At the end of July, the FCC proposed a $20 million penalty against Q Link and Hello Mobile for not complying with the Customer Proprietary Network Information (CPNI) rules. The FCC concluded that the two companies violated the CPNI rules when they failed to protect confidential user data. The companies both had security flaws in their apps that allowed outside access to customer account information.
Today’s blog is not talking about these two carriers, but their security measures must be terrible to invite fines of that magnitude. Today’s blog will use these fines to highlight that there are still stringent privacy rules in place for voice providers, but nothing similar for broadband. Other than perhaps invoking an investigation from the Federal Trade Commission for allowing leaks of broadband customer information, there are no specific prohibitions in place to stop ISPs from misusing customer data.
There is an interesting history of regulations for the protection of broadband customer information. The FCC, under Chairman Tom Wheeler, had implemented CPNI rules for broadband in 2016 along with other broadband regulations like net neutrality. These regulations went into effect near the end of 2016 and included a provision to allow customers to opt in or out of allowing an ISP to use and share their personal data.
In 2017, Congress eliminated the CPNI protections for broadband in response to a request by FCC Chairman Ajit Pai. Pai argued that it wasn’t fair to enforce privacy rules on big ISPs that weren’t also required for web companies like Google and Facebook. He also argued that CPNI rules made no sense after the Pai FCC had eliminated Title II regulation, which had declared that broadband is considered to be an information service and not a telecommunications service. Congress passed the Congressional Rule Act that eliminated the CPNI requirement along with other broadband regulations, and the FCC implemented the change in September 2017.
This has resulted in an unusual regulatory environment where two cellular carriers can be heavily penalized for not protecting customer data while ISPs cannot.
Telephone companies routinely capture details of customer calling – who you call and who calls you. This is familiar to anybody who’s seen a TV crime show since one of the first things detectives routinely do is to ask to see telephone calling records for a suspect. Telephone companies can’t release this information without a warrant. CPNI rules also require phone companies to keep other customer data secure, such as billing records, credit card numbers, etc. Telephone companies are even prohibited from marketing their own products to customers if a customer opts out of such marketing.
The 2016 privacy rules that were in place for only a short time implemented the same sort of privacy rules as voice, but customers were also given the choice to allow or deny access to their records. ISPs gather a lot more data about customers than telephone companies. For example, an ISP knows every web page you have visited since they control the DNS routing that connects you to websites. There are numerous other things an ISP can know about a customer if they choose to look deeper into the packets between users and websites.
ISPs I know aren’t worried about these issues because they don’t share customer information. They don’t record details of customer broadband transactions, and they try hard to keep information like credit card numbers safe from hackers. But I don’t think anybody believes the largest ISPs when they say that they don’t monetize information from customer data, particularly since, with current rules, there is no restriction against them doing so. The big ISPs don’t want any restrictions on what they do with customer data and any revenue streams that might come from selling data, and in today’s regulatory world, they are largely getting what they want.