before trying to formulate specific rules.

But they do have the option to go straight to a rulemaking. They could propose specific CPNI rules and let everybody take pot shots at them. I’m suspecting that for something this new and different that they are going to want to hear all sides of the arguments first before developing rules. The FCC also might be slow-rolling this. The whole Title II regulatory process is under appeal in the courts and they might not want to go too far down any path until they feel more secure that the courts believe they have the authority to regulate broadband in this manner.

One thing that we can probably expect from the FCC is that whatever they do is going to apply to ISPs but not to what they call edge providers. That would be all of the companies like Google and Facebook that operate on the web and that are not under the Title II regulatory regime. I know that consumer groups are going to want that kind of protection because I think it’s generally assumed that it’s the edge providers – and not the ISPs – that are using and misusing people’s data today.

Broadband CPNI

FCC_New_LogoThe FCC said before they passed the net neutrality rules that they were going to very lightly regulate broadband providers using Title II. And now, just a few weeks after the new net neutrality rules are in place, we already see the FCC wading into broadband CPNI (customer proprietary network information).

CPNI rules have been around for a few decades in the telephony world. These rules play a dual purpose of providing customer confidentiality (meaning that phone companies aren’t supposed to do things like sell lists of their customers). They also provide protection of customer calling information by requiring a customer’s explicit permission to use their data. Of course, we have to wonder if these rules ever had any teeth at all since the large telcos shared everything they had with the NSA. But I guess that is a different topic and it’s obvious that the Patriot Act trumps FCC rules.

The CPNI rules for telephone service are empowered by Section 222 of Title II. It turns out that this is one of the sections of Title II for which the FCC didn’t choose to forebear for broadband, and so now the FCC has opened an investigation into whether they should apply the same, or similar, rules for broadband customers.

It probably is necessary for them to do this, because once Title II went into effect for broadband this gave authority in this area to the FCC. Until now, customer protection for broadband has been under the jurisdiction of the Federal Trade Commission.

There clearly is some cost for complying with CPNI rules, and those costs are not insignificant, especially for smaller carriers. Today any company that sells voice service must maintain, and file with the FCC, a manual showing how they comply with CPNI rules. Further, they have to periodically show that their staff has been trained to protect customer data. If the FCC applies the same rules to ISPs, then every ISPs that sells data services is going to incur similar costs.

But one has to wonder if the FCC is going to go further with protecting customer data. In the telephone world usually the only information the carriers save is a record of long distance calls made from and to a given telephone number. Most phone companies don’t track local calls made or received. I also don’t know of any telcos that record the contents of calls, except in those circumstances when a law enforcement subpoena asks them to do so.

But ISPs know everything a customer does in the data world. They know every web site you have visited, every email you have written, everything that you do on line. They certainly know more about you than any other party on the web. And so the ISPs have possession of data about customers that most people would not want shared with anybody else. One might think that in the area of protecting customer confidentiality the FCC might make it illegal for an ISP to share this data with anybody else, or perhaps only allow sharing if a customer gives explicit permission.

I have no idea if the larger telcos use or sell this data today. There is nothing currently stopping them from doing so, but I can’t ever recall hearing of companies like Comcast or AT&T selling raw customer data or even metadata. But it’s unnerving to think that they can, and so I personally hope that the FCC CPNI rules explicitly prohibit ISPs from using our data. I further hope that if they need a customer’s permission to use their data that this is not one of those things that can be buried on page 12 of the terms of service you are required to approve in order to use your data service.

What would be even more interesting is if the FCC takes this one step further and doesn’t allow any web company to use your data without getting explicit permission to do so. I don’t have idea if they even have that authority, but it sure would be a huge shock to the industry if they tried to impose it.