2. What’s up with the FCC?
• Senator Franken became alarmed about
CarrierIQ (Thanks to all the hacking!)
• Requested info from the carriers on their
use of this technology.
• Petitioned the FCC for new rules to stop.
• FCC, following rulemaking process, issued
Notice and opened up for comments.
3. FCC’s Interesting Questions
• What privacy and security obligations should apply to
customer information that service providers cause to be
collected by and stored on mobile communications devices?
• How does the obligation of carriers to “take reasonable
measures to discover and protect against attempts to gain
unauthorized access to CPNI” apply in this context?
• What should be the obligations when service providers use a
third party to collect, store, host, or analyze such data?
• Many more good ones!
4. Carriers’ Answers
• The industry does just fine regulating itself.
• This is the purview of the Federal Trade
Commission and will cause conflicts.
• The FCC does not have the authority to
regulate handsets.
• The information the industry collects is
necessary to insure good service.
5. Industry Self-Regulation
• After people objected, CarrierIQ was “killed”
• Industry is bringing it back under new names
• T-Mobile calls the app “System Administrator”
• Some carriers are now openly selling user data
• Verizon markets user data online
• Suggests advertisers “re-correlate”.
• How is this even pretending there is self-regulation?
6. Federal Trade Commission’s Role
• FTC is deeply involved in improving mobile
privacy, particularly with applications.
• FTC has no authority over carriers and
their relationships with their customers.
• FTC has issued a statement in support of
further CPNI regulation.
7. FCC’s Authority to Regulate
• FCC has statutory authority to regulate
telephone privacy since 1934.
• CPNI=Customer Proprietary Network
Information
• Mobile privacy has been included since 2007
• FCC considered Handsets but so far
excluded them from CPNI order so far.
8. What IS CPNI anyway?
22 USC § 47 (h)(1)
• Information
• Relating to the “quantity, technical configuration,
type, destination, location, and amount of use of a
telecommunications service.”
• Made available to the carrier by the customer solely
by virtue of the carrier-customer relationship
• Also billing information.
• Can not be used toVerizon California,Telco’s own555 F.3d 270 (D.C. Cir.
market to a Inc. v. F.C.C., customers.
2009)
9. Insuring Good Service
• Anyone remember the arguments for the
Carterfone Decision? 13 F.C.C.2d 420 (1968)
• Similar “quality” argument here.
• Becomes an argument for including data
collected in CPNI:
• Information “necessary for the operation
of the network.”
10. Oh, and by the way
• CPNI must be disclosed to the customer
upon request.
• Location data is currently not available to
the consumer from any telco.
• Knowing what they know would be
interesting, wouldn’t it?
11. Did I mention?
• Verizon recently advertised
their customer data for sale.
http://business.verizonwireless.com/content/b2b/en/precision/overview.
12. Industry Twist:
Aggregation Work-Around
Aggregation Work-Around
• CPNI customer data may be released in
aggregate form.
• Only for enumerated purposes.
• Statute restricts the release of “individually
identifiable” information.
• No test yet to decide what is “identifiable”.
• Verizon recommends keying to other databases
13. Handset Manufacturers?
• Thoroughly entwined with carriers.
• Subsidies and exclusive contracts establish
carrier control.
• Apple iPhones pose a unique case
• Equipment suppliers may also be
regulated.
14. Also Against Regulation
• The usual advertising subjects:
• Direct Marketing Association
• Interactive Advertising Bureau
• Alarm Industry Communications Committee
• Consumer Banker Association
• Nothing much new to offer
15. On the Consumer Side
• The EFF (naturally)
• Electronic Privacy Information Center (Initiated 2007 CPNI order
covering mobile)
• Center for Democracy and Technology
• Center for Digital Democracy
• Future of Privacy Forum
• MA AG & Dept. of Telecommunications
• Catholic Bishops (with other clergy)
• Hispanic Technology & Telecommunications Partnership (HTTP)
• A private citizen
• Only 35 total comments
• Most discuss need for regulation rather than the form it should take.
16. Some Less-Obvious Concerns
• Catholic Bishops are concerned about
children being tracked.
• HTTP is concerned about minorities who
disproportionately rely on mobile services.
17. Two Approaches to Regulation
1.Give consumers more control
• Consumers often are pretty clueless
• Many don’t care about that control
1.Hold carriers more accountable
• Consumer choice could be left behind
• Poses enforceability issues
18. Who Owns Malware?
• Obviously the hacker does.
• Just a bit hard to regulate hackers
• Assignment of responsibility could be used as
incentive
• Incentive to accountable carriers to provide
better security
• Incentive for carriers to grant users control
19. What Should Regulation Look Like?
• Carriers must be held accountable (under CPNI
order) for everything the consumer cannot control.
• Opt-in schemes with opt-out available any time
• How much data is really necessary if they can’t
sell it?
• Carriers need incentive to grant users who want it
control.
• Carriers become responsible for any data breach
on an unlocked phone
20. Added Bonus for Location Privacy
• Location should be included in CPNI.
• Far less ambiguity for law enforcement
requests for location tracking data.
• Would require Pen/trap (judicial) order.
• Still a lower standard than 4th Amendment
probable cause search warrant.
21. Likeliness of Change
• Politics are in a pro-privacy upswing now.
• Many Senators are making a stand
• White House created a privacy initiative
• Even the GAO has signaled the need for
greater privacy controls.
• “Defense” and “law enforcement”
arguments are moot here.
22. Conclusions-Predictions
• There will probably be new regulation soon
• The Telcos will sue, challenging the statutory
basis for the regulation.
• Telcos will try to keep it tied up in court.
• They will not win (out on a limb here).
• Enforcement will become a huge mess.
• Consumers will still benefit from regulation
24. 2007 Update Process
• March 15 2006 Notice issued.
• Similar comment period. (30 day comment,
30 day reply)
• 399 docs logged - only 37 here. Why?
• Sunshine Act meeting July 6, 2006
• Rule posted June 8, 2007
25. Complete List of Questions
1. How have [data privacy] practices evolved since we collected information on this issue in the 2007 Further Notice?
2. Are consumers given meaningful notice and choice with respect to service providers’ collection of usage-related information on their devices?
3. Do current practices serve the needs of service providers and consumers, and in what ways?
4. Do current practices raise concerns with respect to consumer privacy and data security?
5. How are the risks created by these practices similar to or different from those that historically have been addressed under the Commission’s CPNI
rules?
6. Have these practices created actual data-security vulnerabilities?
7. Should privacy and data security be greater considerations in the design of software for mobile devices, and, if so, should the Commission take any
steps to encourage such privacy by design?
8. What role can disclosure of service providers’ practices to wireless consumers play?
9. To what extent should consumers bear responsibility for the privacy and security of data in their custody or control?
1. Whether the device is sold by the service provider;
2. Whether the device is locked to the service provider’s network so that it would not work with a different service provider;
3. The degree of control that the service provider exercises over the design, integration, installation, or use of the software that collects and stores
information;
4. The service provider’s role in selecting, integrating, and updating the device’s operating system, preinstalled software, and security capabilities;
5. The manner in which the collected information is used;
6. Whether the information pertains to voice service, data service, or both
7. The role of third parties in collecting and storing data.
10. Are any other factors relevant?
11. If so, what are these other factors, and what is their relevance?
12. What privacy and security obligations should apply to customer information that service providers cause to be collected by and stored on mobile
communications devices?
13. How does the obligation of carriers to “take reasonable measures to discover and protect against attempts to gain unauthorized access to CPNI”
apply in this context?
14. What should be the obligations when service providers use a third party to collect, store, host, or analyze such data?
15. What would be the advantages and disadvantages of clarifying mobile service providers’ obligations, if any, with respect to information stored on
mobile devices—for instance through a declaratory ruling?
26. References
• Neat Infographic: Zeit Online, Betrayed by our own Data,
http://www.zeit.de/digital/datenschutz/2011-03/data-protection-malte-spitz/komplettansicht.
• Statute authorizing CPNI Regulation: 47 U.S.C. § 222
• CPNI Regulation: 47 C.F.R. § 64.2001 et. seq.
• FCC’s code for CPNI Rulemaking Information: 96-115
• FCC’s code for CPNI Compliance Certification: 06-36
• Federal Register of official publications: https://www.federalregister.gov/
• White House announcement of Comprehensive Privacy Blueprint (under Dep’t of Commerce):
http://www.ntia.doc.gov/blog/2012/white-house-unveils-new-comprehensive-privacy-blueprint
• FTC: Beyond Voice: Mapping the Mobile Marketplace http://www.ftc.gov/reports/mobilemarketplace/mobilemktgfinal.pdf.
• Google’s consent decree with Federal Trade Commission, published April 5, 2011, https://federalregister.gov/a/2011-7963
• Pew research on mobile communications
http://pewresearch.org/pubs/1601/assessing-cell-phone-challenge-in-public-opinion-surveys.
• Privacy and Data Management on Mobile Devices | Pew Research Center's Internet & American Life Project:
http://pewinternet.org/Reports/2012/Mobile-Privacy.aspx
• Senate’s “Privacy Bill of Rights” http://thomas.loc.gov/cgi-bin/query/z?c112:S.799:
• Mosaic theory, see United States v. Maynard, 615 F.3d 544, 557 (D.C. Cir. 2010)
• Notice link sent via SMS on Aug. 30, 2012 to T-Mobile customers: https://support.t-mobile.com/docs/DOC-2929?noredirect=true
• Verizon’s marketing information on user data: http://business.verizonwireless.com/content/b2b/en/precision/overview.html
• Verizon’s limited “opt out” requirements: http://www.hyperorg.com/blogger/2009/03/07/tales-of-data-pirates-opting-out-of-
verizons-open-ended-sharing/
Hinweis der Redaktion
German politician Malte Spitze neat infographic threats to hacker Verizon didn’t even bother to respond other carriers “Only to improve our network” ANYONE can petition the FCC (or any agency) for new rules. FCC doesn’t have to listen. No federal agency can, by law, make rules without opening up comments for 30 days.
There were 16 questions that were included in the text. These are merely representative.
- Industries that are self-regulating typically have outside incentive to do so. - Perhaps you’ve heard of the FTC getting involved in the Google $2.1M privacy violation fine? - Because handsets are “owned” by customer they aren’t under the statutory authority of the FCC. - Dropped calls, calls attempted where service is bad: it’s good to know
Carriers really jumped to the consumer response to the disclosure of this. - Jumped by making a better effort to disguise it from the customers. Verizon is not even worried about user backlash. - You think they have all the best lobbyists? Self-regulating industries like video games and movies have solid incentive to do so.
* FTC’s mandate: Fair Credit reporting act, Child Online Privacy Protection Act, Unfair Trade Practices Act (covering policy enforcement, spam, spyware, etc.) * unless you count anti-competitive behavior (collusion, trust, etc.) * View the issue as an “ecosystem” where
2007: EPIC CPNI: Electronic Privacy Information Center thought it was important to address issues of pretexting, wiping refurbished devices. - Also considered carrier responsibility at the handset, but carriers convinced FCC that they couldn’t have enough control to be responsible for them.
They want INFORMATION (Invoke conflict between #6 & #2) Carrier-customer relationship is special because the trust required to let them handle your data. What is protected is periodically updated by Congress. Last act was 1996. Telcos used to try to use this information to market new goods, get customers to switch back, etc
Show of hands for Carterfone (Explain Carterfone blank stares/few hands raised.) - In order to ensure quality of the network, it needed to be a closed system. - Became specs managed by the FCC: Without it we’d still be leasing modems from AT&T. Lets say we buy this argument. That is exactly what the CPNI order was FOR!
Currently if you want to get the cell site location information, data collected on where you go with your phone turned on (for 911), NO carrier will give it to you. Phone companies operate in a deliberate air of obfuscation and misinformation.
It looks like Verizon is the only telco currently selling their users out. Doesn’t mean that if they get away with it, others won’t follow. - They’re able to do it while still sticking to their privacy policy.
Simply aggregating is not enough. Identifiability and the mosiac theory: What is anonymous anyway? Carriers know that “depersonalized” data may be “repersonalized through correlation techniques.
CPNI has traditionally covered equipment vendors as customers as well. - Protects vendors from carriers, vice versa. - Customer is a very broad term.
We all know what this is about: Alternate revenue streams. Changes the competitive playing field in a limited field like this, could force competitors into it. If 1 vendor only cost $40/month when others cost $80 for same service, not going to compete. If users don’t know what they’re losing, how can they make informed tradeoffs?
Comments were pretty evenly split between the pro- and con-regulation. Anyone can submit a comment during the defined period. Every comment becomes a public record. You should comment too!
Think of the Children! *ahem* Seeing a common theme of disadvantaged/uninformed. The minority thing is an issue, because you’re talking about entire classes of people being tracked and monetized.
More user control IS the hacker solution, but it doesn’t work for everyone. Most users expect carriers to protect them and act in their best interests. Liability incentive could be powerful motivator towards relinquishing control
But who has the liability for the data leaks? Who is responsible for security? Those who you don’t trust to manage their phone? Trust and security are intertwined.
If you don’t trust your user to control their device, you can’t trust your user to manage their security. Conversely, if the user can be expected to control their personal data, they should have the trust to control their device.
“ Location” is specifically included in the CPNI statute. It’s unambiguous. Enforcement hasn’t happened yet, but then again, it wasn’t a problem. The current state is very ambiguous as to ownership. - See my ToorCamp talk on location privacy.
Privacy has been taking a beating in the last few years because of Terrist FUD Arguing for privacy is like arguing for motherhood. No reason to deny this for people. Advertising interests are very powerful and work behind the scenes. Insulation between FCC and Lobbyist $$ a Thing.
2007 update process 96-115: 3/15/06 Comments opened. Similar reply period. 399 docs logged Comments were thinly veiled threats against the FCC. The work the Trade Commission is doing against social media will pale in scope to this Even imperfect implementation will help consumers. THE END